Chaos Studio fault and action library
The following faults are available for use today. Visit the Fault Providers page to understand which resource types are supported.
Time delay
| Property | Value |
|---|---|
| Fault Provider | N/A |
| Supported OS Types | N/A |
| Description | Adds a time delay before, between, or after other actions. This fault is useful for waiting for the impact of a fault to appear in a service, or for waiting for an activity outside of the experiment to complete. For example, waiting for autohealing to occur before injecting another fault. |
| Prerequisites | N/A |
| Urn | urn:csci:microsoft:chaosStudio:timedDelay/1.0 |
| duration | The duration of the delay in ISO 8601 format (Example: PT10M) |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "delay",
"name": "urn:csci:microsoft:chaosStudio:timedDelay/1.0",
"duration": "PT10M"
}
]
}
CPU pressure
| Property | Value |
|---|---|
| Capability Name | CPUPressure-1.0 |
| Target type | Microsoft-Agent |
| Supported OS Types | Windows, Linux |
| Description | Adds CPU pressure, up to the specified value, on the VM where this fault is injected during the fault action. The artificial CPU pressure is removed at the end of the duration or if the experiment is canceled. On Windows, the "% Processor Utility" performance counter is used at fault start to determine current CPU percentage, which is subtracted from the pressureLevel defined in the fault so that % Processor Utility will hit approximately the pressureLevel defined in the fault parameters. |
| Prerequisites | Linux: Running the fault on a Linux VM requires the stress-ng utility to be installed. You can install it using the package manager for your Linux distro, APT Command to install stress-ng: sudo apt-get update && sudo apt-get -y install unzip && sudo apt-get -y install stress-ng YUM Command to install stress-ng: sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && sudo yum -y install stress-ng |
| Windows: None. | |
| Urn | urn:csci:microsoft:agent:cpuPressure/1.0 |
| Parameters (key, value) | |
| pressureLevel | An integer between 1 and 99 that indicates how much CPU pressure (%) will be applied to the VM. |
| virtualMachineScaleSetInstances | An array of instance IDs when applying this fault to a Virtual Machine Scale Set. Required for Virtual Machine Scale Sets. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:agent:cpuPressure/1.0",
"parameters": [
{
"key": "pressureLevel",
"value": "95"
},
{
"key": "virtualMachineScaleSetInstances",
"value": "[0,1,2]"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Limitations
Known issues on Linux:
- Stress effect may not be terminated correctly if AzureChaosAgent is unexpectedly killed.
- Linux CPU fault is only tested on Ubuntu 16.04-LTS and Ubuntu 18.04-LTS.
Physical memory pressure
| Property | Value |
|---|---|
| Capability Name | PhysicalMemoryPressure-1.0 |
| Target type | Microsoft-Agent |
| Supported OS Types | Windows, Linux |
| Description | Add physical memory pressure up to the specified value on the VM where this fault is injected during of the fault action. The artificial physical memory pressure is removed at the end of the duration or if the experiment is canceled. |
| Prerequisites | Linux: Running the fault on a Linux VM requires the stress-ng utility to be installed. You can install it using the package manager for your Linux distro, APT Command to install stress-ng: sudo apt-get update && sudo apt-get -y install unzip && sudo apt-get -y install stress-ng YUM Command to install stress-ng: sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && sudo yum -y install stress-ng |
| Windows: None. | |
| Urn | urn:csci:microsoft:agent:physicalMemoryPressure/1.0 |
| Parameters (key, value) | |
| pressureLevel | An integer between 1 and 99 that indicates how much physical memory pressure (%) will be applied to the VM. |
| virtualMachineScaleSetInstances | An array of instance IDs when applying this fault to a Virtual Machine Scale Set. Required for Virtual Machine Scale Sets. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:agent:physicalMemoryPressure/1.0",
"parameters": [
{
"key": "pressureLevel",
"value": "95"
},
{
"key": "virtualMachineScaleSetInstances",
"value": "[0,1,2]"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Limitations
Currently, the Windows agent doesn't reduce memory pressure when other applications increase their memory usage. If the overall memory usage exceeds 100%, the Windows agent may crash.
