feat: Add AWS external_id support in sigv4 configuration

[dongjiang1989]

Pull Request Checklist

• Is this a new feature?
  • I have added tests that test the new feature's functionality
• I have added/updated the required documentation
• I have signed-off my commits
• I will follow best practices for contributing to this project

Which user-facing changes does this PR introduce?

[ENHANCEMENT] sigv4: Add AWS external_id support

Summary by CodeRabbit

• New Features
  • SNS SigV4 configuration now accepts an optional external ID when role-based credentials are used.
• Documentation
  • Configuration docs updated to describe the new external ID field and its conditional use alongside role ARN.
• Tests
  • Unit tests updated to include scenarios combining role assumption and the external ID.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bb1fdc73-5072-44d3-9c38-db4b52dd6d6e

📥 Commits

Reviewing files that changed from the base of the PR and between 88dbf82 and 4d242dc.

📒 Files selected for processing (3)

• docs/configuration.md
• notify/sns/sns.go
• notify/sns/sns_test.go

✅ Files skipped from review due to trivial changes (1)

• notify/sns/sns_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• notify/sns/sns.go
• docs/configuration.md

---

📝 Walkthrough

Walkthrough

Adds an optional external_id field to SNS SigV4 configuration. Documentation updated; createSNSClient now passes ExternalID to STS AssumeRole when role_arn and external_id are set; tests updated to include the new field.

Changes

Cohort / File(s)	Summary
Documentation Schema docs/configuration.md	Added external_id: <string> to SNS sigv4 schema with constraint: can only be used when role_arn is set.
SNS Client Implementation notify/sns/sns.go	createSNSClient updated to supply ExternalID to STS AssumeRole options when Sigv4.RoleARN is present and Sigv4.ExternalID is non-empty.
SNS Tests notify/sns/sns_test.go	TestNotifyWithInvalidTemplate extended to set Sigv4.RoleARN and Sigv4.ExternalID in the test SigV4 config.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: Add AWS external_id support in sigv4 configuration' clearly and specifically describes the main change—adding AWS external_id support to the sigv4 configuration.
Description check	✅ Passed	The PR description follows the template structure with a completed checklist for new features (tests added, documentation updated, commits signed-off, and contribution best practices commitment) and includes appropriate release notes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

notify/sns/sns.go (1)

143-158: ⚠️ Potential issue | 🟡 Minor

Enforce external_id + role_arn coupling at runtime.

external_id is only read inside the role_arn branch (Line 143), so a config with external_id but no role_arn is silently ignored. Since docs declare this constraint, add an explicit error to fail fast on invalid config.

Suggested guard

 func (n *Notifier) createSNSClient(ctx context.Context, tmpl func(string) string, tmplErr *error) (*sns.Client, error) {
+	if n.conf.Sigv4.ExternalID != "" && n.conf.Sigv4.RoleARN == "" {
+		return nil, fmt.Errorf("sns.sigv4.external_id requires sns.sigv4.role_arn")
+	}
+
 	// Base configuration options that apply to both STS (if used) and the final SNS client.
 	baseCfgOpts := []func(*awsconfig.LoadOptions) error{

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@notify/sns/sns.go` around lines 143 - 158, The code currently ignores
n.conf.Sigv4.ExternalID when n.conf.Sigv4.RoleARN is empty; add a runtime guard
before the STS branch (the block that creates stsClient/stsProvider) that
validates the coupling: if n.conf.Sigv4.ExternalID is set but
n.conf.Sigv4.RoleARN is empty, return an error (from the function that
initializes the SNS client) indicating invalid config. Reference the config
fields n.conf.Sigv4.ExternalID and n.conf.Sigv4.RoleARN and perform this check
prior to calling awsconfig.LoadDefaultConfig / sts.NewFromConfig /
stscreds.NewAssumeRoleProvider so the function fails fast on the invalid
configuration.

🧹 Nitpick comments (1)

notify/sns/sns_test.go (1)

121-123: Current test data includes ExternalID but does not verify the new behavior.

This case still only asserts template failures. Please add a focused test that verifies ExternalID is passed to STS AssumeRole when role_arn is set (and omitted when it is not), so the new feature is actually regression-protected.

Also applies to: 137-139

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@notify/sns/sns_test.go` around lines 121 - 123, Add a focused unit test that
asserts ExternalID is forwarded to STS.AssumeRole when a RoleARN is provided and
omitted when no RoleARN is set: in the sns_test.go tests that set
Region/RoleARN/ExternalID (symbols: RoleARN and ExternalID) create a mock STS
client and verify its AssumeRole invocation includes the ExternalId parameter
when RoleARN is set, and that AssumeRole is called without ExternalId (or not
called at all if implementation skips assume) when RoleARN is empty; update or
add two assertions (one for the positive case and one for the negative case) to
guard the new behavior so ExternalID regressions are caught.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@notify/sns/sns.go`:
- Around line 143-158: The code currently ignores n.conf.Sigv4.ExternalID when
n.conf.Sigv4.RoleARN is empty; add a runtime guard before the STS branch (the
block that creates stsClient/stsProvider) that validates the coupling: if
n.conf.Sigv4.ExternalID is set but n.conf.Sigv4.RoleARN is empty, return an
error (from the function that initializes the SNS client) indicating invalid
config. Reference the config fields n.conf.Sigv4.ExternalID and
n.conf.Sigv4.RoleARN and perform this check prior to calling
awsconfig.LoadDefaultConfig / sts.NewFromConfig / stscreds.NewAssumeRoleProvider
so the function fails fast on the invalid configuration.

---

Nitpick comments:
In `@notify/sns/sns_test.go`:
- Around line 121-123: Add a focused unit test that asserts ExternalID is
forwarded to STS.AssumeRole when a RoleARN is provided and omitted when no
RoleARN is set: in the sns_test.go tests that set Region/RoleARN/ExternalID
(symbols: RoleARN and ExternalID) create a mock STS client and verify its
AssumeRole invocation includes the ExternalId parameter when RoleARN is set, and
that AssumeRole is called without ExternalId (or not called at all if
implementation skips assume) when RoleARN is empty; update or add two assertions
(one for the positive case and one for the negative case) to guard the new
behavior so ExternalID regressions are caught.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f430d2ab-b5e7-4da1-9c8b-ada1ea7d1d05

📥 Commits

Reviewing files that changed from the base of the PR and between d4e8c87 and ca4674a.

📒 Files selected for processing (3)

• docs/configuration.md
• notify/sns/sns.go
• notify/sns/sns_test.go