website logo
HomeGithubSlack
⌘K
Overview
Quick Start
Supported Services
Running CloudGraph in EKS
Compliance
Rules Engine
AWS
Querying AWS Data
AWS Policy Packs
Billing Data
Services
Azure
Querying Azure Data
Azure Policy Packs
Services
GCP
Querying GCP Data
GCP Policy Packs
Services
K8s
Querying Kubernetes Data
Services
Docs powered by
Archbee
Azure
Services

Resource Group

16min

Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.

Overview

You can currently query the following attributes and connections on an Azure Resource Group

GraphQL
|
query {
  queryazureResourceGroup{
    id
    name
    type
    kind
    subscriptionId
    region
    managedBy
    disks {
      id
      # Other fields and connections here...
    }
    dns {
      id
      # Other fields and connections here...
    }
    firewalls {
      id
      # Other fields and connections here...
    }
    functionApps {
      id
      # Other fields and connections here...
    }
    keyVaults {
      id
      # Other fields and connections here...
    }
    networkInterfaces {
      id
      # Other fields and connections here...
    }
    publicIps {
      id
      # Other fields and connections here...
    }
    securityGroups {
      id
      # Other fields and connections here...
    }
    storageAccounts {
      id
      # Other fields and connections here...
    }
    storageContainers {
      id
      # Other fields and connections here...
    }
    virtualMachines {
      id
      # Other fields and connections here...
    }
    virtualMachineScaleSets{
      id
      # Other fields and connections here...
    }
    virtualNetworks {
      id
      # Other fields and connections here...
    }
    tags{
      id
      key
      value
    }
  }
}


Filtering

Get data for a single Azure Resource Group key that you know the ID for:

GraphQL
|
query {
  getazureResourceGroup(id: "12345") {
    id
    # Other fields and connections here...
  }
}


Get data for all of the Resource Groups in a certain Azure subscription:

GraphQL
|
query {
  queryazureResourceGroup(filter: { subscriptionId: { eq: "12345" } }) {
    id
    # Other fields and connections here...
  }
}

# Note that in addition to "subscriptionId" you can
# Filter based on any of the following attributes:

# id
# name
# type
# kind
# subscriptionId
# region
# managedBy

# And the following Dgraph filters can also be applied:

# has
# and
# or
# not
# regexp (regular expressions)

# fulltext filters

# alloftext
# anyoftext


Get data for all of the Resource Groups that are NOT in a certain Azure subscription:

GraphQL
|
query {
  queryazureResourceGroup(filter: { not: { subscriptionId: { eq: "12345" } } }) {
    id
    # Other fields and connections here...
  }
}


Advanced Filtering

Get data for all of the Resource Groups that are connected to a virtualMachine:

GraphQL
|
query {
  queryazureResourceGroup(filter: { has: virtualMachines }) {
    id
    # Other fields and connections here...
  }
}

# Note that in addition to "virtualMachines" you can filter
# Using "has" based on any of the following attributes:

# id
# name
# type
# kind
# subscriptionId
# region
# managedBy
# disks
# dns
# firewalls
# functionApps
# keyVaults
# networkInterfaces
# publicIps
# securityGroups
# storageAccounts
# storageContainers
# virtualMachines
# virtualMachineScaleSets
# virtualNetworks
# tags


Ordering

You can order the results you get back either asc or desc depending on your preference:

GraphQL
|
query {
  queryazureResourceGroup(order: { desc: name }) {
    id
    # Other fields and connections here...
  }
}

# Note that in addition to "name" you can filter
# Using "asc" or "desc" based on any of the following attributes:

#  id
# name
# type
# kind
# subscriptionId
# region
# managedBy


Only select and return the first two Resource Groups that are found:

GraphQL
|
query {
  queryazureResourceGroup(first: 2, order: { desc: name }) {
    id
    # Other fields and connections here...
  }
}


Only select and return the first two Resource Groups that are found, but offset by one so keys two & three are returned:

GraphQL
|
query {
  queryazureResourceGroup(first: 2, order: { desc: name }, offset: 1) {
    id
    # Other fields and connections here...
  }
}


