Merge branch 'main' into feature/issue726

Author: kpoineal

.github/workflows/scorecard.yml

@@ -54,7 +54,7 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
-        with:
-          sarif_file: results.sarif
+      #- name: "Upload to code-scanning"
+      #  uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+      #  with:
+      #    sarif_file: results.sarif

azure-resources/Compute/virtualMachines/kql/302fda08-ee65-4fbe-a916-6dc0b33169c4.kql

@@ -1,7 +1,13 @@
 // Azure Resource Graph Query
-// Find all Virtual Machines not associated with a Capacity Reservation, and provide details for Capacity Reservation like vmSize, location, and zone.
-resources
-| where type =~ 'Microsoft.Compute/virtualMachines'
-| where isnull(properties.capacityReservation)
-| extend zoneValue = iff(isnull(zones), "null", zones)
-| project recommendationId = "302fda08-ee65-4fbe-a916-6dc0b33169c4", name, id, tags, param1 = strcat("VmSize: ", properties.hardwareProfile.vmSize), param2 = strcat("Location: ", location), param3 = strcat("Zone: ", zoneValue)
+// Find Virtual Machine capacity reservations and their associated properties
+advisorresources
+| where properties.recommendationTypeId =~ '1670c0af-6536-4cbf-872f-152c91a51a80' // RecommendationID from Advisor
+| mv-expand resId = properties.resourceMetadata.resourceId
+| extend resId = tolower(tostring(resId))
+| project recId = properties.recommendationTypeId, resId
+| join kind=leftouter (
+    resources
+    | extend id = tolower(tostring(id))
+    | project id, name, tags, location, properties
+) on $left.resId == $right.id
+| project recommendationId = "302fda08-ee65-4fbe-a916-6dc0b33169c4", name , id = resId, tags,param1 = properties.hardwareProfile.vmSize, param2 = location

azure-resources/Compute/virtualMachines/kql/52ab9e5c-eec0-3148-8bd7-b6dd9e1be870.kql

@@ -1,16 +1,38 @@
 // Azure Resource Graph Query
-// Find VMS that do not have maintenance configuration assigned
-Resources
-| extend resourceId = tolower(id)
-| project name, location, type, id, tags, resourceId, properties
+// Find VMs on Dedicated Hosts or using Isolated SKUs (via substring match)  that do NOT have a maintenance configuration assigned
+resources
 | where type =~ 'Microsoft.Compute/virtualMachines'
+| extend
+    resourceId    = tolower(id),
+    hostId        = tostring(properties.host.id),
+    hostGroupId   = tostring(properties.hostGroup.id),
+    vmSize        = tostring(properties.hardwareProfile.vmSize)
+| where
+    // 1) Dedicated Host association
+    isnotempty(hostId) or isnotempty(hostGroupId)
+    // 2) OR any of the "isolated" substrings
+    or (
+        vmSize contains "i_"    or
+        vmSize contains "is_"   or
+        vmSize contains "id_"   or
+        vmSize contains "ids_"  or
+        vmSize contains "idms_" or
+        vmSize contains "ims_"  or
+        vmSize contains "G5"    or
+        vmSize contains "GS5"   or
+        vmSize contains "F72s_" or
+        vmSize contains "M128ms"
+    )
 | join kind=leftouter (
-maintenanceresources
-| where type =~ "microsoft.maintenance/configurationassignments"
-| project planName = name, type, maintenanceProps = properties
-| extend resourceId = tostring(maintenanceProps.resourceId)
+    resources
+    | where type =~ 'microsoft.maintenance/configurationassignments'
+    | extend resourceId = tolower(tostring(properties.resourceId))
+    | project resourceId, maintenanceProps = properties
 ) on resourceId
 | where isnull(maintenanceProps)
-| project recommendationId = "52ab9e5c-eec0-3148-8bd7-b6dd9e1be870",name, id, tags
+| project
+    recommendationId = "52ab9e5c-eec0-3148-8bd7-b6dd9e1be870",
+    name,
+    id,
+    tags
 | order by id asc
-

azure-resources/Compute/virtualMachines/kql/73d1bb04-7d3e-0d47-bc0d-63afe773b5fe.kql

