🐛 Fix review feedback: outbundRule typo, nil-safety guards, and lazy-load AKS/IAM/Redis sub-resources

- Fix pre-existing typo: "outbundRule" → "outboundRule" in CreateResource
- Add nil checks on Properties before accessing PrivateIPAddress in:
  - Firewall ipConfigurations()
  - Firewall managementIpConfiguration()
  - VirtualNetworkGateway ipConfigurations()
- Lazy-load AKS cluster aadProfile and autoUpgradeProfile
- Lazy-load IAM roleDefinition permissions
- Lazy-load Redis privateEndpointConnections

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tas50

providers/azure/resources/aks.go

@@ -199,45 +199,6 @@ func (a *mqlAzureSubscriptionAksService) clusters() ([]any, error) {
 				}
 			}
 
-			// Create AAD Profile sub-resource
-			var aadProfileData *llx.RawData = llx.NilData
-			if entry.Properties.AADProfile != nil {
-				aadP := entry.Properties.AADProfile
-				adminGroupObjectIDs := []any{}
-				for _, gid := range aadP.AdminGroupObjectIDs {
-					if gid != nil {
-						adminGroupObjectIDs = append(adminGroupObjectIDs, *gid)
-					}
-				}
-				aadRes, err := CreateResource(a.MqlRuntime, "azure.subscription.aksService.cluster.aadProfile",
-					map[string]*llx.RawData{
-						"id":                  llx.StringData(*entry.ID + "/aadProfile"),
-						"managed":             llx.BoolDataPtr(aadP.Managed),
-						"enableAzureRBAC":     llx.BoolDataPtr(aadP.EnableAzureRBAC),
-						"adminGroupObjectIDs": llx.ArrayData(adminGroupObjectIDs, types.String),
-					})
-				if err != nil {
-					return nil, err
-				}
-				aadProfileData = llx.ResourceData(aadRes, "azure.subscription.aksService.cluster.aadProfile")
-			}
-
-			// Create Auto-Upgrade Profile sub-resource
-			var autoUpgradeProfileData *llx.RawData = llx.NilData
-			if entry.Properties.AutoUpgradeProfile != nil {
-				aup := entry.Properties.AutoUpgradeProfile
-				autoUpgradeRes, err := CreateResource(a.MqlRuntime, "azure.subscription.aksService.cluster.autoUpgradeProfile",
-					map[string]*llx.RawData{
-						"id":                   llx.StringData(*entry.ID + "/autoUpgradeProfile"),
-						"upgradeChannel":       llx.StringDataPtr((*string)(aup.UpgradeChannel)),
-						"nodeOSUpgradeChannel": llx.StringDataPtr((*string)(aup.NodeOSUpgradeChannel)),
-					})
-				if err != nil {
-					return nil, err
-				}
-				autoUpgradeProfileData = llx.ResourceData(autoUpgradeRes, "azure.subscription.aksService.cluster.autoUpgradeProfile")
-			}
-
 			mqlAksCluster, err := CreateResource(a.MqlRuntime, "azure.subscription.aksService.cluster",
 				map[string]*llx.RawData{
 					"id":                             llx.StringDataPtr(entry.ID),
@@ -274,14 +235,61 @@ func (a *mqlAzureSubscriptionAksService) clusters() ([]any, error) {
 					"azureKeyVaultKmsNetworkAccess":  llx.StringDataPtr(azureKeyVaultKmsNetworkAccess),
 					"disableLocalAccounts":           llx.BoolDataPtr(entry.Properties.DisableLocalAccounts),
 					"publicNetworkAccess":            llx.StringDataPtr((*string)(entry.Properties.PublicNetworkAccess)),
-					"aadProfile":                     aadProfileData,
-					"autoUpgradeProfile":             autoUpgradeProfileData,
 				})
 			if err != nil {
 				return nil, err
 			}
-			res = append(res, mqlAksCluster)
+			mqlCluster := mqlAksCluster.(*mqlAzureSubscriptionAksServiceCluster)
+			mqlCluster.cacheProperties = entry.Properties
+			res = append(res, mqlCluster)
 		}
 	}
 	return res, nil
 }
+
+type mqlAzureSubscriptionAksServiceClusterInternal struct {
+	cacheProperties *clusters.ManagedClusterProperties
+}
+
+func (a *mqlAzureSubscriptionAksServiceCluster) aadProfile() (*mqlAzureSubscriptionAksServiceClusterAadProfile, error) {
+	if a.cacheProperties == nil || a.cacheProperties.AADProfile == nil {
+		a.AadProfile.State = plugin.StateIsSet | plugin.StateIsNull
+		return nil, nil
+	}
+	aadP := a.cacheProperties.AADProfile
+	adminGroupObjectIDs := []any{}
+	for _, gid := range aadP.AdminGroupObjectIDs {
+		if gid != nil {
+			adminGroupObjectIDs = append(adminGroupObjectIDs, *gid)
+		}
+	}
+	aadRes, err := CreateResource(a.MqlRuntime, "azure.subscription.aksService.cluster.aadProfile",
+		map[string]*llx.RawData{
+			"id":                  llx.StringData(a.Id.Data + "/aadProfile"),
+			"managed":             llx.BoolDataPtr(aadP.Managed),
+			"enableAzureRBAC":     llx.BoolDataPtr(aadP.EnableAzureRBAC),
+			"adminGroupObjectIDs": llx.ArrayData(adminGroupObjectIDs, types.String),
+		})
+	if err != nil {
+		return nil, err
+	}
+	return aadRes.(*mqlAzureSubscriptionAksServiceClusterAadProfile), nil
+}
+
+func (a *mqlAzureSubscriptionAksServiceCluster) autoUpgradeProfile() (*mqlAzureSubscriptionAksServiceClusterAutoUpgradeProfile, error) {
+	if a.cacheProperties == nil || a.cacheProperties.AutoUpgradeProfile == nil {
+		a.AutoUpgradeProfile.State = plugin.StateIsSet | plugin.StateIsNull
+		return nil, nil
+	}
+	aup := a.cacheProperties.AutoUpgradeProfile
+	autoUpgradeRes, err := CreateResource(a.MqlRuntime, "azure.subscription.aksService.cluster.autoUpgradeProfile",
+		map[string]*llx.RawData{
+			"id":                   llx.StringData(a.Id.Data + "/autoUpgradeProfile"),
+			"upgradeChannel":       llx.StringDataPtr((*string)(aup.UpgradeChannel)),
+			"nodeOSUpgradeChannel": llx.StringDataPtr((*string)(aup.NodeOSUpgradeChannel)),
+		})
+	if err != nil {
+		return nil, err
+	}
+	return autoUpgradeRes.(*mqlAzureSubscriptionAksServiceClusterAutoUpgradeProfile), nil
+}

