pkg/providers/azure/auth.go (1)

146-155: Clarify DefaultAzureCredential chain in logs

DefaultAzureCredential tries more sources than the message suggests (includes SharedTokenCache and, on some platforms, other dev credentials). Update the log to avoid misleading users.

- gologger.Info().Msg("DefaultAzureCredential will try: Environment → Workload Identity → Managed Identity → Azure CLI")
+ gologger.Info().Msg("DefaultAzureCredential chain: Environment → Workload Identity → Managed Identity → SharedTokenCache → Azure CLI")

pkg/providers/azure/azure.go (1)

54-60: Trim services when parsing CSV

Split entries may contain spaces (e.g., "vm, publicip"). Trim before lookup to avoid silently dropping valid services.

- for _, s := range strings.Split(ss, ",") {
-   if _, ok := supportedServicesMap[s]; ok {
+ for _, s := range strings.Split(ss, ",") {
+   s = strings.TrimSpace(s)
+   if _, ok := supportedServicesMap[s]; ok {
      services[s] = struct{}{}
    }
  }

pkg/providers/azure/vm.go (3)

127-146: Handle private IPv6 addresses

PrivateIPAddress can be IPv4 or IPv6. Currently it always populates PrivateIpv4. Use PrivateIPAddressVersion to route to the correct field.

- // Add private IP if available
- if ipConfig.Properties.PrivateIPAddress != nil {
-   resource.PrivateIpv4 = *ipConfig.Properties.PrivateIPAddress
- }
+ // Add private IP if available (respect IP version)
+ if ipConfig.Properties.PrivateIPAddress != nil {
+   if ipConfig.Properties.PrivateIPAddressVersion != nil &&
+     *ipConfig.Properties.PrivateIPAddressVersion == armnetwork.IPVersionIPv6 {
+     resource.PrivateIpv6 = *ipConfig.Properties.PrivateIPAddress
+   } else {
+     resource.PrivateIpv4 = *ipConfig.Properties.PrivateIPAddress
+   }
+ }

---

172-186: Resource ID parser is minimal; confirm scope

This parser assumes the resource name is the last segment and only extracts resource group by scanning for "resourceGroups". It works for NIC/PIP but may fail for nested child resources. If you reuse it elsewhere, consider a more robust parser or constrain usage to top-level resources.

---

37-38: Typo: fetchResouceGroups → fetchResourceGroups

Rename for clarity.

- groups, err := fetchResouceGroups(ctx, d.SubscriptionID, d.Credential)
+ groups, err := fetchResourceGroups(ctx, d.SubscriptionID, d.Credential)

-func fetchResouceGroups(ctx context.Context, subscriptionID string, credential azcore.TokenCredential) (resGrpList []string, err error) {
+func fetchResourceGroups(ctx context.Context, subscriptionID string, credential azcore.TokenCredential) (resGrpList []string, err error) {

Also applies to: 188-210

pkg/providers/azure/trafficmanager.go (1)

87-96: Reuse existing resource ID parsing

You already have parseAzureResourceID in this package. Consider reusing it to extract resource_group to avoid duplicated parsing logic and keep behavior consistent.

pkg/providers/azure/publicips.go (4)

61-75: Mark DNS resource as public

DNS names derived from Public IPs are public-facing. Set Public=true for consistency with IP resources.

 		if pip.extendedMetadata && ip.Properties.DNSSettings != nil && ip.Properties.DNSSettings.Fqdn != nil {
 			dnsResource := &schema.Resource{
 				Provider: providerName,
 				ID:       pip.id,
-				DNSName:  *ip.Properties.DNSSettings.Fqdn,
+				DNSName:  *ip.Properties.DNSSettings.Fqdn,
+				Public:   true,
 				Service:  pip.name(),
 			}

---

84-101: Improve error context and consider heavy ListAll behavior

Include subscription ID in errors for triage; ListAll across a large subscription can be heavy.

-	ipClient, err := armnetwork.NewPublicIPAddressesClient(pip.SubscriptionID, pip.Credential, nil)
+	ipClient, err := armnetwork.NewPublicIPAddressesClient(pip.SubscriptionID, pip.Credential, nil)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create public IP client: %w", err)
+		return nil, fmt.Errorf("subscription %s: failed to create public IP client: %w", pip.SubscriptionID, err)
 	}
@@
-		page, err := pager.NextPage(ctx)
+		page, err := pager.NextPage(ctx)
 		if err != nil {
-			return nil, fmt.Errorf("failed to list public IPs: %w", err)
+			return nil, fmt.Errorf("subscription %s: failed to list public IPs: %w", pip.SubscriptionID, err)
 		}

Operational note:

• For very large tenants, consider processing per page directly in GetResource (streaming) instead of materializing all IPs first, or using per‑RG List where possible. This reduces peak memory.

---

112-121: Use arm.ParseResourceID for robust resource group extraction

Manual splitting is brittle. The SDK provides a parser.

-	// Track 2: Parse resource group from ID manually (no ParseResourceID in Track 2)
-	if ip.ID != nil {
-		// Azure resource ID format: /subscriptions/{subId}/resourceGroups/{rgName}/...
-		parts := strings.Split(*ip.ID, "/")
-		for i, part := range parts {
-			if strings.EqualFold(part, "resourceGroups") && i+1 < len(parts) {
-				metadata["resource_group"] = parts[i+1]
-				break
-			}
-		}
-	}
+	if ip.ID != nil {
+		if rid, err := arm.ParseResourceID(*ip.ID); err == nil && rid.ResourceGroupName != "" {
+			metadata["resource_group"] = rid.ResourceGroupName
+		}
+	}

Add import:

 import (
@@
-	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	arm "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
 )

---

34-37: Optional: emit DNS resource even when IP is not yet assigned

Currently, continue skips DNS-only records. If you want DNS assets regardless of IP assignment, move DNS resource creation before the early continue or guard IP resource creation with a hasIP check.

Example approach (conceptual):

• Compute hasIP := ip.Properties != nil && ip.Properties.IPAddress != nil
• If pip.extendedMetadata && DNSSettings present, append dnsResource first
• Only build the IP Resource when hasIP

Also applies to: 61-75

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

pkg/providers/azure/azure.go (1)

312-321: Verify() can pass without confirming any subscriptions were returned

You check pager.More() then fetch a single page without asserting non-empty results.

Suggested approach: iterate pages until you see at least one item; error otherwise (see prior review’s diff in this file’s history).

pkg/providers/azure/functions.go (1)

41-46: Prefer DefaultHostName over formatting to avoid wrong host for sovereign clouds/slots

Use app.Properties.DefaultHostName when available; fallback to formatted name only if missing.

-		// Default hostname: <function-name>.azurewebsites.net
-		var defaultHostname string
-		if app.Name != nil {
-			defaultHostname = fmt.Sprintf("%s.azurewebsites.net", *app.Name)
-		}
+		// Default hostname: prefer DefaultHostName to support sovereign clouds/slots
+		var defaultHostname string
+		if app.Properties != nil && app.Properties.DefaultHostName != nil {
+			defaultHostname = *app.Properties.DefaultHostName
+		} else if app.Name != nil {
+			defaultHostname = fmt.Sprintf("%s.azurewebsites.net", *app.Name)
+		}

Also applies to: 52-61

pkg/providers/azure/containerapps.go (2)

155-164: Use existing parseAzureResourceID for resource group extraction

Simpler and consistent across providers.

-	// Parse resource group from ID manually
-	if app.ID != nil {
-		parts := strings.Split(*app.ID, "/")
-		for i, part := range parts {
-			if strings.EqualFold(part, "resourceGroups") && i+1 < len(parts) {
-				metadata["resource_group"] = parts[i+1]
-				break
-			}
-		}
-	}
+	// Parse resource group from ID
+	if app.ID != nil {
+		_, rg := parseAzureResourceID(*app.ID)
+		if rg != "" {
+			metadata["resource_group"] = rg
+		}
+	}

---

67-74: DRY: replace manual metadata copying with copyMetadata helper

Reduces repetition and avoids subtle aliasing mistakes.

