Feature/dsc v3 native resources

[mimachniak]

Add DSCv3 Azure Arc Resources and documentation example

---

This change is 

[coderabbitai]

Warning

Review limit reached

@mimachniak, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 49 minutes and 45 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 91a23217-75f6-4ec0-8bba-94ad4507a1f0

📥 Commits

Reviewing files that changed from the base of the PR and between 59cd9ae and 8908312.

📒 Files selected for processing (3)

• CHANGELOG.md
• docs/azure_arc_agent-operations-examples.md
• dsc_resources/azure_arc_agent.resource.ps1

Walkthrough

A new Microsoft.Azure.Arc/AgentConfiguration DSC v3 resource is introduced. It consists of a JSON manifest with embedded schema, a PowerShell script implementing Get, Set, Test, and Export operations against the azcmagent CLI, a Pester test suite using a stubbed agent, two example DSC YAML configurations, and updated README and reference documentation.

Changes

Azure Arc AgentConfiguration DSC Resource

Layer / File(s)	Summary
Resource manifest, embedded schema, and project registration dsc_resources/.project.data.json, dsc_resources/azure_arc_agent.dsc.resource.json	Registers the resource in .project.data.json, defines command wiring for get/set/test/export via pwsh, sets set to require an elevated security context, and embeds the JSON schema with property types (boolean-or-null, string-or-null, array-or-null) and read-only fields.
Entry point, PropertyMap, and normalization helpers dsc_resources/azure_arc_agent.resource.ps1	Defines the Operation/JsonInput entry-point parameters with strict mode, the $script:PropertyMap DSC-to-azcmagent key mapping, and helper functions for agent discovery, JSON input parsing, and normalization of booleans, string lists, and configMode.
State read, drift detection, and configuration mutation dsc_resources/azure_arc_agent.resource.ps1	Implements Get-CurrentState, Test-InDesiredState (with list-equality logic for allow/block lists), Set-DesiredState (including monitor→full two-step configMode handling), Get-ExportState, and the main operation dispatch switch with top-level error handling.
Pester tests with stubbed azcmagent dsc_resources/tests/azure_arc_agent.tests.ps1	Creates a stub azcmagent.ps1 that persists JSON state and logs invocations, wires it via PATH override, and validates Get, Test, and Set operations end-to-end, including allowlist/blocklist content and the monitor→full mode transition sequence.
README, parameter docs, operation examples, and YAML configs README.md, docs/azure_arc_agent-parameters.md, docs/azure_arc_agent-operations-examples.md, dsc_config_example/arc-agent.dsc.yaml, dsc_config_example/arc-agent-export.dsc.yaml	Replaces the minimal README with installation and discovery setup docs, adds a parameters reference (writable/read-only fields, validation rules), adds operation examples for Get/Test/Set/Export, and provides two example DSC YAML configs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Feature/dsc v3 native resources' directly describes the main change: adding DSC v3 native resources for Azure Arc agent management.
Description check	✅ Passed	The description 'Add DSCv3 Azure Arc Resources and documentation example' is clearly related to the changeset which adds DSC v3 Azure Arc resources and multiple documentation files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (2)

dsc_resources/azure_arc_agent.dsc.resource.json (1)

117-122: ⚡ Quick win

Add enum constraint for configMode allowed values.

The schema permits any string or null for configMode, but the documented contract restricts it to "monitor" or "full". Adding an enum constraint provides fail-fast validation at the schema layer before the PowerShell normalization logic runs.

🛡️ Proposed schema enhancement

 "configMode": {
     "type": [
         "string",
         "null"
-    ]
+    ],
+    "enum": [
+        "monitor",
+        "full",
+        null
+    ]
 },

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@dsc_resources/azure_arc_agent.dsc.resource.json` around lines 117 - 122, The
configMode property in the schema currently accepts any string value or null,
but it should be restricted to only the documented valid values "monitor" or
"full". Add an enum constraint to the configMode field definition that
explicitly lists the allowed string values "monitor" and "full", keeping null as
an allowed type to maintain backward compatibility. This will enable
schema-level validation before any PowerShell normalization logic executes.

dsc_resources/azure_arc_agent.resource.ps1 (1)

10-12: 💤 Low value

Consider removing ValueFromPipeline or adding a process block.

The parameter uses ValueFromPipeline = $true but the script has no process block. While this works for single JSON input from stdin in the DSC context, it's not best practice. Since the DSC manifest pipes $input to the script and expects a single JSON string, the ValueFromPipeline attribute may be unnecessary.