providers/azure/resources/azure.lr

@@ -3190,7 +3190,7 @@ private azure.subscription.authorizationService.roleDefinition @defaults ("name
   // Scopes for which the role definition applies
   scopes []string
   // Permissions that are attached to the role definition
-  permissions []azure.subscription.authorizationService.roleDefinition.permission
+  permissions() []azure.subscription.authorizationService.roleDefinition.permission
 }
 
 // Azure role definition permission
@@ -3308,9 +3308,9 @@ azure.subscription.aksService.cluster @defaults("name location kubernetesVersion
   // Whether public network access is enabled for the cluster ("Enabled" or "Disabled")
   publicNetworkAccess string
   // Azure Active Directory configuration for the cluster
-  aadProfile azure.subscription.aksService.cluster.aadProfile
+  aadProfile() azure.subscription.aksService.cluster.aadProfile
   // Auto-upgrade configuration for the cluster
-  autoUpgradeProfile azure.subscription.aksService.cluster.autoUpgradeProfile
+  autoUpgradeProfile() azure.subscription.aksService.cluster.autoUpgradeProfile
 }
 
 // Azure Kubernetes Service cluster AAD profile
@@ -3504,7 +3504,7 @@ azure.subscription.cacheService.redisInstance @defaults("id hostName") {
   // Managed identity information
   identity dict
   // Private endpoint connections for the Redis cache
-  privateEndpointConnections []azure.subscription.cacheService.redisInstance.privateEndpointConnection
+  privateEndpointConnections() []azure.subscription.cacheService.redisInstance.privateEndpointConnection
   // Firewall rules for the Redis cache
   firewallRules() []azure.subscription.cacheService.redisInstance.firewallRule
   // Patch schedules for the Redis cache

providers/azure/resources/azure.lr.go

@@ -1,7 +1,7 @@
 {
   "provider": "azure",
   "version": "13.1.6",
-  "generated_at": "2026-03-20T17:04:23-07:00",
+  "generated_at": "2026-03-20T17:43:31-07:00",
   "permissions": [
     "Microsoft.Advisor/recommendations/read",
     "Microsoft.Authorization/roleAssignments/read",