-					if metadata != nil {
-						customResource.Metadata = make(map[string]string)
-						for k, v := range metadata {
-							customResource.Metadata[k] = v
-						}
-						customResource.Metadata["is_custom_domain"] = "true"
-					}
+					if metadata != nil {
+						customResource.Metadata = copyMetadata(metadata)
+						customResource.Metadata["is_custom_domain"] = "true"
+					}

-					if metadata != nil {
-						ipResource.Metadata = make(map[string]string)
-						for k, v := range metadata {
-							ipResource.Metadata[k] = v
-						}
-						ipResource.Metadata["ip_type"] = "outbound"
-					}
+					if metadata != nil {
+						ipResource.Metadata = copyMetadata(metadata)
+						ipResource.Metadata["ip_type"] = "outbound"
+					}

-			if metadata != nil {
-				revisionResource.Metadata = make(map[string]string)
-				for k, v := range metadata {
-					revisionResource.Metadata[k] = v
-				}
-				revisionResource.Metadata["is_revision_fqdn"] = "true"
-			}
+			if metadata != nil {
+				revisionResource.Metadata = copyMetadata(metadata)
+				revisionResource.Metadata["is_revision_fqdn"] = "true"
+			}

Also applies to: 90-97, 110-117

pkg/providers/azure/storage.go (2)

218-224: Hoist network clients out of the loop to avoid N^2 client creation

Creating clients per-PE and per-NIC is costly. Create them once.

 func (sp *storageProvider) extractPrivateEndpointIPs(ctx context.Context, account *armstorage.Account) []string {
 	var privateIPs []string
 
 	if account.Properties == nil || account.Properties.PrivateEndpointConnections == nil {
 		return privateIPs
 	}
+
+	// Create network clients once per call
+	peClient, err := armnetwork.NewPrivateEndpointsClient(sp.SubscriptionID, sp.Credential, nil)
+	if err != nil {
+		gologger.Warning().Msgf("failed to create private endpoints client: %s", err)
+		return privateIPs
+	}
+	nicClient, err := armnetwork.NewInterfacesClient(sp.SubscriptionID, sp.Credential, nil)
+	if err != nil {
+		gologger.Warning().Msgf("failed to create network interfaces client: %s", err)
+		return privateIPs
+	}
 
 	for _, peConn := range account.Properties.PrivateEndpointConnections {
 		if peConn.Properties == nil || peConn.Properties.PrivateEndpoint == nil || peConn.Properties.PrivateEndpoint.ID == nil {
 			continue
 		}
 
 		// Parse Private Endpoint resource ID
 		peName, peRG := parseAzureResourceID(*peConn.Properties.PrivateEndpoint.ID)
 		if peName == "" || peRG == "" {
 			continue
 		}
 
-		// Fetch Private Endpoint details
-		peClient, err := armnetwork.NewPrivateEndpointsClient(sp.SubscriptionID, sp.Credential, nil)
-		if err != nil {
-			gologger.Warning().Msgf("failed to create private endpoints client: %s", err)
-			continue
-		}
-
 		pe, err := peClient.Get(ctx, peRG, peName, nil)
 		if err != nil {
 			gologger.Warning().Msgf("failed to get private endpoint %s: %s", peName, err)
 			continue
 		}
 
 		// Extract private IPs from network interfaces
 		if pe.Properties != nil && pe.Properties.NetworkInterfaces != nil {
 			for _, nic := range pe.Properties.NetworkInterfaces {
 				if nic.ID == nil {
 					continue
 				}
 
 				nicName, nicRG := parseAzureResourceID(*nic.ID)
 				if nicName == "" || nicRG == "" {
 					continue
 				}
 
-				nicClient, err := armnetwork.NewInterfacesClient(sp.SubscriptionID, sp.Credential, nil)
-				if err != nil {
-					gologger.Warning().Msgf("failed to create network interfaces client: %s", err)
-					continue
-				}
-
 				nicRes, err := nicClient.Get(ctx, nicRG, nicName, nil)
 				if err != nil {
 					gologger.Warning().Msgf("failed to get network interface %s: %s", nicName, err)
 					continue
 				}

Also applies to: 236-246, 261-269

---

481-486: Avoid shadowing built-in name 'copy'

Minor readability nit.

-	copy := make(map[string]string)
-	for k, v := range metadata {
-		copy[k] = v
-	}
-	return copy
+	out := make(map[string]string)
+	for k, v := range metadata {
+		out[k] = v
+	}
+	return out

pkg/providers/azure/azure.go (1)

55-59: Trim service names when parsing options

Prevents mismatches from whitespace.

-	if ss, ok := options.GetMetadata("services"); ok {
-		for _, s := range strings.Split(ss, ",") {
-			if _, ok := supportedServicesMap[s]; ok {
-				services[s] = struct{}{}
-			}
-		}
-	}
+	if ss, ok := options.GetMetadata("services"); ok {
+		for _, raw := range strings.Split(ss, ",") {
+			s := strings.TrimSpace(raw)
+			if s == "" {
+				continue
+			}
+			if _, ok := supportedServicesMap[s]; ok {
+				services[s] = struct{}{}
+			}
+		}
+	}

pkg/providers/azure/staticwebapps.go (1)

145-149: Avoid metadata key collision with top-level Provider field.

Using metadata["provider"] for repo provider (GitHub/GitLab) is ambiguous. Prefer a distinct key.

Apply this diff:

-        // Provider (GitHub, GitLab, etc.)
-        if props.Provider != nil {
-            metadata["provider"] = *props.Provider
-        }
+        // Repository provider (GitHub, GitLab, etc.)
+        if props.Provider != nil {
+            metadata["repo_provider"] = *props.Provider
+        }

pkg/providers/azure/loadbalancer.go (2)

39-41: Verify pond v2 API usage (NewPool vs New).

pond/v2 typically uses New(maxWorkers, maxCapacity). Ensure NewPool exists in your pinned version, or switch to New to avoid build errors.

If needed, apply:

-    pool := pond.NewPool(10)
+    // maxWorkers=10, unbounded queue (0) or set a sensible capacity
+    pool := pond.New(10, 0)

---

140-144: Prune dead condition: resource.DNSName is never set on this resource.

This branch always evaluates that part to false; keep the check to IPs only.

Apply this diff:

-                if resource.PublicIPv4 != "" || resource.PublicIPv6 != "" || resource.PrivateIpv4 != "" || resource.DNSName != "" {
+                if resource.PublicIPv4 != "" || resource.PublicIPv6 != "" || resource.PrivateIpv4 != "" {
                     resources = append(resources, resource)
                 }

pkg/providers/azure/applicationgateway.go (2)

67-78: Mark public IP resources as Public.

Set Public=true when emitting a resource tied to a Public IP.

Apply this diff:

                             // Determine IP version
                             if publicIP.Properties.PublicIPAddressVersion != nil && *publicIP.Properties.PublicIPAddressVersion == armnetwork.IPVersionIPv4 {
                                 resource.PublicIPv4 = *publicIP.Properties.IPAddress
                             } else if publicIP.Properties.PublicIPAddressVersion != nil {
                                 resource.PublicIPv6 = *publicIP.Properties.IPAddress
                             } else {
                                 // Default to IPv4 if not specified
                                 resource.PublicIPv4 = *publicIP.Properties.IPAddress
                             }
+                            resource.Public = true
 
                             list.Append(resource)

---

196-205: Use existing helper to parse resource group from ID.

Prefer parseAzureResourceID for consistency and correctness.

Apply this diff:

-    // Parse resource group from ID
-    if gateway.ID != nil {
-        parts := strings.Split(*gateway.ID, "/")
-        for i, part := range parts {
-            if strings.EqualFold(part, "resourceGroups") && i+1 < len(parts) {
-                metadata["resource_group"] = parts[i+1]
-                break
-            }
-        }
-    }
+    // Parse resource group from ID
+    if gateway.ID != nil {
+        _, rg := parseAzureResourceID(*gateway.ID)
+        if rg != "" {
+            metadata["resource_group"] = rg
+        }
+    }

pkg/providers/azure/appservice.go (3)

91-94: Comment says “log warning” but no log is emitted.

Log the slot listing error and continue.

Apply this diff:

-        if err != nil {
-            // Don't fail the entire operation, just log warning
-            continue
-        }
+        if err != nil {
+            // Don't fail the entire operation, just log warning
+            gologger.Warning().Msgf("error listing deployment slots for app %s: %v", func() string { if app.Name != nil { return *app.Name }; return "(unknown)" }(), err)
+            continue
+        }

Add import if not present:

import "github.com/projectdiscovery/gologger"

---

184-193: Use helper to parse resource group from ID.

Align with other providers for consistency.

Apply this diff:

-    // Parse resource group from ID
-    if app.ID != nil {
-        parts := strings.Split(*app.ID, "/")
-        for i, part := range parts {
-            if strings.EqualFold(part, "resourceGroups") && i+1 < len(parts) {
-                metadata["resource_group"] = parts[i+1]
-                break
-            }
-        }
-    }
+    // Parse resource group from ID
+    if app.ID != nil {
+        _, rg := parseAzureResourceID(*app.ID)
+        if rg != "" {
+            metadata["resource_group"] = rg
+        }
+    }

---

214-218: Unify resource group metadata key.

Use “resource_group” (used elsewhere) instead of “resource_group_name” to avoid duplicate/confusing keys.

Apply this diff:

-        schema.AddMetadata(metadata, "resource_group_name", props.ResourceGroup)
+        schema.AddMetadata(metadata, "resource_group", props.ResourceGroup)

pkg/providers/azure/frontdoor.go (2)

101-110: Use shared resource ID parser instead of manual split

Prefer parseAzureResourceID for consistency and fewer edge cases.

-	// Track 2: Parse resource group from ID manually
-	if frontDoor.ID != nil {
-		parts := strings.Split(*frontDoor.ID, "/")
-		for i, part := range parts {
-			if strings.EqualFold(part, "resourceGroups") && i+1 < len(parts) {
-				metadata["resource_group"] = parts[i+1]
-				break
-			}
-		}
-	}
+	// Parse resource group from ID
+	if frontDoor.ID != nil {
+		_, rg := parseAzureResourceID(*frontDoor.ID)
+		if rg != "" {
+			metadata["resource_group"] = rg
+		}
+	}

---

47-51: Avoid recomputing base metadata per endpoint

getFrontDoorMetadata recomputes many Front Door-level fields for every endpoint. Precompute base metadata once per Front Door and merge endpoint-specific fields in-loop. Low-priority, but improves efficiency on tenants with many endpoints.

pkg/providers/azure/aks.go (1)

40-55: Build metadata once per cluster

You recompute getAKSMetadata twice. Compute once and reuse.

