🐛 Fix foundation model duplicates and privateca tags N+1

Foundation models: query once from default region instead of all regions,
since ListFoundationModels returns a global catalog. Private CA tags:
lazy-load via computed method to avoid N+1 ListTags calls during listing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tas50

.github/actions/spelling/expect.txt

@@ -52,6 +52,7 @@ cname
 compressratio
 cooldown
 cpe
+crowdstrike
 cryptokey
 ctx
 customresources

providers/aws/resources/aws.lr

@@ -10692,7 +10692,7 @@ private aws.privateca.certificateAuthority @defaults("arn status type") {
   // Failure reason if the CA is in a failed state
   failureReason string
   // Tags for the certificate authority
-  tags map[string]string
+  tags() map[string]string
   // PEM-encoded CA certificate
   certificate() string
   // PEM-encoded CA certificate chain

providers/aws/resources/aws.lr.go

@@ -26,78 +26,43 @@ func (a *mqlAwsBedrock) id() (string, error) {
 
 func (a *mqlAwsBedrock) foundationModels() ([]any, error) {
 	conn := a.MqlRuntime.Connection.(*connection.AwsConnection)
-	res := []any{}
-	poolOfJobs := jobpool.CreatePool(a.getFoundationModels(conn), 5)
-	poolOfJobs.Run()
-
-	if poolOfJobs.HasErrors() {
-		return nil, poolOfJobs.GetErrors()
-	}
-	for i := range poolOfJobs.Jobs {
-		if poolOfJobs.Jobs[i].Result != nil {
-			res = append(res, poolOfJobs.Jobs[i].Result.([]any)...)
-		}
-	}
-	return res, nil
-}
+	// ListFoundationModels returns a global catalog, identical across all regions.
+	// Query once from the default region to avoid duplicates.
+	svc := conn.Bedrock("")
+	ctx := context.Background()
 
-func (a *mqlAwsBedrock) getFoundationModels(conn *connection.AwsConnection) []*jobpool.Job {
-	tasks := make([]*jobpool.Job, 0)
-	regions, err := conn.Regions()
+	resp, err := svc.ListFoundationModels(ctx, &bedrock.ListFoundationModelsInput{})
 	if err != nil {
-		return []*jobpool.Job{{Err: err}}
+		return nil, err
 	}
 
-	for _, region := range regions {
-		f := func() (jobpool.JobResult, error) {
-			svc := conn.Bedrock(region)
-			ctx := context.Background()
-			res := []any{}
-
-			// ListFoundationModels is not paginated
-			resp, err := svc.ListFoundationModels(ctx, &bedrock.ListFoundationModelsInput{})
-			if err != nil {
-				if Is400AccessDeniedError(err) {
-					log.Warn().Str("region", region).Msg("error accessing region for AWS API")
-					return res, nil
-				}
-				if IsServiceNotAvailableInRegionError(err) {
-					log.Debug().Str("region", region).Msg("bedrock is not available in region")
-					return res, nil
-				}
-				return nil, err
-			}
-
-			for _, fm := range resp.ModelSummaries {
-				var lifecycleStatus string
-				if fm.ModelLifecycle != nil {
-					lifecycleStatus = string(fm.ModelLifecycle.Status)
-				}
+	res := []any{}
+	for _, fm := range resp.ModelSummaries {
+		var lifecycleStatus string
+		if fm.ModelLifecycle != nil {
+			lifecycleStatus = string(fm.ModelLifecycle.Status)
+		}
 
-				mqlFM, err := CreateResource(a.MqlRuntime, "aws.bedrock.foundationModel",
-					map[string]*llx.RawData{
-						"__id":                       llx.StringDataPtr(fm.ModelArn),
-						"modelArn":                   llx.StringDataPtr(fm.ModelArn),
-						"modelId":                    llx.StringDataPtr(fm.ModelId),
-						"modelName":                  llx.StringDataPtr(fm.ModelName),
-						"providerName":               llx.StringDataPtr(fm.ProviderName),
-						"inputModalities":            llx.ArrayData(enumSliceToAny(fm.InputModalities), types.String),
-						"outputModalities":           llx.ArrayData(enumSliceToAny(fm.OutputModalities), types.String),
-						"customizationsSupported":    llx.ArrayData(enumSliceToAny(fm.CustomizationsSupported), types.String),
-						"inferenceTypesSupported":    llx.ArrayData(enumSliceToAny(fm.InferenceTypesSupported), types.String),
-						"responseStreamingSupported": llx.BoolDataPtr(fm.ResponseStreamingSupported),
-						"modelLifecycleStatus":       llx.StringData(lifecycleStatus),
-					})
-				if err != nil {
-					return nil, err
-				}
-				res = append(res, mqlFM)
-			}
-			return jobpool.JobResult(res), nil
+		mqlFM, err := CreateResource(a.MqlRuntime, "aws.bedrock.foundationModel",
+			map[string]*llx.RawData{
+				"__id":                       llx.StringDataPtr(fm.ModelArn),
+				"modelArn":                   llx.StringDataPtr(fm.ModelArn),
+				"modelId":                    llx.StringDataPtr(fm.ModelId),
+				"modelName":                  llx.StringDataPtr(fm.ModelName),
+				"providerName":               llx.StringDataPtr(fm.ProviderName),
+				"inputModalities":            llx.ArrayData(enumSliceToAny(fm.InputModalities), types.String),
+				"outputModalities":           llx.ArrayData(enumSliceToAny(fm.OutputModalities), types.String),
+				"customizationsSupported":    llx.ArrayData(enumSliceToAny(fm.CustomizationsSupported), types.String),
+				"inferenceTypesSupported":    llx.ArrayData(enumSliceToAny(fm.InferenceTypesSupported), types.String),
+				"responseStreamingSupported": llx.BoolDataPtr(fm.ResponseStreamingSupported),
+				"modelLifecycleStatus":       llx.StringData(lifecycleStatus),
+			})
+		if err != nil {
+			return nil, err
 		}
-		tasks = append(tasks, jobpool.NewJob(f))
+		res = append(res, mqlFM)
 	}
-	return tasks
+	return res, nil
 }
 
