feat(connectors): Implement remaining terraform-modules functions

[jbdevprimary]

Summary

Add 7 functions migrated from terraform-modules to vendor-connectors, bringing migration progress to 97% (134/138 functions).

New Methods

Connector	Method	Purpose
AWS S3	get_bucket_sizes()	List all S3 buckets with their sizes
Google Workspace	list_available_licenses()	List available Google Workspace licenses
Google Billing	get_bigquery_billing_dataset()	Get billing export dataset info
Google Services	get_project_iam_users()	List IAM users for a project
Google Services	get_pubsub_resources_for_project()	List Pub/Sub topics and subscriptions
Google Services	find_inactive_projects()	Find projects without recent activity
GitHub	get_users_with_verified_emails()	GraphQL query for verified emails

Migration Status

Progress: [█████████████████░] 97%

Completed: 134 functions
Remaining: 4 functions (complex preprocessing)
Not Migrating: 7 functions (FSC-specific)

Remaining Functions (4)

• label_aws_account - Terraform preprocessing
• classify_aws_accounts - Depends on label_account
• preprocess_aws_organization - Terraform preprocessing
• build_github_actions_workflow - Complex YAML builder

Test Plan

• 74 tests passing
• Lint checks pass

cd packages/vendor-connectors && uv run pytest tests/ -v --override-ini="addopts="
uv run ruff check packages/vendor-connectors

Dependencies

• Depends on:
  • docs: Update wiki and orchestration for architectural evolution #246 (docs/wiki-orchestration-update)
  • feat(dic): Add decorator-based input handling API #247 (feat/directed-inputs-decorator-api)
  • feat: Add python-terraform-bridge package #248 (feat/python-terraform-bridge)

Handoff Context

📚 Documentation:

• .cursor/agents/terraform-modules-migration/ORCHESTRATION.md - Full context
• packages/vendor-connectors/API_REFERENCE.md - API documentation
• packages/vendor-connectors/MIGRATION_STATUS.md - Migration tracking

For @cursor

After this PR merges:

1. All packages are ready for release
2. Next step: Update terraform-modules to consume these packages
3. Complete remaining 4 function migrations
4. See ORCHESTRATION.md for full handoff instructions

---

Note

Adds 7 migrated methods across AWS, Google, and GitHub, and updates docs to reflect 97% migration coverage.

• Connectors:
  • AWS S3 (AWSS3Mixin):
    • get_bucket_sizes(execution_role_arn?): Fetch S3 bucket sizes from CloudWatch across storage classes.
  • Google Billing (GoogleBillingMixin):
    • get_bigquery_billing_dataset(project_id, ...): Get or create billing export dataset in BigQuery.
  • Google Services (GoogleServicesMixin):
    • get_project_iam_users(project_id): Extract human users and roles from project IAM policy.
    • get_pubsub_resources_for_project(project_id): Aggregate Pub/Sub topics and subscriptions.
    • find_inactive_projects(...): Identify projects with no recent billing activity via BigQuery.
  • Google Workspace (GoogleWorkspaceMixin):
    • list_available_licenses(customer_id, ...): List license assignments by product/SKU.
  • GitHub (GithubConnector):
    • get_users_with_verified_emails(key_by_email?): GraphQL-based org members with verified domain emails.
• Docs:
  • Add packages/vendor-connectors/API_REFERENCE.md and packages/vendor-connectors/MIGRATION_STATUS.md; update API coverage to 97% with 4 functions remaining.

^{Written by Cursor Bugbot for commit 5c00a6e. This will update automatically on new commits. Configure here.}

[amazon-q-developer]

⏳ Code review in progress. Analyzing for code quality issues and best practices. You can monitor the review status in the checks section at the bottom of this pull request. Detailed findings will be posted upon completion.

Using Amazon Q Developer for GitHub

Amazon Q Developer¹ is an AI-powered assistant that integrates directly into your GitHub workflow, enhancing your development process with intelligent features for code development, review, and transformation.

Slash Commands

Command	Description
/q <message>	Chat with the agent to ask questions or request revisions
/q review	Requests an Amazon Q powered code review
/q help	Displays usage information

Features

Agentic Chat
Enables interactive conversation with Amazon Q to ask questions about the pull request or request specific revisions. Use /q <message> in comment threads or the review body to engage with the agent directly.

