Commit 8aa1d30
⭐ Enhance VPC coverage with new fields, resources, and sub-resources (#7112)
* ⭐ Enhance VPC coverage with new fields and sub-resources
Add typed references, lazy-loaded fields, and new sub-resources to improve
VPC configuration audit coverage for CIS/SOC 2/PCI compliance checks.
New resources:
- aws.ec2.dhcpOptions (DNS/NTP configuration inspection)
- aws.ec2.transitgateway.attachment (VPC, VPN, peering attachments)
- aws.ec2.transitgateway.routeTable (TGW routing configuration)
New fields on existing resources:
- aws.vpc: dhcpOptions(), enableDnsSupport(), enableDnsHostnames()
- aws.vpc.endpoint: securityGroups(), routeTables(), networkInterfaces(), dnsEntries
- aws.vpc.flowlog: iamRole(), logGroup(), s3Bucket()
- aws.vpc.subnet: networkAcl(), natGateway(), flowLogs(), ipv6CidrBlock
- aws.ec2.networkacl.association: subnet() (deprecates subnetId)
- aws.ec2.eip: networkInterface()
- aws.ec2.transitgateway: attachments(), routeTables()
- aws.vpc.vpnGateway: vpnConnections()
- aws.vpc.peeringConnection: requesterAccountId, accepterAccountId, dnsResolutionEnabled
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* ⭐ Add VPC coverage phase 2: new resources and VPN connection enhancement
New resources:
- aws.ec2.managedPrefixList (with lazy-loaded entries)
- aws.ec2.clientVpnEndpoint (with typed VPC and security group refs)
- aws.ec2.customerGateway
- aws.ec2.egressOnlyInternetGateway
- aws.ec2.vpcEndpointServiceConfiguration (PrivateLink provider side)
- aws.ec2.transitgateway.peeringAttachment
Enhanced existing resource:
- aws.ec2.vpnconnection: expose 15+ fields already fetched from API
(id, region, state, type, category, vpnGateway, transitGateway,
customerGateway, staticRoutesOnly, enableAcceleration, network CIDRs,
tunnelInsideIpVersion, tags)
Also:
- Add "tgw" to spelling expect.txt
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* 🧹 Add openvpn to spelling expect.txt
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* 🧹 Fix license headers in new files
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* 🐛 Address PR review comments
- Fix EIP initAwsEc2Eip: populate eipCache so networkInterface() and
instance() work when EIP is resolved via init path
- Fix subnet initAwsVpcSubnet: populate cacheVpcId so flowLogs() and
other methods work when subnet is resolved via init path
- Fix prefix list entry ID collision: use composite key (prefixListId/cidr)
instead of bare CIDR to prevent cache collisions across prefix lists
- Document cross-account TGW ARN limitation on vpnconnection.transitGateway()
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Update permissions
Signed-off-by: Tim Smith <tsmith84@gmail.com>
* 🧹 Remove redundant InternetGatewayBlockMode assignment in initAwsVpcSubnet
The field is already set via args passed to CreateResource.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* 🟢 Add unit tests for VPC coverage changes
Tests cover:
- newMqlVpnConnection: field extraction, nil Options, nil gateway IDs
- EIP networkInterface: null state on nil/empty NetworkInterfaceId
- Flow log iamRole/logGroup/s3Bucket: null state on missing cache,
wrong destinationType, unparseable S3 ARN
- Peering connection: DNS resolution enabled logic, account ID extraction
- VPN connection typed refs: null state on nil/empty gateway IDs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* 🟢 Add tests for VPC helper functions and ARN patterns
- ec2TagsToMap: nil key/value handling, empty/nil slices
- toInterfaceMap: string-to-any conversion
- vpcFilter: filter name and values
- parseTimeOrZero: RFC3339, ISO 8601, nil, empty, garbage input
- ARN patterns: format verification for 8 resource types
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* 🐛 Fix nil dnsEntries causing type conversion error on gateway endpoints
Gateway endpoints have no DNS entries, so convert.JsonToDictSlice returns
nil. Passing nil to llx.ArrayData creates an array with no type info,
causing "cannot convert primitive with NO type information" at query time.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* 🐛 Fix dnsEntries: build dict manually instead of JsonToDictSlice
The DnsEntry SDK type has unexported fields which cause
convert.JsonToDictSlice to produce entries the runtime can't
serialize. Build the dict slice manually from the exported fields.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* 🐛 Fix nil subnets array on gateway endpoints
Same issue as dnsEntries — gateway endpoints have no subnets, so
the nil slice causes a type conversion error at query time.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* 🐛 Add init functions for VPN gateway and customer gateway
Without init functions, NewResource with an ARN creates a shell
resource that can't populate its fields, causing "cannot convert
primitive with NO type information" when the typed reference is
accessed from vpnconnection.vpnGateway() or .customerGateway().
- initAwsVpcVpnGateway: calls DescribeVpnGateways by ID
- initAwsEc2CustomerGateway: loads all customer gateways and matches
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* 🐛 Add init function for network interface
Without an init function, NewResource with just an ID creates a shell
resource that can't populate fields like privateIpAddress, macAddress,
securityGroups, etc. This caused "cannot convert primitive with NO type
information" when accessing eip.networkInterface or
endpoint.networkInterfaces.
Also refactors instance.networkInterfaces() to use shared
buildNetworkInterfaceResource helper.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* 🧹 Add @defaults to networkacl.association: associationId subnetId
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* 🐛 Iterate regions in initAwsVpcVpnGateway when region is empty
When a VPN gateway is resolved by ID alone (no ARN or region),
iterate all enabled regions to find it — matching the pattern
used by initAwsEc2Networkinterface.
Extracts buildVpnGatewayResource helper to share between the
region-search path and the direct-lookup path.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Signed-off-by: Tim Smith <tsmith84@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent db012a9 commit 8aa1d30
File tree
11 files changed: +5052 -77 lines changed
- .github/actions/spelling
- providers/aws/resources
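The two defects the commit message describes, the prefix-list entry cache keyed by bare CIDR (collides when two prefix lists share a CIDR) and the nil slice that loses array type information on gateway endpoints, modelled in a small added Go example. This is not the project's own code; the `prefixListEntry` type, the `indexEntries` and `nonNilDicts` helpers and the sample entries are constructed for illustration.

```go
package main

import "fmt"

// Constructed stand-in for a managed prefix list entry; this is not the
// project's own resource type, only a model of the cache-key problem.
type prefixListEntry struct {
	PrefixListID string
	Cidr         string
	Description  string
}

// compositeKey is the fixed key scheme from the commit: prefixListId/cidr.
func compositeKey(e prefixListEntry) string {
	return e.PrefixListID + "/" + e.Cidr
}

// indexEntries caches the same entries two ways: under the old bare-CIDR key
// and under the composite key. With the bare key, entries from different
// prefix lists that share a CIDR silently overwrite each other.
func indexEntries(entries []prefixListEntry) (byBareCidr, byComposite map[string]prefixListEntry) {
	byBareCidr = make(map[string]prefixListEntry)
	byComposite = make(map[string]prefixListEntry)
	for _, e := range entries {
		byBareCidr[e.Cidr] = e
		byComposite[compositeKey(e)] = e
	}
	return byBareCidr, byComposite
}

// nonNilDicts mirrors the dnsEntries/subnets fix: a nil slice (gateway
// endpoints have no DNS entries or subnets) becomes an empty, typed slice,
// so whatever array is built from it still carries element type information.
func nonNilDicts(in []map[string]any) []map[string]any {
	if in == nil {
		return []map[string]any{}
	}
	return in
}

func main() {
	// Constructed sample: two prefix lists that both contain 10.0.0.0/8.
	sample := []prefixListEntry{
		{"pl-aaa111", "10.0.0.0/8", "corp"},
		{"pl-bbb222", "10.0.0.0/8", "partner"},
		{"pl-bbb222", "192.168.0.0/16", "lab"},
	}
	bare, composite := indexEntries(sample)
	fmt.Printf("bare-CIDR keys: %d, composite keys: %d\n", len(bare), len(composite))
	fmt.Printf("nil dict slice normalised to non-nil: %v\n", nonNilDicts(nil) != nil)
}
```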