providers/azure/resources/azure.permissions.json

@@ -78,15 +78,6 @@ func (a *mqlAzureSubscriptionAuthorizationService) roles() ([]any, error) {
 					scopes = append(scopes, *s)
 				}
 			}
-			permissions := []any{}
-			for idx, p := range roleDef.Properties.Permissions {
-				id := fmt.Sprintf("%s/azure.subscription.authorizationService.roleDefinition.permission/%d", *roleDef.ID, idx)
-				permission, err := newMqlRolePermission(a.MqlRuntime, id, p)
-				if err != nil {
-					return nil, err
-				}
-				permissions = append(permissions, permission)
-			}
 			mqlRoleDefinition, err := CreateResource(a.MqlRuntime, "azure.subscription.authorizationService.roleDefinition",
 				map[string]*llx.RawData{
 					"__id":        llx.StringDataPtr(roleDef.ID),
@@ -95,13 +86,31 @@ func (a *mqlAzureSubscriptionAuthorizationService) roles() ([]any, error) {
 					"description": llx.StringDataPtr(roleDef.Properties.Description),
 					"type":        llx.StringData(roleType),
 					"scopes":      llx.ArrayData(scopes, types.String),
-					"permissions": llx.ArrayData(permissions, types.ResourceLike),
 				})
 			if err != nil {
 				return nil, err
 			}
-			res = append(res, mqlRoleDefinition)
+			mqlRole := mqlRoleDefinition.(*mqlAzureSubscriptionAuthorizationServiceRoleDefinition)
+			mqlRole.cachePermissions = roleDef.Properties.Permissions
+			res = append(res, mqlRole)
+		}
+	}
+	return res, nil
+}
+
+type mqlAzureSubscriptionAuthorizationServiceRoleDefinitionInternal struct {
+	cachePermissions []*authorization.Permission
+}
+
+func (a *mqlAzureSubscriptionAuthorizationServiceRoleDefinition) permissions() ([]any, error) {
+	res := []any{}
+	for idx, p := range a.cachePermissions {
+		id := fmt.Sprintf("%s/azure.subscription.authorizationService.roleDefinition.permission/%d", a.Id.Data, idx)
+		permission, err := newMqlRolePermission(a.MqlRuntime, id, p)
+		if err != nil {
+			return nil, err
 		}
+		res = append(res, permission)
 	}
 	return res, nil
 }

providers/azure/resources/iam.go

@@ -557,7 +557,7 @@ func (a *mqlAzureSubscriptionNetworkServiceLoadBalancer) outboundRules() ([]any,
 		if err != nil {
 			return nil, err
 		}
-		mqlOutbound, err := CreateResource(a.MqlRuntime, "azure.subscription.networkService.outbundRule",
+		mqlOutbound, err := CreateResource(a.MqlRuntime, "azure.subscription.networkService.outboundRule",
 			map[string]*llx.RawData{
 				"id":         llx.StringDataPtr(outboundRule.ID),
 				"type":       llx.StringDataPtr(outboundRule.Type),
@@ -1232,12 +1232,16 @@ func (a *mqlAzureSubscriptionNetworkServiceVirtualNetworkGateway) ipConfiguratio
 		if err != nil {
 			return nil, err
 		}
+		var privateIP *string
+		if ipc.Properties != nil {
+			privateIP = ipc.Properties.PrivateIPAddress
+		}
 		mqlIpc, err := CreateResource(a.MqlRuntime, "azure.subscription.networkService.virtualNetworkGateway.ipConfig", map[string]*llx.RawData{
 			"id":               llx.StringDataPtr(ipc.ID),
 			"name":             llx.StringDataPtr(ipc.Name),
 			"etag":             llx.StringDataPtr(ipc.Etag),
 			"properties":       llx.DictData(props),
-			"privateIpAddress": llx.StringDataPtr(ipc.Properties.PrivateIPAddress),
+			"privateIpAddress": llx.StringDataPtr(privateIP),
 		})
 		if err != nil {
 			return nil, err
@@ -2271,12 +2275,16 @@ func (a *mqlAzureSubscriptionNetworkServiceFirewall) ipConfigurations() ([]any,
 		if err != nil {
 			return nil, err
 		}
+		var privateIP *string
+		if ipConfig.Properties != nil {
+			privateIP = ipConfig.Properties.PrivateIPAddress
+		}
 		mqlIpConfig, err := CreateResource(a.MqlRuntime, "azure.subscription.networkService.firewall.ipConfig",
 			map[string]*llx.RawData{
 				"id":               llx.StringDataPtr(ipConfig.ID),
 				"name":             llx.StringDataPtr(ipConfig.Name),
 				"etag":             llx.StringDataPtr(ipConfig.Etag),
-				"privateIpAddress": llx.StringDataPtr(ipConfig.Properties.PrivateIPAddress),
+				"privateIpAddress": llx.StringDataPtr(privateIP),
 				"properties":       llx.DictData(props),
 			})
 		if err != nil {
@@ -2297,12 +2305,16 @@ func (a *mqlAzureSubscriptionNetworkServiceFirewall) managementIpConfiguration()
 	if err != nil {
 		return nil, err
 	}
+	var privateIP *string
+	if ipConfig.Properties != nil {
+		privateIP = ipConfig.Properties.PrivateIPAddress
+	}
 	mqlIpConfig, err := CreateResource(a.MqlRuntime, "azure.subscription.networkService.firewall.ipConfig",
 		map[string]*llx.RawData{
 			"id":               llx.StringDataPtr(ipConfig.ID),
 			"name":             llx.StringDataPtr(ipConfig.Name),
 			"etag":             llx.StringDataPtr(ipConfig.Etag),
-			"privateIpAddress": llx.StringDataPtr(ipConfig.Properties.PrivateIPAddress),
+			"privateIpAddress": llx.StringDataPtr(privateIP),
 			"properties":       llx.DictData(props),
 		})
 	if err != nil {