OSIRIS JSON Producer for Microsoft Azure
The OSIRIS JSON Azure producer connects to Microsoft Azure via the Azure CLI (az) and generates OSIRIS JSON snapshots of your subscription topology - virtual networks, subnets, NICs, NSGs, load balancers, firewalls, VMs, and more.
To begin using OSIRIS JSON for Microsoft Azure, install the core dispatcher and the Azure producer:
go install go.osirisjson.org/producers/cmd/osirisjson-producer@latest
go install go.osirisjson.org/producers/cmd/osirisjson-producer-azure@latest
The core dispatcher lets you run osirisjson-producer azure .... Without it, invoke the vendor binary directly as osirisjson-producer-azure ....
Make sure $GOPATH/bin (or $HOME/go/bin) is in your PATH. See the getting started page for more install options.
Prerequisites
- Install the Azure CLI
- Authenticate:
az login
- The authenticated user must have read permission on one or more target subscriptions. You can run the producer on your local machine, or invoke it from a scheduled job using a service account on the software or platform of your choice.
CLI usage
osirisjson-producer azure [flags]
osirisjson-producer azure template --generate
Single mode
Start by collecting a single subscription. The snapshot is saved automatically as microsoft-azure-<timestamp>-<name>.json:
osirisjson-producer azure -S a1b2c3d4-e5f6-7890-abcd-ef1234567890
Interactive mode
Run without flags to get an interactive subscription picker:
osirisjson-producer azure
The producer discovers all accessible subscriptions and presents a numbered list. Select one or more (comma-separated) or type all.
Multi-subscription mode
Collect multiple subscriptions to an output directory:
# Specific subscriptions
osirisjson-producer azure -S sub-id-1,sub-id-2,sub-id-3 -o ./output
# All accessible subscriptions (auto-discover)
osirisjson-producer azure --all -o ./output
# All subscriptions in a specific tenant
osirisjson-producer azure --all --tenant f1e2d3c4-b5a6-9078-fedc-ba9876543210 -o ./output
Batch mode (CSV)
Generate a CSV template:
osirisjson-producer azure template --generate
Collect from a CSV file:
osirisjson-producer azure -s subscriptions.csv -o ./output
The CSV template uses these columns:
| Column | Required | Description |
|---|---|---|
| subscription_id | yes | Azure subscription UUID |
| subscription_name | yes | Human-readable label (used as output filename) |
| tenant_id | | Azure AD / Entra ID tenant UUID |
| environment | | Deployment stage: dv, np, pr (development, non-production, production) |
| region | | Filter to Azure region (empty = all regions) |
| notes | | Free-text notes (ignored by producer) |
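A pre-flight check for the batch CSV, as an added example that is not part of the producer. It assumes the file starts with a header row carrying the column names above; the file-name policy in SAFE_NAME and the duplicate-path check are this example's own conservative assumptions, not documented producer behaviour.

```python
import csv
import io
import re
import uuid

REQUIRED = ("subscription_id", "subscription_name")
ENVIRONMENTS = {"dv", "np", "pr"}
# Assumption: subscription_name becomes a file name, so allow a conservative character set only.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ -]*$")

def is_uuid(value):
    """True only for the canonical 8-4-4-4-12 hyphenated form."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False

def lint(text):
    """Return (line_number, message) problems found in a subscriptions CSV."""
    problems, seen = [], set()
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]
    for row in reader:
        f = {k: (v or "").strip() for k, v in row.items() if k}
        n = reader.line_num
        if not is_uuid(f["subscription_id"]):
            problems.append((n, "subscription_id is not a UUID"))
        if f.get("tenant_id") and not is_uuid(f["tenant_id"]):
            problems.append((n, "tenant_id is not a UUID"))
        if not SAFE_NAME.match(f["subscription_name"]) or ".." in f["subscription_name"]:
            problems.append((n, "subscription_name is unsafe as a file name"))
        if f.get("environment") and f["environment"] not in ENVIRONMENTS:
            problems.append((n, "environment must be dv, np or pr"))
        # Inference from the output hierarchy: same tenant + same name -> same output path.
        key = (f.get("tenant_id", ""), f["subscription_name"].lower())
        if key in seen:
            problems.append((n, "duplicate output path for this tenant"))
        seen.add(key)
    return problems

# Constructed sample input (not taken from a real tenant).
SAMPLE = """subscription_id,subscription_name,tenant_id,environment,region,notes
a1b2c3d4-e5f6-7890-abcd-ef1234567890,my-nonprod-subscription,f1e2d3c4-b5a6-9078-fedc-ba9876543210,np,westeurope,ok
not-a-uuid,../other-tenant/prod,,prod,,
a1b2c3d4-e5f6-7890-abcd-ef1234567891,my-nonprod-subscription,f1e2d3c4-b5a6-9078-fedc-ba9876543210,np,,dup name
"""
```

Run lint on the file contents in the scheduled job and skip collection when it returns any problems.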
Output hierarchy
Single mode: saves to microsoft-azure-<timestamp>-<name>.json in the current directory.
Multi/batch/all modes: organized by tenant and timestamp:
output/
  <TenantID>/
    <timestamp>/
      <SubscriptionName>.json
Each subscription produces a self-contained OSIRIS document. Cross-subscription references (e.g. VNet peerings to remote subscriptions) use deterministic resource IDs that consumers can correlate across documents.
Multi-tenant environments
Run the producer once per tenant. Each az login authenticates to one tenant. Use az login --tenant <tenant-id> to switch. The output hierarchy groups documents by tenant automatically.
Flags reference
| Flag | Short | Description |
|---|---|---|
| --subscription | -S | Azure subscription ID(s), comma-separated |
| --all | | Auto-discover all accessible subscriptions |
| --source | -s | CSV file with subscription targets |
| --output | -o | Output directory (required for multi/all/CSV mode) |
| --tenant | | Azure AD / Entra ID tenant ID (optional) |
| --region | | Filter to a specific Azure region (optional) |
| --detail | | Detail level: minimal (default) or detailed |
| --safe-failure-mode | | Secret handling: fail-closed (default), log-and-redact, off |
| --version | -v | Display version and exit |
| --help | | Display help and exit |
What it collects
The Azure producer queries the following resource types via the Azure CLI:
Minimal mode:
| Azure Resource Type | OSIRIS Type | Description |
|---|---|---|
| Virtual Networks | network.vpc | VNets with address space, DNS, peerings |
| Subnets | network.subnet | Subnets with address prefixes, service endpoints |
| Network Interfaces | network.interface | NICs with IP configurations |
| Network Security Groups | network.security.group | NSGs with rule summaries |
| Route Tables | osiris.azure.routetable | UDRs with route counts |
| Public IP Addresses | osiris.azure.publicip | Public IPs with allocation method |
| Load Balancers | network.loadbalancer | L4 load balancers |
| Application Gateways | network.loadbalancer | L7 load balancers (app gateways) |
| Private Endpoints | osiris.azure.privateendpoint | Private link endpoints |
| VNet Gateways | osiris.azure.gateway.vnet | ExpressRoute / VPN gateways |
| NAT Gateways | osiris.azure.gateway.nat | Outbound NAT gateways |
| Azure Firewalls | network.firewall | Azure Firewall instances |
| DNS Zones | osiris.azure.dns.zone | Public DNS zones |
| Private DNS Zones | osiris.azure.dns.privatezone | Private DNS zones with VNet links |
| ExpressRoute Circuits | osiris.azure.expressroute | ExpressRoute circuits |
| Virtual Machines | compute.vm | VMs with size, power state |
| Resource Groups | container.resourcegroup | Resource groups as container resources |
Detailed mode adds route table route details, load balancer rules, and extended properties.
OSIRIS JSON output structure for Microsoft Azure
{
  "$schema": "https://osirisjson.org/schema/v1.0/osiris.schema.json",
  "version": "1.0.0",
  "metadata": {
    "generator": {
      "name": "osirisjson-producer-azure",
      "version": "0.1.0"
    },
    "scope": {
      "providers": ["azure"],
      "accounts": ["<tenant-id>"],
      "subscriptions": ["<subscription-id>"],
      "regions": ["westeurope", "eastus"]
    }
  },
  "topology": {
    "resources": [ ... ],
    "connections": [ ... ],
    "groups": [ ... ]
  }
}
Resource types
Resource types follow the OSIRIS JSON v1.0 specification. Standard types are used where defined; Azure-specific types use the osiris.azure.* namespace.
Standard types:
- container.resourcegroup - Resource groups
- network.vpc - Virtual networks
- network.subnet - Subnets
- network.interface - Network interfaces
- network.security.group - Network security groups
- network.loadbalancer - Load balancers (L4 and L7)
- network.firewall - Azure Firewalls
- compute.vm - Virtual machines
Custom types (osiris.azure.*):
- osiris.azure.routetable - Route tables
- osiris.azure.publicip - Public IP addresses
- osiris.azure.privateendpoint - Private endpoints
- osiris.azure.gateway.vnet - VNet gateways (VPN/ExpressRoute)
- osiris.azure.gateway.nat - NAT gateways
- osiris.azure.dns.zone - DNS zones
- osiris.azure.dns.privatezone - Private DNS zones
- osiris.azure.expressroute - ExpressRoute circuits
Connection types
- network - Network connectivity (VNet peerings, NIC-to-subnet, NSG associations, DNS links, gateway connections)
- contains - Containment (subnet-to-VNet membership)
Group types
- logical.subscription - Top-level subscription group
- logical.resourcegroup - Resource group groups (children of subscription)
Provider metadata
Every resource includes provider.type with the native ARM resource type (e.g. Microsoft.Network/virtualNetworks, Microsoft.Compute/virtualMachines). Cross-subscription peering stubs include provider.subscription with the remote subscription ID.
Resource IDs
Azure resource IDs follow the pattern azure::<ARM-resource-id>, using the full ARM resource ID as the native identifier. This ensures globally unique, deterministic IDs.
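How a consumer can use these deterministic IDs to correlate per-subscription documents and spot peerings into subscriptions that were never collected (a blind spot in the topology), as an added example that is not the project's own code. It assumes a resource whose ARM ID names a subscription outside the document's metadata.scope.subscriptions is a cross-subscription stub; the documents and the second and third subscription IDs below are constructed.

```python
import re

# The azure::<ARM-resource-id> pattern from this page; capture the subscription segment.
ARM_ID = re.compile(r"^azure::/subscriptions/([^/]+)/", re.IGNORECASE)

def subscription_of(resource_id):
    """Return the lowercased subscription segment of an azure::<ARM-id>, or None."""
    m = ARM_ID.match(resource_id)
    return m.group(1).lower() if m else None

def correlate(docs):
    """Classify each resource that belongs to a subscription outside its document's scope."""
    home = {}     # lowercased resource ID -> subscription whose document owns it
    foreign = []  # (observing subscription, resource ID) for assumed stubs
    for doc in docs:
        subs = doc["metadata"]["scope"]["subscriptions"]
        scope = {s.lower() for s in subs}
        for res in doc["topology"]["resources"]:
            sub = subscription_of(res["id"])
            if sub is None:
                continue
            if sub in scope:
                # ARM IDs are case-insensitive, so index them lowercased.
                home[res["id"].lower()] = sub
            else:
                foreign.append((subs[0], res["id"]))
    return [{"seen_from": seen, "id": rid,
             "status": "resolved" if rid.lower() in home else "not-collected"}
            for seen, rid in foreign]

# Constructed sample: two collected subscriptions; SUB_C was never collected.
def sample_doc(sub, ids):
    return {"metadata": {"scope": {"subscriptions": [sub]}},
            "topology": {"resources": [{"id": i} for i in ids]}}

SUB_A = "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
SUB_B = "00000000-0000-0000-0000-00000000000b"
SUB_C = "00000000-0000-0000-0000-00000000000c"
VNET = ("azure::/subscriptions/{}/resourceGroups/network-rg"
        "/providers/Microsoft.Network/virtualNetworks/{}")
DOCS = [
    sample_doc(SUB_A, [VNET.format(SUB_A, "hub-vnet"), VNET.format(SUB_B, "spoke-vnet"),
                       VNET.format(SUB_C, "partner-vnet")]),
    sample_doc(SUB_B, [VNET.format(SUB_B, "spoke-vnet"), VNET.format(SUB_A, "hub-vnet")]),
]
```

To run it on real output, load each <SubscriptionName>.json under output/<TenantID>/<timestamp>/ with json.load and pass the list to correlate.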
Examples
Single subscription
This example collects a single subscription in our tenant and generates an OSIRIS JSON document from Microsoft Azure.
osirisjson-producer azure -S a1b2c3d4-e5f6-7890-abcd-ef1234567890
OSIRIS JSON output document (trimmed):
{
  "$schema": "https://osirisjson.org/schema/v1.0/osiris.schema.json",
  "version": "1.0.0",
  "metadata": {
    "generator": {
      "name": "osirisjson-producer-azure",
      "version": "0.1.0"
    },
    "scope": {
      "providers": ["azure"],
      "accounts": ["f1e2d3c4-b5a6-9078-fedc-ba9876543210"],
      "subscriptions": ["a1b2c3d4-e5f6-7890-abcd-ef1234567890"],
      "regions": ["westeurope"]
    }
  },
  "topology": {
    "resources": [
      {
        "id": "azure::/subscriptions/a1b2c3d4/resourceGroups/network-rg/providers/Microsoft.Network/virtualNetworks/hub-vnet",
        "type": "network.vpc",
        "name": "hub-vnet",
        "status": "active",
        "provider": {
          "name": "azure",
          "native_id": "/subscriptions/a1b2c3d4/resourceGroups/network-rg/providers/Microsoft.Network/virtualNetworks/hub-vnet",
          "type": "Microsoft.Network/virtualNetworks",
          "region": "westeurope",
          "subscription": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "tenant": "f1e2d3c4-b5a6-9078-fedc-ba9876543210"
        },
        "properties": {
          "resource_group": "network-rg",
          "address_space": ["10.0.0.0/16"],
          "dns_servers": ["10.0.0.4"]
        }
      },
      {
        "id": "azure::/subscriptions/a1b2c3d4/resourceGroups/compute-rg/providers/Microsoft.Compute/virtualMachines/web-vm-01",
        "type": "compute.vm",
        "name": "web-vm-01",
        "status": "active",
        "provider": {
          "name": "azure",
          "native_id": "/subscriptions/a1b2c3d4/resourceGroups/compute-rg/providers/Microsoft.Compute/virtualMachines/web-vm-01",
          "type": "Microsoft.Compute/virtualMachines",
          "region": "westeurope",
          "subscription": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
          "tenant": "f1e2d3c4-b5a6-9078-fedc-ba9876543210"
        },
        "properties": {
          "resource_group": "compute-rg",
          "vm_size": "Standard_D2s_v3",
          "power_state": "VM running"
        }
      }
    ],
    "connections": [
      {
        "source": "azure::/subscriptions/a1b2c3d4/.../subnets/default",
        "target": "azure::/subscriptions/a1b2c3d4/.../virtualNetworks/hub-vnet",
        "type": "contains",
        "direction": "forward"
      }
    ],
    "groups": [
      {
        "id": "azure::subscription::a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        "type": "logical.subscription",
        "name": "my-nonprod-subscription",
        "children": [
          "azure::resourcegroup::network-rg",
          "azure::resourcegroup::compute-rg"
        ]
      },
      {
        "id": "azure::resourcegroup::network-rg",
        "type": "logical.resourcegroup",
        "name": "network-rg",
        "members": [
          "azure::/subscriptions/a1b2c3d4/.../virtualNetworks/hub-vnet"
        ]
      }
    ]
  }
}