Tables for Roles Anywhere Profiles and Trust Anchors#2475

Merged
misraved merged 5 commits into turbot:main from 2XXE-SRA:main
May 8, 2025

@2XXE-SRA
Contributor

This PR adds two new tables for the Roles Anywhere service. Specifically, it adds support for enumerating Trust Anchors (aws_rolesanywhere_trust_anchor) and Profiles (aws_rolesanywhere_profile).

Example query results

Results
select
  arn,
  role_arns
from aws_rolesanywhere_profile

+-------------------------------------------------------------------------------------------+----------------------------------------------------------------+
| arn                                                                                       | role_arns                                                      |
+-------------------------------------------------------------------------------------------+----------------------------------------------------------------+
| arn:aws:rolesanywhere:us-east-1:123456789012:profile/fb3dcdae-b099-49ef-bdaf-69590f64c55d | ["arn:aws:iam::123456789012:role/RoleFoo"]                     |
| arn:aws:rolesanywhere:us-east-1:123456789012:profile/7df9cbb7-36c1-432b-b07d-cf6d83de46ef | ["arn:aws:iam::123456789012:role/RoleBar"]                     |
| arn:aws:rolesanywhere:us-east-1:123456789012:profile/8ca8dcf3-1692-478b-8976-1179e47af2d2 | ["arn:aws:iam::123456789012:role/RoleBaz"]                     |
+-------------------------------------------------------------------------------------------+----------------------------------------------------------------+

select 
  arn, 
  source_type
from aws_rolesanywhere_trust_anchor

+------------------------------------------------------------------------------------------------+--------------------+
| arn                                                                                            | source_type        |
+------------------------------------------------------------------------------------------------+--------------------+
| arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/7cb25065-23c9-451f-bd1e-3e6ba321a6af | CERTIFICATE_BUNDLE |
| arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/45e48edd-d495-499f-96f2-c9544fe02b64 | CERTIFICATE_BUNDLE |
| arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/6fbe3a43-df3d-4fbe-a8e8-723bdb430ca7 | CERTIFICATE_BUNDLE |
+------------------------------------------------------------------------------------------------+--------------------+

@misraved
Contributor

@2XXE-SRA thank you so much for the new tables 🎉 !!

Could you please fix the lint failure?

@misraved misraved requested a review from Copilot April 17, 2025 21:23
Contributor

Copilot AI left a comment

Pull Request Overview

This PR adds support for AWS Roles Anywhere by introducing two new Steampipe tables: one for Trust Anchors and one for Profiles. Key changes include the addition of documentation, table definition implementations, and integration into the plugin service.

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| docs/tables/aws_rolesanywhere_trust_anchor.md | Added documentation outlining the trust anchor table usage. |
| docs/tables/aws_rolesanywhere_profile.md | Added documentation outlining the profile table usage. |
| aws/table_aws_rolesanywhere_trust_anchor.go | Implemented table definition and query functions for trust anchors. |
| aws/table_aws_rolesanywhere_profile.go | Implemented table definition and query functions for profiles. |
| aws/service.go | Added RolesAnywhereClient to support new Roles Anywhere APIs. |
| aws/plugin.go | Registered the new Roles Anywhere tables with the plugin. |

Files not reviewed (1)
  • go.mod: Language not supported

@ParthaI
Contributor

ParthaI commented Apr 18, 2025

Hello @2XXE-SRA, great to see the PR with the new table addition!

Just a quick note:

  • This PR includes an update to the AWS SDK v2, upgrading it to version v1.36.3.
  • However, this version introduces breaking changes related to ResolverEndpointV2, which need some effort to make the changes across the tables.
  • Would it be possible to downgrade or retain the existing SDK version v1.27.0 instead?
  • From what I’ve seen, the github.com/aws/aws-sdk-go-v2/service/rolesanywhere package (version v1.11.4) should still be compatible with github.com/aws/aws-sdk-go-v2 version v1.27.0.
    • Running the command go get github.com/aws/aws-sdk-go-v2@v1.27.0 might help you do that.

Thanks!

@2XXE-SRA
Contributor Author

> Hello @2XXE-SRA, great to see the PR with the new table addition!
>
> Just a quick note:
>
> * This PR includes an update to the AWS SDK v2, upgrading it to version `v1.36.3`.
> * However, this version introduces breaking changes related to `ResolverEndpointV2`, which need some effort to make the changes across the tables.
> * Would it be possible to **downgrade or retain the existing SDK version `v1.27.0`** instead?
> * From what I’ve seen, the `github.com/aws/aws-sdk-go-v2/service/rolesanywhere` package (version `v1.11.4`) should still be compatible with `github.com/aws/aws-sdk-go-v2` version `v1.27.0`.
>   * Running the command `go get github.com/aws/aws-sdk-go-v2@v1.27.0` might help you do that.
>
> Thanks!

Yeah, no problem. I think it was just an auto-upgrade when I grabbed the service package. I will test on the lower version and then update the PR.

@2XXE-SRA
Contributor Author

Looks like that did the trick!

@cbruno10 cbruno10 requested a review from Copilot April 21, 2025 13:34
Contributor

Copilot AI left a comment

Pull Request Overview

This PR introduces two new Steampipe table implementations for AWS Roles Anywhere by adding support for querying Trust Anchors and Profiles. Key changes include the addition of documentation files for both tables, implementation of the corresponding table definitions and list/get functions in Go, and registration of these new tables via AWS clients in the plugin.

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| docs/tables/aws_rolesanywhere_trust_anchor.md | Adds documentation for the aws_rolesanywhere_trust_anchor table |
| docs/tables/aws_rolesanywhere_profile.md | Adds documentation for the aws_rolesanywhere_profile table |
| aws/table_aws_rolesanywhere_trust_anchor.go | Implements table definition and list/get functions for Trust Anchors |
| aws/table_aws_rolesanywhere_profile.go | Implements table definition and list/get functions for Profiles |
| aws/service.go | Adds a new AWS client creation function (RolesAnywhereClient) |
| aws/plugin.go | Registers the new Roles Anywhere tables in the plugin |

Files not reviewed (1)
  • go.mod: Language not supported
Comments suppressed due to low confidence (2)

aws/table_aws_rolesanywhere_profile.go:121

  • [nitpick] Consider using Go naming conventions (e.g., profileID) instead of snake_case for variable names.
profile_id := d.EqualsQuals["id"].GetStringValue()

aws/table_aws_rolesanywhere_profile.go:114

  • Ensure that the transform functions 'unescape' and 'policyToCanonical' are properly defined and imported, as their absence may lead to runtime errors.
Transform:   transform.FromField("SessionPolicy").Transform(unescape).Transform(policyToCanonical),

Contributor

@ParthaI ParthaI left a comment

Hello @2XXE-SRA,

I’ve left a few review comments for you to take a look at.

Additionally, here are some suggestions:

  • Name the table columns to match the API response, with the exception of the arn column.
  • Include the standard Steampipe columns.
  • Update the column descriptions based on the AWS documentation for the API.
  • Organize the function ordering as follows:
    • List Hydrate function
    • Get Hydrate function
    • Any other Hydrate functions
    • Transform functions
  • It would be great to include more example queries in the table documentation.

Please note: I haven't added any comments for the table aws_rolesanywhere_trust_anchor, but the suggestions above are also applicable for this table.

Thanks!

Comment thread aws/table_aws_rolesanywhere_profile.go Outdated
Hydrate: listProfiles,
Tags: map[string]string{"service": "rolesanywhere", "action": "ListProfiles"},
},
GetMatrixItemFunc: SupportedRegionMatrix(rolesanywherev1.EndpointsID),

Suggested change
GetMatrixItemFunc: SupportedRegionMatrix(rolesanywherev1.EndpointsID),
GetMatrixItemFunc: SupportedRegionMatrix(AWS_ROLESANYWHERE_SERVICE_ID),

We are halfway through removing support for AWS SDK V1 from the plugin, as the V1 SDK has reached its End of Life.
We have listed all the AWS-supported service IDs in the following file: endpoint_service_ids_gen.go.

Comment thread aws/table_aws_rolesanywhere_profile.go Outdated
GetMatrixItemFunc: SupportedRegionMatrix(rolesanywherev1.EndpointsID),
Columns: awsRegionalColumns([]*plugin.Column{
{
Name: "id",
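
Review bot: the `Name: "id"` column on the last line of this context is also the key the get hydrate reads (`profile_id := d.EqualsQuals["id"].GetStringValue()` at aws/table_aws_rolesanywhere_profile.go:121, quoted in the Copilot review above). If the column is renamed, the qual lookup has to be renamed in the same change, otherwise the get path reads a qual that no longer exists.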

Could you please rename the column to profile_id? The table schema should exactly match the API response, except for the arn column.

Comment thread aws/table_aws_rolesanywhere_profile.go Outdated
},
{
Name: "accept_role_session_name",
Description: "Accept custom role session names.",

Could you please update the column descriptions to align with the API response descriptions? You can refer to the details here: API_ProfileDetail.

Kindly update the descriptions for the remaining columns as well.

Comment thread aws/table_aws_rolesanywhere_profile.go Outdated
Type: proto.ColumnType_STRING,
},
{
Name: "duration",

Suggested change
Name: "duration",
Name: "duration_seconds",

Description: "Contains the session policy in a canonical form for easier searching.",
Type: proto.ColumnType_JSON,
Transform: transform.FromField("SessionPolicy").Transform(unescape).Transform(policyToCanonical),
},

Please include the steampipe standard column here. For reference: aws_acm_certificate

Comment on lines +170 to +172
if d.RowsRemaining(ctx) == 0 {
return nil, nil
}

Suggested change
if d.RowsRemaining(ctx) == 0 {
return nil, nil
}
// Context may get cancelled due to manual cancellation or if the limit has been reached
if d.RowsRemaining(ctx) == 0 {
return nil, nil
}

@2XXE-SRA
Contributor Author

Thanks for the review! I will address these in the next day or two and get back to you.

@2XXE-SRA
Contributor Author

I have pushed changes to both tables per your above suggestions. Please let me know if there are any other required changes.

Contributor

@ParthaI ParthaI left a comment

Hi @2XXE-SRA,

The changes look great! However, I left a few minor review comments—could you please take another look?

I noticed that a couple of columns were missed based on the API response. For example, the name column is missing from the aws_rolesanywhere_trust_anchor table.

Could you please cross-verify if any columns are missing according to the API response?

Note: Please validate both the GET and List API calls response and add the missing columns.

Thanks!

Comment thread aws/table_aws_rolesanywhere_profile.go Outdated
Type: proto.ColumnType_JSON,
},
{
Name: "require_instance_properties",

Please move the column upwards as it is a non-JSON column.

Comment thread aws/table_aws_rolesanywhere_profile.go Outdated
Name: "title",
Description: resourceInterfaceDescription("title"),
Type: proto.ColumnType_STRING,
Transform: transform.FromField("ProfileId"),

Suggested change
Transform: transform.FromField("ProfileId"),
Transform: transform.FromField("Name"),

Comment thread aws/table_aws_rolesanywhere_profile.go Outdated
Name: "akas",
Description: resourceInterfaceDescription("akas"),
Type: proto.ColumnType_JSON,
Transform: transform.FromField("ProfileArn").Transform(arnToAkas),

Suggested change
Transform: transform.FromField("ProfileArn").Transform(arnToAkas),
Transform: transform.FromField("ProfileArn").Transform(transform.EnsureStringArray),

Name: "akas",
Description: resourceInterfaceDescription("akas"),
Type: proto.ColumnType_JSON,
Transform: transform.FromField("TrustAnchorArn").Transform(arnToAkas),

Suggested change
Transform: transform.FromField("TrustAnchorArn").Transform(arnToAkas),
Transform: transform.FromField("TrustAnchorArn").Transform(transform.EnsureStringArray),

Name: "title",
Description: resourceInterfaceDescription("title"),
Type: proto.ColumnType_STRING,
Transform: transform.FromField("TrustAnchorId"),

Suggested change
Transform: transform.FromField("TrustAnchorId"),
Transform: transform.FromField("Name"),

@2XXE-SRA
Contributor Author

Above items addressed!

> Could you please cross-verify if any columns are missing according to the API response?

Looks like it was just the name column.

Contributor

@ParthaI ParthaI left a comment

Hello @2XXE-SRA, the changes look great! I’ve left a minor comment regarding a doc update. Could you please take a look?

Comment on lines +46 to +66
select
profile.arn as profile_arn,
role.arn as role_arn,
role.attached_policy_arns as policy_arns,
role.inline_policies as inline_policies
from
aws_rolesanywhere_profile as profile,
jsonb_array_elements_text(profile.role_arns) as role_arn
join aws_iam_role as role on role_arn = role.arn
```

```sql+sqlite
select
profile.arn as profile_arn,
role.arn as role_arn,
role.attached_policy_arns as policy_arns,
role.inline_policies as inline_policies
from
aws_rolesanywhere_profile as profile,
jsonb_array_elements_text(profile.role_arns) as role_arn
join aws_iam_role as role on role_arn = role.arn
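
Review bot: the `sql+sqlite` variant is a verbatim copy of the Postgres query, and `jsonb_array_elements_text(profile.role_arns)` is a PostgreSQL function, so that block needs its own form, for example iterating with `json_each(profile.role_arns)` and joining on its `value` column. In both variants the function alias `role_arn` is also reused as the output name of `role.arn as role_arn`, which makes the `on role_arn = role.arn` condition hard to read; a distinct alias for the array element would avoid that.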

Could you please fix the indentation? We should be using 2-space indentation. Also, I don’t think SQLite supports the jsonb_array_elements_text function.

@2XXE-SRA
Contributor Author

2XXE-SRA commented Apr 25, 2025

Fixed

@misraved
Contributor

@2XXE-SRA @ParthaI are the tables named correctly?

The AWS documentation seems a bit different - https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/Welcome.html

Should it be aws_iam_roles_anywhere?

@2XXE-SRA
Contributor Author

> @2XXE-SRA @ParthaI are the tables named correctly?
>
> The AWS documentation seems a bit different - https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/Welcome.html
>
> Should it be aws_iam_roles_anywhere?

I used rolesanywhere as the identifier since that is the API namespace. The service endpoint (rolesanywhere.amazonaws.com), IAM permissions (rolesanywhere:Foo), etc all use that. Otoh, the service's full name is "IAM Roles Anywhere". Ultimately, I don't feel strongly either way so I'll defer to you all as it should be consistent with your naming conventions.

@misraved misraved merged commit 270c9f3 into turbot:main May 8, 2025
4 participants