=====================
azureenergylabelercli
=====================

A CLI that generates energy labels for Azure tenants, subscriptions and resource groups.

* Documentation: https://azureenergylabelercli.readthedocs.org/en/latest

Energy Labels
=============

.. csv-table:: Energy Labels table
   :header: "label", "high", "medium", "low"

   "A =>", "0", "up to 10", "up to 20"
   "B ==>", "up to 10", "up to 20", "up to 40"
   "C ===>", "up to 15", "up to 30", "up to 60"
   "D ====>", "up to 20", "up to 40", "up to 80"
   "E =====>", "up to 25", "up to 50", "up to 100"

Arguments
=========

.. csv-table:: CLI Arguments table
   :header: "description", "CLI argument", "environment variable", "example value"

   "Tenant ID (required)", "`--tenant-id`", "`AZURE_LABELER_TENANT_ID`", "`00000000-0000-0000-0000-000000000000`"
   "Path to export the results", "`--export-path`", "`AZURE_LABELER_EXPORT_PATH`", "`/local/path` or Storage Account Url with SAS token `https://sa.blob.windows.net/container/?sas_token`"
   "Export only number of findings and energy label", "`--export-metrics`", "`AZURE_LABELER_EXPORT_METRICS`", "`false` (default)"
   "Export all findings information along with energy label", "`--export-all`", "`AZURE_LABELER_EXPORT_ALL`", "`true` (default)"
   "Regulatory frameworks to take into account", "`--frameworks`", "`AZURE_LABELER_FRAMEWORKS`", "`'Microsoft cloud security benchmark,Azure CIS 1.1.0'`"
   "Explicit list of subscriptions to take into account", "`--allowed-subscription-ids`", "`AZURE_LABELER_ALLOWED_SUBSCRIPTION_IDS`", "`'00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000001'`"
   "Explicit list of subscriptions NOT to take into account", "`--denied-subscription-ids`", "`AZURE_LABELER_DENIED_SUBSCRIPTION_IDS`", "`'00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000001'`"
   "List of resource groups to exclude", "`--denied-resource-group-names`", "`AZURE_LABELER_DENIED_RESOURCE_GROUP_NAMES`", "`'SBPP-WEU-AARC-01-RSG, SBPA-WEU-AARC-01-RSG'`"
   "Level of log printing", "`--log-level`", "`AZURE_LABELER_LOG_LEVEL`", "`info`"
   "Logging configuration", "`--log-config`", "`AZURE_LABELER_LOG_CONFIG`", ""

Supported authentication types
==============================
Azure CLI
---------

If you run the Energy Labeler from your local machine, make sure the user you are authenticated as has the `Security Reader` permission or higher.

.. code-block:: bash

    az login --tenant 00000000-0000-0000-0000-000000000000

Managed Identity
----------------

If you are running the `azureenergylabeler` container in Azure (on ACI, ACA, etc.), this is the safest and preferred authentication method.
To use Managed Identity authentication for the Energy Labeler, make sure it is enabled on your instance (ACI, Function App, etc.):

.. code-block::

    identity: {
      type: 'SystemAssigned'
    }

Also make sure the identity of your instance has a role assignment; `Security Reader` is required.

.. code-block::

    @description('Security Reader role definition')
    var roleDefinitionId = resourceId('microsoft.authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')

    @description('Assign Security Reader role to the container so it can gather security compliance of the subscription/tenant')
    resource securityReaderAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
      name: guid(name)
      scope: tenant()
      properties: {
        principalId: containergroup.identity.principalId
        roleDefinitionId: roleDefinitionId
      }
    }

Service Principal credentials
-----------------------------

If you are running the `azureenergylabeler` container outside Azure, you need to authenticate to Azure using Service Principal credentials.
The Service Principal must therefore have the `Security Reader` permission assigned either at tenant level or on the subscriptions for which energy labels are calculated.

Service principal with secret
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. csv-table:: Environment variables table
   :header: "variable name", "value"

   "`AZURE_CLIENT_ID`", "id of an Azure Active Directory application"
   "`AZURE_TENANT_ID`", "id of the application's Azure Active Directory tenant"
   "`AZURE_CLIENT_SECRET`", "one of the application's client secrets"

Service principal with certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. csv-table:: Environment variables table
   :header: "variable name", "value"

   "`AZURE_CLIENT_ID`", "id of an Azure Active Directory application"
   "`AZURE_TENANT_ID`", "id of the application's Azure Active Directory tenant"
   "`AZURE_CLIENT_CERTIFICATE_PATH`", "path to a PEM or PKCS12 certificate file including private key"
   "`AZURE_CLIENT_CERTIFICATE_PASSWORD`", "password of the certificate file, if any"

Installation
============
Pipx
----

.. code-block::

    pipx install azureenergylabelercli
      installed package azureenergylabelercli 1.0.0, installed using Python 3.10.5
      These apps are now globally available
        - azure-energy-labeler
        - azure_energy_labeler_cli.py
    done! ✨ 🌟 ✨

Examples
========
Calculate energy label for a tenant
-----------------------------------

.. code-block::

    azure-energy-labeler --tenant-id <TENANT_ID>

Calculate energy label for two subscriptions in a tenant
--------------------------------------------------------

.. code-block::

    azure-energy-labeler --tenant-id <TENANT_ID> --allowed-subscription-ids 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000001

Calculate energy label for a tenant and export all findings to a local folder
-----------------------------------------------------------------------------

.. code-block::

    azure-energy-labeler --tenant-id 2ba489e8-3466-4f52-a32d-263d28b832e1 --export-path /tmp/ --export-all

Calculate energy label for a tenant and export all findings to a Storage Account Blob Container
-----------------------------------------------------------------------------------------------

.. code-block::

    azure-energy-labeler --tenant-id 2ba489e8-3466-4f52-a32d-263d28b832e1 --export-path "https://sa.blob.windows.net/container/?sas_token" --export-all

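
A pre-flight check for the SAS URL handed to ``--export-path``, as an added example that is not part of azureenergylabelercli. The required permissions (``cw``), the 24-hour lifetime limit, the function names and the sample URLs are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the export only uploads result files, so create/write is enough.
NEEDED = set("cw")
# Assumed policy for a one-off export run; adjust to your pipeline.
MAX_LIFETIME = timedelta(hours=24)

# Constructed sample values (the signature is a placeholder, not a real token).
NOW = datetime(2024, 6, 6, 9, 0, tzinfo=timezone.utc)
BASE = "https://examplesa.blob.core.windows.net/labels/?sv=2022-11-02&sr=c"
GOOD = BASE + "&sp=cw&spr=https&se=2024-06-06T10%3A00%3A00Z&sig=CONSTRUCTED"
BAD = BASE + "&sp=racwdl&se=2025-06-06T09%3A00%3A00Z&sig=CONSTRUCTED"


def _parse_time(value):
    """Parse a SAS timestamp (ISO 8601, UTC) into an aware datetime."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_export_sas(url, now=None):
    """Return findings for a container SAS URL; an empty list means it passed."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    findings = []
    if parts.scheme != "https":
        findings.append("URL is not https")
    if "sig" not in query:
        return findings + ["no sig parameter: this is not a SAS URL"]
    # Account-level tokens carry srt; a container token has sr=c.
    if "srt" in query or query.get("sr") != "c":
        findings.append("token is not scoped to a single container (sr=c)")
    granted = set(query.get("sp", ""))
    if granted - NEEDED:
        findings.append("excess permissions: " + "".join(sorted(granted - NEEDED)))
    if not granted & NEEDED:
        findings.append("token cannot create or write blobs")
    # Without spr=https the token is accepted over http as well.
    if query.get("spr") != "https":
        findings.append("token is also valid over plain http (spr)")
    try:
        expiry = _parse_time(query["se"])
    except (KeyError, ValueError):
        return findings + ["missing or unparsable expiry (se)"]
    if expiry <= now:
        findings.append("token has expired")
    elif expiry - now > MAX_LIFETIME:
        findings.append("token lifetime exceeds " + str(MAX_LIFETIME))
    return findings


def redact_sas(url):
    """Replace the signature so the URL can be written to logs."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "sig" else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for name, url in (("good", GOOD), ("bad", BAD)):
        print(name, redact_sas(url), audit_export_sas(url, NOW))
```

Setting ``AZURE_LABELER_EXPORT_PATH`` instead of passing ``--export-path`` keeps the token out of shell history and process listings.
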
Development Workflow
====================

The workflow supports the following steps:

* lint
* test
* build
* document
* upload
* graph

These actions are supported out of the box by the corresponding scripts under the _CI/scripts directory, with sane defaults based on best practices.
Sourcing setup_aliases.ps1 in Windows PowerShell, or setup_aliases.sh in bash on Mac or Linux, provides shell aliases for all of these commands, each prefixed with an underscore.

The bootstrap script creates a .venv directory inside the project directory hosting the virtual environment. It uses pipenv for that.
It is called by all other scripts before they do anything, so one could simply start by calling _lint and that would set up everything before it tried to actually lint the project.

Once the code is ready to be delivered, the _tag script should be called with one of three arguments (patch, minor or major), following the semantic versioning scheme.
So for the initial delivery one would call

    $ _tag --minor

which would bump the version of the project to 0.1.0, tag it in git, push, ask for the change and automatically update HISTORY.rst with the version and the change provided.

So the full workflow after git is initialized is:

* repeat as necessary (of course it could be test - code - lint :) )

  * code
  * lint
  * test

* commit and push
* develop more through the code-lint-test cycle
* tag (with the appropriate argument)
* build
* upload (if you want to host your package in pypi)
* document (of course this could be run at any point)

Important Information
=====================

This template is based on pipenv. To stay compatible with requirements.txt, so that the created package can be used by any part of the existing Python ecosystem, some hacks were needed.
So when building a package out of this **do not** simply call

    $ python setup.py sdist bdist_egg

**as this will produce an unusable artifact with files missing.**
Instead use the provided build and upload scripts that create all the necessary files in the artifact.

Project Features
================
* TODO
History
-------
0.0.1 (04-05-2022)
---------------------
* First code creation
0.1.0 (27-06-2022)
------------------
* First release
1.0.0 (22-09-2022)
------------------
* Add support for environment variables as default argument value
* Arguments with array of values changed from a space separated list to a comma separated list
* CLI now uses the most recent version of the azureenergylabelerlib
1.0.1 (26-09-2022)
------------------
* Fixed a bug preventing collection of resource group findings
1.1.0 (04-10-2022)
------------------
* Updated dependency azureenergylabelerlib to version 2.0.0
2.0.0 (19-10-2022)
------------------
* Microsoft renamed "Azure Security Benchmark" to "Microsoft cloud security benchmark", changing the interface
2.0.1 (20-10-2022)
------------------
* Fix broken dependencies
2.0.2 (08-03-2023)
------------------
* Bump template and dependencies.
2.0.3 (21-03-2023)
------------------
* Bumped library version which now filters subscriptions based on the tenant_id.
2.1.0 (15-05-2023)
------------------
* Added option to disable banner and spinner
* Improved filtering of findings
2.1.1 (28-06-2023)
------------------
* Updated library dependency
2.2.0 (22-09-2023)
------------------
* feat: updating azureenergylabelerlib to 3.3.0 to allow excluding resource groups
2.2.1 (22-09-2023)
------------------
* Fix: AZURE_LABELER_DENIED_RESOURCE_GROUP_NAMES changed to a string delimited list due to gitlab-ci not supporting variables of the type list.
2.2.2 (22-09-2023)
------------------
* fix: the list syntax in the readme file broke the release. It expects a comma after a quote.
2.2.3 (22-09-2023)
------------------
* fix: the list syntax in the readme file broke the release. It expects a comma after a quote.
2.2.4 (03-10-2023)
------------------
* fix: denied_resource_group_names was optional in azureenergylabelerlib 3.3.0. This broke the code if no value was given, therefore updating to 3.3.1.
2.2.5 (05-10-2023)
------------------
* feat: added validation for azure resource group names in azureenergylabelerlib 3.3.2
2.2.7 (06-06-2024)
------------------
* Bump dependencies.
Raw data
{
"_id": null,
"home_page": "https://github.com/schubergphilis/azureenergylabelercli",
"name": "azureenergylabelercli",
"maintainer": null,
"docs_url": null,
"requires_python": null,
"maintainer_email": null,
"keywords": "azureenergylabelercli",
"author": "Sayantan Khanra",
"author_email": "skhanra@schubergphilis.com",
"download_url": "https://files.pythonhosted.org/packages/78/16/cbd05c79493e9179d9815d37d19f93f3aa9af078e45430a4a1f05a2bd147/azureenergylabelercli-2.2.7.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "MIT",
"summary": "A cli to help generate energy label for Azure tenant, subscriptions and resource groups.",
"version": "2.2.7",
"project_urls": {
"Homepage": "https://github.com/schubergphilis/azureenergylabelercli"
},
"split_keywords": [
"azureenergylabelercli"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "7816cbd05c79493e9179d9815d37d19f93f3aa9af078e45430a4a1f05a2bd147",
"md5": "6435cc16acba2e778050a9d21acc6cd0",
"sha256": "1fa4cbb77540ad178a03e9ec07d7c2e04233eeac274650ec7019a66cb535ea9b"
},
"downloads": -1,
"filename": "azureenergylabelercli-2.2.7.tar.gz",
"has_sig": false,
"md5_digest": "6435cc16acba2e778050a9d21acc6cd0",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 125564,
"upload_time": "2024-06-06T09:45:50",
"upload_time_iso_8601": "2024-06-06T09:45:50.194071Z",
"url": "https://files.pythonhosted.org/packages/78/16/cbd05c79493e9179d9815d37d19f93f3aa9af078e45430a4a1f05a2bd147/azureenergylabelercli-2.2.7.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-06-06 09:45:50",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "schubergphilis",
"github_project": "azureenergylabelercli",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [],
"tox": true,
"lcname": "azureenergylabelercli"
}