Merge remote-tracking branch 'origin/main' into codex/aws-discovery-nat-sagemaker-checks

* origin/main:
  feat(rules): add AWS IaC cost review rules (#52)

# Conflicts:
#	docs/reference/rule-ids.md
#	packages/rules/src/aws/ec2/index.ts
#	packages/rules/test/exports.test.ts
#	packages/rules/test/rule-metadata.test.ts
#	packages/sdk/test/exports.test.ts

Author: axonstone

.changeset/aws-iac-cost-rules-rules.md

@@ -0,0 +1,5 @@
+---
+"@cloudburn/rules": minor
+---
+
+Add new AWS IaC cost review rules for versioned S3 cleanup, ECR lifecycle quality, gp3 tuning, EC2 detailed monitoring, DynamoDB autoscaling ranges, Lambda provisioned concurrency, and RDS Performance Insights retention, and extend ECS and Redshift rules to support IaC.

.changeset/aws-iac-cost-rules-sdk.md

@@ -0,0 +1,5 @@
+---
+"@cloudburn/sdk": minor
+---
+
+Add AWS static IaC dataset support for new cost review rules across S3, ECR, EBS, EC2, DynamoDB, ECS, Lambda, RDS, and Redshift.

docs/architecture/rules.md

@@ -102,7 +102,8 @@ Rule evaluators consume static and live datasets through `context.resources.get(
 | `CLDBRN-AWS-EC2-3`        | Elastic IP Address Unassociated            | ec2        | discovery      | Implemented |
 | `CLDBRN-AWS-EC2-4`        | VPC Interface Endpoint Inactive            | ec2        | discovery      | Implemented |
 | `CLDBRN-AWS-EC2-5`        | EC2 Instance Low Utilization               | ec2        | discovery      | Implemented |
-| `CLDBRN-AWS-EC2-10`       | NAT Gateway Idle                           | ec2        | discovery      | Implemented |
+| `CLDBRN-AWS-EC2-10`       | EC2 Instance Detailed Monitoring Enabled   | ec2        | iac            | Implemented |
+| `CLDBRN-AWS-EC2-11`       | NAT Gateway Idle                           | ec2        | discovery      | Implemented |
 | `CLDBRN-AWS-EBS-1`        | EBS Volume Type Not Current Generation     | ebs        | discovery, iac | Implemented |
 | `CLDBRN-AWS-EBS-2`        | EBS Volume Unattached                      | ebs        | discovery      | Implemented |
 | `CLDBRN-AWS-EBS-3`        | EBS Volume Attached To Stopped Instances   | ebs        | discovery      | Implemented |

docs/reference/rule-ids.md

@@ -0,0 +1,46 @@
+import { createFinding, createFindingMatch, createRule } from '../../shared/helpers.js';
+
+const RULE_ID = 'CLDBRN-AWS-DYNAMODB-4';
+const RULE_SERVICE = 'dynamodb';
+const RULE_MESSAGE = 'Provisioned DynamoDB autoscaling should allow capacity to change.';
+
+const hasFixedRange = (minCapacity: number | null | undefined, maxCapacity: number | null | undefined): boolean =>
+  typeof minCapacity === 'number' && typeof maxCapacity === 'number' && minCapacity === maxCapacity;
+
+/** Flag provisioned-capacity DynamoDB tables whose table autoscaling min and max capacity are identical. */
+export const dynamoDbAutoscalingRangeFixedRule = createRule({
+  id: RULE_ID,
+  name: 'DynamoDB Autoscaling Range Fixed',
+  description: 'Flag provisioned-capacity DynamoDB tables whose table autoscaling min and max capacity are identical.',
+  message: RULE_MESSAGE,
+  provider: 'aws',
+  service: RULE_SERVICE,
+  supports: ['iac'],
+  staticDependencies: ['aws-dynamodb-tables', 'aws-dynamodb-autoscaling'],
+  evaluateStatic: ({ resources }) => {
+    const autoscalingByTable = new Map(
+      resources
+        .get('aws-dynamodb-autoscaling')
+        .filter((table) => table.tableName !== null)
+        .map((table) => [table.tableName, table] as const),
+    );
+    const findings = resources
+      .get('aws-dynamodb-tables')
+      .filter((table) => table.billingMode === 'PROVISIONED' && table.tableName !== null)
+      .filter((table) => {
+        const autoscaling = autoscalingByTable.get(table.tableName);
+
+        if (!autoscaling) {
+          return false;
+        }
+
+        return (
+          hasFixedRange(autoscaling.readMinCapacity, autoscaling.readMaxCapacity) ||
+          hasFixedRange(autoscaling.writeMinCapacity, autoscaling.writeMaxCapacity)
+        );
+      })
+      .map((table) => createFindingMatch(table.resourceId, undefined, undefined, table.location));
+
+    return createFinding({ id: RULE_ID, service: RULE_SERVICE, message: RULE_MESSAGE }, 'iac', findings);
+  },
+});

packages/rules/src/aws/dynamodb/autoscaling-range-fixed.ts

@@ -1,6 +1,12 @@
+import { dynamoDbAutoscalingRangeFixedRule } from './autoscaling-range-fixed.js';
 import { dynamoDbStaleTableDataRule } from './stale-table-data.js';
 import { dynamoDbTableWithoutAutoscalingRule } from './table-without-autoscaling.js';
 import { dynamoDbUnusedTableRule } from './unused-table.js';
 