@@ -1,2 +1,18 @@
-// cannot-be-validated-with-arg
+// Azure Resource Graph Query
+// Find all VM NICs that have Accelerated Networking enabled
+resources
+| where type =~ 'Microsoft.Compute/virtualMachines'
+| mv-expand nic = properties.networkProfile.networkInterfaces
+| project name, id, tags, lowerCaseNicId = tolower(nic.id), vmSize = tostring(properties.hardwareProfile.vmSize)
+| join kind = inner (
+    resources
+    | where type =~ 'Microsoft.Network/networkInterfaces'
+    | where properties.enableAcceleratedNetworking == true
+    | project nicName = split(id, "/")[8], lowerCaseNicId = tolower(id)
+    )
+    on lowerCaseNicId
+| summarize nicNames = make_set(nicName) by name, id, tostring(tags), vmSize
+| extend param2 = strcat("NicName: ", strcat_array(nicNames, ", ")), param3 = strcat("VMSize: ", vmSize)
+| project recommendationId = "dfedbeb1-1519-fc47-86a5-52f96cf07105", name, id, tags, param1="This machine has AccelNet enabled, but it is not possible to confirm if the GuestOS drivers are Up-to-Date.", param2,param3
+| order by id asc
 

azure-resources/Compute/virtualMachines/recommendations.yaml

@@ -17,7 +17,7 @@
 
 - description: Deploy VMs across Availability Zones
   aprlGuid: 2bd0be95-a825-6f47-a8c6-3db1fb5eb387
-  recommendationTypeId: null
+  recommendationTypeId: 066a047a-9ace-45f4-ac50-6325840a6b00
   recommendationControl: HighAvailability
   recommendationImpact: High
   recommendationResourceType: Microsoft.Compute/virtualMachines
@@ -117,23 +117,6 @@
     - name: What is the Azure Backup service?
       url: "https://learn.microsoft.com/azure/backup/backup-overview"
 
-- description: Review VMs in stopped state
-  aprlGuid: 98b334c0-8578-6046-9e43-b6e8fce6318e
-  recommendationTypeId: null
-  recommendationControl: Governance
-  recommendationImpact: Low
-  recommendationResourceType: Microsoft.Compute/virtualMachines
-  recommendationMetadataState: Disabled
-  longDescription: |
-    Azure Virtual Machines (VM) instances have various states, like provisioning and power states. A non-running VM may indicate issues or it being unnecessary, suggesting removal could help cut costs.
-  potentialBenefits: Reduce costs by removing unused VMs
-  pgVerified: true
-  automationAvailable: true
-  tags: []
-  learnMoreLink:
-    - name: States and billing status of Azure Virtual Machines
-      url: "https://learn.microsoft.com/azure/virtual-machines/states-billing?context=%2Ftroubleshoot%2Fazure%2Fvirtual-machines%2Fcontext%2Fcontext#power-states-and-billing"
-
 - description: Enable Accelerated Networking (AccelNet)
   aprlGuid: dfedbeb1-1519-fc47-86a5-52f96cf07105
   recommendationTypeId: null
@@ -162,46 +145,12 @@
     When Accelerated Networking is enabled, the default Azure VNet interface in GuestOS is swapped for a Mellanox, and its driver comes from a 3rd party. Marketplace images have the latest Mellanox drivers, but post-deployment, updating the driver is the user's responsibility.
   potentialBenefits: Enhanced VM network efficiency
   pgVerified: true
-  automationAvailable: false
+  automationAvailable: true
   tags: []
   learnMoreLink:
     - name: Accelerated Networking (AccelNet) overview
       url: "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview"
 
-- description: VMs should not have a Public IP directly associated
-  aprlGuid: 1f629a30-c9d0-d241-82ee-6f2eb9d42cb4
-  recommendationTypeId: null
-  recommendationControl: Security
-  recommendationImpact: Medium
-  recommendationResourceType: Microsoft.Compute/virtualMachines
-  recommendationMetadataState: Disabled
-  longDescription: |
-    For outbound internet connectivity of Virtual Machines, using NAT Gateway or Azure Firewall is recommended to enhance security and service resilience, thanks to their higher availability and SNAT ports.
-  potentialBenefits: Enhanced security and service resiliency
-  pgVerified: true
-  automationAvailable: true
-  tags: []
-  learnMoreLink:
-    - name: Use Source Network Address Translation (SNAT) for outbound connections
-      url: "https://learn.microsoft.com/azure/load-balancer/load-balancer-outbound-connections"
-
-- description: VM network interfaces and associated subnets both have a Network Security Group associated
-  aprlGuid: 82b3cf6b-9ae2-2e44-b193-10793213f676
-  recommendationTypeId: null
-  recommendationControl: Security
-  recommendationImpact: Low
-  recommendationResourceType: Microsoft.Compute/virtualMachines
-  recommendationMetadataState: Disabled
-  longDescription: |
-    Unless you have a specific reason, it's advised to associate a network security group to a subnet or a network interface, but not both, to avoid unexpected communication issues and troubleshooting due to potential rule conflicts between the two associations.
-  potentialBenefits: Reduces communication problems
-  pgVerified: true
-  automationAvailable: true
-  tags: []
-  learnMoreLink:
-    - name: How network security groups filter network traffic
-      url: "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works#intra-subnet-traffic"
-
 - description: IP Forwarding should only be enabled for Network Virtual Appliances
   aprlGuid: 41a22a5e-5e08-9647-92d0-2ffe9ef1bdad
   recommendationTypeId: null
@@ -219,23 +168,6 @@
     - name: Enable or disable IP forwarding
       url: "https://learn.microsoft.com/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#enable-or-disable-ip-forwarding"
 
