@p3ck p3ck commented Jul 2, 2025

SUMMARY

New Azure Inventory Plugin Using Resource Graph and KQL for Improved Performance in Environments with hundreds of subscriptions.

ISSUE TYPE

  • New Module Pull Request

COMPONENT NAME

plugins/doc_fragments/azure_kql.py
plugins/inventory/azure_kql.py
requirements.txt
tests/integration/targets/inventory_azure/playbooks/create_inventory_config.yml
tests/integration/targets/inventory_azure/playbooks/empty_inventory_config.yml
tests/integration/targets/inventory_azure/playbooks/setup.yml
tests/integration/targets/inventory_azure/playbooks/test_inventory_kql.yml
tests/integration/targets/inventory_azure/runme.sh
tests/integration/targets/inventory_azure/templates/kql.yml

ADDITIONAL INFORMATION

The original idea came from a customer who had written a custom Python script to generate a static inventory file. We expanded on that and made it into a proper inventory plugin.

While there is some overlap with the current azure_rm inventory plugin, I think this is different enough to warrant a separate plugin. The query format gives a lot more control to the user to be able to generate inventory files.

Integration tests have been updated to handle this new module as well.

@p3ck p3ck requested review from Fred-sun and magodo July 2, 2025 16:24
@p3ck p3ck force-pushed the inventory_kql branch from b38464c to e2c344c Compare July 2, 2025 16:31
p3ck commented Jul 2, 2025

I'm not sure why I'm getting this error in the sanity test though.. And only for 3.11

Running sanity test "import" on Python 3.8
Running sanity test "import" on Python 3.9
Running sanity test "import" on Python 3.10
Running sanity test "import" on Python 3.11
ERROR: Found 1 import issue(s) on python 3.11 which need to be resolved:
ERROR: plugins/inventory/azure_kql.py:104:0: traceback: ModuleNotFoundError: No module named 'pandas'

Fred-sun commented Jul 3, 2025

Our test environment did not rely on pandas, so this error did not occur. If an error occurs in python3.11, does it mean that pandas is not included in the python3.11 standard library and needs to be installed by oneself?

@Fred-sun Fred-sun left a comment

I'm not sure what caused it. Although the sanity detection indicates that 'pandas' does not exist, there is no problem when azure_kql.py is executed. So I want to temporarily solve the current problem in this way. Thank you!

@Fred-sun Fred-sun added question Further information is requested work in In trying to solve, or in working with contributors labels Jul 3, 2025
New Azure Inventory Plugin Using Resource Graph and KQL for Improved
Performance in Environments with hundreds of subscriptions.
@p3ck p3ck force-pushed the inventory_kql branch from e2c344c to 35d5f2b Compare July 3, 2025 14:25
@p3ck p3ck added the ready_for_review The PR has been modified and can be reviewed and merged label Jul 3, 2025
@p3ck p3ck requested a review from Fred-sun July 3, 2025 15:57
@Fred-sun Fred-sun removed the work in In trying to solve, or in working with contributors label Jul 4, 2025
Klaas- commented Jul 4, 2025

Hi,
I was using Graph to generate an inventory and it kept coming up with incorrect output. I notified MSFT of that and they said by design Graph is not a reliable source of information. I would suggest to not use Graph for collection of an inventory.

Greetings
Klaas

Klaas- commented Jul 4, 2025

For the MSFT people, the support case number was 2406170050002212

I'll quote from it for the Red Hat people:

"""
For a definition of what ARG should do, I can only refer to the official documents that states “Azure Resource Graph is an Azure service designed to extend Azure Resource Management by providing efficient and performant resource exploration.”
I think the keyword in that sentence is “efficient”. If ARG also performed data validation, it would not be efficient anymore. I quoted an article earlier that mentioned the full scan that ARG is doing to make sure it has all its properties. This scan can take 30 hours to become available due to the amount of data it needs to query. If it also had to validate the data it received, it would take way so much time that the information would be out of date by the time it was made available.

I think the answer to your question “Does Microsoft want to change that?” is “No, we don’t want to change how this works right now”. Andreea discussed the case with both ARG and Compute resource groups. They found the reason for the missing property but due to the design, there is nothing that can be changed without re-architecting some major Azure components and this is not something we’re ready for at this point. Maybe in the future, but for now we’ll have to live with validating the properties on the client side.
"""

In the case I was exploring I noticed that important fields for an inventory (in this case current powerstate) would silently fail and just show "" instead of the actual powerstate. I have since reverted to using the API directly. This, at least from the information in that case, is the only interface on which Microsoft provides "guarantees" for information accuracy.

magodo commented Jul 7, 2025

@Klaas- Thanks for bringing this limitation, I can also add one more limitation of ARG: for newly created resources, it will need some time to propagate to ARG until they are queryable.

@p3ck Do you mind to put down some note/warning in the document of this new inventory, about the ARG limitations?

Klaas- commented Jul 7, 2025

It also goes the other way, just on Friday I had another case with long-deleted resources still showing up in Graph. I stopped monitoring the situation after 8h post-delete because my day was finished. The answer from support is simply "this is a known issue" -- so also in that area, don't rely on Graph. If you want a proper inventory you have to use API until MSFT rethinks what Graph is and what it should guarantee to its users.

p3ck commented Jul 7, 2025

> @Klaas- Thanks for bringing this limitation, I can also add one more limitation of ARG: for newly created resources, it will need some time to propagate to ARG until they are queryable.
>
> @p3ck Do you mind to put down some note/warning in the document of this new inventory, about the ARG limitations?

I will put something in the notes. I also have an inquiry to the customer who is currently generating their inventory via ARG and if they are aware of this issue.

Klaas- commented Jul 7, 2025

The official Resource Graph answer is "for new resource it can take up to 30 hours to appear in graph" and same for deleted resources "it can take up to 30 hours until a deleted resource disappears from graph".
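
Added example, not part of the thread or the plugin's code: one way to do the client-side validation discussed above, checking Resource Graph rows against a direct API listing for the three failure modes raised here (empty properties, deleted resources still listed, new resources not yet listed). The `id` and `powerstate` column names, the sample rows and the API listing are constructed for illustration.

```python
# Constructed rows shaped like the output of a KQL inventory query. Only
# inventory_hostname is required by the plugin; "id" and "powerstate" are
# hypothetical columns a query author might project.
ARG_ROWS = [
    {"id": "vm-1", "inventory_hostname": "web01", "powerstate": "PowerState/running"},
    {"id": "vm-2", "inventory_hostname": "web02", "powerstate": ""},
    {"id": "vm-3", "inventory_hostname": "old-db", "powerstate": "PowerState/running"},
]

# Constructed authoritative view (resource id -> power state), standing in for
# what a direct API listing would return. vm-3 was deleted; vm-4 is new.
API_STATE = {
    "vm-1": "PowerState/running",
    "vm-2": "PowerState/deallocated",
    "vm-4": "PowerState/running",
}

REQUIRED = ("inventory_hostname", "powerstate")


def reconcile(arg_rows, api_state, required=REQUIRED):
    """Sort Resource Graph rows into trusted and suspect buckets."""
    report = {"ok": [], "empty_fields": {}, "stale": [], "mismatch": {}, "missing": []}
    seen = set()
    for row in arg_rows:
        rid = row["id"]
        seen.add(rid)
        if rid not in api_state:
            # Still in the graph although the API no longer lists it.
            report["stale"].append(rid)
            continue
        empty = [k for k in required if not str(row.get(k) or "").strip()]
        if empty:
            # A property that came back as "" is unknown, not "off".
            report["empty_fields"][rid] = empty
        elif row["powerstate"] != api_state[rid]:
            report["mismatch"][rid] = (row["powerstate"], api_state[rid])
        else:
            report["ok"].append(rid)
    # Listed by the API but not yet propagated to the graph.
    report["missing"] = sorted(set(api_state) - seen)
    return report


def trusted_hosts(arg_rows, report):
    """Hostnames of rows that passed every check, in input order."""
    ok = set(report["ok"])
    return [r["inventory_hostname"] for r in arg_rows if r["id"] in ok]
```

Only hosts in the `ok` bucket go into inventory unreviewed; the other buckets are the ones to re-query through the API or hold back from a play.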

p3ck commented Jul 7, 2025

I've put a disclaimer in the inventory module.

Fred-sun commented Jul 8, 2025

@magodo magodo merged commit fcd13aa into ansible-collections:dev Jul 8, 2025
for how to craft your own query. The one requirement is that you need to provide inventory_hostname.
- Requires a YAML configuration file whose name ends with 'azure_kql.(yml|yaml)'
- Be aware that currently Azure Resource Graph may not be consistent with the actual state of your
resources. It can take up to 30 minutes for updates to propagate. This applies both for resources
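
Review bot: the propagation window on the "It can take up to 30 minutes" line disagrees with the figure quoted earlier in this conversation from Resource Graph support, which is up to 30 hours for both new and deleted resources; suggest changing it to 30 hours. The visible part of the note covers propagation delay only, so it is also worth stating that property values can come back empty (the power state case described above), so that users know to validate results on the client side before relying on them.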
I think you misread my comment :) 30 hours not minutes.

Klaas- commented Jul 8, 2025

I've made a fix and some additions to warning in #2002
