Merge branch 'main' of https://github.com/jimays-avila/Azure-Proactiv…

…e-Resiliency-Library

.github/PULL_REQUEST_TEMPLATE.md

@@ -3,6 +3,13 @@
 
 Replace this with a brief description of what this Pull Request fixes, changes, etc.
 
+## Related Issues/Work Items
+
+Replace this with a list of related GitHub Issues and/or ADO Work Items (Internal Only)
+
+- To associate a GitHub Issue, use a [key word](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword) preceded with the GitHub issue number.
+- To associate an ADO Work Item, use the key word `AB#` succeeded with the [ADO Work Item ID](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword).
+
 ## This PR fixes/adds/changes/removes
 
 1. *Replace me*

docs/content/contributing/_index.md

@@ -145,7 +145,7 @@ hugo new --kind service-bundle services/compute/virtual-machines
 {{< /code >}}
 4. Open `_index.md` in VS Code and make relevant changes
     - You can copy the recommendations labelled `CM-1` or `CM-2` multiple times to create more recommendations
-5. Update the ARG, PowerShell, AZCLI scripts in the `code` folder within `virtual-machines`
+5. Update Azure Resource Graph queries, PowerShell, AZCLI scripts in the `code` folder within `virtual-machines`
     - You will see there is a folder, e.g. `cm-1`, `cm-2`, per recommendation to help with file structure organization
 6. Ensure you use the correct Azure resource abbreviations provided within our Cloud Adoption Framework (CAF) documentation [here](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations). For example, use `vm` for Virtual Machines.
 7. Save, commit and push your changes to your branch and repo
@@ -156,6 +156,33 @@ hugo new --kind service-bundle services/compute/virtual-machines
 Don't forget you can see your changes live by running a local copy of the APRL website by following the guidance [here.](#run-and-access-a-local-copy-of-aprl-during-development)
 {{< /alert >}}
 
+## Automation Standards for Recommendations
+
+When creating recommendations for a service, please follow the below standards:
+
+### Azure Resource Graph (ARG) Queries
+
+1. ARG query columns name returned should only include the following:
+  | Column Name | Required | Example | Description |
+  |:---:|:---:|:---:|:---:|
+  | recommendationId | Yes | aks-1 | The acronym of the Azure service that the query is returning results for, followed by the APRL recommendation number. |
+  | name | Yes | test-aks | The resource name of the Azure resource that does not adher to the APRL recommendation. |
+  | id | Yes | /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/test-resource-group/providers/Microsoft.ContainerService/managedClusters/test-aks | The resource ID of the Azure resource that does not adhere to the APRL recommendation. |
+  | tags | No | {"Environment":"Test","Department":"IT"} | Any relevant tags associated to the resource that does not adhere to the APRL recommendation. |
+  | param1 | No | networkProfile:kubenet | Any additional information that is necessary to provide clarification for the APRL recommendation. |
+  | param2 | No | networkProfile:kubenet | Any additional information that is necessary to provide clarification for the APRL recommendation. |
+  | param3 | No | networkProfile:kubenet | Any additional information that is necessary to provide clarification for the APRL recommendation. |
+  | param4 | No | networkProfile:kubenet | Any additional information that is necessary to provide clarification for the APRL recommendation. |
+  | param5 | No | networkProfile:kubenet | Any additional information that is necessary to provide clarification for the APRL recommendation. |
+
+1. If the ARG query is under development, the query should have a single line stating: `// under-development`
+
+1. If a recommendation query cannot be returned due to limitations with the data provided within ARG, the query should have a single line stating: `// cannot-be-validated-with-arg`
+
+{{< alert style="info" >}}
+If you need support with validating a query, please reach out to the APRL team via the [APRL GitHub General Question/Feedback Form](https://github.com/Azure/Azure-Proactive-Resiliency-Library/issues/new?assignees=&labels=feedback%2C+question&projects=&template=general-question-feedback----.md&title=%E2%9D%93%F0%9F%91%82+Question%2FFeedback+-+PLEASE+CHANGE+ME+TO+SOMETHING+DESCRIPTIVE)
+{{< /alert >}}
+
 ## Updating a Service's Recommendation Page
 
