@pagopa/dx-savemoney 0.2.5 → 0.2.6

package/src/azure/analyzer.ts

@@ -1,5 +1,22 @@
 /**
  * Azure resource analyzer - Main orchestration logic
+ *
+ * Iterates every resource in every configured subscription, dispatches it
+ * to the registered analyzers (see `./analyzers/registry.ts`), and feeds
+ * the resulting findings into the report generator.
+ *
+ * Phase 0 refactor:
+ *  - Resources are dispatched through a plugin-style `Analyzer` registry
+ *    instead of a hard-coded `switch` statement.
+ *  - Per-subscription resources are analyzed in parallel via a small
+ *    in-process limiter (default concurrency 8, configurable via
+ *    `AzureConfig.concurrency`).
+ *  - Azure Monitor metric calls are memoized for the duration of a run via
+ *    a per-run `MetricsCache` passed through `AnalyzerContext`, so concurrent
+ *    calls to `analyzeAzureResources` stay fully isolated.
+ *
+ * The output schema (`AzureDetailedResourceReport`) is unchanged so the
+ * existing report formats keep working untouched.
  */
 
 import { ContainerAppsAPIClient } from "@azure/arm-appcontainers";
@@ -10,6 +27,7 @@ import { NetworkManagementClient } from "@azure/arm-network";
 import * as armResources from "@azure/arm-resources";
 import { DefaultAzureCredential } from "@azure/identity";
 import { getLogger } from "@logtape/logtape";
+import pLimit from "p-limit";
 
 import type { AzureConfig, AzureDetailedResourceReport } from "./types.js";
 
@@ -19,19 +37,16 @@ import {
   mergeResults,
   type Thresholds,
 } from "../types.js";
-import { generateReport } from "./report.js";
 import {
-  analyzeAppServicePlan,
-  analyzeContainerApp,
-  analyzeDisk,
-  analyzeNic,
-  analyzePrivateEndpoint,
-  analyzePublicIp,
-  analyzeStaticSite,
-  analyzeStorageAccount,
-  analyzeVM,
-} from "./resources/index.js";
-import { matchesTags } from "./utils.js";
+  type Analyzer,
+  type AnalyzerContext,
+  type AzureClients,
+  createDefaultAnalyzers,
+} from "./analyzers/index.js";
+import { generateReport } from "./report.js";
+import { matchesTags, type MetricsCache } from "./utils.js";
+
+const DEFAULT_CONCURRENCY = 8;
 
 /**
  * Analyzes resources in multiple Azure subscriptions and generates a report.
@@ -47,62 +62,96 @@ export async function analyzeAzureResources(
   const credential = new DefaultAzureCredential();
   const allReports: AzureDetailedResourceReport[] = [];
 
+  const analyzers = createDefaultAnalyzers();
+  const thresholds: Thresholds = config.thresholds ?? DEFAULT_THRESHOLDS;
+
+  // Normalise concurrency the same way p-limit does to keep maxInFlight
+  // consistent. A raw value of 0/NaN would produce maxInFlight = 0/NaN and
+  // either deadlock or silently disable backpressure.
+  const rawConcurrency = config.concurrency ?? DEFAULT_CONCURRENCY;
+  const concurrency = Number.isFinite(rawConcurrency)
+    ? Math.max(1, Math.floor(rawConcurrency))
+    : 1;
+  const limit = pLimit(concurrency);
+
+  // Bound the in-flight Set to `2 × concurrency` so memory stays proportional
+  // to the limiter width, not the total resource count in a subscription.
+  const maxInFlight = concurrency * 2;
+
   for (const subscriptionId of config.subscriptionIds) {
     logger.info(`Analyzing subscription: ${subscriptionId}`);
 
+    const sid = subscriptionId.trim();
+
+    // Fresh cache per subscription — bounds peak memory to one subscription's
+    // worth of metrics and keeps concurrent analyzeAzureResources calls isolated.
+    const runCache: MetricsCache = new Map();
+
+    const clients: AzureClients = {
+      compute: new ComputeManagementClient(credential, sid),
+      containerApps: new ContainerAppsAPIClient(credential, sid),
+      monitor: new MonitorClient(credential, sid),
+      network: new NetworkManagementClient(credential, sid),
+      webSite: new WebSiteManagementClient(credential, sid),
+    };
     const resourceClient = new armResources.ResourceManagementClient(
       credential,
-      subscriptionId.trim(),
-    );
-    const monitorClient = new MonitorClient(credential, subscriptionId.trim());
-    const computeClient = new ComputeManagementClient(
-      credential,
-      subscriptionId.trim(),
-    );
-    const networkClient = new NetworkManagementClient(
-      credential,
-      subscriptionId.trim(),
-    );
-    const webSiteClient = new WebSiteManagementClient(
-      credential,
-      subscriptionId.trim(),
-    );
-    const containerAppsClient = new ContainerAppsAPIClient(
-      credential,
-      subscriptionId.trim(),
+      sid,
     );
 
