Import Infrastructure Objects via Azure

The Infrastructure Catalog allows you to import Infrastructure Objects across your various Azure accounts. Once imported, you can see details about your objects (Resource IDs, source account, region, storage size, etc), filter across Azure accounts ("how many databases do I have cumulatively across all my accounts?"), and define relationships between infrastructure objects to Services, Systems, and other Infrastructure Objects.

Integrating an Azure account with OpsLevel

Setup

Generate an Azure Service Principal

To integrate your Azure account with OpsLevel, you must first create a service principal with the Reader role that will grant OpsLevel access to your infrastructure in Azure. You can accomplish this by executing the following snippet in a terminal of your choice (or even from within an Azure Cloud Shell):

az ad sp create-for-rbac -n OpsLevelIntegration[SubscriptionName] --role Reader  --scopes /subscriptions/00000000-0000-0000-0000-000000000000

Don't forget to replace:

• OpsLevelIntegration[SubscriptionName] with a name of your choosing. The name for the service principal must be unique for each subscription you want to integrate in OpsLevel.
• 00000000-0000-0000-0000-000000000000 with the ID of the Subscription you wish to sync with OpsLevel

You should receive a response similar to the following:

{  
  "appId": "52cdd529-9bec-46d9-9c4a-a87ee0db3a68",  
  "displayName": "OpsLevelIntegrationProduction",  
  "password": "<redacted>",  
  "tenant": "0db04bc9-a410-4c10-8537-ae796091635d"  
}

Generating a Service Principal through the Azure Portal

Azure also supports creating a Service Principal directly through their portal, although it does involve registering an Entra Application first. If you choose to follow the Microsoft guide for creating a service principal, make sure to follow "Option 3" when setting up authentication and create a client secret. OpsLevel requires a client secret during setup.

Connect OpsLevel to Azure

To connect your OpsLevel account to Azure, navigate to Add New Integration from Integrations in the side navigation. Once on the New Integration page, find and select Azure Resources. A modal will appear where you can input your newly generated fields.

Here we'll use a few of the values we collected earlier:

• Name: An informative name that will help users identify the integration
• Tenant ID: The tenant field returned when creating your service principal
• Subscription ID: The ID that you passed in when creating your service principal
• Client ID: The client field returned when creating your service principal
• Client Secret: The password field returned when creating your service principal

Verify the Azure integration was successful

Once you have integrated your Azure account(s) you should now be able see them by navigating to Installed Integrations via Integrations on the side navigation. Once you've clicked on your integration, you will be able to see details about your integration such as the Subscription ID and when it was last synced.

Inferring ownership/relationships via Azure tags

Many Azure customers utilize tags within the admin console to assign ownership or relationships to Infrastructure Objects. Our Azure Integration allows you to leverage these existing tags to make ownership or relationship assignment for Infrastructure Objects simple.

Note that certain characters (:, @, =, and +) in tags will be converted to underscores - so, for instance, the key infra:dependency will be converted to infra_dependency.

Ownership Tags

By default, when a new integration is created we set a default ownership defining tag key of owner. If the value of owner matches a Team alias we will automatically assign ownership of that Infrastructure Object to that Team. Ownership for these objects will be locked from the UI or API.

You can use GraphQL to update the array of tag keys. You can also use GraphQL to set whether tags should override existing ownership using the tagsOverrideOwnership field. You can click here to go to the GraphiQL client with the query and mutation samples pre-filled.

Sample query to list out all Azure Resources integrations in the account with id for reference in the mutation below:

query azure_resources_integrations {
  account {
    integrations(type: "azureResources") {
      nodes {
        name
        id
        createdAt
        ... on AzureResourcesIntegration {
          ownershipTagKeys
          tagsOverrideOwnership
        }
      }
    }
  }
}

Sample mutation updating the tags used for ownership inference on an Azure Resources integration:

mutation azureResourcesIntegrationUpdate_override_tags {
  azureResourcesIntegrationUpdate(
    integration: {id: "XXX"}
    input: {ownershipTagKeys: ["owner", "team"], tagsOverrideOwnership: true}
  ) {
    integration {
      id
      name
      ... on AzureResourcesIntegration {
        aliases
        ownershipTagKeys
        tagsOverrideOwnership
      }
    }
    errors {
      message
      path
    }
  }
}

Relationship Tags

By default, OpsLevel sets default relationship-defining tag keys for belongs_to (opslevel-belongs-to), dependency_of (opslevel-dependency-of) and depends_on (opslevel-depends-on) relationships. These tags can be used inside of your Azure account to manage relationships using tags.

You can use GraphQL or the Account Settings UI to update the array of tag keys used for each of these relationships. Modifying these tag keys/prefixes allows for the use of existing tagging schemes to infer different relationship types.

You can update the tags used for relationship inference on an Azure integration:

If your prefer using GraphQL for configuration, here is a sample mutation for updating the tags used for relationship inference on an Azure integration:

mutation assignUpdatedTagRelationships {
  tagRelationshipKeysAssign(input: {
    dependsOn: ["opslevel-depends-on", "depends-on"],
    dependencyOf: ["opslevel-dependency-of", "dependency-of"],
    belongsTo: "part-of"
  }) {
  	errors { message path }
    tagRelationshipKeys {
      belongsTo
      dependencyOf
      dependsOn
    }
  }
}

What Infrastructure objects and types are imported?

We support a wide range of commonly used Azure Infrastructure Objects and Types as part of our integration, namely:

• Cache
  • Microsoft.Cache/Redis ("Cache for Redis")
• Compute
  • Microsoft.Compute/virtualMachines ("Virtual Machines")
• Database
  • Microsoft.Sql/servers/databases ("SQL Databases")
• Networking
  • Microsoft.Network/virtualNetworks ("Virtual Networks")
• Serverless Function
  • Microsoft.Web/sites/functions ("Function")

If there is an Object or Type not listed that you would be interested in importing, please reach out to our customer support team.

We synchronize changes from Azure every 12 hours.

Accessing Infrastructure objects

You can access your imported infrastructure objects by selecting Infrastructure in Catalog from the side navigation.

Once in the Infrastructure list page you will see a table listing all of the infrastructure objects you have imported. At a glance you will be able to see the following data around your objects:

• Name
• Resource Type
• Zone
• Source
• Tags
• Owner

You can discover even more information about your Infrastructure Objects by clicking the View Details icon in the table. This will open a drawer component that will display when the object was last synced along with a host of attributes we've pulled in from Azure around that object.

For a full breakdown of what we've synced from your Azure account, you can select the Raw JSON tab.