Virtual memory pressure
| Property | Value |
|---|---|
| Capability Name | VirtualMemoryPressure-1.0 |
| Target type | Microsoft-Agent |
| Supported OS Types | Windows |
| Description | Add virtual memory pressure up to the specified value on the VM where this fault is injected during the fault action. The artificial virtual memory pressure is removed at the end of the duration or if the experiment is canceled. |
| Prerequisites | None. |
| Urn | urn:csci:microsoft:agent:virtualMemoryPressure/1.0 |
| Parameters (key, value) | |
| pressureLevel | An integer between 1 and 99 that indicates how much physical memory pressure (%) will be applied to the VM. |
| virtualMachineScaleSetInstances | An array of instance IDs when applying this fault to a Virtual Machine Scale Set. Required for Virtual Machine Scale Sets. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:agent:virtualMemoryPressure/1.0",
"parameters": [
{
"key": "pressureLevel",
"value": "95"
},
{
"key": "virtualMachineScaleSetInstances",
"value": "[0,1,2]"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Disk I/O pressure (Windows)
| Property | Value |
|---|---|
| Capability Name | DiskIOPressure-1.0 |
| Target type | Microsoft-Agent |
| Supported OS Types | Windows |
| Description | Uses the diskspd utility to add disk pressure to the primary storage of the VM where it's injected during the fault action. This fault has five different modes of execution. The artificial disk pressure is removed at the end of the duration or if the experiment is canceled. |
| Prerequisites | None. |
| Urn | urn:csci:microsoft:agent:diskIOPressure/1.0 |
| Parameters (key, value) | |
| pressureMode | The preset mode of disk pressure to add to the primary storage of the VM. Must be one of the PressureModes in the table below. |
| virtualMachineScaleSetInstances | An array of instance IDs when applying this fault to a Virtual Machine Scale Set. Required for Virtual Machine Scale Sets. |
Pressure modes
| PressureMode | Description |
|---|---|
| PremiumStorageP10IOPS | numberOfThreads = 1 randomBlockSizeInKB = 64 randomSeed = 10 numberOfIOperThread = 25 sizeOfBlocksInKB = 8 sizeOfWriteBufferInKB = 64 fileSizeInGB = 2 percentOfWriteActions = 50 |
| PremiumStorageP10Throttling | numberOfThreads = 2 randomBlockSizeInKB = 64 randomSeed = 10 numberOfIOperThread = 25 sizeOfBlocksInKB = 64 sizeOfWriteBufferInKB = 64 fileSizeInGB = 1 percentOfWriteActions = 50 |
| PremiumStorageP50IOPS | numberOfThreads = 32 randomBlockSizeInKB = 64 randomSeed = 10 numberOfIOperThread = 32 sizeOfBlocksInKB = 8 sizeOfWriteBufferInKB = 64 fileSizeInGB = 1 percentOfWriteActions = 50 |
| PremiumStorageP50Throttling | numberOfThreads = 2 randomBlockSizeInKB = 1024 randomSeed = 10 numberOfIOperThread = 2 sizeOfBlocksInKB = 1024 sizeOfWriteBufferInKB = 1024 fileSizeInGB = 20 percentOfWriteActions = 50 |
| Default | numberOfThreads = 2 randomBlockSizeInKB = 64 randomSeed = 10 numberOfIOperThread = 2 sizeOfBlocksInKB = 64 sizeOfWriteBufferInKB = 64 fileSizeInGB = 1 percentOfWriteActions = 50 |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:agent:diskIOPressure/1.0",
"parameters": [
{
"key": "pressureMode",
"value": "PremiumStorageP10IOPS"
},
{
"key": "virtualMachineScaleSetInstances",
"value": "[0,1,2]"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Disk I/O pressure (Linux)
| Property | Value |
|---|---|
| Capability Name | LinuxDiskIOPressure-1.0 |
| Target type | Microsoft-Agent |
| Supported OS Types | Linux |
| Description | Uses stress-ng to apply pressure to the disk. One or more worker processes are spawned that perform I/O processes with temporary files. For details on how pressure is applied see https://wiki.ubuntu.com/Kernel/Reference/stress-ng. |
| Prerequisites | Running the fault on a Linux VM requires the stress-ng utility to be installed. You can install it using the package manager for your Linux distro, APT Command to install stress-ng: sudo apt-get update && sudo apt-get -y install unzip && sudo apt-get -y install stress-ng YUM Command to install stress-ng: sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && sudo yum -y install stress-ng |
| Urn | urn:csci:microsoft:agent:linuxDiskIOPressure/1.0 |
| Parameters (key, value) | |
| workerCount | Number of worker processes to run. Setting workerCount to 0 will generate as many worker processes as there are number of processors. |
| fileSizePerWorker | Size of the temporary file a worker will perform I/O operations against. Integer plus a unit in bytes (b), kilobytes (k), megabytes (m), or gigabytes (g) (for example, 4m for 4 megabytes, 256g for 256 gigabytes) |
| blockSize | Block size to be used for disk I/O operations, capped at 4 megabytes. Integer plus a unit in bytes (b), kilobytes (k), or megabytes (m) (for example, 512k for 512 kilobytes) |
| virtualMachineScaleSetInstances | An array of instance IDs when applying this fault to a Virtual Machine Scale Set. Required for Virtual Machine Scale Sets. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:agent:linuxDiskIOPressure/1.0",
"parameters": [
{
"key": "workerCount",
"value": "0"
},
{
"key": "fileSizePerWorker",
"value": "512m"
},
{
"key": "blockSize",
"value": "256k"
},
{
"key": "virtualMachineScaleSetInstances",
"value": "[0,1,2]"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Arbitrary Stress-ng stress
| Property | Value |
|---|---|
| Capability Name | StressNg-1.0 |
| Target type | Microsoft-Agent |
| Supported OS Types | Linux |
| Description | Run any stress-ng command by passing arguments directly to stress-ng. Useful for when one of the pre-defined faults for stress-ng doesn't meet your needs. |
| Prerequisites | Running the fault on a Linux VM requires the stress-ng utility to be installed. You can install it using the package manager for your Linux distro, APT Command to install stress-ng: sudo apt-get update && sudo apt-get -y install unzip && sudo apt-get -y install stress-ng YUM Command to install stress-ng: sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && sudo yum -y install stress-ng |
| Urn | urn:csci:microsoft:agent:stressNg/1.0 |
| Parameters (key, value) | |
| stressNgArguments | One or more arguments to pass to the stress-ng process. For details on possible stress-ng arguments see https://wiki.ubuntu.com/Kernel/Reference/stress-ng |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:agent:stressNg/1.0",
"parameters": [
{
"key": "stressNgArguments",
"value": "--random 64"
},
{
"key": "virtualMachineScaleSetInstances",
"value": "[0,1,2]"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Stop Windows service
| Property | Value |
|---|---|
| Capability Name | StopService-1.0 |
| Target type | Microsoft-Agent |
| Supported OS Types | Windows |
| Description | Uses the Windows Service Controller APIs to stop a Windows service during the fault, restarting it at the end of the duration or if the experiment is canceled. |
| Prerequisites | None. |
| Urn | urn:csci:microsoft:agent:stopService/1.0 |
| Parameters (key, value) | |
| serviceName | The name of the Windows service you want to stop. You can run sc.exe query in command prompt to explore service names, Windows service friendly names aren't supported. |
| virtualMachineScaleSetInstances | An array of instance IDs when applying this fault to a Virtual Machine Scale Set. Required for Virtual Machine Scale Sets. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:agent:stopService/1.0",
