Resource Group
Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.
You can currently query the following attributes and connections on an Azure Resource Group:
query {
  queryazureResourceGroup {
    id
    name
    type
    kind
    subscriptionId
    region
    managedBy
    disks {
      id
      # Other fields and connections here...
    }
    dns {
      id
      # Other fields and connections here...
    }
    firewalls {
      id
      # Other fields and connections here...
    }
    functionApps {
      id
      # Other fields and connections here...
    }
    keyVaults {
      id
      # Other fields and connections here...
    }
    networkInterfaces {
      id
      # Other fields and connections here...
    }
    publicIps {
      id
      # Other fields and connections here...
    }
    securityGroups {
      id
      # Other fields and connections here...
    }
    storageAccounts {
      id
      # Other fields and connections here...
    }
    storageContainers {
      id
      # Other fields and connections here...
    }
    virtualMachines {
      id
      # Other fields and connections here...
    }
    virtualMachineScaleSets {
      id
      # Other fields and connections here...
    }
    virtualNetworks {
      id
      # Other fields and connections here...
    }
    tags {
      id
      key
      value
    }
  }
}
Get data for a single Azure Resource Group that you know the ID for:
query {
  getazureResourceGroup(id: "12345") {
    id
    # Other fields and connections here...
  }
}
Get data for all of the Resource Groups in a certain Azure subscription:
query {
  queryazureResourceGroup(filter: { subscriptionId: { eq: "12345" } }) {
    id
    # Other fields and connections here...
  }
}

# Note that in addition to "subscriptionId" you can
# filter based on any of the following attributes:
# id
# name
# type
# kind
# subscriptionId
# region
# managedBy

# And the following Dgraph filters can also be applied:
# has
# and
# or
# not
# regexp (regular expressions)

# fulltext filters
# alloftext
# anyoftext
Get data for all of the Resource Groups that are NOT in a certain Azure subscription:
query {
  queryazureResourceGroup(filter: { not: { subscriptionId: { eq: "12345" } } }) {
    id
    # Other fields and connections here...
  }
}
Get data for all of the Resource Groups that are connected to a virtualMachine:
query {
  queryazureResourceGroup(filter: { has: virtualMachines }) {
    id
    # Other fields and connections here...
  }
}

# Note that in addition to "virtualMachines" you can filter
# using "has" based on any of the following attributes:
# id
# name
# type
# kind
# subscriptionId
# region
# managedBy
# disks
# dns
# firewalls
# functionApps
# keyVaults
# networkInterfaces
# publicIps
# securityGroups
# storageAccounts
# storageContainers
# virtualMachines
# virtualMachineScaleSets
# virtualNetworks
# tags
You can order the results you get back either asc or desc depending on your preference:
query {
  queryazureResourceGroup(order: { desc: name }) {
    id
    # Other fields and connections here...
  }
}

# Note that in addition to "name" you can order
# using "asc" or "desc" based on any of the following attributes:
# id
# name
# type
# kind
# subscriptionId
# region
# managedBy
Only select and return the first two Resource Groups that are found:
query {
  queryazureResourceGroup(first: 2, order: { desc: name }) {
    id
    # Other fields and connections here...
  }
}
Only select and return the first two Resource Groups that are found, but offset by one so Resource Groups two and three are returned:
query {
  queryazureResourceGroup(first: 2, order: { desc: name }, offset: 1) {
    id
    # Other fields and connections here...
  }
}
Count the number of Resource Groups across all scanned Azure subscriptions:
query {
  aggregateazureResourceGroup {
    count
    # Other fields and connections here...
  }
}

# Note that in addition to "count" you can request the
# following min and max values based on attributes of your Resource Groups:
# idMin
# idMax
# nameMin
# nameMax
# typeMin
# typeMax
# kindMin
# kindMax
# subscriptionIdMin
# subscriptionIdMax
# regionMin
# regionMax
# managedByMin
# managedByMax
Count the number of Resource Groups in a single account. Note that you can apply all of the same filters that are listed above to aggregate queries:
query {
  aggregateazureResourceGroup(filter: { subscriptionId: { eq: "12345" } }) {
    count
    # Other fields and connections here...
  }
}
Find all of the Resource Groups that are in the eastus region across all your accounts:
query {
  queryazureResourceGroup(filter: { region: { eq: "eastus" } }) {
    id
    # Other fields and connections here...
  }
}
Find all of the Resource Groups that have a tag of Environment:Production for a single Azure Subscription:
query {
  queryazureTag(
    filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
  ) {
    resourceGroups(filter: { subscriptionId: { eq: "12345" } }) {
      id
      # Other fields and connections here...
    }
  }
}
With CloudGraph you can run multiple queries at the same time so you can combine the above two queries if you like:
query {
  queryazureResourceGroup(filter: { region: { eq: "eastus" } }) {
    id
    # Other fields and connections here...
  }
  queryazureTag(
    filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
  ) {
    resourceGroups(filter: { subscriptionId: { eq: "12345" } }) {
      id
      # Other fields and connections here...
    }
  }
}
Putting it all together: get all data for all Resource Groups across all regions for all scanned Azure subscriptions in a single query. For the purposes of this example, we will only get direct children of the Resource Groups, but if you want to, it's easy to go from, say, resourceGroup -> virtualMachine -> networkInterface, etc.:
query {
  queryazureResourceGroup {
    id name type kind subscriptionId region managedBy
    disks {
      id name type kind subscriptionId region resourceGroupId managedBy zones
      timeCreated osType hyperVGeneration createOption imageReferenceId
      diskSizeGb diskSizeBytes uniqueId diskIopsReadWrite diskMbpsReadWrite
      diskState networkAccessPolicy tier encryptionSettings
      tags { id key value }
      resourceGroup {
        id
        # Other fields and connections here...
      }
      virtualMachine {
        id
        # Other fields and connections here...
      }
    }
    dns {
      id name type kind subscriptionId region resourceGroupId
      maxNumberOfRecordSets numberOfRecordSets nameServers zoneType
      recordSets {
        ttl fqdn provisioningState targetResourceId aRecords aaaaRecords
        mxRecords { id exchange preference }
        nsRecords ptrRecords
        srvRecords { id priority weight port target }
        txtRecords { id value }
        cnameRecord
        soaRecord { host email serialNumber refreshTime retryTime expireTime minimumTtl }
        caaRecords { id flags tag value }
        resourceGroupId
      }
      tags { id key value }
      resourceGroup {
        id
        # Other fields and connections here...
      }
    }
    firewalls {
      id name type kind subscriptionId region resourceGroupId
      applicationRuleCollections {
        id name priority action
        rules {
          id name description sourceAddresses
          protocols { id protocolType port }
          targetFqdns fqdnTags sourceIpGroups
        }
        provisioningState
      }
      natRuleCollections {
        id name priority action
        rules {
          id name description sourceAddresses destinationAddresses
          destinationPorts protocols translatedAddress translatedPort
          translatedFqdn sourceIpGroups
        }
        provisioningState
      }
      networkRuleCollections {
        id name priority action
        rules {
          id name description protocols sourceAddresses destinationAddresses
          destinationPorts destinationFqdns sourceIpGroups destinationIpGroups
        }
        provisioningState
      }
      ipConfigurations { id name privateIPAddress subnet publicIPAddress provisioningState type }
      managementIpConfiguration { id privateIPAddress subnet publicIPAddress provisioningState name type }
      provisioningState threatIntelMode virtualHub firewallPolicy
      hubIPAddresses { publicIPs privateIPAddress }
      ipGroups { id changeNumber }
      additionalProperties { id key value }
      zones region
      tags { id key value }
      resourceGroup {
        id
        # Other fields and connections here...
      }
      virtualNetworks {
        id
        # Other fields and connections here...
      }
      publicIps {
        id
        # Other fields and connections here...
      }
    }
    functionApps {
      id name type kind subscriptionId region resourceGroupId availabilityState
      clientAffinityEnabled clientCertEnabled clientCertExclusionPaths
      clientCertMode containerSize customDomainVerificationId
      dailyMemoryTimeQuota defaultHostName enabled enabledHostNames
      extendedLocation { name type }
      hostNames hostNamesDisabled
      hostingEnvironmentProfile { id }
      httpsOnly hyperV inProgressOperationId isDefaultContainer isXenon
      keyVaultReferenceIdentity lastModifiedTimeUtc maxNumberOfWorkers
      outboundIpAddresses possibleOutboundIpAddresses redundancyMode
      repositorySiteName reserved scmSiteAlsoStopped serverFarmId state
      storageAccountRequired suspendedTill targetSwapSlot
      trafficManagerHostNames usageState virtualNetworkSubnetId
      functions {
        configHref functionAppId href invokeUrlTemplate isDisabled language
        location resourceGroupId scriptHref scriptRootPathHref secretsFileHref
        testData testDataHref
      }
      resourceGroup {
        id
        # Other fields and connections here...
      }
    }
    keyVaults {
      id name type kind subscriptionId region resourceGroupId tenantId
      accessPolicies {
        id objectId applicationId permissionKeys permissionSecrets
        permissionCertificates permissionStorage
      }
      vaultUri enabledForDeployment enabledForDiskEncryption
      enabledForTemplateDeployment enableSoftDelete createMode
      enablePurgeProtection networkAclBypass networkAclDefaultAction
      networkAclIpRules networkAclVirtualNetworkRules
      tags { id key value }
      resourceGroup {
        id
        # Other fields and connections here...
      }
    }
    networkInterfaces {
      id name type kind subscriptionId region resourceGroupId macAddress
      privateIpAddress internalDnsNameLabel enableIpForwarding virtualMachineId
      enableAcceleratedNetworking internalDomainNameSuffix
      ipConfiguration {
        gatewayLoadBalancer { id }
        privateIPAddress privateIPAllocationMethod privateIPAddressVersion
        subnetId primary provisioningState id name etag type
      }
      appliedDnsServers dnsServers
      publicIps {
        id
        # Other fields and connections here...
      }
      resourceGroup {
        id
        # Other fields and connections here...
      }
      securityGroups {
        id
        # Other fields and connections here...
      }
      virtualMachines {
        id
        # Other fields and connections here...
      }
      virtualNetworks {
        id
        # Other fields and connections here...
      }
    }
    publicIps {
      id name type kind subscriptionId region resourceGroupId tier
      allocationMethod ipVersion
      dnsSettings { domainNameLabel fqdn reverseFqdn }
      ipTags { ipTagType tag }
      ipAddress idleTimeoutInMinutes resourceGuid zones
      firewalls {
        id
        # Other fields and connections here...
      }
      networkInterface {
        id
        # Other fields and connections here...
      }
      resourceGroup {
        id
        # Other fields and connections here...
      }
      tags { id key value }
    }
    securityGroups {
      id name type kind subscriptionId region resourceGroupId resourceGuid
      provisioningState etag
      securityRules {
        description protocol sourcePortRange destinationPortRange
        sourceAddressPrefix sourceAddressPrefixes
        sourceApplicationSecurityGroups { provisioningState etag }
        destinationAddressPrefix destinationAddressPrefixes
        destinationApplicationSecurityGroups { provisioningState etag }
        sourcePortRanges destinationPortRanges access priority direction
        provisioningState name etag type
      }
      defaultSecurityRules {
        description protocol sourcePortRange destinationPortRange
        sourceAddressPrefix sourceAddressPrefixes
        sourceApplicationSecurityGroups { provisioningState etag }
        destinationAddressPrefix destinationAddressPrefixes
        destinationApplicationSecurityGroups { provisioningState etag }
        sourcePortRanges destinationPortRanges access priority direction
        provisioningState name etag type
      }
      networkInterfaces {
        id
        # Other fields and connections here...
      }
      resourceGroup {
        id
        # Other fields and connections here...
      }
      tags { id key value }
    }
    storageAccounts {
      id name type kind subscriptionId region resourceGroupId
      extendedLocationName extendedLocationType provisioningState
      primaryEndpoints { blob queue table file web dfs }
      primaryMicrosoftEndpoints { blob queue table file web dfs }
      primaryInternetEndpoints { blob file web dfs }
      primaryLocation statusOfPrimary lastGeoFailoverTime secondaryLocation
      statusOfSecondary customDomainName customDomainUseSubDomainName
      sasPolicyExpirationPeriod keyPolicyExpirationPeriodInDays
      keyCreationTimeKey1 keyCreationTimeKey2
      encryptionServiceBlob { enabled lastEnabledTime keyType }
      encryptionServiceFile { enabled lastEnabledTime keyType }
      encryptionServiceTable { enabled lastEnabledTime keyType }
      encryptionServiceQueue { enabled lastEnabledTime keyType }
      encryptionKeySource encryptionRequireInfrastructureEncryption
      encryptionKeyVaultPropertyKeyName encryptionKeyVaultPropertyKeyVersion
      encryptionKeyVaultPropertyKeyVaultUri
      encryptionKeyVaultPropertyCurrentVersionedKeyIdentifier
      encryptionKeyVaultPropertyLastKeyRotationTimestamp
      encryptionUserAssignedIdentity accessTier
      azureFilesIdentityBasedAuthenticationDirectoryServiceOptions
      azureFilesIdentityBasedAuthenticationADProperties {
        domainName netBiosDomainName forestName domainGuid domainSid azureStorageSid
      }
      enableHttpsTrafficOnly networkRuleSetByPass
      networkRuleResourceAccessRules { id tenantId resourceId }
      networkRuleVirtualNetworkRules { id virtualNetworkResourceId action state }
      networkRuleIpRules { id iPAddressOrRange action }
      networkRuleSetDefaultAction isHnsEnabled geoReplicationStatsStatus
      geoReplicationStatsLastSyncTime geoReplicationStatsCanFailover
      failoverInProgress largeFileSharesState
      privateEndpointConnections {
        id privateEndpointId privateLinkServiceConnectionStateStatus
        privateLinkServiceConnectionStateDescription
        privateLinkServiceConnectionStateActionRequired provisioningState
      }
      routingPreferenceChoice routingPreferencePublishMicrosoftEndpoints
      routingPreferencePublishInternetEndpoints allowBlobPublicAccess
      minimumTlsVersion allowSharedKeyAccess enableNfsV3
      resourceGroup {
        id
        # Other fields and connections here...
      }
      storageContainers {
        id
        # Other fields and connections here...
      }
      tags { id key value }
    }
    storageContainers {
      id name type kind subscriptionId region resourceGroupId version deleted
      deletedTime remainingRetentionDays denyEncryptionScopeOverride
      publicAccess lastModifiedTime leaseStatus leaseDuration
      immutabilityPolicyPeriodSinceCreationInDays immutabilityPolicyState
      immutabilityPolicyAllowProtectedAppendWrites
      immutabilityPolicyUpdateHistory {
        id update immutabilityPeriodSinceCreationInDays timestamp
        objectIdentifier tenantId upn
      }
      legalHoldTags { id tag timestamp objectIdentifier tenantId upn }
      hasLegalHold hasImmutabilityPolicy
      resourceGroup {
        id
        # Other fields and connections here...
      }
      storageAccount {
        id
        # Other fields and connections here...
      }
    }
    virtualMachines {
      id name type kind subscriptionId region resourceGroupId managedBy vmSize
      osProfile {
        computerName
        windowsConfiguration { provisionVMAgent enableAutomaticUpdates timeZone }
        linuxConfiguration { disablePasswordAuthentication provisionVMAgent }
        allowExtensionOperations requireGuestProvisionSignal
      }
      osType
      storageImageReference { publisher offer sku version exactVersion }
      bootDiagnostics licenseType
      tags { id key value }
      disks {
        id
        # Other fields and connections here...
      }
      networkInterfaces {
        id
        # Other fields and connections here...
      }
      virtualNetworks {
        id
        # Other fields and connections here...
      }
      resourceGroup {
        id
        # Other fields and connections here...
      }
    }
    virtualMachineScaleSets {
      id
      # Other fields and connections here...
    }
    virtualNetworks {
      id name type kind subscriptionId region resourceGroupId
      addressSpacePrefixes dnsServers
      ddosProtectionPlans { id name type resourceGuid etag }
      enableDdosProtection enableVmProtection flowTimeoutInMinutes
      provisioningState resourceGuid
      firewalls {
        id
        # Other fields and connections here...
      }
      networkInterfaces {
        id
        # Other fields and connections here...
      }
      virtualMachines {
        id
        # Other fields and connections here...
      }
      resourceGroup {
        id
        # Other fields and connections here...
      }
      tags { id key value }
    }
    tags { id key value }
  }
}
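The nested result of a Resource Group query can be turned directly into a configuration review. The Python below is an added example, not CloudGraph code: `QUERY` selects a few of the fields listed above, and `audit` flags storage accounts that allow plain HTTP, public blob access or TLS below 1.2, plus security group rules that allow SSH or RDP inbound from any source. The sample response, the value encodings (`Allow`, `Inbound`, `TLS1_0`, boolean or `Yes`/`No` flags) and the function names are assumptions.

```python
# Added example, not CloudGraph code; sample data and value encodings are assumed.
QUERY = """query {
  queryazureResourceGroup {
    name
    storageAccounts { name enableHttpsTrafficOnly allowBlobPublicAccess minimumTlsVersion }
    securityGroups { name securityRules {
      name access direction sourceAddressPrefix destinationPortRange } }
  }
}"""
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}  # assumed encodings of "anywhere"
ADMIN_PORTS = (22, 3389)  # SSH and RDP

def is_true(value):
    """Accept a boolean or a 'Yes'/'true' string, since the encoding is assumed."""
    return value is True or str(value).lower() in {"yes", "true"}

def covers(port_range, ports):
    """True if a range such as '22', '20-25' or '*' includes any of `ports`."""
    if port_range in (None, "", "*"):
        return port_range == "*"
    low, _, high = port_range.partition("-")
    return any(int(low) <= p <= int(high or low) for p in ports)

def audit(response):
    """Return sorted (resource group, resource, issue) tuples."""
    found = []
    for rg in response["data"]["queryazureResourceGroup"]:
        for sa in rg.get("storageAccounts") or []:
            if not is_true(sa.get("enableHttpsTrafficOnly")):
                found.append((rg["name"], sa["name"], "plain HTTP allowed"))
            if is_true(sa.get("allowBlobPublicAccess")):
                found.append((rg["name"], sa["name"], "public blob access allowed"))
            if sa.get("minimumTlsVersion") in ("TLS1_0", "TLS1_1"):
                found.append((rg["name"], sa["name"], "TLS below 1.2"))
        for sg in rg.get("securityGroups") or []:
            for rule in sg.get("securityRules") or []:
                if (rule.get("access") == "Allow" and rule.get("direction") == "Inbound"
                        and rule.get("sourceAddressPrefix") in ANY_SOURCE
                        and covers(rule.get("destinationPortRange"), ADMIN_PORTS)):
                    found.append((rg["name"], sg["name"], "admin port open: " + rule["name"]))
    return sorted(found)

SAMPLE = {"data": {"queryazureResourceGroup": [{  # constructed response
    "name": "rg-web",
    "storageAccounts": [{"name": "stlogs", "enableHttpsTrafficOnly": "No",
                         "allowBlobPublicAccess": "Yes", "minimumTlsVersion": "TLS1_0"}],
    "securityGroups": [{"name": "nsg-web", "securityRules": [
        {"name": "ssh", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "*", "destinationPortRange": "20-25"}]}]}]}}
```

Check the value encodings your CloudGraph instance actually returns for these fields in the generated schema docs before relying on the comparisons.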


