parity: mega audit fixes v2 (new parity.md §E–R) — WIP, DO NOT MERGE#2227
Draft
agbishop wants to merge 23 commits into
Draft
parity: mega audit fixes v2 (new parity.md §E–R) — WIP, DO NOT MERGE#2227agbishop wants to merge 23 commits into
agbishop wants to merge 23 commits into
Conversation
Add real create→read/list→delete integration tests for §G-flagged untested services: comprehend, translate, polly, rekognition, guardduty, accessanalyzer, detective, apprunner, fsx, datasync, directoryservice, workspaces, appstream. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add real lifecycle integration tests for remaining §G services: securityhub (insight), macie2 (custom data identifier), inspector2 (filter), appmesh (mesh + virtual node), forecast (dataset group), personalize (dataset group), rolesanywhere (trust anchor), dax (subnet + parameter group), mediapackage (channel), mediatailor (source location), workmail (org + group), quicksight (group), medialive (input security group). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add Terraform fixtures and parity_mega_test.go (own provider block with the §H endpoints) for high-value §H/§O services: guardduty detector, securityhub account, workspaces ip_group, appstream stack, classic waf ipset+rule, and fsx lustre (VPC+subnet+filesystem). Each verifies the applied resource via the AWS SDK. Document the integration + terraform coverage added and the deferred §G/§H/§O remaining list (opsworks/account lack SDK modules; remaining terraform fixtures; cross-service e2e) in parity.md. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Implement the genuine items from parity.md §P (pass 4); verify and skip the false positives that would have regressed AWS fidelity. Fixed: - Cognito IDP: ListUserPools/ListUserPoolClients/ListUsers honor MaxResults/Limit + emit NextToken/PaginationToken (validateCognitoMaxResults 1-60); AdminSetUserPassword now enforces pool password policy. - Glue: StopCrawler transitions STOPPING->READY (was stuck forever). - RDS: AllocatedStorage range 20-65536; BackupRetentionPeriod always emitted. - KMS: ListKeys/ListAliases Limit 1-1000, ListResourceTags 1-50 -> ValidationException. - IAM: parseMaxItems clamps to <=1000. - CodePipeline: ListPipelineExecutions honors maxResults + nextToken. - Athena: ListQueryExecutions honors MaxResults(50)+NextToken, omits on last page. - IoT: ListThings/ListTopicRules/ListPolicies paginate. - EC2: DescribeInstanceStatus emits systemStatus/instanceStatus health objects. - S3: DeleteObjects >1000 -> MalformedXML; MaxKeys clamped to 1000; ListMultipartUploadsResult.Prefix always emitted. - StepFunctions/EventBridge: list output NextToken gained omitempty. False positives left unchanged (would diverge from AWS): all pagination cursor 'off-by-one' items (consistent conventions), SNS XML casing (SDK case-insensitive, AWS uses lowercase), SQS queueUrls (AWS lowercase), DynamoDB Scan count + StreamSpecification, Lambda memory validation, SecretsManager/SecurityHub defaults, CloudFormation MaxResults (no such param). Remaining §P items and rationale appended to parity.md. Added table-driven tests per fix. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Implements parity.md §E by adding list/detail dashboard pages for 18 AWS services that had working backends but no UI route, making them reachable in the console: accessanalyzer, account, appmesh, databrew, datasync, dax, detective, directoryservice, dlm, forecast, macie2, medialive, mediapackage, mediatailor, personalize, quicksight, rolesanywhere, workmail Each page follows the existing fsx/shield template: tabbed list views wired to real backend data via the typed AWS JS SDK (through the gopherstack endpoint), client-side search, refresh, status pills and empty/error states. Pages requiring a parent id (App Mesh meshName, MediaTailor source location, WorkMail organization) expose a filter input; QuickSight exposes an editable AwsAccountId. All routes registered in nav.ts (implementedDashboardRouteIds + sidebarCategories) with getXClient factories in aws-client.ts. New SDK clients pinned to 3.1053.0 to match the existing UI SDK and keep @smithy/core at 3.24.4 (newer clients pull an incompatible @smithy/core that breaks the bundle). opsworks and qldb deferred (documented in parity.md §E status): opsworks has no compatible client release, qldb has no backend. §F (per-service UI features) not started this pass; backlog noted in parity.md. Scope: dashboard UI only (ui/*). No services/test/terraform changes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| n = defaultMaxKeys | ||
| } | ||
|
|
||
| maxKeys = int32(n) //nolint:gosec // Clamped to [0, 1000] |
- cognitoidp: enforce token_use=="access" in ParseAccessToken so an ID token is rejected where an access token is required (GetUser, GlobalSignOut). - cognitoidp: preserve original auth_time across REFRESH_TOKEN_AUTH instead of resetting it on each refresh (stored on refreshTokenEntry). - cognitoidp: ConfirmSignUp rejects an empty/cleared stored code for an unconfirmed user (close empty-code bypass); keep re-confirm idempotent. - cognitoidentity: GetCredentialsForIdentity rejects an empty Logins map for an authenticated identity (close auth bypass) with NotAuthorized. Table-driven tests for each fix. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- CreateStack/UpdateStack: map backend errors to distinct AWS codes
(AlreadyExistsException, InsufficientCapabilitiesException, ValidationError)
instead of collapsing all to one code.