"parameters": [
{
"key": "serviceName",
"value": "nvagent"
},
{
"key": "virtualMachineScaleSetInstances",
"value": "[0,1,2]"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Time change
| Property | Value |
|---|---|
| Capability Name | TimeChange-1.0 |
| Target type | Microsoft-Agent |
| Supported OS Types | Windows |
| Description | Changes the system time of the VM where it's injected, and resets the time at the end of the expiriment or if the experiment is canceled. |
| Prerequisites | None. |
| Urn | urn:csci:microsoft:agent:timeChange/1.0 |
| Parameters (key, value) | |
| dateTime | A DateTime string in ISO8601 format. If YYYY-MM-DD values are missing, they're defaulted to the current day when the experiment runs. If Thh:mm:ss values are missing, the default value is 12:00:00 AM. If a 2-digit year is provided (YY), it's converted to a 4-digit year (YYYY) based on the current century. If <Z> is missing, it's defaulted to the offset of the local timezone. <Z> must always include a sign symbol (negative or positive). |
| virtualMachineScaleSetInstances | An array of instance IDs when applying this fault to a Virtual Machine Scale Set. Required for Virtual Machine Scale Sets. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:agent:timeChange/1.0",
"parameters": [
{
"key": "dateTime",
"value": "2038-01-01T03:14:07"
},
{
"key": "virtualMachineScaleSetInstances",
"value": "[0,1,2]"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Kill process
| Property | Value |
|---|---|
| Capability Name | KillProcess-1.0 |
| Target type | Microsoft-Agent |
| Supported OS Types | Windows, Linux |
| Description | Kills all the running instances of a process that matches the process name sent in the fault parameters. Within the duration set for the fault action, a process is killed repetitively based on the value of the kill interval specified. This fault is a destructive fault where system admin would need to manually recover the process if self-healing is configured for it. |
| Prerequisites | None. |
| Urn | urn:csci:microsoft:agent:killProcess/1.0 |
| Parameters (key, value) | |
| processName | Name of a process running on a VM (without the .exe) |
| killIntervalInMilliseconds | Amount of time the fault will wait in between successive kill attempts in milliseconds. |
| virtualMachineScaleSetInstances | An array of instance IDs when applying this fault to a Virtual Machine Scale Set. Required for Virtual Machine Scale Sets. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:agent:killProcess/1.0",
"parameters": [
{
"key": "processName",
"value": "myapp"
},
{
"key": "killIntervalInMilliseconds",
"value": "1000"
},
{
"key": "virtualMachineScaleSetInstances",
"value": "[0,1,2]"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
DNS failure
| Property | Value |
|---|---|
| Capability Name | DnsFailure-1.0 |
| Target type | Microsoft-Agent |
| Supported OS Types | Windows |
| Description | Substitutes DNS lookup request responses with a specified error code. DNS lookup requests that will be substituted must:
|
| Prerequisites | None. |
| Urn | urn:csci:microsoft:agent:dnsFailure/1.0 |
| Parameters (key, value) | |
| hosts | Delimited JSON array of host names to fail DNS lookup request for. This property accepts wildcards ( *), but only for the first subdomain in an address and only applies to the subdomain for which they're specified. For example:
|
| dnsFailureReturnCode | DNS error code to be returned to the client for the lookup failure (FormErr, ServFail, NXDomain, NotImp, Refused, XDomain, YXRRSet, NXRRSet, NotAuth, NotZone). For more details on DNS return codes, visit the IANA website |
| virtualMachineScaleSetInstances | An array of instance IDs when applying this fault to a Virtual Machine Scale Set. Required for Virtual Machine Scale Sets. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:agent:dnsFailure/1.0",
"parameters": [
{
"key": "hosts",
"value": "[ \"www.bing.com\", \"msdn.microsoft.com\" ]"
},
{
"key": "dnsFailureReturnCode",
"value": "ServFail"
},
{
"key": "virtualMachineScaleSetInstances",
"value": "[0,1,2]"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Limitations
- The DNS Failure fault requires Windows 2019 RS5 or newer.
- DNS Cache will be ignored during the duration of the fault for the host names defined in the fault.
Network latency
| Property | Value |
|---|---|
| Capability Name | NetworkLatency-1.0 |
| Target type | Microsoft-Agent |
| Supported OS Types | Windows |
| Description | Increases network latency for a specified port range and network block. |
| Prerequisites | Agent must be run as administrator. If the agent is installed as a VM extension, it runs as administrator by default. |
| Urn | urn:csci:microsoft:agent:networkLatency/1.0 |
| Parameters (key, value) | |
| latencyInMilliseconds | Amount of latency to be applied in milliseconds. |
| destinationFilters | Delimited JSON array of packet filters defining which outbound packets to target for fault injection. Maximum of 16. |
| address | IP address indicating the start of the IP range. |
| subnetMask | Subnet mask for the IP address range. |
| portLow | (Optional) Port number of the start of the port range. |
| portHigh | (Optional) Port number of the end of the port range. |
| virtualMachineScaleSetInstances | An array of instance IDs when applying this fault to a Virtual Machine Scale Set. Required for Virtual Machine Scale Sets. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:agent:networkLatency/1.0",
"parameters": [
{
"key": "destinationFilters",
"value": "[ { \"address\": \"23.45.229.97\", \"subnetMask\": \"255.255.255.224\", \"portLow\": \"5000\", \"portHigh\": \"5200\" } ]"
},
{
"key": "latencyInMilliseconds",
"value": "100",
},
{
"key": "virtualMachineScaleSetInstances",
"value": "[0,1,2]"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Network disconnect
| Property | Value |
|---|---|
| Capability Name | NetworkDisconnect-1.0 |
| Target type | Microsoft-Agent |
| Supported OS Types | Windows |
| Description | Blocks outbound network traffic for specified port range and network block. |
| Prerequisites | Agent must be run as administrator. If the agent is installed as a VM extension, it runs as administrator by default. |
| Urn | urn:csci:microsoft:agent:networkDisconnect/1.0 |
| Parameters (key, value) | |
| destinationFilters | Delimited JSON array of packet filters defining which outbound packets to target for fault injection. Maximum of 16. |
| address | IP address indicating the start of the IP range. |
| subnetMask | Subnet mask for the IP address range. |
| portLow | (Optional) Port number of the start of the port range. |
| portHigh | (Optional) Port number of the end of the port range. |
| virtualMachineScaleSetInstances | An array of instance IDs when applying this fault to a Virtual Machine Scale Set. Required for Virtual Machine Scale Sets. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:agent:networkDisconnect/1.0",
"parameters": [
{
"key": "destinationFilters",
"value": "[ { \"address\": \"23.45.229.97\", \"subnetMask\": \"255.255.255.224\", \"portLow\": \"5000\", \"portHigh\": \"5200\" } ]"
},
{
"key": "virtualMachineScaleSetInstances",
"value": "[0,1,2]"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Warning
The network disconnect fault only affects new connections. Existing active connections continue to persist. You can restart the service or process to force connections to break.
