cloudgov: strip to AWS-only + maintenance pass#4
Merged
Refocuses cloudgov from a multi-cloud (AWS/GCP/Azure) CLI into an
AWS-only tool, matching the AWS-specific org it lives in, and folds in
related maintenance cleanup.
─── Multi-cloud strip-down (AWS-only) ───
Deleted the internal/cloud/gcp and internal/cloud/azure provider
packages in full, along with the cis-gcp-v2 and cis-azure-v2 compliance
benchmarks. AWS is now the only cloud backend; the Kubernetes RBAC
scanner (cloudgov k8s rbac) stays.
Removed the --provider flag from every command. Each resolve*Providers()
now builds a single AWS provider via cloudaws.New / NewWithProfile, gated
by a Detect() credential check that returns a clean "no AWS credentials
detected" message. The cloud.Provider and per-domain interfaces
(IAMProvider, CostProvider, ...) are kept as test seams with AWS as the
sole cloud implementation.
Excised GCP/Azure from the remaining shared code:
- compliance/{benchmark,evaluate}.go — dropped the GCP/Azure
evaluators; only cis-aws-v3 and soc2 remain
- fix/terraform.go — removed formatGCPTF, writeAzureJSON,
extractGCPPermissions; AWS Terraform output only
- drift/tfstate.go — provider inference is AWS-only
- iam/analyzer.go — dropped the Microsoft.Authorization admin pattern
- cloud/provider.go — removed the GCP/Azure principal-type constants
and multi-cloud doc comments
go mod tidy dropped all azure/gcp/google SDK dependencies.
Kept intentionally: the secrets scanner still detects leaked GCP
service-account keys and Azure connection strings — embedded-credential
hygiene inside AWS resources, not cloud scanning, and the one remaining
GCP/Azure reference by design.
Docs and release metadata moved to AWS-only framing: README.md,
CONTRIBUTING.md, CLAUDE.md, the .goreleaser.yaml Homebrew description,
and the ci.yml coverage comment.
─── Maintenance pass ───
- Deleted the orphaned internal/config package — nothing imported it,
and its DefaultProviders field was a dead multi-cloud selection knob.
This let go mod tidy drop spf13/viper.
- report.Generate now delegates to report.Render instead of duplicating
the buildTemplateData/parseTemplate/Execute sequence, making the
previously-unused render-to-writer API live.
- Removed two vestigial test-only helpers and their tests:
aws.accountIDFromPrincipal and drift.StringMapKeys.
- README storage-audit flag table now documents the real sarif output.
Kept as grow-into API: iam.BuildMinimalPermissions / GroupByResource. The
AWS MinimalPolicy currently reinvents GroupByResource inline; lifting the
shared policy-shaping out is a follow-up that would otherwise invert the
cmd -> iam -> cloud <- aws layering.
─── Verification ───
go build ./..., go vet ./..., go test ./..., and task build all pass. A
multi-agent adversarial review confirmed no GCP/Azure residue outside the
intentional secret-detection keep. 94 files changed (54 deletions),
+283/-8432.
Co-authored-by: stxkxsbot <275011021+stxkxsbot@users.noreply.github.com>
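The Detect()-gated provider resolution and the interface-as-test-seam arrangement the commit message describes, as an added Go illustration that is not cloudgov's own code: ErrNoCredentials, Env, Detect, IAMProvider (reduced to one method), ResolveIAMProvider and fakeIAM are assumed names, and the exact set of credential sources checked is an assumption about what such a presence check would cover.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrNoCredentials is the clean, user-facing error returned up front instead of
// an SDK failure deep inside the first API call. Hypothetical name.
var ErrNoCredentials = errors.New("no AWS credentials detected")

// Env abstracts what Detect inspects so the check runs offline and in tests.
type Env struct {
	Getenv     func(string) string
	FileExists func(string) bool
	Home       string
}

// OSEnv is the real-process Env used by the command layer.
func OSEnv() Env {
	home, _ := os.UserHomeDir()
	return Env{
		Getenv: os.Getenv,
		FileExists: func(p string) bool {
			st, err := os.Stat(p)
			return err == nil && !st.IsDir()
		},
		Home: home,
	}
}

// Detect reports whether any standard AWS credential source is configured:
// static keys, a web-identity or container role, or a shared credentials/config
// file (optionally relocated via AWS_SHARED_CREDENTIALS_FILE / AWS_CONFIG_FILE).
// It is a presence check only; it never calls STS, so it says nothing about
// whether the credentials are valid, only whether the SDK has anything to try.
// AWS_PROFILE on its own is not enough: the profile has to exist in a file.
func Detect(e Env) error {
	if e.Getenv("AWS_ACCESS_KEY_ID") != "" && e.Getenv("AWS_SECRET_ACCESS_KEY") != "" {
		return nil
	}
	if e.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE") != "" && e.Getenv("AWS_ROLE_ARN") != "" {
		return nil
	}
	if e.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") != "" ||
		e.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI") != "" {
		return nil
	}
	credFile := e.Getenv("AWS_SHARED_CREDENTIALS_FILE")
	if credFile == "" {
		credFile = filepath.Join(e.Home, ".aws", "credentials")
	}
	cfgFile := e.Getenv("AWS_CONFIG_FILE")
	if cfgFile == "" {
		cfgFile = filepath.Join(e.Home, ".aws", "config")
	}
	if e.FileExists(credFile) || e.FileExists(cfgFile) {
		return nil
	}
	return ErrNoCredentials
}

// IAMProvider is the per-domain seam the command layer depends on. Only one
// method is shown here; the project's real interface is larger.
type IAMProvider interface {
	ListAdminPrincipals() ([]string, error)
}

// ResolveIAMProvider gates construction of the single AWS backend on Detect.
// newAWS stands for the real constructor (cloudaws.New / NewWithProfile in the
// commit message); injecting it is what lets tests substitute a fake without
// any credentials on the machine.
func ResolveIAMProvider(e Env, profile string, newAWS func(profile string) IAMProvider) (IAMProvider, error) {
	if err := Detect(e); err != nil {
		return nil, err
	}
	return newAWS(profile), nil
}

// fakeIAM is a test double standing in for the AWS-backed implementation.
type fakeIAM struct{ admins []string }

func (f fakeIAM) ListAdminPrincipals() ([]string, error) { return f.admins, nil }

func main() {
	// The fake is used here only so the example runs without the AWS SDK.
	p, err := ResolveIAMProvider(OSEnv(), os.Getenv("AWS_PROFILE"), func(string) IAMProvider {
		return fakeIAM{admins: []string{"arn:aws:iam::123456789012:user/alice"}}
	})
	if err != nil {
		fmt.Println("error:", err) // "error: no AWS credentials detected" when nothing is configured
		os.Exit(1)
	}
	admins, _ := p.ListAdminPrincipals()
	fmt.Println("admin principals:", admins)
}
```

The seam matters more than the check: because the command layer only ever sees IAMProvider and a constructor argument, the "no credentials" path and the provider-consuming logic can both be tested with a fake, while the AWS-backed type stays the only real implementation.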
See the commit message for full detail.
Summary
- internal/cloud/gcp and internal/cloud/azure provider packages, removes the --provider flag (AWS-only now), and drops all gcp/azure deps, benchmarks, config, and multi-cloud framing. The Kubernetes RBAC scanner stays. Provider interface seams are kept with AWS as the sole cloud impl.
- internal/config package (drops spf13/viper), wires report.Generate → report.Render (DRY, makes the render-to-writer API live), removes two vestigial test-only helpers (aws.accountIDFromPrincipal, drift.StringMapKeys), and fixes the README storage-audit --output table to list sarif.
Verification
go build ./..., go vet ./..., go test ./..., and task build all pass. A multi-agent adversarial review confirmed no GCP/Azure residue outside the intentional secret-detection keep. 94 files changed (54 deletions), +283/-8432.
Notes / follow-ups
- iam.BuildMinimalPermissions / GroupByResource were kept as grow-into API. MinimalPolicy currently reinvents GroupByResource inline; lifting the shared policy-shaping out is a follow-up that would otherwise invert the cmd → iam → cloud ← aws layering.
- "gcp" / "azure" as arbitrary distinct sort/group keys to exercise the retained generic aggregation seams.
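The one GCP/Azure reference kept by design is the secrets scanner's detection of leaked GCP service-account keys and Azure connection strings inside AWS resources (see the commit message above). The following is an added Go example of what such an embedded-credential check looks like; it is not cloudgov's own scanner. The Finding type, the regexes, ScanValue/Scan and the Sample values are all assumptions, and the key material in Sample is a constructed placeholder, not a real credential.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one embedded credential found inside an AWS-resident value. The
// secret itself is never copied into the finding, only a non-secret hint and a
// masked fragment for triage. Hypothetical type, not cloudgov's own.
type Finding struct {
	Kind     string // "gcp-service-account-key" or "azure-storage-connection-string"
	Location string // caller-supplied label, e.g. "lambda:<fn>/env/<VAR>"
	Hint     string // client_email or AccountName: safe to print in a report
	Masked   string // first/last four characters of the secret material
}

var (
	// A GCP service-account key is JSON; both markers must be present so a
	// bare "type" field (or a document without the private key) does not fire.
	gcpType        = regexp.MustCompile(`"type"\s*:\s*"service_account"`)
	gcpPrivateKey  = regexp.MustCompile(`"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----([^"]*)`)
	gcpClientEmail = regexp.MustCompile(`"client_email"\s*:\s*"([^"@]+@[^"]+\.iam\.gserviceaccount\.com)"`)

	// Azure Storage connection strings carry the account key inline as base64
	// (88 characters for a real key); the name/key pair is what must not sit in
	// user-data or an environment variable.
	azureConn = regexp.MustCompile(`(?i)AccountName=([a-z0-9]{3,24});AccountKey=([A-Za-z0-9+/]{40,}={0,2})`)

	// Strips JSON-escaped and real newlines plus the PEM trailer so only the
	// base64 body is masked.
	pemNoise = strings.NewReplacer(`\n`, "", "\n", "", "-----END PRIVATE KEY-----", "")
)

// mask keeps just enough of a secret to tell two leaks apart in a report.
func mask(s string) string {
	if len(s) <= 12 {
		return "****"
	}
	return s[:4] + "..." + s[len(s)-4:]
}

// ScanValue inspects one string (an env var, a user-data script, an SSM
// parameter) and returns every embedded credential it recognises.
func ScanValue(location, v string) []Finding {
	var out []Finding
	if gcpType.MatchString(v) {
		if pk := gcpPrivateKey.FindStringSubmatch(v); pk != nil {
			f := Finding{Kind: "gcp-service-account-key", Location: location, Masked: mask(pemNoise.Replace(pk[1]))}
			if em := gcpClientEmail.FindStringSubmatch(v); em != nil {
				f.Hint = em[1]
			}
			out = append(out, f)
		}
	}
	for _, m := range azureConn.FindAllStringSubmatch(v, -1) {
		out = append(out, Finding{Kind: "azure-storage-connection-string", Location: location, Hint: m[1], Masked: mask(m[2])})
	}
	return out
}

// Scan runs ScanValue over labelled values and returns findings in a stable
// order so reports diff cleanly between runs.
func Scan(values map[string]string) []Finding {
	var out []Finding
	for loc, v := range values {
		out = append(out, ScanValue(loc, v)...)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Location != out[j].Location {
			return out[i].Location < out[j].Location
		}
		return out[i].Kind < out[j].Kind
	})
	return out
}

// Sample is constructed for this example: the GCP key body and the Azure key
// are placeholders, and the resource labels are made up.
var Sample = map[string]string{
	"lambda:billing-exporter/env/GCP_CREDS": `{"type":"service_account","project_id":"demo-proj",` +
		`"private_key":"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC0FAKE\n-----END PRIVATE KEY-----\n",` +
		`"client_email":"exporter@demo-proj.iam.gserviceaccount.com"}`,
	"ec2:i-0abc123/user-data": "#!/bin/sh\nexport AZURE_STORAGE_CONNECTION_STRING='DefaultEndpointsProtocol=https;" +
		"AccountName=demostor;AccountKey=" + strings.Repeat("Qk", 43) + "==;EndpointSuffix=core.windows.net'\n",
	"lambda:api/env/LOG_LEVEL": "debug",
	"ssm:/app/gcp-metadata":    `{"type":"service_account","client_email":"x@p.iam.gserviceaccount.com"}`, // no private key: not a finding
}

func main() {
	for _, f := range Scan(Sample) {
		fmt.Printf("%-34s %-40s hint=%s key=%s\n", f.Kind, f.Location, f.Hint, f.Masked)
	}
}
```

Requiring both the "service_account" type and the PEM header is what keeps this a credential detector rather than a "mentions GCP" detector, which is the distinction the commit message draws between embedded-credential hygiene and cloud scanning.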