AzureLocalRanger

Author(s)

• Azure Local Cloud

Tags

AzureLocal AzureStackHCI HCI Arc ArcEnabledInfrastructure PowerShell Documentation Inventory Audit AsBuilt Report Discovery HealthCheck Cluster FailoverClustering Windows WindowsServer Hyper-V StorageSpacesDirect S2D

Functions

Invoke-AzureLocalRanger New-AzureLocalRangerConfig Export-AzureLocalRangerReport Test-AzureLocalRangerPrerequisites Test-RangerPermissions Invoke-RangerWizard Export-RangerWafConfig Import-RangerWafConfig Get-RangerRemediation Publish-RangerRun Invoke-AzureLocalRangerEstate Import-RangerManualEvidence

PSEditions

Core

Dependencies

This module has no dependencies.

Release Notes

## v2.6.4 — First-Run UX Patch

Patch release that completes v2.6.3's First-Run UX work. The v2.6.3
drop shipped with a structural-placeholder leak in the default config
that blocked the advertised 2-field / zero-config invocation path —
bare `Invoke-AzureLocalRanger` still threw on `environment.name`,
`cluster.fqdn`, and `resourceGroup` even after the operator answered
the subscription + tenant prompts. Same bug class as v2.6.3 #292
(kv-ranger leak) but for structural fields.

### Fixed
- **Default config scaffold placeholders break bare `Invoke-AzureLocalRanger`
 and the 2-field invocation (#300)** — `Get-RangerDefaultConfig` no
 longer ships placeholder values for `environment.name`, `clusterName`,
 `description`, `targets.cluster.fqdn`, `targets.azure.subscriptionId`
 / `tenantId` / `resourceGroup`, or `targets.bmc.endpoints`. The auto-
 discovery cluster-select gate now fires correctly when the operator
 hasn't supplied a clusterName.

### Changed
- **Interactive prompt re-runs auto-discovery between answers (#300)** —
 `Invoke-RangerInteractiveInput` now prompts one field at a time and
 re-runs `Invoke-RangerAzureAutoDiscovery` after each answer. Supplying
 subscription + tenant at the first two prompts fires
 `Select-RangerCluster` on the next pass and auto-fills clusterName,
 resourceGroup, cluster.fqdn, and nodes — so the remaining prompts
 collapse to zero or one.
- **Prompt order now leads with Azure identifiers (#300)** —
 `Get-RangerMissingRequiredInputs` lists `subscriptionId` and
 `tenantId` before the fields that auto-discovery would fill. Operators
 who know nothing but those two can now invoke bare
 `Invoke-AzureLocalRanger` and be done.
- **Fixture-mode bypass in `Test-RangerConfiguration` (#300)** — the
 required-target check now respects fixture mode the same way
 `Get-RangerMissingRequiredInputs` does, so fixture-backed runs no
 longer fail validation just because the default cluster target is
 now legitimately empty.

## v2.6.3 — First-Run UX

Lowers the required-input floor to **tenantId + subscriptionId**, fills in the
rest via Azure Arc auto-discovery, and rebuilds the setup wizard with full
credential-method coverage and a proper YAML serializer.

### Added
- **Cluster node auto-discovery (#294)** — `Invoke-RangerAzureAutoDiscovery`
 now populates `targets.cluster.nodes` from Arc cluster `properties.nodes` or
 a subscription-wide Arc machines query. Short names are promoted to FQDNs
 using the discovered cluster domain suffix.
- **Three-field minimum invocation (#296)** — `Invoke-AzureLocalRanger` no
 longer requires `-ConfigPath` or `-ConfigObject`. Passing
 `-SubscriptionId -TenantId -ClusterName` on the command line (or any subset,
 with prompting for the rest in interactive mode) is enough to start a run.
- **Two-field cluster auto-select (#297)** — new `Select-RangerCluster`
 enumerates `microsoft.azurestackhci/clusters` in the subscription. Single
 clusters auto-select; multiples prompt an interactive menu; `-Unattended`
 and non-interactive hosts fail fast with `RANGER-DISC-002`. No HCI clusters
 throws `RANGER-DISC-001`; permission failures throw `RANGER-AUTH-001`.

### Changed
- **Scope-gated device credential prompting (#295)** —
 `Resolve-RangerCredentialMap` only prompts for BMC / switch / firewall
 credentials when the relevant collector is in scope AND a matching target
 list is populated. Explicit credential overrides are still honored even
 when the target list is empty.
- **Wizard overhaul (#291)** — `Invoke-RangerWizard` covers all six Azure
 auth strategies (existing-context, run-time prompt, service-principal with
 optional KV secret ref, managed-identity, device-code, azure-cli); GUID
 fields are validated inline and re-prompted; an optional BMC section adds
 iDRAC endpoints; a review screen prints the assembled YAML before save or
 run; existing files prompt for overwrite; and save now writes YAML via
 `ConvertTo-RangerYaml` by default — fixing the bug where `.yml` files
 contained JSON.

### Fixed
- **kv-ranger credential leak (#292)** — `Get-RangerDefaultConfig` no longer
 ships placeholder `keyvault://kv-ranger/*` password references for the
 `cluster`, `domain`, and `bmc` credential blocks. Missing credentials now
 fall through to the interactive prompt instead of producing a spurious KV
 DNS error from a vault the operator never configured.

## v2.6.2 — TRAILHEAD Bug Fixes (P7 Regression)

Bug-fix release addressing two issues found during TRAILHEAD P7 regression testing.