-- description: Customer DNS Servers should be configured in the Virtual Network level
-  aprlGuid: 1cf8fe21-9593-1e4e-966b-779a294c0d30
-  recommendationTypeId: null
-  recommendationControl: OtherBestPractices
-  recommendationImpact: Low
-  recommendationResourceType: Microsoft.Compute/virtualMachines
-  recommendationMetadataState: Disabled
-  longDescription: |
-    Configure the DNS Server at the Virtual Network level to prevent any inconsistency across the environment.
-  potentialBenefits: Ensures DNS consistency
-  pgVerified: true
-  automationAvailable: true
-  tags: []
-  learnMoreLink:
-    - name: Name resolution for resources in Azure virtual networks
-      url: "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
-
 - description: Network access to the VM disk should be set to Disable public access and enable private access
   aprlGuid: 70b1d2be-e6c4-b54e-9959-b1b690f9e485
   recommendationTypeId: null
@@ -253,40 +185,6 @@
     - name: Restrict import/export access for managed disks using Azure Private Link
       url: "https://learn.microsoft.com/azure/virtual-machines/disks-enable-private-links-for-import-export-portal"
 
-- description: Ensure that your VMs are compliant with Azure Policies
-  aprlGuid: c42343ae-2712-2843-a285-3437eb0b28a1
-  recommendationTypeId: null
-  recommendationControl: Governance
-  recommendationImpact: Low
-  recommendationResourceType: Microsoft.Compute/virtualMachines
-  recommendationMetadataState: Disabled
-  longDescription: |
-    Keeping your virtual machine (VM) secure is crucial for the applications you run. This involves using various Azure services and features to ensure secure access to your VMs and the secure storage of your data, aiming for overall security of your VM and applications.
-  potentialBenefits: Secure VMs and applications
-  pgVerified: true
-  automationAvailable: true
-  tags: []
-  learnMoreLink:
-    - name: Policy-driven governance
-      url: "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-principles#policy-driven-governance"
-
-- description: Virtual Machines should have Azure Disk Encryption or EncryptionAtHost enabled
-  aprlGuid: f0a97179-133a-6e4f-8a49-8a44da73ffce
-  recommendationTypeId: a40cc620-e72c-fdf4-c554-c6ca2cd705c0
-  recommendationControl: Security
-  recommendationImpact: High
-  recommendationResourceType: Microsoft.Compute/virtualMachines
-  recommendationMetadataState: Disabled
-  longDescription: |
-    Consider enabling Azure Disk Encryption (ADE) for encrypting Azure VM disks using DM-Crypt (Linux) or BitLocker (Windows). Additionally, consider Encryption at host and Confidential disk encryption for enhanced data security.
-  potentialBenefits: Enhances data security and integrity
-  pgVerified: true
-  automationAvailable: true
-  tags: []
-  learnMoreLink:
-    - name: Overview of managed disk encryption options
-      url: "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview"
-
 - description: Enable VM Insights
   aprlGuid: b72214bb-e879-5f4b-b9cd-642db84f36f4
   recommendationTypeId: null
@@ -304,28 +202,11 @@
     - name: Overview of VM insights
       url: "https://learn.microsoft.com/azure/azure-monitor/vm/vminsights-overview"
 
-- description: Configure monitoring for all Azure Virtual Machines
-  aprlGuid: 4a9d8973-6dba-0042-b3aa-07924877ebd5
-  recommendationTypeId: null
-  recommendationControl: MonitoringAndAlerting
-  recommendationImpact: Low
-  recommendationResourceType: Microsoft.Compute/virtualMachines
-  recommendationMetadataState: Disabled
-  longDescription: |
-    Azure Monitor Metrics automatically receives platform metrics, but platform logs, which offer detailed diagnostics and auditing for resources and their Azure platform, need to be manually routed for collection.
-  potentialBenefits: Enhanced diagnostics and auditing capability
-  pgVerified: true
-  automationAvailable: true
-  tags: []
-  learnMoreLink:
-    - name: Azure Monitor Agent overview
-      url: "https://learn.microsoft.com/azure/azure-monitor/agents/agents-overview"
-
-- description: Use maintenance configurations for the VMs
+- description: Use maintenance configurations for the Dedicated and/or Isolated VM SKUs
   aprlGuid: 52ab9e5c-eec0-3148-8bd7-b6dd9e1be870
   recommendationTypeId: null
   recommendationControl: HighAvailability
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Compute/virtualMachines
   recommendationMetadataState: Active
   longDescription: |
@@ -372,7 +253,7 @@
     - name: Disk type comparison and decision tree
       url: "https://learn.microsoft.com/azure/virtual-machines/disks-types#disk-type-comparison"
 
-- description: Use Azure Boost VMs for Maintenance sensitive workload
+- description: Use Azure Boost VMs for Maintenance sensitive workload VMs
   aprlGuid: 9ab499d8-8844-424d-a2d4-8f53690eb8f8
   recommendationTypeId: null
   recommendationControl: HighAvailability

azure-resources/ContainerService/managedClusters/kql/005ccbbd-aeab-46ef-80bd-9bd4479412ec.kql

@@ -6,5 +6,4 @@ resources
 | extend taints = tostring(parse_json(agentPoolProfile.nodeTaints))
 | extend nodePool = tostring(parse_json(agentPoolProfile.name))
 | where taints !has "CriticalAddonsOnly=true:NoSchedule" and  agentPoolProfile.minCount < 2
-| project recommendationId="005ccbbd-aeab-46ef-80bd-9bd4479412ec", id, name, param1=strcat("nodePoolName: ", nodePool), param2=strcat("nodePoolMinNodeCount: ", agentPoolProfile.minCount)
-
+| project recommendationId="005ccbbd-aeab-46ef-80bd-9bd4479412ec", name=nodePool, id=strcat(id,"/agentPools/",nodePool), tags,param1=strcat("nodePoolName: ", nodePool), param2=strcat("nodePoolMinNodeCount: ", agentPoolProfile.minCount)

azure-resources/ContainerService/managedClusters/kql/0611251f-e70f-4243-8ddd-cfe894bec2e7.kql

@@ -3,4 +3,4 @@
 resources
 | where type =~ "Microsoft.ContainerService/managedClusters"
 | where sku.tier !in~ ("Standard", "Premium")
-| project recommendationId = "0611251f-e70f-4243-8ddd-cfe894bec2e7", id, name, tags, param1 = strcat("skuName: ", sku.name), param2 = strcat("skuTier: ", sku.tier)
+| project recommendationId = "0611251f-e70f-4243-8ddd-cfe894bec2e7", name,id, tags, param1 = strcat("skuName: ", sku.name), param2 = strcat("skuTier: ", sku.tier)

azure-resources/ContainerService/managedClusters/kql/26ebaf1f-c70d-4ebd-8641-4b60a0ce0094.kql

@@ -13,4 +13,4 @@ PolicyResources
     | where type =~ 'Microsoft.ContainerService/managedClusters'
     | project id, name
 ) on id
-| project recommendationId="26ebaf1f-c70d-4ebd-8641-4b60a0ce0094", id, name, param1=strcat("numNonCompliantAlerts: ", count_)
+| project recommendationId="26ebaf1f-c70d-4ebd-8641-4b60a0ce0094", name,id,param1=strcat("numNonCompliantAlerts: ", count_)

azure-resources/ContainerService/managedClusters/kql/4f63619f-5001-439c-bacb-8de891287727.kql

@@ -1,5 +1,5 @@
 // Azure Resource Graph Query
-// Returns AKS clusters that do not have any availability zones enabled or only use a single zone
+// Returns AKS clusters Node Pools that do not have any availability zones enabled or only use a single zone
 resources
 | where type =~ "Microsoft.ContainerService/managedClusters"
 | where location in~ ("australiaeast", "brazilsouth", "canadacentral", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "mexicocentral", "newzealandnorth", "northeurope", "norwayeast", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southeastasia", "spaincentral", "swedencentral", "switzerlandnorth", "uaenorth", "uksouth", "westeurope", "westus2", "westus3", "usgovvirginia", "chinanorth3")
@@ -10,8 +10,8 @@ resources
 | where numOfAvailabilityZones < 2
 | project
     recommendationId = "4f63619f-5001-439c-bacb-8de891287727",
-    id,
-    name,
+    name=pool.name,
+    id=strcat(id,"/agentPools/",pool.name),
     tags,
     param1 = strcat("NodePoolName: ", pool.name),
     param2 = strcat("Mode: ", pool.mode),

azure-resources/ContainerService/managedClusters/kql/5ee083cd-6ac3-4a83-8913-9549dd36cf56.kql

@@ -12,7 +12,7 @@ resources
 | where hasCriticalAddonsOnly
 | project
     recommendationId="5ee083cd-6ac3-4a83-8913-9549dd36cf56",
-    id,
     name,
+    id,
     tags,
     param1=strcat("nodepoolName: ", nodePool)