feat: add core data collection for eks coverage

.gitignore

@@ -3,3 +3,5 @@ dist/
 .DS_Store
 # TODO: Change this to match the specific plugin name
 /plugin-*
+
+.ai/

Makefile

@@ -15,6 +15,8 @@ ifeq ($(OPA),)
 $(error "opa CLI not found. Please install it: https://www.openpolicyagent.org/docs/latest/cli/")
 endif
 
+.PHONY: test clean build run
+
 ##@ Help
 help: ## Display this concise help, ie only the porcelain target
 	@awk 'BEGIN {FS = ":.*##"; printf "\033[1mUsage\033[0m\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-30s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
@@ -31,7 +33,7 @@ clean: # Cleanup build artifacts
 
 build: clean ## Build the plugin package
 	@mkdir -p dist/
-	@go build -o dist/plugin main.go
+	@go build -o dist/plugin .
 
 run: build ## Execute the Concom agent with the built plugin
-	@../agent/dist/./concom agent --config ./.config/config.yaml
+	@../agent/dist/./concom agent --config ./.config/config.yaml

README.md

@@ -1,62 +1,101 @@
-# Compliance Framework Plugin Template
+# AWS EKS CCF Plugin
 
-This is a template for building a compliance framework plugin.
+This plugin collects read-only Amazon EKS data, evaluates CCF Rego policy bundles, and emits evidence back through the CCF agent.
 
-Inspect main.go for a detailed description of how to build the plugin.
+## Supported Resource Families
 
-## Prerequisites
+The collector evaluates policies for:
 
-* GoReleaser https://goreleaser.com/install/
+- EKS clusters
+- EKS managed node groups
+- EKS managed add-ons
 
-## Building
+## How It Fits In CCF
 
-Once you are ready to serve the plugin, you need to build the binaries which can be used by the agent.
+The CCF agent starts this binary through HashiCorp `go-plugin`, passes configuration and policy paths over gRPC, and receives generated evidence through the runner callback. This repository does not call the CCF API directly.
 
-```shell
-goreleaser release --snapshot --clean
-```
+## Default Policy Bundle Mapping
 
-## Usage
+| Repository | Behavior | Primary input |
+| --- | --- | --- |
+| `plugin-aws-eks-policies` | `cluster` | `input.cluster` + `input.cluster_context` |
+| `plugin-aws-eks-nodegroup-policies` | `nodegroup` | `input.nodegroup` + `input.nodegroup_context` |
+| `plugin-aws-eks-addon-policies` | `addon` | `input.addon` + `input.addon_context` |
 
-You can use this plugin by passing it to the compliance agent or by specifying it in the agent config
+Each bundle evaluates one resource family at a time. Cluster context includes summarized related managed node groups and add-ons so cluster-level policies can check required add-ons without evaluating add-on policies against cluster input.
 
-```shell
-agent --plugin=[PATH_TO_YOUR_BINARY]
-```
+## Configuration
 
-```yaml
-# AGENT CONFIG
+The plugin expects:
+
+- AWS credentials through the default AWS SDK credential chain
+- target regions from `config.regions` or `config.region`
+- `AWS_REGION` as a fallback when plugin config does not provide a region
 
-verbosity: 2
+Any agent-supplied `policy_data` is passed through to Rego as `data.*`.
 
-api:
-  url: http://localhost:8080
+Example agent plugin config:
 