 // Intent: aggregate AWS DynamoDB rule definitions.
-export const dynamodbRules = [dynamoDbStaleTableDataRule, dynamoDbTableWithoutAutoscalingRule, dynamoDbUnusedTableRule];
+export const dynamodbRules = [
+  dynamoDbStaleTableDataRule,
+  dynamoDbTableWithoutAutoscalingRule,
+  dynamoDbUnusedTableRule,
+  dynamoDbAutoscalingRangeFixedRule,
+];

packages/rules/src/aws/dynamodb/index.ts

@@ -0,0 +1,25 @@
+import { createFinding, createFindingMatch, createRule } from '../../shared/helpers.js';
+
+const RULE_ID = 'CLDBRN-AWS-EBS-9';
+const RULE_SERVICE = 'ebs';
+const RULE_MESSAGE = 'EBS gp3 volumes should avoid paid IOPS above the included baseline unless required.';
+
+/** Flag gp3 volumes that provision IOPS above the included 3000 baseline. */
+export const ebsGp3ExtraIopsRule = createRule({
+  id: RULE_ID,
+  name: 'EBS gp3 Volume Extra IOPS Provisioned',
+  description: 'Flag gp3 volumes that provision IOPS above the included 3000 baseline.',
+  message: RULE_MESSAGE,
+  provider: 'aws',
+  service: RULE_SERVICE,
+  supports: ['iac'],
+  staticDependencies: ['aws-ebs-volumes'],
+  evaluateStatic: ({ resources }) => {
+    const findings = resources
+      .get('aws-ebs-volumes')
+      .filter((volume) => volume.volumeType === 'gp3' && volume.iops !== null && volume.iops > 3000)
+      .map((volume) => createFindingMatch(volume.resourceId, undefined, undefined, volume.location));
+
+    return createFinding({ id: RULE_ID, service: RULE_SERVICE, message: RULE_MESSAGE }, 'iac', findings);
+  },
+});

packages/rules/src/aws/ebs/gp3-extra-iops.ts

@@ -0,0 +1,28 @@
+import { createFinding, createFindingMatch, createRule } from '../../shared/helpers.js';
+
+const RULE_ID = 'CLDBRN-AWS-EBS-8';
+const RULE_SERVICE = 'ebs';
+const RULE_MESSAGE = 'EBS gp3 volumes should avoid paid throughput above the included baseline unless required.';
+
+/** Flag gp3 volumes that provision throughput above the included 125 MiB/s baseline. */
+export const ebsGp3ExtraThroughputRule = createRule({
+  id: RULE_ID,
+  name: 'EBS gp3 Volume Extra Throughput Provisioned',
+  description: 'Flag gp3 volumes that provision throughput above the included 125 MiB/s baseline.',
+  message: RULE_MESSAGE,
+  provider: 'aws',
+  service: RULE_SERVICE,
+  supports: ['iac'],
+  staticDependencies: ['aws-ebs-volumes'],
+  evaluateStatic: ({ resources }) => {
+    const findings = resources
+      .get('aws-ebs-volumes')
+      .filter(
+        (volume) =>
+          volume.volumeType === 'gp3' && typeof volume.throughputMiBps === 'number' && volume.throughputMiBps > 125,
+      )
+      .map((volume) => createFindingMatch(volume.resourceId, undefined, undefined, volume.location));
+
+    return createFinding({ id: RULE_ID, service: RULE_SERVICE, message: RULE_MESSAGE }, 'iac', findings);
+  },
+});

packages/rules/src/aws/ebs/gp3-extra-throughput.ts

@@ -1,4 +1,6 @@
 import { ebsAttachedToStoppedInstancesRule } from './attached-to-stopped-instances.js';
+import { ebsGp3ExtraIopsRule } from './gp3-extra-iops.js';
+import { ebsGp3ExtraThroughputRule } from './gp3-extra-throughput.js';
 import { ebsHighIopsVolumeRule } from './high-iops-volume.js';
 import { ebsLargeVolumeRule } from './large-volume.js';
 import { ebsLowIopsVolumeRule } from './low-iops-volume.js';
@@ -15,4 +17,6 @@ export const ebsRules = [
   ebsHighIopsVolumeRule,
   ebsLowIopsVolumeRule,
   ebsSnapshotMaxAgeRule,
+  ebsGp3ExtraThroughputRule,
+  ebsGp3ExtraIopsRule,
 ];

packages/rules/src/aws/ebs/index.ts

@@ -0,0 +1,25 @@
+import { createFinding, createFindingMatch, createRule } from '../../shared/helpers.js';
+
+const RULE_ID = 'CLDBRN-AWS-EC2-10';
+const RULE_SERVICE = 'ec2';
+const RULE_MESSAGE = 'EC2 instances should review detailed monitoring because it adds CloudWatch cost.';
+
+/** Flag EC2 instances that explicitly enable detailed monitoring. */
+export const ec2DetailedMonitoringEnabledRule = createRule({
+  id: RULE_ID,
+  name: 'EC2 Instance Detailed Monitoring Enabled',
+  description: 'Flag EC2 instances that explicitly enable detailed monitoring.',
+  message: RULE_MESSAGE,
+  provider: 'aws',
+  service: RULE_SERVICE,
+  supports: ['iac'],
+  staticDependencies: ['aws-ec2-instances'],
+  evaluateStatic: ({ resources }) => {
+    const findings = resources
+      .get('aws-ec2-instances')
+      .filter((instance) => instance.detailedMonitoringEnabled)
+      .map((instance) => createFindingMatch(instance.resourceId, undefined, undefined, instance.location));
+
+    return createFinding({ id: RULE_ID, service: RULE_SERVICE, message: RULE_MESSAGE }, 'iac', findings);
+  },
+});