A Prometheus exporter for AWS Trusted Advisor.
Trusted Advisor exposes metrics in Cloudwatch, so one could be tempted to use the Cloudwatch exporter to get Trusted Advisor metrics.
However, this approach suffers from various issues:
- Trusted Advisor only publishes metrics when it refreshes its checks, which creates large gaps in the metrics
- In turn, this makes the Cloudwatch exporter highly unreliable - with Cloudwatch being full of holes, the metrics exported to Prometheus will be inconsistent as well
- You can partly work around that issue by configuring the Cloudwatch exporter to request old data with `range_seconds`, but scrapes then become extremely long (120+ seconds) and the whole setup will start being expensive, as Cloudwatch isn't cheap
- A minor issue in comparison - Trusted Advisor only publishes its metrics in us-east-1, so your Cloudwatch exporter needs to be configured for that region
Instead, this exporter retrieves data directly from the Support API in order to always get up-to-date and correct data. This means you will need a support plan of Business or above to use this exporter.
Finally, unlike Cloudwatch, this API is free. Well, "free" in the sense that it's included in the cost of your support contract. 🙂
`prometheus-trusted-advisor-exporter` uses the standard AWS authentication methods provided by the AWS SDK for Go, so you should be able to authenticate using the standard environment variables, shared credentials file, IAM roles for EC2, etc. See Specifying Credentials for more details.
It requires the following permissions:
- `support:DescribeTrustedAdvisorChecks`
- `support:DescribeTrustedAdvisorCheckResult`
The exporter is configured via the following environment variables:
Variable | Description | Default value |
---|---|---|
`LISTEN_ADDR` | Address and port the exporter will listen to | `:2112` |
`REFRESH_PERIOD` | How often to refresh all checks and their values, in seconds | `300` |
```
go build
./prometheus-trusted-advisor-exporter
```
Or use the Docker container:
```
docker build . -t prometheus-trusted-advisor-exporter
docker run -p 2112:2112 -it prometheus-trusted-advisor-exporter
```
A pre-built version of this container is available on the ECR public gallery:
```
docker run -p 2112:2112 -it public.ecr.aws/r0t8x2e9/prometheus_trusted_advisor_exporter
```
`prometheus-trusted-advisor-exporter` exposes a single gauge at `/metrics`:
```
# HELP aws_trusted_advisor_check AWS Trusted Advisor check result
# TYPE aws_trusted_advisor_check gauge
aws_trusted_advisor_check{category="cost_optimizing",checkid="1e93e4c0b5",name="Amazon EC2 Reserved Instance Lease Expiration",status="ok"} 0
aws_trusted_advisor_check{category="cost_optimizing",checkid="1qazXsw23e",name="Amazon Relational Database Service (RDS) Reserved Instance Optimization",status="warning"} 8
aws_trusted_advisor_check{category="cost_optimizing",checkid="1qw23er45t",name="Amazon Redshift Reserved Node Optimization",status="ok"} 0
aws_trusted_advisor_check{category="cost_optimizing",checkid="51fC20e7I2",name="Amazon Route 53 Latency Resource Record Sets",status="ok"} 0
aws_trusted_advisor_check{category="security",checkid="DqdJqYeRm5",name="IAM Access Key Rotation",status="error"} 36
(...)
```
All Trusted Advisor checks are exported for every scrape, regardless of their status. They will get a status of "ok" (green), "warning" (yellow), "error" (red), or "not_available" if the check failed to refresh.
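
The following Prometheus alerting rules are an added example, not part of this exporter's repository. They use only the gauge and labels shown above. The group name, alert names, `for` durations and severity labels are assumptions, and the rules match on the `status` label rather than the sample value because this README does not say what the gauge value represents.

```yaml
# Added example: group/alert names, durations and severities are assumptions.
groups:
  - name: trusted-advisor
    rules:
      # Red security check (e.g. "IAM Access Key Rotation" in the sample output).
      # A bare selector fires for every matching series, whatever its value.
      - alert: TrustedAdvisorSecurityError
        expr: aws_trusted_advisor_check{category="security", status="error"}
        for: 10m
        labels:
          severity: critical
        annotations:
          summary: 'Trusted Advisor security check "{{ $labels.name }}" is red'
          description: 'checkid={{ $labels.checkid }} value={{ $value }}'

      # Yellow security check: lower urgency, longer hold time.
      - alert: TrustedAdvisorSecurityWarning
        expr: aws_trusted_advisor_check{category="security", status="warning"}
        for: 1h
        labels:
          severity: warning
        annotations:
          summary: 'Trusted Advisor security check "{{ $labels.name }}" is yellow'
          description: 'checkid={{ $labels.checkid }} value={{ $value }}'

      # A check that failed to refresh reports neither ok nor error, so a
      # security finding behind it would go unnoticed by the rules above.
      - alert: TrustedAdvisorCheckNotAvailable
        expr: aws_trusted_advisor_check{status="not_available"}
        for: 2h
        labels:
          severity: warning
        annotations:
          summary: 'Trusted Advisor check "{{ $labels.name }}" is not refreshing'
          description: 'category={{ $labels.category }} checkid={{ $labels.checkid }}'

      # No series at all: the exporter is not being scraped or exports nothing,
      # which silences every rule above.
      - alert: TrustedAdvisorMetricsAbsent
        expr: absent(aws_trusted_advisor_check)
        for: 15m
        labels:
          severity: critical
        annotations:
          summary: 'No aws_trusted_advisor_check series in Prometheus'
```

Because every check is exported on every scrape with its current status, a status change shows up as a new series with a different `status` label, which is why each rule selects on that label.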