+```yaml
 plugins:
-  # Plugin execution identifier
-  myplugin:
-    # Config mapping passed through to Configure lifecycle event
-    config:
-      anykey: "anyval"
-      policy_labels: "{\"my_key\":\"my_value\"}"
-    # Compatible protocol version: Defaults to 1, can also be determined a plugin image manifest annotation of "org.ccf.plugin.protocol.version=2"
+  aws-eks:
     protocol_version: 2
-    # Source to plugin executable location. Can be an OCI image or local executable
     source: /path/to/dist/plugin
-    # List to all policies to pass to plugin, all may be processed or filtered later via policy_behavior
+    config:
+      regions: "eu-west-2,us-east-1"
     policies:
-       - /path/to/policy/bundle.tar.gz
-    # Policy behaviour can be defined to later filter policies to specific bundles per execution
-    # This is useful if your plugin proccesses more than 1 type of component
-    policy_behavior:
-      string-to-match-to-policy:
-        - "associated-behavior-1"
-    # Policy data is passed to the plugin for evaluation, can be used to customize evaluation parameters
-    policy_data:
-      policy_data_key: "policy_data_value"
-
+      - /path/to/plugin-aws-eks-policies/dist/bundle.tar.gz
+      - /path/to/plugin-aws-eks-nodegroup-policies/dist/bundle.tar.gz
+      - /path/to/plugin-aws-eks-addon-policies/dist/bundle.tar.gz
+```
+
+## Data Collected
+
+Depending on the selected policy bundles, the plugin collects and reuses:
+
+- `ListClusters` and `DescribeCluster`
+- `ListNodegroups` and `DescribeNodegroup`
+- `ListAddons` and `DescribeAddon`
+
+The plugin collects shared regional datasets once and reuses them across resource-family evaluation to reduce AWS API calls.
 
