Firefly Azure Integration provides enterprise-grade ARM templates for seamlessly connecting your Azure subscriptions with Firefly's cloud asset management and FinOps platform. These templates automate the complete setup process, from service principal creation to advanced monitoring infrastructure deployment.
Firefly is a comprehensive cloud asset management platform that helps organizations:
- Discover & Inventory all cloud resources across multiple providers
- Optimize Costs with intelligent recommendations and automated policies
- Ensure Compliance with security and governance standards
- Manage Infrastructure as Code with drift detection and remediation
- Monitor Changes in real-time with event-driven architecture
- Perfect for small to medium organizations
- Quick setup with minimal configuration
- Ideal for testing and proof-of-concept scenarios
- Enterprise-scale deployment across multiple subscriptions
- Centralized management with distributed monitoring
- Bulk onboarding with parallel processing
- Organization-wide deployment across entire management group hierarchies
- Automatic discovery of new subscriptions
- Enterprise governance and compliance at scale
- Reader: Read-only access to Azure resources
- Billing Reader: Access to cost and billing information
- App Configuration Data Reader: Configuration data access
- Security Reader: Security recommendations and alerts
- Storage Blob Data Reader: Conditional access to storage blobs
- Firefly Custom Role: Specialized permissions for:
  - Storage account key access
  - Database connection strings
  - Kubernetes cluster credentials
  - Web app configurations
  - Redis cache keys
  - Search service keys
  - Log Analytics workspace keys
  - Terraform state file access (`*state`, `*.tfstateenv:*`)
- Restricted blob access with intelligent filtering
- Network-level security controls
- Azure Event Grid Integration: Instant notifications for resource changes
- Storage Account Monitoring: Centralized log collection and analysis
- Diagnostic Settings: Automatic configuration across all subscriptions
- Webhook Integration: Direct integration with Firefly's event processing pipeline
- Dedicated storage accounts per subscription
- Event Grid system topics with custom filtering
- Automated diagnostic settings deployment
- Configurable retention and delivery policies
- Custom tag support through editable grid interface
- Automatic `firefly: true` tag application
- Tag inheritance across all created resources
- Compliance and cost allocation support
- Dedicated resource groups per subscription (`firefly-monitoring-{subscriptionId}`)
- Unique naming conventions to prevent conflicts
- Centralized resource lifecycle management
- Restrict access to predefined Firefly IP addresses
- Enhanced security for sensitive environments
- Configurable IP allowlists
- TLS 1.2+ enforcement
```text
3.224.145.192
54.83.245.177
3.213.167.195
54.146.252.237
34.226.97.113
```
- Production/Non-Production environment flags
- Auto-Discovery capabilities for new resources
- Infrastructure as Code detection and monitoring
- Custom directory domain configuration
- Automatic Subscription Name Detection: Uses actual Azure subscription display names
- Intelligent Fallback: Uses subscription ID if name unavailable
- Conflict Resolution: Automatic handling of duplicate names
- Permissions: Contributor or Owner role on target subscription(s)
- Azure AD Rights: Ability to create service principals and assign roles
- Subscription Access: Valid Azure subscription(s) to monitor
- Active Firefly Account: Sign up here
- API Credentials: Access Key and Secret Key from Firefly dashboard
- Webhook Access: Firefly webhook endpoint accessibility
The deployment wizard will guide you through creating a service principal:
- Click "Create new" in the Service Principal section
- Name your application (e.g., "Firefly-Integration")
- Select account type (single or multi-tenant based on your needs)
- Click "Register" to create the service principal
- Create a client secret:
  - Click "+ New Client Secret"
  - Set expiration (recommend 24 months)
  - Copy the secret value immediately (it won't be shown again)
- Return to deployment and paste the client secret
- Enable Event-Driven Monitoring: Real-time resource change tracking
- Production Environment: Mark as production for enhanced monitoring
- Multi-Subscription Deployment: Monitor multiple subscriptions simultaneously
- Enforce Storage Network Rules: Restrict access to Firefly IPs only
- Access Key: Your Firefly API access key
- Secret Key: Your Firefly API secret key
- Custom Tags: Add organizational tags to all resources
- Target Subscriptions: Select additional subscriptions to monitor
- Directory Domain: Your organization's domain (defaults to firefly.ai)
- Review all settings in the final step
- Accept terms and conditions
- Click "Create" to start deployment
- Monitor progress in the Azure portal (typically 5-10 minutes)
- Check Firefly Dashboard: Verify new integration appears
- Validate Resource Discovery: Confirm Azure resources are being discovered
- Test Event Monitoring: Make a test change to verify real-time monitoring
- Review Permissions: Ensure service principal has correct role assignments
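One way to carry out the permission review in the last step, as an added Python example that is not part of the Firefly templates: it compares the assignments printed by `az role assignment list --assignee <sp-object-id> --all -o json` with the role set listed earlier and flags anything missing or broader than expected. The subscription ID and the sample `az` output are constructed.

```python
"""Audit a Firefly service principal's role assignments at subscription scope.
Input is the JSON from `az role assignment list --assignee <sp-object-id> --all -o json`;
the sample below is constructed (added example, not part of the Firefly templates)."""
import json

# Roles the README says the templates assign at subscription scope.
EXPECTED_ROLES = {
    "Reader", "Billing Reader", "App Configuration Data Reader",
    "Security Reader", "Storage Blob Data Reader", "Firefly Custom Role",
}
# Broad roles that an inventory/FinOps principal should never hold.
OVERPRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"


def audit_role_assignments(az_json: str, subscription_id: str) -> dict:
    """Return missing, unexpected and over-privileged roles for one subscription.

    A role counts as present only if granted at the subscription itself or at a
    management group (inherited downwards); a grant on a single resource group
    does not cover the whole subscription and is therefore reported as missing."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    present = set()
    for ra in json.loads(az_json):
        scope = ra.get("scope", "")
        if scope.lower() == sub_scope or scope.startswith(MG_PREFIX):
            present.add(ra["roleDefinitionName"])
    return {
        "missing": sorted(EXPECTED_ROLES - present),
        "unexpected": sorted(present - EXPECTED_ROLES),
        "over_privileged": sorted(present & OVERPRIVILEGED),
    }


# Constructed sample: Contributor was granted in place of the custom role, and
# Storage Blob Data Reader only on the monitoring resource group.
SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
SAMPLE_AZ_OUTPUT = json.dumps([
    {"roleDefinitionName": r, "scope": f"/subscriptions/{SUB}"}
    for r in ("Reader", "Billing Reader", "App Configuration Data Reader",
              "Security Reader", "Contributor")
] + [
    {"roleDefinitionName": "Storage Blob Data Reader",
     "scope": f"/subscriptions/{SUB}/resourceGroups/firefly-monitoring-{SUB}"},
])

if __name__ == "__main__":
    print(json.dumps(audit_role_assignments(SAMPLE_AZ_OUTPUT, SUB), indent=2))
```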
Single-subscription architecture (diagram summarized): inside the Azure subscription, the Service Principal is assigned the RBAC roles Reader, Billing Reader, Security Reader, App Configuration Data Reader, Custom Firefly Role and Storage Blob Data Reader. The optional monitoring infrastructure (Storage Account, Event Grid Topic, Diagnostic Settings for Activity Logs) forwards events to the Firefly Platform, which provides resource discovery, cost optimization, security monitoring and compliance tracking.

Multi-subscription architecture (diagram summarized): Subscriptions 1 through N each receive their own monitoring infrastructure and share a single Service Principal with cross-subscription RBAC assignments and centralized authentication. The Firefly Platform presents them in a unified dashboard covering all subscriptions, cost analytics, security posture and compliance view.
The template creates custom roles with specific permissions:
```json
{
  "actions": [
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action",
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
    "Microsoft.Web/sites/config/list/Action",
    "Microsoft.Cache/redis/listKeys/action",
    "Microsoft.AppConfiguration/configurationStores/ListKeys/action",
    "Microsoft.Search/searchServices/listQueryKeys/action",
    "Microsoft.OperationalInsights/workspaces/sharedkeys/action"
  ]
}
```
Event subscriptions are configured with:
- Event Types: `Microsoft.Storage.BlobCreated`
- Delivery: Webhook to Firefly endpoint
- Retry Policy: 30 attempts over 24 hours
- Batch Size: Single events for real-time processing
When network rules are enforced:
- Default Action: Deny all traffic
- Allowed IPs: Only Firefly IP addresses
- TLS Version: Minimum TLS 1.2
- Public Access: Controlled blob access only
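An added Python check, not part of the Firefly templates, that verifies a deployed storage account against these four rules using the JSON printed by `az storage account show -o json`. The sample outputs (including the `203.0.113.0/24` range) are constructed, and "controlled blob access only" is read here as `allowBlobPublicAccess` being disabled.

```python
"""Verify a storage account's network settings against the README's enforced-mode
rules. Input is the JSON from `az storage account show -o json`; the samples are
constructed (added example, not part of the Firefly templates)."""
import json

# Firefly source IPs listed in the README; nothing else should be allowed in.
FIREFLY_IPS = {"3.224.145.192", "54.83.245.177", "3.213.167.195",
               "54.146.252.237", "34.226.97.113"}
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}


def check_storage_network_rules(az_json: str) -> list:
    """Return a sorted list of findings; an empty list means the account
    matches the enforced-mode rules (Deny default, Firefly IPs only, TLS 1.2+,
    no anonymous blob access)."""
    acct = json.loads(az_json)
    rules = acct.get("networkRuleSet") or {}
    findings = []
    if rules.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny")
    allowed = {r["ipAddressOrRange"] for r in rules.get("ipRules", [])
               if r.get("action", "Allow") == "Allow"}
    # Any host or CIDR range outside the allowlist widens exposure.
    for ip in sorted(allowed - FIREFLY_IPS):
        findings.append(f"ipRules allows non-Firefly source {ip}")
    for ip in sorted(FIREFLY_IPS - allowed):
        findings.append(f"ipRules is missing Firefly IP {ip}")
    if TLS_ORDER.get(acct.get("minimumTlsVersion", "TLS1_0"), 0) < TLS_ORDER["TLS1_2"]:
        findings.append("minimumTlsVersion is below TLS1_2")
    # Interpretation of "controlled blob access only": no anonymous public access.
    if acct.get("allowBlobPublicAccess", True):
        findings.append("allowBlobPublicAccess is enabled")
    return sorted(findings)


def _sample(default_action, ips, tls, public_access):
    # Field shape as printed by `az storage account show`; values are constructed.
    return json.dumps({
        "name": "fireflymonitoringsample",
        "networkRuleSet": {"bypass": "AzureServices", "defaultAction": default_action,
                           "ipRules": [{"action": "Allow", "ipAddressOrRange": ip} for ip in ips]},
        "minimumTlsVersion": tls,
        "allowBlobPublicAccess": public_access,
    })


COMPLIANT = _sample("Deny", sorted(FIREFLY_IPS), "TLS1_2", False)
# Drifted account: an extra (constructed) office range, TLS 1.0 still accepted,
# and anonymous blob access switched on.
DRIFTED = _sample("Deny", sorted(FIREFLY_IPS) + ["203.0.113.0/24"], "TLS1_0", True)
```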
```bash
# Check Azure AD permissions
az ad sp list --display-name "Firefly-Integration"

# Verify you have Application Administrator role
az role assignment list --assignee <your-user-id> --all

# Check subscription permissions
az role assignment list --scope "/subscriptions/<subscription-id>"

# Verify Owner or User Access Administrator role
az role definition list --name "Owner"
```
- Verify Firefly credentials are correct
- Check network connectivity to `https://prodapi.firefly.ai`
- Ensure service principal has required permissions
- Validate subscription ID format
```bash
# Check diagnostic settings
az monitor diagnostic-settings subscription list

# Verify storage account access
az storage account show --name <storage-account-name>

# Test event grid subscription
az eventgrid system-topic event-subscription list --system-topic-name <topic-name>
```
```powershell
# PowerShell validation script
$subscriptionId = "<your-subscription-id>"
$spObjectId = "<service-principal-object-id>"

# Check service principal
Get-AzADServicePrincipal -ObjectId $spObjectId

# List role assignments
Get-AzRoleAssignment -ObjectId $spObjectId -Scope "/subscriptions/$subscriptionId"

# Check storage account (if event-driven enabled)
Get-AzStorageAccount -ResourceGroupName "firefly-monitoring-$subscriptionId"

# Verify diagnostic settings
Get-AzDiagnosticSetting -ResourceId "/subscriptions/$subscriptionId"
```
- Azure Portal: Real-time deployment progress
- Activity Log: Detailed operation logs
- Resource Health: Post-deployment validation
- Firefly Dashboard: Integration status and metrics
- Resource Discovery: Automated inventory updates
- Cost Analytics: Billing data synchronization
- Security Posture: Compliance and security insights
- Real-time Events: Resource creation, modification, deletion
- Storage Metrics: Log ingestion and processing rates
- Webhook Delivery: Success/failure rates and retry statistics
- Diagnostic Logs: Administrative activity tracking
- Rotate secrets regularly (every 12-24 months)
- Use certificate authentication when possible
- Document service principal usage and ownership
- Avoid sharing credentials across environments
- Limit service principal editors to security team
- Regular access reviews of role assignments
- Monitor sign-in logs for unusual activity
- Set up alerts for permission changes
- Enable storage network rules for sensitive environments
- Use private endpoints where applicable
- Monitor network access patterns
- Implement conditional access policies
- Tag all resources for cost allocation
- Document integration purpose and data flows
- Regular compliance audits of permissions
- Monitor resource usage and costs
- Email Support: [email protected]
- GitHub Issues: Report bugs and feature requests
- Documentation: Firefly Knowledge Base
- Community: Firefly Community Forum
We welcome contributions! Please see our Contributing Guidelines for details on:
- Bug reports and feature requests
- Code contributions and improvements
- Documentation updates
- Testing and validation
- Firefly Website
- Platform Documentation
- Getting Started Guide
- Best Practices
- ARM Template Documentation
- Azure RBAC Guide
- Service Principal Management
- Azure Monitor Documentation
- Enterprise Deployment Patterns
- Custom Role Definitions
- Monitoring Configurations
- Security Hardening
- `azurefireflydeploy.json` - Main onboarding template
- `azurefireflydeploy-managementgroups.json` - Management group deployment
- `azurefirelfyoffboard.json` - Offboarding template
- `CreateUIDefinition.json` - UI for single/multi-subscription onboarding
- `CreateUIDefinition-managementgroups.json` - UI for management group deployment
- `CreateUIDefinition-offboard.json` - UI for offboarding
This project is licensed under the MIT License - see the LICENSE file for details.
- Microsoft Azure team for ARM template platform
- Firefly Engineering team for platform development
- Community Contributors for feedback and improvements
- DevOps Community for best practices and patterns
Made with ❤️ by the Firefly Team
Empowering cloud excellence through intelligent automation