feat(aws): expand SES/STS/Secrets Manager tool coverage, fix API alignment gaps#5450
feat(aws): expand SES/STS/Secrets Manager tool coverage, fix API alignment gaps#5450waleedlatif1 wants to merge 4 commits into
Conversation
…nment gaps - SES: add suppression list management, email identity CRUD, template update, configuration set creation, custom verification email (10 new tools); fix silent httpsPolicy drop in create_configuration_set and unvalidated suppression reason enum in list_suppressed_destinations - STS: add AssumeRoleWithWebIdentity and AssumeRoleWithSAML (unsigned, no static credentials required); extend assume_role with policyArns/tags/transitiveTagKeys session params - Secrets Manager: add describe_secret, tag_resource, untag_resource, restore_secret, rotate_secret; fix list_secrets dropping rotation/version metadata fields; normalize tool versions to 1.0.0 and alphabetize registry entries All 31 tools verified param-by-param against live AWS API docs across two independent audit passes.
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
PR SummaryHigh Risk Overview Secrets Manager gains describe, tag/untag, restore, and rotate actions; list secrets responses now include rotation rules, version stages, and related dates so list output matches what governance templates expect. SES adds template updates, account suppression list CRUD/list, email identity create/get/delete, configuration set creation, and custom verification email sends, with stricter validation (e.g. suppression reasons enum, configuration set httpsPolicy requiring a redirect domain). STS adds assume role with web identity and assume role with SAML (no static keys on those paths via an unauthenticated regional client), and extends classic assume role with managed policyArns, session tags, and transitiveTagKeys. Reviewed by Cursor Bugbot for commit b94cf1d. Configure here. |
Greptile SummaryThis PR expands AWS tool coverage across SES (10 new tools), STS (2 new tools + session-tag/policy-ARN support on
Confidence Score: 5/5The change is additive — all new routes, tools, and contracts. No existing tool IDs, params, or response fields were removed or renamed. Both validation defects called out in the PR description are fixed. All 17 new routes use Zod contracts for input validation; critical invariants (BOUNCE/COMPLAINT enum, httpsPolicy co-dependency, JSON-object tags, mutually-exclusive rotation fields) are enforced before any AWS call. Client lifecycle is consistently managed with try/finally. The only findings are minor defensive-coding and documentation nits that do not affect correctness in the current call paths. apps/sim/app/api/tools/sts/utils.ts — parseTags lacks a defensive try/catch around JSON.parse (safe in current paths due to contract validation, but worth hardening). Important Files Changed
Sequence Diagram%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
participant Client as Tool / Block
participant Route as Next.js Route Handler
participant Contract as Zod Contract
participant Util as AWS Utility fn
participant AWS as AWS API
Client->>Route: "POST /api/tools/{service}/{operation}"
Route->>Route: checkInternalAuth()
Route->>Contract: parseToolRequest(contract, request)
Contract-->>Route: 400 if validation fails
Route->>Util: call utility fn
Util->>AWS: SDK Command
AWS-->>Util: response
Util-->>Route: mapped response object
Route-->>Client: 200 NextResponse.json(result)
Note over Route,Util: client.destroy() in finally block
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
participant Client as Tool / Block
participant Route as Next.js Route Handler
participant Contract as Zod Contract
participant Util as AWS Utility fn
participant AWS as AWS API
Client->>Route: "POST /api/tools/{service}/{operation}"
Route->>Route: checkInternalAuth()
Route->>Contract: parseToolRequest(contract, request)
Contract-->>Route: 400 if validation fails
Route->>Util: call utility fn
Util->>AWS: SDK Command
AWS-->>Util: response
Util-->>Route: mapped response object
Route-->>Client: 200 NextResponse.json(result)
Note over Route,Util: client.destroy() in finally block
Reviews (4): Last reviewed commit: "fix(ses): stop coercing switch string 'f..." | Re-trigger Greptile |
…Manager rotation - ses_create_configuration_set: validate suppressedReasons against BOUNCE/COMPLAINT enum before calling AWS (was silently reaching AWS as a generic 500 for bad values); tags now a proper Zod array schema instead of a string with route-side JSON.parse - ses_create_email_identity: dkimSigningAttributes and tags now proper Zod object/array schemas instead of strings with route-side JSON.parse, matching the pattern used elsewhere (e.g. sts_assume_role tags, secrets_manager_tag_resource) - secrets_manager_rotate_secret: reject automaticallyAfterDays and scheduleExpression when both are supplied — AWS RotationRules accepts only one - sts createUnauthenticatedSTSClient: corrected a misleading comment claiming these calls are fully unsigned; the SDK still falls through its default credential provider chain
|
@greptile please re-review |
|
@cursor review |
The SES block declared the tags and dkimSigningAttributes block inputs as 'string' instead of 'json', so the generic block executor never parsed the JSON code-editor value before forwarding it — workflow runs sent a raw JSON string where the contract now expects a structured object/array, failing validation. Also corrected the corresponding tool param TypeScript types, which were still typed as string | null.
|
@greptile please re-review |
|
@cursor review |
…guration_set
Boolean('false') evaluates to true, so turning off the
reputationMetricsEnabled or sendingEnabled switch sent the opposite of
the user's choice to SES. Match the established === 'true' string
comparison pattern used elsewhere in the codebase.
|
@greptile please re-review |
|
@cursor review |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit b94cf1d. Configure here.
| durationSeconds: { type: 'string', description: 'Session duration in seconds' }, | ||
| policy: { type: 'string', description: 'JSON IAM session policy to restrict permissions' }, | ||
| policyArns: { type: 'string', description: 'Comma-separated managed policy ARNs' }, | ||
| tags: { type: 'json', description: 'Session tags (Key/Value pairs) for ABAC' }, |
There was a problem hiding this comment.
STS session tags schema mismatch
Medium Severity
For assume_role, session tags are serialized to a JSON string for the STS API, but the block marks tags as json, so the generic executor parses that string into an object before the tool request. The route contract expects tags as a string, so valid block runs fail request validation instead of calling AWS.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit b94cf1d. Configure here.


Summary
Type of Change
Testing
bunx tsc --noEmit,bun run lint,bun run check:api-validationall passChecklist