-    const thresholds: Thresholds = config.thresholds ?? DEFAULT_THRESHOLDS;
+    const inFlight = new Set<Promise<void>>();
 
-    // Use the async iterator to avoid memory explosion for large environments
+    // Use the async iterator to avoid loading all resources into memory at once.
     for await (const resource of resourceClient.resources.list()) {
-      // Skip resources that don't match the requested tag filter
       if (!matchesTags(resource, config.filterTags)) {
         continue;
       }
 
-      const { costRisk, reason, suspectedUnused } = await analyzeResource(
-        resource,
-        monitorClient,
-        computeClient,
-        networkClient,
-        webSiteClient,
-        containerAppsClient,
-        config.preferredLocation,
-        config.timespanDays,
-        thresholds,
-        config.verbose || false,
-      );
+      // Backpressure: wait for a slot before enqueuing the next task so that
+      // the inFlight Set stays bounded by maxInFlight instead of growing to the
+      // total resource count in the subscription.
+      while (inFlight.size >= maxInFlight) {
+        await Promise.race(inFlight).catch(() => undefined);
+      }
+
+      const task: Promise<void> = limit(async () => {
+        const { costRisk, reason, suspectedUnused } = await analyzeResource(
+          resource,
+          analyzers,
+          clients,
+          runCache,
+          config.preferredLocation,
+          config.timespanDays,
+          thresholds,
+          config.verbose || false,
+        );
+
+        if (suspectedUnused) {
+          allReports.push({
+            analysis: {
+              costRisk,
+              reason: reason || "No specific findings.",
+              suspectedUnused,
+            },
+            resource,
+          });
+        }
+      });
+
+      inFlight.add(task);
+      // Suppress the unhandled-rejection that would occur between task creation
+      // and the Promise.allSettled drain below. The .catch() handler is a no-op
+      // because the actual error is still visible to allSettled (which logs it)
+      // via the original `task` reference kept in inFlight.
+      void task.catch(() => undefined).finally(() => inFlight.delete(task));
+    }
 
-      if (suspectedUnused) {
-        allReports.push({
-          analysis: {
-            costRisk,
-            reason: reason || "No specific findings.",
-            suspectedUnused,
-          },
-          resource: resource,
-        });
+    // Drain remaining tasks; surface any unexpected errors so they don't
+    // disappear silently and produce an incomplete report without a signal.
+    const results = await Promise.allSettled(inFlight);
+    for (const result of results) {
+      if (result.status === "rejected") {
+        logger.error(`Resource analysis failed: ${String(result.reason)}`);
       }
     }
   }
@@ -119,34 +168,32 @@ export async function analyzeAzureResources(
 }
 
 /**
- * Analyzes a single Azure resource based on its type.
+ * Analyzes a single Azure resource by dispatching it to every registered
+ * analyzer that supports it. Generic checks (missing tags, location
+ * mismatch) are applied around the analyzer-specific logic.
  *
- * @param resource - The Azure resource to analyze
- * @param monitorClient - Azure Monitor client for metrics
- * @param computeClient - Azure Compute client
- * @param networkClient - Azure Network client
- * @param webSiteClient - Azure Web Site client
- * @param containerAppsClient - Azure Container Apps client
- * @param preferredLocation - Preferred Azure location
- * @param timespanDays - Number of days to analyze metrics
- * @param verbose - Whether verbose logging is enabled
+ * @param resource          The Azure resource to analyze
+ * @param analyzers         Registered analyzers (typically `createDefaultAnalyzers()`)
+ * @param clients           Bundle of Azure SDK clients shared across analyzers
+ * @param metricsCache      Run-scoped metrics cache to pass through to analyzers
+ * @param preferredLocation Preferred Azure region (resources elsewhere are flagged)
+ * @param timespanDays      Look-back window for Azure Monitor metrics
+ * @param thresholds        Numeric thresholds used during analysis
+ * @param verbose           Whether verbose logging is enabled
  * @returns Analysis result with cost risk and reason
  */
 export async function analyzeResource(
   resource: armResources.GenericResource,
-  monitorClient: MonitorClient,
-  computeClient: ComputeManagementClient,
-  networkClient: NetworkManagementClient,
-  webSiteClient: WebSiteManagementClient,
-  containerAppsClient: ContainerAppsAPIClient,
+  analyzers: Analyzer[],
+  clients: AzureClients,
+  metricsCache: MetricsCache = new Map(),
   preferredLocation: string,
   timespanDays: number,
   thresholds: Thresholds,
   verbose = false,
 ): Promise<AnalysisResult> {
-  const type = resource.type?.toLowerCase() || "";
-  let result = {
-    costRisk: "low" as "high" | "low" | "medium",
+  let result: AnalysisResult = {
+    costRisk: "low",
     reason: "",
     suspectedUnused: false,
   };
@@ -157,100 +204,28 @@ export async function analyzeResource(
     result.reason += "No tags found. ";
   }
 
