Merge pull request #30 from Iditbnaya/feature/orphaned_resources_tool

feat: update orphaned resource detection to 11 resource types, Remove…

Author: msftnadavbh

docs/FEATURES.md

@@ -102,10 +102,16 @@ Detect orphaned Azure resources across subscriptions and calculate their real wa
 | Resource Type | Detection Criteria |
 |---------------|--------------------|
 | Unattached Disks | Managed disks with no `managedBy` (not attached to any VM) |
-| Orphaned NICs | Network interfaces not attached to a VM or private endpoint |
 | Orphaned Public IPs | Public IPs not associated with any IP configuration or NAT gateway |
-| Orphaned NSGs | Network security groups not attached to any NIC or subnet |
 | Empty App Service Plans | App Service Plans with zero hosted apps |
+| Orphaned SQL Elastic Pools | SQL Elastic Pools with no databases in the pool |
+| Orphaned Application Gateways | Application gateways with no backend address pools or targets |
+| Orphaned NAT Gateways | NAT gateways not associated with any subnet |
+| Orphaned Load Balancers | Load balancers with no backend address pools |
+| Orphaned Private DNS Zones | Private DNS zones with no virtual network links |
+| Orphaned Private Endpoints | Private endpoints with no connections or unapproved connections |
+| Orphaned Virtual Network Gateways | Virtual network gateways with no IP configurations |
+| Orphaned DDoS Protection Plans | DDoS protection plans with no associated virtual networks |
 
 ### Authentication Required
 

docs/ORPHANED_RESOURCES.md

@@ -7,7 +7,14 @@ Orphaned resources are Azure resources that were created but are no longer servi
 - 💿 **Unattached Managed Disks** - Storage volumes that were detached from virtual machines (often after VM deletion) but remain in your subscription
 - 🌐 **Unattached Public IPs** - IP addresses that are no longer associated with any network interface or load balancer
 - 📋 **Empty App Service Plans** - Hosting plans that have no web apps deployed but still reserve compute capacity
-- ⚖️ **Orphaned Load Balancers** - Load balancers with no backend pools or targets
+- 🗄️ **Orphaned SQL Elastic Pools** - Elastic pools with no databases, still incurring reserved compute and storage costs
+- 🚪 **Orphaned Application Gateways** - Application gateways with no backend address pools or targets configured
+- 🔀 **Orphaned NAT Gateways** - NAT gateways not associated with any subnet
+- ⚖️ **Orphaned Load Balancers** - Load balancers with no backend address pools configured
+- 🔒 **Orphaned Private DNS Zones** - Private DNS zones with no virtual network links
+- 🔗 **Orphaned Private Endpoints** - Private endpoints with no connections or unapproved connection state
+- 🌉 **Orphaned Virtual Network Gateways** - Virtual network gateways with no IP configurations
+- 🛡️ **Orphaned DDoS Protection Plans** - DDoS protection plans with no associated virtual networks
 
 These resources can accumulate silently over time, creating unnecessary costs. A single forgotten public IP might seem insignificant, but across multiple subscriptions and resource groups, orphaned resources can add up to hundreds or thousands of dollars per month.
 
@@ -59,7 +66,14 @@ Once configured, you can ask Claude:
 - ✅ **Unattached Managed Disks** - Disks not attached to any VM
 - ✅ **Unattached Public IPs** - Public IPs with no configuration
 - ✅ **Orphaned App Service Plans** - Plans with no web apps
-- ✅ **Orphaned Load Balancers** - LBs with no backends
+- ✅ **Orphaned SQL Elastic Pools** - Elastic pools with no databases
+- ✅ **Orphaned Application Gateways** - Application gateways with no backend targets
+- ✅ **Orphaned NAT Gateways** - NAT gateways with no associated subnets
+- ✅ **Orphaned Load Balancers** - Load balancers with no backend address pools
+- ✅ **Orphaned Private DNS Zones** - Private DNS zones with no virtual network links
+- ✅ **Orphaned Private Endpoints** - Private endpoints with no or unapproved connections
+- ✅ **Orphaned Virtual Network Gateways** - Virtual network gateways with no IP configurations
+- ✅ **Orphaned DDoS Protection Plans** - DDoS protection plans with no associated virtual networks
 
 ## 💵 Cost Calculation:
 
@@ -120,13 +134,6 @@ ID: `e4303b68-1de0-4a9d-ad35-5c3eb13c05e7`
 
 ## 🛠️ Troubleshooting:
 
-### "No module named 'azure.mgmt.web'"
-
-Install the missing package:
-```bash
-pip install azure-mgmt-web
-```
-
 ### "Authentication failed"
 
 Verify you're logged in:

docs/TOOLS.md

@@ -39,7 +39,7 @@ These tools require Azure authentication. See [FEATURES.md](FEATURES.md#orphaned
 
 | Tool | Description |
 |------|-------------|
-| `find_orphaned_resources` | Detect orphaned resources (unattached disks, NICs, public IPs, NSGs, empty App Service Plans) and compute wasted cost |
+| `find_orphaned_resources` | Detect orphaned resources (unattached disks, public IPs, empty App Service Plans, SQL Elastic Pools, Application Gateways, NAT Gateways, Load Balancers, Private DNS Zones, Private Endpoints, Virtual Network Gateways, DDoS Protection Plans) and compute wasted cost |
 
