feat: add full bucket data collection

[reecebedding]

Summary by CodeRabbit

Release Notes

• New Features

  • Added AWS S3 bucket discovery and configuration analysis
  • Implemented S3 bucket policy compliance evaluation
  • Added multi-region AWS support

• Tests

  • Added unit tests for bucket operations and policy evaluation functions

[coderabbitai]

Warning

Review limit reached

@reecebedding, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 1 minute. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: f4c11a1d-3be6-4b72-9f1d-25dea2d7aceb

📥 Commits

Reviewing files that changed from the base of the PR and between e220af2 and 94c28d5.

📒 Files selected for processing (6)

• README.md
• internal/bucket_apis.go
• internal/bucket_apis_test.go
• main.go
• main_test.go
• subject_templates.go

📝 Walkthrough

Walkthrough

This PR implements a complete AWS S3 compliance plugin that collects S3 bucket configurations, evaluates bucket policies against configured compliance rules, and reports evidence through the compliance framework. The plugin resolves AWS regions, fetches bucket metadata across accounts/regions, generates policy evidence via a reusable evaluation pipeline, and returns status with error aggregation.

Changes

AWS S3 Compliance Plugin Implementation

Layer / File(s)	Summary
Project setup and module identity go.mod, Makefile, .gitignore, main.go	Go module renamed to github.com/compliance-framework/plugin-aws-s3 with AWS SDK v2 and Smithy dependencies added; build target updated to compile the current package rather than main.go directly; .ai/ directory ignored; startup log adjusted to identify the AWS S3 plugin.
Utility functions: region resolution and hashing internal/util.go, internal/util_test.go	ResolveRegions derives an ordered, deduplicated list of AWS regions from comma-separated config, fallback region field, environment variable, or default us-east-1; SHA256Hex computes policy document hashes for change detection; both functions tested for configuration precedence and deterministic output.
S3 bucket data model and collection API internal/bucket_apis.go, internal/buckets.go, internal/buckets_test.go	Exported types model S3 bucket resource identity and configuration state (encryption, public access block, policy metadata, ownership controls, versioning, object lock, lifecycle, replication, logging, website settings); getBucketX helpers query AWS SDK APIs with appropriate error handling for missing configuration; CollectBucketDatasets lists buckets, resolves regions, collects per-bucket state across allowed regions, and aggregates errors; BuildBucketPolicyInput converts bucket state to policy input maps; test validates policy input includes both bucket and context keys.
Generic resource policy evaluation framework internal/policy_evaluation.go	Reusable resource evaluation pipeline that builds evidence context per resource, generates policy evidences across multiple policy paths, distinguishes input-build failures from evaluation errors, accumulates errors, optionally calls post-generation hooks, and submits evidences via API helper while returning fatal send errors.
S3 bucket evidence context and plugin integration internal/evidence.go, main.go, main_test.go	BuildBucketEvidenceContext constructs standardized S3 bucket labels, Amazon S3 component entries, inventory items with bucket metadata (name, region, ARN), and evidence subjects; EvaluateBucketPolicies wires bucket datasets through the generic evaluation framework with bucket-specific evidence context and display name prefixes; plugin Eval refactored to resolve regions, collect bucket datasets, evaluate bucket policies, aggregate errors, and return execution status; Configure now preserves raw configuration; Init simplified to no-op; tests verify supported policy behaviors and required dataset mapping.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 Hops through S3 buckets with glee,
Collecting compliance policies with care,
Tags and encryption, regions declared,
Evidence whiskers twitch in the breeze,
An AWS S3 plugin done with ease! 🏗️

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding comprehensive bucket data collection functionality for S3 buckets.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/util_test.go`:
- Around line 14-19: The test TestSHA256HexIsStable only checks non-empty and
repeatable output; update it to assert a known, precomputed SHA-256 hex for the
input "bucket-policy": compute the expected digest (as a constant named e.g.
expected) and replace the current if-check with an assertion that first ==
expected (and still ensure second == first), referencing the SHA256Hex function
and TestSHA256HexIsStable to locate the test to change.

In `@main.go`:
- Line 49: Replace the unbounded context created with context.Background() in
Eval with a bounded context (e.g., ctx, cancel :=
context.WithTimeout(parentCtxOrBackground, ExternalCallTimeout)) and use that
ctx for all external calls (AWS SDK calls and submitEvidence); defer cancel()
immediately after creating the context. Update the same pattern for other
external call blocks referenced (lines 94-122) so every external dependency call
uses the bounded ctx; introduce a configurable ExternalCallTimeout constant or
parameter if not present and ensure submitEvidence and AWS client calls accept
the new ctx.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 6da0826c-219a-43fe-84aa-6e348f2ea49e

📥 Commits

Reviewing files that changed from the base of the PR and between 171c00a and e220af2.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (12)

• .gitignore
• Makefile
• go.mod
• internal/bucket_apis.go
• internal/buckets.go
• internal/buckets_test.go
• internal/evidence.go
• internal/policy_evaluation.go
• internal/util.go
• internal/util_test.go
• main.go
• main_test.go

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Assert a known digest, not just stability.

Line 17 only verifies non-empty + repeatable output. A deterministic but incorrect implementation would still pass. Add an expected hash assertion for "bucket-policy".

Suggested test update

 func TestSHA256HexIsStable(t *testing.T) {
 	first := SHA256Hex("bucket-policy")
 	second := SHA256Hex("bucket-policy")
 	if first == "" || first != second {
 		t.Fatalf("SHA256Hex() produced unstable output: %q vs %q", first, second)
 	}
+	if first != "d1089f92b307de96f56fbe535f90f2af70e763353a5f5bfde33935f54f06454f" {
+		t.Fatalf("SHA256Hex() unexpected digest: %q", first)
+	}
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func TestSHA256HexIsStable(t *testing.T) {
	first := SHA256Hex("bucket-policy")
	second := SHA256Hex("bucket-policy")
	if first == "" || first != second {
	t.Fatalf("SHA256Hex() produced unstable output: %q vs %q", first, second)
	}
	func TestSHA256HexIsStable(t *testing.T) {
	first := SHA256Hex("bucket-policy")
	second := SHA256Hex("bucket-policy")
	if first == "" || first != second {
	t.Fatalf("SHA256Hex() produced unstable output: %q vs %q", first, second)
	}
	if first != "d1089f92b307de96f56fbe535f90f2af70e763353a5f5bfde33935f54f06454f" {
	t.Fatalf("SHA256Hex() unexpected digest: %q", first)
	}
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/util_test.go` around lines 14 - 19, The test TestSHA256HexIsStable
only checks non-empty and repeatable output; update it to assert a known,
precomputed SHA-256 hex for the input "bucket-policy": compute the expected
digest (as a constant named e.g. expected) and replace the current if-check with
an assertion that first == expected (and still ensure second == first),
referencing the SHA256Hex function and TestSHA256HexIsStable to locate the test
to change.