fix: guardrails for secrets marked for deletion #2
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Walkthrough
This change makes the collector return safe defaults for Secrets Manager secrets with a
Changes
- Deleted Secret Handling Optimization
- Go module dependency updates
Pull request overview
This PR adds guardrails to handle AWS Secrets Manager secrets that are marked for deletion by avoiding subresource API calls that AWS rejects for pending-deletion secrets, while still emitting useful DescribeSecret metadata and any matched CloudTrail deletion context.
Changes:
- Skip per-secret subresource calls (`GetResourcePolicy`, `ListSecretVersionIds`) when `DescribeSecret.DeletedDate` is set, while still emitting consistent default config fields.
- Add a regression test ensuring no policy/version calls occur for pending-deletion secrets and that default config values are present.
- Document the pending-deletion behavior in the README coverage section.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| README.md | Documents that pending-deletion secrets skip policy/version subresource calls while still capturing deletion metadata/context. |
| collector.go | Initializes default resource_policy* and versions fields, then returns early for pending-deletion secrets to avoid rejected AWS calls. |
| collector_test.go | Adds assertions verifying pending-deletion secrets do not trigger policy/version calls and still emit expected defaults. |
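The guardrail the review describes, as an added illustration that is not the project's collector.go: describe the secret first, set the `resource_policy*` and `versions` defaults before any branch, and return early when `DeletedDate` is set so that `GetResourcePolicy` and `ListSecretVersionIds` are never issued for a pending-deletion secret. The `SecretsAPI` interface, the `FakeSecretsAPI` call counter, the record field names other than `resource_policy*`/`versions`, and the sample ARNs are all assumptions made for this example; the real collector's AWS client type and output schema are not shown on the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// DescribeOutput holds the DescribeSecret fields this example needs; DeletedDate
// is nil unless the secret is scheduled for deletion. Hypothetical stand-in type.
type DescribeOutput struct {
	ARN         string
	Name        string
	DeletedDate *time.Time
}

// SecretsAPI is the minimal client surface assumed here (not the real AWS client).
type SecretsAPI interface {
	DescribeSecret(arn string) (DescribeOutput, error)
	GetResourcePolicy(arn string) (string, error)
	ListSecretVersionIds(arn string) ([]string, error)
}

// SecretRecord is the flattened record the collector emits. Every field is always
// present so consumers see one schema whether or not subresource calls were made.
type SecretRecord struct {
	ARN                  string   `json:"arn"`
	Name                 string   `json:"name"`
	PendingDeletion      bool     `json:"pending_deletion"`
	DeletedDate          string   `json:"deleted_date,omitempty"`
	ResourcePolicy       string   `json:"resource_policy"`
	ResourcePolicyExists bool     `json:"resource_policy_exists"`
	Versions             []string `json:"versions"`
}

// CollectSecret describes one secret and fetches its policy and versions only
// when it is not pending deletion; otherwise it returns the defaults early.
func CollectSecret(api SecretsAPI, arn string) (SecretRecord, error) {
	desc, err := api.DescribeSecret(arn)
	if err != nil {
		return SecretRecord{}, fmt.Errorf("describe %s: %w", arn, err)
	}
	// Defaults are set before any branch so both paths emit the same fields.
	rec := SecretRecord{ARN: desc.ARN, Name: desc.Name, Versions: []string{}}
	if desc.DeletedDate != nil {
		rec.PendingDeletion = true
		rec.DeletedDate = desc.DeletedDate.UTC().Format(time.RFC3339)
		return rec, nil // guardrail: skip calls AWS rejects for pending-deletion secrets
	}
	policy, err := api.GetResourcePolicy(arn)
	if err != nil {
		return SecretRecord{}, fmt.Errorf("get resource policy %s: %w", arn, err)
	}
	rec.ResourcePolicy, rec.ResourcePolicyExists = policy, policy != ""
	versions, err := api.ListSecretVersionIds(arn)
	if err != nil {
		return SecretRecord{}, fmt.Errorf("list versions %s: %w", arn, err)
	}
	rec.Versions = versions
	return rec, nil
}

// FakeSecretsAPI is an in-memory stand-in that counts subresource calls, so a
// regression test can assert the guardrail really skips them.
type FakeSecretsAPI struct {
	Secrets      map[string]DescribeOutput
	PolicyCalls  int
	VersionCalls int
}

func (f *FakeSecretsAPI) DescribeSecret(arn string) (DescribeOutput, error) {
	d, ok := f.Secrets[arn]
	if !ok {
		return DescribeOutput{}, fmt.Errorf("ResourceNotFoundException: %s", arn)
	}
	return d, nil
}

func (f *FakeSecretsAPI) GetResourcePolicy(arn string) (string, error) {
	f.PolicyCalls++
	return `{"Version":"2012-10-17","Statement":[]}`, nil // constructed sample policy
}

func (f *FakeSecretsAPI) ListSecretVersionIds(arn string) ([]string, error) {
	f.VersionCalls++
	return []string{"AWSCURRENT-0001", "AWSPREVIOUS-0000"}, nil // constructed sample
}

// Constructed sample ARNs (not real resources).
const (
	LiveARN    = "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-AbCdEf"
	PendingARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/old-GhIjKl"
)

// NewSampleAPI builds the fake with one live secret and one scheduled for deletion.
func NewSampleAPI() *FakeSecretsAPI {
	deleted := time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC)
	return &FakeSecretsAPI{Secrets: map[string]DescribeOutput{
		LiveARN:    {ARN: LiveARN, Name: "app/db"},
		PendingARN: {ARN: PendingARN, Name: "app/old", DeletedDate: &deleted},
	}}
}

func main() {
	api := NewSampleAPI()
	for _, arn := range []string{LiveARN, PendingARN} {
		rec, err := CollectSecret(api, arn)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		out, _ := json.Marshal(rec)
		fmt.Println(string(out))
	}
	fmt.Printf("policy calls=%d version calls=%d\n", api.PolicyCalls, api.VersionCalls)
}
```

The point of the counting fake is the same as the PR's regression test: a pending-deletion secret must produce a record with `pending_deletion` and `deleted_date` set, `resource_policy` empty and `versions` an empty list, with zero policy and zero version calls, while a live secret still triggers exactly one of each.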
Summary by CodeRabbit
Bug Fixes
Documentation
Tests