⭐ Add AWS Route 53 resources

[tas50]

Summary

Add Route 53 support with new resource types:

• aws.route53: Top-level resource with access to hosted zones, health checks,
  and query logging configs
• aws.route53.hostedZone: DNS zones with records, VPCs, tags, DNSSEC status,
  nameservers, query logging, and key signing keys
• aws.route53.record: DNS record sets with support for alias records, weighted/
  latency/failover/geolocation routing policies, and health check associations
• aws.route53.healthCheck: HTTP/HTTPS/TCP/calculated/CloudWatch health checks
  with full configuration, tags, and status
• aws.route53.queryLoggingConfig: Query logging configs with CloudWatch targets
• aws.route53.keySigningKey: DNSSEC key signing keys with KMS key references

Includes Route 53 client caching in the AWS connection layer, cross-resource
references (records -> health checks, KSKs -> KMS keys, instances -> zones),
and proper handling of private hosted zones (DNSSEC not supported).

> aws.route53.hostedZones.first{*}
aws.route53.hostedZones.first: {
  tags: {}
  isPrivate: true
  id: "/hostedzone/1234"
  resourceRecordSetCount: 3
  vpcs: [
    0: {
      vpcId: "vpc-1234"
      vpcRegion: "us-west-2"
    }
  ]
  name: "foo.com."
  nameServers: []
  type: "PRIVATE"
  arn: "arn:aws:route53:::hostedzone/1234"
  queryLoggingConfig: null
  dnssecStatus: {
    serveSignature: "NOT_SIGNING"
    statusMessage: "DNSSEC is not supported for private hosted zones"
  }
  comment: "internal stuff"
  config: {
    comment: "internal stuff"
    privateZone: true
  }
  records: [
    0: aws.route53.record name="foo.com." type="NS"
    1: aws.route53.record name="foo.com." type="SOA"
    2: aws.route53.record name="tim.foo.com." type="A"
  ]
  keySigningKeys: []
}

aws.route53.healthChecks.first: {
  inverted: false
  callerReference: "12345"
  cloudWatchAlarmConfiguration: {}
  failureThreshold: 3
  port: 80
  id: "12345"
  measureLatency: false
  ipAddress: "63.192.209.236"
  childHealthChecks: []
  fullyQualifiedDomainName: ""
  status: "Failure: Connection timed out. The endpoint or the internet connection is down, or requests are being blocked by your firewall. See https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-router-firewall-rules.html"
  requestInterval: 30
  resourcePath: "/healthcheck"
  type: "HTTP_STR_MATCH"
  enableSNI: false
  searchString: "foo"
  disabled: false
  regions: [
    0: "ap-northeast-1"
    1: "ap-southeast-1"
    2: "ap-southeast-2"
    3: "eu-west-1"
    4: "sa-east-1"
    5: "us-east-1"
    6: "us-west-1"
    7: "us-west-2"
  ]
  tags: {
    Name: "test"
  }
  healthThreshold: 0
  protocol: "HTTP"
  arn: "arn:aws:route53:::healthcheck/12345"
}

[github-actions]

Test Results

5 167 tests  +31   5 163 ✅ +31   2m 15s ⏱️ +16s
  409 suites ± 0       4 💤 ± 0 
   31 files   ± 0       0 ❌ ± 0 

Results for commit cbae34d. ± Comparison against base commit 45e1726.

♻️ This comment has been updated with latest results.

[mondoo-code-review]

Route 53 implementation is mostly solid, but health check status field is incorrectly populated with version number instead of actual status

Superseded by new review

[mondoo-code-review]

These are pre-existing issues — the mock files (mock_coordinator.go, mock_schema.go, mock_plugin_interface.go, mock_volumemounter.go) are absent from the repo because go generate / make mql/generate was never run after the //go:generate mockgen ... directives were added. None of the files involved (providers/coordinator.go, providers/runtime_test.go, providers/coordinator_test.go, providers/os/connection/snapshot/volumemounter.go) were touched by the Route 53 PR.

To fix them, run the go:generate directives:

# From repo root
go generate ./providers/...
go generate ./providers/os/connection/snapshot/...

Or via the full pipeline:

make mql/generate

That will create:

• providers/mock_coordinator.go
• providers/mock_plugin_interface.go
• providers/mock_schema.go
• providers/os/connection/snapshot/mock_volumemounter.go

These errors are not related to the Route 53 PR and were present before it landed.

[mondoo-code-review]

Solid Route 53 implementation with good pagination and caching, but has nil pointer dereference risks on API responses and a few unchecked pointer dereferences inside field mappings.

[mondoo-code-review]

Solid implementation with one nil-dereference risk, redundant API calls, and a PR description that claims resources (delegationSet, trafficPolicy, trafficPolicyInstance) that don't exist in the actual diff.

[mondoo-code-review]

Solid Route 53 implementation, but two methods redundantly call GetDNSSEC and one method does a full health-check list scan when a direct API call is available.

[mondoo-code-review]

Solid implementation with good pagination and error handling, but has three notable performance issues.

[mondoo-code-review]

Unable to complete the code review.

Reason: An internal error occurred during the review.

Error details

claude failed with exit code: signal: interrupt

You can try /review again or reduce the PR size.

Dismissed: review could not be completed

[tas50]

/review

[mondoo-code-review]

Well-structured Route 53 resource implementation with good patterns; a few correctness and robustness issues to address.

Superseded by new review

[mondoo-code-review]

Previous review feedback well addressed; new tests are clean and comprehensive.