
Feat/risk and subject templates#13

Merged
reecebedding merged 2 commits into main from feat/risk-and-subject-templates on Jun 4, 2026

Conversation

reecebedding (Member) commented Jun 4, 2026
Summary by CodeRabbit

  • Documentation

    • Expanded README with comprehensive guidance on plugin functionality, supported AWS resources (EC2, EBS, snapshots, AMIs), configuration requirements, credential setup, and development commands.
  • Build & Infrastructure

    • Updated build process for improved plugin compilation.
    • Enhanced plugin initialization mechanism.

coderabbitai (bot) commented Jun 4, 2026

Walkthrough

The PR adds EC2 instance subject template registration to the AWS EC2 compliance plugin. Subject templates are defined with templated metadata, integrated into plugin initialization, and tested for correctness. The build system and documentation are updated to reflect this new initialization flow.

Changes

Subject template initialization and documentation

subject_templates.go (subject template definitions and helpers)
buildSubjectTemplates constructs an EC2 instance template with templated title, description, and purpose strings; identity label keys (provider, region, instance-id); a type=ec2 selector label; and a label schema describing provider, type, instance-id, vpc-id, subnet-id, and region. Helpers build label selectors and schemas.

subject_templates_test.go (subject template testing)
TestBuildSubjectTemplates validates template structure and schema. TestBuildSubjectTemplatesRenderCurrentLabels verifies title and description template rendering with EC2 instance label data. An executeTemplate helper parses and executes templates.

main.go (plugin initialization with subject templates)
CompliancePlugin.Init now calls runner.InitWithSubjectsAndRisksFromPolicies with the built subject templates and a background context, replacing the prior empty response.

Makefile, README.md (build configuration and documentation)
The Makefile build target compiles the full Go package (.) instead of main.go. The README is rewritten to document plugin purpose (EC2/EBS/snapshot metadata collection), supported resources, CCF integration (go-plugin, gRPC, template registration), configuration (credentials, regions, policy data), collected evidence scope, and development commands.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Templates bloom where subjects stand,
EC2 instances now understand
Their labels, types, and regions too,
Init builds subjects fresh and new.
A plugin grows with tested grace!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is below the required threshold of 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title 'Feat/risk and subject templates' accurately reflects the main changes: introducing risk and subject template functionality to the plugin.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai (bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@subject_templates_test.go`:
- Around line 18-48: Replace direct proto field accesses on tpl in
subject_templates_test.go with the protobuf getter methods: use tpl.GetName()
instead of tpl.Name, tpl.GetType() instead of tpl.Type,
tpl.GetIdentityLabelKeys() for IdentityLabelKeys, tpl.GetSelectorLabels() for
SelectorLabels, and tpl.GetLabelSchema() for LabelSchema; for nested label
entries use entry.GetKey() and entry.GetValue() instead of .Key/.Value. Update
the comparisons and loops to call these getters (e.g., iterate over
tpl.GetIdentityLabelKeys(), compare
tpl.GetSelectorLabels()[0].GetKey()/GetValue(), and
tpl.GetLabelSchema()[i].GetKey()) so the test uses protogetter accessors
throughout.

ℹ️ Review info

Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 35ce44f6-06a2-45ac-8a3b-cebccae38a06

📥 Commits

Reviewing files that changed from the base of the PR and between 3000cd4 and f0cc334.

📒 Files selected for processing (5)
  • Makefile
  • README.md
  • main.go
  • subject_templates.go
  • subject_templates_test.go

Comment thread subject_templates_test.go
Comment on lines +18 to +48
```go
	if tpl.Name != "aws-ec2-instance" {
		t.Fatalf("unexpected template name: %s", tpl.Name)
	}
	if tpl.Type != proto.SubjectType_SUBJECT_TYPE_COMPONENT {
		t.Fatalf("unexpected template type: %v", tpl.Type)
	}

	expectedIdentityKeys := []string{"provider", "region", "instance-id"}
	if len(tpl.IdentityLabelKeys) != len(expectedIdentityKeys) {
		t.Fatalf("unexpected identity key count: %d", len(tpl.IdentityLabelKeys))
	}
	for i, key := range expectedIdentityKeys {
		if tpl.IdentityLabelKeys[i] != key {
			t.Fatalf("unexpected identity key at %d: %s", i, tpl.IdentityLabelKeys[i])
		}
	}

	if len(tpl.SelectorLabels) != 1 {
		t.Fatalf("unexpected selector count: %d", len(tpl.SelectorLabels))
	}
	if tpl.SelectorLabels[0].Key != "type" || tpl.SelectorLabels[0].Value != "ec2" {
		t.Fatalf("unexpected selector label: %s=%s", tpl.SelectorLabels[0].Key, tpl.SelectorLabels[0].Value)
	}

	expectedSchemaKeys := []string{"provider", "type", "instance-id", "_vpc-id", "_subnet-id", "region"}
	if len(tpl.LabelSchema) != len(expectedSchemaKeys) {
		t.Fatalf("unexpected label schema count: %d", len(tpl.LabelSchema))
	}
	for i, key := range expectedSchemaKeys {
		if tpl.LabelSchema[i].Key != key {
			t.Fatalf("unexpected label schema key at %d: %s", i, tpl.LabelSchema[i].Key)
		}
	}
```

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Verify remaining direct proto field access in test file (should return no matches after fix)
rg -nP 'tpl\.(Name|Type|IdentityLabelKeys|SelectorLabels|LabelSchema)\b' subject_templates_test.go
```

Repository: compliance-framework/plugin-aws-ec2

Length of output: 1114


Fix protogetter lint failures by using protobuf getters in subject_templates_test.go
Direct proto field access (tpl.Name, tpl.Type, tpl.IdentityLabelKeys, tpl.SelectorLabels, tpl.LabelSchema, and their nested .Key/.Value) still exists in this test (lines 18-48) and will trip protogetter-style lint. Replace with GetX() accessors.

Proposed fix
-	if tpl.Name != "aws-ec2-instance" {
-		t.Fatalf("unexpected template name: %s", tpl.Name)
+	if tpl.GetName() != "aws-ec2-instance" {
+		t.Fatalf("unexpected template name: %s", tpl.GetName())
 	}
-	if tpl.Type != proto.SubjectType_SUBJECT_TYPE_COMPONENT {
-		t.Fatalf("unexpected template type: %v", tpl.Type)
+	if tpl.GetType() != proto.SubjectType_SUBJECT_TYPE_COMPONENT {
+		t.Fatalf("unexpected template type: %v", tpl.GetType())
 	}

 	expectedIdentityKeys := []string{"provider", "region", "instance-id"}
-	if len(tpl.IdentityLabelKeys) != len(expectedIdentityKeys) {
-		t.Fatalf("unexpected identity key count: %d", len(tpl.IdentityLabelKeys))
+	if len(tpl.GetIdentityLabelKeys()) != len(expectedIdentityKeys) {
+		t.Fatalf("unexpected identity key count: %d", len(tpl.GetIdentityLabelKeys()))
 	}
 	for i, key := range expectedIdentityKeys {
-		if tpl.IdentityLabelKeys[i] != key {
-			t.Fatalf("unexpected identity key at %d: %s", i, tpl.IdentityLabelKeys[i])
+		if tpl.GetIdentityLabelKeys()[i] != key {
+			t.Fatalf("unexpected identity key at %d: %s", i, tpl.GetIdentityLabelKeys()[i])
 		}
 	}

-	if len(tpl.SelectorLabels) != 1 {
-		t.Fatalf("unexpected selector count: %d", len(tpl.SelectorLabels))
+	if len(tpl.GetSelectorLabels()) != 1 {
+		t.Fatalf("unexpected selector count: %d", len(tpl.GetSelectorLabels()))
 	}
-	if tpl.SelectorLabels[0].Key != "type" || tpl.SelectorLabels[0].Value != "ec2" {
-		t.Fatalf("unexpected selector label: %s=%s", tpl.SelectorLabels[0].Key, tpl.SelectorLabels[0].Value)
+	if tpl.GetSelectorLabels()[0].GetKey() != "type" || tpl.GetSelectorLabels()[0].GetValue() != "ec2" {
+		t.Fatalf("unexpected selector label: %s=%s", tpl.GetSelectorLabels()[0].GetKey(), tpl.GetSelectorLabels()[0].GetValue())
 	}

 	expectedSchemaKeys := []string{"provider", "type", "instance-id", "_vpc-id", "_subnet-id", "region"}
-	if len(tpl.LabelSchema) != len(expectedSchemaKeys) {
-		t.Fatalf("unexpected label schema count: %d", len(tpl.LabelSchema))
+	if len(tpl.GetLabelSchema()) != len(expectedSchemaKeys) {
+		t.Fatalf("unexpected label schema count: %d", len(tpl.GetLabelSchema()))
 	}
 	for i, key := range expectedSchemaKeys {
-		if tpl.LabelSchema[i].Key != key {
-			t.Fatalf("unexpected label schema key at %d: %s", i, tpl.LabelSchema[i].Key)
+		if tpl.GetLabelSchema()[i].GetKey() != key {
+			t.Fatalf("unexpected label schema key at %d: %s", i, tpl.GetLabelSchema()[i].GetKey())
 		}
 	}
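Review bot: the getter rewrite is mechanically correct, but the last loop in this hunk still asserts only the key of each label schema entry and nothing else about it, and it pins "_vpc-id" and "_subnet-id" (leading underscore) while the PR walkthrough lists the same schema as vpc-id and subnet-id; if the underscore is a deliberate convention, a one-line comment in the test saying what it means would stop the next reader from "fixing" it. Also, `tpl.GetIdentityLabelKeys()` and `tpl.GetLabelSchema()` are now called on every loop iteration; hoisting them once (`keys := tpl.GetIdentityLabelKeys()`, `schema := tpl.GetLabelSchema()`) satisfies protogetter just as well and keeps the comparisons readable.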
🧰 Tools
🪛 golangci-lint (2.12.2)

[error] 18-18: avoid direct access to proto field tpl.Name, use tpl.GetName() instead (protogetter)
[error] 19-19: avoid direct access to proto field tpl.Name, use tpl.GetName() instead (protogetter)
[error] 21-21: avoid direct access to proto field tpl.Type, use tpl.GetType() instead (protogetter)
[error] 22-22: avoid direct access to proto field tpl.Type, use tpl.GetType() instead (protogetter)
[error] 26-26: avoid direct access to proto field tpl.IdentityLabelKeys, use tpl.GetIdentityLabelKeys() instead (protogetter)
[error] 27-27: avoid direct access to proto field tpl.IdentityLabelKeys, use tpl.GetIdentityLabelKeys() instead (protogetter)
[error] 30-30: avoid direct access to proto field tpl.IdentityLabelKeys, use tpl.GetIdentityLabelKeys() instead (protogetter)
[error] 35-35: avoid direct access to proto field tpl.SelectorLabels, use tpl.GetSelectorLabels() instead (protogetter)
[error] 36-36: avoid direct access to proto field tpl.SelectorLabels, use tpl.GetSelectorLabels() instead (protogetter)
@reecebedding reecebedding merged commit f044573 into main Jun 4, 2026
2 checks passed