Installation

The Azure exporter is deployed using Terraform on Azure Container App. It uses our Terraform Ocean Integration Factory module to deploy the exporter.

The Azure exporter is initially configured to collect Azure resources from the subscription where it's deployed. However, it can be adjusted to ingest resources from multiple subscriptions. To learn how to configure the Azure exporter for this purpose, check out the instructions in the Multiple subscriptions setup section.

tip

Multiple ways to deploy the Azure exporter can be found in the Azure Integration example README.

Azure infrastructure used by the Azure exporter

The Azure exporter uses the following Azure infrastructure:

  • Azure Container App;
  • Azure Event Grid (Used for real-time data sync to Port):
    • Azure Event Grid System Topic of type Microsoft.Resources.Subscriptions;
    • Azure Event Grid Subscription;
warning

Due to a limitation in Azure only one Event Grid system topic of type Microsoft.Resources.Subscriptions can be created per subscription, so if you already have one you'll need to pass it to the integration using event_grid_system_topic_name=<your-event-grid-system-topic-name>.

If a system topic already exists and is not provided to the deployment of the integration, the integration will fail because it cannot create a new one.
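
A preflight check for the limitation described above, as an added example that is not part of Port's documentation: it reads the JSON printed by `az eventgrid system-topic list` and reports whether a subscription already holds a `Microsoft.Resources.Subscriptions` system topic whose name must be passed as `event_grid_system_topic_name`. The sample JSON is constructed, and the `name`, `source` and `topicType` fields are assumed to match the CLI's output shape.

```python
import json

SUBSCRIPTION_TOPIC_TYPE = "microsoft.resources.subscriptions"


def existing_subscription_topics(topics_json):
    """Map subscription ID -> name of its subscription-level system topic."""
    found = {}
    for topic in json.loads(topics_json):
        if topic.get("topicType", "").lower() != SUBSCRIPTION_TOPIC_TYPE:
            continue  # other system topics (storage, resource group, ...) do not conflict
        # Assumption: for this topic type, "source" is /subscriptions/<id>.
        sub_id = topic["source"].rstrip("/").split("/")[-1].lower()
        found[sub_id] = topic["name"]
    return found


def topic_setting(subscription_id, topics_json):
    """Return the setting to pass to the deployment, or None if no topic exists yet."""
    name = existing_subscription_topics(topics_json).get(subscription_id.lower())
    return f"event_grid_system_topic_name={name}" if name else None


# Constructed sample output; subscription IDs and topic names are placeholders.
SAMPLE_TOPICS = json.dumps([
    {"name": "existing-sub-topic",
     "topicType": "Microsoft.Resources.Subscriptions",
     "source": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"name": "storage-events",
     "topicType": "Microsoft.Storage.StorageAccounts",
     "source": "/subscriptions/00000000-0000-0000-0000-000000000001"
               "/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/sa"},
])

if __name__ == "__main__":
    print(topic_setting("00000000-0000-0000-0000-000000000001", SAMPLE_TOPICS))
```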

Prerequisites

Permissions

To deploy the Azure exporter successfully, the user who deploys the integration in the Azure subscription must have the appropriate access permissions. One of the following permission assignments is required:

  • Option 1: the user can have the Owner Azure role assigned to them for the subscription that the integration will be deployed on. This role provides comprehensive control and access rights;

  • Option 2: for a more limited approach, the user should possess the minimum necessary permissions required to carry out the integration deployment. These permissions will grant the user access to specific resources and actions essential for the task without granting full Owner privileges. The following steps will guide you through the process of creating a custom role and assigning it to the user along with other required roles:

    • Create a custom role with the following permissions:

      Custom Resource Definition

      {
        "id": "<ROLE_DEFINITION_ID>",
        "properties": {
          "roleName": "Azure Exporter Deployment",
          "description": "",
          "assignableScopes": ["/subscriptions/<SUBSCRIPTION_ID>"],
          "permissions": [
            {
              "actions": [
                "Microsoft.ManagedIdentity/userAssignedIdentities/read",
                "Microsoft.ManagedIdentity/userAssignedIdentities/write",
                "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
                "Microsoft.ManagedIdentity/userAssignedIdentities/listAssociatedResources/action",
                "Microsoft.Authorization/roleDefinitions/read",
                "Microsoft.Authorization/roleDefinitions/write",
                "Microsoft.Authorization/roleAssignments/write",
                "Microsoft.Authorization/roleAssignments/read",
                "Microsoft.Resources/subscriptions/resourceGroups/write",
                "Microsoft.OperationalInsights/workspaces/tables/write",
                "Microsoft.Resources/deployments/read",
                "Microsoft.Resources/deployments/write",
                "Microsoft.OperationalInsights/workspaces/read",
                "Microsoft.OperationalInsights/workspaces/write",
                "microsoft.app/containerapps/write",
                "microsoft.app/managedenvironments/read",
                "microsoft.app/managedenvironments/write",
                "Microsoft.Resources/subscriptions/resourceGroups/read",
                "Microsoft.OperationalInsights/workspaces/sharedkeys/action",
                "microsoft.app/managedenvironments/join/action",
                "microsoft.app/containerapps/listsecrets/action",
                "microsoft.app/containerapps/delete",
                "microsoft.app/containerapps/stop/action",
                "microsoft.app/containerapps/start/action",
                "microsoft.app/containerapps/authconfigs/write",
                "microsoft.app/containerapps/authconfigs/delete",
                "microsoft.app/containerapps/revisions/restart/action",
                "microsoft.app/containerapps/revisions/activate/action",
                "microsoft.app/containerapps/revisions/deactivate/action",
                "microsoft.app/containerapps/sourcecontrols/write",
                "microsoft.app/containerapps/sourcecontrols/delete",
                "microsoft.app/managedenvironments/delete",
                "Microsoft.Authorization/roleAssignments/delete",
                "Microsoft.Authorization/roleDefinitions/delete",
                "Microsoft.OperationalInsights/workspaces/delete",
                "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
                "Microsoft.Resources/subscriptions/resourceGroups/delete"
              ],
              "notActions": [],
              "dataActions": [],
              "notDataActions": []
            }
          ]
        }
      }

    • Assign the following roles to the user on the subscription that will be used to deploy the integration:

      • The custom Azure Exporter Deployment role we defined above.
      • The API Management Workspace Contributor role.
      • The EventGrid Contributor role.
      • The ContainerApp Reader role.
      • The EventGrid EventSubscription Contributor role.
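
An added example (not part of Port's documentation): a Python review of a custom role definition such as the one in Option 2, run before the role is created. It flags wildcard actions, actions that change RBAC or return secrets, and assignable scopes wider than a subscription. The sample role is a constructed, abbreviated copy of that definition with a placeholder subscription ID.

```python
import json
import re

# Actions that let the holder change RBAC, i.e. grant further access in scope.
RBAC_WRITE = {
    "microsoft.authorization/roleassignments/write",
    "microsoft.authorization/roledefinitions/write",
}
# Actions that return stored secrets or workspace keys.
SECRET_READ = {
    "microsoft.app/containerapps/listsecrets/action",
    "microsoft.operationalinsights/workspaces/sharedkeys/action",
}
# A scope at or below one subscription; "/" and management groups do not match.
NARROW_SCOPE = re.compile(r"^/subscriptions/[^/]+(/|$)", re.IGNORECASE)


def audit_role(role):
    """Return a list of review findings for a custom role definition."""
    props = role["properties"]
    findings = []
    for scope in props.get("assignableScopes", []):
        if not NARROW_SCOPE.match(scope):
            findings.append(f"scope broader than a subscription: {scope}")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            name = action.lower()  # the role mixes Microsoft./microsoft. prefixes
            if "*" in name:
                findings.append(f"wildcard action: {action}")
            if name in RBAC_WRITE:
                findings.append(f"can change RBAC: {action}")
            if name in SECRET_READ:
                findings.append(f"can read secrets: {action}")
    return findings


# Constructed sample: abbreviated copy of the role above, placeholder scope.
SAMPLE_ROLE = json.loads("""
{"properties": {
  "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
  "permissions": [{"actions": [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "microsoft.app/containerapps/write",
    "microsoft.app/containerapps/listsecrets/action"]}]}}
""")

if __name__ == "__main__":
    print("\n".join(audit_role(SAMPLE_ROLE)))
```

A finding is not necessarily a defect: the page lists these actions as required for the deployment. The RBAC findings do mean the custom role deserves the same care in assignment as a privileged built-in role.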

Installation

Get your Azure Account Credentials

Follow this guide to create a service principal in order to get your Azure account credentials:

  • AZURE_CLIENT_ID
  • AZURE_CLIENT_SECRET
  • AZURE_TENANT_ID
  • AZURE_SUBSCRIPTION_ID

Or register an app in the Azure portal to get your credentials.

Using this installation option means that the integration will be able to update Port in real time using webhooks.

This table summarizes the available parameters for the installation. Set them as you wish in the script below, then copy it and run it in your terminal:

| Parameter | Description | Example | Required |
| --- | --- | --- | --- |
| port.clientId | Your Port client ID | | |
| port.clientSecret | Your Port client secret | | |
| port.baseUrl | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | | |
| integration.config.appHost | The host of the Port Ocean app. Used to set up the integration endpoint as the target for webhooks | https://my-ocean-integration.com | |

Advanced configuration

| Parameter | Description |
| --- | --- |
| integration.eventListener.type | The event listener type. Read more about event listeners |
| integration.type | The integration to be installed |
| scheduledResyncInterval | The number of minutes between each resync. When not set, the integration will resync for each event listener resync event. Read more about scheduledResyncInterval |
| initializePortResources | Default: true. When set to true, the integration will create default blueprints and the Port app config mapping. Read more about initializePortResources |

To install the integration using Helm, run the following command:

helm repo add --force-update port-labs https://port-labs.github.io/helm-charts
helm upgrade --install my-azure-integration port-labs/port-ocean \
  --set port.clientId="PORT_CLIENT_ID" \
  --set port.clientSecret="PORT_CLIENT_SECRET" \
  --set port.baseUrl="https://api.getport.io" \
  --set initializePortResources=true \
  --set scheduledResyncInterval=60 \
  --set integration.identifier="my-azure-integration" \
  --set integration.type="azure" \
  --set integration.eventListener.type="POLLING" \
  --set "extraEnv[0].name=AZURE_CLIENT_ID" \
  --set "extraEnv[0].value=xxxx-your-client-id-xxxxx" \
  --set "extraEnv[1].name=AZURE_CLIENT_SECRET" \
  --set "extraEnv[1].value=xxxxxxx-your-client-secret-xxxx" \
  --set "extraEnv[2].name=AZURE_TENANT_ID" \
  --set "extraEnv[2].value=xxxx-your-tenant-id-xxxxx" \
  --set "extraEnv[3].name=AZURE_SUBSCRIPTION_ID" \
  --set "extraEnv[3].value=xxxx-your-subscription-id-xxxxx"

Selecting a Port API URL by account region

The baseUrl, port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance of the Port API will be used.

Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.

Multiple subscriptions setup

To configure the Azure exporter to ingest resources from other subscriptions, you'll need to assign permissions to the managed identity running the integration in the subscriptions which you wish to ingest resources from.

  1. Head to the Azure portal and navigate to the subscription you want to ingest resources from.
  2. In the subscription's Access control (IAM) section, go to the Role assignment tab and choose the appropriate role for the managed identity responsible for the integration.
  3. Assign this role to the managed identity associated with the integration.
  4. Repeat this process for each subscription you wish to include.

For real-time data ingestion from multiple subscriptions, set up an Event Grid System Topic and an Event Grid Subscription in each subscription you want to include, connecting them to the Azure exporter.

For a detailed example using Terraform to configure the Event Grid System Topic and Event Grid Subscription, based on the installation output of the Azure exporter, refer to this example.

Further information

  • Refer to the examples page for practical configurations and their corresponding blueprint definitions.