Code Review
Analyzes pull requests for code quality, potential issues, and security concerns. Provides feedback and suggested fixes. Automatically triggered on new or reopened PRs (can be disabled for AWS registered installations), or manually with /q review slash command in a comment.

Customization

You can create project-specific rules for Amazon Q Developer to follow:

1. Create a .amazonq/rules folder in your project root.
2. Add Markdown files in this folder to define rules (e.g., cdk-rules.md).
3. Write detailed prompts in these files, such as coding standards or best practices.
4. Amazon Q Developer will automatically use these rules when generating code or providing assistance.

Example rule:

All Amazon S3 buckets must have encryption enabled, enforce SSL, and block public access.
All Amazon DynamoDB Streams tables must have encryption enabled.
All Amazon SNS topics must have encryption enabled and enforce SSL.
All Amazon SNS queues must enforce SSL.

Feedback

To provide feedback on Amazon Q Developer, create an issue in the Amazon Q Developer public repository.

For more detailed information, visit the Amazon Q for GitHub documentation.

Footnotes

1. Amazon Q Developer uses generative AI. You may need to verify generated code before using it in your environment. See the AWS Responsible AI Policy. ↩

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[gemini-code-assist]

Summary of Changes

Hello @jbcom, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly advances the migration of cloud-specific functions from "terraform-modules" to the "vendor-connectors" package. It introduces seven new methods across AWS S3, Google Workspace, Google Billing, Google Services, and GitHub, bringing the overall migration completion to 97%. The changes aim to centralize and standardize cloud API interactions within a generic Python library, enhancing reusability and maintainability.

Highlights

• AWS S3 Bucket Sizes: Implemented "get_bucket_sizes()" to list all S3 buckets with their sizes by querying CloudWatch metrics.
• Google Workspace Licenses: Added "list_available_licenses()" to retrieve available Google Workspace licenses.
• Google Billing Dataset: Introduced "get_bigquery_billing_dataset()" to get or create billing export dataset information in BigQuery.
• Google Project IAM Users: Implemented "get_project_iam_users()" to list IAM users for a given Google Cloud project.
• Google Pub/Sub Resources: Added "get_pubsub_resources_for_project()" to aggregate and list Pub/Sub topics and subscriptions for a project.
• Google Inactive Projects: Introduced "find_inactive_projects()" to identify Google Cloud projects without recent billing activity.
• GitHub Verified Emails: Implemented "get_users_with_verified_emails()" using GraphQL to fetch GitHub organization members with verified domain emails.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[amazon-q-developer]

Code Review Summary

This PR successfully implements 7 remaining terraform-modules functions, bringing the migration progress to 97% (134/138 functions). The implementation follows the established patterns and maintains consistency with the existing codebase.

Key Findings

🔴 Critical Issues:

1. Performance Risk in S3 CloudWatch queries - The get_bucket_sizes() method could cause API throttling and high costs due to nested loops creating up to 26 API calls per bucket
2. SQL Injection vulnerability - The BigQuery query in find_inactive_projects() uses f-string formatting with user input without proper validation

🟡 Minor Issues:

1. Data consistency issue - GitHub verified emails method could overwrite users with duplicate primary emails
2. Unused parameter - billing_account_name parameter in BigQuery billing dataset method

Recommendations

The critical performance and security issues should be addressed before merging. The suggested code improvements include:

• Adding rate limiting and concurrent processing for S3 CloudWatch queries
• Implementing parameterized queries for BigQuery to prevent SQL injection
• Adding duplicate email detection for GitHub user queries
• Removing unused parameters for cleaner API design

Migration Progress

Excellent progress on the terraform-modules migration! The remaining 4 functions are appropriately identified as complex/FSC-specific and don't need immediate migration. The API documentation and migration tracking are comprehensive and well-maintained.

Overall, this is solid work that significantly advances the migration goals. Please address the security and performance concerns before merging.