-		// Extract cluster FQDN as primary DNS resource
-		if cluster.Properties.Fqdn != nil && *cluster.Properties.Fqdn != "" {
-			var metadata map[string]string
-			if ap.extendedMetadata {
-				metadata = ap.getAKSMetadata(cluster)
-			}
+		// Precompute metadata once
+		var md map[string]string
+		if ap.extendedMetadata {
+			md = ap.getAKSMetadata(cluster)
+		}
+
+		// Extract cluster FQDN as primary DNS resource
+		if cluster.Properties.Fqdn != nil && *cluster.Properties.Fqdn != "" {
 			resource := &schema.Resource{
 				Provider: providerName,
 				ID:       ap.id,
 				DNSName:  *cluster.Properties.Fqdn,
 				Service:  ap.name(),
-				Metadata: metadata,
+				Metadata: md,
 			}
 			list.Append(resource)
 		}
 
 		// Extract private FQDN if available
 		if cluster.Properties.PrivateFQDN != nil && *cluster.Properties.PrivateFQDN != "" {
-			var metadata map[string]string
-			if ap.extendedMetadata {
-				metadata = ap.getAKSMetadata(cluster)
-			}
-
 			resource := &schema.Resource{
 				Provider: providerName,
 				ID:       ap.id,
 				DNSName:  *cluster.Properties.PrivateFQDN,
 				Service:  ap.name(),
-				Metadata: metadata,
+				Metadata: md,
 			}
 			list.Append(resource)
 		}

Also applies to: 57-72

pkg/providers/azure/containerinstances.go (3)

3-11: Import net to detect IPv4 vs IPv6

Required for proper IP family handling below.

 import (
 	"context"
 	"fmt"
+	"net"
 	"strings"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerinstance/armcontainerinstance"
 	"github.com/projectdiscovery/cloudlist/pkg/schema"
 )

---

45-58: Set PublicIPv4 vs PublicIPv6 correctly

Don’t stuff IPv6 into PublicIPv4.

-		// Extract public IP and FQDN from IPAddress
+		// Extract public IP and FQDN from IPAddress
 		if cg.Properties.IPAddress != nil {
 			// Public IP resource
-			if cg.Properties.IPAddress.IP != nil {
-				resource := &schema.Resource{
-					Provider:    providerName,
-					ID:          cip.id,
-					Public:      true,
-					Service:     cip.name(),
-					PublicIPv4:  *cg.Properties.IPAddress.IP,
-					Metadata:    metadata,
-				}
-				list.Append(resource)
-			}
+			if cg.Properties.IPAddress.IP != nil && *cg.Properties.IPAddress.IP != "" {
+				if ip := net.ParseIP(*cg.Properties.IPAddress.IP); ip != nil {
+					res := &schema.Resource{
+						Provider: providerName,
+						ID:       cip.id,
+						Public:   true,
+						Service:  cip.name(),
+						Metadata: metadata,
+					}
+					if ip.To4() != nil {
+						res.PublicIPv4 = *cg.Properties.IPAddress.IP
+					} else {
+						res.PublicIPv6 = *cg.Properties.IPAddress.IP
+					}
+					list.Append(res)
+				}
+			}

---

78-96: Set PrivateIpv4 vs PrivateIpv6 correctly

Also handle IPv6 private addresses.

-		// Extract private IPs from subnet IDs (VNet integration)
+		// Extract private IPs from subnet IDs (VNet integration)
 		if cg.Properties.SubnetIDs != nil && len(cg.Properties.SubnetIDs) > 0 {
 			// Container groups with VNet integration have private IPs
 			// The private IP is available in IPAddress even for VNet-integrated groups
 			if cg.Properties.IPAddress != nil && cg.Properties.IPAddress.IP != nil {
 				// Check if this is a private IP (VNet-integrated)
 				if cg.Properties.IPAddress.Type != nil && *cg.Properties.IPAddress.Type == armcontainerinstance.ContainerGroupIPAddressTypePrivate {
-					resource := &schema.Resource{
-						Provider:     providerName,
-						ID:           cip.id,
-						Public:       false,
-						Service:      cip.name(),
-						PrivateIpv4:  *cg.Properties.IPAddress.IP,
-						Metadata:     metadata,
-					}
-					list.Append(resource)
+					ipStr := *cg.Properties.IPAddress.IP
+					if ip := net.ParseIP(ipStr); ip != nil {
+						res := &schema.Resource{
+							Provider: providerName,
+							ID:       cip.id,
+							Public:   false,
+							Service:  cip.name(),
+							Metadata: metadata,
+						}
+						if ip.To4() != nil {
+							res.PrivateIpv4 = ipStr
+						} else {
+							res.PrivateIpv6 = ipStr
+						}
+						list.Append(res)
+					}
 				}
 			}
 		}

pkg/providers/azure/apimanagement.go (4)

199-208: Use shared resource ID parser instead of manual split

Align with other providers and reduce edge cases.

-	// Parse resource group from ID
-	if service.ID != nil {
-		parts := strings.Split(*service.ID, "/")
-		for i, part := range parts {
-			if strings.EqualFold(part, "resourceGroups") && i+1 < len(parts) {
-				metadata["resource_group"] = parts[i+1]
-				break
-			}
-		}
-	}
+	// Parse resource group from ID
+	if service.ID != nil {
+		_, rg := parseAzureResourceID(*service.ID)
+		if rg != "" {
+			metadata["resource_group"] = rg
+		}
+	}

---

121-140: Populate PublicIPv4 vs PublicIPv6 correctly

IPs may be IPv6; set the right field.

-		// Extract public IP addresses
+		// Extract public IP addresses
 		if service.Properties.PublicIPAddresses != nil {
 			for _, ip := range service.Properties.PublicIPAddresses {
 				if ip != nil {
-					resource := &schema.Resource{
-						Provider:   providerName,
-						ID:         amp.id,
-						PublicIPv4: *ip,
-						Service:    amp.name(),
-					}
-					if metadata != nil {
-						resource.Metadata = make(map[string]string)
-						for k, v := range metadata {
-							resource.Metadata[k] = v
-						}
-					}
-					list.Append(resource)
+					ipStr := *ip
+					res := &schema.Resource{
+						Provider: providerName,
+						ID:       amp.id,
+						Service:  amp.name(),
+						Public:   true,
+					}
+					if metadata != nil {
+						res.Metadata = make(map[string]string)
+						for k, v := range metadata {
+							res.Metadata[k] = v
+						}
+					}
+					if parsed := net.ParseIP(ipStr); parsed != nil {
+						if parsed.To4() != nil {
+							res.PublicIPv4 = ipStr
+						} else {
+							res.PublicIPv6 = ipStr
+						}
+					}
+					list.Append(res)
 				}
 			}
 		}

---

143-161: Populate PrivateIpv4 vs PrivateIpv6 correctly

Mirror IP family handling for private addresses.

-		// Extract private IP addresses (VNet integration)
+		// Extract private IP addresses (VNet integration)
 		if service.Properties.PrivateIPAddresses != nil {
 			for _, ip := range service.Properties.PrivateIPAddresses {
 				if ip != nil {
-					resource := &schema.Resource{
-						Provider:    providerName,
-						ID:          amp.id,
-						PrivateIpv4: *ip,
-						Service:     amp.name(),
-					}
-					if metadata != nil {
-						resource.Metadata = make(map[string]string)
-						for k, v := range metadata {
-							resource.Metadata[k] = v
-						}
-					}
-					list.Append(resource)
+					ipStr := *ip
+					res := &schema.Resource{
+						Provider: providerName,
+						ID:       amp.id,
+						Service:  amp.name(),
+						Public:   false,
+					}
+					if metadata != nil {
+						res.Metadata = make(map[string]string)
+						for k, v := range metadata {
+							res.Metadata[k] = v
+						}
+					}
+					if parsed := net.ParseIP(ipStr); parsed != nil {
+						if parsed.To4() != nil {
+							res.PrivateIpv4 = ipStr
+						} else {
+							res.PrivateIpv6 = ipStr
+						}
+					}
+					list.Append(res)
 				}
 			}
 		}

---

97-120: Set hostname_type even when extended metadata is off

Currently gated by metadata != nil. Always populate hostname_type on these resources.

-					resource := &schema.Resource{
+					resource := &schema.Resource{
 						Provider: providerName,
 						ID:       amp.id,
 						DNSName:  *hostnameConfig.HostName,
 						Service:  amp.name(),
 					}
-					if metadata != nil {
-						resource.Metadata = make(map[string]string)
-						for k, v := range metadata {
-							resource.Metadata[k] = v
-						}
-						if hostnameConfig.Type != nil {
-							resource.Metadata["hostname_type"] = string(*hostnameConfig.Type)
-						}
-					}
+					md := map[string]string{}
+					if metadata != nil {
+						for k, v := range metadata {
+							md[k] = v
+						}
+					}
+					if hostnameConfig.Type != nil {
+						md["hostname_type"] = string(*hostnameConfig.Type)
+					}
+					if len(md) > 0 {
+						resource.Metadata = md
+					}
 					list.Append(resource)

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

pkg/providers/azure/azure.go (1)

312-325: Verify() may pass with zero subscriptions (use page iteration)

Same concern as previously flagged; switch to iterating pages and ensure at least one item exists.

 func (p *Provider) Verify(ctx context.Context) error {
-  // Simple verification: try to create a subscriptions client and list one subscription
+  // Simple verification: ensure at least one subscription exists
   subsClient, err := armsubscriptions.NewClient(p.Credential, nil)
   if err != nil {
     return fmt.Errorf("failed to create subscriptions client: %w", err)
   }
-  // Try to list at least one subscription
-  pager := subsClient.NewListPager(nil)
-  if !pager.More() {
-    return fmt.Errorf("no subscriptions found with provided credentials")
-  }
-  _, err = pager.NextPage(ctx)
-  if err != nil {
-    return fmt.Errorf("failed to verify Azure credentials: %w", err)
-  }
+  pager := subsClient.NewListPager(nil)
+  found := false
+  for pager.More() {
+    page, err := pager.NextPage(ctx)
+    if err != nil {
+      return fmt.Errorf("failed to verify Azure credentials: %w", err)
+    }
+    if len(page.Value) > 0 {
+      found = true
+      break
+    }
+  }
+  if !found {
+    return fmt.Errorf("no subscriptions found with provided credentials")
+  }
   gologger.Info().Msg("Azure credentials verified successfully")
   return nil
 }

pkg/providers/azure/appservice.go (2)

77-82: Consider extracting metadata copy logic to a helper function.

