
Installation

The Azure exporter is deployed using Terraform on Azure Container App. It uses our Terraform Ocean Integration Factory module to deploy the exporter.

The Azure exporter is initially configured to collect Azure resources from the subscription where it's deployed. However, it can be adjusted to ingest resources from multiple subscriptions. To learn how to configure the Azure exporter for this purpose, check out the instructions in the Multiple subscriptions setup section.

tip

Multiple ways to deploy the Azure exporter can be found in the Azure Integration example README.

Azure infrastructure used by the Azure exporter

The Azure exporter uses the following Azure infrastructure:

  • Azure Container App;
  • Azure Event Grid (Used for real-time data sync to Port):
    • Azure Event Grid System Topic of type Microsoft.Resources.Subscriptions;
    • Azure Event Grid Subscription.

warning

Due to a limitation in Azure, only one Event Grid system topic of type Microsoft.Resources.Subscriptions can be created per subscription, so if you already have one you'll need to pass it to the integration using event_grid_system_topic_name=<your-event-grid-system-topic-name>.

If a system topic already exists and is not provided to the deployment of the integration, the integration will fail due to not being able to create a new one.

Prerequisites

Permissions

To deploy the Azure exporter successfully, the user who deploys the integration in the Azure subscription must have the appropriate access permissions. One of the following permission assignments is required:

  • Option 1: the user can have the Owner Azure role assigned to them for the subscription that the integration will be deployed on. This role provides comprehensive control and access rights;

  • Option 2: for a more limited approach, the user should possess the minimum necessary permissions required to carry out the integration deployment. These permissions will grant the user access to specific resources and actions essential for the task without granting full Owner privileges. The following steps will guide you through the process of creating a custom role and assigning it to the user along with other required roles:

    • Create a custom role with the following permissions:

      Custom Resource Definition
      {
        "id": "<ROLE_DEFINITION_ID>",
        "properties": {
          "roleName": "Azure Exporter Deployment",
          "description": "",
          "assignableScopes": ["/subscriptions/<SUBSCRIPTION_ID>"],
          "permissions": [
            {
              "actions": [
                "Microsoft.ManagedIdentity/userAssignedIdentities/read",
                "Microsoft.ManagedIdentity/userAssignedIdentities/write",
                "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
                "Microsoft.ManagedIdentity/userAssignedIdentities/listAssociatedResources/action",
                "Microsoft.Authorization/roleDefinitions/read",
                "Microsoft.Authorization/roleDefinitions/write",
                "Microsoft.Authorization/roleAssignments/write",
                "Microsoft.Authorization/roleAssignments/read",
                "Microsoft.Resources/subscriptions/resourceGroups/write",
                "Microsoft.OperationalInsights/workspaces/tables/write",
                "Microsoft.Resources/deployments/read",
                "Microsoft.Resources/deployments/write",
                "Microsoft.OperationalInsights/workspaces/read",
                "Microsoft.OperationalInsights/workspaces/write",
                "microsoft.app/containerapps/write",
                "microsoft.app/managedenvironments/read",
                "microsoft.app/managedenvironments/write",
                "Microsoft.Resources/subscriptions/resourceGroups/read",
                "Microsoft.OperationalInsights/workspaces/sharedkeys/action",
                "microsoft.app/managedenvironments/join/action",
                "microsoft.app/containerapps/listsecrets/action",
                "microsoft.app/containerapps/delete",
                "microsoft.app/containerapps/stop/action",
                "microsoft.app/containerapps/start/action",
                "microsoft.app/containerapps/authconfigs/write",
                "microsoft.app/containerapps/authconfigs/delete",
                "microsoft.app/containerapps/revisions/restart/action",
                "microsoft.app/containerapps/revisions/activate/action",
                "microsoft.app/containerapps/revisions/deactivate/action",
                "microsoft.app/containerapps/sourcecontrols/write",
                "microsoft.app/containerapps/sourcecontrols/delete",
                "microsoft.app/managedenvironments/delete",
                "Microsoft.Authorization/roleAssignments/delete",
                "Microsoft.Authorization/roleDefinitions/delete",
                "Microsoft.OperationalInsights/workspaces/delete",
                "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
                "Microsoft.Resources/subscriptions/resourceGroups/delete"
              ],
              "notActions": [],
              "dataActions": [],
              "notDataActions": []
            }
          ]
        }
      }
    • Assign the following roles to the user on the subscription that will be used to deploy the integration:

      • The custom Azure Exporter Deployment role we defined above.
      • The API Management Workspace Contributor role.
      • The EventGrid Contributor role.
      • The ContainerApp Reader role.
      • The EventGrid EventSubscription Contributor role.
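
A review step for the custom role before it is assigned, as an added example (not Port's code): the function below flags actions in a role definition that change access control or expose secrets, and assignable scopes wider than one subscription. The `SENSITIVE` selection, the `audit_role` name and the trimmed sample role are assumptions made for this example.

```python
import json

# Actions worth a second look in a deployment role (an added selection, not a
# list from the page). Azure compares action strings case-insensitively.
SENSITIVE = {
    "microsoft.authorization/roleassignments/write":
        "can grant roles to any principal in scope",
    "microsoft.authorization/roledefinitions/write":
        "can create or widen custom roles",
    "microsoft.managedidentity/userassignedidentities/assign/action":
        "can attach a managed identity to a resource",
    "microsoft.app/containerapps/listsecrets/action":
        "can read Container App secrets",
    "microsoft.operationalinsights/workspaces/sharedkeys/action":
        "can read Log Analytics workspace keys",
}

def audit_role(role_json):
    """Return findings for a role definition in the JSON layout shown above."""
    props = json.loads(role_json)["properties"]
    findings = []
    for scope in props.get("assignableScopes", []):
        parts = [p for p in scope.split("/") if p]
        # Anything other than /subscriptions/<id>[/...] is broader than one subscription.
        if len(parts) < 2 or parts[0].lower() != "subscriptions":
            findings.append(f"broad scope: {scope}")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif action.lower() in SENSITIVE:
                findings.append(f"{action}: {SENSITIVE[action.lower()]}")
    return findings

# Constructed sample: the role above trimmed to four of its actions.
SAMPLE_ROLE = json.dumps({"properties": {
    "roleName": "Azure Exporter Deployment",
    "assignableScopes": ["/subscriptions/<SUBSCRIPTION_ID>"],
    "permissions": [{"actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.Authorization/roleAssignments/write",
        "microsoft.app/containerapps/write",
        "microsoft.app/containerapps/listsecrets/action",
    ]}],
}})

if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROLE):
        print(finding)
```

Run it against the full role JSON to see every flagged action; a holder of `roleAssignments/write` at subscription scope can grant further roles there, so the assignment of this custom role deserves the same review as an Owner assignment.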

Installation

  1. Log in to Port and browse to the builder page.

  2. Open the ingest modal by expanding one of the blueprints and clicking the ingest button on the blueprints.

    Dev Portal Builder Ingest Button

  3. Click on the Azure Exporter option under the Cloud Providers section:

    Dev Portal Builder Azure Exporter Option

  4. Edit and copy the installation command.

    tip

    The installation command includes placeholders that allow you to customize the integration's configuration. For example, you can update the command and specify the event_grid_system_topic_name parameter if you already have one.

    • Specify the event_grid_system_topic_name parameter if you already have an Event Grid system topic of type Microsoft.Resources.Subscriptions in your subscription;
    • Specify the event_grid_event_filter_list parameter if you want to listen to more events;
    • Specify the action_permissions_list parameter if you want the integration to have more permissions.

    Dev Portal Builder Azure Exporter Installation

  5. Run the command in your terminal to deploy the Azure exporter.

Multiple subscriptions setup

To configure the Azure exporter to ingest resources from other subscriptions, you'll need to assign permissions to the managed identity running the integration in the subscriptions which you wish to ingest resources from.

  1. Head to the Azure portal and navigate to the subscription you want to ingest resources from.
  2. In the subscription's Access control (IAM) section, go to the Role assignment tab and choose the appropriate role for the managed identity responsible for the integration.
  3. Assign this role to the managed identity associated with the integration.
  4. Repeat this process for each subscription you wish to include.

For real-time data ingestion from multiple subscriptions, set up an Event Grid System Topic and an Event Grid Subscription in each subscription you want to include, connecting them to the Azure exporter.

For a detailed example using Terraform to configure the Event Grid System Topic and Event Grid Subscription, based on the installation output of the Azure exporter, refer to this example.

Further information

  • Refer to the examples page for practical configurations and their corresponding blueprint definitions.