---

You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

[amazon-q-developer]

🛑 Performance Issue: This method could cause significant CloudWatch API throttling and high costs when querying many buckets with many storage types. The nested loop creates up to 26 API calls per bucket (one for each storage type), which could result in hundreds of API calls for accounts with many buckets.

Suggested change

	def get_bucket_sizes(
	self,
	execution_role_arn: Optional[str] = None,
	) -> dict[str, dict[str, float]]:
	"""Get S3 bucket sizes from CloudWatch metrics.
	Queries CloudWatch for BucketSizeBytes metrics across all storage types
	for each bucket in the account.
	Args:
	execution_role_arn: ARN of role to assume for cross-account access.
	Returns:
	Dictionary mapping bucket names to storage type sizes:
	{
	"my-bucket": {
	"StandardStorage": 1234567890.0,
	"IntelligentTieringFAStorage": 0.0,
	...
	}
	}
	"""
	from datetime import datetime, timedelta
	from extended_data_types import is_nothing
	self.logger.info("Getting S3 bucket sizes from CloudWatch")
	role_arn = execution_role_arn or getattr(self, "execution_role_arn", None)
	s3_resource: ServiceResource = self.get_aws_resource(
	service_name="s3",
	execution_role_arn=role_arn,
	)
	cloudwatch = self.get_aws_client(
	client_name="cloudwatch",
	execution_role_arn=role_arn,
	)
	seconds_in_one_day = 86400
	buckets: dict[str, dict[str, float]] = {}
	def get_avg_for_bucket_storage_type(bucket_name: str, storage_type: str) -> Optional[float]:
	"""Get average size for a bucket/storage type from CloudWatch."""
	datapoints = cloudwatch.get_metric_statistics(
	Namespace="AWS/S3",
	Dimensions=[
	{"Name": "BucketName", "Value": bucket_name},
	{"Name": "StorageType", "Value": storage_type},
	],
	MetricName="BucketSizeBytes",
	StartTime=datetime.now() - timedelta(days=7),
	EndTime=datetime.now(),
	Period=seconds_in_one_day,
	Statistics=["Average"],
	Unit="Bytes",
	).get("Datapoints", [])
	for datapoint in datapoints:
	avg = datapoint.get("Average")
	if not is_nothing(avg):
	return avg
	return None
	for bucket in s3_resource.buckets.all():
	bucket_name = bucket.name
	self.logger.info(f"Getting bucket size for {bucket_name}")
	buckets[bucket_name] = {}
	for storage_type in self.S3_STORAGE_TYPES:
	avg = get_avg_for_bucket_storage_type(bucket_name, storage_type)
	if avg is not None:
	self.logger.debug(
	f"Average for {bucket_name} storage type {storage_type}: {avg}"
	)
	buckets[bucket_name][storage_type] = avg
	self.logger.info(f"Retrieved sizes for {len(buckets)} buckets")
	return buckets
	def get_bucket_sizes(
	self,
	execution_role_arn: Optional[str] = None,
	max_buckets: Optional[int] = None,
	batch_size: int = 10,
	) -> dict[str, dict[str, float]]:
	"""Get S3 bucket sizes from CloudWatch metrics.
	Queries CloudWatch for BucketSizeBytes metrics across all storage types
	for each bucket in the account.
	Args:
	execution_role_arn: ARN of role to assume for cross-account access.
	max_buckets: Maximum number of buckets to process (for rate limiting).
	batch_size: Number of concurrent CloudWatch requests. Defaults to 10.
	Returns:
	Dictionary mapping bucket names to storage type sizes:
	{
	"my-bucket": {
	"StandardStorage": 1234567890.0,
	"IntelligentTieringFAStorage": 0.0,
	...
	}
	}
	"""
	from datetime import datetime, timedelta
	import time
	from concurrent.futures import ThreadPoolExecutor, as_completed
	from extended_data_types import is_nothing
	self.logger.info("Getting S3 bucket sizes from CloudWatch")
	role_arn = execution_role_arn or getattr(self, "execution_role_arn", None)
	s3_resource: ServiceResource = self.get_aws_resource(
	service_name="s3",
	execution_role_arn=role_arn,
	)
	cloudwatch = self.get_aws_client(
	client_name="cloudwatch",
	execution_role_arn=role_arn,
	)
	seconds_in_one_day = 86400
	buckets: dict[str, dict[str, float]] = {}
	def get_avg_for_bucket_storage_type(bucket_name: str, storage_type: str) -> tuple[str, str, Optional[float]]:
	"""Get average size for a bucket/storage type from CloudWatch."""
	try:
	datapoints = cloudwatch.get_metric_statistics(
	Namespace="AWS/S3",
	Dimensions=[
	{"Name": "BucketName", "Value": bucket_name},
	{"Name": "StorageType", "Value": storage_type},
	],
	MetricName="BucketSizeBytes",
	StartTime=datetime.now() - timedelta(days=7),
	EndTime=datetime.now(),
	Period=seconds_in_one_day,
	Statistics=["Average"],
	Unit="Bytes",
	).get("Datapoints", [])
	for datapoint in datapoints:
	avg = datapoint.get("Average")
	if not is_nothing(avg):
	return bucket_name, storage_type, avg
	return bucket_name, storage_type, None
	except Exception as e:
	self.logger.warning(f"Failed to get metrics for {bucket_name}/{storage_type}: {e}")
	return bucket_name, storage_type, None
	# Get bucket list with optional limit
	bucket_list = list(s3_resource.buckets.all())
	if max_buckets:
	bucket_list = bucket_list[:max_buckets]
	self.logger.info(f"Limited to first {max_buckets} buckets")
	# Process buckets in batches to avoid overwhelming CloudWatch API
	with ThreadPoolExecutor(max_workers=batch_size) as executor:
	futures = []
	for bucket in bucket_list:
	bucket_name = bucket.name
	buckets[bucket_name] = {}
	# Submit all storage type queries for this bucket
	for storage_type in self.S3_STORAGE_TYPES:
	future = executor.submit(get_avg_for_bucket_storage_type, bucket_name, storage_type)
	futures.append(future)
	# Add small delay between buckets to avoid rate limiting
	time.sleep(0.1)
	# Collect results
	for future in as_completed(futures):
	bucket_name, storage_type, avg = future.result()
	if avg is not None:
	self.logger.debug(
	f"Average for {bucket_name} storage type {storage_type}: {avg}"
	)
	buckets[bucket_name][storage_type] = avg
	self.logger.info(f"Retrieved sizes for {len(buckets)} buckets")
	return buckets