The manual map copy pattern (lines 77-82) is repeated in the codebase. While correct, extracting this into a helper like copyMetadata(src map[string]string) map[string]string would reduce duplication and cognitive load.

Example helper that could be added to a shared utils file or the azure package:

func copyMetadata(src map[string]string) map[string]string {
	if src == nil {
		return nil
	}
	dst := make(map[string]string, len(src))
	for k, v := range src {
		dst[k] = v
	}
	return dst
}

Then use it as:

-				if metadata != nil {
-					customResource.Metadata = make(map[string]string)
-					for k, v := range metadata {
-						customResource.Metadata[k] = v
-					}
+				if metadata != nil {
+					customResource.Metadata = copyMetadata(metadata)
 					customResource.Metadata["is_custom_domain"] = "true"
 				}

---

163-165: Clarify the error handling comment.

The comment "might not have slots" is slightly misleading, as errors here could also indicate permission issues, network failures, or API errors—not just the absence of slots. Consider rephrasing for accuracy.

-			// Don't fail if slots listing fails (might not have slots)
+			// Don't fail if slots listing fails (may have no slots or encounter API errors)
 			return nil, nil

pkg/providers/azure/cdn.go (1)

156-165: Optional: use the shared resource ID parser instead of manual split.

You already depend on parseAzureResourceID. Prefer reusing it for resource_group extraction to reduce duplication.

pkg/providers/azure/apimanagement.go (1)

349-366: Harden URL parsing using net/url.

Manual string ops miss cases (upper-case schemes, no scheme, ports). Use net/url and add a fallback for schemeless inputs.

Apply this diff:

-func extractDNSFromURL(url string) string {
-    // Remove protocol prefix (https://, http://)
-    url = strings.TrimPrefix(url, "https://")
-    url = strings.TrimPrefix(url, "http://")
-
-    // Remove path and query string
-    if idx := strings.Index(url, "/"); idx > 0 {
-        url = url[:idx]
-    }
-
-    // Remove port
-    if idx := strings.Index(url, ":"); idx > 0 {
-        url = url[:idx]
-    }
-
-    return url
-}
+func extractDNSFromURL(raw string) string {
+    u, err := url.Parse(raw)
+    if err != nil || u.Host == "" {
+        // Fallback for schemeless inputs
+        if !strings.Contains(raw, "://") {
+            u2, err2 := url.Parse("https://" + raw)
+            if err2 == nil && u2.Host != "" {
+                return u2.Hostname()
+            }
+        }
+        return ""
+    }
+    return u.Hostname()
+}

Add import:

import "net/url"

pkg/providers/azure/loadbalancer.go (2)

104-111: Be explicit when detecting IPv6.

Current else-if treats any non-IPv4 version as IPv6. Prefer explicit check for IPv6 to avoid misclassification on unexpected values.

Apply this diff:

-                            if publicIP.Properties.PublicIPAddressVersion != nil && *publicIP.Properties.PublicIPAddressVersion == armnetwork.IPVersionIPv4 {
-                                resource.PublicIPv4 = *publicIP.Properties.IPAddress
-                            } else if publicIP.Properties.PublicIPAddressVersion != nil {
-                                resource.PublicIPv6 = *publicIP.Properties.IPAddress
-                            } else {
+                            if publicIP.Properties.PublicIPAddressVersion != nil && *publicIP.Properties.PublicIPAddressVersion == armnetwork.IPVersionIPv4 {
+                                resource.PublicIPv4 = *publicIP.Properties.IPAddress
+                            } else if publicIP.Properties.PublicIPAddressVersion != nil && *publicIP.Properties.PublicIPAddressVersion == armnetwork.IPVersionIPv6 {
+                                resource.PublicIPv6 = *publicIP.Properties.IPAddress
+                            } else {
                                 // Default to IPv4 if not specified
                                 resource.PublicIPv4 = *publicIP.Properties.IPAddress
                             }

---

33-36: Rename fetchResouceGroups to fetchResourceGroups: the helper is defined and referenced with the missing ‘r’; updating the function name and all its calls will correct the spelling and improve clarity.

pkg/providers/azure/applicationgateway.go (1)

116-121: Optional: avoid recomputing metadata.

You already computed metadata per gateway above; reuse it here to avoid duplicate calls.

pkg/providers/azure/storage.go (3)

218-285: Avoid per-item client creation; instantiate network clients once

Creating armnetwork clients inside the loop is wasteful and increases API/token churn. Create them once per call and reuse.

 func (sp *storageProvider) extractPrivateEndpointIPs(ctx context.Context, account *armstorage.Account) []string {
   var privateIPs []string

   if account.Properties == nil || account.Properties.PrivateEndpointConnections == nil {
     return privateIPs
   }

+  // Create clients once
+  peClient, err := armnetwork.NewPrivateEndpointsClient(sp.SubscriptionID, sp.Credential, nil)
+  if err != nil {
+    gologger.Warning().Msgf("failed to create private endpoints client: %s", err)
+    return privateIPs
+  }
+  nicClient, err := armnetwork.NewInterfacesClient(sp.SubscriptionID, sp.Credential, nil)
+  if err != nil {
+    gologger.Warning().Msgf("failed to create network interfaces client: %s", err)
+    return privateIPs
+  }
+
   for _, peConn := range account.Properties.PrivateEndpointConnections {
     if peConn.Properties == nil || peConn.Properties.PrivateEndpoint == nil || peConn.Properties.PrivateEndpoint.ID == nil {
       continue
     }

     // Parse Private Endpoint resource ID
     peName, peRG := parseAzureResourceID(*peConn.Properties.PrivateEndpoint.ID)
     if peName == "" || peRG == "" {
       continue
     }

-    // Fetch Private Endpoint details
-    peClient, err := armnetwork.NewPrivateEndpointsClient(sp.SubscriptionID, sp.Credential, nil)
-    if err != nil {
-      gologger.Warning().Msgf("failed to create private endpoints client: %s", err)
-      continue
-    }
-
-    pe, err := peClient.Get(ctx, peRG, peName, nil)
+    // Fetch Private Endpoint details
+    pe, err := peClient.Get(ctx, peRG, peName, nil)
     if err != nil {
       gologger.Warning().Msgf("failed to get private endpoint %s: %s", peName, err)
       continue
     }

     // Extract private IPs from network interfaces
-    if pe.Properties != nil && pe.Properties.NetworkInterfaces != nil {
-      for _, nic := range pe.Properties.NetworkInterfaces {
+    if pe.Properties != nil && pe.Properties.NetworkInterfaces != nil {
+      for _, nic := range pe.Properties.NetworkInterfaces {
         if nic.ID == nil {
           continue
         }

         nicName, nicRG := parseAzureResourceID(*nic.ID)
         if nicName == "" || nicRG == "" {
           continue
         }

-        nicClient, err := armnetwork.NewInterfacesClient(sp.SubscriptionID, sp.Credential, nil)
-        if err != nil {
-          gologger.Warning().Msgf("failed to create network interfaces client: %s", err)
-          continue
-        }
-
-        nicRes, err := nicClient.Get(ctx, nicRG, nicName, nil)
+        nicRes, err := nicClient.Get(ctx, nicRG, nicName, nil)
         if err != nil {
           gologger.Warning().Msgf("failed to get network interface %s: %s", nicName, err)
           continue
         }

         if nicRes.Properties != nil && nicRes.Properties.IPConfigurations != nil {
           for _, ipConfig := range nicRes.Properties.IPConfigurations {
             if ipConfig.Properties != nil && ipConfig.Properties.PrivateIPAddress != nil {
               privateIPs = append(privateIPs, *ipConfig.Properties.PrivateIPAddress)
             }
           }
         }
       }
     }
   }
   return privateIPs
 }

---

297-306: Use existing resource ID parser for resource group extraction

You already have parseAzureResourceID elsewhere. Reuse it for consistency and less brittle parsing.

- // Parse resource group from ID
- if account.ID != nil {
-   parts := strings.Split(*account.ID, "/")
-   for i, part := range parts {
-     if strings.EqualFold(part, "resourceGroups") && i+1 < len(parts) {
-       metadata["resource_group"] = parts[i+1]
-       break
-     }
-   }
- }
+ // Parse resource group from ID
+ if account.ID != nil {
+   _, rg := parseAzureResourceID(*account.ID)
+   if rg != "" {
+     metadata["resource_group"] = rg
+   }
+ }

---

461-473: Prefer net/url for robust host extraction (optional)

Manual string trimming can miss edge cases (ports, credentials, queries). net/url.Parse is safer.