Aggregation

Count the number of Resource Groups across all scanned Azure subscriptions:

GraphQL
|
query {
  aggregateazureResourceGroup {
    count
    # Other fields and connections here...
  }
}

# Note that in addition to "count" you can request the
# Following min and max values based on attributes of your Resource Groups:

# idMin
# idMax
# nameMin
# nameMax
# typeMin
# typeMax
# kindMin
# kindMax
# subscriptionIdMin
# subscriptionIdMax
# regionMin
# regionMax
# managedByMin
# managedByMax


Count the number of Resource Groups in a single account. Note that you can apply all of the same filters that are listed above to aggregate queries:

GraphQL
|
query {
  aggregateazureResourceGroup(filter: { subscriptionId: { eq: "12345" } }) {
    count
    # Other fields and connections here...
  }
}


Examples

Find all of the Resource Groups that are in the eastus region across all your accounts:

GraphQL
|
query {
  queryazureResourceGroup(filter: { region: { eq: "eastus" } }) {
    id
    # Other fields and connections here...
  }
}


Find all of the Resource Groups that have a tag of Environment:Production for a single Azure Subscription:

GraphQL
|
query {
  queryazureTag(
    filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
  ) {
    resourceGroups(filter: { subscriptionId: { eq: "12345" } }) {
      id
      # Other fields and connections here...
    }
  }
}


With CloudGraph you can run multiple queries at the same time so you can combine the above two queries if you like:

GraphQL
|
query {
  queryazureResourceGroup(filter: { region: { eq: "eastus" } }) {
    id
    # Other fields and connections here...
  }
  queryazureTag(
    filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
  ) {
    resourceGroups(filter: { subscriptionId: { eq: "12345" } }) {
      id
      # Other fields and connections here...
    }
  }
}


Kitchen Sink

Putting it all together; get all data for all Resource Groups across all regions for all scanned Azure subscriptions in a single query. For the purposes of this example, we will only get direct children of the keys but if you want to it's easy to go from say, resourceGroup -> virtualMachine -> networkInterface ...etc:

GraphQL
|
query {
  queryazureResourceGroup{
    id
    name
    type
    kind
    subscriptionId
    region
    managedBy
    disks {
      id
      name
      type
      kind
      subscriptionId
      region
      resourceGroupId
      managedBy
      zones
      timeCreated
      osType
      hyperVGeneration
      createOption
      imageReferenceId
      diskSizeGb
      diskSizeBytes
      uniqueId
      diskIopsReadWrite
      diskMbpsReadWrite
      diskState
      networkAccessPolicy
      tier
      encryptionSettings
      tags{
        id
        key
        value
      }
      resourceGroup{
        id
        # Other fields and connections here...
      }
      virtualMachine{
        id
        # Other fields and connections here...
      }
    }
    dns {
      id
      name
      type
      kind
      subscriptionId
      region
      resourceGroupId
      maxNumberOfRecordSets
      numberOfRecordSets
      nameServers
      zoneType
      recordSets{
				ttl
        fqdn
        provisioningState
        targetResourceId
        aRecords
        aaaaRecords
        mxRecords{
          id
          exchange
          preference
        }
        nsRecords
        ptrRecords
        srvRecords{
          id
          priority
          weight
          port
          target
        }
        txtRecords{
          id
          value
        }
        cnameRecord
        soaRecord{
          host
          email
          serialNumber
          refreshTime
          retryTime
          expireTime
          minimumTtl
        }
        caaRecords{
          id
          flags
          tag
          value
        }
        resourceGroupId
      }
      tags{
        id
        key
        value
      }
      resourceGroup{
        id
        # Other fields and connections here...
      }
    }
    firewalls {
      id
      name
      type
      kind
      subscriptionId
      region
      resourceGroupId
      applicationRuleCollections{
        id
        name
        priority
        action
        rules{
          id
          name
          description
          sourceAddresses
          protocols{
            id
            protocolType
            port
          }
          targetFqdns
          fqdnTags
          sourceIpGroups
        }
        provisioningState
      }
      natRuleCollections{
        id
        name
        priority
        action
        rules{
          id
          name
          description
          sourceAddresses
          destinationAddresses
          destinationPorts
          protocols
          translatedAddress
          translatedPort
          translatedFqdn
          sourceIpGroups
        }
        provisioningState
      }
      networkRuleCollections{
        id
        name
        priority
        action
        rules{
          id
          name
          description
          protocols
          sourceAddresses
          destinationAddresses
          destinationPorts
          destinationFqdns
          sourceIpGroups
          destinationIpGroups
        }
        provisioningState
      }
      ipConfigurations{
        id
        name
        privateIPAddress
        subnet
        publicIPAddress
        provisioningState
        type
      }
      managementIpConfiguration{
        id
        privateIPAddress
        subnet
        publicIPAddress
        provisioningState
        name
        type
      }
      provisioningState
      threatIntelMode
      virtualHub
      firewallPolicy
      hubIPAddresses{
        publicIPs
        privateIPAddress
      }
      ipGroups{
        id
        changeNumber
      }
      additionalProperties{
        id
        key
        value
      }
      zones
      region
      tags{
        id
        key
        value
      }
      resourceGroup{
        id
        # Other fields and connections here...
      }
      virtualNetworks{
        id
        # Other fields and connections here...
      }
      publicIps{
        id
        # Other fields and connections here...
      }
    }
    functionApps {
      id
      name
      type
      kind
      subscriptionId
      region
      resourceGroupId
      availabilityState
      clientAffinityEnabled
      clientCertEnabled
      clientCertExclusionPaths
      clientCertMode
      containerSize
      customDomainVerificationId
      dailyMemoryTimeQuota
      defaultHostName
      enabled
      enabledHostNames
      extendedLocation{
        name
        type
      }
      hostNames
      hostNamesDisabled
      hostingEnvironmentProfile{
        id
      }
      httpsOnly
      hyperV
      inProgressOperationId
      isDefaultContainer
      isXenon
      keyVaultReferenceIdentity
      lastModifiedTimeUtc
      maxNumberOfWorkers
      outboundIpAddresses
      possibleOutboundIpAddresses
      redundancyMode
      repositorySiteName
      reserved
      scmSiteAlsoStopped
      serverFarmId
      state
      storageAccountRequired
      suspendedTill
      targetSwapSlot
      trafficManagerHostNames
      usageState
      virtualNetworkSubnetId
      functions{
        configHref
        functionAppId
        href
        invokeUrlTemplate
        isDisabled
        language
        location
        resourceGroupId
        scriptHref
        scriptRootPathHref
        secretsFileHref
        testData