-  // Route to type-specific analysis hooks
-  switch (type) {
-    case "microsoft.app/containerapps": {
-      const containerAppResult = await analyzeContainerApp(
-        resource,
-        containerAppsClient,
-        monitorClient,
-        timespanDays,
-        thresholds,
-        verbose,
-      );
-      result = mergeResults(result, containerAppResult);
-      break;
-    }
-    case "microsoft.compute/disks": {
-      const diskResult = await analyzeDisk(resource, computeClient, verbose);
-      result = mergeResults(result, diskResult);
-      break;
-    }
-    case "microsoft.compute/virtualmachines": {
-      const vmResult = await analyzeVM(
-        resource,
-        monitorClient,
-        computeClient,
-        timespanDays,
-        thresholds,
-        verbose,
-      );
-      result = mergeResults(result, vmResult);
-      break;
-    }
-    case "microsoft.network/networkinterfaces": {
-      const nicResult = await analyzeNic(resource, networkClient, verbose);
-      result = mergeResults(result, nicResult);
-      break;
-    }
-    case "microsoft.network/privateendpoints": {
-      const peResult = await analyzePrivateEndpoint(
-        resource,
-        networkClient,
-        verbose,
-      );
-      result = mergeResults(result, peResult);
-      break;
-    }
-    case "microsoft.network/publicipaddresses": {
-      const pipResult = await analyzePublicIp(
-        resource,
-        networkClient,
-        monitorClient,
-        timespanDays,
-        thresholds,
-        verbose,
-      );
-      result = mergeResults(result, pipResult);
-      break;
-    }
-    case "microsoft.storage/storageaccounts": {
-      const storageResult = await analyzeStorageAccount(
-        resource,
-        monitorClient,
-        timespanDays,
-        thresholds,
-        verbose,
-      );
-      result = mergeResults(result, storageResult);
-      break;
-    }
-    case "microsoft.web/serverfarms": {
-      const aspResult = await analyzeAppServicePlan(
-        resource,
-        webSiteClient,
-        monitorClient,
-        timespanDays,
-        thresholds,
-        verbose,
-      );
-      result = mergeResults(result, aspResult);
-      break;
-    }
-    case "microsoft.web/staticsites": {
-      const staticSiteResult = await analyzeStaticSite(
-        resource,
-        monitorClient,
-        timespanDays,
-        thresholds,
-        verbose,
-      );
-      result = mergeResults(result, staticSiteResult);
-      break;
+  const ctx: AnalyzerContext = {
+    clients,
+    metricsCache,
+    preferredLocation,
+    resource,
+    thresholds,
+    timespanDays,
+    verbose,
+  };
+
+  let matched = false;
+  for (const analyzer of analyzers) {
+    if (!analyzer.supports(resource)) {
+      continue;
     }
-    default:
-      result.reason += "No specific analysis for this resource type. ";
-      break;
+    matched = true;
+    const specific = await analyzer.analyze(ctx);
+    result = mergeResults(result, specific);
+  }
+
+  if (!matched) {
+    result.reason += "No specific analysis for this resource type. ";
   }
 