 {{< panel title="Important" style="danger" >}}

docs/content/services/ai-ml/databricks/code/dbw-1/dbw-1.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-10/dbw-10.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-11/dbw-11.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-12/dbw-12.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-13/dbw-13.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-14/dbw-14.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-15/dbw-15.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-16/dbw-16.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-17/dbw-17.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-18/dbw-18.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-19/dbw-19.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-2/dbw-2.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-20/dbw-20.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-21/dbw-21.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-22/dbw-22.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-23/dbw-23.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-24/dbw-24.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-25/dbw-25.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-26/dbw-26.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-27/dbw-27.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-28/dbw-28.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-3/dbw-3.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-4/dbw-4.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-5/dbw-5.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-6/dbw-6.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-7/dbw-7.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-8/dbw-8.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/ai-ml/databricks/code/dbw-9/dbw-9.kql

@@ -0,0 +1 @@
+// under-development

docs/content/services/compute/virtual-machine-scale-sets/_index.md

@@ -227,6 +227,7 @@ When you create your VMSS, use availability zones to protect your applications a
 **Resources**
 
 - [Create a Virtual Machine Scale Set that uses Availability Zones](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones)
+- [Update scale set to add availability zones](https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones?tabs=cli-1%2Cportal-2#update-scale-set-to-add-availability-zones)
 
 **Resource Graph Query/Scripts**
 

docs/content/services/container/azure-container-registry/_index.md

@@ -128,6 +128,14 @@ Some characteristics of your images themselves can impact pull performance:
 
 - [Registry authentication options - Azure Container Registry](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#admin-account)
 
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/cr-4/cr-4.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
 <br><br>
 
 ### CR-5 - Use Repository namespaces
@@ -144,6 +152,13 @@ By using repository namespaces, you can allow sharing a single registry across m
 
 - [Registry best practices - use repository namespaces](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-best-practices#repository-namespaces)
 
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/cr-5/cr-5.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
 <br><br>
 
 ### CR-6 - Move Container Registry to a dedicated resource group
@@ -263,6 +278,13 @@ Resource Logs are not collected and stored until you create a diagnostic setting
 - [Monitoring Azure Container Registry data reference - Resource Logs](https://learn.microsoft.com/en-us/azure/container-registry/monitor-service-reference#resource-logs)
 - [Monitor Azure Container Registry - Enable diagnostic logs](https://learn.microsoft.com/en-us/azure/container-registry/monitor-service#collection-and-routing)
 
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/cr-10/cr-10.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
 <br><br>
 
 ### CR-11 - Monitor Azure Container Registry with Azure Monitor
@@ -279,6 +301,15 @@ When you have critical applications and business processes relying on Azure reso
 
 - [Monitoring Azure Container Registry data reference](https://learn.microsoft.com/en-us/azure/container-registry/monitor-service-reference#metrics)
 - [Monitor Azure Container Registry](https://learn.microsoft.com/en-us/azure/container-registry/monitor-service)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/cr-11/cr-11.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
 <br><br>
 