 ---
 

src/azure_pricing_mcp/formatters.py

@@ -634,7 +634,9 @@ def format_orphaned_resources_response(result: dict[str, Any]) -> str:
         return (
             "### ✅ No Orphaned Resources Found\n\n"
             f"Scanned {len(subscriptions)} subscription(s) — "
-            "no orphaned disks, NICs, public IPs, NSGs, or empty App Service Plans detected."
+            "no orphaned disks, public IPs, App Service Plans, SQL Elastic Pools, "
+            "Application Gateways, NAT Gateways, Load Balancers, Private DNS Zones, "
+            "Private Endpoints, Virtual Network Gateways, or DDoS Protection Plans detected."
         )
 
     # Collect all orphaned resources across subscriptions

src/azure_pricing_mcp/services/orphaned_resources.py

@@ -1,8 +1,10 @@
 """Orphaned Azure resource scanning and cost lookup service.
 
-This service detects orphaned resources (unattached disks, NICs, public IPs,
-NSGs, App Service Plans) across Azure subscriptions and computes their
-historical cost via the Azure Cost Management API.
+This service detects orphaned resources (unattached disks, public IPs,
+App Service Plans, SQL Elastic Pools, Application Gateways, NAT Gateways,
+Load Balancers, Private DNS Zones, Private Endpoints, Virtual Network Gateways,
+DDoS Protection Plans) across Azure subscriptions and computes their historical
+cost via the Azure Cost Management API.
 
 All methods require Azure authentication. If not authenticated, they return
 a friendly error message with instructions for how to authenticate.
@@ -27,9 +29,7 @@
 # Azure Resource Manager API versions per resource type
 ARM_API_VERSIONS = {
     "disks": "2023-10-02",
-    "networkInterfaces": "2023-11-01",
     "publicIPAddresses": "2023-11-01",
-    "networkSecurityGroups": "2023-11-01",
     "serverfarms": "2023-12-01",
     "subscriptions": "2022-12-01",
 }
@@ -46,16 +46,6 @@
     timeCreated = tostring(properties.timeCreated)
 """
 
-# Resource Graph query for orphaned NICs (not attached to any VM)
-ORPHANED_NICS_QUERY = """
-Resources
-| where type =~ 'microsoft.network/networkinterfaces'
-| where isnull(properties.virtualMachine.id) or properties.virtualMachine.id == ''
-| where isnull(properties.privateEndpoint.id) or properties.privateEndpoint.id == ''
-| project id, name, type, location, resourceGroup,
-    subscriptionId
-"""
-
 # Resource Graph query for orphaned public IPs (not associated)
 ORPHANED_PUBLIC_IPS_QUERY = """
 Resources
@@ -67,25 +57,100 @@
     allocationMethod = tostring(properties.publicIPAllocationMethod)
 """
 
-# Resource Graph query for orphaned NSGs (not associated with subnet or NIC)
-ORPHANED_NSGS_QUERY = """
+# Resource Graph query for empty App Service Plans
+ORPHANED_ASP_QUERY = """
+Resources
+| where type =~ 'microsoft.web/serverfarms'
+| where properties.numberOfSites == 0
+| project id, name, type, location, resourceGroup,
+    subscriptionId,
+    sku = tostring(sku.name),
+    tier = tostring(sku.tier)
+"""
+
+# Resource Graph query for orphaned SQL Elastic Pools (no databases)
+ORPHANED_SQL_ELASTIC_POOLS_QUERY = """
+Resources
+| where type =~ 'microsoft.sql/servers/elasticpools'
+| project id, name, type, location, resourceGroup,
+    subscriptionId,
+    sku = tostring(sku.name),
+    tier = tostring(sku.tier),
+    dtu = tostring(properties.dtu),
+    serverName = tostring(split(id, '/')[8])
+"""
+
+# Resource Graph query for orphaned Application Gateways (no backend targets)
+ORPHANED_APP_GATEWAYS_QUERY = """
+Resources
+| where type =~ 'microsoft.network/applicationgateways'
+| where isnull(properties.backendAddressPools) or array_length(properties.backendAddressPools) == 0
+    or properties.backendAddressPools == '[]'
+| project id, name, type, location, resourceGroup,
+    subscriptionId,
+    sku = tostring(sku.name),
+    tier = tostring(sku.tier)
+"""
+
+# Resource Graph query for orphaned NAT Gateways (not associated with any subnet)
+ORPHANED_NAT_GATEWAYS_QUERY = """
 Resources
-| where type =~ 'microsoft.network/networksecuritygroups'
-| where isnull(properties.networkInterfaces) or array_length(properties.networkInterfaces) == 0
+| where type =~ 'microsoft.network/natgateways'
 | where isnull(properties.subnets) or array_length(properties.subnets) == 0
 | project id, name, type, location, resourceGroup,
     subscriptionId
 """
 