   // Generic check for location

package/src/azure/analyzers/index.ts

@@ -0,0 +1,6 @@
+/**
+ * Re-exports for the Azure analyzer plugin layer.
+ */
+
+export { createDefaultAnalyzers } from "./registry.js";
+export type { Analyzer, AnalyzerContext, AzureClients } from "./types.js";

package/src/azure/analyzers/registry.ts

@@ -0,0 +1,184 @@
+/**
+ * Default registry of Azure analyzers.
+ *
+ * Each entry wraps an existing per-type analyzer function (kept in
+ * `../resources/`) and exposes it through the unified `Analyzer`
+ * interface. The orchestrator simply iterates the registry — no big
+ * `switch` statement, no risk of forgetting to wire a new analyzer
+ * into the orchestrator when the catalog grows.
+ *
+ * Adding a new analyzer is a single insertion here.
+ */
+
+import type { Analyzer } from "./types.js";
+
+import {
+  analyzeAppServicePlan,
+  analyzeContainerApp,
+  analyzeDisk,
+  analyzeNic,
+  analyzePrivateEndpoint,
+  analyzePublicIp,
+  analyzeStaticSite,
+  analyzeStorageAccount,
+  analyzeVM,
+} from "../resources/index.js";
+
+/**
+ * Builds the default set of analyzers in the same order they were
+ * previously evaluated by the orchestrator's `switch` statement. The
+ * order is not behaviourally meaningful today (each resource is matched
+ * by exactly one analyzer) but is kept deterministic for predictable
+ * logging and to ease future debugging.
+ */
+export function createDefaultAnalyzers(): Analyzer[] {
+  return [
+    {
+      analyze: ({
+        clients,
+        metricsCache,
+        resource,
+        thresholds,
+        timespanDays,
+        verbose,
+      }) =>
+        analyzeContainerApp(
+          resource,
+          clients.containerApps,
+          clients.monitor,
+          timespanDays,
+          thresholds,
+          verbose,
+          metricsCache,
+        ),
+      id: "azure.container-app",
+      supports: (r) => r.type?.toLowerCase() === "microsoft.app/containerapps",
+    },
+    {
+      analyze: ({ clients, resource, verbose }) =>
+        analyzeDisk(resource, clients.compute, verbose),
+      id: "azure.disk",
+      supports: (r) => r.type?.toLowerCase() === "microsoft.compute/disks",
+    },
+    {
+      analyze: ({
+        clients,
+        metricsCache,
+        resource,
+        thresholds,
+        timespanDays,
+        verbose,
+      }) =>
+        analyzeVM(
+          resource,
+          clients.monitor,
+          clients.compute,
+          timespanDays,
+          thresholds,
+          verbose,
+          metricsCache,
+        ),
+      id: "azure.vm",
+      supports: (r) =>
+        r.type?.toLowerCase() === "microsoft.compute/virtualmachines",
+    },
+    {
+      analyze: ({ clients, resource, verbose }) =>
+        analyzeNic(resource, clients.network, verbose),
+      id: "azure.nic",
+      supports: (r) =>
+        r.type?.toLowerCase() === "microsoft.network/networkinterfaces",
+    },
+    {
+      analyze: ({ clients, resource, verbose }) =>
+        analyzePrivateEndpoint(resource, clients.network, verbose),
+      id: "azure.private-endpoint",
+      supports: (r) =>
+        r.type?.toLowerCase() === "microsoft.network/privateendpoints",
+    },
+    {
+      analyze: ({
+        clients,
+        metricsCache,
+        resource,
+        thresholds,
+        timespanDays,
+        verbose,
+      }) =>
+        analyzePublicIp(
+          resource,
+          clients.network,
+          clients.monitor,
+          timespanDays,
+          thresholds,
+          verbose,
+          metricsCache,
+        ),
+      id: "azure.public-ip",
+      supports: (r) =>
+        r.type?.toLowerCase() === "microsoft.network/publicipaddresses",
+    },
+    {
+      analyze: ({
+        clients,
+        metricsCache,
+        resource,
+        thresholds,
+        timespanDays,
+        verbose,
+      }) =>
+        analyzeStorageAccount(
+          resource,
+          clients.monitor,
+          timespanDays,
+          thresholds,
+          verbose,
+          metricsCache,
+        ),
+      id: "azure.storage-account",
+      supports: (r) =>
+        r.type?.toLowerCase() === "microsoft.storage/storageaccounts",
+    },
+    {
+      analyze: ({
+        clients,
+        metricsCache,
+        resource,
+        thresholds,
+        timespanDays,
+        verbose,
+      }) =>
+        analyzeAppServicePlan(
+          resource,
+          clients.webSite,
+          clients.monitor,
+          timespanDays,
+          thresholds,
+          verbose,
+          metricsCache,
+        ),
+      id: "azure.app-service-plan",
+      supports: (r) => r.type?.toLowerCase() === "microsoft.web/serverfarms",
+    },
+    {
+      analyze: ({
+        clients,
+        metricsCache,
+        resource,
+        thresholds,
+        timespanDays,
+        verbose,
+      }) =>
+        analyzeStaticSite(
+          resource,
+          clients.monitor,
+          timespanDays,
+          thresholds,
+          verbose,
+          metricsCache,
+        ),
+      id: "azure.static-web-app",
+      supports: (r) => r.type?.toLowerCase() === "microsoft.web/staticsites",
+    },
+  ];
+}