[amazon-q-developer]

Potential data inconsistency when key_by_email=True and multiple users share the same primary email. The later user will overwrite the earlier one in users_by_email dictionary.

Suggested change

	if primary_email:
	users_by_email[primary_email] = user_data
	self.logger.debug(f"Found user {login} with verified email {primary_email}")
	if primary_email:
	if primary_email in users_by_email:
	self.logger.warning(f"Duplicate primary email {primary_email} for users {users_by_email[primary_email]['login']} and {login}")
	users_by_email[primary_email] = user_data
	self.logger.debug(f"Found user {login} with verified email {primary_email}")

[amazon-q-developer]

Unused parameter billing_account_name is documented but never used in the method implementation. Either remove it or use it for enhanced logging.

Suggested change

	billing_account_name: Optional[str] = None,
	create_if_missing: bool = True,
	) -> str:
	def get_bigquery_billing_dataset(
	self,
	project_id: str,
	dataset_name: str = "billing_dataset",
	create_if_missing: bool = True,
	) -> str:

[amazon-q-developer]

🛑 SQL Injection Risk: The BigQuery query uses f-string formatting with user-controlled input inactivity_period_days, which could allow SQL injection if the parameter is not properly validated.

Suggested change

	query = f"""
	SELECT project.id AS project_id, SUM(cost) AS total_cost
	FROM `{billing_project_id}.{billing_dataset_id}.*`
	WHERE usage_start_time >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL {inactivity_period_days} DAY)
	GROUP BY project.id
	HAVING total_cost IS NULL OR total_cost = 0
	"""
	# Validate input to prevent SQL injection
	if not isinstance(inactivity_period_days, int) or inactivity_period_days <= 0:
	raise ValueError("inactivity_period_days must be a positive integer")
	# Construct the query with parameterized values
	query = """
	SELECT project.id AS project_id, SUM(cost) AS total_cost
	FROM `{}.{}.*`
	WHERE usage_start_time >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL @inactivity_days DAY)
	GROUP BY project.id
	HAVING total_cost IS NULL OR total_cost = 0
	""".format(billing_project_id, billing_dataset_id)

[amazon-q-developer]

Update the BigQuery query execution to use parameterized queries for the validated input.