        testDataHref
      }
      resourceGroup{
        id
        # Other fields and connections here...
      }
    }
    keyVaults {
      id
      name
      type
      kind
      subscriptionId
      region
      resourceGroupId
      tenantId
      accessPolicies{
        id
        objectId
        applicationId
        permissionKeys
        permissionSecrets
        permissionCertificates
        permissionStorage
      }
      vaultUri
      enabledForDeployment
      enabledForDiskEncryption
      enabledForTemplateDeployment
      enableSoftDelete
      createMode
      enablePurgeProtection
      networkAclBypass
      networkAclDefaultAction
      networkAclIpRules
      networkAclVirtualNetworkRules
      tags{
        id
        key
        value
      }
      resourceGroup{
        id
        # Other fields and connections here...
      }
    }
    networkInterfaces {
      id
      name
      type
      kind
      subscriptionId
      region
      resourceGroupId
      macAddress
      privateIpAddress
      internalDnsNameLabel
      enableIpForwarding
      virtualMachineId
      enableAcceleratedNetworking
      internalDomainNameSuffix
      ipConfiguration{
        gatewayLoadBalancer{
          id
        }
        privateIPAddress
        privateIPAllocationMethod
        privateIPAddressVersion
        subnetId
        primary
        provisioningState
        id
        name
        etag
        type
      }
      appliedDnsServers
      dnsServers
      publicIps{
        id
        # Other fields and connections here...
      }
      resourceGroup{
        id
        # Other fields and connections here...
      }
      securityGroups{
        id
        # Other fields and connections here...
      }
      virtualMachines{
        id
        # Other fields and connections here...
      }
      virtualNetworks{
        id
        # Other fields and connections here...
      }
    }
    publicIps {
      id
      name
      type
      kind
      subscriptionId
      region
      resourceGroupId
      tier
      allocationMethod
      ipVersion
      dnsSettings{
        domainNameLabel
        fqdn
        reverseFqdn
      }
      ipTags {
        ipTagType
        tag
      }
      ipAddress
      idleTimeoutInMinutes
      resourceGuid
      zones
      firewalls{
        id
        # Other fields and connections here...
      }
      networkInterface{
        id
        # Other fields and connections here...
      }
      resourceGroup{
        id
        # Other fields and connections here...
      }
      tags{
        id
        key
        value
      }
    }
    securityGroups {
      id
      name
      type
      kind
      subscriptionId
      region
      resourceGroupId
      resourceGuid
      provisioningState
      etag
      securityRules{
        description
        protocol
        sourcePortRange
        destinationPortRange
        sourceAddressPrefix
        sourceAddressPrefixes
        sourceApplicationSecurityGroups{
          provisioningState
          etag
        }
        destinationAddressPrefix
        destinationAddressPrefixes
        destinationApplicationSecurityGroups{
          provisioningState
          etag
        }
        sourcePortRanges
        destinationPortRanges
        access
        priority
        direction
        provisioningState
        name
        etag
        type
      }
      defaultSecurityRules{
        description
        protocol
        sourcePortRange
        destinationPortRange
        sourceAddressPrefix
        sourceAddressPrefixes
        sourceApplicationSecurityGroups{
          provisioningState
          etag
        }
        destinationAddressPrefix
        destinationAddressPrefixes
        destinationApplicationSecurityGroups{
          provisioningState
          etag
        }
        sourcePortRanges
        destinationPortRanges
        access
        priority
        direction
        provisioningState
        name
        etag
        type
      }
      networkInterfaces{
        id
        # Other fields and connections here...
      }
      resourceGroup{
        id
        # Other fields and connections here...
      }
      tags{
        id
        key
        value
      }
    }
    storageAccounts {
      id
      name
      type
      kind
      subscriptionId
      region
      resourceGroupId
      extendedLocationName
      extendedLocationType
      provisioningState
      primaryEndpoints{
        blob
        queue
        table
        file
        web
        dfs
      }
      primaryMicrosoftEndpoints {
        blob
        queue
        table
        file
        web
        dfs
      }
      primaryInternetEndpoints{
        blob
        file
        web
        dfs
      }
      primaryLocation
      statusOfPrimary
      lastGeoFailoverTime
      secondaryLocation
      statusOfSecondary
      customDomainName
      customDomainUseSubDomainName
      sasPolicyExpirationPeriod
      keyPolicyExpirationPeriodInDays
      keyCreationTimeKey1
      keyCreationTimeKey2
      encryptionServiceBlob{
        enabled
        lastEnabledTime
        keyType
      }
      encryptionServiceFile{
        enabled
        lastEnabledTime
        keyType
      }
      encryptionServiceTable{
        enabled
        lastEnabledTime
        keyType
