How to query Azure resources with attached resource tags?

Deshant Shukla
Jun 19, 2021

There is no direct way to query resource tags in the Log Analytics workspace. To do so, we have to pull Azure resource properties/tags from Resource Graph Explorer into the Log Analytics workspace.

By default, the properties of all Azure resources are collected in Resource Graph Explorer.

To pull these logs out, we will use an Azure Logic App.

Architecture Design

Let’s start working with the Logic App

1. Give the Logic App a managed identity

2. Grant this Logic App reader access at subscription level; this is mandatory.

3. Set the trigger to Recurrence

4. Initialize Variables

resources
| extend type = case(
    type contains 'microsoft.netapp/netappaccounts', 'NetApp Accounts',
    type contains 'microsoft.compute/availabilitysets', 'Availability Sets',
    type contains "microsoft.compute", "Azure Compute",
    type contains "microsoft.logic", "LogicApps",
    type contains 'microsoft.keyvault/vaults', "Key Vaults",
    type contains 'microsoft.storage/storageaccounts', "Storage Accounts",
    type contains 'microsoft.operationalinsights/workspaces', 'Azure Monitor Resources',
    type contains 'microsoft.operationsmanagement', 'Operations Management Resources',
    type contains 'microsoft.insights', 'Azure Monitor Resources',
    type contains 'microsoft.desktopvirtualization/applicationgroups', 'WVD Application Groups',
    type contains 'microsoft.desktopvirtualization/workspaces', 'WVD Workspaces',
    type contains 'microsoft.desktopvirtualization/hostpools', 'WVD Hostpools',
    type contains 'microsoft.recoveryservices/vaults', 'Backup Vaults',
    type contains 'microsoft.web', 'App Services',
    type contains 'microsoft.managedidentity/userassignedidentities', 'Managed Identities',
    type contains 'microsoft.storagesync/storagesyncservices', 'Azure File Sync',
    type contains 'microsoft.hybridcompute/machines', 'ARC Machines',
    type contains 'Microsoft.EventHub', 'Event Hub',
    type contains 'Microsoft.EventGrid', 'Event Grid',
    type contains 'Microsoft.Sql', 'SQL Resources',
    type contains 'Microsoft.HDInsight/clusters', 'HDInsight Clusters',
    type contains 'microsoft.devtestlab', 'DevTest Labs Resources',
    type contains 'microsoft.containerinstance', 'Container Instances Resources',
    type contains 'microsoft.portal/dashboards', 'Azure Dashboards',
    type contains 'microsoft.containerregistry/registries', 'Container Registry',
    type contains 'microsoft.automation', 'Automation Resources',
    type contains 'sendgrid.email/accounts', 'SendGrid Accounts',
    type contains 'microsoft.datafactory/factories', 'Data Factory',
    type contains 'microsoft.databricks/workspaces', 'Databricks Workspaces',
    type contains 'microsoft.machinelearningservices/workspaces', 'Machine Learning Workspaces',
    type contains 'microsoft.alertsmanagement/smartdetectoralertrules', 'Azure Monitor Resources',
    type contains 'microsoft.apimanagement/service', 'API Management Services',
    type contains 'microsoft.dbforpostgresql', 'PostgreSQL Resources',
    type contains 'microsoft.scheduler/jobcollections', 'Scheduler Job Collections',
    type contains 'microsoft.visualstudio/account', 'Azure DevOps Organization',
    type contains 'microsoft.network/', 'Network Resources',
    type contains 'microsoft.migrate/' or type contains 'microsoft.offazure', 'Azure Migrate Resources',
    type contains 'microsoft.servicebus/namespaces', 'Service Bus Namespaces',
    type contains 'microsoft.classic', 'ASM Obsolete Resources',
    type contains 'microsoft.resources/templatespecs', 'Template Spec Resources',
    type contains 'microsoft.virtualmachineimages', 'VM Image Templates',
    type contains 'microsoft.documentdb', 'CosmosDB DB Resources',
    type contains 'microsoft.alertsmanagement/actionrules', 'Azure Monitor Resources',
    type contains 'microsoft.kubernetes/connectedclusters', 'ARC Kubernetes Clusters',
    type contains 'microsoft.purview', 'Purview Resources',
    type contains 'microsoft.security', 'Security Resources',
    type contains 'microsoft.cdn', 'CDN Resources',
    type contains 'microsoft.devices', 'IoT Resources',
    type contains 'microsoft.datamigration', 'Data Migration Services',
    type contains 'microsoft.cognitiveservices', 'Cognitive Services',
    type contains 'microsoft.customproviders', 'Custom Providers',
    type contains 'microsoft.appconfiguration', 'App Services',
    type contains 'microsoft.search', 'Search Services',
    type contains 'microsoft.maps', 'Maps',
    type contains 'microsoft.containerservice/managedclusters', 'AKS',
    type contains 'microsoft.signalrservice', 'SignalR',
    type contains 'microsoft.resourcegraph/queries', 'Resource Graph Queries',
    type contains 'microsoft.batch', 'MS Batch',
    type contains 'microsoft.analysisservices', 'Analysis Services',
    type contains 'microsoft.synapse/workspaces/sqlpools', 'Synapse SQL Pools',
    type contains 'microsoft.synapse/workspaces', 'Synapse Workspaces',
    type contains 'microsoft.kusto/clusters', 'ADX Clusters',
    type contains 'microsoft.resources/deploymentscripts', 'Deployment Scripts',
    type contains 'microsoft.aad/domainservices', 'AD Domain Services',
    type contains 'microsoft.labservices/labaccounts', 'Lab Accounts',
    type contains 'microsoft.automanage/accounts', 'Automanage Accounts',
    strcat("Not Translated: ", type))
| where isnotempty(tags)
| where tags <> "{}"
| project name, type, resourceGroup, subscriptionId, tags, location

5. Add an HTTP action

6. Parse the JSON output of the HTTP body

7. Next, add a For_Each action to split the items into multiple rows, followed by a Compose action.

8. Forward the logs to the Log Analytics workspace

For this example, you will find data under table “RGqueryout_CL”.

In the output of this Logic App, the data for one resource (VM, VNet, etc.) is displayed in a single cell. For better accessibility, you can write a parser that divides the data into different columns.

Note: The HTTP action is limited to 1000 data rows, which means this Logic App will forward only the first 1000 resources' data. If you want to send more data, filter it by resource group or resource type in “Initialize query variable”.
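An added example, not the author's Logic App: the same pull written in Python against the Azure Resource Graph REST API, following `$skipToken` so rows beyond the first 1000 are also collected, and splitting each resource's tags into one record per tag as the parser mentioned above would. The `post` callable, `make_fake_post` and the sample rows are assumptions constructed for illustration.

```python
import json

ARG_URL = ("https://management.azure.com/providers/Microsoft.ResourceGraph/"
           "resources?api-version=2021-03-01")

def fetch_all(query, subscriptions, post, page_size=1000):
    """Return every row of a Resource Graph query by following $skipToken.

    `post(url, body)` is supplied by the caller (assumption): it sends the
    authenticated POST and returns the decoded JSON reply. The query must
    project `id`, otherwise the service returns no $skipToken.
    """
    rows, token = [], None
    while True:
        options = {"$top": page_size, "resultFormat": "objectArray"}
        if token:
            options["$skipToken"] = token
        reply = post(ARG_URL, {"subscriptions": subscriptions,
                               "query": query, "options": options})
        rows.extend(reply.get("data", []))
        token = reply.get("$skipToken")
        if not token:
            return rows

def flatten_tags(row):
    """Split one resource row into one record per tag (name/value columns)."""
    tags = row.get("tags") or {}
    if isinstance(tags, str):      # tolerate tags serialized as a JSON string
        tags = json.loads(tags)
    base = {k: v for k, v in row.items() if k != "tags"}
    return [dict(base, tagName=k, tagValue=v) for k, v in tags.items()]

def make_fake_post(pages):
    """Constructed stand-in for the HTTP call: serves `pages` in order."""
    calls = []
    def post(url, body):
        calls.append(body)
        reply = {"data": pages[len(calls) - 1]}
        if len(calls) < len(pages):
            reply["$skipToken"] = f"token-{len(calls)}"
        return reply
    post.calls = calls
    return post

# Constructed sample data: two result pages, not real resources.
SAMPLE_PAGES = [
    [{"id": "/sub/rg1/vm1", "name": "vm1", "tags": {"env": "prod", "owner": "soc"}}],
    [{"id": "/sub/rg1/kv1", "name": "kv1", "tags": '{"env": "dev"}'}],
]
```

To use it with the query from step 4, add `id` to the final `project` so that paging tokens are returned.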

Please write to me if you want to share the parser for this logic app.

Thanks, happy learning!

Deshant Shukla

Microsoft Certified Trainer |Certified Azure Solution Architect | Working on multiple Azure security solutions deployment and cyber threat detection & response