### Fixed
- **Config validator rejects pptx and json-evidence formats (#262)** —
 `Test-RangerConfiguration` now includes `pptx` and `json-evidence` in the
 `$supportedFormats` whitelist. These formats were added in v2.5.0 but omitted
 from validation, causing any config referencing them to be rejected.
- **New-AzureLocalRangerConfig YAML template has misindented fields (#263)** —
 `credentials.azure.method` and `behavior.promptForMissingRequired` in the
 generated YAML config template now have correct indentation, preventing YAML
 parse errors when the template is used as-is.

## v2.6.1 — TRAILHEAD Bug Fixes (P3 Live Validation)

Bug-fix release addressing failures discovered during TRAILHEAD live validation
against a 4-node Dell AX-760 Azure Local cluster.

### Fixed
- **Topology collector returns 0 nodes on partial WinRM failure (#259)** —
 `Invoke-RangerRemoteCommand` now executes each cluster node individually rather
 than batching all targets in one `Invoke-Command` call. A single-node Kerberos/
 Negotiate error (0x80090304) no longer aborts collection from healthy nodes.
- **licenseProfiles/default 404 causes transcript noise (#260)** —
 `Get-AzResource` for optional Arc license profiles now uses
 `-ErrorAction SilentlyContinue` so missing profiles (404) are returned as
 `not-found` status without being promoted to terminating errors.
- **Search-AzGraph 'Argument types do not match' (#261)** —
 `Get-RangerArmResourcesByGraph` now explicitly casts subscription and
 management-group arrays to `[string[]]`, fixing a type mismatch when
 subscription IDs originate from YAML parsing.

## v2.5.0 — Extended Platform Coverage

Workload/cost intelligence, multi-cluster orchestration, and executive-ready
presentation output.

### Added
- **Capacity headroom (#128)** — `capacityAnalysis` domain: per-node + cluster
 vCPU/memory/storage/pool allocation with Healthy/Warning/Critical status.
- **Idle / underutilized VM detection (#125)** — `vmUtilization` domain.
 Classifies VMs from `vm.utilization` sidecar data and emits rightsizing
 proposals plus potential freed-resource savings.
- **Storage efficiency (#126)** — `storageEfficiency` domain: per-volume dedup
 state, dedup ratio, saved GiB, thin-provisioning coverage, and a `wasteClass`
 tag for dedup candidates and over-provisioned volumes.
- **SQL / Windows Server license inventory (#127)** — `licenseInventory` domain
 enumerates guest SQL instances (edition, version, core count, license model,
 AHB eligibility) and Windows Server instances with totals.
- **Multi-cluster estate rollup (#129)** — `Invoke-AzureLocalRangerEstate` runs
 Ranger across an estate config and emits `estate-rollup.json`,
 `estate-summary.html`, and `powerbi/estate-clusters.csv`.
- **PowerPoint output (#80)** — `pptx` output format builds an OOXML .pptx
 via `System.IO.Packaging`. No Office dependency.
- **Manual evidence import (#32)** — `Import-RangerManualEvidence` merges
 hand-collected evidence into an existing manifest with provenance labels.

### Changed
- Runtime pipeline runs v2.5.0 analyzers after collectors and before schema
 validation so new domains are subject to the same checks.

## v2.3.0 — Cloud Publishing

Push Ranger run packages to Azure Blob and stream telemetry to Log Analytics
Workspace after every run — with no code changes required if the cluster is
already Arc-enrolled and the runner has Storage Blob Data Contributor.

### Added
- **Azure Blob publisher (#244)** — `Publish-RangerRun` uploads the run package
 (manifest, evidence, package-index, log, reports, powerbi) to Azure Blob with
 SHA-256 idempotency. Auth chain: Managed Identity → Entra RBAC → SAS from Key Vault.
 `Invoke-AzureLocalRanger -PublishToStorage` triggers automatically post-run.
- **Catalog + latest-pointer blobs (#245)** — after each publish, writes
 `_catalog/{cluster}/latest.json` and merges `_catalog/_index.json` so
 downstream consumers find the latest run without listing.
- **Log Analytics Workspace sink (#247)** — `Invoke-AzureLocalRanger -PublishToLogAnalytics`
 posts `RangerRun_CL` (scores, counts, AHB, cloud-publish status) and
 `RangerFinding_CL` (one row per failing WAF rule) to a DCE/DCR pair via
 the Logs Ingestion API.
- **Cloud Publishing guide (#246)** — `docs/operator/cloud-publishing.md` with
 step-by-step RBAC setup, config examples, and troubleshooting.
## v2.2.0 — WAF Compliance Guidance
Structured remediation blocks per rule, WAF compliance roadmap (Now/Next/Later),
gap-to-goal projection, per-pillar checklist, Get-RangerRemediation command.

## v2.1.0 — Preflight Hardening
Per-resource-type ARM probe, deep WinRM CIM probe (root/MSCluster +
root/virtualization/v2 + root/Microsoft/Windows/Storage), Azure Advisor read probe.

## v2.0.0 — Extended Collectors & WAF Intelligence
Seven new Arc-surface collectors (per-node extensions, logical networks +
subnets, storage paths, custom locations, Arc Resource Bridge, Arc Gateway,
marketplace + custom images), Azure Hybrid Benefit cost analysis, VM
distribution balance, agent version grouping, weighted WAF scoring,
hot-swap WAF config, `json-evidence` output format, concurrent-collection
and empty-data guards, and automatic required-module install/update.

## v1.6.0 — Platform Intelligence

Auto-discovery of RG/FQDN, multi-method Azure auth, graceful degradation, PDF / DOCX tables / XLSX / Power BI exports, graduated WAF scoring. Full v1.6.0 and earlier release notes: https://github.com/AzureLocal/azurelocal-ranger/blob/main/CHANGELOG.md

Full history: https://github.com/AzureLocal/azurelocal-ranger/blob/main/CHANGELOG.md