-// extractHostFromURL extracts the hostname from a URL (removes https:// and trailing /)
-func extractHostFromURL(urlStr string) string {
-  // Remove protocol
-  urlStr = strings.TrimPrefix(urlStr, "https://")
-  urlStr = strings.TrimPrefix(urlStr, "http://")
-
-  // Remove trailing slash and path
-  if idx := strings.Index(urlStr, "/"); idx != -1 {
-    urlStr = urlStr[:idx]
-  }
-  return strings.TrimSpace(urlStr)
-}
+// extractHostFromURL extracts the hostname from a URL
+func extractHostFromURL(u string) string {
+  if u == "" {
+    return ""
+  }
+  if !strings.HasPrefix(u, "http") {
+    u = "https://" + u
+  }
+  parsed, err := url.Parse(u)
+  if err != nil {
+    return strings.TrimSpace(u)
+  }
+  return parsed.Hostname()
+}

pkg/providers/azure/azure.go (1)

54-59: Normalize user-specified services (trim/lowercase) to avoid mismatches

Prevents subtle config issues like " VM " or "DNS".

 if ss, ok := options.GetMetadata("services"); ok {
   for _, s := range strings.Split(ss, ",") {
-    if _, ok := supportedServicesMap[s]; ok {
+    svc := strings.ToLower(strings.TrimSpace(s))
+    if _, ok := supportedServicesMap[svc]; ok {
-      services[s] = struct{}{}
+      services[svc] = struct{}{}
     }
   }
 }

pkg/providers/azure/containerapps.go (3)

67-75: Use package-level copyMetadata helper instead of manual loops

Simpler and consistent.

-          if metadata != nil {
-            customResource.Metadata = make(map[string]string)
-            for k, v := range metadata {
-              customResource.Metadata[k] = v
-            }
-            customResource.Metadata["is_custom_domain"] = "true"
-          }
+          if metadata != nil {
+            customResource.Metadata = copyMetadata(metadata)
+            customResource.Metadata["is_custom_domain"] = "true"
+          }

---

90-97: Use copyMetadata for IP resource metadata cloning

Avoid manual map copy.

-          if metadata != nil {
-            ipResource.Metadata = make(map[string]string)
-            for k, v := range metadata {
-              ipResource.Metadata[k] = v
-            }
-            ipResource.Metadata["ip_type"] = "outbound"
-          }
+          if metadata != nil {
+            ipResource.Metadata = copyMetadata(metadata)
+            ipResource.Metadata["ip_type"] = "outbound"
+          }

---

110-116: Use copyMetadata for revision resource metadata cloning

Consistent helper usage.

-      if metadata != nil {
-        revisionResource.Metadata = make(map[string]string)
-        for k, v := range metadata {
-          revisionResource.Metadata[k] = v
-        }
-        revisionResource.Metadata["is_revision_fqdn"] = "true"
-      }
+      if metadata != nil {
+        revisionResource.Metadata = copyMetadata(metadata)
+        revisionResource.Metadata["is_revision_fqdn"] = "true"
+      }

pkg/providers/azure/dns.go (1)

79-81: Prefer recordSet.Properties.Fqdn when available; fallback to composed FQDN

Azure returns the canonical FQDN; composing can be error-prone for edge cases.

-            // Build FQDN: <record-name>.<zone-name>
-            fqdn := buildFQDN(*recordSet.Name, *zone.Name)
+            // Prefer canonical FQDN if provided; fallback to composed
+            var fqdn string
+            if recordSet.Properties != nil && recordSet.Properties.Fqdn != nil && *recordSet.Properties.Fqdn != "" {
+              fqdn = *recordSet.Properties.Fqdn
+            } else {
+              fqdn = buildFQDN(*recordSet.Name, *zone.Name)
+            }

-            fqdn := buildFQDN(*recordSet.Name, *zone.Name)
+            var fqdn string
+            if recordSet.Properties != nil && recordSet.Properties.Fqdn != nil && *recordSet.Properties.Fqdn != "" {
+              fqdn = *recordSet.Properties.Fqdn
+            } else {
+              fqdn = buildFQDN(*recordSet.Name, *zone.Name)
+            }

-          fqdn := buildFQDN(*recordSet.Name, *zone.Name)
+          var fqdn string
+          if recordSet.Properties != nil && recordSet.Properties.Fqdn != nil && *recordSet.Properties.Fqdn != "" {
+            fqdn = *recordSet.Properties.Fqdn
+          } else {
+            fqdn = buildFQDN(*recordSet.Name, *zone.Name)
+          }

Also applies to: 107-109, 130-132

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

pkg/providers/azure/azure.go (1)

297-323: Verify() fix is correct

Now fetches pages and asserts at least one subscription exists before success. Good.

pkg/providers/azure/apimanagement.go (1)

46-55: Guard against empty DNS from GatewayURL

extractDNSFromURL can return "", which would append an invalid resource. Add the same guard you use for Portal/Management URLs.

Apply this diff:

-    if service.Properties.GatewayURL != nil {
-      resource := &schema.Resource{
-        Provider: providerName,
-        ID:       amp.id,
-        DNSName:  extractDNSFromURL(*service.Properties.GatewayURL),
-        Service:  amp.name(),
-        Metadata: metadata,
-      }
-      list.Append(resource)
-    }
+    if service.Properties.GatewayURL != nil {
+      gwDNS := extractDNSFromURL(*service.Properties.GatewayURL)
+      if gwDNS != "" {
+        resource := &schema.Resource{
+          Provider: providerName,
+          ID:       amp.id,
+          DNSName:  gwDNS,
+          Service:  amp.name(),
+          Metadata: metadata,
+        }
+        list.Append(resource)
+      }
+    }

pkg/providers/azure/appservice.go (3)

90-94: Log the deployment slot fetch error before continuing.

As noted in a previous review, the error from fetchDeploymentSlots is silently suppressed. While it's appropriate not to fail the entire operation, the error should be logged for observability.

Apply this diff to add error logging:

 		// Extract deployment slot hostnames
 		slots, err := asp.fetchDeploymentSlots(ctx, app)
 		if err != nil {
-			// Don't fail the entire operation, just log warning
+			gologger.Warning().Msgf("failed to fetch deployment slots for app %v: %v", ptrStringValue(app.Name), err)
 			continue
 		}

---

185-193: Use the parseAzureResourceID helper to extract resource group.

As noted in a previous review, this manual string parsing duplicates the logic of parseAzureResourceID used elsewhere in this file (line 146). Using the helper reduces code duplication and ensures consistent parsing.

Apply this diff:

 	// Parse resource group from ID
 	if app.ID != nil {
-		parts := strings.Split(*app.ID, "/")
-		for i, part := range parts {
-			if strings.EqualFold(part, "resourceGroups") && i+1 < len(parts) {
-				metadata["resource_group"] = parts[i+1]
-				break
-			}
-		}
+		_, resourceGroup := parseAzureResourceID(*app.ID)
+		if resourceGroup != "" {
+			metadata["resource_group"] = resourceGroup
+		}
 	}

---

324-332: Use the parseAzureResourceID helper to extract resource group.

As noted in a previous review, this manual string parsing duplicates the logic of parseAzureResourceID. This is the second occurrence of the same duplication (also at lines 185-193).

Apply this diff:

 	// Parse resource group from ID
 	if slot.ID != nil {
-		parts := strings.Split(*slot.ID, "/")
-		for i, part := range parts {
-			if strings.EqualFold(part, "resourceGroups") && i+1 < len(parts) {
-				metadata["resource_group"] = parts[i+1]
-				break
-			}
-		}
+		_, resourceGroup := parseAzureResourceID(*slot.ID)
+		if resourceGroup != "" {
+			metadata["resource_group"] = resourceGroup
+		}
 	}

pkg/providers/azure/dns.go (3)

65-141: Consider logging skipped record types.

The implementation currently handles only A, AAAA, and CNAME records. Other DNS record types (MX, TXT, NS, SOA, SRV, etc.) are silently ignored. Consider adding a default case to log when record types are skipped to aid debugging and help users understand which records are enumerated.

Apply this diff to add logging for unhandled record types:

 			}
 		}
 	}
+	default:
+		// Log unsupported record types for debugging
+		gologger.Debug().Msgf("Skipping unsupported DNS record type: %s for record %s in zone %s", recordType, *recordSet.Name, *zone.Name)
 	}
 }

---

148-188: LGTM! Track 2 pager pattern correctly implemented.

Both fetchDNSZones and fetchRecordSets correctly use the Track 2 SDK pager pattern with proper error handling and context propagation.

For large DNS deployments, consider pre-allocating slices to reduce reallocations:

 func (dp *dnsProvider) fetchDNSZones(ctx context.Context) ([]*armdns.Zone, error) {
 	client, err := armdns.NewZonesClient(dp.SubscriptionID, dp.Credential, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create DNS zones client: %w", err)
 	}
 
-	var zones []*armdns.Zone
+	zones := make([]*armdns.Zone, 0, 32) // Pre-allocate with reasonable capacity
 	pager := client.NewListPager(nil)

Similarly for fetchRecordSets:

-	var recordSets []*armdns.RecordSet
+	recordSets := make([]*armdns.RecordSet, 0, 64)

---

201-209: Reduce code duplication in resource group parsing.