Suggested change

	.query(
	projectId=billing_project_id,
	body={"query": query, "useLegacySql": False},
	)
	.execute()
	)
	results = (
	bigquery.jobs()
	.query(
	projectId=billing_project_id,
	body={
	"query": query,
	"useLegacySql": False,
	"parameterMode": "NAMED",
	"queryParameters": [
	{
	"name": "inactivity_days",
	"parameterType": {"type": "INT64"},
	"parameterValue": {"value": str(inactivity_period_days)}
	}
	]
	},
	)
	.execute()
	)

[Copilot]

Pull request overview

This PR migrates 7 additional functions from terraform-modules to vendor-connectors, achieving 97% migration completion (134/138 functions). The additions span AWS S3 CloudWatch metrics, Google Workspace licensing, Google Billing dataset management, Google IAM/Pub/Sub resource aggregation, and GitHub GraphQL-based user queries. Two comprehensive documentation files track migration progress and provide a complete API reference for all implemented connectors.

Key Changes

• Add 7 cloud provider methods for S3 bucket sizing, Google Workspace licenses, BigQuery billing datasets, project IAM users, Pub/Sub resources, inactive project detection, and GitHub verified emails
• Introduce API_REFERENCE.md and MIGRATION_STATUS.md to document 97% migration coverage with 4 complex functions remaining
• Update progress metrics showing 134 completed functions vs. 4 remaining (3 AWS Organizations preprocessing, 1 GitHub workflow builder)

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
packages/vendor-connectors/src/vendor_connectors/aws/s3.py	Add get_bucket_sizes() to query CloudWatch metrics for bucket storage across 25 storage types
packages/vendor-connectors/src/vendor_connectors/google/workspace.py	Add list_available_licenses() to retrieve Google Workspace license assignments by product/SKU
packages/vendor-connectors/src/vendor_connectors/google/billing.py	Add get_bigquery_billing_dataset() to check/create billing export datasets in BigQuery
packages/vendor-connectors/src/vendor_connectors/google/services.py	Add 3 methods: get_project_iam_users(), get_pubsub_resources_for_project(), find_inactive_projects() for resource aggregation
packages/vendor-connectors/src/vendor_connectors/github/__init__.py	Add get_users_with_verified_emails() using GraphQL to fetch org members with domain-verified emails
packages/vendor-connectors/API_REFERENCE.md	Comprehensive API documentation with 134 implemented methods across all connectors
packages/vendor-connectors/MIGRATION_STATUS.md	Track migration progress from terraform-modules with detailed status tables

[Copilot]

The 'Completed' count states 42 functions, but the PR title and description indicate 134 functions have been completed (97% of 138 total). Line 146 should read 'Completed: 134 functions' to match the actual migration status.

Suggested change

	Completed: 42 functions
	Completed: 134 functions

[Copilot]

The dictionary construction and append operation on line 621-627 happens inside a loop over potentially many license items. Consider using list comprehension or batch operations if the API supports pagination to reduce the number of individual append operations and temporary dictionary constructions.

