Control Azure costs with 24 workflows for FinOps

FinOps workflows to discover, approve, and automate Azure cost savings recommendations.

Turbot Team
Jul 24, 2024

Cloud infrastructure managers are always looking for ways to save costs. It's good to detect underused or unused resources, and even better to automatically streamline or remove them. Enter the Azure Thrifty mod for Flowpipe, a new tool that enables you to automate cost optimization. Let's see how it works.

Detect and release unused external IPs

Here's a Steampipe query that finds unattached external IPs.

> select name, region from azure_public_ip;
+---------+--------+
| name | region |
+---------+--------+
| ipaddr1 | eastus |
| ipaddr2 | eastus |
+---------+--------+

We're paying for these, and if we don't need them we should release them. To do that, we'll run the detect_and_correct_compute_addresses_if_unattached pipeline in the Azure Thrifty mod.

Per the README, the setup entails:

  • Cloning the mod

  • Visiting its directory and installing dependencies (flowpipe mod install)

  • Starting Steampipe as a service (steampipe service start)

  • Using credential_import to give Flowpipe access to the credentials in Steampipe azure.spc

  • Optionally, configuring variables that govern the mod's behavior.

Let's run the pipeline.

$ flowpipe pipeline run detect_and_correct_compute_addresses_if_unattached --arg='approvers=[""]'
Detected unattached Compute address ip-addr-1.
Detected unattached Compute address ip-addr-2.

Now let's take action on them.

Wizard mode for interactive decisions

In wizard mode, Flowpipe prompts you to decide whether to release each address. It's the default, so we can run the pipeline with no arguments.

flowpipe pipeline run detect_and_correct_compute_addresses_if_unattached

Now, Flowpipe pauses on each detected address, so you can decide whether to release it. We'll choose Skip and keep this one for now.

┃ Detected unattached Compute address ip-addr-1.
┃ > Skip
┃ Delete Compute Address

Note that this interaction can instead happen in Slack, MSTeams, or email by naming — in approvers — one or more notifiers configured with alternate integrations.

Flowpipe proceeds to the next detected address. This time we'll choose Delete Compute Address; Flowpipe takes that action and reports the outcome.

Deleted Compute address ip-addr-2.

Nice!

Delete old compute snapshots automatically

You won't want to automatically release IP addresses without checking each one, but you might want to automatically delete compute snapshots older than a threshold number of days. There's another pipeline for that, detect_and_correct_compute_snapshots_exceeding_max_age.

To use that pipeline automatically, you'll activate a query trigger to query for old snapshots. And you'll set some configuration variables to control how it works. We'll put them into a file, continuous-compliance.fpvars.

approvers = []
compute_snapshots_exceeding_max_age_trigger_enabled = true
compute_snapshots_exceeding_max_age_trigger_schedule = "weekly"
compute_snapshots_exceeding_max_age_default_action = "delete_snapshot"
compute_snapshots_exceeding_max_age_days = 90

Then we'll run Flowpipe in server mode and point it at that package of variables.

flowpipe server --var-file=continuous-compliance.fpvars

With approvers = [] the pipeline handles each detected old snapshot without requiring approval. The default action is normally notify but here we override to delete_snapshot. Now, snapshots older than 90 days will be automatically deleted on a weekly basis.
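Because this combination deletes resources with nobody in the loop, it is worth checking a variables file before handing it to the server. The following is an added example, not code from the Azure Thrifty mod or from Flowpipe: it reads the flat name = value lines of a file like the one above and lists every enabled trigger whose default action will run unattended. The function names are hypothetical, and treating "notify" and "skip" as the only non-destructive actions is an assumption.

```python
import re

# Constructed sample: the continuous-compliance.fpvars contents shown above.
SAMPLE_FPVARS = """\
approvers = []
compute_snapshots_exceeding_max_age_trigger_enabled = true
compute_snapshots_exceeding_max_age_trigger_schedule = "weekly"
compute_snapshots_exceeding_max_age_default_action = "delete_snapshot"
compute_snapshots_exceeding_max_age_days = 90
"""

# Assumption: these default_action values change nothing in Azure.
SAFE_ACTIONS = {"notify", "skip"}
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")


def parse_value(raw):
    """Convert a flat literal: bool, list of strings, integer, quoted string."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith("["):
        return re.findall(r'"([^"]*)"', raw)
    return int(raw) if raw.isdigit() else raw.strip('"')


def parse_fpvars(text):
    """Parse one-line `name = value` assignments, skipping comment lines."""
    lines = (ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    return {m.group(1): parse_value(m.group(2)) for m in map(ASSIGN.match, lines) if m}


def unattended_destructive(text):
    """Return (control, action) pairs that will run with no approval step."""
    v = parse_fpvars(text)
    # Only an explicit empty list removes approval; unset keeps interactive prompts.
    if v.get("approvers") != []:
        return []
    findings = []
    for key, enabled in v.items():
        if key.endswith("_trigger_enabled") and enabled is True:
            control = key[: -len("_trigger_enabled")]
            action = v.get(control + "_default_action", "notify")
            if action not in SAFE_ACTIONS:
                findings.append((control, action))
    return findings


if __name__ == "__main__":
    for control, action in unattended_destructive(SAMPLE_FPVARS):
        print(f"{control}: '{action}' runs on schedule with no approver")
```

Run against the file above, it reports the snapshot control with delete_snapshot; naming an approver or leaving the action at notify clears the finding.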

Configuration-driven workflow

A detect-and-correct mod like this one doesn't require you to write any SQL or HCL. It's a tool that you configure and then use to perform a range of tasks you'd like to automate, with or without approval. Give Azure Thrifty a try, and please let us know how it goes.
