Ensure that unhealthy virtual machine instances are automatically deleted from the scale sets and new ones are created, using the latest instance model settings. Automatic Instance Repairs feature relies on health checks performed for individual instances running in a scale set. These virtual machine instances can be configured to emit an application health status using the Azure Application Health extension or a load balancer health probe. If a VM instance is found to be unhealthy, as reported by the Application Health extension or by the associated load balancer health probe, then the scale set performs the repair action by deleting the unhealthy instance and creating a new one to replace it.
PoC代码[已公开]
id: azure-vmss-auto-repairs-disabled
info:
name: Azure VMSS Automatic Instance Repairs Not Enabled
author: princechaddha
severity: medium
description: |
Ensure that unhealthy virtual machine instances are automatically deleted from the scale sets and new ones are created, using the latest instance model settings. Automatic Instance Repairs feature relies on health checks performed for individual instances running in a scale set. These virtual machine instances can be configured to emit an application health status using the Azure Application Health extension or a load balancer health probe. If a VM instance is found to be unhealthy, as reported by the Application Health extension or by the associated load balancer health probe, then the scale set performs the repair action by deleting the unhealthy instance and creating a new one to replace it.
impact: |
Not having Automatic Instance Repairs enabled can lead to prolonged downtime and potential service disruption as unhealthy instances may not be promptly replaced.
remediation: |
Enable the Automatic Instance Repairs feature for Azure VMSS to ensure high availability and resilience of your applications.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
flow: |
code(1);
for (let ScaleSetData of iterate(template.scaleSetList)) {
ScaleSetData = JSON.parse(ScaleSetData);
set("name", ScaleSetData.name);
set("resourceGroup", ScaleSetData.resourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
extractors:
- type: json
name: scaleSetList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vmss show --name "$name" --resource-group "$resourceGroup" --query '{"AutomaticRepairsPolicyEnabled": automaticRepairsPolicy.enabled}'
matchers-condition: and
matchers:
- type: word
words:
- '"AutomaticRepairsPolicyEnabled": null'
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " does not have automatic instance repairs enabled"'
# digest: 4a0a0047304502200bb2271ef7c206d28dbb7dc16cfb6f7d7a4045a7c8f06bf25fa5d1fd7e324ae6022100cefef05d5f9721948ba2957f0c9c0a8967b485cbf731acac5a9fdb3e7d04e877:922c64590222798bb761d5b6d8e72950