Suggested change

	for item in response.get("items", []):
	sku_id = item.get("skuId", "")
	if not sku_id:
	continue
	if sku_id not in licenses[product_id]["skus"]:
	licenses[product_id]["skus"][sku_id] = {
	"name": sku_id,
	"assignments": {"total": 0, "users": []},
	}
	user_data = {
	"user_id": item.get("userId", ""),
	"self_link": item.get("selfLink", ""),
	"sku_id": sku_id,
	"product_id": product_id,
	}
	licenses[product_id]["skus"][sku_id]["assignments"]["users"].append(user_data)
	licenses[product_id]["skus"][sku_id]["assignments"]["total"] += 1
	# Group items by sku_id
	items_by_sku: dict[str, list[dict[str, Any]]] = {}
	for item in response.get("items", []):
	sku_id = item.get("skuId", "")
	if not sku_id:
	continue
	items_by_sku.setdefault(sku_id, []).append(item)
	for sku_id, sku_items in items_by_sku.items():
	if sku_id not in licenses[product_id]["skus"]:
	licenses[product_id]["skus"][sku_id] = {
	"name": sku_id,
	"assignments": {"total": 0, "users": []},
	}
	users = [
	{
	"user_id": item.get("userId", ""),
	"self_link": item.get("selfLink", ""),
	"sku_id": sku_id,
	"product_id": product_id,
	}
	for item in sku_items
	]
	licenses[product_id]["skus"][sku_id]["assignments"]["users"] = users
	licenses[product_id]["skus"][sku_id]["assignments"]["total"] = len(users)

[Copilot]

The BigQuery SQL query uses f-string interpolation for billing_project_id, billing_dataset_id, and inactivity_period_days without sanitization. If these parameters come from user input, this could lead to SQL injection. Consider using parameterized queries or validating input format (e.g., ensuring project IDs match expected patterns).

[Copilot]

[nitpick] The nested function get_avg_for_bucket_storage_type accesses the outer scope's cloudwatch client directly. Consider passing cloudwatch as a parameter to make the function more testable and reduce implicit dependencies on closure state.

[Copilot]

The GraphQL query uses f-string interpolation with self.GITHUB_OWNER and after_cursor without escaping. If GITHUB_OWNER or cursor values contain double quotes or GraphQL special characters, this could break the query or introduce injection risks. Consider using GraphQL variables instead of string interpolation.

[Copilot]

[nitpick] Accessing verified_emails[0] without checking if the list is non-empty could be clearer. While the if verified_emails check prevents IndexError, using verified_emails[0] if verified_emails else ... in a single expression may reduce readability. Consider extracting to a variable with an explicit check for clarity.

Suggested change

	primary_email = verified_emails[0] if verified_emails else node.get("email")
	if verified_emails:
	primary_email = verified_emails[0]
	else:
	primary_email = node.get("email")

[Copilot]

Line 89 lists get_aws_s3_bucket_sizes_in_account under 'Remaining Migrations', but line 152 and the code changes show this function has been completed as AWSS3Mixin.get_bucket_sizes. This entry should be removed from the 'Remaining Migrations' section.

Suggested change

| `get_aws_s3_bucket_sizes_in_account` | Medium | CloudWatch metrics query |

[Copilot]

Lines 95-99 list five Google functions under 'Remaining Migrations', but these have all been implemented in this PR (as confirmed in lines 152-158). These entries should be removed from the 'Remaining Migrations' section and the count should reflect only the 4 actual remaining functions.

Suggested change

	| `list_available_google_workspace_licenses` | Low | License API query |
	| `get_google_bigquery_billing_dataset` | Low | BigQuery dataset lookup |
	| `get_users_for_google_project` | Low | IAM policy parsing |
	| `get_pubsub_queues_for_google_project` | Low | Aggregate topics/subs |
	| `get_dead_google_projects` | Medium | Activity detection |

[Copilot]

Line 105 lists get_github_users (full) under 'Remaining Migrations', but line 158 and the code changes show this has been completed as GithubConnector.get_users_with_verified_emails. This entry should be removed from the 'Remaining Migrations' section.

Suggested change

| `get_github_users` (full) | Medium | Requires verified email GraphQL |

[gemini-code-assist]

Code Review

This pull request is a great step forward in the terraform-modules migration, adding 7 new functions and bringing the total coverage to 97%. The new functions for AWS, Google, and GitHub are well-implemented. I've identified a few areas for improvement, mainly concerning performance, security, and documentation clarity. My main concerns are a potential N+1 API call issue in the AWS S3 get_bucket_sizes function and SQL injection risks in the Google Services and GitHub connectors. I've also noted some inconsistencies in the migration tracking documents. Please see my detailed comments below.

[gemini-code-assist]

The current implementation of get_bucket_sizes makes an API call to get_metric_statistics for every bucket and for each of the 22 storage types. This is highly inefficient and can lead to a large number of API calls (e.g., 2200 calls for 100 buckets), potentially hitting API rate limits.