Network disconnect with firewall rule
| Property | Value |
|---|---|
| Capability Name | NetworkDisconnectViaFirewall-1.0 |
| Target type | Microsoft-Agent |
| Supported OS Types | Windows |
| Description | Applies a Windows firewall rule to block outbound traffic for specified port range and network block. |
| Prerequisites | Agent must be run as administrator. If the agent is installed as a VM extension, it runs as administrator by default. |
| Urn | urn:csci:microsoft:agent:networkDisconnectViaFirewall/1.0 |
| Parameters (key, value) | |
| destinationFilters | Delimited JSON array of packet filters defining which outbound packets to target for fault injection. Maximum of 3. |
| address | IP address indicating the start of the IP range. |
| subnetMask | Subnet mask for the IP address range. |
| portLow | (Optional) Port number of the start of the port range. |
| portHigh | (Optional) Port number of the end of the port range. |
| virtualMachineScaleSetInstances | An array of instance IDs when applying this fault to a Virtual Machine Scale Set. Required for Virtual Machine Scale Sets. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:agent:networkDisconnectViaFirewall/1.0",
"parameters": [
{
"key": "destinationFilters",
"value": "[ { \"Address\": \"23.45.229.97\", \"SubnetMask\": \"255.255.255.224\", \"PortLow\": \"5000\", \"PortHigh\": \"5200\" } ]"
},
{
"key": "virtualMachineScaleSetInstances",
"value": "[0,1,2]"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
ARM virtual machine shutdown
| Property | Value |
|---|---|
| Capability Name | Shutdown-1.0 |
| Target type | Microsoft-VirtualMachine |
| Supported OS Types | Windows, Linux |
| Description | Shuts down a VM for the duration of the fault, and restarts it at the end of the expiriment or if the experiment is canceled. Only Azure Resource Manager VMs are supported. |
| Prerequisites | None. |
| Urn | urn:csci:microsoft:virtualMachine:shutdown/1.0 |
| Parameters (key, value) | |
| abruptShutdown | (Optional) Boolean indicating if the VM should be shut down gracefully or abruptly (destructive). |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:virtualMachine:shutdown/1.0",
"parameters": [
{
"key": "abruptShutdown",
"value": "false"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
ARM Virtual Machine Scale Set instance shutdown
This fault has two available versions that you can use, Version 1.0 and Version 2.0.
Version 1.0
| Property | Value |
|---|---|
| Capability Name | Version 1.0 |
| Target type | Microsoft-VirtualMachineScaleSet |
| Supported OS Types | Windows, Linux |
| Description | Shuts down or kills a Virtual Machine Scale Set instance during the fault, and restarts the VM at the end of the fault duration or if the experiment is canceled. |
| Prerequisites | None. |
| Urn | urn:csci:microsoft:virtualMachineScaleSet:shutdown/1.0 |
| Parameters (key, value) | |
| abruptShutdown | (Optional) Boolean indicating if the Virtual Machine Scale Set instance should be shut down gracefully or abruptly (destructive). |
| instances | A string that is a delimited array of Virtual Machine Scale Set instance IDs to which the fault will be applied. |
Version 1.0 sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:virtualMachineScaleSet:shutdown/1.0",
"parameters": [
{
"key": "abruptShutdown",
"value": "true"
},
{
"key": "instances",
"value": "[\"1\",\"3\"]"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Version 2.0
| Property | Value |
|---|---|
| Capability Name | Shutdown-2.0 |
| Target type | Microsoft-VirtualMachineScaleSet |
| Supported OS Types | Windows, Linux |
| Description | Shuts down or kills a Virtual Machine Scale Set instance during the fault, and restarts the VM at the end of the fault duration or if the experiment is canceled. Supports dynamic targeting. |
| Prerequisites | None. |
| Urn | urn:csci:microsoft:virtualMachineScaleSet:shutdown/2.0 |
| filter | (Optional) Available starting with Version 2.0. Used to filter the list of targets in a selector. Currently supports filtering on a list of zones, and the filter is only applied to VMSS resources within a zone.
|
| Parameters (key, value) | |
| abruptShutdown | (Optional) Boolean indicating if the Virtual Machine Scale Set instance should be shut down gracefully or abruptly (destructive). |
Version 2.0 sample JSON snippets
The snippets below show how to configure both dynamic filtering and the shutdown 2.0 fault.
