⚡ Lazy-load Azure network, AKS, IAM, and Redis sub-resources by tas50 · Pull Request #7014 · mondoohq/mql

tas50 · 2026-03-21T00:36:39Z

Summary

Converts 23 eagerly-loaded sub-resource fields across 6 Azure resource types to lazy-loaded computed methods. This means sub-resource data is only fetched when a query actually references it, instead of being materialized on every scan.

What changed

Network resources (network.go):

Load Balancer — 7 fields lazy-loaded: probes, backendPools, frontendIpConfigs, inboundNatPools, inboundNatRules, outboundRules, loadBalancerRules. Previously every LB list call parsed all 7 sub-resource arrays upfront. Now the list call returns just the LB metadata; sub-resources are only materialized from the cached Properties when accessed.
Firewall — 5 fields: ipConfigurations, managementIpConfiguration, networkRules, natRules, applicationRules.
Security Group — 3 fields: interfaces, securityRules, defaultSecurityRules.
Virtual Network Gateway — 3 fields: ipConfigurations, bgpSettings, natRules.

AKS (aks.go):

AKS Cluster — 2 fields: aadProfile, autoUpgradeProfile. These were parsed from the cluster Properties on every list even though most queries don't inspect them.

IAM (iam.go):

Role Definition — 1 field: permissions. The permissions array is now lazy-loaded from the cached role definition properties.

Redis (redis.go):

Redis Instance — 1 field: privateEndpointConnections. Parsed on demand instead of during the list call.

API call savings

Azure List APIs return the full resource object including all sub-resource arrays in the Properties blob. Before this PR, we were parsing all of those into MQL resources during the list call — meaning every sub-resource got CreateResource called even if no query ever touched it.

After this PR, the raw Properties struct is cached on the Internal struct, and sub-resources are only materialized when a query accesses the field. This eliminates thousands of unnecessary CreateResource + convert.JsonToDict calls during scan initialization.

Example: A subscription with 20 Load Balancers, each with ~5 probes, 3 backend pools, 4 frontend IPs, 2 NAT rules, 2 outbound rules, and 3 LB rules:

Before: 20 × (5+3+4+2+2+3) = 380 CreateResource calls at scan start, even if the query is just azure.subscription.networkService.loadBalancers { name }
After: 20 CreateResource calls at scan start. Sub-resources only created if the query traverses into them.

Also fixed

Typo: outbundRule → outboundRule (resource name was misspelled)
Added nil-safety guards on Properties access throughout network.go

Test plan

make test/lint passes
make providers/build/azure && make providers/install/azure
Interactive verification with mql shell azure:
- azure.subscription.networkService.loadBalancers { name probes backendPools }
- azure.subscription.networkService.firewalls { name ipConfigurations networkRules }
- azure.subscription.networkService.securityGroups { name securityRules defaultSecurityRules }
- azure.subscription.aksService.clusters { name aadProfile autoUpgradeProfile }
- azure.subscription.authorizationService.roleDefinitions { name permissions }
- azure.subscription.cacheService.redisInstances { hostName privateEndpointConnections }

🤖 Generated with Claude Code

mondoo-code-review

Lazy-loading Azure network sub-resources reduces unnecessary API data processing, but a pre-existing resource name typo will cause outbound rule creation to fail at runtime.

Additional findings (file/line not in diff):

🟡 providers/azure/resources/network.go:2279 — Same pre-existing nil-safety issue: ipConfig.Properties.PrivateIPAddress accessed without checking ipConfig.Properties != nil in firewall ipConfigurations().

providers/azure/resources/network.go

github-actions · 2026-03-21T00:40:53Z

Test Results

5 741 tests ±0 5 737 ✅ ±0 2m 13s ⏱️ ±0s
425 suites ±0 4 💤 ±0
33 files ±0 0 ❌ ±0

Results for commit 4d9c42c. ± Comparison against base commit a2d3027.

♻️ This comment has been updated with latest results.

Superseded by new review

mondoo-code-review

Azure network queries will be faster by lazy-loading sub-resources; also fixes a pre-existing outbound rule typo.

providers/azure/resources/network.go

mondoo-code-review

Lazy-loading Azure network sub-resources improves query performance by deferring sub-resource creation until accessed.

mondoo-code-review

Duplicate struct definition in redis.go will cause a compilation failure, blocking all Azure Redis queries.