To improve performance, I recommend refactoring this to use the get_metric_data API call, which allows batching up to 500 metric queries in a single request.

The suggested approach is:

1. Build a list of MetricDataQueries for all buckets and storage types.
2. Batch these queries into chunks of up to 500.
3. Make a single get_metric_data call for each chunk.
4. Process the batched results to populate the bucket sizes.

This will drastically reduce the number of API calls and improve the function's performance and reliability.

[gemini-code-assist]

The BigQuery query is constructed using f-strings with billing_project_id and billing_dataset_id. This could be vulnerable to SQL injection if these parameters are not properly sanitized.

To mitigate this risk, I recommend adding validation to ensure these identifiers only contain allowed characters (letters, numbers, underscores, hyphens, and dots for project ID) before they are used in the query.

        if not billing_project_id:
            raise ValueError("billing_project_id is required")

        import re
        # Validate project and dataset IDs to prevent SQL injection.
        if not re.match(r"^[a-z0-9][a-z0-9-.]*$", billing_project_id):
            raise ValueError(f"Invalid characters in billing_project_id: {billing_project_id}")
        if not re.match(r"^[a-zA-Z0-9_]+$", billing_dataset_id):
            raise ValueError(f"Invalid characters in billing_dataset_id: {billing_dataset_id}")

        self.logger.info(
            f"Finding inactive projects (no activity in {inactivity_period_days} days)"
        )

        bigquery = self.get_service("bigquery", "v2")

        # Construct the query
        query = f"""
            SELECT project.id AS project_id, SUM(cost) AS total_cost
            FROM `{billing_project_id}.{billing_dataset_id}.*`
            WHERE usage_start_time >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL {inactivity_period_days} DAY)
            GROUP BY project.id
            HAVING total_cost IS NULL OR total_cost = 0
        """

[gemini-code-assist]

This 'Remaining Migrations' section appears to be outdated. The functions listed here have either been implemented in this PR (and are now in 'Recently Completed') or are covered in the 'Remaining Work' section. To avoid confusion and keep the document concise, I recommend removing this entire section.

[gemini-code-assist]

The count of completed functions seems to be incorrect. The 'Completed Migrations' tables list 32 functions, and this PR adds 7 more from the 'Recently Completed' section, for a total of 39. Please update the count from 42 to 39 for accuracy.

Suggested change

	Completed: 42 functions
	Completed: 39 functions

[gemini-code-assist]

The GraphQL query is constructed using an f-string, which can be a security risk if the self.GITHUB_OWNER variable is not properly sanitized. It's a best practice to use query variables for dynamic values.

I suggest modifying the query to use variables for $owner and $after, and then passing them in the execute_graphql call. This improves security and readability.

        query = """
        query GetOrgMembers($owner: String!, $after: String) {
          organization(login: $owner) {
            membersWithRole(first: 100, after: $after) {
              pageInfo {
                hasNextPage
                endCursor
              }
              edges {
                node {
                  login
                  name
                  email
                  organizationVerifiedDomainEmails(login: $owner)
                }
                role
              }
            }
          }
        }
        """

        users: dict[str, dict[str, Any]] = {}
        users_by_email: dict[str, dict[str, Any]] = {}

        has_next_page = True
        after_cursor = None

        while has_next_page:
            variables = {"owner": self.GITHUB_OWNER, "after": after_cursor}
            result = self.execute_graphql(query, variables=variables)

[cursor]

Bug: Missing pagination in list_available_licenses method

The list_available_licenses method only retrieves the first page of results from the Google Licensing API's listForProduct endpoint. Unlike other list methods in the codebase (e.g., list_users, list_storage_buckets) that properly handle pagination using a while loop and nextPageToken, this method makes a single API call and processes only the initial response. Organizations with many license assignments will have incomplete data returned, potentially missing all users beyond the default page size.

 

[jbdevprimary]

Closing as redundant - PR #245 provides more complete vendor-connectors migration coverage including organizations.py changes. The documentation files (API_REFERENCE.md, MIGRATION_STATUS.md) can be added to #245 or a follow-up PR.