 func (a *mqlAwsBedrockFoundationModel) id() (string, error) {

providers/aws/resources/aws_bedrock.go

@@ -16,7 +16,6 @@ import (
 	"go.mondoo.com/mql/v13/providers-sdk/v1/util/convert"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/util/jobpool"
 	"go.mondoo.com/mql/v13/providers/aws/connection"
-	"go.mondoo.com/mql/v13/types"
 )
 
 func (a *mqlAwsPrivateca) id() (string, error) {
@@ -69,7 +68,7 @@ func (a *mqlAwsPrivateca) getCertificateAuthorities(conn *connection.AwsConnecti
 				}
 
 				for _, ca := range page.CertificateAuthorities {
-					mqlCA, err := newMqlPrivatecaCertificateAuthority(a.MqlRuntime, ca, region, svc)
+					mqlCA, err := newMqlPrivatecaCertificateAuthority(a.MqlRuntime, ca, region)
 					if err != nil {
 						return nil, err
 					}
@@ -83,7 +82,7 @@ func (a *mqlAwsPrivateca) getCertificateAuthorities(conn *connection.AwsConnecti
 	return tasks
 }
 
-func newMqlPrivatecaCertificateAuthority(runtime *plugin.Runtime, ca acmpcatypes.CertificateAuthority, region string, svc *acmpca.Client) (*mqlAwsPrivatecaCertificateAuthority, error) {
+func newMqlPrivatecaCertificateAuthority(runtime *plugin.Runtime, ca acmpcatypes.CertificateAuthority, region string) (*mqlAwsPrivatecaCertificateAuthority, error) {
 	var subject any
 	if ca.CertificateAuthorityConfiguration != nil {
 		subject, _ = convert.JsonToDict(ca.CertificateAuthorityConfiguration.Subject)
@@ -99,30 +98,6 @@ func newMqlPrivatecaCertificateAuthority(runtime *plugin.Runtime, ca acmpcatypes
 		signingAlgorithm = string(ca.CertificateAuthorityConfiguration.SigningAlgorithm)
 	}
 
-	tags := make(map[string]any)
-	if ca.Arn != nil {
-		ctx := context.Background()
-		var nextToken *string
-		for {
-			tagsResp, err := svc.ListTags(ctx, &acmpca.ListTagsInput{
-				CertificateAuthorityArn: ca.Arn,
-				NextToken:               nextToken,
-			})
-			if err != nil {
-				break
-			}
-			for _, tag := range tagsResp.Tags {
-				if tag.Key != nil && tag.Value != nil {
-					tags[*tag.Key] = *tag.Value
-				}
-			}
-			if tagsResp.NextToken == nil {
-				break
-			}
-			nextToken = tagsResp.NextToken
-		}
-	}
-
 	res, err := CreateResource(runtime, "aws.privateca.certificateAuthority",
 		map[string]*llx.RawData{
 			"__id":                       llx.StringDataPtr(ca.Arn),
@@ -143,7 +118,6 @@ func newMqlPrivatecaCertificateAuthority(runtime *plugin.Runtime, ca acmpcatypes
 			"createdAt":                  llx.TimeDataPtr(ca.CreatedAt),
 			"lastStateChangeAt":          llx.TimeDataPtr(ca.LastStateChangeAt),
 			"failureReason":              llx.StringData(string(ca.FailureReason)),
-			"tags":                       llx.MapData(tags, types.String),
 		})
 	if err != nil {
 		return nil, err
@@ -217,6 +191,35 @@ func (a *mqlAwsPrivatecaCertificateAuthority) certificateChain() (string, error)
 	return a.certChainData, nil
 }
 
+func (a *mqlAwsPrivatecaCertificateAuthority) tags() (map[string]any, error) {
+	conn := a.MqlRuntime.Connection.(*connection.AwsConnection)
+	svc := conn.Acmpca(a.cacheRegion)
+	ctx := context.Background()
+
+	arn := a.Arn.Data
+	res := map[string]any{}
+	var nextToken *string
+	for {
+		resp, err := svc.ListTags(ctx, &acmpca.ListTagsInput{
+			CertificateAuthorityArn: &arn,
+			NextToken:               nextToken,
+		})
+		if err != nil {
+			return nil, err
+		}
+		for _, tag := range resp.Tags {
+			if tag.Key != nil && tag.Value != nil {
+				res[*tag.Key] = *tag.Value
+			}
+		}
+		if resp.NextToken == nil {
+			break
+		}
+		nextToken = resp.NextToken
+	}
+	return res, nil
+}
+
 func (a *mqlAwsPrivatecaCertificateAuthority) policy() (string, error) {
 	conn := a.MqlRuntime.Connection.(*connection.AwsConnection)
 	svc := conn.Acmpca(a.cacheRegion)