Feat/support aws #61

Merged
tianmu2023 merged 22 commits into antgroup:main from j3ttt:feat/support-aws
Aug 11, 2025

Conversation

@j3ttt j3ttt commented Aug 4, 2025

Thank you for your contribution to CloudRec!

What About:

  • Server (java)
  • Collector (go)
  • Rule (opa)

Description:

Implement about 30 new AWS resource collectors

Summary by Sourcery

Add comprehensive AWS support by implementing about 30 new resource collectors, updating service initialization and platform configuration, refactoring collector patterns for concurrency and pagination, and updating AWS SDK dependencies.

New Features:

  • Add collectors for ~30 AWS resources across IAM, EC2, S3, KMS, Lambda, CloudFormation, CloudWatch, CloudTrail, SNS, SQS, and more

Enhancements:

  • Extend Services struct to include and initialize clients for all AWS services
  • Refactor collectors to use AWS SDK v2 paginators, worker pools, and include tags, inline/attached policies, and additional details
  • Expand platform configuration to register all new AWS resource types

Build:

  • Upgrade AWS SDK v2 to v1.37.1 and add service-specific modules in go.mod and go.sum

j3ttt and others added 20 commits July 24, 2025 16:11
thank you, gemini

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
…cs/cluster, ecs/service, ecs/task, ecs/task_definition, dynamodb/table, config/recorder, cloudwatch/log_group, cloudwatch/alarm, cloudtrail/types, cloudtrail/trail, cloudformation/stack, autoscaling/group. update vpc: flowlog, networkinterface, vpcendpointservice
@gemini-code-assist

Important

Installation incomplete: to start using Gemini Code Assist, please ask the organization owner(s) to visit the Gemini Code Assist Admin Console and sign the Terms of Services.

@sourcery-ai

sourcery-ai bot commented Aug 4, 2025

Reviewer's Guide

This PR implements support for ~30 new AWS resource collectors by parallelizing data fetching, refactoring existing IAM collectors to use AWS SDK v2 paginators and worker pools, and updating service initialization, constants, and platform configuration.

Class diagram for new and updated AWS resource collectors

classDiagram
    class Services {
        +EC2
        +IAM
        +S3
        +Lambda
        +KMS
        +ECR
        +ElastiCache
        +ELB
        +CLB
        +FSx
        +RDS
        +Route53Domains
        +Route53
        +CloudFront
        +WAFv2
        +CloudTrail
        +APIGatewayV2
        +ACM
        +SecretsManager
        +AutoScaling
        +ECS
        +EKS
        +DynamoDB
        +CloudFormation
        +GuardDuty
        +EFS
        +SNS
        +SQS
        +CloudWatch
        +CloudWatchLogs
        +Account
        +Config
        +AppStream
        +AccessAnalyzer
        +CognitoIdentityProvider
        +CognitoIdentity
        +FMS
        +Inspector2
        +SecurityHub
        +Macie
        +NetworkFirewall
        +OpenSearch
    }
    class UserDetail {
        +User
        +AttachedPolicies
        +InlinePolicies
        +MFADevices
        +AccessKeys
        +LoginProfile
        +Tags
    }
    class RoleDetail {
        +Role
        +AttachedPolicies
        +InlinePolicies
        +Tags
    }
    class VPCDetail {
        +RouteTables
        +InternetGateways
        +VPCEndpoints
        +VPCPeeringConnections
        +VPNConnections
    }
    class UserPoolDetail {
        +UserPool
        +UserPoolClients
        +Users
        +Tags
    }
    class IdentityPoolDetail {
        +IdentityPool
        +Tags
    }
    class KeyDetail {
        +Key
        +RotationEnabled
        +Policy
        +Tags
    }
    class SNSTopicDetail {
        +Topic
        +Attributes
        +Policy
        +Subscriptions
        +Tags
    }
    class SQSQueueDetail {
        +Url
        +Name
        +Region
        +Attributes
        +Policy
        +Tags
    }
    class PolicyDetail {
        +Policy
        +ComplianceStatus
        +Tags
    }
    class ClusterDetail {
        +Cluster
        +Services
        +Tasks
    }
    class DomainDetail {
        +Domain
        +Tags
    }
    class FunctionDetail {
        +Function
        +Policy
        +URLConfigs
        +Tags
    }
    class AnalyzerDetail {
        +Analyzer
        +Findings
        +Tags
    }
    class StackDetail {
        +Stack
    }

File-Level Changes

Change | Details | Files

Change: Refactor existing IAM collectors to use concurrent pagination and updated schemas
Details:
  • Replaced manual pagination with AWS SDK v2 Paginators
  • Introduced worker pools (numWorkers=10) for parallel detail fetching
  • Updated ResourceDetailFunc to aggregate attached/inline policies, tags, and metadata
  • Switched ResourceId to use AWS ARN and set Dimension to Global
Files:
  collector/aws/collector/iam/user.go
  collector/aws/collector/iam/role.go
  collector/aws/collector/iam/group.go
  collector/aws/collector/iam/account_settings.go
  collector/aws/collector/iam/policy.go

Change: Add new AWS collectors for ~30 services using paginators and worker pools
Details:
  • Implemented GetResource/GetDetail for each service (Cognito, KMS, SNS, SQS, FMS, ECS, EKS, Lambda, CloudTrail, Config, CloudWatch, CloudFormation, DynamoDB, Inspector2, Macie, GuardDuty, AccessAnalyzer, AppStream, API Gateway V2, Network Firewall, OpenSearch, ACM, SecurityHub, Account, Auto Scaling, VPC Endpoint Service, Flow Log, Network Interface)
  • Used AWS SDK v2 Paginators for list operations and goroutine pools for concurrent Describe calls
  • Defined resource-specific Detail structs to aggregate API output and tags
Files:
  collector/aws/collector/cognito/userpool.go
  collector/aws/collector/kms/key.go
  collector/aws/collector/sns/topic.go
  collector/aws/collector/sqs/queue.go
  collector/aws/collector/fms/policy.go
  collector/aws/collector/ecs/cluster.go
  collector/aws/collector/ecs/task_definition.go
  collector/aws/collector/eks/cluster.go
  collector/aws/collector/lambda/function.go
  collector/aws/collector/cloudtrail/trail.go
  collector/aws/collector/config/recorder.go
  collector/aws/collector/cloudwatch/alarm.go
  collector/aws/collector/cloudwatch/log_group.go
  collector/aws/collector/dynamodb/table.go
  collector/aws/collector/cloudformation/stack.go
  collector/aws/collector/account/account.go
  collector/aws/collector/autoscaling/group.go
  collector/aws/collector/ec2/vpcendpointservice.go
  collector/aws/collector/ec2/flowlog.go
  collector/aws/collector/ec2/networkinterface.go
  collector/aws/collector/apigateway/api_v2.go
  collector/aws/collector/guardduty/detector.go
  collector/aws/collector/networkfirewall/firewall.go
  collector/aws/collector/networkfirewall/rulegroup.go
  collector/aws/collector/accessanalyzer/analyzer.go
  collector/aws/collector/opensearch/domain.go
  collector/aws/collector/acm/certificate.go
  collector/aws/collector/securityhub/finding.go
  collector/aws/collector/inspector2/finding.go
  collector/aws/collector/inspector2/coverage.go
  collector/aws/collector/macie/finding.go
  collector/aws/collector/macie/job.go
  collector/aws/collector/macie/session.go

Change: Update AWS service initialization, constants, platform config, and dependencies
Details:
  • Extended Services struct and InitServices switch to include new AWS clients
  • Added initClient helpers for each new service
  • Updated constant.go with new resource type constants
  • Registered new resources in platform_config.go
  • Bumped aws-sdk-go-v2 versions and added new service modules in go.mod/go.sum
Files:
  collector/aws/collector/services.go
  collector/aws/collector/constant.go
  collector/aws/platform/platform_config.go
  collector/aws/go.mod
  collector/aws/go.sum
  collector/go.mod
  collector/go.sum

@sourcery-ai sourcery-ai bot left a comment


Hey @j3ttt - I've reviewed your changes - here's some feedback:

  • The worker‐pool concurrency pattern is duplicated across most collectors—consider extracting a reusable helper to reduce boilerplate and improve consistency.
  • The giant switch in Services.InitServices makes adding new services cumbersome—refactor to use a map of resource types to client initializers for easier maintenance.
  • Inside your worker goroutines errors are logged but not propagated—consider capturing and returning errors from workers so failed descriptors don’t go unnoticed.
## Individual Comments

### Comment 1
<location> `collector/aws/collector/opensearch/domain.go:129` </location>
<code_context>
+func extractDomainTags(domain *opensearch.DescribeDomainOutput) map[string]string {
</code_context>
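Review bot: the parameter is a DescribeDomainOutput, which is the domain configuration and carries no tag list, so whatever this function returns under a Tags key is synthesized metadata rather than tags the account owner set. Because the PR also ships OPA rules that consume collector output, any rule keyed on tags (ownership, data classification, exemption markers) would evaluate against values that were never applied to the resource. Take the domain ARN instead and call the OpenSearch ListTags API for the real tag set, and keep derived metadata in a separate field.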

<issue_to_address>
Tag extraction in extractDomainTags is not robust and may mislead consumers.

Use the ListTags API to retrieve actual resource tags. If you intend to provide metadata, separate it from tags to prevent confusion.
</issue_to_address>

### Comment 2
<location> `collector/aws/collector/iam/user.go:89` </location>
<code_context>
+func describeUserDetail(ctx context.Context, client *iam.Client, user types.User) UserDetail {
</code_context>
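Review bot: the signature returns a bare UserDetail with no error, so a caller cannot tell "this user has no MFA devices and no access keys" from "ListMFADevices or ListAccessKeys failed"; for a posture collector that turns a throttled or AccessDenied call into a false negative for every rule that inspects those lists. Change the return to (UserDetail, error), or add an Errors field to UserDetail, so the caller and the worker pool above it can skip or flag the incomplete record.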

<issue_to_address>
Errors from concurrent fetches in describeUserDetail are ignored.

Please aggregate and handle or log errors from concurrent fetches to prevent incomplete or misleading results.
</issue_to_address>

### Comment 3
<location> `collector/aws/collector/iam/role.go:89` </location>
<code_context>
-	if err != nil {
-		return nil
+// describeRoleDetail fetches all details for a single role.
+func describeRoleDetail(ctx context.Context, client *iam.Client, role types.Role) RoleDetail {
+	var wg sync.WaitGroup
+	var attachedPolicies []types.AttachedPolicy
+	var inlinePolicies []string
+	var tags []types.Tag
+
+	wg.Add(3)
+
+	go func() {
+		defer wg.Done()
+		attachedPolicies, _ = listAttachedRolePolicies(ctx, client, role.RoleName)
+	}()
+
+	go func() {
+		defer wg.Done()
+		inlinePolicies, _ = listRolePolicies(ctx, client, role.RoleName)
+	}()
+
+	go func() {
+		defer wg.Done()
+		tags, _ = listRoleTags(ctx, client, role.RoleName)
+	}()
+
+	wg.Wait()
+
+	return RoleDetail{
+		Role:             role,
+		AttachedPolicies: attachedPolicies,
</code_context>
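Review bot: the two removed lines (`if err != nil { return nil }`) show the previous code refused to emit a role when a lookup failed; the three goroutines now discard their errors with `_`, so a throttled or AccessDenied ListAttachedRolePolicies call (plausible with 10 workers each issuing three IAM calls per role) yields a RoleDetail whose empty policy lists are indistinguishable from a role with no policies. Keep one error variable per goroutine and return `errors.Join(...)` alongside the detail, or use errgroup; the writes to the three captured slices are already race-free because each goroutine owns exactly one variable, so only the error plumbing needs to change.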

<issue_to_address>
Errors from concurrent fetches in describeRoleDetail are ignored.

As with the user detail function, unhandled errors from these fetches may lead to incomplete data without any error reporting. Please handle or log these errors to improve reliability and observability.
</issue_to_address>

### Comment 4
<location> `collector/aws/collector/networkfirewall/rulegroup.go:155` </location>
<code_context>
+				tags["StatefulRulesCount"] = string(rune(len(ruleGroup.RuleGroup.RulesSource.StatefulRules)))
+			} else if ruleGroup.RuleGroup.RulesSource.StatelessRulesAndCustomActions != nil {
+				tags["RulesSourceType"] = "StatelessRulesAndCustomActions"
+				if ruleGroup.RuleGroup.RulesSource.StatelessRulesAndCustomActions.StatelessRules != nil {
+					tags["StatelessRulesCount"] = string(rune(len(ruleGroup.RuleGroup.RulesSource.StatelessRulesAndCustomActions.StatelessRules)))
+				}
</code_context>
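Review bot: both the StatefulRulesCount line at the top of the hunk and the StatelessRulesCount line have the same defect: string(rune(n)) yields the single character whose code point is n, so 0 becomes a NUL byte, 10 becomes a newline and 65 becomes "A", never "65"; wrapping the int in rune() only silences go vet's stringintconv check, it does not make the conversion numeric. Use strconv.Itoa(len(...)) on both lines. Separately, these counts are derived metadata rather than resource tags, so storing them in the tags map collides with any real tag an operator names RulesSourceType or StatelessRulesCount; a dedicated field keeps tag-based rules honest.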

<issue_to_address>
Incorrect integer-to-string conversion for StatelessRulesCount.

Use strconv.Itoa(len(...)) to convert the integer to a string, as string(rune(len(...))) will not yield the correct string representation.
</issue_to_address>

### Comment 5
<location> `collector/aws/collector/networkfirewall/rulegroup.go:161` </location>
<code_context>
+			}
+		}
+		
+		// Add capacity information
+		if ruleGroup.RuleGroupResponse.Capacity != nil {
+			tags["Capacity"] = string(rune(*ruleGroup.RuleGroupResponse.Capacity))
</code_context>

<issue_to_address>
Capacity should be converted to string using strconv.Itoa.

The current conversion returns a character, not the numeric string. Use strconv.Itoa(int(*ruleGroup.RuleGroupResponse.Capacity)) instead.
</issue_to_address>

### Comment 6
<location> `collector/aws/collector/networkfirewall/firewall.go:126` </location>
<code_context>
+
+	var tags map[string]string
+
+	// Get tags - Network Firewall doesn't have a direct API to list tags
+	// but we can extract relevant information from the firewall itself
+	tags = extractFirewallTags(describeOutput)
</code_context>
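Review bot: the comment in this hunk is inaccurate: the networkfirewall client exposes ListTagsForResource (keyed by the resource ARN), and the Firewall object inside DescribeFirewallOutput already carries a Tags list, so tags can be read directly instead of being synthesized by extractFirewallTags. The `var tags map[string]string` declaration followed by an immediate assignment can also collapse to `tags := ...`.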

<issue_to_address>
Consider using ListTagsForResource API if available for Network Firewall.

If Network Firewall supports ListTagsForResource, use it to retrieve tags directly rather than extracting them from the firewall response.
</issue_to_address>

### Comment 7
<location> `collector/aws/collector/inspector2/coverage.go:73` </location>
<code_context>
+		go func() {
+			defer wg.Done()
+			for coverage := range tasks {
+				coverage := coverage
+				detail := describeCoverageDetail(ctx, client, coverage)
+				if detail != nil {
</code_context>
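Review bot: the `coverage := coverage` shadow is dead code regardless of Go version: the copy only matters when a closure launched inside the loop body captures the loop variable, and here coverage is passed synchronously to describeCoverageDetail within the same iteration, so drop it. The `if detail != nil` test that follows also suggests describeCoverageDetail signals failure by returning nil, which is the same silent-error path raised in the overall comments; returning (detail, error) lets the worker record why a coverage entry was skipped.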

<issue_to_address>
Redundant variable assignment inside goroutine.

The assignment 'coverage := coverage' can be removed, as the loop variable is already properly scoped within the goroutine.
</issue_to_address>

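A reusable worker-pool helper of the kind the first and third overall comments ask for (bounded concurrency, per-item errors collected and returned instead of discarded), added here as an illustration and not code from the CloudRec PR; FetchDetails, RoleDetail and fakeDescribeRole are hypothetical names, and the failing "broken-role" is constructed input standing in for a throttled or denied IAM call.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// FetchDetails runs fn over items with at most numWorkers goroutines (the PR uses 10) and
// returns every successful detail plus one joined error covering every failed item, so a
// caller can tell "no policies attached" apart from "ListAttachedRolePolicies failed".
func FetchDetails[T, R any](ctx context.Context, items []T, numWorkers int,
	fn func(context.Context, T) (R, error)) ([]R, error) {
	if numWorkers < 1 {
		numWorkers = 1 // zero workers would block the feed loop forever
	}
	tasks := make(chan T)
	var mu sync.Mutex // guards results and errs
	var wg sync.WaitGroup
	results, errs := []R{}, []error{}
	for i := 0; i < numWorkers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for item := range tasks { // cancellation surfaces through fn's ctx
				r, err := fn(ctx, item)
				mu.Lock()
				if err != nil {
					errs = append(errs, err) // keep the failure instead of discarding it with _
				} else {
					results = append(results, r)
				}
				mu.Unlock()
			}
		}()
	}
	for _, it := range items {
		tasks <- it
	}
	close(tasks)
	wg.Wait()
	return results, errors.Join(errs...) // nil when nothing failed
}

// RoleDetail is a simplified, hypothetical stand-in for the PR's RoleDetail struct.
type RoleDetail struct{ RoleName string; AttachedPolicies []string }

// fakeDescribeRole is a constructed stand-in for the per-role IAM calls: "broken-role" fails.
func fakeDescribeRole(_ context.Context, name string) (RoleDetail, error) {
	if name == "broken-role" {
		return RoleDetail{}, fmt.Errorf("role %s: ListAttachedRolePolicies: access denied (constructed)", name)
	}
	return RoleDetail{RoleName: name, AttachedPolicies: []string{"ReadOnlyAccess"}}, nil
}

func main() {
	details, err := FetchDetails(context.Background(), []string{"admin", "broken-role", "deploy"}, 10, fakeDescribeRole)
	fmt.Printf("collected %d of 3 roles; err = %v\n", len(details), err)
}
```

The joined error names every role whose lookup failed, so the caller can emit the partial inventory while still flagging the run as incomplete.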

@j3ttt j3ttt requested a review from tianmu2023 August 4, 2025 09:37
@tianmu2023 tianmu2023 merged commit 416dbcf into antgroup:main Aug 11, 2025
1 check passed
