feat(ptn): Update FinOps Hub v12 pattern module #6549

Open
FallenHoot wants to merge 1 commit into Azure:main from FallenHoot:feature/finops-hub-avm-module

Conversation

FallenHoot commented Feb 4, 2026

Description

This PR adds the FinOps Hub pattern module to Azure Verified Modules (AVM). FinOps Hub is a comprehensive cost management and optimization solution that ingests, normalizes, and analyzes cloud cost data from multiple providers.

CI Status (Fork)

avm.ptn.finops-toolkit.finops-hub

Features

  • Multi-cloud support: Ingest FOCUS-compliant cost data from Azure, AWS, GCP, and OCI
  • Flexible analytics backend: Choose between Azure Data Explorer (ADX) or Microsoft Fabric
  • Pre-built analytics: KQL functions for cost analysis, optimization recommendations, and reporting
  • Security options: Optional managed virtual network for enhanced data protection
  • WAF-aligned: Deployment options that follow Azure Well-Architected Framework best practices
  • EXPERIMENTAL dashboard: ADX dashboard JSON with 19 pages covering cost analysis, commitments, optimization, and multi-cloud views

Module Details

| Attribute | Value |
| --- | --- |
| Module Path | avm/ptn/finops-toolkit/finops-hub |
| Version | 1.0.0 |
| Type | Pattern (ptn) |
| Telemetry | 46d3xbcp.ptn.finopstoolkit-finopshub |

AVM Compliance

  • ✅ Implements lock and diagnosticSettings standard interfaces
  • ✅ Uses AVM common types from avm/utl/types/avm-common-types:0.6.1
  • ✅ Follows AVM naming conventions and module structure
  • ✅ Includes comprehensive e2e tests for all deployment scenarios (7 tests)
  • ✅ Telemetry enabled via enableTelemetry parameter
  • ✅ PSRule WAF alignment checks passing

Test Scenarios

All 7 e2e test scenarios are enabled and passing:

| Test | Description | Status |
| --- | --- | --- |
| storage-minimal | Basic deployment with storage-only defaults | |
| adx-minimal | Minimal ADX deployment | |
| adx-waf-aligned | WAF-aligned ADX with managed identities, diagnostics | |
| adx-managed-network | ADX with managed virtual network | |
| fabric-minimal | Minimal Fabric deployment | |
| fabric-waf-aligned | WAF-aligned Fabric deployment | |
| managed-network | Managed virtual network configuration | |

ADX Managed Identity Policy — Implementation Note

The ADX cluster requires a managed_identity policy for native ingestion via Azure Data Factory. We explored several approaches to automate this:

  1. Deployment Script with scriptLevel: 'Cluster' — Works in CI but the database script resource has limitations with cluster-level KQL commands in some edge cases.
  2. Cluster Principal Assignment — Grants broad admin roles; not granular enough for just ingestion policy.
  3. Direct REST API via deployment scripts — Requires bearer token management and adds deployment complexity.

Current approach: The ADX managed identity policy is set via an ADF pipeline activity (Set Ingestion Policy) that runs as part of the ingestion_ETL_dataExplorer pipeline. This mirrors the upstream FinOps Toolkit pattern where ADF manages ADX configuration as part of the data pipeline, rather than during ARM deployment.

We've engaged the ADX Product Group for guidance on a cleaner Bicep-native approach (e.g., a dedicated ARM resource type for MI policy). In the meantime, the ADF-based approach is reliable and production-tested.

Related

Checklist

  • Module follows AVM specifications
  • All required interfaces implemented
  • Documentation complete (README.md)
  • E2E tests included and passing (all 7 scenarios)
  • Bicep compiles without errors
  • PSRule WAF alignment checks passing
  • main.json regenerated and CR-free
  • README.md regenerated via Set-ModuleReadMe

FallenHoot requested review from a team as code owners February 4, 2026 16:26
avm-organizer bot added the "Needs: Module Owner 📣" (This module needs an owner to develop or maintain it) label Feb 4, 2026
microsoft-github-policy-service bot added the "Needs: Triage 🔍" (Maintainers need to triage still) and "Type: AVM 🅰️ ✌️ Ⓜ️" (This is an AVM related issue) labels Feb 4, 2026
FallenHoot force-pushed the feature/finops-hub-avm-module branch from f68750c to 5720da9 February 6, 2026 14:12
FallenHoot requested a review from a team as a code owner February 6, 2026 14:12
…ps-hub)

This module deploys a FinOps Hub — a data platform for FinOps that normalizes
multi-cloud cost data into the FOCUS specification using Azure Data Explorer,
Data Factory, and optional Microsoft Fabric integration.

Key capabilities:
- Three deployment modes: Storage-only, ADX (recommended), and Fabric
- Multi-cloud support: Azure, AWS, GCP, and on-premises/datacenter costs
- FOCUS 1.0-1.3 normalization with open data enrichment
- Interactive ADX dashboard with 22 pages (19 standard + 3 experimental)
- WAF-aligned options: managed VNET, private endpoints, CMK encryption
- Managed exports pipeline for automated Cost Management data ingestion

Architecture decisions documented in ADR.md (ADR-001 through ADR-015) covering:
- AVM compliance, resource naming, region selection, identity management
- ADF pipeline approach for ADX managed identity policy (ADR-015)
- ADX principal assignment identity format fix (ADR-014)

Test scenarios: adx-minimal, adx-waf-aligned, adx-managed-network,
fabric-minimal, fabric-waf-aligned, storage-minimal, managed-network

Includes operational scripts for deployment, test data generation,
ADX SKU selection, and hub state management.
FallenHoot force-pushed the feature/finops-hub-avm-module branch 3 times, most recently from 3bf4817 to f7896a9 February 11, 2026 17:12
FallenHoot changed the title from "feat(ptn): Add FinOps Hub pattern module" to "feat(ptn): Update FinOps Hub v12 pattern module" Feb 12, 2026