Configuring a filter for dynamic targeting:
{
"type": "List",
"id": "myResources",
"targets": [
{
"id": "<targetResourceId>",
"type": "ChaosTarget"
}
],
"filter": {
"type": "Simple",
"parameters": {
"zones": [
"1"
]
}
}
}
Configuring the shutdown fault:
{
"name": "branchOne",
"actions": [
{
"name": "urn:csci:microsoft:virtualMachineScaleSet:shutdown/2.0",
"type": "continuous",
"selectorId": "myResources",
"duration": "PT10M",
"parameters": [
{
"key": "abruptShutdown",
"value": "false"
}
]
}
]
}
Azure Cosmos DB failover
| Property | Value |
|---|---|
| Capability Name | Failover-1.0 |
| Target type | Microsoft-CosmosDB |
| Description | Causes an Azure Cosmos DB account with a single write region to fail over to a specified read region to simulate a write region outage |
| Prerequisites | None. |
| Urn | urn:csci:microsoft:cosmosDB:failover/1.0 |
| Parameters (key, value) | |
| readRegion | The read region that should be promoted to write region during the failover, for example, "East US 2" |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:cosmosDB:failover/1.0",
"parameters": [
{
"key": "readRegion",
"value": "West US 2"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
AKS Chaos Mesh network faults
| Property | Value |
|---|---|
| Capability Name | NetworkChaos-2.1 |
| Target type | Microsoft-AzureKubernetesServiceChaosMesh |
| Supported node pool OS types | Linux |
| Description | Causes a network fault available through Chaos Mesh to run against your AKS cluster. Useful for recreating AKS incidents resulting from network outages, delays, duplications, loss, and corruption. |
| Prerequisites | The AKS cluster must have Chaos Mesh deployed. |
| Urn | urn:csci:microsoft:azureKubernetesServiceChaosMesh:networkChaos/2.1 |
| Parameters (key, value) | |
| jsonSpec | A JSON-formatted and, if created via ARM template, REST API, or Azure CLI, JSON-escaped Chaos Mesh spec that uses the NetworkChaos kind. You can use a YAML-to-JSON converter like Convert YAML To JSON to convert the Chaos Mesh YAML to JSON and minify it. Then use a JSON string escape tool like JSON Escape / Unescape to escape the JSON spec. Only include the YAML under the "jsonSpec" property, don't include metadata, kind, etc. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:networkChaos/2.1",
"parameters": [
{
"key": "jsonSpec",
"value": "{\"action\":\"delay\",\"mode\":\"one\",\"selector\":{\"namespaces\":[\"default\"],\"labelSelectors\":{\"app\":\"web-show\"}},\"delay\":{\"latency\":\"10ms\",\"correlation\":\"100\",\"jitter\":\"0ms\"}}"
}
],
"selectorid": "myResources"
}
]
}
AKS Chaos Mesh pod faults
| Property | Value |
|---|---|
| Capability Name | PodChaos-2.1 |
| Target type | Microsoft-AzureKubernetesServiceChaosMesh |
| Supported node pool OS types | Linux |
| Description | Causes a pod fault available through Chaos Mesh to run against your AKS cluster. Useful for recreating AKS incidents that are a result of pod failures or container issues. |
| Prerequisites | The AKS cluster must have Chaos Mesh deployed. |
| Urn | urn:csci:microsoft:azureKubernetesServiceChaosMesh:podChaos/2.1 |
| Parameters (key, value) | |
| jsonSpec | A JSON-formatted and, if created via ARM template, REST API, or Azure CLI, JSON-escaped Chaos Mesh spec that uses the PodChaos kind. You can use a YAML-to-JSON converter like Convert YAML To JSON to convert the Chaos Mesh YAML to JSON and minify it. Then use a JSON string escape tool like JSON Escape / Unescape to escape the JSON spec. Only include the YAML under the "jsonSpec" property, don't include metadata, kind, etc. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:podChaos/2.1",
"parameters": [
{
"key": "jsonSpec",
"value": "{\"action\":\"pod-failure\",\"mode\":\"one\",\"duration\":\"30s\",\"selector\":{\"labelSelectors\":{\"app.kubernetes.io\/component\":\"tikv\"}}}"
}
],
"selectorid": "myResources"
}
]
}
AKS Chaos Mesh stress faults
| Property | Value |
|---|---|
| Capability Name | StressChaos-2.1 |
| Target type | Microsoft-AzureKubernetesServiceChaosMesh |
| Supported node pool OS types | Linux |
| Description | Causes a stress fault available through Chaos Mesh to run against your AKS cluster. Useful for recreating AKS incidents due to stresses over a collection of pods, for example, due to high CPU or memory consumption. |
| Prerequisites | The AKS cluster must have Chaos Mesh deployed. |
| Urn | urn:csci:microsoft:azureKubernetesServiceChaosMesh:stressChaos/2.1 |
| Parameters (key, value) | |
| jsonSpec | A JSON-formatted and, if created via ARM template, REST API, or Azure CLI, JSON-escaped Chaos Mesh spec that uses the StressChaos kind. You can use a YAML-to-JSON converter like Convert YAML To JSON to convert the Chaos Mesh YAML to JSON and minify it. Then use a JSON string escape tool like JSON Escape / Unescape to escape the JSON spec. Only include the YAML under the "jsonSpec" property, don't include metadata, kind, etc. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:stressChaos/2.1",
"parameters": [
{
"key": "jsonSpec",
"value": "{\"mode\":\"one\",\"selector\":{\"labelSelectors\":{\"app\":\"app1\"}},\"stressors\":{\"memory\":{\"workers\":4,\"size\":\"256MB\"}}}"
}
],
"selectorid": "myResources"
}
]
}
AKS Chaos Mesh IO faults
| Property | Value |
|---|---|
| Capability Name | IOChaos-2.1 |
| Target type | Microsoft-AzureKubernetesServiceChaosMesh |
| Supported node pool OS types | Linux |
| Description | Causes an IO fault available through Chaos Mesh to run against your AKS cluster. Useful for recreating AKS incidents due to IO delays and read/write failures when using IO system calls such as open, read, and write. |