- CreateChangeSet: a change set with no changes is FAILED / UNAVAILABLE (with
AWS status reason), not AVAILABLE.
- DescribeStacks: always serialize DisableRollback (drop omitempty) to match AWS.
- resolveDynamicRef: fix off-by-one so a value with exactly the iteration-limit
number of {{resolve:...}} refs resolves successfully instead of erroring.
Table-driven tests for each fix.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Fix nextTokenFromSlice, which always returned "" so pagination never advanced; it now returns the ID of the first item of the next page (passed getID through). - parsePageParams now returns ValidationException for a non-numeric maxResults instead of silently dropping non-digit characters / coercing to 0. Table-driven tests: full token-walk visits every item once; invalid maxResults yields HTTP 400. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- OpsWorks: unknown action returns HTTP 400 ValidationException, not 501. - VerifiedPermissions: CreatePolicyStore bounds description at 150 chars (AWS PolicyStoreDescription max length). Table-driven tests for both. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- EMR Serverless: ListApplications/ListJobRuns/ListJobRunAttempts reject a maxResults outside 1-50 with ValidationException (was silently ignored). - MediaStore Data: ListItems rejects MaxResults outside 1-1000 with ValidationException. Table-driven tests; updated EMR Serverless pagination test to expect 400 for invalid maxResults. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- IdentityStore: ListUsers rejects MaxResults outside 1-100 with ValidationException (was silently capped). IsMemberInGroups MaxResults item skipped — that op has no MaxResults parameter in AWS (false-positive). - Batch: ListJobs requires jobQueue (AWS ClientException without a grouping key); jobStatus stays optional. Updated existing test that asserted the non-AWS list-all behavior. Table-driven tests. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Polly: ListSpeechSynthesisTasks and ListLexicons omit NextToken from the
response when empty instead of always emitting an empty key.
- API Gateway Management: GoneException returned in the AWS rest-json shape —
type in the X-Amzn-Errortype header and body __type, with a human-readable
message (was {"message":"GoneException"}).
False-positives skipped: DynamoDB Streams MillisBeforeExpiration (no such field
in DDB Streams GetRecords), Scheduler MaximumWindowInMinutes (already omitempty).