-# Resource Graph query for empty App Service Plans
-ORPHANED_ASP_QUERY = """
+# Resource Graph query for orphaned Load Balancers (no backend address pools)
+ORPHANED_LOAD_BALANCERS_QUERY = """
 Resources
-| where type =~ 'microsoft.web/serverfarms'
-| where properties.numberOfSites == 0
+| where type =~ 'microsoft.network/loadbalancers'
+| where isnull(properties.backendAddressPools) or array_length(properties.backendAddressPools) == 0
+| project id, name, type, location, resourceGroup,
+    subscriptionId,
+    sku = tostring(sku.name)
+"""
+
+# Resource Graph query for orphaned Private DNS Zones (no virtual network links)
+ORPHANED_PRIVATE_DNS_ZONES_QUERY = """
+Resources
+| where type =~ 'microsoft.network/privatednszones'
+| where isnull(properties.numberOfVirtualNetworkLinks)
+    or properties.numberOfVirtualNetworkLinks == 0
+| project id, name, type, location, resourceGroup,
+    subscriptionId,
+    recordSets = tostring(properties.numberOfRecordSets)
+"""
+
+# Resource Graph query for orphaned Private Endpoints (no connections or not approved)
+ORPHANED_PRIVATE_ENDPOINTS_QUERY = """
+Resources
+| where type =~ 'microsoft.network/privateendpoints'
+| where isnull(properties.privateLinkServiceConnections)
+    or array_length(properties.privateLinkServiceConnections) == 0
+    or properties.privateLinkServiceConnections[0].properties.privateLinkServiceConnectionState.status != 'Approved'
+| project id, name, type, location, resourceGroup,
+    subscriptionId
+"""
+
+# Resource Graph query for orphaned Virtual Network Gateways (no IP configurations)
+ORPHANED_VNET_GATEWAYS_QUERY = """
+Resources
+| where type =~ 'microsoft.network/virtualnetworkgateways'
+| where isnull(properties.ipConfigurations) or array_length(properties.ipConfigurations) == 0
 | project id, name, type, location, resourceGroup,
     subscriptionId,
     sku = tostring(sku.name),
-    tier = tostring(sku.tier)
+    gatewayType = tostring(properties.gatewayType)
+"""
+
+# Resource Graph query for orphaned DDoS Protection Plans (no virtual networks)
+ORPHANED_DDOS_PLANS_QUERY = """
+Resources
+| where type =~ 'microsoft.network/ddosprotectionplans'
+| where isnull(properties.virtualNetworks) or array_length(properties.virtualNetworks) == 0
+| project id, name, type, location, resourceGroup,
+    subscriptionId
 """
 
 
@@ -351,10 +416,16 @@ async def scan(
         # Execute all orphaned resource queries
         queries = {
             "Unattached Disk": ORPHANED_DISKS_QUERY,
-            "Orphaned NIC": ORPHANED_NICS_QUERY,
             "Orphaned Public IP": ORPHANED_PUBLIC_IPS_QUERY,
-            "Orphaned NSG": ORPHANED_NSGS_QUERY,
             "Empty App Service Plan": ORPHANED_ASP_QUERY,
+            "Orphaned SQL Elastic Pool": ORPHANED_SQL_ELASTIC_POOLS_QUERY,
+            "Orphaned Application Gateway": ORPHANED_APP_GATEWAYS_QUERY,
+            "Orphaned NAT Gateway": ORPHANED_NAT_GATEWAYS_QUERY,
+            "Orphaned Load Balancer": ORPHANED_LOAD_BALANCERS_QUERY,
+            "Orphaned Private DNS Zone": ORPHANED_PRIVATE_DNS_ZONES_QUERY,
+            "Orphaned Private Endpoint": ORPHANED_PRIVATE_ENDPOINTS_QUERY,
+            "Orphaned Virtual Network Gateway": ORPHANED_VNET_GATEWAYS_QUERY,
+            "Orphaned DDoS Protection Plan": ORPHANED_DDOS_PLANS_QUERY,
         }
 
         all_orphaned: list[dict[str, Any]] = []

src/azure_pricing_mcp/tools.py

@@ -347,7 +347,7 @@ def get_tool_definitions() -> list[Tool]:
         # Orphaned Resources Tool (requires Azure authentication)
         Tool(
             name="find_orphaned_resources",
-            description="Detect orphaned Azure resources (unattached disks, NICs, public IPs, NSGs, empty App Service Plans) across subscriptions and compute their real historical cost via Azure Cost Management. Requires Azure authentication (az login or environment variables).",
+            description="Detect orphaned Azure resources (unattached disks, public IPs, App Service Plans, SQL Elastic Pools, Application Gateways, NAT Gateways, Load Balancers, Private DNS Zones, Private Endpoints, Virtual Network Gateways, DDoS Protection Plans) across subscriptions and compute their real historical cost via Azure Cost Management. Requires Azure authentication (az login or environment variables).",
             inputSchema={
                 "type": "object",
                 "properties": {