+## IAM Permissions
+
+The AWS principal used by the plugin needs read-only EKS permissions for the configured regions:
+
+```json
+{
+  "Effect": "Allow",
+  "Action": [
+    "eks:ListClusters",
+    "eks:DescribeCluster",
+    "eks:ListNodegroups",
+    "eks:DescribeNodegroup",
+    "eks:ListAddons",
+    "eks:DescribeAddon"
+  ],
+  "Resource": "*"
+}
+```
+
+## Development
+
+Run the local test suite with:
+
+```shell
+go test ./...
 ```
 
-You can also use `make run` to build this plugin and execute against the agent, if the agent is located in the parent directory. See Makefile:run
+Or use the Makefile wrapper:
+
+```shell
+make test
+```
+
+Build the plugin binary with:
+
+```shell
+make build
+```
 
+This writes the compiled plugin to `dist/plugin`.

go.mod

@@ -1,15 +1,30 @@
-module github.com/compliance-framework/plugin-template
+module github.com/compliance-framework/plugin-aws-eks
 
 go 1.26.1
 
 require (
+	github.com/aws/aws-sdk-go-v2 v1.41.12
+	github.com/aws/aws-sdk-go-v2/config v1.32.23
+	github.com/aws/aws-sdk-go-v2/service/eks v1.84.5
 	github.com/compliance-framework/agent v0.7.0
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-plugin v1.7.0
 )
 
 require (
 	github.com/agnivade/levenshtein v1.2.1 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.22 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.28 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.28 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.28 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.29 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.28 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.1.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.31.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.36.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.43.2 // indirect
+	github.com/aws/smithy-go v1.27.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/compliance-framework/api v0.16.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect

go.sum

@@ -14,38 +14,38 @@ github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNg
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
-github.com/aws/aws-sdk-go-v2 v1.41.2 h1:LuT2rzqNQsauaGkPK/7813XxcZ3o3yePY0Iy891T2ls=
-github.com/aws/aws-sdk-go-v2 v1.41.2/go.mod h1:IvvlAZQXvTXznUPfRVfryiG1fbzE2NGK6m9u39YQ+S4=
-github.com/aws/aws-sdk-go-v2/config v1.32.10 h1:9DMthfO6XWZYLfzZglAgW5Fyou2nRI5CuV44sTedKBI=
-github.com/aws/aws-sdk-go-v2/config v1.32.10/go.mod h1:2rUIOnA2JaiqYmSKYmRJlcMWy6qTj1vuRFscppSBMcw=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.10 h1:EEhmEUFCE1Yhl7vDhNOI5OCL/iKMdkkYFTRpZXNw7m8=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.10/go.mod h1:RnnlFCAlxQCkN2Q379B67USkBMu1PipEEiibzYN5UTE=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18 h1:Ii4s+Sq3yDfaMLpjrJsqD6SmG/Wq/P5L/hw2qa78UAY=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18/go.mod h1:6x81qnY++ovptLE6nWQeWrpXxbnlIex+4H4eYYGcqfc=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18 h1:F43zk1vemYIqPAwhjTjYIz0irU2EY7sOb/F5eJ3HuyM=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18/go.mod h1:w1jdlZXrGKaJcNoL+Nnrj+k5wlpGXqnNrKoP22HvAug=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18 h1:xCeWVjj0ki0l3nruoyP2slHsGArMxeiiaoPN5QZH6YQ=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18/go.mod h1:r/eLGuGCBw6l36ZRWiw6PaZwPXb6YOj+i/7MizNl5/k=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.16 h1:CjMzUs78RDDv4ROu3JnJn/Ig1r6ZD7/T2DXLLRpejic=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.16/go.mod h1:uVW4OLBqbJXSHJYA9svT9BluSvvwbzLQ2Crf6UPzR3c=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5 h1:CeY9LUdur+Dxoeldqoun6y4WtJ3RQtzk0JMP2gfUay0=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5/go.mod h1:AZLZf2fMaahW5s/wMRciu1sYbdsikT/UHwbUjOdEVTc=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18 h1:LTRCYFlnnKFlKsyIQxKhJuDuA3ZkrDQMRYm6rXiHlLY=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18/go.mod h1:XhwkgGG6bHSd00nO/mexWTcTjgd6PjuvWQMqSn2UaEk=