This manual resource group parsing duplicates the logic from lines 41-46 where parseAzureResourceID is called. Use the same helper function for consistency and maintainability.

Apply this diff to use the helper function:

 	// Parse resource group from zone ID
 	if zone.ID != nil {
-		parts := strings.Split(*zone.ID, "/")
-		for i, part := range parts {
-			if strings.EqualFold(part, "resourceGroups") && i+1 < len(parts) {
-				metadata["resource_group"] = parts[i+1]
-				break
-			}
-		}
+		_, resourceGroup := parseAzureResourceID(*zone.ID)
+		if resourceGroup != "" {
+			metadata["resource_group"] = resourceGroup
+		}
 	}

pkg/providers/azure/vm.go (3)

139-146: Consider explicit IPv6 check for clarity.

The else-if condition on line 141 assigns any non-IPv4 version to PublicIPv6 without explicitly verifying it's IPVersionIPv6. While Azure only supports IPv4/IPv6 in practice, an explicit check improves code clarity and guards against unexpected enum values.

Apply this diff to make the IPv6 check explicit:

-		} else if publicIP.Properties.PublicIPAddressVersion != nil {
-			resource.PublicIPv6 = *publicIP.Properties.IPAddress
+		} else if publicIP.Properties.PublicIPAddressVersion != nil && *publicIP.Properties.PublicIPAddressVersion == armnetwork.IPVersionIPv6 {
+			resource.PublicIPv6 = *publicIP.Properties.IPAddress
+		} else if publicIP.Properties.PublicIPAddressVersion != nil {
+			// Unexpected IP version, log and default to IPv4
+			gologger.Warning().Msgf("unexpected IP version: %v, defaulting to IPv4", *publicIP.Properties.PublicIPAddressVersion)
+			resource.PublicIPv4 = *publicIP.Properties.IPAddress
 		} else {

---

174-186: Document assumptions for resource ID parsing.

The parser assumes standard Azure resource ID format and uses case-insensitive matching for "resourceGroups". While this works for typical scenarios, documenting the expected format and limitations would help maintainability.

Consider adding a more detailed comment:

 // parseAzureResourceID parses an Azure resource ID and returns the resource name and resource group
 // Azure resource ID format: /subscriptions/{subId}/resourceGroups/{rgName}/providers/{provider}/{type}/{name}
+// Note: This parser handles standard ARM resource IDs. It may not work for non-standard formats
+// (e.g., classic resources, cross-tenant references, or malformed IDs).
+// Returns empty strings if resourceGroups segment or resource name cannot be extracted.
 func parseAzureResourceID(resourceID string) (resourceName, resourceGroup string) {

---

87-92: Use Azure SDK’s built-in parser or harden parseAzureResourceID for edge cases
Replace the custom split-and-fold logic with arm.ParseResourceID (from azcore/arm) or extend your manual parser to explicitly validate nested resource segments, trailing slashes, and malformed IDs.

pkg/providers/azure/azure.go (1)

52-58: Trim service names when parsing the CSV list

Currently, "vm, dns" (with spaces) won’t match; trim each token before lookup.

Apply this diff:

-    for _, s := range strings.Split(ss, ",") {
-      if _, ok := supportedServicesMap[s]; ok {
+    for _, raw := range strings.Split(ss, ",") {
+      s := strings.TrimSpace(raw)
+      if _, ok := supportedServicesMap[s]; ok {
         services[s] = struct{}{}
       }
     }

pkg/providers/azure/cdn.go (2)

156-165: Avoid duplicate Resource ID parsing logic

getCDNMetadata re-implements resource_group extraction; reuse parseAzureResourceID for consistency and single source of truth.

---

1-200: Centralize resource ID parsing in getCDNMetadata
In pkg/providers/azure/cdn.go:getCDNMetadata, replace the manual strings.Split logic for extracting "resource_group" with a call to parseAzureResourceID(*profile.ID) to reuse the existing helper and eliminate duplication.

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

pkg/providers/azure/aks.go (1)

74-103: Remove dead scaffolding loop/comments

This loop does nothing (continues immediately) and the following comment block adds noise. Please delete.

-    // Extract LoadBalancer IPs from agent pools
-    if cluster.Properties.AgentPoolProfiles != nil {
-      for _, pool := range cluster.Properties.AgentPoolProfiles {
-        if pool.Name == nil {
-          continue
-        }
-
-        // Get public IPs from node resource group if available
-        // Note: LoadBalancer IPs are in the managed node resource group
-        // This requires additional API calls to the network resource provider
-        // We'll extract what's available from the cluster properties directly
-
-        // Extract node pool metadata if extended metadata is enabled
-        if ap.extendedMetadata {
-          // Node pools don't have direct IP exposure in the cluster object
-          // IPs are managed by Azure in the node resource group
-          continue
-        }
-      }
-    }
-
-    // Extract network profile information for potential IPs
-    // Note: LoadBalancer outbound IPs are in the managed infrastructure
-    // These are not directly exposed in the cluster API response
-    // To get LoadBalancer service IPs, we would need to:
-    // 1. Connect to the Kubernetes API using the cluster credentials
-    // 2. List services with type=LoadBalancer
-    // 3. Extract their external IPs
-    // This is beyond the scope of Azure Resource Manager API

pkg/providers/azure/storage.go (1)

236-279: Fix Track 2 Get() response handling and avoid per-iteration client creation

You’re treating Get() results as the resource and creating clients inside the loop. Track 2 returns response-wrapper types; also instantiate clients once per call.

Apply this consolidated diff:

@@
 func (sp *storageProvider) extractPrivateEndpointIPs(ctx context.Context, account *armstorage.Account) []string {
   var privateIPs []string
 
   if account.Properties == nil || account.Properties.PrivateEndpointConnections == nil {
     return privateIPs
   }
 
+  // Create clients once
+  peClient, err := armnetwork.NewPrivateEndpointsClient(sp.SubscriptionID, sp.Credential, nil)
+  if err != nil {
+    gologger.Warning().Msgf("failed to create private endpoints client: %s", err)
+    return privateIPs
+  }
+  nicClient, err := armnetwork.NewInterfacesClient(sp.SubscriptionID, sp.Credential, nil)
+  if err != nil {
+    gologger.Warning().Msgf("failed to create network interfaces client: %s", err)
+    return privateIPs
+  }
+
   for _, peConn := range account.Properties.PrivateEndpointConnections {
     if peConn.Properties == nil || peConn.Properties.PrivateEndpoint == nil || peConn.Properties.PrivateEndpoint.ID == nil {
       continue
     }
@@
-    // Fetch Private Endpoint details
-    peClient, err := armnetwork.NewPrivateEndpointsClient(sp.SubscriptionID, sp.Credential, nil)
-    if err != nil {
-      gologger.Warning().Msgf("failed to create private endpoints client: %s", err)
-      continue
-    }
-
-    pe, err := peClient.Get(ctx, peRG, peName, nil)
+    // Fetch Private Endpoint details
+    peResp, err := peClient.Get(ctx, peRG, peName, nil)
     if err != nil {
       gologger.Warning().Msgf("failed to get private endpoint %s: %s", peName, err)
       continue
     }
 
     // Extract private IPs from network interfaces
-    if pe.Properties != nil && pe.Properties.NetworkInterfaces != nil {
-      for _, nic := range pe.Properties.NetworkInterfaces {
+    if peResp.PrivateEndpoint != nil && peResp.PrivateEndpoint.Properties != nil && peResp.PrivateEndpoint.Properties.NetworkInterfaces != nil {
+      for _, nic := range peResp.PrivateEndpoint.Properties.NetworkInterfaces {
         if nic.ID == nil {
           continue
         }
@@
-        nicClient, err := armnetwork.NewInterfacesClient(sp.SubscriptionID, sp.Credential, nil)
-        if err != nil {
-          gologger.Warning().Msgf("failed to create network interfaces client: %s", err)
-          continue
-        }
-
-        nicRes, err := nicClient.Get(ctx, nicRG, nicName, nil)
+        nicResp, err := nicClient.Get(ctx, nicRG, nicName, nil)
         if err != nil {
           gologger.Warning().Msgf("failed to get network interface %s: %s", nicName, err)
           continue
         }
 
-        if nicRes.Properties != nil && nicRes.Properties.IPConfigurations != nil {
-          for _, ipConfig := range nicRes.Properties.IPConfigurations {
+        if nicResp.Interface != nil && nicResp.Interface.Properties != nil && nicResp.Interface.Properties.IPConfigurations != nil {
+          for _, ipConfig := range nicResp.Interface.Properties.IPConfigurations {
             if ipConfig.Properties != nil && ipConfig.Properties.PrivateIPAddress != nil {
               privateIPs = append(privateIPs, *ipConfig.Properties.PrivateIPAddress)
             }
           }
         }
       }
     }
   }
 
   return privateIPs
 }

pkg/providers/azure/loadbalancer.go (1)

90-93: Private IP assigned without version check.

The private IP address is unconditionally assigned to PrivateIpv4 without checking frontendIPConfig.Properties.PrivateIPAddressVersion. If the frontend uses IPv6, this will incorrectly populate the IPv4 field. The public IP handling at lines 104-111 correctly checks the version—apply the same pattern here.