| Prerequisites | The AKS cluster must have Chaos Mesh deployed. |
| Urn | urn:csci:microsoft:azureKubernetesServiceChaosMesh:IOChaos/2.1 |
| Parameters (key, value) | |
| jsonSpec | A JSON-formatted and, if created via ARM template, REST API, or Azure CLI, JSON-escaped Chaos Mesh spec that uses the IOChaos kind. You can use a YAML-to-JSON converter like Convert YAML To JSON to convert the Chaos Mesh YAML to JSON and minify it. Then use a JSON string escape tool like JSON Escape / Unescape to escape the JSON spec. Only include the YAML under the "jsonSpec" property, don't include metadata, kind, etc. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:IOChaos/2.1",
"parameters": [
{
"key": "jsonSpec",
"value": "{\"action\":\"latency\",\"mode\":\"one\",\"selector\":{\"labelSelectors\":{\"app\":\"etcd\"}},\"volumePath\":\"\/var\/run\/etcd\",\"path\":\"\/var\/run\/etcd\/**\/*\",\"delay\":\"100ms\",\"percent\":50,\"duration\":\"400s\"}"
}
],
"selectorid": "myResources"
}
]
}
AKS Chaos Mesh time faults
| Property | Value |
|---|---|
| Capability Name | TimeChaos-2.1 |
| Target type | Microsoft-AzureKubernetesServiceChaosMesh |
| Supported node pool OS types | Linux |
| Description | Causes a change in the system clock on your AKS cluster using Chaos Mesh. Useful for recreating AKS incidents that result from distributed systems falling out of sync, missing/incorrect leap year/leap second logic, and more. |
| Prerequisites | The AKS cluster must have Chaos Mesh deployed. |
| Urn | urn:csci:microsoft:azureKubernetesServiceChaosMesh:timeChaos/2.1 |
| Parameters (key, value) | |
| jsonSpec | A JSON-formatted and, if created via ARM template, REST API, or Azure CLI, JSON-escaped Chaos Mesh spec that uses the TimeChaos kind. You can use a YAML-to-JSON converter like Convert YAML To JSON to convert the Chaos Mesh YAML to JSON and minify it. Then use a JSON string escape tool like JSON Escape / Unescape to escape the JSON spec. Only include the YAML under the "jsonSpec" property, don't include metadata, kind, etc. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:timeChaos/2.1",
"parameters": [
{
"key": "jsonSpec",
"value": "{\"mode\":\"one\",\"selector\":{\"labelSelectors\":{\"app\":\"app1\"}},\"timeOffset\":\"-10m100ns\"}"
}
],
"selectorid": "myResources"
}
]
}
AKS Chaos Mesh kernel faults
| Property | Value |
|---|---|
| Capability Name | KernelChaos-2.1 |
| Target type | Microsoft-AzureKubernetesServiceChaosMesh |
| Supported node pool OS types | Linux |
| Description | Causes a kernel fault available through Chaos Mesh to run against your AKS cluster. Useful for recreating AKS incidents due to Linux kernel-level errors such as a mount failing or memory not being allocated. |
| Prerequisites | The AKS cluster must have Chaos Mesh deployed. |
| Urn | urn:csci:microsoft:azureKubernetesServiceChaosMesh:kernelChaos/2.1 |
| Parameters (key, value) | |
| jsonSpec | A JSON-formatted and, if created via ARM template, REST API, or Azure CLI, JSON-escaped Chaos Mesh spec that uses the KernelChaos kind.You can use a YAML-to-JSON converter like Convert YAML To JSON to convert the Chaos Mesh YAML to JSON and minify it. Then use a JSON string escape tool like JSON Escape / Unescape to escape the JSON spec. Only include the YAML under the "jsonSpec" property, don't include metadata, kind, etc. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:kernelChaos/2.1",
"parameters": [
{
"key": "jsonSpec",
"value": "{\"mode\":\"one\",\"selector\":{\"namespaces\":[\"chaos-mount\"]},\"failKernRequest\":{\"callchain\":[{\"funcname\":\"__x64_sys_mount\"}],\"failtype\":0}}"
}
],
"selectorid": "myResources"
}
]
}
AKS Chaos Mesh HTTP faults
| Property | Value |
|---|---|
| Capability Name | HTTPChaos-2.1 |
| Target type | Microsoft-AzureKubernetesServiceChaosMesh |
| Supported node pool OS types | Linux |
| Description | Causes an HTTP fault available through Chaos Mesh to run against your AKS cluster. Useful for recreating incidents due HTTP request and response processing failures, such as delayed or incorrect responses. |
| Prerequisites | The AKS cluster must have Chaos Mesh deployed. |
| Urn | urn:csci:microsoft:azureKubernetesServiceChaosMesh:httpChaos/2.1 |
| Parameters (key, value) | |
| jsonSpec | A JSON-formatted and, if created via ARM template, REST API, or Azure CLI, JSON-escaped Chaos Mesh spec that uses the HTTPChaos kind. You can use a YAML-to-JSON converter like Convert YAML To JSON to convert the Chaos Mesh YAML to JSON and minify it. Then use a JSON string escape tool like JSON Escape / Unescape to escape the JSON spec. Only include the YAML under the "jsonSpec" property, don't include metadata, kind, etc. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:httpChaos/2.1",
"parameters": [
{
"key": "jsonSpec",
"value": "{\"mode\":\"all\",\"selector\":{\"labelSelectors\":{\"app\":\"nginx\"}},\"target\":\"Request\",\"port\":80,\"method\":\"GET\",\"path\":\"\/api\",\"abort\":true,\"duration\":\"5m\",\"scheduler\":{\"cron\":\"@every 10m\"}}"
}
],
"selectorid": "myResources"
}
]
}
AKS Chaos Mesh DNS faults
| Property | Value |
|---|---|
| Capability Name | DNSChaos-2.1 |
| Target type | Microsoft-AzureKubernetesServiceChaosMesh |
| Supported node pool OS types | Linux |
| Description | Causes a DNS fault available through Chaos Mesh to run against your AKS cluster. Useful for recreating incidents due to DNS failures. |
| Prerequisites | The AKS cluster must have Chaos Mesh deployed and the DNS service must be installed. |
| Urn | urn:csci:microsoft:azureKubernetesServiceChaosMesh:dnsChaos/2.1 |
| Parameters (key, value) | |