providers/azure/resources/redis.go

Convert 18 eagerly-loaded properties to computed methods across SecurityGroup, Firewall, LoadBalancer, and VirtualNetworkGateway. Sub-resources are now only materialized when the user actually queries those fields, avoiding unnecessary CreateResource calls during list operations. Each resource caches the raw SDK properties in an Internal struct so the data is available for lazy loading without re-fetching. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…load AKS/IAM/Redis sub-resources - Fix pre-existing typo: "outbundRule" → "outboundRule" in CreateResource - Add nil checks on Properties before accessing PrivateIPAddress in: - Firewall ipConfigurations() - Firewall managementIpConfiguration() - VirtualNetworkGateway ipConfigurations() - Lazy-load AKS cluster aadProfile and autoUpgradeProfile - Lazy-load IAM roleDefinition permissions - Lazy-load Redis privateEndpointConnections Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- redis.go: Merge duplicate Internal struct into single definition - network.go: Guard lb.SKU and fw.Properties/SKU nil dereferences - iam.go: Skip nil permission entries in lazy-loaded permissions() Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Superseded by new review

mondoo-code-review

Lazy-loading Azure sub-resources improves query performance by deferring sub-resource creation until accessed.

mondoo-code-review bot previously requested changes Mar 21, 2026

View reviewed changes

providers/azure/resources/network.go Outdated Show resolved Hide resolved

providers/azure/resources/network.go Outdated Show resolved Hide resolved

providers/azure/resources/network.go Outdated Show resolved Hide resolved

mondoo-code-review bot reviewed Mar 21, 2026

View reviewed changes

providers/azure/resources/network.go Outdated Show resolved Hide resolved

providers/azure/resources/network.go Show resolved Hide resolved

tas50 force-pushed the tsmith/azure-lazy-load-network-subresources branch from 27d9615 to ed89d64 Compare March 21, 2026 00:49

mondoo-code-review bot approved these changes Mar 21, 2026

View reviewed changes

tas50 force-pushed the tsmith/azure-lazy-load-network-subresources branch from ed89d64 to 1073709 Compare March 21, 2026 01:39

tas50 changed the title ~~⚡ Azure: lazy-load network sub-resources for SecurityGroup, Firewall, LoadBalancer, VNetGateway~~ Lazy-load Azure network, AKS, IAM, and Redis sub-resources Mar 23, 2026

tas50 force-pushed the tsmith/azure-lazy-load-network-subresources branch from 1b53b4f to 1073709 Compare March 23, 2026 00:52

tas50 changed the title ~~Lazy-load Azure network, AKS, IAM, and Redis sub-resources~~ ⭐ Lazy-load Azure network, AKS, IAM, and Redis sub-resources Mar 25, 2026

tas50 force-pushed the tsmith/azure-lazy-load-network-subresources branch from 1073709 to c44cbf7 Compare March 25, 2026 05:54

tas50 changed the title ~~⭐ Lazy-load Azure network, AKS, IAM, and Redis sub-resources~~ ⚡ Lazy-load Azure network, AKS, IAM, and Redis sub-resources Mar 25, 2026

tas50 force-pushed the tsmith/azure-lazy-load-network-subresources branch from c44cbf7 to ddb17e9 Compare March 27, 2026 20:35

mondoo-code-review bot previously requested changes Mar 27, 2026

View reviewed changes

providers/azure/resources/redis.go Outdated Show resolved Hide resolved

tas50 and others added 3 commits March 27, 2026 15:59

tas50 force-pushed the tsmith/azure-lazy-load-network-subresources branch from ddb17e9 to 4d9c42c Compare March 27, 2026 23:03

tas50 added the pending-testing Waiting on manual testing label Mar 27, 2026

mondoo-code-review bot approved these changes Mar 27, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

⚡ Lazy-load Azure network, AKS, IAM, and Redis sub-resources#7014

⚡ Lazy-load Azure network, AKS, IAM, and Redis sub-resources#7014
tas50 wants to merge 3 commits intomainfrom
tsmith/azure-lazy-load-network-subresources

tas50 commented Mar 21, 2026 •

edited

Loading

Uh oh!

mondoo-code-review bot left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-actions bot commented Mar 21, 2026 •

edited

Loading

Uh oh!

mondoo-code-review bot left a comment

Uh oh!

Uh oh!

Uh oh!

mondoo-code-review bot left a comment

Uh oh!

mondoo-code-review bot left a comment

Uh oh!

Uh oh!

mondoo-code-review bot left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

tas50 commented Mar 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

What changed

API call savings

Also fixed

Test plan

Uh oh!

mondoo-code-review bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-actions bot commented Mar 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Test Results

Uh oh!

mondoo-code-review bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

mondoo-code-review bot left a comment

Choose a reason for hiding this comment

Uh oh!

mondoo-code-review bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

mondoo-code-review bot left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

tas50 commented Mar 21, 2026 •

edited

Loading

github-actions bot commented Mar 21, 2026 •

edited

Loading