 ### CR-12 - Enable soft delete policy

docs/content/services/container/azure-container-registry/code/cr-10/cr-10.kql

@@ -0,0 +1 @@
+// cannot-be-validated-with-arg

docs/content/services/container/azure-container-registry/code/cr-11/cr-11.kql

@@ -0,0 +1 @@
+// cannot-be-validated-with-arg

docs/content/services/container/azure-container-registry/code/cr-4/cr-4.kql

@@ -0,0 +1 @@
+// cannot-be-validated-with-arg

docs/content/services/container/azure-container-registry/code/cr-5/cr-5.kql

@@ -0,0 +1 @@
+// cannot-be-validated-with-arg

docs/content/services/database/db-for-postgresql/_index.md

@@ -0,0 +1,50 @@
++++
+title = "DB for PostgreSQL"
+description = "Best practices and resiliency recommendations for Database for PostgreSQL and associated resources and settings."
+date = "10/11/23"
+author = "ejhenry"
+msAuthor = "ejhenry"
+draft = false
++++
+
+The presented resiliency recommendations in this guidance include Database for PostgreSQL and associated resources and settings.
+
+## Summary of Recommendations
+
+{{< table style="table-striped" >}}
+| Recommendation                                    |  Category                                                               |  Impact         |  State            | ARG Query Available |
+| :------------------------------------------------ | :---------------------------------------------------------------------: | :------:        | :------:          | :-----------------: |
+| [PSQL-1 - Enable HA with zone redundancy](#psql-1---enable-ha-with-zone-redundancy) | High Availability | High | Preview  |         Yes         |
+{{< /table >}}
+
+{{< alert style="info" >}}
+
+Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}})
+
+{{< /alert >}}
+
+## Recommendations Details
+
+### PSQL-1 - Enable HA with zone redundancy
+
+**Category: Availability**
+
+**Impact: High**
+
+**Recommendation**
+
+Enable HA with zone redundancy on flexible server instances. Zone redundant high availability deploys a standby replica in a different zone with automatic failover capability.
+
+**Resources**
+
+- [Overview of high availability with Azure Database for PostgreSQL](https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-high-availability)
+
+**Resource Graph Query**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/psql-1/psql-1.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>

docs/content/services/database/db-for-postgresql/code/psql-1/psql-1.azcli

@@ -0,0 +1 @@
+:: under-development

docs/content/services/database/db-for-postgresql/code/psql-1/psql-1.kql

@@ -0,0 +1,6 @@
+// Azure Resource Graph Query
+// Find Database for PostgreSQL instances that are not zone redundant
+resources
+| where type == "microsoft.dbforpostgresql/flexibleservers"
+| where properties.highAvailability.mode != "ZoneRedundant"
+| project recommendationId = "psql-1", name, id, param1 = "ZoneRedundant: False"

docs/content/services/database/db-for-postgresql/code/psql-1/psql-1.ps1

@@ -0,0 +1 @@
+# under-development

docs/content/services/integration/event-hub/_index.md

@@ -0,0 +1,50 @@
++++
+title = "Event Hub"
+description = "Best practices and resiliency recommendations for Event Hub and associated resources and settings."
+date = "10/6/23"
+author = "ejhenry"
+msAuthor = "ejhenry"
+draft = false
++++
+
+The presented resiliency recommendations in this guidance include Event Hub and associated resources and settings.
+
+## Summary of Recommendations
+
+{{< table style="table-striped" >}}
+| Recommendation                                    |  Category                                                               |  Impact         |  State            | ARG Query Available |
+| :------------------------------------------------ | :---------------------------------------------------------------------: | :------:        | :------:          | :-----------------: |
+| [EVHNS-1 - Enable zone redundancy for Event Hub namespace](#evhns-1---enable-zone-redundancy-for-event-hub-namespace) | High Availability | High | Preview  |         Yes         |
+{{< /table >}}
+
+{{< alert style="info" >}}
+
+Definitions of states can be found [here]({{< ref "../../../_index.md#definitions-of-terms-used-in-aprl">}})
+
+{{< /alert >}}
+
+## Recommendations Details
+
+### EVHNS-1 - Enable zone redundancy for Event Hub namespace
+
+**Category: Availability**
+
+**Impact: High**
+
+**Recommendation**
+
+Event Hubs supports Availability Zones, providing fault-isolated locations within an Azure region. The Availability Zones support is only available in Azure regions with availability zones. Both metadata and data (events) are replicated across data centers in the availability zone.
+
+**Resources**
+
+- [Azure Event Hubs - Geo-disaster recovery](https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal#availability-zones)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/evhns-1/evhns-1.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>