Table-driven tests.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- S3Control: CreateJob rejects a negative Priority (AWS @range min 0). The parity note's 0-256 cap was inaccurate (AWS max is 2147483647); int32 already bounds the top. - Account: PutAlternateContact validates the five required fields (AlternateContactType, EmailAddress, Name, PhoneNumber, Title). False-positives skipped: Account ListRegions (already reads maxResults/nextToken), Account Details.Id casing (PascalCase is consistent and AWS-accurate), Glacier ListJobs lower bound (already validated). Table-driven tests. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Static-wrap IdentityStore MaxResults error, CFN ValidationError const + drop named returns, remove now-unused rolesanywhere base10, and test-only fixes (field alignment, require-error, InDelta, range-over-int, maps.Copy). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Record implemented items, verified false-positives (skipped to avoid fidelity regressions), and deferred genuine-but-invasive items. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- SQS: batch send (SendMessageBatch) modal, client-side message filter by body/attribute - SNS: structured message-attribute editor (fields + validated JSON toggle) - KMS: ciphertext base64/hex toggle in encrypt/decrypt/re-encrypt, key-policy JSON formatter + inline validation - Secrets Manager: structured key-value editor for secret value Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- SSM: /-path folder tree navigation (Flat/Tree toggle) with collapsible folders alongside the flat parameter list - Lambda: Event Source Mappings (Triggers) panel — list, create (SQS/DynamoDB/Kinesis), enable/disable, delete Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…tatus - Athena: export query results to CSV and JSON - CloudWatch Logs: Insights query result CSV export - parity.md: record §F implementation status and remaining list Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…al UpdateTaskExecution - Inspector2: ListFindings is now seedable + filterCriteria-aware (severity/ type/status/account string filters with EQUALS/NOT_EQUALS/PREFIX), paginated, and ListFindingAggregations reports real per-account severity counts. Exceeds LocalStack's hardwired-empty ListFindings. - ApplicationAutoScaling: DescribeScalableTargets/ScalingPolicies/ScheduledActions now emit a real NextToken via deterministic sorted pagination (were accepting MaxResults but never returning a cursor). - SSOAdmin: ListPermissionSets/Instances/AccountAssignments/Applications now emit a real NextToken (were hardcoded null). - DataSync: UpdateTaskExecution now persists Options (e.g. BytesPerSecond) and rejects terminal-state executions; DescribeTaskExecution returns Options (was a no-op stub that broke the update->describe round-trip). All table-driven tests; go build/vet/test -race + golangci-lint clean on touched pkgs. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…acktest metrics GetAccuracyMetrics returned an empty PredictorEvaluationResults; it now returns AWS-shaped backtest windows (RMSE, WeightedQuantileLosses per configured quantile, WAPE/MAPE/MASE error metrics) derived from a stable hash of the predictor ARN so results are deterministic across calls. Exceeds LocalStack's empty result. Table-driven tests; build/vet/test + lint clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… deferred) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Wire 22 commonly-used AWS::* resource types to their real service backends (create→backend create, delete→backend delete, Fn::GetAtt→backend fields): Logs LogStream/MetricFilter/SubscriptionFilter/ResourcePolicy/QueryDefinition, EC2 Volume/VolumeAttachment/NetworkInterface, ApiGatewayV2 Integration/Route/Authorizer, KMS Alias, SNS TopicPolicy, Events Connection/Archive, StepFunctions Activity, SSM Document, SecretsManager ResourcePolicy, CloudFront Function/CachePolicy/OriginAccessControl/ ResponseHeadersPolicy. Table-driven tests assert each type's backend resource really exists after create and is cleaned up after delete, plus GetAtt returns real values. Document implemented + remaining sets in parity.md §K. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Wire missing per-service UI features to the live AWS JS SDK on existing dashboard pages (no placeholders), matching each page's tab/list/detail patterns: - S3: access-logging config+view, storage analytics (size by prefix), static-website endpoint URL display - DynamoDB: point-in-time recovery (PITR) enable/disable + window - EC2: security-group rule editor + create/delete, Elastic IP allocate/associate/disassociate/release - Lambda: versions/aliases/concurrency panel - IAM: user inline-policy editor + group membership - CloudWatch: metric charts (GetMetricStatistics SVG time-series) - Step Functions: execution state timeline, redrive, ASL validator - RDS: parameter-group editor + snapshot restore - ECS: service update (desired count/task-def/force deploy) - ECR: CVE scan-findings detail + docker pull/push snippet - EKS: kubeconfig CLI command + node-group scaling - EventBridge: rule targets view/edit + archive replay - CloudFormation: stack-policy editor tab - ElastiCache: parameter-group editor + TestFailover Update parity.md §F status block with done/remaining. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Single mega PR for the NEW parity.md backlog (§E–R; A–D already merged via #2226). Fixes stacked on one branch. DO NOT MERGE until all items complete.
Tracks (landing incrementally):
No stubs, no //nolint, real emulation. Progress updated as batches land.