From a3e6f86fd900360399e5cf65b6bb3b716e09432b Mon Sep 17 00:00:00 2001
From: Markus Blaschke
Date: Wed, 7 Jun 2023 10:43:02 +0200
Subject: [PATCH] release 23.6.0

Signed-off-by: Markus Blaschke
---
 README.md | 174 +++++++++++------------------------
 config/opts.go | 2 +-
 metrics_azurerm_defender.go | 12 +--
 3 files changed, 59 insertions(+), 129 deletions(-)

diff --git a/README.md b/README.md
index af5692e..8e43f98 100644
--- a/README.md
+++ b/README.md
@@ -28,70 +28,33 @@ useful with additional exporters: ## Configuration -Normally no configuration is needed but can be customized using environment variables. - -(to disable specific scrape collectors set them to `0` or set `SCRAPE_TIME` to `0` to disable all by default) - ``` Usage: azure-resourcemanager-exporter [OPTIONS] Application Options: - --log.debug debug mode [$LOG_DEBUG] - --log.trace trace mode [$LOG_TRACE] - --log.json Switch log output to json format [$LOG_JSON] - --azure.tenant= Azure tenant id [$AZURE_TENANT_ID] - --azure.environment= Azure environment name (default: AZUREPUBLICCLOUD) [$AZURE_ENVIRONMENT] - --azure.subscription= Azure subscription ID (space delimiter) [$AZURE_SUBSCRIPTION_ID] - --azure.location= Azure locations (space delimiter) (default: westeurope, northeurope) [$AZURE_LOCATION] - --azure.resourcegroup.tag= Azure ResourceGroup tags (space delimiter) (default: owner) [$AZURE_RESOURCEGROUP_TAG] - --azure.resource.tag= Azure Resource tags (space delimiter) (default: owner) [$AZURE_RESOURCE_TAG] - --scrape.time= Default scrape time (time.duration) (default: 5m) [$SCRAPE_TIME] - --scrape.time.exporter= Scrape time for exporter metrics (time.duration) (default: 10s) [$SCRAPE_TIME_EXPORTER] - --scrape.time.general= Scrape time for general metrics (time.duration) [$SCRAPE_TIME_GENERAL] - --scrape.time.resource= Scrape time for resource metrics (time.duration) [$SCRAPE_TIME_RESOURCE] - --scrape.time.quota= Scrape time for quota metrics (time.duration) [$SCRAPE_TIME_QUOTA] - --scrape.time.security= Scrape time for Security metrics (time.duration) [$SCRAPE_TIME_SECURITY] - --scrape.time.resourcehealth= Scrape time for ResourceHealth metrics (time.duration) [$SCRAPE_TIME_RESOURCEHEALTH] - --scrape.time.iam= Scrape time for IAM metrics (time.duration) [$SCRAPE_TIME_IAM] - --scrape.time.graph= Scrape time for Graph metrics (time.duration) [$SCRAPE_TIME_GRAPH] - --scrape.time.costs= Scrape time for costs/consumtion metrics (time.duration; BETA) 
(default: 0) [$SCRAPE_TIME_COSTS] - --resourcehealth.summary.maxlength= Max length of ResourceHealth summary label (0 = disable summary label) (default: 0) - [$RESOURCEHEALTH_SUMMARY_MAXLENGTH] - --graph.application.filter= MS Graph application $filter query eg: startswith(displayName,'A') [$GRAPH_APPLICATION_FILTER] - --graph.serviceprincipal.filter= MS Graph serviceprincipal $filter query eg: startswith(displayName,'A') [$GRAPH_SERVICEPRINCIPAL_FILTER] - --costs.timeframe= Timeframe for cost reportings (space delimiter) (default: MonthToDate, YearToDate) - [$COSTS_TIMEFRAME] - --costs.dimension= Dimensions for detailed cost metrics (eg - 'ResourceGroup','ResourceGroupName','ResourceLocation','ConsumedService','ResourceType','ResourceI- - - d','MeterId','BillingMonth','MeterCategory','MeterSubcategory','Meter','AccountName','DepartmentNa- - - me','SubscriptionId','SubscriptionName','ServiceName','ServiceTier','EnrollmentAccountName','Billi- - - ngAccountId','ResourceGuid','BillingPeriod','InvoiceNumber','ChargeType','PublisherType','Reservat- - - ionId','ReservationName','Frequency','PartNumber','CostAllocationRuleName','MarkupRuleName','Prici- - - ngModel') (space delimiter) (default: ResourceType, ResourceLocation) [$COSTS_DIMENSION] - --costs.request.delay= Delay API requests by this time to avoid ratelimits (default: 10s) [$COSTS_REQUEST_DELAY] - --portscan Enable portscan for public IPs [$PORTSCAN] - --portscan.time= Portscan time (time.duration) (default: 3h) [$PORTSCAN_TIME] - --portscan.parallel= Portscan parallel scans (parallel * threads = concurrent gofuncs) (default: 2) [$PORTSCAN_PARALLEL] - --portscan.threads= Portscan threads (concurrent port scans per IP) (default: 1000) [$PORTSCAN_THREADS] - --portscan.timeout= Portscan timeout (seconds) (default: 5) [$PORTSCAN_TIMEOUT] - --portscan.range= Portscan port range (first-last) (space delimiter) (default: 1-65535) [$PORTSCAN_RANGE] - --cache.path= Cache path [$CACHE_PATH] - --server.bind= Server address 
(default: :8080) [$SERVER_BIND] - --server.timeout.read= Server read timeout (default: 5s) [$SERVER_TIMEOUT_READ] - --server.timeout.write= Server write timeout (default: 10s) [$SERVER_TIMEOUT_WRITE] + --log.debug debug mode [$LOG_DEBUG] + --log.devel development mode [$LOG_DEVEL] + --log.json Switch log output to json format [$LOG_JSON] + --config= Path to config file [$CONFIG] + --azure.tenant= Azure tenant id [$AZURE_TENANT_ID] + --azure.environment= Azure environment name (default: AZUREPUBLICCLOUD) [$AZURE_ENVIRONMENT] + --cache.path= Cache path (to folder, file://path... or azblob://storageaccount.blob.core.windows.net/containername or + k8scm://{namespace}/{configmap}}) [$CACHE_PATH] + --server.bind= Server address (default: :8080) [$SERVER_BIND] + --server.timeout.read= Server read timeout (default: 5s) [$SERVER_TIMEOUT_READ] + --server.timeout.write= Server write timeout (default: 10s) [$SERVER_TIMEOUT_WRITE] Help Options: - -h, --help Show this help message + -h, --help Show this help message ``` for Azure API authentication (using ENV vars) see https://docs.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication +## Config file + +see [`example.yaml`](`example.yaml`) + ## Deprecations/old resource metrics Please use [`azure-resourcegraph-exporter`](https://github.com/webdevops/azure-resourcegraph-exporter) for exporting resources. 
@@ -103,83 +66,50 @@ This exporter is using Azure ResourceGraph queries and not wasting Azure API cal This exporter needs `Reader` permissions on subscription level. -For Azure write rate limits it tries to tag the subscription with an empty tag set (actually no changes). -For this operation it needs `Microsoft.Resources/tags/write` on scope `/subscription/*`. - -To disable write rate limits set `SCRAPE_RATELIMIT_WRITE` to `0`. - ## Metrics -| Metric | Collector | Description | -|------------------------------------------------|---------------------|-----------------------------------------------------------------------------------------------------------------------------------| -| `azurerm_stats` | Exporter | General exporter stats | -| `azurerm_consumtion_bugdet_info` | Costs | Azure CostManagement bugdet information | -| `azurerm_consumtion_bugdet_limit` | Costs | Limit of CostManagemnet budget | -| `azurerm_consumtion_bugdet_current` | Costs | Current costs of CostManagement budget | -| `azurerm_consumtion_bugdet_usage` | Costs | Current budget usage in percentage | -| `azurerm_costmanagement_overall_usage` | Costs | CostManagement "usage" metric with timeframes by Subscription and ResourceGroup | -| `azurerm_costmanagement_overall_actualcost` | Costs | CostManagement "actualcosts" metric with timeframes by Subscription and ResourceGroup | -| `azurerm_costmanagement_detail_usage` | Costs | CostManagement "usage" metric with timeframes by Subscription and ResourceGroup and cost dimensions (see `COSTS_DIMENSION`) | -| `azurerm_costmanagement_detail_actualcost` | Costs | CostManagement "actualcosts" metric with timeframes by Subscription and ResourceGroup and cost dimensions (see `COSTS_DIMENSION`) | -| `azurerm_subscription_info` | General | Azure Subscription details (ID, name, ...) 
| -| `azurerm_resource_health` | Health | Azure Resource health information | -| `azurerm_iam_roleassignment_info` | IAM | Azure IAM RoleAssignment information | -| `azurerm_iam_roledefinition_info` | IAM | Azure IAM RoleDefinition information | -| `azurerm_iam_principal_info` | IAM | Azure IAM Principal information | -| `azurerm_quota_info` | Quota | Azure RM quota details (readable name, scope, ...) | -| `azurerm_quota_current` | Quota | Azure RM quota current (current value) | -| `azurerm_quota_limit` | Quota | Azure RM quota limit (maximum limited value) | -| `azurerm_quota_usage` | Quota | Azure RM quota usage in percent | -| `azurerm_resourcegroup_info` | Resource | Azure ResourceGroup details (subscriptionID, name, various tags ...) | -| `azurerm_resource_info` | Resource | Azure Resource information | -| `azurerm_securitycenter_compliance` | Security | Azure SecurityCenter compliance status | -| `azurerm_advisor_recommendation` | Security | Azure Advisory recommendations (eg. security findings) | -| `azurerm_graph_app_info` | Graph | AzureAD graph application information | -| `azurerm_graph_app_credential` | Graph | AzureAD graph application credentials (create,expiry) information | -| `azurerm_publicip_info` | Portscan | Azure PublicIP information | -| `azurerm_publicip_portscan_status` | Portscan | Status of scanned ports (finished scan, elapsed time, updated timestamp) | -| `azurerm_publicip_portscan_port` | Portscan | List of opened ports per IP | +| Metric | Collector | Description | +|---------------------------------------------|------------|----------------------------------------------------------------------------------------------| +| `azurerm_stats` | Exporter | General exporter stats | +| `azurerm_costs_budget_info` | Costs | Azure CostManagement bugdet information | +| `azurerm_costs_budget_current` | Costs | Current value of CostManagemnet budget usage | +| `azurerm_costs_budget_limit` | Costs | Limit of CostManagemnet budget | +| 
`azurerm_costs_budget_usage` | Costs | Percentage of usage of CostManagemnet budget | +| `azurerm_costs_{queryName}` | Costs | Costs query result (see `example.yaml`) | +| `azurerm_subscription_info` | General | Azure Subscription details (ID, name, ...) | +| `azurerm_resource_health` | Health | Azure Resource health information | +| `azurerm_iam_roleassignment_info` | IAM | Azure IAM RoleAssignment information | +| `azurerm_iam_roledefinition_info` | IAM | Azure IAM RoleDefinition information | +| `azurerm_iam_principal_info` | IAM | Azure IAM Principal information | +| `azurerm_quota_info` | Quota | Azure RM quota details (readable name, scope, ...) | +| `azurerm_quota_current` | Quota | Azure RM quota current (current value) | +| `azurerm_quota_limit` | Quota | Azure RM quota limit (maximum limited value) | +| `azurerm_quota_usage` | Quota | Azure RM quota usage in percent | +| `azurerm_resourcegroup_info` | Resource | Azure ResourceGroup details (subscriptionID, name, various tags ...) | +| `azurerm_resource_info` | Resource | Azure Resource information | +| `azurerm_defender_secure_score_percentage` | Defender | Azure Defender secure score percerntage per Subscription | +| `azurerm_defender_secure_score_max` | Defender | The maximum number of points you can gain by completing all recommendations within a control | +| `azurerm_defender_secure_score_current` | Defender | The current Azure Defender secure score | +| `azurerm_defender_compliance_score` | Defender | Azure Defender compliance score (based on applied Policies) | +| `azurerm_defender_compliance_resources` | Defender | Azure Defender count of compliance resource in assessment | +| `azurerm_defender_advisor_recommendation` | Defender | Azure Defender recommendations (eg. 
security findings) | +| `azurerm_graph_app_info` | Graph | AzureAD graph application information | +| `azurerm_graph_app_credential` | Graph | AzureAD graph application credentials (create,expiry) information | +| `azurerm_graph_serviceprincipal_info` | Graph | AzureAD graph servicePrincipal information | +| `azurerm_graph_serviceprincipal_credential` | Graph | AzureAD graph servicePrincipal credentials (create,expiry) information | +| `azurerm_publicip_info` | Portscan | Azure PublicIP information | +| `azurerm_publicip_portscan_status` | Portscan | Status of scanned ports (finished scan, elapsed time, updated timestamp) | +| `azurerm_publicip_portscan_port` | Portscan | List of opened ports per IP | ### ResourceTags handling -Tag can be dynamically added to metrics and processed though filters - -format is: `tagname?filter1` or `tagname?filter1&filter2` - -| Tag filter | Description | -|------------|-----------------------------| -| `toLower` | Lowercasing Azure tag value | -| `toUpper` | Uppercasing Azure tag value | +see [armclient tagmanager documentation](https://github.com/webdevops/go-common/blob/main/azuresdk/README.md#tag-manager) ### AzureTracing metrics -(with 22.2.0 and later) - -Azuretracing metrics collects latency and latency from azure-sdk-for-go and creates metrics and is controllable using -environment variables (eg. setting buckets, disabling metrics or disable autoreset). 
- -| Metric | Description | -|------------------------------------------|----------------------------------------------------------------------------------------| -| `azurerm_api_ratelimit` | Azure ratelimit metrics (only on /metrics, resets after query due to limited validity) | -| `azurerm_api_request_*` | Azure request count and latency as histogram | - -### Settings +see [armclient tracing documentation](https://github.com/webdevops/go-common/blob/main/azuresdk/README.md#azuretracing-metrics) -| Environment variable | Example | Description | -|------------------------------------------|------------------------------------|----------------------------------------------------------------| -| `METRIC_AZURERM_API_REQUEST_BUCKETS` | `1, 2.5, 5, 10, 30, 60, 90, 120` | Sets buckets for `azurerm_api_request` histogram metric | -| `METRIC_AZURERM_API_REQUEST_ENABLE` | `false` | Enables/disables `azurerm_api_request_*` metric | -| `METRIC_AZURERM_API_REQUEST_LABELS` | `apiEndpoint, method, statusCode` | Controls labels of `azurerm_api_request_*` metric | -| `METRIC_AZURERM_API_RATELIMIT_ENABLE` | `false` | Enables/disables `azurerm_api_ratelimit` metric | -| `METRIC_AZURERM_API_RATELIMIT_AUTORESET` | `false` | Enables/disables `azurerm_api_ratelimit` autoreset after fetch | +### Caching +see [prometheus collector cache documentation](https://github.com/webdevops/go-common/blob/main/prometheus/README.md#caching) -| `azurerm_api_request` label | Status | Description | -|-----------------------------|--------------------|----------------------------------------------------------------------------------------------------------| -| `apiEndpoint` | enabled by default | hostname of endpoint (max 3 parts) | -| `routingRegion` | enabled by default | detected region for API call, either routing region from Azure Management API or Azure resource location | -| `subscriptionID` | enabled by default | detected subscriptionID | -| `tenantID` | enabled by default | detected tenantID 
(extracted from jwt auth token) |
-| `resourceProvider` | enabled by default | detected Azure Management API provider |
-| `method` | enabled by default | HTTP method |
-| `statusCode` | enabled by default | HTTP status code |
diff --git a/config/opts.go b/config/opts.go
index b3fb1e2..c13cde5 100644
--- a/config/opts.go
+++ b/config/opts.go
@@ -24,7 +24,7 @@ type (
 // caching
 Cache struct {
- Path string `long:"cache.path" env:"CACHE_PATH" description:"Cache path (to folder, file://path... or azblob://storageaccount.blob.core.windows.net/containername)"`
+ Path string `long:"cache.path" env:"CACHE_PATH" description:"Cache path (to folder, file://path... or azblob://storageaccount.blob.core.windows.net/containername or k8scm://{namespace}/{configmap}})"`
 }
 Server struct {
diff --git a/metrics_azurerm_defender.go b/metrics_azurerm_defender.go
index ed865c5..c3ee689 100644
--- a/metrics_azurerm_defender.go
+++ b/metrics_azurerm_defender.go
@@ -34,7 +34,7 @@ func (m *MetricsCollectorAzureRmDefender) Setup(collector *collector.Collector)
 m.prometheus.defenderSecureScorePercentage = prometheus.NewGaugeVec(
 prometheus.GaugeOpts{
 Name: "azurerm_defender_secure_score_percentage",
- Help: "Azure Audit Defender secure score in percent",
+ Help: "Azure Defender secure score in percent",
 },
 []string{
 "subscriptionID",
@@ -46,7 +46,7 @@ func (m *MetricsCollectorAzureRmDefender) Setup(collector *collector.Collector)
 m.prometheus.defenderSecureScoreMax = prometheus.NewGaugeVec(
 prometheus.GaugeOpts{
 Name: "azurerm_defender_secure_score_max",
- Help: "Azure Audit Defender secure score max",
+ Help: "Azure Defender maximum secure score which can be achieved",
 },
 []string{
 "subscriptionID",
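Review bot: The new `description` tag for `Cache.Path` in config/opts.go has an unbalanced brace in the placeholder, `k8scm://{namespace}/{configmap}}` — one `{` opened, two `}` closed — so the generated `--help` output will show a stray `}` after the configmap placeholder; the same typo is carried into the README usage block in this commit. The line should read `Path string `long:"cache.path" env:"CACHE_PATH" description:"Cache path (to folder, file://path... or azblob://storageaccount.blob.core.windows.net/containername or k8scm://{namespace}/{configmap})"``. Since this text is copied verbatim into the README, it is worth fixing both places together. The enclosing `type (` block and the `Cache` struct's neighbours start outside the hunk.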
@@ -58,7 +58,7 @@ func (m *MetricsCollectorAzureRmDefender) Setup(collector *collector.Collector)
 m.prometheus.defenderSecureScoreCurrent = prometheus.NewGaugeVec(
 prometheus.GaugeOpts{
 Name: "azurerm_defender_secure_score_current",
- Help: "Azure Audit Defender secure score current",
+ Help: "Azure Defender current secure score",
 },
 []string{
 "subscriptionID",
@@ -70,7 +70,7 @@ func (m *MetricsCollectorAzureRmDefender) Setup(collector *collector.Collector)
 m.prometheus.defenderComplianceScore = prometheus.NewGaugeVec(
 prometheus.GaugeOpts{
 Name: "azurerm_defender_compliance_score",
- Help: "Azure Audit Defender compliance score",
+ Help: "Azure Defender compliance score",
 },
 []string{
 "subscriptionID",
@@ -82,7 +82,7 @@ func (m *MetricsCollectorAzureRmDefender) Setup(collector *collector.Collector)
 m.prometheus.defenderComplianceResourceCount = prometheus.NewGaugeVec(
 prometheus.GaugeOpts{
 Name: "azurerm_defender_compliance_resources",
- Help: "Azure Audit Defender compliance score",
+ Help: "Azure Defender count of compliance resource in assessment",
 },
 []string{
 "subscriptionID",
@@ -93,7 +93,7 @@ func (m *MetricsCollectorAzureRmDefender) Setup(collector *collector.Collector)
 m.prometheus.defenderAdvisorRecommendations = prometheus.NewGaugeVec(
 prometheus.GaugeOpts{
 Name: "azurerm_defender_advisor_recommendation",
- Help: "Azure Audit Advisor recommendation",
+ Help: "Azure Advisor recommendation",
 },
 []string{
 "subscriptionID",
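Review bot: The new `Help` text for `azurerm_defender_advisor_recommendation` ("Azure Advisor recommendation") no longer matches the README metrics table added in this same commit, which describes the metric as "Azure Defender recommendations (eg. security findings)"; since the Help string is what operators see in `/metrics`, the two should say the same thing, e.g. `Help: "Azure Advisor recommendation (eg. security findings)",`, or the README row should be reworded to match. The same Help-vs-README check is worth doing for `azurerm_defender_compliance_resources` in the preceding hunk, where "count of compliance resource" reads as a typo for "resources" in both places. `Setup` begins and ends outside these hunks.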