Alternative approach

Remove the ValueFromPipeline attribute since the script is invoked via stdin redirection rather than traditional pipeline binding:

-    [Parameter(Position = 1, ValueFromPipeline = $true)]
+    [Parameter(Position = 1)]
     [AllowEmptyString()]
     [string]$JsonInput

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@dsc_resources/azure_arc_agent.resource.ps1` around lines 10 - 12, The
$JsonInput parameter in the azure_arc_agent.resource.ps1 script has
ValueFromPipeline set to true but the script does not contain a process block to
handle pipeline input, which is not best practice. Since the DSC manifest pipes
input via stdin redirection rather than traditional pipeline binding, remove the
ValueFromPipeline = $true attribute from the $JsonInput parameter definition
while keeping the Parameter, AllowEmptyString, and string type attributes
intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/azure_arc_agent-operations-examples.md`:
- Line 1: In the markdown file, the main heading starts with "P#" which is a
typo that should be corrected to just "#". Locate the heading with the text
"Microsoft.Azure.Arc/AgentConfiguration operation examples" and remove the stray
"P" character from the beginning of that line so it starts with a single "#"
character as is standard for markdown h1 headings.

In `@dsc_resources/azure_arc_agent.resource.ps1`:
- Around line 28-35: Add comment-based help documentation to the
Find-AzcmAgentCommand function and all other functions mentioned in the review
(also applies to functions at lines 37-48, 50-101, 103-124, 126-142, 144-159,
161-182, 184-223, 225-237, 239-265, 267-284, 286-311, 313-325, and 327-362). For
each function, insert a comment block immediately before the function keyword
that includes .SYNOPSIS with a brief summary, .DESCRIPTION with at least 40
characters explaining what the function does, .INPUTS describing what data the
function accepts (if applicable), and .OUTPUTS describing what the function
returns. Ensure all parameter descriptions are included for functions that have
parameters.
- Line 100: Remove the unary comma operator from the return statement in the
function that returns $normalizedItems. Since $normalizedItems is already
constructed as an array using the @() syntax earlier in the function, simply
change the return statement from `return ,$normalizedItems` to `return
$normalizedItems` to comply with PowerShell guidelines.

In `@dsc_resources/tests/azure_arc_agent.tests.ps1`:
- Line 124: The It block descriptions in the test file do not follow the coding
guidelines which require descriptions to start with "Should" rather than action
verbs. Update all It block descriptions at lines 124, 136, and 142 to start with
"Should" instead of their current action verbs (such as "Get", etc.), and ensure
they do not contain the word "when". For example, change "Get returns the
current azcmagent configuration" to "Should return the current azcmagent
configuration".
- Around line 4-167: Reorganize the three test scenarios within the Describe
block into separate Context blocks. Create three new Context blocks with
descriptions starting with 'When': wrap the It block 'Get returns the current
azcmagent configuration' in a Context 'When performing Get operation', wrap the
It block 'Test returns false when the current state differs from the desired
defaults' in a Context 'When performing Test operation', and wrap the It block
'Set applies the required Azure Arc commands in order' in a Context 'When
performing Set operation'. Keep all BeforeAll, BeforeEach, and AfterAll blocks
at the Describe level unchanged, and move only the three It blocks into their
respective Context blocks.

---

Nitpick comments:
In `@dsc_resources/azure_arc_agent.dsc.resource.json`:
- Around line 117-122: The configMode property in the schema currently accepts
any string value or null, but it should be restricted to only the documented
valid values "monitor" or "full". Add an enum constraint to the configMode field
definition that explicitly lists the allowed string values "monitor" and "full",
keeping null as an allowed type to maintain backward compatibility. This will
enable schema-level validation before any PowerShell normalization logic
executes.

In `@dsc_resources/azure_arc_agent.resource.ps1`:
- Around line 10-12: The $JsonInput parameter in the
azure_arc_agent.resource.ps1 script has ValueFromPipeline set to true but the
script does not contain a process block to handle pipeline input, which is not
best practice. Since the DSC manifest pipes input via stdin redirection rather
than traditional pipeline binding, remove the ValueFromPipeline = $true
attribute from the $JsonInput parameter definition while keeping the Parameter,
AllowEmptyString, and string type attributes intact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 58d25a25-9d33-47be-9120-6b73a25d1bd6

📥 Commits

Reviewing files that changed from the base of the PR and between 8bb39d4 and 59cd9ae.

📒 Files selected for processing (9)

• README.md
• docs/azure_arc_agent-operations-examples.md
• docs/azure_arc_agent-parameters.md
• dsc_config_example/arc-agent-export.dsc.yaml
• dsc_config_example/arc-agent.dsc.yaml
• dsc_resources/.project.data.json
• dsc_resources/azure_arc_agent.dsc.resource.json
• dsc_resources/azure_arc_agent.resource.ps1
• dsc_resources/tests/azure_arc_agent.tests.ps1

[mimachniak]

Hi @mgreenegit can you review and mearge ?