feat: cloud-custodian runner v2 introduction#9
Conversation
feat: makes custodian evidence be resource-linked Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
There was a problem hiding this comment.
Pull request overview
This PR updates the Cloud Custodian plugin to run inventory baselines per resource type and evaluate OPA policies per-resource (schema v2), including runner-v2 Init support for upserting subject/risk templates.
Changes:
- Add inventory baseline collection and build per-resource standardized payloads (schema
v2) for OPA evaluation. - Implement runner-v2
Initto upsert subject templates and load risk templates from policy bundles. - Update tests/docs and bump dependencies to newer agent/api/OPA versions.
Reviewed changes
Copilot reviewed 4 out of 6 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
main.go |
Adds schema v2 per-resource payloads, inventory baseline collection, runner-v2 Init, and label/subject generation changes. |
main_test.go |
Updates tests to reflect inventory + per-resource evaluation and adds new coverage for hosted zone ARN canonicalization and Init upserts. |
README.md |
Documents the new inventory baseline + per-resource payload model and new config field. |
go.mod |
Updates Go directive and bumps core dependencies (agent/api/OPA). |
go.sum |
Refreshes dependency checksums for upgraded modules. |
.gitignore |
Ignores the built plugin binary. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
gusfcarvalho
changed the title
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| records = append(records, p.buildResourceRecord(resourceType, resource)) | ||
| } | ||
| collisionIDs := resourceIDCollisions(records) | ||
| _, collisionCount := disambiguateResourceRecords(records, collisionIDs) |
There was a problem hiding this comment.
collectInventoryBaselines calls disambiguateResourceRecords only to obtain collisionCount, but it discards the returned disambiguated records and later disambiguates again when building payloads. This does extra hashing/work during every inventory run. Consider computing collisionCount directly from collisionIDs (or from a simple ID->count map), or alternatively keep and reuse the disambiguated records so this work isn’t repeated.
| _, collisionCount := disambiguateResourceRecords(records, collisionIDs) | |
| collisionCount := len(collisionIDs) |
introduces support to runnerv2 plus adds a check-per-resource