package/src/azure/analyzers/types.ts

@@ -0,0 +1,66 @@
+/**
+ * Plugin architecture for Azure resource analyzers.
+ *
+ * Each `Analyzer` is a self-contained unit that:
+ *  1. declares the resource types it can handle (`supports`)
+ *  2. produces an `AnalysisResult` for a given resource (`analyze`)
+ *
+ * The orchestrator in `analyzer.ts` walks the registered analyzers for
+ * every resource it encounters. New sources (Azure Advisor, custom
+ * checks, pricing-enriched analyzers, …) can be added by implementing
+ * the interface and registering them in `registry.ts` without touching
+ * the orchestrator.
+ */
+
+import type { ContainerAppsAPIClient } from "@azure/arm-appcontainers";
+import type { WebSiteManagementClient } from "@azure/arm-appservice";
+import type { ComputeManagementClient } from "@azure/arm-compute";
+import type { MonitorClient } from "@azure/arm-monitor";
+import type { NetworkManagementClient } from "@azure/arm-network";
+import type * as armResources from "@azure/arm-resources";
+
+import type { AnalysisResult, Thresholds } from "../../types.js";
+import type { MetricsCache } from "../utils.js";
+
+/**
+ * Contract every analyzer must satisfy.
+ */
+export type Analyzer = {
+  analyze(ctx: AnalyzerContext): Promise<AnalysisResult>;
+  /**
+   * Stable identifier of the analyzer (e.g. `azure.vm`, `azure.advisor`).
+   * Used for logging, telemetry and future deduplication logic.
+   */
+  readonly id: string;
+  supports(resource: armResources.GenericResource): boolean;
+};
+
+/**
+ * Per-resource analysis context handed to every analyzer.
+ */
+export type AnalyzerContext = {
+  clients: AzureClients;
+  /**
+   * Run-scoped metrics cache. Pass through to `getMetric` calls so that
+   * concurrent `analyzeAzureResources` invocations stay isolated.
+   */
+  metricsCache: MetricsCache;
+  preferredLocation: string;
+  resource: armResources.GenericResource;
+  thresholds: Thresholds;
+  timespanDays: number;
+  verbose: boolean;
+};
+
+/**
+ * Bundle of Azure SDK clients an analyzer might need. The orchestrator
+ * builds them once per subscription and passes the same instances to
+ * every analyzer.
+ */
+export type AzureClients = {
+  compute: ComputeManagementClient;
+  containerApps: ContainerAppsAPIClient;
+  monitor: MonitorClient;
+  network: NetworkManagementClient;
+  webSite: WebSiteManagementClient;
+};

package/src/azure/config.ts

@@ -42,6 +42,7 @@ export async function loadAzureConfig(
       const rawYaml = yaml.load(raw);
       const parsed = ConfigSchema.parse(rawYaml);
       return {
+        concurrency: parsed.azure.concurrency,
         preferredLocation: parsed.azure.preferredLocation,
         subscriptionIds: parsed.azure.subscriptionIds,
         thresholds: parsed.azure.thresholds,

package/src/azure/resources/app-service.ts

@@ -13,6 +13,7 @@ import type { AnalysisResult, Thresholds } from "../../types.js";
 import { DEFAULT_THRESHOLDS } from "../../types.js";
 import {
   getMetric,
+  type MetricsCache,
   verboseLog,
   verboseLogAnalysisResult,
   verboseLogResourceStart,
@@ -34,6 +35,7 @@ export async function analyzeAppServicePlan(
   timespanDays: number,
   thresholds: Thresholds = DEFAULT_THRESHOLDS,
   verbose = false,
+  cache?: MetricsCache,
 ): Promise<AnalysisResult> {
   verboseLogResourceStart(
     verbose,
@@ -79,6 +81,7 @@ export async function analyzeAppServicePlan(
       "CpuPercentage",
       "Average",
       timespanDays,
+      cache,
     );
 
     const memoryPercentage = await getMetric(
@@ -87,6 +90,7 @@ export async function analyzeAppServicePlan(
       "MemoryPercentage",
       "Average",
       timespanDays,
+      cache,
     );
 
     if (