Azure ResourceManager Exporter

Prometheus exporter for Azure information.

Features

• Uses of official Azure SDK for go

• Supports all Azure environments (Azure public cloud, Azure governmant cloud, Azure china cloud, ...) via Azure SDK configuration

• Docker image is based on Google's distroless static image to reduce attack surface (no shell, no other binaries inside image)

• Available via Docker Hub and Quay (see badges on top)

• Can run non-root and with readonly root filesystem, doesn't need any capabilities (you can safely use drop: ["All"])

• Publishes Azure API rate limit metrics (when exporter sends Azure API requests)

useful with additional exporters:

• azure-resourcegraph-exporter for exporting Azure resource information from Azure ResourceGraph API with custom Kusto queries (get the tags from resources and ResourceGroups with this exporter)
• azure-metrics-exporter for exporting Azure Monitor metrics
• azure-keyvault-exporter for exporting Azure KeyVault information (eg expiry date for secrets, certificates and keys)
• azure-loganalytics-exporter for exporting Azure LogAnalytics workspace information with custom Kusto queries (eg ingestion rate or application error count)

Configuration

Usage:
  azure-resourcemanager-exporter [OPTIONS]

Application Options:
      --log.debug             debug mode [$LOG_DEBUG]
      --log.devel             development mode [$LOG_DEVEL]
      --log.json              Switch log output to json format [$LOG_JSON]
      --config=               Path to config file [$CONFIG]
      --azure.tenant=         Azure tenant id [$AZURE_TENANT_ID]
      --azure.environment=    Azure environment name (default: AZUREPUBLICCLOUD) [$AZURE_ENVIRONMENT]
      --cache.path=           Cache path (to folder, file://path... or azblob://storageaccount.blob.core.windows.net/containername or
                              k8scm://{namespace}/{configmap}}) [$CACHE_PATH]
      --server.bind=          Server address (default: :8080) [$SERVER_BIND]
      --server.timeout.read=  Server read timeout (default: 5s) [$SERVER_TIMEOUT_READ]
      --server.timeout.write= Server write timeout (default: 10s) [$SERVER_TIMEOUT_WRITE]

Help Options:
  -h, --help                  Show this help message

for Azure API authentication (using ENV vars) see https://docs.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication

Config file

see example.yaml

Deprecations/old resource metrics

Please use azure-resourcegraph-exporter for exporting resources. This exporter is using Azure ResourceGraph queries and not wasting Azure API calls for fetching metrics.

azure-resourcegraph-exporter provides a way how metrics can be build by using Kusto queries.

Azure permissions

This exporter needs Reader permissions on subscription level.

Metrics

Metric	Collector	Description
azurerm_stats	Exporter	General exporter stats
azurerm_costs_budget_info	Costs	Azure CostManagement bugdet information
azurerm_costs_budget_current	Costs	Current value of CostManagemnet budget usage
azurerm_costs_budget_limit	Costs	Limit of CostManagemnet budget
azurerm_costs_budget_usage	Costs	Percentage of usage of CostManagemnet budget
azurerm_costs_{queryName}	Costs	Costs query result (see example.yaml)
azurerm_subscription_info	General	Azure Subscription details (ID, name, ...)
azurerm_resource_health	Health	Azure Resource health information
azurerm_iam_roleassignment_info	IAM	Azure IAM RoleAssignment information
azurerm_iam_roledefinition_info	IAM	Azure IAM RoleDefinition information
azurerm_iam_principal_info	IAM	Azure IAM Principal information
azurerm_quota_info	Quota	Azure RM quota details (readable name, scope, ...)
azurerm_quota_current	Quota	Azure RM quota current (current value)
azurerm_quota_limit	Quota	Azure RM quota limit (maximum limited value)
azurerm_quota_usage	Quota	Azure RM quota usage in percent
azurerm_resourcegroup_info	Resource	Azure ResourceGroup details (subscriptionID, name, various tags ...)
azurerm_resource_info	Resource	Azure Resource information
azurerm_defender_secure_score_percentage	Defender	Azure Defender secure score percerntage per Subscription
azurerm_defender_secure_score_max	Defender	The maximum number of points you can gain by completing all recommendations within a control
azurerm_defender_secure_score_current	Defender	The current Azure Defender secure score
azurerm_defender_compliance_score	Defender	Azure Defender compliance score (based on applied Policies)
azurerm_defender_compliance_resources	Defender	Azure Defender count of compliance resource in assessment
azurerm_defender_advisor_recommendation	Defender	Azure Defender recommendations (eg. security findings)
azurerm_graph_app_info	Graph	AzureAD graph application information
azurerm_graph_app_tag	Graph	AzureAD graph application tag
azurerm_graph_app_credential	Graph	AzureAD graph application credentials (create,expiry) information
azurerm_graph_serviceprincipal_info	Graph	AzureAD graph servicePrincipal information
azurerm_graph_serviceprincipal_tag	Graph	AzureAD graph servicePrincipal tag
azurerm_graph_serviceprincipal_credential	Graph	AzureAD graph servicePrincipal credentials (create,expiry) information
azurerm_publicip_info	Portscan	Azure PublicIP information
azurerm_publicip_portscan_status	Portscan	Status of scanned ports (finished scan, elapsed time, updated timestamp)
azurerm_publicip_portscan_port	Portscan	List of opened ports per IP

ResourceTags handling

see armclient tagmanager documentation

AzureTracing metrics

see armclient tracing documentation

Caching

see prometheus collector cache documentation