| jsonSpec | A JSON-formatted and, if created via ARM template, REST API, or Azure CLI, JSON-escaped Chaos Mesh spec that uses the DNSChaos kind. You can use a YAML-to-JSON converter like Convert YAML To JSON to convert the Chaos Mesh YAML to JSON and minify it. Then use a JSON string escape tool like JSON Escape / Unescape to escape the JSON spec. Only include the YAML under the "jsonSpec" property, don't include metadata, kind, etc. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:dnsChaos/2.1",
"parameters": [
{
"key": "jsonSpec",
"value": "{\"action\":\"random\",\"mode\":\"all\",\"patterns\":[\"google.com\",\"chaos-mesh.*\",\"github.?om\"],\"selector\":{\"namespaces\":[\"busybox\"]}}"
}
],
"selectorid": "myResources"
}
]
}
Network security group (set rules)
| Property | Value |
|---|---|
| Capability Name | SecurityRule-1.0 |
| Target type | Microsoft-NetworkSecurityGroup |
| Description | Enables manipulation or rule creation in an existing Azure Network Security Group or set of Azure Network Security Groups, assuming the rule definition is applicable cross security groups. Useful for simulating an outage of a downstream or cross-region dependency/non-dependency, simulating an event that's expected to trigger a logic to force a service failover, simulating an event that is expected to trigger an action from a monitoring or state management service, or as an alternative for blocking or allowing network traffic where Chaos Agent can't be deployed. |
| Prerequisites | None. |
| Urn | urn:csci:microsoft:networkSecurityGroup:securityRule/1.0 |
| Parameters (key, value) | |
| name | A unique name for the security rule that will be created. The fault will fail if another rule already exists on the NSG with the same name. Must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens. |
| protocol | Protocol for the security rule. Must be Any, TCP, UDP, or ICMP. |
| sourceAddresses | A string representing a json-delimited array of CIDR formatted IP addresses. Can also be a service tag name for an inbound rule, for example, "AppService". Asterisk '*' can also be used to match all source IPs. |
| destinationAddresses | A string representing a json-delimited array of CIDR formatted IP addresses. Can also be a service tag name for an outbound rule, for example, "AppService". Asterisk '*' can also be used to match all destination IPs. |
| action | Security group access type. Must be either Allow or Deny |
| destinationPortRanges | A string representing a json-delimited array of single ports and/or port ranges, such as 80 or 1024-65535. |
| sourcePortRanges | A string representing a json-delimited array single ports and/or port ranges, such as 80 or 1024-65535. |
| priority | A value between 100 and 4096 that's unique for all security rules within the network security group. The fault will fail if another rule already exists on the NSG with the same priority. |
| direction | Direction of the traffic impacted by the security rule. Must be either Inbound or Outbound. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:networkSecurityGroup:securityRule/1.0",
"parameters": [
{
"key": "name",
"value": "Block_SingleHost_to_Networks"
},
{
"key": "protocol",
"value": "Any"
},
{
"key": "sourceAddresses",
"value": "[\"10.1.1.128/32\"]"
},
{
"key": "destinationAddresses",
"value": "[\"10.20.0.0/16\",\"10.30.0.0/16\"]"
},
{
"key": "access",
"value": "Deny"
},
{
"key": "destinationPortRanges",
"value": "[\"80-8080\"]"
},
{
"key": "sourcePortRanges",
"value": "[\"*\"]"
},
{
"key": "priority",
"value": "100"
},
{
"key": "direction",
"value": "Outbound"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Limitations
- The fault can only be applied to an existing Network Security Group.
- When an NSG rule that is intended to deny traffic is applied existing connections won't be broken until they've been idle for 4 minutes. One workaround is to add another branch in the same step that uses a fault that would cause existing connections to break when the NSG fault is applied. For example, killing the process, temporarily stopping the service, or restarting the VM would cause connections to reset.
- Rules are applied at the start of the action. Any external changes to the rule during the duration of the action will cause the experiment to fail.
- Creating or modifying Application Security Group rules isn't supported.
- Priority values must be unique on each NSG targeted. Attempting to create a new rule that has the same priority value as another will cause the experiment to fail.
Azure Cache for Redis reboot
| Property | Value |
|---|---|
| Capability Name | Reboot-1.0 |
| Target type | Microsoft-AzureClusteredCacheForRedis |
| Description | Causes a forced reboot operation to occur on the target to simulate a brief outage. |
| Prerequisites | The target Azure Cache for Redis resource must be a Redis Cluster, which requires that the cache must be a Premium Tier cache. Standard and Basic Tiers aren't supported. |
| Urn | urn:csci:microsoft:azureClusteredCacheForRedis:reboot/1.0 |
| Fault type | Discrete |
| Parameters (key, value) | |
| rebootType | The node types where the reboot action is to be performed which can be specified as PrimaryNode, SecondaryNode or AllNodes. |
| shardId | The ID of the shard to be rebooted. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "discrete",
"name": "urn:csci:microsoft:azureClusteredCacheForRedis:reboot/1.0",
"parameters": [
{
"key": "RebootType",
"value": "AllNodes"
},
{
"key": "ShardId",
"value": "0"
}
],
"selectorid": "myResources"
}
]
}
Limitations
- The reboot fault causes a forced reboot to better simulate an outage event, which means there is the potential for data loss to occur.
