Expand Azure provider using fields in new SDKs

The new SDKs unlock new fields outside the mega properties dict. We
should use those as they are more discoverable and we control the
stability longterm.

Signed-off-by: Tim Smith <tsmith84@gmail.com>

Author: tas50

.github/actions/spelling/expect.txt

@@ -1,5 +1,6 @@
+aad
 ACCOUNTADMIN
-Adddays
+advancedthreatprotection
 antispam
 appslot
 atlassian
@@ -12,11 +13,11 @@ awslogs
 awsvpc
 backupconfiguration
 backupsetting
+backupshorttermretentionpolicy
 bigquery
 bytematchstatement
 cavium
 cdn
-cea
 certificatechains
 clcerts
 cloudflare
@@ -27,7 +28,6 @@ copywrite
 cpe
 cryptokey
 ctx
-CUSTOMERID
 customresources
 cyclonedx
 dast
@@ -58,7 +58,6 @@ gcfs
 gcs
 geomatchstatement
 gistfile
-googleworkplace
 gotestsum
 gpu
 groupname
@@ -79,16 +78,15 @@ iotedge
 ipc
 ipsetforwardedipconfig
 ipsetreferencestatement
-isdir
 istio
 jira
 jsonbody
-kexts
 kqueue
 labelmatchstatement
 lfs
 liveanalytics
 loggingservice
+longtermretentionpolicy
 lsp
 manageddevice
 managedrulegroupstatement
@@ -122,7 +120,6 @@ OIDs
 ondemand
 opcplc
 opensearch
-openssh
 openssl
 orstatement
 ospf
@@ -173,6 +170,8 @@ testutils
 timestream
 toplevel
 tpu
+serviceconnection
+Vnet
 udid
 Uocm
 usb
@@ -182,12 +181,11 @@ vdcs
 virtualmachine
 vlans
 vrf
-Vtpm
+vtpm
 vulnerabilityassessmentsettings
 vulnmgmt
 webide
 WEBSERVERS
 wil
-xoxp
 xssmatchstatement
 zrt

CLAUDE.md

@@ -189,15 +189,6 @@ go test -v ./providers/core/...
 
 Step 3 is the core of the work here (e.g. doing the ticket's local dev work). The start and end should wrap 3.
 
-### Performance Monitoring with Prometheus and Grafana
-When debugging performance issues, you can monitor memory and CPU usage:
-1. Install Prometheus (macOS: `brew install prometheus`)
-2. Start monitoring stack: `make metrics/start`
-3. Configure Grafana at http://localhost:3000 (one-time setup):
-    - Add Prometheus data source (URL: `http://host.docker.internal:9009`)
-    - Import a Go profiling dashboard (e.g., Grafana dashboard #10826)
-4. Run mql with metrics enabled: `DEBUG=1 mql run local -c "asset"`
-
 ### Remote Debugging
 For providers that need to run on specific VMs (e.g., GCP snapshot scanning):
 1. Install Go and Delve on the remote VM

providers/azure/resources/aks.go

@@ -39,6 +39,14 @@ func (a *mqlAzureSubscriptionAksServiceCluster) id() (string, error) {
 	return a.Id.Data, nil
 }
 
+func (a *mqlAzureSubscriptionAksServiceClusterAadProfile) id() (string, error) {
+	return a.Id.Data, nil
+}
+
+func (a *mqlAzureSubscriptionAksServiceClusterAutoUpgradeProfile) id() (string, error) {
+	return a.Id.Data, nil
+}
+
 func (a *mqlAzureSubscriptionAksService) clusters() ([]any, error) {
 	conn := a.MqlRuntime.Connection.(*connection.AzureConnection)
 	ctx := context.Background()
@@ -127,6 +135,66 @@ func (a *mqlAzureSubscriptionAksService) clusters() ([]any, error) {
 				}
 			}
 
+			var defenderEnabled, imageCleanerEnabled, workloadIdentityEnabled, azureKeyVaultKmsEnabled *bool
+			var imageCleanerIntervalHours *int32
+			var azureKeyVaultKmsNetworkAccess *string
+			if entry.Properties.SecurityProfile != nil {
+				sp := entry.Properties.SecurityProfile
+				if sp.Defender != nil && sp.Defender.SecurityMonitoring != nil {
+					defenderEnabled = sp.Defender.SecurityMonitoring.Enabled
+				}
+				if sp.ImageCleaner != nil {
+					imageCleanerEnabled = sp.ImageCleaner.Enabled
+					imageCleanerIntervalHours = sp.ImageCleaner.IntervalHours
+				}
+				if sp.WorkloadIdentity != nil {
+					workloadIdentityEnabled = sp.WorkloadIdentity.Enabled
+				}
+				if sp.AzureKeyVaultKms != nil {
+					azureKeyVaultKmsEnabled = sp.AzureKeyVaultKms.Enabled
+					azureKeyVaultKmsNetworkAccess = (*string)(sp.AzureKeyVaultKms.KeyVaultNetworkAccess)
+				}
+			}
+
+			// Create AAD Profile sub-resource
+			var aadProfileData *llx.RawData = llx.NilData
+			if entry.Properties.AADProfile != nil {
+				aadP := entry.Properties.AADProfile
+				adminGroupObjectIDs := []any{}
+				for _, gid := range aadP.AdminGroupObjectIDs {
+					if gid != nil {
+						adminGroupObjectIDs = append(adminGroupObjectIDs, *gid)
+					}
+				}
+				aadRes, err := CreateResource(a.MqlRuntime, "azure.subscription.aksService.cluster.aadProfile",
+					map[string]*llx.RawData{
+						"id":                  llx.StringData(*entry.ID + "/aadProfile"),
+						"managed":             llx.BoolDataPtr(aadP.Managed),
+						"enableAzureRBAC":     llx.BoolDataPtr(aadP.EnableAzureRBAC),
+						"adminGroupObjectIDs": llx.ArrayData(adminGroupObjectIDs, types.String),
+					})
+				if err != nil {
+					return nil, err
+				}
+				aadProfileData = llx.ResourceData(aadRes, "azure.subscription.aksService.cluster.aadProfile")
+			}
+
+			// Create Auto-Upgrade Profile sub-resource
+			var autoUpgradeProfileData *llx.RawData = llx.NilData
+			if entry.Properties.AutoUpgradeProfile != nil {
+				aup := entry.Properties.AutoUpgradeProfile
+				autoUpgradeRes, err := CreateResource(a.MqlRuntime, "azure.subscription.aksService.cluster.autoUpgradeProfile",
+					map[string]*llx.RawData{
+						"id":                   llx.StringData(*entry.ID + "/autoUpgradeProfile"),
+						"upgradeChannel":       llx.StringDataPtr((*string)(aup.UpgradeChannel)),
+						"nodeOSUpgradeChannel": llx.StringDataPtr((*string)(aup.NodeOSUpgradeChannel)),
+					})
+				if err != nil {
+					return nil, err
+				}
+				autoUpgradeProfileData = llx.ResourceData(autoUpgradeRes, "azure.subscription.aksService.cluster.autoUpgradeProfile")
+			}
+
 			mqlAksCluster, err := CreateResource(a.MqlRuntime, "azure.subscription.aksService.cluster",
 				map[string]*llx.RawData{
 					"id":                             llx.StringDataPtr(entry.ID),
@@ -155,6 +223,16 @@ func (a *mqlAzureSubscriptionAksService) clusters() ([]any, error) {
 					"disableRunCommand":              llx.BoolDataPtr(disableRunCommand),
 					"apiServerAuthorizedIPRanges":    llx.ArrayData(apiServerAuthorizedIPRanges, types.String),
 					"privateDnsZone":                 llx.StringDataPtr(privateDnsZone),
+					"defenderEnabled":                llx.BoolDataPtr(defenderEnabled),
+					"imageCleanerEnabled":            llx.BoolDataPtr(imageCleanerEnabled),
+					"imageCleanerIntervalHours":      llx.IntDataDefault(imageCleanerIntervalHours, 0),
+					"workloadIdentityEnabled":        llx.BoolDataPtr(workloadIdentityEnabled),
+					"azureKeyVaultKmsEnabled":        llx.BoolDataPtr(azureKeyVaultKmsEnabled),
+					"azureKeyVaultKmsNetworkAccess":  llx.StringDataPtr(azureKeyVaultKmsNetworkAccess),
+					"disableLocalAccounts":           llx.BoolDataPtr(entry.Properties.DisableLocalAccounts),
+					"publicNetworkAccess":            llx.StringDataPtr((*string)(entry.Properties.PublicNetworkAccess)),
+					"aadProfile":                     aadProfileData,
+					"autoUpgradeProfile":             autoUpgradeProfileData,
 				})
 			if err != nil {
 				return nil, err