fix(rules): renumber ec2 rule ids (#40)

Author: dannysteenman

.changeset/clean-rules-renumber.md

@@ -0,0 +1,5 @@
+---
+'@cloudburn/rules': patch
+---
+
+Renumber the AWS EC2 built-in rule IDs to keep the service sequence contiguous and add metadata coverage that fails when rule numbers are duplicated or skipped.

docs/guides/adding-a-rule.md

@@ -9,7 +9,7 @@ Use this guide for both:
 
 ## 1. Choose an ID
 
-Format: `CLDBRN-{PROVIDER}-{SERVICE}-{N}`. Check [rule-ids.md](../reference/rule-ids.md) for the next available number in your service. Never reuse or renumber existing IDs.
+Format: `CLDBRN-{PROVIDER}-{SERVICE}-{N}`. Check [rule-ids.md](../reference/rule-ids.md) for the next contiguous number in your service. Keep each provider/service sequence gap-free, and if you remove or reorder a rule, renumber later IDs and update references in the same change.
 
 ## 2. Decide Whether You Need a Dataset Change
 

docs/reference/rule-ids.md

@@ -8,7 +8,7 @@ Format: `CLDBRN-{PROVIDER}-{SERVICE}-{N}`
 
 - All uppercase
 - No zero-padding on the sequence number
-- IDs are stable — no renumbering when rules are removed (gaps are allowed)
+- IDs stay contiguous within each provider/service sequence; when a change affects the sequence, renumber later entries and update references in the same change
 - Provider: `AWS`, `AZURE`, `GCP`
 - Service: short name matching the directory (e.g. `EBS`, `EC2`, `RDS`, `S3`, `LAMBDA`)
 
@@ -25,10 +25,10 @@ Format: `CLDBRN-{PROVIDER}-{SERVICE}-{N}`
 | `CLDBRN-AWS-EC2-3`    | Elastic IP Address Unassociated           | ec2     | discovery      | Implemented |
 | `CLDBRN-AWS-EC2-4`    | VPC Interface Endpoint Inactive           | ec2     | discovery      | Implemented |
 | `CLDBRN-AWS-EC2-5`    | EC2 Instance Low Utilization              | ec2     | discovery      | Implemented |
-| `CLDBRN-AWS-EC2-9`    | EC2 Instance Without Graviton             | ec2     | discovery      | Implemented |
-| `CLDBRN-AWS-EC2-10`   | EC2 Reserved Instance Expiring            | ec2     | discovery      | Implemented |
-| `CLDBRN-AWS-EC2-11`   | EC2 Instance Large Size                   | ec2     | discovery      | Implemented |
-| `CLDBRN-AWS-EC2-12`   | EC2 Instance Long Running                 | ec2     | discovery      | Implemented |
+| `CLDBRN-AWS-EC2-6`    | EC2 Instance Without Graviton             | ec2     | discovery      | Implemented |
+| `CLDBRN-AWS-EC2-7`    | EC2 Reserved Instance Expiring            | ec2     | discovery      | Implemented |
+| `CLDBRN-AWS-EC2-8`    | EC2 Instance Large Size                   | ec2     | discovery      | Implemented |
+| `CLDBRN-AWS-EC2-9`    | EC2 Instance Long Running                 | ec2     | discovery      | Implemented |
 | `CLDBRN-AWS-ECS-1`    | ECS Container Instance Without Graviton   | ecs     | discovery      | Implemented |
 | `CLDBRN-AWS-ECS-2`    | ECS Cluster Low CPU Utilization           | ecs     | discovery      | Implemented |
 | `CLDBRN-AWS-ECS-3`    | ECS Service Missing Autoscaling Policy    | ecs     | discovery      | Implemented |
@@ -56,13 +56,13 @@ Format: `CLDBRN-{PROVIDER}-{SERVICE}-{N}`
 
 `CLDBRN-AWS-CLOUDWATCH-2` flags log streams with no observed event history and log streams whose `lastIngestionTime` is more than 90 days old. Delivery-managed log groups remain exempt.
 
-`CLDBRN-AWS-EC2-9` flags only families with a curated Graviton-equivalent path. Instances without architecture metadata or outside the curated family set are skipped.
+`CLDBRN-AWS-EC2-6` flags only families with a curated Graviton-equivalent path. Instances without architecture metadata or outside the curated family set are skipped.
 
-`CLDBRN-AWS-EC2-10` reviews only active reserved instances with an `endTime` inside the next 60 days.
+`CLDBRN-AWS-EC2-7` reviews only active reserved instances with an `endTime` inside the next 60 days.
 
-`CLDBRN-AWS-EC2-11` treats `2xlarge` and above, plus `metal`, as the large-instance review threshold.
+`CLDBRN-AWS-EC2-8` treats `2xlarge` and above, plus `metal`, as the large-instance review threshold.
 
-`CLDBRN-AWS-EC2-12` flags only instances with a parsed launch timestamp at least 180 days old.
+`CLDBRN-AWS-EC2-9` flags only instances with a parsed launch timestamp at least 180 days old.
 
 `CLDBRN-AWS-ECS-1` flags only EC2-backed container instances whose instance families have a curated Graviton-equivalent path. Fargate and unclassified backing instances are skipped.
 

packages/rules/AGENTS.md

@@ -3,7 +3,7 @@
 ## Rule Authoring
 
 - `createRule` is mandatory for built-in rule declarations.
-- Rule IDs must use `CLDBRN-{PROVIDER}-{SERVICE}-{N}` in uppercase with no zero-padding. Never renumber existing IDs; gaps are allowed.
+- Rule IDs must use `CLDBRN-{PROVIDER}-{SERVICE}-{N}` in uppercase with no zero-padding. Keep numbering contiguous within each provider/service sequence; if a rule is removed or reordered, renumber later IDs and update references in the same change.
 - Rule evaluators return lean rule-level groups that include `ruleId`, `service`, `source`, `message`, and nested `FindingMatch[]`.
 - Rule names must describe the policy being enforced, not the migration or fix action.
 - Rule-level `message` is the canonical public policy text for scan output.

packages/rules/src/aws/ec2/graviton-review.ts

@@ -1,7 +1,7 @@
 import { createFinding, createFindingMatch, createRule } from '../../shared/helpers.js';
 import { shouldReviewAwsEc2InstanceForGraviton } from './preferred-instance-families.js';
 
-const RULE_ID = 'CLDBRN-AWS-EC2-9';
+const RULE_ID = 'CLDBRN-AWS-EC2-6';
 const RULE_SERVICE = 'ec2';
 const RULE_MESSAGE = 'EC2 instances without a Graviton equivalent in use should be reviewed.';
 

packages/rules/src/aws/ec2/large-instance.ts

@@ -1,6 +1,6 @@
 import { createFinding, createFindingMatch, createRule } from '../../shared/helpers.js';
 
-const RULE_ID = 'CLDBRN-AWS-EC2-11';
+const RULE_ID = 'CLDBRN-AWS-EC2-8';
 const RULE_SERVICE = 'ec2';
 const RULE_MESSAGE = 'EC2 large instances of 2xlarge or greater should be reviewed.';
 // Treat 2xlarge and above as the right-sizing review threshold.

packages/rules/src/aws/ec2/long-running-instance.ts

@@ -1,6 +1,6 @@
 import { createFinding, createFindingMatch, createRule } from '../../shared/helpers.js';
 
-const RULE_ID = 'CLDBRN-AWS-EC2-12';
+const RULE_ID = 'CLDBRN-AWS-EC2-9';
 const RULE_SERVICE = 'ec2';
 const RULE_MESSAGE = 'EC2 instances running for 180 days or longer should be reviewed.';
 const DAY_MS = 24 * 60 * 60 * 1000;

packages/rules/src/aws/ec2/reserved-instance-expiring.ts

@@ -1,6 +1,6 @@
 import { createFinding, createFindingMatch, createRule } from '../../shared/helpers.js';
 
-const RULE_ID = 'CLDBRN-AWS-EC2-10';
+const RULE_ID = 'CLDBRN-AWS-EC2-7';
 const RULE_SERVICE = 'ec2';
 const RULE_MESSAGE = 'EC2 reserved instances expiring within 60 days should be reviewed.';
 const DAY_MS = 24 * 60 * 60 * 1000;

packages/rules/test/ec2-graviton-review.test.ts

@@ -26,7 +26,7 @@ describe('ec2GravitonReviewRule', () => {
     });
 
     expect(finding).toEqual({
-      ruleId: 'CLDBRN-AWS-EC2-9',
+      ruleId: 'CLDBRN-AWS-EC2-6',
       service: 'ec2',
       source: 'discovery',
       message: 'EC2 instances without a Graviton equivalent in use should be reviewed.',

packages/rules/test/ec2-large-instance.test.ts

@@ -25,7 +25,7 @@ describe('ec2LargeInstanceRule', () => {
     });
 
     expect(finding).toEqual({
-      ruleId: 'CLDBRN-AWS-EC2-11',
+      ruleId: 'CLDBRN-AWS-EC2-8',
       service: 'ec2',
       source: 'discovery',
       message: 'EC2 large instances of 2xlarge or greater should be reviewed.',