Apply this diff to add IP version checking:

 				// Extract private IP (available for both public and internal LBs)
 				if frontendIPConfig.Properties.PrivateIPAddress != nil {
-					resource.PrivateIpv4 = *frontendIPConfig.Properties.PrivateIPAddress
+					if frontendIPConfig.Properties.PrivateIPAddressVersion != nil && *frontendIPConfig.Properties.PrivateIPAddressVersion == armnetwork.IPVersionIPv6 {
+						resource.PrivateIpv6 = *frontendIPConfig.Properties.PrivateIPAddress
+					} else {
+						// Default to IPv4 if not specified
+						resource.PrivateIpv4 = *frontendIPConfig.Properties.PrivateIPAddress
+					}
 				}

pkg/providers/azure/storage.go (1)

461-473: Use url.Parse for robust host extraction

Safer and simpler with net/url; handles schemes, paths, and ports.

+import "net/url"
@@
 func extractHostFromURL(urlStr string) string {
-  // Remove protocol
-  urlStr = strings.TrimPrefix(urlStr, "https://")
-  urlStr = strings.TrimPrefix(urlStr, "http://")
-
-  // Remove trailing slash and path
-  if idx := strings.Index(urlStr, "/"); idx != -1 {
-    urlStr = urlStr[:idx]
-  }
-
-  return strings.TrimSpace(urlStr)
+  u, err := url.Parse(urlStr)
+  if err != nil {
+    return strings.TrimSpace(urlStr)
+  }
+  return strings.TrimSpace(u.Hostname())
 }

pkg/providers/azure/publicips.go (1)

70-84: Emit FQDN resources regardless of extendedMetadata

Currently DNS FQDN emission is gated by extendedMetadata, unlike other providers where hostnames are always emitted.

-    if pip.extendedMetadata && ip.Properties.DNSSettings != nil && ip.Properties.DNSSettings.Fqdn != nil {
+    if ip.Properties.DNSSettings != nil && ip.Properties.DNSSettings.Fqdn != nil && *ip.Properties.DNSSettings.Fqdn != "" {
       dnsResource := &schema.Resource{
         Provider: providerName,
         ID:       pip.id,
         DNSName:  *ip.Properties.DNSSettings.Fqdn,
         Service:  pip.name(),
       }
-      if metadata != nil {
+      if metadata != nil {
         dnsResource.Metadata = make(map[string]string)
         for k, v := range metadata {
           dnsResource.Metadata[k] = v
         }
       }
       list.Append(dnsResource)
     }

Would you like this applied to align with CDN/app gateway/staticwebapps behavior mentioned in the PR?

pkg/providers/azure/dns.go (2)

200-209: Prefer arm.ParseResourceID over manual string split

Use the SDK helper for correctness across ID shapes.

+import "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
@@
-  if zone.ID != nil {
-    parts := strings.Split(*zone.ID, "/")
-    for i, part := range parts {
-      if strings.EqualFold(part, "resourceGroups") && i+1 < len(parts) {
-        metadata["resource_group"] = parts[i+1]
-        break
-      }
-    }
-  }
+  if zone.ID != nil {
+    if rid, err := arm.ParseResourceID(*zone.ID); err == nil && rid.ResourceGroupName != "" {
+      metadata["resource_group"] = rid.ResourceGroupName
+    }
+  }

Also consider applying the same in GetResource (Lines 41-47).

---

65-141: Broaden record type coverage (TXT, MX, NS, SRV) later

Non-blocking: support additional types commonly used in zones.

pkg/providers/azure/azure.go (1)

297-322: Add success log after verification.

The verification logic is now correct and properly checks for at least one subscription. Consider adding a success log message after verification completes to confirm to users that their credentials are valid.

Apply this diff to add the log message:

 	if !found {
 		return fmt.Errorf("no subscriptions found with provided credentials")
 	}
 
+	gologger.Info().Msg("Azure credentials verified successfully")
 	return nil
 }

pkg/providers/azure/vm.go (1)

139-146: Tighten IP version check for IPv6.

Line 141 checks only for non-nil PublicIPAddressVersion without verifying it equals armnetwork.IPVersionIPv6. This means any future or unknown IP version would be treated as IPv6. Consider explicitly checking for IPv6 to make the logic more robust.

Apply this diff to tighten the check:

 				// Track 2: Check IP version
 				if publicIP.Properties.PublicIPAddressVersion != nil && *publicIP.Properties.PublicIPAddressVersion == armnetwork.IPVersionIPv4 {
 					resource.PublicIPv4 = *publicIP.Properties.IPAddress
-				} else if publicIP.Properties.PublicIPAddressVersion != nil {
+				} else if publicIP.Properties.PublicIPAddressVersion != nil && *publicIP.Properties.PublicIPAddressVersion == armnetwork.IPVersionIPv6 {
 					resource.PublicIPv6 = *publicIP.Properties.IPAddress
 				} else {
 					// Default to IPv4 if not specified
 					resource.PublicIPv4 = *publicIP.Properties.IPAddress
 				}

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

pkg/providers/azure/storage.go (1)

243-251: Fix Track 2 Get() response wrapper usage (compilation/logic bug).

armnetwork clients return response wrappers. Use resp.PrivateEndpoint and resp.Interface before accessing Properties; current code dereferences Properties on the wrapper itself.

Apply this diff:

-		pe, err := peClient.Get(ctx, peRG, peName, nil)
+		peResp, err := peClient.Get(ctx, peRG, peName, nil)
 		if err != nil {
 			gologger.Warning().Msgf("failed to get private endpoint %s: %s", peName, err)
 			continue
 		}

-		// Extract private IPs from network interfaces
-		if pe.Properties != nil && pe.Properties.NetworkInterfaces != nil {
-			for _, nic := range pe.Properties.NetworkInterfaces {
+		// Extract private IPs from network interfaces
+		if peResp.PrivateEndpoint != nil && peResp.PrivateEndpoint.Properties != nil && peResp.PrivateEndpoint.Properties.NetworkInterfaces != nil {
+			for _, nic := range peResp.PrivateEndpoint.Properties.NetworkInterfaces {
 				if nic.ID == nil {
 					continue
 				}
@@
-				nicRes, err := nicClient.Get(ctx, nicRG, nicName, nil)
+				nicResp, err := nicClient.Get(ctx, nicRG, nicName, nil)
 				if err != nil {
 					gologger.Warning().Msgf("failed to get network interface %s: %s", nicName, err)
 					continue
 				}
 
-				if nicRes.Properties != nil && nicRes.Properties.IPConfigurations != nil {
-					for _, ipConfig := range nicRes.Properties.IPConfigurations {
+				if nicResp.Interface != nil && nicResp.Interface.Properties != nil && nicResp.Interface.Properties.IPConfigurations != nil {
+					for _, ipConfig := range nicResp.Interface.Properties.IPConfigurations {
 						if ipConfig.Properties != nil && ipConfig.Properties.PrivateIPAddress != nil {
 							privateIPs = append(privateIPs, *ipConfig.Properties.PrivateIPAddress)
 						}
 					}
 				}

Also applies to: 267-279

pkg/providers/azure/aks.go (1)

74-103: Remove dead code scaffolding.

Lines 74-93 iterate over agent pools but only continue when extendedMetadata is true, performing no useful work. Lines 95-103 contain only explanatory comments about LoadBalancer IPs without any implementation. These scaffolding blocks add complexity without benefit and should be removed until the functionality is ready to implement.

pkg/providers/azure/loadbalancer.go (1)

90-93: Verify IP version before assigning to PrivateIpv4.

The private IP address is unconditionally assigned to PrivateIpv4 without checking frontendIPConfig.Properties.PrivateIPAddressVersion. If the frontend uses IPv6, this will incorrectly populate the IPv4 field. The public IP handling at lines 104-111 correctly checks the version—apply the same pattern here.

Apply this diff to add IP version checking:

 				// Extract private IP (available for both public and internal LBs)
 				if frontendIPConfig.Properties.PrivateIPAddress != nil {
-					resource.PrivateIpv4 = *frontendIPConfig.Properties.PrivateIPAddress
+					if frontendIPConfig.Properties.PrivateIPAddressVersion != nil && *frontendIPConfig.Properties.PrivateIPAddressVersion == armnetwork.IPVersionIPv6 {
+						resource.PrivateIpv6 = *frontendIPConfig.Properties.PrivateIPAddress
+					} else {
+						// Default to IPv4 if not specified
+						resource.PrivateIpv4 = *frontendIPConfig.Properties.PrivateIPAddress
+					}
 				}

pkg/providers/azure/storage.go (2)

171-187: Set PrivateIpv4 vs PrivateIpv6 correctly for private endpoints.

Avoid assigning all private IPs to PrivateIpv4; classify by version.

-			for _, privateIP := range privateIPs {
+			for _, privateIP := range privateIPs {
 				var metadata map[string]string
 				if sp.extendedMetadata {
 					metadata = sp.getStorageMetadata(account)
 					if metadata != nil {
 						metadata["connection_type"] = "private_endpoint"
 					}
 				}
 
-				resource := &schema.Resource{
-					Provider:    providerName,
-					ID:          sp.id,
-					PrivateIpv4: privateIP,
-					Service:     sp.name(),
-					Metadata:    metadata,
-				}
+				resource := &schema.Resource{
+					Provider: providerName,
+					ID:       sp.id,
+					Service:  sp.name(),
+					Metadata: metadata,
+				}
+				if strings.Contains(privateIP, ":") {
+					resource.PrivateIpv6 = privateIP
+				} else {
+					resource.PrivateIpv4 = privateIP
+				}
 				list.Append(resource)
 			}

---

3-13: Use time.RFC3339 for creation_time (and add time import).