docs/content/services/integration/event-hub/code/evhns-1/evhns-1.azcli

@@ -0,0 +1 @@
+:: under-development

docs/content/services/integration/event-hub/code/evhns-1/evhns-1.kql

@@ -0,0 +1,7 @@
+// Azure Resource Graph Query
+// Find Event Hub namespace instances that are not zone redundant
+resources
+| where type == "microsoft.eventhub/namespaces"
+| where properties.zoneRedundant == false
+| project recommendationId = "evhns-1", name, id, param1 = "ZoneRedundant: False"
+| order by id asc

docs/content/services/integration/event-hub/code/evhns-1/evhns-1.ps1

@@ -0,0 +1 @@
+# under-development

docs/content/services/migration/_index.md

@@ -0,0 +1,18 @@
++++
+title = "Migration"
+description = "Migration Services"
+date = 2023-10-11T10:12:16Z
+draft = false
++++
+
+This page lists all of the Azure Services under the Migration category for which the APRL has guidance, recommendations and queries for.
+
+## Services List
+
+{{< alert style="info" >}}
+
+The below list of services is automatically populated based on the child folders and files in this directory within the source code in the repo.
+
+{{< /alert >}}
+
+{{< childpages >}}

docs/content/services/monitoring/log-analytics/_index.md

@@ -20,6 +20,7 @@ The below table shows the list of resiliency recommendations for Log Analytics a
 | [LOG-2 - Link Log Analytics Workspace to an Availability Zone enabled dedicated cluster](#log-2---link-log-analytics-workspace-to-an-availability-zone-enabled-dedicated-cluster) | Medium  | Preview |         Yes          |
 | [LOG-3 - Configure data collection to send critical data to multiple workspaces in different regions](#log-3---configure-data-collection-to-send-critical-data-to-multiple-workspaces-in-different-regions) | Medium  | Preview  |         No         |
 | [LOG-4 - Create a health status alert rule for your Log Analytics workspace](#log-4---create-a-health-status-alert-rule-for-your-log-analytics-workspace) | Low  | Preview  |         No         |
+| [LOG-5 - Configure minimal logging and retention of logs](#log-5---configure-minimal-logging-and-retention-of-logs) | Low  | Preview  |         Yes         |
 {{< /table >}}
 
 {{< alert style="info" >}}
@@ -129,3 +130,31 @@ A health status alert will proactively notify you if a workspace becomes unavail
 {{< /collapse >}}
 
 <br><br>
+
+### LOG-5 - Configure minimal logging and retention of logs
+
+**Category: Monitoring**
+
+**Impact: Low**
+
+**Guidance**
+
+ Azure Monitor Logs automatically retains log data for a specific period of time depending on the data type (for example, 31 days for platform logs and metrics). However, you may need to retain your data for longer periods for compliance or business reasons. You can configure the data retention settings based on your requirements.
+
+ For long-term storage, it might be necessary to move logs from Azure Monitor to a more cost-effective storage solution, such as Azure Blob Storage. This allows you to keep logs for an extended period of time without incurring high costs.
+
+**Resources**
+
+- [Data retention and archive in Azure Monitor Logs](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2)
+- [Run search jobs in Azure Monitor](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/search-jobs?tabs=portal-1%2Cportal-2)
+- [Restore logs in Azure Monitor](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/restore?tabs=api-1)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/log-5/log-5.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>

docs/content/services/monitoring/log-analytics/code/log-5/log-5.kql

@@ -0,0 +1,6 @@
+//Configure minimal logging and retention of logs.
+//Query to get the list of Log analytics workspaces and their current configured retention period
+resources
+| where type == "microsoft.operationalinsights/workspaces"
+| extend RetentionPeriod = tostring(properties.retentionInDays), SkuName=tostring(properties.sku.name)
+| project recommendationId="log-5", name,location,resourceGroup,RetentionPeriod,SkuName,subscriptionId