- The reboot fault is a discrete fault type. Unlike continuous faults, it's a one-time action and therefore has no duration.
Cloud Services (Classic) shutdown
| Property | Value |
|---|---|
| Capability Name | Shutdown-1.0 |
| Target type | Microsoft-DomainName |
| Description | Stops a deployment during the fault and restarts the deployment at the end of the fault duration or if the experiment is canceled. |
| Prerequisites | None. |
| Urn | urn:csci:microsoft:domainName:shutdown/1.0 |
| Fault type | Continuous |
| Parameters | None. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:domainName:shutdown/1.0",
"parameters": [],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Key Vault Deny Access
| Property | Value |
|---|---|
| Capability Name | DenyAccess-1.0 |
| Target type | Microsoft-KeyVault |
| Description | Blocks all network access to a Key Vault by temporarily modifying the Key Vault network rules, preventing an application dependent on the Key Vault from accessing secrets, keys, and/or certificates. If the Key Vault allows access to all networks, this is changed to only allow access from selected networks with no virtual networks in the allowed list at the start of the fault and returned to allowing access to all networks at the end of the fault duration. If they Key Vault is set to only allow access from selected networks, any virtual networks in the allowed list are removed at the start of the fault and restored at the end of the fault duration. |
| Prerequisites | The target Key Vault can't have any firewall rules and must not be set to allow Azure services to bypass the firewall. If the target Key Vault is set to only allow access from selected networks, there must be at least one virtual network rule. The Key Vault can't be in recover mode. |
| Urn | urn:csci:microsoft:keyVault:denyAccess/1.0 |
| Fault type | Continuous |
| Parameters (key, value) | None. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:keyvault:denyAccess/1.0",
"parameters": [],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Key Vault Disable Certificate
| Property | Value |
|---|---|
| Capability Name | DisableCertificate-1.0 |
| Target Type | Microsoft-KeyVault |
| Description | Using certificate properties, fault will disable the certificate for specific duration (provided by user) and enables it after this fault duration. |
| Prerequisites | For OneCert certificates, the domain must be registered with OneCert before attempting to run the fault. |
| Urn | urn:csci:microsoft:keyvault:disableCertificate/1.0 |
| Fault Type | Continuous |
| Parameters (key, value) | |
| certificateName | Name of AKV certificate on which fault will be executed |
| version | The certificate version that should be updated; if not specified, the latest version will be updated. |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:keyvault:disableCertificate/1.0",
"parameters": [
{
"key": "certificateName",
"value": "<name of AKV certificate>"
},
{
"key": "version",
"value": "<certificate version>"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Key Vault Increment Certificate Version
| Property | Value |
|---|---|
| Capability Name | IncrementCertificateVersion-1.0 |
| Target Type | Microsoft-KeyVault |
| Description | Generates new certificate version and thumbprint using the Key Vault Certificate client library. Current working certificate will be upgraded to this version. |
| Prerequisites | For OneCert certificates, the domain must be registered with OneCert before attempting to run the fault. |
| Urn | urn:csci:microsoft:keyvault:incrementCertificateVersion/1.0 |
| Fault Type | Discrete |
| Parameters (key, value) | |
| certificateName | Name of AKV certificate on which fault will be executed |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "discrete",
"name": "urn:csci:microsoft:keyvault:incrementCertificateVersion/1.0",
"parameters": [
{
"key": "certificateName",
"value": "<name of AKV certificate>"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Key Vault Update Certificate Policy
| Property | Value |
|---|---|
| Capability Name | UpdateCertificatePolicy-1.0 |
| Target Type | Microsoft-KeyVault |
| Description | Certificate policies (examples: certificate validity period, certificate type, key size, or key type) are updated based on the user input and reverted after the fault duration. |
| Prerequisites | For OneCert certificates, the domain must be registered with OneCert before attempting to run the fault. |
| Urn | urn:csci:microsoft:keyvault:updateCertificatePolicy/1.0 |
| Fault Type | Continuous |
| Parameters (key, value) | |
| certificateName | Name of AKV certificate on which fault will be executed |
| version | The certificate version that should be updated; if not specified, the latest version will be updated. |
| enabled | Bool. Value indicating whether the new certificate version will be enabled |
| validityInMonths | The validity period of the certificate in months |
| certificateTransparency | Indicates whether the certificate should be published to the certificate transparency list when created |
| certificateType | the certificate type |
| contentType | The content type of the certificate, eg Pkcs12 when the certificate contains raw PFX bytes, or Pem when it contains ASCII PEM-encoded btes. Pkcs12 is the default value assumed |
| keySize | The size of the RSA key: 2048, 3072, or 4096 |
| exportable | Boolean. Value indicating if the certificate key is exportable from the vault or secure certificate store |
| reuseKey | Boolean. Value indicating if the certificate key should be reused when rotating the certificate |
| keyType | The type of backing key to be generated when issuing new certificates: RSA or EC |
Sample JSON
{
"name": "branchOne",
"actions": [
{
"type": "continuous",
"name": "urn:csci:microsoft:keyvault:updateCertificatePolicy/1.0",
"parameters": [
{
"key": "certificateName",
"value": "<name of AKV certificate>"
},
{
"key": "version",
"value": "<certificate version>"
},
{
"key": "enabled",
"value": "True"
},
{
"key": "validityInMonths",
"value": "12"
},
{
"key": "certificateTransparency",
"value": "True"
},
{
"key": "certificateType",
"value": "<certificate type>"
},
{
"key": "contentType",
"value": "Pem"
},
{
"key": "keySize",
"value": "4096"
},
{
"key": "exportable",
"value": "True"
},
{
"key": "reuseKey",
"value": "False"
},
{
"key": "keyType",
"value": "RSA"
}
],
"duration": "PT10M",
"selectorid": "myResources"
}
]
}
Feedback
Submit and view feedback for