AzureMonitor: Azure settings in Grafana server config (#33728)

* Azure cloud settings

* Fix typos

* Grouped Azure settings

* Doc fixes

* Some settings are not needed

* Updated cloud name aliases

conf/defaults.ini

@@ -546,6 +546,22 @@ assume_role_enabled = true
 # Specify max no of pages to be returned by the ListMetricPages API
 list_metrics_page_limit = 500
 
+#################################### Azure ###############################
+[azure]
+# Azure cloud environment where Grafana is hosted
+# Possible values are AzureCloud, AzureChinaCloud, AzureUSGovernment and AzureGermanCloud
+# Default value is AzureCloud (i.e. public cloud)
+cloud = AzureCloud
+
+# Specifies whether Grafana hosted in Azure service with Managed Identity configured (e.g. Azure Virtual Machines instance)
+# If enabled, the managed identity can be used for authentication of Grafana in Azure services
+# Disabled by default, needs to be explicitly enabled
+managed_identity_enabled = false
+
+# Client ID to use for user-assigned managed identity
+# Should be set for user-assigned identity and should be empty for system-assigned identity
+managed_identity_client_id =
+
 #################################### SMTP / Emailing #####################
 [smtp]
 enabled = false

conf/sample.ini

@@ -533,6 +533,22 @@
 # If true, assume role will be enabled for all AWS authentication providers that are specified in aws_auth_providers
 ; assume_role_enabled = true
 
+#################################### Azure ###############################
+[azure]
+# Azure cloud environment where Grafana is hosted
+# Possible values are AzureCloud, AzureChinaCloud, AzureUSGovernment and AzureGermanCloud
+# Default value is AzureCloud (i.e. public cloud)
+;cloud = AzureCloud
+
+# Specifies whether Grafana hosted in Azure service with Managed Identity configured (e.g. Azure Virtual Machines instance)
+# If enabled, the managed identity can be used for authentication of Grafana in Azure services
+# Disabled by default, needs to be explicitly enabled
+;managed_identity_enabled = false
+
+# Client ID to use for user-assigned managed identity
+# Should be set for user-assigned identity and should be empty for system-assigned identity
+;managed_identity_client_id =
+
 #################################### SMTP / Emailing ##########################
 [smtp]
 ;enabled = false

docs/sources/administration/configuration.md

@@ -807,6 +807,31 @@ Use the [List Metrics API](https://docs.aws.amazon.com/AmazonCloudWatch/latest/A
 
 <hr />
 
+## [azure]
+
+Grafana supports additional integration with Azure services when hosted in the Azure Cloud.
+
+### cloud
+
+Azure cloud environment where Grafana is hosted:
+
+| Azure Cloud                                      | Value                  |
+| ------------------------------------------------ | ---------------------- |
+| Microsoft Azure public cloud                     | AzureCloud (*default*) |
+| Microsoft Chinese national cloud                 | AzureChinaCloud        |
+| US Government cloud                              | AzureUSGovernment      |
+| Microsoft German national cloud ("Black Forest") | AzureGermanCloud       |
+
+### managed_identity_enabled
+
+Specifies whether Grafana hosted in Azure service with Managed Identity configured (e.g. Azure Virtual Machines instance). Disabled by default, needs to be explicitly enabled.
+
+### managed_identity_client_id
+
+The client ID to use for user-assigned managed identity.
+
+Should be set for user-assigned identity and should be empty for system-assigned identity.
+
 ## [auth.jwt]
 
 Refer to [JWT authentication]({{< relref "../auth/jwt.md" >}}) for more information.

packages/grafana-runtime/src/config.ts

@@ -13,6 +13,11 @@ import {
   SystemDateFormatSettings,
 } from '@grafana/data';
 
+export interface AzureSettings {
+  cloud?: string;
+  managedIdentityEnabled: boolean;
+}
+
 export class GrafanaBootConfig implements GrafanaConfig {
   datasources: { [str: string]: DataSourceInstanceSettings } = {};
   panels: { [key: string]: PanelPluginMeta } = {};
@@ -74,6 +79,9 @@ export class GrafanaBootConfig implements GrafanaConfig {
   customTheme?: any;
   awsAllowedAuthProviders: string[] = [];
   awsAssumeRoleEnabled = false;
+  azure: AzureSettings = {
+    managedIdentityEnabled: false,
+  };
 
   constructor(options: GrafanaBootConfig) {
     const mode = options.bootData.user.lightTheme ? 'light' : 'dark';

pkg/api/frontendsettings.go

@@ -246,6 +246,10 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
 		"expressionsEnabled":      hs.Cfg.ExpressionsEnabled,
 		"awsAllowedAuthProviders": hs.Cfg.AWSAllowedAuthProviders,
 		"awsAssumeRoleEnabled":    hs.Cfg.AWSAssumeRoleEnabled,
+		"azure": map[string]interface{}{
+			"cloud":                  hs.Cfg.Azure.Cloud,
+			"managedIdentityEnabled": hs.Cfg.Azure.ManagedIdentityEnabled,
+		},
 	}
 
 	return jsonObj, nil

pkg/setting/setting.go

@@ -284,6 +284,9 @@ type Cfg struct {
 	AWSAssumeRoleEnabled    bool
 	AWSListMetricsPageLimit int
 
+	// Azure Cloud settings
+	Azure AzureSettings
+
 	// Auth proxy settings
 	AuthProxyEnabled          bool
 	AuthProxyHeaderName       string
@@ -900,6 +903,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 
 	cfg.readLDAPConfig()
 	cfg.handleAWSConfig()
+	cfg.readAzureSettings()
 	cfg.readSessionConfig()
 	cfg.readSmtpSettings()
 	cfg.readQuotaSettings()

pkg/setting/setting_azure.go

@@ -0,0 +1,62 @@
+package setting
+
+import "strings"
+
+const (
+	AzurePublic       = "AzureCloud"
+	AzureChina        = "AzureChinaCloud"
+	AzureUSGovernment = "AzureUSGovernment"
+	AzureGermany      = "AzureGermanCloud"
+)
+
+type AzureSettings struct {
+	Cloud                   string
+	ManagedIdentityEnabled  bool
+	ManagedIdentityClientId string
+}
+
+func (cfg *Cfg) readAzureSettings() {
+	azureSection := cfg.Raw.Section("azure")
+
+	// Cloud
+	cloudName := azureSection.Key("cloud").MustString(AzurePublic)
+	cfg.Azure.Cloud = normalizeAzureCloud(cloudName)
+
+	// Managed Identity
+	cfg.Azure.ManagedIdentityEnabled = azureSection.Key("managed_identity_enabled").MustBool(false)
+	cfg.Azure.ManagedIdentityClientId = azureSection.Key("managed_identity_client_id").String()
+}
+
+func normalizeAzureCloud(cloudName string) string {
+	switch strings.ToLower(cloudName) {
+	// Public
+	case "azurecloud":
+	case "azurepublic":
+	case "azurepubliccloud":
+	case "public":
+		return AzurePublic
+
+	// China
+	case "azurechina":
+	case "azurechinacloud":
+	case "china":
+		return AzureChina
+
+	// US Government
+	case "azureusgovernment":
+	case "azureusgovernmentcloud":
+	case "usgov":
+	case "usgovernment":
+		return AzureUSGovernment
+
+	// Germany
+	case "azuregermancloud":
+	case "azuregermany":
+	case "german":
+	case "germany":
+		return AzureGermany
+	}
+
+	// Pass the name unchanged if it's not known
+	return cloudName
+}