+github.com/aws/aws-sdk-go-v2 v1.41.12 h1:DIKX2c31ekm9RA2D9FBj1EWXx++9AdAqRw+e78Tq2Ck=
+github.com/aws/aws-sdk-go-v2 v1.41.12/go.mod h1:27+ACypSLljLAEKsCYOmrjKh83vuTRkuAe9Uv/3A4bg=
+github.com/aws/aws-sdk-go-v2/config v1.32.23 h1:PYDobtcsJXK6bQe9I8RQk6s19Bz3xa3xRU08Hy1Em3Y=
+github.com/aws/aws-sdk-go-v2/config v1.32.23/go.mod h1:QID4dqUQVgEOYPKsPWd1sNWCCR2c5g7o3jeEtIXPOZU=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.22 h1:SHfH6wyPsEgG7fVsi5rQxWEt7tuIcN2PGhb1mTFv6tE=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.22/go.mod h1:54nO8lKD4aQPOntM/VTWjnR+DYzTwx0YkSMZMhAgewQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.28 h1:b+kcDejJrXc30zU/w8Tc9klISwaO5wh+6T0sMBdDoHM=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.28/go.mod h1:LnI62O9GnSv6GcuLXxOYqlq0C8EmxMcgnF6m7LdYuOY=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.28 h1:Xf2j7NdVcUKomlZ4iihOP4AZ3Fzlr8h4yKpXeP+OFPg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.28/go.mod h1:O8cDo1dW63jU7ki//kRe1z+tLGcpnD1jrouitsQddDw=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.28 h1:KqIfN9kpkKkcBqBbNpNGTIrXO6ExTUvFKvXkC+YAzVo=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.28/go.mod h1:uxtQiKvLtNS4iXVsH2McVD/ls8FKN/uUhe1hGxPjrw0=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.29 h1:VkE9FuzTQVjBBrnj4+oCdxCLFIz7aqLYKUCjtvxVcOs=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.29/go.mod h1:H32Z2Qth9b+9LqjyBsCnozMQ8H2N7YBUDVXwbs0iggg=
+github.com/aws/aws-sdk-go-v2/service/eks v1.84.5 h1:erqzVPMSmQkBWSovla49E0svTFhyLPRGljZy4hMisIo=
+github.com/aws/aws-sdk-go-v2/service/eks v1.84.5/go.mod h1:UB1zkSdu6MppVpPr0PZc4uNEhQJvaq/icAN+gtUOVo8=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.12 h1:ZD2+BSw9vFsNlKYIasSNt3uDbjqqXIBcM13UJv/Lx2k=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.12/go.mod h1:Ms4zlcVBbXbiP7EVLhl+lgjvA/a7YphqQ3Ih3174EmI=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.28 h1:axj4mEDletwKmTm/9jR+DkIMmCfcn5vE4jBMAAN+3Vg=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.28/go.mod h1:3Aaz69M0jqfSHLKqxgolgUBFT4hpwSNc7DzC95orEi8=
 github.com/aws/aws-sdk-go-v2/service/sesv2 v1.59.0 h1:HQYog9wJM8D9aF0bOVzzWbjpWZ7exyjc3rLb7P8Qb8E=
 github.com/aws/aws-sdk-go-v2/service/sesv2 v1.59.0/go.mod h1:p0iz0in3/mt3aS2Ovk3aKeOq5vwM/V3prQG9nlBO/OM=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.6 h1:MzORe+J94I+hYu2a6XmV5yC9huoTv8NRcCrUNedDypQ=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.6/go.mod h1:hXzcHLARD7GeWnifd8j9RWqtfIgxj4/cAtIVIK7hg8g=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.11 h1:7oGD8KPfBOJGXiCoRKrrrQkbvCp8N++u36hrLMPey6o=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.11/go.mod h1:0DO9B5EUJQlIDif+XJRWCljZRKsAFKh3gpFz7UnDtOo=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.15 h1:edCcNp9eGIUDUCrzoCu1jWAXLGFIizeqkdkKgRlJwWc=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.15/go.mod h1:lyRQKED9xWfgkYC/wmmYfv7iVIM68Z5OQ88ZdcV1QbU=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.7 h1:NITQpgo9A5NrDZ57uOWj+abvXSb83BbyggcUBVksN7c=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.7/go.mod h1:sks5UWBhEuWYDPdwlnRFn1w7xWdH29Jcpe+/PJQefEs=
-github.com/aws/smithy-go v1.24.1 h1:VbyeNfmYkWoxMVpGUAbQumkODcYmfMRfZ8yQiH30SK0=
-github.com/aws/smithy-go v1.24.1/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
+github.com/aws/aws-sdk-go-v2/service/signin v1.1.4 h1:YcpVyIPLCbiypN6KSphijN5fC7DDjX114SqA7prnnxg=
+github.com/aws/aws-sdk-go-v2/service/signin v1.1.4/go.mod h1:5ZICS++oFTRPfa1GsBqFDWX/8WamZ/QQOcCzIuU/zLw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.31.2 h1:ySNWu7TPmj5fKFIa1GYvX+Ddxd5ccruqC20aMNuyWDM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.31.2/go.mod h1:A+U9luAOwFeB1kseyWCITVg7/NntoPebCFR9pQ4ch9A=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.36.5 h1:KSzGGqfk39O+WU3OEyYbx6F7sLDQCqxlOJ+2IksfK6U=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.36.5/go.mod h1:ATs88lXDeQB6CZOgQ5BIl9JbYS+EsCWUSDyff6L/oVo=
+github.com/aws/aws-sdk-go-v2/service/sts v1.43.2 h1:RTO7mmGyedgnNmcPh3yQizNfc6GKoV5iqfdJavuf9vw=
