Expand AWS provider: 7 services, 24 ARN→typed conversions, Step Functions, Batch, AppMesh#7161
Closed
Add security-relevant fields and typed sub-resources across five AWS
services to improve visibility into queue policies, container
vulnerabilities, file system replication, and function versioning.
SQS: tags, contentBasedDeduplication, redriveAllowPolicy
SNS: fifoTopic, contentBasedDeduplication, dataProtectionPolicy,
tracingConfig, deliveryPolicy, displayName
ECR: repository tags, image scan findings (typed), scan status,
severity counts, registry scanning configuration (typed)
EFS: performanceMode, throughputMode, sizeInBytes, lifecycleState,
lifecycle configuration (typed), replication configuration
(typed with destinations), file system protection
Lambda: function versions (typed), layer versions (typed)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
KMS key: Add rotation details (rotationPeriodInDays, nextRotationDate, onDemandRotationStartDate) from cached GetKeyRotationStatus. Add algorithm fields (encryptionAlgorithms, signingAlgorithms, keyAgreementAlgorithms) and key material expiration (expirationModel, validTo) from cached DescribeKey. Add key() typed reference on grants, deprecate keyArn.

CloudTrail trail: Add snsTopic() typed aws.sns.topic reference, deprecate snsTopicARN. Add cloudWatchLogsRole() typed aws.iam.role reference, deprecate cloudWatchLogsRoleArn. Add delivery and notification attempt fields (latestDeliveryAttemptedAt, latestDeliveryAttemptSucceededAt, latestNotificationAttemptedAt, latestNotificationAttemptSucceededAt). Add new *At naming convention for existing time fields (latestDeliveredAt, latestNotifiedAt, latestCloudWatchLogsDeliveredAt, latestDigestDeliveredAt), deprecate old *Time names.

CloudTrail event data store: Add federationStatus and federationRole() typed aws.iam.role reference from cached GetEventDataStore.

Zero new API calls — all fields from already-cached responses.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…elling
- SQS redriveAllowPolicy: use convert.JsonToDict instead of raw unmarshal
- SNS dataProtectionPolicy: use convert.JsonToDict instead of raw unmarshal
- ECR scan findings: cache public flag on image Internal struct instead of checking registryId=="" which is unreliable for public images
- Add RSAES and RSASSA to spell-check expect.txt

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
ARN→typed reference conversions (24 fields across 15 services):
- ECS: taskDefinition(), task() on container; cluster() on service/taskSet; service() on taskSet
- Backup: encryptionKey() on vault/recoveryPoint; iamRole() on recoveryPoint; destinationVault() on copyAction
- CloudWatch: iamRole() on subscription filter
- Route53: logGroup() on queryLoggingConfig
- Config: snsTopic() on delivery channel
- Neptune: monitoringRole() on instance
- DRS: ebsEncryptionKey() on replicationConfiguration
- API Gateway: webAcl() on stage
- Lambda: function() on eventSourceMapping
- ELB: loadBalancer() on listener
- CodeDeploy: serviceRole() on deploymentGroup
- AppStream: iamRole() on fleet and imageBuilder
- Bedrock: baseModel() on customModel; foundationModel() on provisionedModelThroughput
- WorkspacesWeb: kinesisStream() on userAccessLoggingSetting

All old ARN fields deprecated with comments, kept for backwards compat.

Batch expansion:
- containerProperties: typed resource with image, vcpus, memory, command, jobRole/executionRole typed refs, environment, privileged, readonlyRootFilesystem
- retryStrategy: typed resource with attempts and evaluateOnExit
- timeout: typed resource with attemptDurationSeconds

AppMesh expansion:
- New aws.appmesh.virtualRouter resource with listeners and routes
- New aws.appmesh.route resource with spec and tags
- virtualNode.backends changed from count to []dict with actual backend data
- New APIs: ListVirtualRouters, DescribeVirtualRouter, ListRoutes, DescribeRoute

Step Functions (new service):
- aws.stepfunctions with stateMachines() discovery
- aws.stepfunctions.stateMachine with definition, iamRole() typed ref, loggingConfiguration, tracingEnabled, tags
- aws.stepfunctions.stateMachine.loggingConfiguration sub-resource
- APIs: ListStateMachines, DescribeStateMachine, ListTagsForResource

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- AppMesh virtualNode.backends: restore as int (count), add new backendServices() []dict for actual backend data. Deprecate backends().
- Add stepfunctions, vcpus to spell-check expect.txt
- Remove Vcpus from expect.txt

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
ElastiCache cluster: add tags() via ListTagsForResource API
Timestream LiveAnalytics database: add tags() via ListTagsForResource API
MQ broker and Glue catalog encryption were already implemented.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Both aws.rds.dbinstance and aws.rds.dbcluster now expose performanceInsightsRetentionPeriod (int) from the already-fetched DescribeDBInstances/DescribeDBClusters responses. No new API calls. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Batch containerProperties: propagate errors from 5 JsonToDict/DictSlice calls instead of silently discarding them. Batch retryStrategy: same for evaluateOnExit conversion. Step Functions loggingConfiguration: propagate error from destination conversion instead of appending nil. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add fallback format "2006-01-02T15:04:05.000-0700" to parseAwsTimestamp for AWS APIs (e.g., Lambda layers) that return timestamps with non-RFC3339 timezone offsets like "+0000" instead of "+00:00". Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
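The fallback described in this commit, as an added example that is not the project's own code: try RFC 3339 first, then the numeric-offset layout, so a Lambda-style "+0000" offset parses while a string in neither layout still fails loudly. The `parseAwsTimestamp` signature is assumed here and need not match the project's helper.

```go
package main

import (
	"fmt"
	"time"
)

// awsTimestampLayouts are tried in order. time.RFC3339 covers "Z" and
// "+00:00" offsets; the second layout covers the "+0000" form (no colon)
// that some AWS APIs, e.g. Lambda layer versions, return and that
// RFC 3339 parsing rejects. The ".000" in the fallback requires exactly
// three fractional digits, which is what those APIs emit.
var awsTimestampLayouts = []string{
	time.RFC3339,
	"2006-01-02T15:04:05.000-0700",
}

// parseAwsTimestamp returns the first successful parse across the layouts.
// Signature assumed for this example; the project's own helper may differ.
func parseAwsTimestamp(s string) (time.Time, error) {
	var lastErr error
	for _, layout := range awsTimestampLayouts {
		t, err := time.Parse(layout, s)
		if err == nil {
			return t, nil
		}
		lastErr = err
	}
	return time.Time{}, fmt.Errorf("parseAwsTimestamp: %q matches no supported layout: %w", s, lastErr)
}

func main() {
	// Constructed sample values, not captured API output.
	samples := []string{
		"2024-01-15T10:30:00Z",          // RFC 3339, UTC
		"2024-01-15T10:30:00.123+00:00", // RFC 3339 with colon offset
		"2024-01-15T10:30:00.000+0000",  // Lambda-style offset, needs the fallback
		"2024-01-15T12:30:00.000+0200",  // same instant, non-UTC offset
		"2024-01-15 10:30:00",           // neither layout, must error
	}
	for _, s := range samples {
		t, err := parseAwsTimestamp(s)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%-32s -> %s\n", s, t.UTC().Format(time.RFC3339Nano))
	}
}
```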
/review
Comment on lines 11479 to 11481:

```go
	// Tags for the job definition
	tags map[string]string
}
```
🟡 warning — containerProperties(), retryStrategy(), and timeout() changed from returning dict to typed resources. This is a breaking change for any existing MQL queries that use dict-style access on these fields (e.g., aws.batch.jobDefinition { containerProperties["image"] }). If this is intentional, consider noting it in release notes. If not, the old dict return types should be preserved alongside the new typed resources (similar to how ARN→typed conversions elsewhere keep the old string field with a deprecation comment).
Summary
Commit 1: SQS, SNS, ECR, EFS, Lambda expansion
- SQS: `tags`, `contentBasedDeduplication`, `redriveAllowPolicy`
- SNS: `fifoTopic`, `contentBasedDeduplication`, `dataProtectionPolicy`, `tracingConfig`, `deliveryPolicy`, `displayName`
- ECR: `tags`, typed `aws.ecr.image.scanFinding` with `scanStatus`/`scanFindings`/`scanFindingSeverityCounts`, `aws.ecr.scanningConfiguration` with rules
- EFS: `performanceMode`, `throughputMode`, `sizeInBytes`, `lifecycleState`, typed `lifecycleConfiguration`, typed `replicationConfiguration` with destinations, `fileSystemProtection`
- Lambda: function `versions()` → typed `aws.lambda.function.version`; layer `versions()` → typed `aws.lambda.layer.version`

Commit 2: KMS and CloudTrail expansion
- KMS key: `rotationPeriodInDays`, `nextRotationDate`, `onDemandRotationStartDate`, `encryptionAlgorithms`, `signingAlgorithms`, `keyAgreementAlgorithms`, `expirationModel`, `validTo`. Grant `key()` typed ref (deprecates `keyArn`)
- CloudTrail trail: `snsTopic()`, `cloudWatchLogsRole()` typed refs. `latestDeliveredAt`, `latestNotifiedAt`, `latestCloudWatchLogsDeliveredAt`, `latestDigestDeliveredAt` (deprecate `*Time` names). `latestDeliveryAttemptedAt`, `latestDeliveryAttemptSucceededAt`, `latestNotificationAttemptedAt`, `latestNotificationAttemptSucceededAt`
- CloudTrail event data store: `federationStatus`, `federationRole()` typed ref

Commit 3: Review fixes
- `convert.JsonToDict()` for SQS redriveAllowPolicy and SNS dataProtectionPolicy
- `cachePublic` instead of `registryId == ""`

Commit 4: ARN→typed conversions + Batch/AppMesh/StepFunctions

24 ARN→typed reference conversions (deprecate old, keep for compat):

| Service | Old field | New field |
|---|---|---|
| ECS | `taskDefinitionArn` | `taskDefinition()` |
| ECS | `taskArn` | `task()` |
| ECS | `clusterArn` | `cluster()` |
| ECS | `clusterArn` | `cluster()` |
| ECS | `serviceArn` | `service()` |
| Backup | `encryptionKeyArn` | `encryptionKey()` |
| Backup | `iamRoleArn` | `iamRole()` |
| Backup | `encryptionKeyArn` | `encryptionKey()` |
| Backup | `destinationBackupVaultArn` | `destinationVault()` |
| CloudWatch | `roleArn` | `iamRole()` |
| Route53 | `cloudWatchLogsLogGroupArn` | `logGroup()` |
| Config | `snsTopicARN` | `snsTopic()` |
| Neptune | `monitoringRoleArn` | `monitoringRole()` |
| DRS | `ebsEncryptionKeyArn` | `ebsEncryptionKey()` |
| API Gateway | `webAclArn` | `webAcl()` |
| Lambda | `functionArn` | `function()` |
| ELB | `loadBalancerArn` | `loadBalancer()` |
| CodeDeploy | `serviceRoleArn` | `serviceRole()` |
| AppStream | `iamRoleArn` | `iamRole()` |
| AppStream | `iamRoleArn` | `iamRole()` |
| Bedrock | `baseModelArn` | `baseModel()` |
| Bedrock | `foundationModelArn` | `foundationModel()` |
| WorkspacesWeb | `kinesisStreamArn` | `kinesisStream()` |

Batch expansion — dict fields → typed sub-resources:
- `aws.batch.jobDefinition.containerProperties` — image, vcpus, memory, command, jobRole/executionRole typed refs, environment, privileged, readonlyRootFilesystem, resourceRequirements
- `aws.batch.jobDefinition.retryStrategy` — attempts, evaluateOnExit
- `aws.batch.jobDefinition.timeout` — attemptDurationSeconds

AppMesh expansion — new resources:
- `aws.appmesh.virtualRouter` — listeners, routes, tags
- `aws.appmesh.route` — spec, tags
- `virtualNode.backends` changed from count (int) to actual backend data ([]dict)

Step Functions — new service from scratch:
- `aws.stepfunctions.stateMachine` — arn, name, type, status, definition, iamRole() typed ref, loggingConfiguration, tracingEnabled, tags
- `aws.stepfunctions.stateMachine.loggingConfiguration` — level, includeExecutionData, destinations

New API calls
- SQS: `ListQueueTags`
- SNS: `GetDataProtectionPolicy`
- ECR: `ListTagsForResource`, `DescribeImageScanFindings`, `GetRegistryScanningConfiguration`
- EFS: `DescribeLifecycleConfiguration`, `DescribeReplicationConfigurations`
- Lambda: `ListVersionsByFunction`, `ListLayerVersions`
- AppMesh: `ListVirtualRouters`, `DescribeVirtualRouter`, `ListRoutes`, `DescribeRoute`
- Step Functions: `ListStateMachines`, `DescribeStateMachine`, `ListTagsForResource`

KMS, CloudTrail, and all ARN→typed conversions require zero new API calls.
Test plan
```sh
make providers/build/aws
mql run aws -c "aws.sqs.queues { tags contentBasedDeduplication }"
mql run aws -c "aws.sns.topics { fifoTopic dataProtectionPolicy }"
mql run aws -c "aws.ecr.privateRepositories { tags images { scanStatus } }"
mql run aws -c "aws.efs.filesystems { performanceMode lifecycleConfiguration replicationConfiguration }"
mql run aws -c "aws.lambda.functions { versions { version state } }"
mql run aws -c "aws.kms.keys { rotationPeriodInDays encryptionAlgorithms }"
mql run aws -c "aws.cloudtrail.trails { snsTopic cloudWatchLogsRole latestDeliveredAt }"
mql run aws -c "aws.batch.jobDefinitions { containerProperties { image vcpus jobRole } }"
mql run aws -c "aws.appmesh.meshes { virtualRouters { routes } }"
mql run aws -c "aws.stepfunctions.stateMachines { name type iamRole loggingConfiguration }"
mql run aws -c "aws.ecs.containers { taskDefinition task }"
mql run aws -c "aws.backup.vaults { encryptionKey }"
```

🤖 Generated with Claude Code