Consistent with vm.go and standard formats.

 import (
 	"context"
 	"fmt"
 	"strings"
+	"time"
@@
-		if props.CreationTime != nil {
-			metadata["creation_time"] = props.CreationTime.Format("2006-01-02T15:04:05Z")
-		}
+		if props.CreationTime != nil {
+			metadata["creation_time"] = props.CreationTime.Format(time.RFC3339)
+		}

Also applies to: 423-425

pkg/providers/azure/functions.go (2)

41-49: Prefer Properties.DefaultHostName over constructing from Name.

Use the actual default hostname when available; fall back to name-based only if missing.

-		// Default hostname: <function-name>.azurewebsites.net
-		var defaultHostname string
-		if app.Name != nil {
-			defaultHostname = fmt.Sprintf("%s.azurewebsites.net", *app.Name)
-		}
+		// Default hostname
+		var defaultHostname string
+		if app.Properties != nil && app.Properties.DefaultHostName != nil && *app.Properties.DefaultHostName != "" {
+			defaultHostname = *app.Properties.DefaultHostName
+		} else if app.Name != nil {
+			defaultHostname = fmt.Sprintf("%s.azurewebsites.net", *app.Name)
+		}

---

65-83: Avoid duplicating default hostname in custom domains (case-insensitive).

Compare case-insensitively to skip re-emitting the default hostname.

-			for _, hostname := range app.Properties.HostNames {
-				if hostname != nil && *hostname != defaultHostname {
+			for _, hostname := range app.Properties.HostNames {
+				if hostname != nil && !strings.EqualFold(*hostname, defaultHostname) {

pkg/providers/azure/publicips.go (1)

70-84: Always emit FQDN resources (don’t gate on extendedMetadata).

Hostnames are core assets; keep metadata optional but emit DNS unconditionally.

-		if pip.extendedMetadata && ip.Properties.DNSSettings != nil && ip.Properties.DNSSettings.Fqdn != nil {
+		if ip.Properties.DNSSettings != nil && ip.Properties.DNSSettings.Fqdn != nil {
 			dnsResource := &schema.Resource{
 				Provider: providerName,
 				ID:       pip.id,
 				DNSName:  *ip.Properties.DNSSettings.Fqdn,
 				Service:  pip.name(),
 			}
-			if metadata != nil {
+			if metadata != nil {
 				dnsResource.Metadata = make(map[string]string)
 				for k, v := range metadata {
 					dnsResource.Metadata[k] = v
 				}
 			}
 			list.Append(dnsResource)
 		}

pkg/providers/azure/azure.go (1)

3-12: Normalize service names and parse extended_metadata as bool.

Improves config robustness (handles spaces/case) and boolean parsing.

 import (
 	"context"
 	"fmt"
 	"strings"
+	"strconv"
@@
 	services := make(schema.ServiceMap)
 	if ss, ok := options.GetMetadata("services"); ok {
 		for _, s := range strings.Split(ss, ",") {
-			if _, ok := supportedServicesMap[s]; ok {
+			s = strings.ToLower(strings.TrimSpace(s))
+			if _, ok := supportedServicesMap[s]; ok {
 				services[s] = struct{}{}
 			}
 		}
 	}
@@
-	if extendedMetadata, ok := options.GetMetadata("extended_metadata"); ok {
-		provider.extendedMetadata = extendedMetadata == "true"
+	if extendedMetadata, ok := options.GetMetadata("extended_metadata"); ok {
+		if b, err := strconv.ParseBool(strings.TrimSpace(extendedMetadata)); err == nil {
+			provider.extendedMetadata = b
+		}
 	}

Also applies to: 52-58, 70-73

pkg/providers/azure/vm.go (2)

127-131: Classify private IP v4/v6 instead of always setting PrivateIpv4.

Avoid mislabeling IPv6 private addresses.

-				if ipConfig.Properties.PrivateIPAddress != nil {
-					resource.PrivateIpv4 = *ipConfig.Properties.PrivateIPAddress
-				}
+				if ipConfig.Properties.PrivateIPAddress != nil {
+					if strings.Contains(*ipConfig.Properties.PrivateIPAddress, ":") {
+						resource.PrivateIpv6 = *ipConfig.Properties.PrivateIPAddress
+					} else {
+						resource.PrivateIpv4 = *ipConfig.Properties.PrivateIPAddress
+					}
+				}

---

138-146: Infer public IP version when version is nil (consistent with publicips.go).

Defaulting to IPv4 can misclassify IPv6. Use address parsing fallback.

-				if publicIP.Properties.PublicIPAddressVersion != nil && *publicIP.Properties.PublicIPAddressVersion == armnetwork.IPVersionIPv4 {
-					resource.PublicIPv4 = *publicIP.Properties.IPAddress
-				} else if publicIP.Properties.PublicIPAddressVersion != nil {
-					resource.PublicIPv6 = *publicIP.Properties.IPAddress
-				} else {
-					// Default to IPv4 if not specified
-					resource.PublicIPv4 = *publicIP.Properties.IPAddress
-				}
+				if publicIP.Properties.PublicIPAddressVersion != nil && *publicIP.Properties.PublicIPAddressVersion == armnetwork.IPVersionIPv4 {
+					resource.PublicIPv4 = *publicIP.Properties.IPAddress
+				} else if publicIP.Properties.PublicIPAddressVersion != nil && *publicIP.Properties.PublicIPAddressVersion == armnetwork.IPVersionIPv6 {
+					resource.PublicIPv6 = *publicIP.Properties.IPAddress
+				} else {
+					if strings.Contains(*publicIP.Properties.IPAddress, ":") {
+						resource.PublicIPv6 = *publicIP.Properties.IPAddress
+					} else {
+						resource.PublicIPv4 = *publicIP.Properties.IPAddress
+					}
+				}

pkg/providers/azure/trafficmanager.go (1)

87-96: Consider using parseAzureResourceID helper for consistency.

The manual resource group extraction using strings.Split duplicates logic that exists in the parseAzureResourceID helper used elsewhere in the codebase (e.g., appservice.go line 191, aks.go line 142). Using the helper would improve consistency and reduce maintenance burden.

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

pkg/providers/azure/storage.go (1)

241-290: Track 2 response wrappers not handled correctly.

The Track 2 SDK Get methods return response wrappers, not the resources directly:

• PrivateEndpointsClient.Get returns PrivateEndpointsClientGetResponse with a .PrivateEndpoint field
• InterfacesClient.Get returns InterfacesClientGetResponse with an .Interface field

The current code incorrectly accesses properties as if the raw resource is returned.

Based on learnings

Apply this diff to fix the response wrapper handling:

-		pe, err := peClient.Get(ctx, peRG, peName, nil)
+		peResp, err := peClient.Get(ctx, peRG, peName, nil)
 		if err != nil {
 			gologger.Warning().Msgf("failed to get private endpoint %s: %s", peName, err)
 			continue
 		}
 
 		// Extract private IPs from network interfaces
-		if pe.Properties != nil && pe.Properties.NetworkInterfaces != nil {
-			for _, nic := range pe.Properties.NetworkInterfaces {
+		if peResp.PrivateEndpoint.Properties != nil && peResp.PrivateEndpoint.Properties.NetworkInterfaces != nil {
+			for _, nic := range peResp.PrivateEndpoint.Properties.NetworkInterfaces {
 				if nic.ID == nil {
 					continue
 				}
 
 				nicName, nicRG := parseAzureResourceID(*nic.ID)
 				if nicName == "" || nicRG == "" {
 					continue
 				}
 
 				nicClient, err := armnetwork.NewInterfacesClient(sp.SubscriptionID, sp.Credential, nil)
 				if err != nil {
 					gologger.Warning().Msgf("failed to create network interfaces client: %s", err)
 					continue
 				}
 
-				nicRes, err := nicClient.Get(ctx, nicRG, nicName, nil)
+				nicResp, err := nicClient.Get(ctx, nicRG, nicName, nil)
 				if err != nil {
 					gologger.Warning().Msgf("failed to get network interface %s: %s", nicName, err)
 					continue
 				}
 
-				if nicRes.Properties != nil && nicRes.Properties.IPConfigurations != nil {
-					for _, ipConfig := range nicRes.Properties.IPConfigurations {
+				if nicResp.Interface.Properties != nil && nicResp.Interface.Properties.IPConfigurations != nil {
+					for _, ipConfig := range nicResp.Interface.Properties.IPConfigurations {
 						if ipConfig.Properties != nil && ipConfig.Properties.PrivateIPAddress != nil {
 							privateIPs = append(privateIPs, *ipConfig.Properties.PrivateIPAddress)
 						}
 					}
 				}
 			}
 		}

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

pkg/providers/azure/vm.go (1)

246-257: Track 2 response handling is correct.

The code properly unwraps the NIC response by accessing nicResp.Properties directly, which works because the Track 2 response type embeds the Interface fields. The previous build failures have been resolved.

Optionally, clarify the comment to better reflect the actual access pattern:

-	// Track 2: Response embeds Interface directly, access Properties
+	// Track 2: Access Interface properties directly from response
 	if nicResp.Properties != nil && nicResp.Properties.IPConfigurations != nil {

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro