mondoohq · syrull · Feb 25, 2026 · Feb 15, 2026 · Feb 25, 2026 · tas50
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
@@ -91,6 +91,7 @@
 manageddevice
 managedrulegroupstatement
 managedzone
+maxmemory
 mcp
 mcr
 meid
@@ -171,15 +172,17 @@
 toplevel
 tpu
 serviceconnection
 Vnet
 udid
 Uocm
 usb
+Utc
 valkey
 VAULTNAME
 vdcs
 virtualmachine
 vlans
+vnet
 vrf
 vtpm
 vulnerabilityassessmentsettings

diff --git a/providers/azure/config/config.go b/providers/azure/config/config.go
@@ -27,9 +27,9 @@ var Config = plugin.Provider{
 			Long: `Use the azure provider to query resources within Microsoft Azure, including storage, compute instances, snapshots, databases, and more.
 
 Examples run in your shell:
-  cnspec scan azure compute instance <name> --client-id <your-client-id> --tenant-id <your-tenant-id> --client-secret <your-client-secret-value>
-  cnspec scan azure compute snapshot <name> --client-id <your-client-id> --tenant-id <your-tenant-id> --client-secret <your-client-secret-value>
-	cnquery shell azure <name> --client-id <your-client-id> --tenant-id <your-tenant-id> --client-secret <your-client-secret-value>
+  cnspec scan azure compute instance <instance-name> --client-id <your-client-id> --tenant-id <your-tenant-id> --client-secret <your-client-secret-value>
+  cnspec scan azure compute snapshot <snapshot-name> --client-id <your-client-id> --tenant-id <your-tenant-id> --client-secret <your-client-secret-value>
+  cnquery shell azure <subscription-name> --client-id <your-client-id> --tenant-id <your-tenant-id> --client-secret <your-client-secret-value>
 
 Examples run in the Azure CLI:	
   cnquery shell azure
@@ -47,10 +47,15 @@ Examples run in the Azure CLI:
 				resources.DiscoveryMySqlServers,
 				resources.DiscoveryMySqlFlexibleServers,
 				resources.DiscoveryMariaDbServers,
+				resources.DiscoveryAksClusters,
+				resources.DiscoveryAppServiceApps,
+				resources.DiscoveryCacheRedis,
+				resources.DiscoveryBatchAccounts,
 				resources.DiscoveryStorageAccounts,
 				resources.DiscoveryStorageContainers,
 				resources.DiscoveryKeyVaults,
 				resources.DiscoverySecurityGroups,
+				resources.DiscoveryCosmosDb,
 			},
 			Flags: []plugin.Flag{
 				{
@@ -118,12 +123,16 @@ Examples run in the Azure CLI:
 						"*": {
 							Key: "service",
 							Values: map[string]*inventory.AssetUrlBranch{
-								"account":    nil,
-								"compute":    nil,
-								"mysql":      nil,
-								"postgresql": nil,
-								"mariadb":    nil,
-								"sql":        nil,
+								"account":     nil,
+								"compute":     nil,
+								"mysql":       nil,
+								"postgresql":  nil,
+								"mariadb":     nil,
+								"aks":         nil,
+								"app-service": nil,
+								"cache":       nil,
+								"batch":       nil,
+								"sql":         nil,
 								"storage": {
 									Key: "object",
 									Values: map[string]*inventory.AssetUrlBranch{
@@ -140,6 +149,7 @@ Examples run in the Azure CLI:
 									},
 								},
 								"keyvault": nil,
+								"cosmosdb": nil,
 							},
 						},
 					},

diff --git a/providers/azure/resources/aks.go b/providers/azure/resources/aks.go
@@ -21,7 +21,7 @@ func (a *mqlAzureSubscriptionAksService) id() (string, error) {
 	return "azure.subscription.aks/" + a.SubscriptionId.Data, nil
 }
 
-func initAzureSubscriptionAks(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[string]*llx.RawData, plugin.Resource, error) {
+func initAzureSubscriptionAksService(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[string]*llx.RawData, plugin.Resource, error) {
 	if len(args) > 0 {
 		return args, nil, nil
 	}
@@ -35,6 +35,49 @@ func initAzureSubscriptionAks(runtime *plugin.Runtime, args map[string]*llx.RawD
 	return args, nil, nil
 }
 
+func initAzureSubscriptionAksServiceCluster(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[string]*llx.RawData, plugin.Resource, error) {
+	if len(args) > 1 {
+		return args, nil, nil
+	}
+
+	if len(args) == 0 {
+		if ids := getAssetIdentifier(runtime); ids != nil {
+			args["id"] = llx.StringData(ids.id)
+		}
+	}
+
+	if args["id"] == nil {
+		return nil, nil, errors.New("id required to fetch azure aks cluster")
+	}
+	conn, ok := runtime.Connection.(*connection.AzureConnection)
+	if !ok {
+		return nil, nil, errors.New("invalid connection provided, it is not an Azure connection")
+	}
+	res, err := NewResource(runtime, "azure.subscription.aksService", map[string]*llx.RawData{
+		"subscriptionId": llx.StringData(conn.SubId()),
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+	aksSvc := res.(*mqlAzureSubscriptionAksService)
+	clusterList := aksSvc.GetClusters()
+	if clusterList.Error != nil {
+		return nil, nil, clusterList.Error
+	}
+	id, ok := args["id"].Value.(string)
+	if !ok {
+		return nil, nil, errors.New("id must be a non-nil string value")
+	}
+	for _, entry := range clusterList.Data {
+		cluster := entry.(*mqlAzureSubscriptionAksServiceCluster)
+		if cluster.Id.Data == id {
+			return args, cluster, nil
+		}
+	}
+
+	return nil, nil, errors.New("azure aks cluster does not exist")
+}
+
 func (a *mqlAzureSubscriptionAksServiceCluster) id() (string, error) {
 	return a.Id.Data, nil
 }

diff --git a/providers/azure/resources/azure.lr b/providers/azure/resources/azure.lr
@@ -1352,6 +1352,10 @@ private azure.subscription.webService {
   availableRuntimes() []azure.subscription.webService.appRuntimeStack
   // List of hosting environments
   hostingEnvironments() []azure.subscription.webService.hostingEnvironment
+  // List of App Service plans
+  appServicePlans() []azure.subscription.webService.appServicePlan
+  // List of certificates
+  certificates() []azure.subscription.webService.certificate
 }
 
 // Azure Web App runtime stack
@@ -1377,7 +1381,7 @@ private azure.subscription.webService.appRuntimeStack @defaults("preferredOs run
 }
 
 // Azure Web app site
-private azure.subscription.webService.appsite @defaults("id name location") {
+azure.subscription.webService.appsite @defaults("id name location") {
   // App site ID
   id string
   // App site name
@@ -1430,6 +1434,10 @@ private azure.subscription.webService.appsite @defaults("id name location") {
   privateEndpointConnections() []azure.subscription.privateEndpointConnection
   // Whether end-to-end encryption is enabled between FrontEnd and Worker
   endToEndEncryptionEnabled bool
+  // Hostname bindings for the web app site
+  hostNameBindings() []azure.subscription.webService.appsite.hostNameBinding
+  // Virtual network connections for the web app site
+  virtualNetworkConnections() []azure.subscription.webService.appsite.virtualNetworkConnection
 }
 
 // Azure private endpoint connection
@@ -1618,6 +1626,98 @@ private azure.subscription.webService.hostingEnvironment.virtualNetwork @default
   subnet string
 }
 
+// Azure App Service Plan
+private azure.subscription.webService.appServicePlan @defaults("id name location") {
+  // App Service plan ID
+  id string
+  // App Service plan name
+  name string
+  // App Service plan location
+  location string
+  // App Service plan kind (e.g., "linux", "app")
+  kind string
+  // App Service plan tags
+  tags map[string]string
+  // App Service plan properties
+  properties dict
+  // SKU description (name, tier, size, family, capacity)
+  sku dict
+  // Whether the plan is zone-redundant
+  zoneRedundant bool
+  // Number of web apps assigned to this plan
+  numberOfSites int
+  // Maximum number of workers
+  maximumNumberOfWorkers int
+  // Geographic region of the plan
+  geoRegion string
+  // Whether the plan is for Linux apps
+  reserved bool
+  // Current status of the plan. Possible values: "Ready", "Pending", "Creating"
+  status string
+  // Whether per-site scaling is enabled
+  perSiteScaling bool
+  // Whether elastic scale is enabled
+  elasticScaleEnabled bool
+}
+
+// Azure App Service Certificate
+private azure.subscription.webService.certificate @defaults("id name") {
+  // Certificate ID
+  id string
+  // Certificate name
+  name string
+  // Certificate location
+  location string
+  // Certificate tags
+  tags map[string]string
+  // Certificate properties
+  properties dict
+  // Certificate thumbprint
+  thumbprint string
+  // Certificate subject name
+  subjectName string
+  // Certificate issuer
+  issuer string
+  // Certificate issue date
+  issueDate time
+  // Certificate expiration date
+  expirationDate time
+  // Hostnames the certificate applies to
+  hostNames []string
+  // Whether the certificate is valid
+  valid bool
+}
+
+// Azure App Service Hostname Binding
+private azure.subscription.webService.appsite.hostNameBinding @defaults("id name") {
+  // Hostname binding ID
+  id string
+  // Hostname binding name
+  name string
+  // Hostname type. Possible values: "Verified", "Managed"
+  hostNameType string
+  // SSL state. Possible values: "Disabled", "SniEnabled", "IpBasedEnabled"
+  sslState string
+  // SSL certificate thumbprint
+  thumbprint string
+  // Virtual IP address assigned to the hostname
+  virtualIP string
+}
+
+// Azure App Service Virtual Network Connection
+private azure.subscription.webService.appsite.virtualNetworkConnection @defaults("id name") {
+  // VNet connection ID
+  id string
+  // VNet connection name
+  name string
+  // Resource ID of the connected VNet
+  vnetResourceId string
+  // Whether this is a Swift connection
+  isSwift bool
+  // Whether a resync is required
+  resyncRequired bool
+}
+
 // Azure SQL
 private azure.subscription.sqlService {
   // Subscription identifier
@@ -2108,7 +2208,7 @@ private azure.subscription.cosmosDbService {
 }
 
 // Azure Cosmos DB account
-private azure.subscription.cosmosDbService.account @defaults("name kind location") {
+azure.subscription.cosmosDbService.account @defaults("name kind location") {
   // Cosmos DB account ID
   id string
   // Cosmos DB account name
@@ -2658,7 +2758,7 @@ private azure.subscription.aksService {
 }
 
 // Azure Kubernetes Service cluster
-private azure.subscription.aksService.cluster @defaults("name location kubernetesVersion") {
+azure.subscription.aksService.cluster @defaults("name location kubernetesVersion") {
   // ID of the AKS cluster
   id string
   // Name of the AKS cluster
@@ -2876,7 +2976,7 @@ private azure.subscription.cacheService @defaults("subscriptionId") {
 }
 
 // Azure Cache for Redis instance
-private azure.subscription.cacheService.redisInstance @defaults("id hostName") {
+azure.subscription.cacheService.redisInstance @defaults("id hostName") {
   // ID of the Redis cache
   id string
   // Name of the Redis cache
@@ -2910,5 +3010,67 @@ private azure.subscription.cacheService.redisInstance @defaults("id hostName") {
   // SKU information for the Redis cache
   sku dict
   // Tags of redis cache
-  tags dict
+  tags map[string]string
+  // Redis configuration settings (maxmemory-policy, persistence, auth, etc.)
+  redisConfiguration dict
+  // Number of shards (Premium Cluster Cache only)
+  shardCount int
+  // Static IP address (when deployed in a VNet)
+  staticIp string
+  // Subnet ID for VNet-injected caches
+  subnetId string
+  // Availability zones for the cache
+  zones []string
+  // Managed identity information
+  identity dict
+  // Private endpoint connections for the Redis cache
+  privateEndpointConnections []azure.subscription.cacheService.redisInstance.privateEndpointConnection
+  // Firewall rules for the Redis cache
+  firewallRules() []azure.subscription.cacheService.redisInstance.firewallRule
+  // Patch schedules for the Redis cache
+  patchSchedules() []azure.subscription.cacheService.redisInstance.patchSchedule
+}
+
+// Azure Cache for Redis firewall rule
+private azure.subscription.cacheService.redisInstance.firewallRule @defaults("id name") {
+  // Firewall rule ID
+  id string
+  // Firewall rule name
+  name string
+  // Firewall rule type
+  type string
+  // Lowest IP address in the range
+  startIpAddress string
+  // Highest IP address in the range
+  endIpAddress string
+}
+
+// Azure Cache for Redis patch schedule
+private azure.subscription.cacheService.redisInstance.patchSchedule @defaults("name entries") {
+  // Patch schedule ID
+  id string
+  // Patch schedule name
+  name string
+  // Patch schedule location
+  location string
+  // List of schedule entries (dayOfWeek, startHourUtc, maintenanceWindow)
+  entries []dict
+}
+
+// Azure Cache for Redis private endpoint connection
+private azure.subscription.cacheService.redisInstance.privateEndpointConnection @defaults("id name") {
+  // Private endpoint connection ID
+  id string
+  // Private endpoint connection name
+  name string
+  // Private endpoint connection type
+  type string
+  // Private endpoint resource ID
+  privateEndpointId string
+  // Connection status (Approved, Pending, Rejected)
+  status string
+  // Reason for approval/rejection of the connection
+  description string
+  // Provisioning state. Possible values: "Succeeded", "Creating", "Deleting", "Failed", "Updating"
+  provisioningState string
 }