# README
Azure ResourceManager Exporter
Prometheus exporter for Azure information.
Features
-
Uses of official Azure SDK for go
-
Supports all Azure environments (Azure public cloud, Azure governmant cloud, Azure china cloud, ...) via Azure SDK configuration
-
Docker image is based on Google's distroless static image to reduce attack surface (no shell, no other binaries inside image)
-
Available via Docker Hub and Quay (see badges on top)
-
Can run non-root and with readonly root filesystem, doesn't need any capabilities (you can safely use
drop: ["All"]) -
Publishes Azure API rate limit metrics (when exporter sends Azure API requests)
useful with additional exporters:
- azure-resourcegraph-exporter for exporting Azure resource information from Azure ResourceGraph API with custom Kusto queries (get the tags from resources and ResourceGroups with this exporter)
- azure-metrics-exporter for exporting Azure Monitor metrics
- azure-keyvault-exporter for exporting Azure KeyVault information (eg expiry date for secrets, certificates and keys)
- azure-loganalytics-exporter for exporting Azure LogAnalytics workspace information with custom Kusto queries (eg ingestion rate or application error count)
Configuration
Usage:
azure-resourcemanager-exporter [OPTIONS]
Application Options:
--log.debug debug mode [$LOG_DEBUG]
--log.devel development mode [$LOG_DEVEL]
--log.json Switch log output to json format [$LOG_JSON]
--config= Path to config file [$CONFIG]
--azure.tenant= Azure tenant id [$AZURE_TENANT_ID]
--azure.environment= Azure environment name (default: AZUREPUBLICCLOUD) [$AZURE_ENVIRONMENT]
--cache.path= Cache path (to folder, file://path... or azblob://storageaccount.blob.core.windows.net/containername or
k8scm://{namespace}/{configmap}}) [$CACHE_PATH]
--server.bind= Server address (default: :8080) [$SERVER_BIND]
--server.timeout.read= Server read timeout (default: 5s) [$SERVER_TIMEOUT_READ]
--server.timeout.write= Server write timeout (default: 10s) [$SERVER_TIMEOUT_WRITE]
Help Options:
-h, --help Show this help message
for Azure API authentication (using ENV vars) see https://docs.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication
Config file
see example.yaml
Deprecations/old resource metrics
Please use azure-resourcegraph-exporter for exporting resources.
This exporter is using Azure ResourceGraph queries and not wasting Azure API calls for fetching metrics.
azure-resourcegraph-exporter provides a way how metrics can be build by using Kusto queries.
Azure permissions
This exporter needs Reader permissions on subscription level.
Metrics
| Metric | Collector | Description |
|---|---|---|
azurerm_stats | Exporter | General exporter stats |
azurerm_costs_budget_info | Costs | Azure CostManagement bugdet information |
azurerm_costs_budget_current | Costs | Current value of CostManagemnet budget usage |
azurerm_costs_budget_limit | Costs | Limit of CostManagemnet budget |
azurerm_costs_budget_usage | Costs | Percentage of usage of CostManagemnet budget |
azurerm_costs_{queryName} | Costs | Costs query result (see example.yaml) |
azurerm_subscription_info | General | Azure Subscription details (ID, name, ...) |
azurerm_resource_health | Health | Azure Resource health information |
azurerm_iam_roleassignment_info | IAM | Azure IAM RoleAssignment information |
azurerm_iam_roledefinition_info | IAM | Azure IAM RoleDefinition information |
azurerm_iam_principal_info | IAM | Azure IAM Principal information |
azurerm_quota_info | Quota | Azure RM quota details (readable name, scope, ...) |
azurerm_quota_current | Quota | Azure RM quota current (current value) |
azurerm_quota_limit | Quota | Azure RM quota limit (maximum limited value) |
azurerm_quota_usage | Quota | Azure RM quota usage in percent |
azurerm_resourcegroup_info | Resource | Azure ResourceGroup details (subscriptionID, name, various tags ...) |
azurerm_resource_info | Resource | Azure Resource information |
azurerm_defender_secure_score_percentage | Defender | Azure Defender secure score percerntage per Subscription |
azurerm_defender_secure_score_max | Defender | The maximum number of points you can gain by completing all recommendations within a control |
azurerm_defender_secure_score_current | Defender | The current Azure Defender secure score |
azurerm_defender_compliance_score | Defender | Azure Defender compliance score (based on applied Policies) |
azurerm_defender_compliance_resources | Defender | Azure Defender count of compliance resource in assessment |
azurerm_defender_advisor_recommendation | Defender | Azure Defender recommendations (eg. security findings) |
azurerm_graph_app_info | Graph | AzureAD graph application information |
azurerm_graph_app_tag | Graph | AzureAD graph application tag |
azurerm_graph_app_credential | Graph | AzureAD graph application credentials (create,expiry) information |
azurerm_graph_serviceprincipal_info | Graph | AzureAD graph servicePrincipal information |
azurerm_graph_serviceprincipal_tag | Graph | AzureAD graph servicePrincipal tag |
azurerm_graph_serviceprincipal_credential | Graph | AzureAD graph servicePrincipal credentials (create,expiry) information |
azurerm_publicip_info | Portscan | Azure PublicIP information |
azurerm_publicip_portscan_status | Portscan | Status of scanned ports (finished scan, elapsed time, updated timestamp) |
azurerm_publicip_portscan_port | Portscan | List of opened ports per IP |
ResourceTags handling
see armclient tagmanager documentation
AzureTracing metrics
see armclient tracing documentation