AI rule: azure.ml.compute_instance.idle (#132)

Author: sureshcsdp

README.fr.md

@@ -141,7 +141,7 @@ Pas encore de compte cloud ? `cleancloud demo` affiche un exemple de sortie sans
 - **Détection du gaspillage IA/ML sur les 3 clouds :** endpoints SageMaker, clusters AML Compute et endpoints Vertex AI inactifs, facturés 500–23 000 $/mois par ressource en silence. Ressources GPU flaggées risque HIGH. Les outils natifs montrent la facture — CleanCloud indique quel endpoint supprimer. Opt-in via `--category ai`
 - **Gouvernance policy-as-code :** `cleancloud.yaml` pour la configuration par règle, les exceptions avec dates d'expiration, les seuils de coût et de confiance, les exclusions par tag — versionné aux côtés de votre infrastructure. Chaque exception est une approbation auditée dans git.
 - **Application de politique (opt-in) :** `--fail-on-confidence HIGH` ou `--fail-on-cost 500` — appliquer des seuils de gaspillage en CI/CD sur un planning, géré par les équipes platform ou FinOps
-- **34 règles de détection sélectives et haut signal :** volumes orphelins, bases de données inactives, instances arrêtées, registres inutilisés, et plus — conçues pour éviter les faux positifs en environnements IaC, chacune avec une estimation de coût déterministe
+- **35 règles de détection sélectives et haut signal :** volumes orphelins, bases de données inactives, instances arrêtées, registres inutilisés, et plus — conçues pour éviter les faux positifs en environnements IaC, chacune avec une estimation de coût déterministe
 - **Scan multi-comptes (AWS) :** scannez des AWS Organizations entières en une exécution — fichier de config, IDs inline, ou auto-découverte via `--org`
 - **Scan multi-abonnements (Azure) :** scannez tous les abonnements Azure en parallèle — auto-découverte via Management Group, détail des coûts par abonnement inclus
 - **Scan multi-projets (GCP) :** scannez tous les projets GCP accessibles en parallèle — auto-découverte via Application Default Credentials, détail des coûts par projet inclus
@@ -221,6 +221,7 @@ L'infrastructure IA/ML inactive est la source de gaspillage cloud invisible à l
 | Endpoint SageMaker (GPU) | 500 – 23 000 $ / mois |
 | Instance Notebook SageMaker (GPU) | 500 – 23 000+ $ / mois |
 | Cluster AML Compute Azure (GPU) | 600 – 15 000 $ / mois |
+| Instance de calcul Azure ML (GPU) | 600 – 15 000+ $ / mois |
 | Endpoint Vertex AI Online Prediction (GPU) | 449 – 23 000+ $ / mois |
 
 CleanCloud détecte les endpoints à zéro invocation / zéro prédiction et les instances de notebook inactives sur les 3 clouds et les signale risque HIGH. Les outils natifs montrent la facture — ils ne vous disent pas *quel endpoint* supprimer.
@@ -466,7 +467,7 @@ Oui. CleanCloud n'a besoin d'accès réseau qu'aux endpoints API de votre cloud
 
 ## Ce que CleanCloud détecte
 
-34 règles pour AWS, Azure et GCP — conservatives, haut signal, conçues pour éviter les faux positifs en environnements IaC.
+35 règles pour AWS, Azure et GCP — conservatives, haut signal, conçues pour éviter les faux positifs en environnements IaC.
 
 **AWS :**
 - Compute : instances arrêtées 30+ jours (charges EBS continuent)
@@ -483,7 +484,7 @@ Oui. CleanCloud n'a besoin d'accès réseau qu'aux endpoints API de votre cloud
 - Réseau : adresses IP publiques inutilisées, Load Balancers vides (HIGH), App Gateways vides (HIGH), VNet Gateways inactives
 - Plateforme : App Service Plans vides (HIGH), bases de données SQL inactives (HIGH), App Services inactifs, Container Registries inutilisés
 - Gouvernance : ressources sans tags
-- IA/ML *(opt-in : `--category ai`)* : clusters de calcul AML avec capacité baseline non nulle et aucune activité depuis 14+ jours — clusters GPU flaggés risque HIGH ($600–$15K/mois)
+- IA/ML *(opt-in : `--category ai`)* : clusters de calcul AML avec capacité baseline non nulle et aucune activité depuis 14+ jours — clusters GPU flaggés risque HIGH ($600–$15K/mois) ; instances de calcul Azure ML Running sans activité depuis 14+ jours — instances GPU flaggées risque CRITICAL ($600–$15K+/mois)
 
 **GCP :**
 - Compute : instances VM arrêtées 30+ jours (charges disque continuent) (HIGH)

README.md

@@ -221,6 +221,7 @@ Idle AI/ML infrastructure is the fastest-growing source of invisible cloud spend
 | SageMaker endpoint (GPU) | $500 – $23,000 / month |
 | SageMaker Notebook Instance (GPU) | $500 – $23,000+ / month |
 | Azure AML compute cluster (GPU) | $600 – $15,000 / month |
+| Azure ML Compute Instance (GPU) | $600 – $15,000+ / month |
 | Vertex AI Online Prediction endpoint (GPU) | $449 – $23,000+ / month |
 
 CleanCloud detects zero-invocation / zero-prediction endpoints and idle notebook instances across all three clouds and flags them HIGH risk. Native cost tools show the bill — they don't tell you *which endpoint* to delete.
@@ -466,7 +467,7 @@ Yes. CleanCloud only needs network access to your cloud provider's API endpoints
 
 ## What CleanCloud Detects
 
-34 rules across AWS, Azure, and GCP — conservative, high-signal, designed to avoid false positives in IaC environments.
+35 rules across AWS, Azure, and GCP — conservative, high-signal, designed to avoid false positives in IaC environments.
 
 **AWS:**
 - Compute: stopped instances 30+ days (EBS charges continue)
@@ -483,7 +484,7 @@ Yes. CleanCloud only needs network access to your cloud provider's API endpoints
 - Network: unused public IPs, empty load balancers (HIGH), empty App Gateways (HIGH), idle VNet Gateways
 - Platform: empty App Service Plans (HIGH), idle SQL databases (HIGH), idle App Services, unused Container Registries
 - Governance: untagged resources
-- AI/ML *(opt-in: `--category ai`)*: idle AML compute clusters with non-zero baseline capacity and no workload activity 14+ days — GPU clusters flagged HIGH risk ($600–$15K/month)
+- AI/ML *(opt-in: `--category ai`)*: idle AML compute clusters with non-zero baseline capacity and no workload activity 14+ days — GPU clusters flagged HIGH risk ($600–$15K/month); idle Compute Instances with no control-plane activity 14+ days — GPU instances CRITICAL risk ($600–$15K+/month)
 
 **GCP:**
 - Compute: stopped instances 30+ days (disk charges continue) (HIGH)

cleancloud/demo/findings.py

@@ -422,7 +422,7 @@
                 "Disk status: READY",
                 "No VM users (users list empty)",
                 "Disk type: pd-ssd (~$0.17/GB/month storage)",
-                "Size: 500 GB → ~$85.0/month (estimated, region-dependent)",
+                "Size: 500 GB -> ~$85.0/month (estimated, region-dependent)",
                 "Last detached: 1656h ago",
             ],
             signals_not_checked=[
@@ -737,6 +737,61 @@
         ),
         estimated_monthly_cost_usd=4406.0,
     ),
+    Finding(
+        provider="azure",
+        rule_id="azure.ml.compute_instance.idle",
+        resource_type="azure.ml.compute_instance",
+        resource_id=(
+            "/subscriptions/29d91ee0-922f-483a-a81f-1a5eff4ecfa2"
+            "/resourceGroups/rg-ml-platform"
+            "/providers/Microsoft.MachineLearningServices"
+            "/workspaces/ml-platform-prod"
+            "/computes/nlp-research-vm"
+        ),
+        region="East US",
+        title="Idle Azure ML Compute Instance (>14 Days Idle, 31 Days Since Activity)",
+        summary=(
+            "Azure ML Compute Instance 'nlp-research-vm' in workspace 'ml-platform-prod' "
+            "has had no control-plane activity for 31 days but remains Running, incurring "
+            "continuous charges (~$2,203/month)."
+        ),
+        reason="Azure ML Compute Instance has had no control-plane activity for 31 days",
+        risk=RiskLevel.CRITICAL,
+        confidence=ConfidenceLevel.HIGH,
+        detected_at=_NOW,
+        details={
+            "instance_name": "nlp-research-vm",
+            "workspace_name": "ml-platform-prod",
+            "resource_group": "rg-ml-platform",
+            "vm_size": "Standard_NC6s_v3",
+            "state": "Running",
+            "is_gpu": True,
+            "age_days": 31,
+            "idle_since_days": 31,
+            "idle_days_threshold": 14,
+            "idle_ratio": 2.21,
+            "estimated_monthly_cost": "~$2,203/month",
+            "cost_source": "approximate_East US",
+        },
+        evidence=Evidence(
+            signals_used=[
+                "Instance state: Running",
+                "Age: 31 days",
+                "Last control-plane operation: 31 days ago (last_operation.operation_time) — last op: Start",
+                "VM size: Standard_NC6s_v3",
+                "GPU instance — high hourly cost",
+            ],
+            signals_not_checked=[
+                "Active Jupyter kernel or notebook sessions",
+                "VS Code / RStudio remote connections",
+                "Scheduled jobs running on this instance",
+                "Assigned user's planned future use",
+                "Resource tags (e.g. keep_alive=true)",
+            ],
+            time_window="31 days",
+        ),
+        estimated_monthly_cost_usd=2203.0,
+    ),
 ]
 
 AWS_AI_FINDINGS: List[Finding] = [

cleancloud/doctor/aws.py

@@ -793,7 +793,7 @@ def run_aws_multi_account_doctor(
                 external_id=config.external_id,
             )
             assumed_identity = assumed.client("sts", config=BOTO_CONFIG).get_caller_identity()
-            success(f"{label}  →  {assumed_identity['Arn']}")
+            success(f"{label}  ->  {assumed_identity['Arn']}")
             passed += 1
         except botocore.exceptions.ClientError as e:
             code = e.response["Error"]["Code"]

cleancloud/doctor/azure.py

@@ -328,7 +328,7 @@ def run_azure_doctor() -> None:
 
 
 def run_azure_ai_doctor(subscription_id: str = None) -> None:
-    """Validate Azure permissions for --category ai (Azure ML compute rules)."""
+    """Validate Azure permissions for --category ai (Azure ML compute cluster and compute instance rules)."""
     info("")
     info("=" * 70)
     info("AZURE AI/ML PERMISSION VALIDATION")

cleancloud/doctor/gcp.py

@@ -368,7 +368,7 @@ def run_gcp_doctor(project_id: Optional[str] = None) -> None:
             warn("compute.disks.list — MISSING (rule: disk_unattached will be skipped)")
         except NotFound:
             info("compute.disks.list — Compute Engine API not enabled (rule unavailable)")
-            info("  → enable via: gcloud services enable compute.googleapis.com")
+            info("  -> enable via: gcloud services enable compute.googleapis.com")
         except ResourceExhausted:
             warn("compute.disks.list — API quota exceeded (retry later)")
         except Exception as e:
@@ -387,7 +387,7 @@ def run_gcp_doctor(project_id: Optional[str] = None) -> None:
             warn("compute.instances.list — MISSING (rule: vm_stopped will be skipped)")
         except NotFound:
             info("compute.instances.list — Compute Engine API not enabled (rule unavailable)")
-            info("  → enable via: gcloud services enable compute.googleapis.com")
+            info("  -> enable via: gcloud services enable compute.googleapis.com")
         except ResourceExhausted:
             warn("compute.instances.list — API quota exceeded (retry later)")
         except Exception as e:
@@ -406,7 +406,7 @@ def run_gcp_doctor(project_id: Optional[str] = None) -> None:
             warn("compute.addresses.list — MISSING (rule: ip_unused regional IPs will be skipped)")
         except NotFound:
             info("compute.addresses.list — Compute Engine API not enabled (rule unavailable)")
-            info("  → enable via: gcloud services enable compute.googleapis.com")
+            info("  -> enable via: gcloud services enable compute.googleapis.com")
         except ResourceExhausted:
             warn("compute.addresses.list — API quota exceeded (retry later)")
         except Exception as e:
@@ -427,7 +427,7 @@ def run_gcp_doctor(project_id: Optional[str] = None) -> None:
             )
         except NotFound:
             info("compute.globalAddresses.list — Compute Engine API not enabled (rule unavailable)")
-            info("  → enable via: gcloud services enable compute.googleapis.com")
+            info("  -> enable via: gcloud services enable compute.googleapis.com")
         except ResourceExhausted:
             warn("compute.globalAddresses.list — API quota exceeded (retry later)")
         except Exception as e:
@@ -446,7 +446,7 @@ def run_gcp_doctor(project_id: Optional[str] = None) -> None:
             warn("compute.snapshots.list — MISSING (rule: snapshot_old will be skipped)")
         except NotFound:
             info("compute.snapshots.list — Compute Engine API not enabled (rule unavailable)")
-            info("  → enable via: gcloud services enable compute.googleapis.com")
+            info("  -> enable via: gcloud services enable compute.googleapis.com")
         except ResourceExhausted:
             warn("compute.snapshots.list — API quota exceeded (retry later)")
         except Exception as e:
@@ -466,7 +466,7 @@ def run_gcp_doctor(project_id: Optional[str] = None) -> None:
                 warn("cloudsql.instances.list — MISSING (rule: sql_instance_idle will be skipped)")
             elif resp.status_code == 404:
                 info("cloudsql.instances.list — Cloud SQL API not enabled (rule unavailable)")
-                info("  → enable via: gcloud services enable sqladmin.googleapis.com")
+                info("  -> enable via: gcloud services enable sqladmin.googleapis.com")
             else:
                 permissions_tested.append("cloudsql.instances.list")
                 success("cloudsql.instances.list")
@@ -509,7 +509,7 @@ def run_gcp_doctor(project_id: Optional[str] = None) -> None:
             )
         except NotFound:
             info("monitoring.timeSeries.list — Cloud Monitoring API not enabled (rule unavailable)")
-            info("  → enable via: gcloud services enable monitoring.googleapis.com")
+            info("  -> enable via: gcloud services enable monitoring.googleapis.com")
         except ResourceExhausted:
             warn("monitoring.timeSeries.list — API quota exceeded (retry later)")
         except Exception as e:

cleancloud/filtering/rules.py

@@ -98,12 +98,12 @@ def _validate_params(rule_id: str, params: Dict[str, Any], func: Callable) -> No
         if key not in valid:
             close = difflib.get_close_matches(key, valid.keys(), n=1, cutoff=0.6)
             hint = f" (did you mean '{close[0]}'?)" if close else f". Valid params: {sorted(valid)}"
-            raise ValueError(f"Invalid config: rules.{rule_id}.params.{key} → unknown field{hint}")
+            raise ValueError(f"Invalid config: rules.{rule_id}.params.{key} -> unknown field{hint}")
 
         expected_type = valid[key]
         if expected_type is not None and not isinstance(value, expected_type):
             raise ValueError(
-                f"Invalid config: rules.{rule_id}.params.{key} → "
+                f"Invalid config: rules.{rule_id}.params.{key} -> "
                 f"expected {expected_type.__name__}, got {type(value).__name__} ({value!r})"
             )
 

cleancloud/output/human.py

@@ -23,7 +23,7 @@ def print_human(findings: List[Finding]):
                 else f.account_id
             )
             print(f"   Account    : {label} ({f.account_id})")
-        print(f"   Resource   : {f.resource_type} → {f.resource_id}")
+        print(f"   Resource   : {f.resource_type} -> {f.resource_id}")
         if f.region:
             print(f"   Region     : {f.region}")
 

cleancloud/output/markdown.py

@@ -45,14 +45,20 @@ def write_markdown(
     else:
         regions_str = str(regions)
 
-    subscriptions = summary.get("subscriptions_scanned", [])
     accounts_scanned = summary.get("accounts_scanned")
-
     projects_scanned = summary.get("projects_scanned", [])
 
+    # Use names from per_subscription when available (falls back to IDs)
+    per_sub_meta = summary.get("per_subscription", [])
+    sub_names = (
+        [r["name"] for r in per_sub_meta]
+        if per_sub_meta
+        else summary.get("subscriptions_scanned", [])
+    )
+
     lines.append(f"**Provider:** {provider}  ")
-    if subscriptions:
-        lines.append(f"**Subscriptions:** {', '.join(subscriptions)}  ")
+    if sub_names:
+        lines.append(f"**Subscriptions:** {', '.join(sub_names)}  ")
     elif accounts_scanned is not None:
         lines.append(f"**Accounts:** {accounts_scanned}  ")
         lines.append(f"**Regions:** {regions_str}  ")
@@ -85,6 +91,15 @@ def write_markdown(
 
     lines.append("")
 
+    # Rules evaluated
+    rules_evaluated = summary.get("rules_evaluated", {})
+    if rules_evaluated:
+        lines.append(
+            f"**Rules evaluated ({len(rules_evaluated)}):** "
+            + ", ".join(f"`{r}`" for r in sorted(rules_evaluated.keys()))
+        )
+        lines.append("")
+
     # Confidence breakdown
     by_conf = summary.get("by_confidence", {})
     if by_conf:
@@ -134,9 +149,9 @@ def write_markdown(
             lines.append(f"| {label} ({rid}) | {r.get('findings', 0)}{status_str} | {cost_str} |")
         lines.append("")
 
-    # Azure multi-subscription breakdown
+    # Azure multi-subscription breakdown (only shown when more than one subscription)
     per_sub = summary.get("per_subscription")
-    if per_sub:
+    if per_sub and len(per_sub) > 1:
         lines.append("**Per-subscription breakdown:**")
         lines.append("")
         lines.append("| Subscription | Findings | Est. Monthly Cost |")