      }
      encryptionServiceQueue{
        enabled
        lastEnabledTime
        keyType
      }
      encryptionKeySource
      encryptionRequireInfrastructureEncryption
      encryptionKeyVaultPropertyKeyName
      encryptionKeyVaultPropertyKeyVersion
      encryptionKeyVaultPropertyKeyVaultUri
      encryptionKeyVaultPropertyCurrentVersionedKeyIdentifier
      encryptionKeyVaultPropertyLastKeyRotationTimestamp
      encryptionUserAssignedIdentity
      accessTier
      azureFilesIdentityBasedAuthenticationDirectoryServiceOptions
      azureFilesIdentityBasedAuthenticationADProperties{
        domainName
        netBiosDomainName
        forestName
        domainGuid
        domainSid
        azureStorageSid
      }
      enableHttpsTrafficOnly
      networkRuleSetByPass
      networkRuleResourceAccessRules {
        id
        tenantId
        resourceId
      }
      networkRuleVirtualNetworkRules {
        id
        virtualNetworkResourceId
        action
        state
      }
      networkRuleIpRules{
        id
        iPAddressOrRange
        action
      }
      networkRuleSetDefaultAction
      isHnsEnabled
      geoReplicationStatsStatus
      geoReplicationStatsLastSyncTime
      geoReplicationStatsCanFailover
      failoverInProgress
      largeFileSharesState
      privateEndpointConnections{
        id
        privateEndpointId
        privateLinkServiceConnectionStateStatus
        privateLinkServiceConnectionStateDescription
        privateLinkServiceConnectionStateActionRequired
        provisioningState
      }
      routingPreferenceChoice
      routingPreferencePublishMicrosoftEndpoints
      routingPreferencePublishInternetEndpoints
      allowBlobPublicAccess
      minimumTlsVersion
      allowSharedKeyAccess
      enableNfsV3
      resourceGroup {
        id
        # Other fields and connections here...
      }
      storageContainers {
        id
        # Other fields and connections here...
      }
      tags{
        id
        key
        value
      }
    }
    storageContainers {
      id
      name
      type
      kind
      subscriptionId
      region
      resourceGroupId
      version
      deleted
      deletedTime
      remainingRetentionDays
      denyEncryptionScopeOverride
      publicAccess
      lastModifiedTime
      leaseStatus
      leaseDuration
      immutabilityPolicyPeriodSinceCreationInDays
      immutabilityPolicyState
      immutabilityPolicyAllowProtectedAppendWrites
      immutabilityPolicyUpdateHistory {
        id
        update
        immutabilityPeriodSinceCreationInDays
        timestamp
        objectIdentifier
        tenantId
        upn
      }
      legalHoldTags{
        id
        tag
        timestamp
        objectIdentifier
        tenantId
        upn
      }
      hasLegalHold
      hasImmutabilityPolicy
      resourceGroup{
        id
        # Other fields and connections here...
      }
      storageAccount{
        id
        # Other fields and connections here...
      }
    }
    virtualMachines {
      id
      name
      type
      kind
      subscriptionId
      region
      resourceGroupId
      managedBy
      vmSize
      osProfile{
        computerName
        windowsConfiguration{
          provisionVMAgent
          enableAutomaticUpdates
          timeZone
        }
        linuxConfiguration{
          disablePasswordAuthentication
          provisionVMAgent
        }
        allowExtensionOperations
        requireGuestProvisionSignal
      }
      osType
      storageImageReference {
        publisher
        offer
        sku
        version
        exactVersion
      }
      bootDiagnostics
      licenseType
      tags{
        id
        key
        value
      }
      disks{
        id
        # Other fields and connections here...
      }
      networkInterfaces{
        id
        # Other fields and connections here...
      }
      virtualNetworks{
        id
        # Other fields and connections here...
      }
      resourceGroup{
        id
        # Other fields and connections here...
      }
    }
    virtualMachineScaleSets{
      id
      # Other fields and connections here...
    }
    virtualNetworks {
      id
      name
      type
      kind
      subscriptionId
      region
      resourceGroupId
      addressSpacePrefixes
      dnsServers
      ddosProtectionPlans{
        id
        name
        type
        resourceGuid
        etag
      }
      enableDdosProtection
      enableVmProtection
      flowTimeoutInMinutes
      provisioningState
      resourceGuid
      firewalls{
        id
        # Other fields and connections here...
      }
      networkInterfaces{
        id
        # Other fields and connections here...
      }
      virtualMachines{
        id
        # Other fields and connections here...
      }
      resourceGroup{
        id
        # Other fields and connections here...
      }
      tags{
        id
        key
        value
      }
    }
    tags{
      id
      key
      value
    }
  }
}


References

Dgraph documentation on querying

Azure Resource Group Documentation

Updated 03 Mar 2023
Did this page help you?
PREVIOUS
Public IP
NEXT
Security Assessments
Docs powered by
Archbee
TABLE OF CONTENTS
Overview
Filtering
Advanced Filtering
Ordering
Aggregation
Examples
Kitchen Sink
References
Docs powered by
Archbee