+github.com/aws/aws-sdk-go-v2/service/sts v1.43.2/go.mod h1:fBhUZXDin9YYqhcpOMjIcpdik25rVwWyxLdPH1RZd9s=
+github.com/aws/smithy-go v1.27.1 h1:4T340VFndXtADGF52gYa1POyL7s9E4Z1OeZ1hCscIw8=
+github.com/aws/smithy-go v1.27.1/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/FBatYVw=

internal/addon.go

@@ -0,0 +1,118 @@
+package internal
+
+import (
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/eks/types"
+	"github.com/compliance-framework/agent/runner/proto"
+)
+
+func EvaluateAddonPolicies(deps EvaluationDependencies, policyPaths []string, addons []types.Addon, region string, datasets RegionDatasets) ResourceEvaluationErrors {
+	return EvaluateResources(
+		deps,
+		policyPaths,
+		addons,
+		func(addon types.Addon) ResourceEvidenceContext {
+			return BuildAddonEvidenceContext(addon, region)
+		},
+		func(addon types.Addon) (interface{}, error) {
+			return BuildAddonPolicyInput(addon, region, datasets)
+		},
+		func(addon types.Addon, err error) {
+			deps.Logger.Error("unable to build EKS add-on policy input", "cluster_name", aws.ToString(addon.ClusterName), "addon_name", aws.ToString(addon.AddonName), "region", region, "error", err)
+		},
+		func(evidences []*proto.Evidence, addon types.Addon) {
+			PrefixEvidenceTitles(evidences, AddonDisplayName(addon))
+		},
+	)
+}
+
+func BuildAddonPolicyInput(addon types.Addon, region string, datasets RegionDatasets) (map[string]interface{}, error) {
+	addonValue, err := ToInterfaceMap(addon)
+	if err != nil {
+		return nil, err
+	}
+
+	contextValue, err := ToInterfaceMap(buildAddonSupplementaryContext(addon, region, datasets))
+	if err != nil {
+		return nil, err
+	}
+
+	return map[string]interface{}{
+		"addon":         addonValue,
+		"addon_context": contextValue,
+	}, nil
+}
+
+func buildAddonSupplementaryContext(addon types.Addon, region string, datasets RegionDatasets) map[string]interface{} {
+	clusterName := aws.ToString(addon.ClusterName)
+
+	return map[string]interface{}{
+		"current": map[string]interface{}{
+			"cluster_name":             clusterName,
+			"addon_name":               aws.ToString(addon.AddonName),
+			"addon_arn":                aws.ToString(addon.AddonArn),
+			"region":                   region,
+			"status":                   string(addon.Status),
+			"addon_version":            aws.ToString(addon.AddonVersion),
+			"health_issue_count":       addonHealthIssueCount(addon),
+			"owner":                    aws.ToString(addon.Owner),
+			"publisher":                aws.ToString(addon.Publisher),
+			"tags_present":             len(addon.Tags) > 0,
+			"has_service_account_role": aws.ToString(addon.ServiceAccountRoleArn) != "",
+		},
+		"cluster": findClusterByName(datasets.Clusters, clusterName),
+	}
+}
+
+func AddonDisplayName(addon types.Addon) string {
+	return aws.ToString(addon.AddonName)
+}
+
+func addonHealthIssueCount(addon types.Addon) int {
+	if addon.Health == nil {
+		return 0
+	}
+	return len(addon.Health.Issues)
+}
+
+func filterAddonsByCluster(addons []types.Addon, clusterName string) []types.Addon {
+	filtered := make([]types.Addon, 0)
+	for _, addon := range addons {
+		if aws.ToString(addon.ClusterName) == clusterName {
+			filtered = append(filtered, addon)
+		}
+	}
+	return filtered
+}
+
+func addonNames(addons []types.Addon) []string {
+	names := make([]string, 0, len(addons))
+	for _, addon := range addons {
+		if name := aws.ToString(addon.AddonName); name != "" {
+			names = append(names, name)
+		}
+	}
+	return names
+}
+
+func activeAddonNames(addons []types.Addon) []string {
+	names := make([]string, 0, len(addons))
+	for _, addon := range addons {
+		if addon.Status == types.AddonStatusActive {
+			if name := aws.ToString(addon.AddonName); name != "" {
+				names = append(names, name)
+			}
+		}
+	}
+	return names
+}
+
+func findClusterByName(clusters []types.Cluster, clusterName string) *types.Cluster {
+	for _, cluster := range clusters {
+		if aws.ToString(cluster.Name) == clusterName {
+			clusterCopy := cluster
+			return &clusterCopy
+		}
+	}
+	return nil
+}