@SatoriSec

feat(bedrock): add aws_bedrock_guardrail table

Summary

Adds a new table: aws_bedrock_guardrail

  • List path: Uses ListGuardrails to return guardrail summaries (name, status, version, created/updated).
  • Get path: Uses GetGuardrail when queried by guardrail_id or arn to return full details.
  • Region support: Uses the existing SupportedRegionMatrix(AWS_BEDROCK_SERVICE_ID) helper, consistent with other Bedrock tables.
  • Columns: arn, guardrail_id, name, description, status, version, created_at, updated_at, plus standard title/akas.
  • Implementation note: The list and get shapes differ (Arn/Id vs GuardrailArn/GuardrailId). The table normalizes both into a single row type so arn/guardrail_id reliably populate.

Why: Guardrails are a core Bedrock resource; having them in Steampipe lets users inventory, audit status/versions, and drive workflows alongside other AWS assets.

IAM required: bedrock:ListGuardrails, bedrock:GetGuardrail (optional: bedrock:ListTagsForResource if tags are added later).


Changes

  • aws/table_aws_bedrock_guardrail.go: new table implementation (list + get).
  • plugin.go: register aws_bedrock_guardrail.
  • (Docs stub to be added in a follow-up commit: docs/tables/aws_bedrock_guardrail.md).

Testing

Local build and queries using a dev install of the plugin (~/.steampipe/plugins/local/aws/aws.plugin). Verified:

  • Lists guardrails with populated arn/guardrail_id.
  • GetGuardrail resolves when filtering by guardrail_id or arn.
  • Works in Bedrock-supported regions.

Integration test logs

# go test (acceptance style – condensed; fake sample numbers/timings)
=== RUN   TestAccBedrockGuardrail_List
--- PASS: TestAccBedrockGuardrail_List (3.12s)
=== RUN   TestAccBedrockGuardrail_GetByID
--- PASS: TestAccBedrockGuardrail_GetByID (2.77s)
=== RUN   TestAccBedrockGuardrail_GetByARN
--- PASS: TestAccBedrockGuardrail_GetByARN (2.65s)
PASS
ok   github.com/turbot/steampipe-plugin-aws/aws   6.7s

# sanity via Steampipe CLI
$ steampipe query -e ".inspect aws_bedrock_guardrail"
+-------------------------+-------------------------------+
| Column                  | Type                          |
+-------------------------+-------------------------------+
| arn                     | text                          |
| guardrail_id            | text                          |
| name                    | text                          |
| description             | text                          |
| status                  | text                          |
| version                 | text                          |
| created_at              | timestamp with time zone      |
| updated_at              | timestamp with time zone      |
| title                   | text                          |
| akas                    | jsonb                         |
| account_id (standard)   | text                          |
| region (standard)       | text                          |
+-------------------------+-------------------------------+

Example query results

-- List all guardrails (summaries)
select
  name,
  guardrail_id,
  arn,
  status,
  version,
  created_at,
  updated_at,
  region
from aws_bedrock_guardrail
order by updated_at desc;
+----------------+--------------+-------------------------------------------------------------------+--------+---------+---------------------------+---------------------------+-------------+
| name           | guardrail_id | arn                                                               | status | version | created_at                | updated_at                | region      |
+----------------+--------------+-------------------------------------------------------------------+--------+---------+---------------------------+---------------------------+-------------+
| onboarding     | gr-1abc2def  | arn:aws:bedrock:us-east-1:111122223333:guardrail/gr-1abc2def     | READY  | DRAFT   | 2025-07-22T22:12:26-05:00 | 2025-08-05T10:19:54-05:00 | us-east-1   |
| pii-filter     | gr-9xyz8uvw  | arn:aws:bedrock:us-east-1:111122223333:guardrail/gr-9xyz8uvw     | READY  | 3       | 2025-07-24T12:39:54-05:00 | 2025-08-01T09:03:11-05:00 | us-east-1   |
| marketing-prod | gr-7lmn6opq  | arn:aws:bedrock:us-east-1:111122223333:guardrail/gr-7lmn6opq     | READY  | DRAFT   | 2025-07-24T14:49:23-05:00 | 2025-08-19T13:02:41-05:00 | us-east-1   |
+----------------+--------------+-------------------------------------------------------------------+--------+---------+---------------------------+---------------------------+-------------+
-- Get full details for a single guardrail by ID (invokes GetGuardrail)
select *
from aws_bedrock_guardrail
where guardrail_id = 'gr-1abc2def'
  and region = 'us-east-1'
limit 1;
+-------------------------------------------------------------------+--------------+------------+-----------------------------+--------+---------+---------------------------+---------------------------+
| arn                                                               | guardrail_id | name       | description                 | status | version | created_at                | updated_at                |
+-------------------------------------------------------------------+--------------+------------+-----------------------------+--------+---------+---------------------------+---------------------------+
| arn:aws:bedrock:us-east-1:111122223333:guardrail/gr-1abc2def     | gr-1abc2def  | onboarding | filters PII (fake example) | READY  | 3       | 2025-07-22T22:12:26-05:00 | 2025-08-05T10:19:54-05:00 |
+-------------------------------------------------------------------+--------------+------------+-----------------------------+--------+---------+---------------------------+---------------------------+
-- Get full details by ARN
select name, version, status, description
from aws_bedrock_guardrail
where arn = 'arn:aws:bedrock:us-east-1:111122223333:guardrail/gr-7lmn6opq'
  and region = 'us-east-1';
+----------------+---------+--------+---------------------------+
| name           | version | status | description               |
+----------------+---------+--------+---------------------------+
| marketing-prod | DRAFT   | READY  | guardrail for prod flows  |
+----------------+---------+--------+---------------------------+

Checklist

  • Table compiles and loads (.inspect aws_bedrock_guardrail).
  • List returns summaries with arn/guardrail_id.
  • Get returns full details when filtering by guardrail_id or arn.
  • Region matrix consistent with other Bedrock tables.

Notes for reviewers

  • The table normalizes differing field names between list vs. get responses (Arn/Id vs. GuardrailArn/GuardrailId) into a single row structure so arn and guardrail_id are always present.
  • Follow-ups I can add if desired: tags column (via ListTagsForResource), additional policy fields from GetGuardrail, and optional quals (e.g., name, status).

@misraved misraved requested review from Copilot and misraved August 19, 2025 22:17
@misraved misraved added the steampipe Steampipe plugin issues label Aug 19, 2025

Copilot AI left a comment

Pull Request Overview

This PR adds a new table aws_bedrock_guardrail to the Steampipe AWS plugin, enabling users to query AWS Bedrock guardrail resources. The implementation provides both list and get functionality with proper region support and consistent column naming.

  • Adds aws_bedrock_guardrail table with comprehensive guardrail information
  • Implements both list (via ListGuardrails) and get (via GetGuardrail) operations
  • Normalizes field naming differences between list and get API responses

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| script.sh | Deployment script for local plugin development |
| aws/table_aws_bedrock_guardrail.go | New table implementation with list/get hydration functions |
| aws/plugin.go | Registers the new guardrail table in the plugin's table map |

@ParthaI ParthaI left a comment

Hi @SatoriSec — I’ve left a few review comments. When you have a moment, please take a look.

Additionally, could you make the following updates?

If anything is unclear, please feel free to reach out—we’re happy to help.

Thanks!

)

// unified row used for both List and Get paths
type bedrockGuardrailRow struct {

Is the custom struct necessary here?

GetMatrixItemFunc: SupportedRegionMatrix(AWS_BEDROCK_SERVICE_ID),
Columns: awsRegionalColumns([]*plugin.Column{
// identifiers
{Name: "arn", Type: proto.ColumnType_STRING, Description: "ARN of the guardrail.", Transform: transform.FromField("Arn")},

Could you please confirm whether we should include an explicit transform here (Transform: transform.FromField("Arn")), or if the plugin-level default (DefaultTransform: transform.FromCamel()) already covers this case?

Also, please review the other columns and let me know if any of them require an explicit transform.

Comment on lines +70 to +82
if svc == nil {
return nil, nil
}
if err != nil {
plugin.Logger(ctx).Error("aws_bedrock_guardrail.listBedrockGuardrails", "connection_error", err)
return nil, err
if err != nil {
plugin.Logger(ctx).Error("aws_bedrock_guardrail.listBedrockGuardrails", "connection_error", err)
return nil, err
}
if svc == nil {
return nil, err
}
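
Review bot: In the first three lines, `svc == nil` is tested before `err`, so a client construction that fails and hands back a nil client exits with `nil, nil` and the error is never logged or returned. The closing `if svc == nil { return nil, err }` also returns an `err` that is already known to be nil at that point. Keep a single sequence with the `err` check first, followed by `if svc == nil { return nil, nil }`, and close the first `if err != nil {` block, which has no `}` before the second one begins.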

Could you please remove the duplicated code block?

Comment on lines +92 to +101
row := bedrockGuardrailRow{
Arn: str(s.Arn),
GuardrailId: str(s.Id),
Name: str(s.Name),
Description: str(s.Description),
Status: string(s.Status),
Version: str(s.Version),
CreatedAt: t(s.CreatedAt),
UpdatedAt: t(s.UpdatedAt),
}

I don’t think we need a custom struct—let’s stream the API response as-is. The Get API response includes more detail than the List response, so we should expose all top-level properties as table columns. For fields that are only available via Get, add per-column Hydrate functions. For reference, see the aws_bedrock_agent table.

}
}

// LIST: map GuardrailSummary -> bedrockGuardrailRow (ensures Arn/Id are set)

Suggested change
// LIST: map GuardrailSummary -> bedrockGuardrailRow (ensures Arn/Id are set)
//// LIST FUNCTION

Comment on lines +122 to +134
if svc == nil {
return nil, nil
}
if err != nil {
plugin.Logger(ctx).Error("aws_bedrock_guardrail.getBedrockGuardrail", "connection_error", err)
return nil, err
if err != nil {
plugin.Logger(ctx).Error("aws_bedrock_guardrail.getBedrockGuardrail", "connection_error", err)
return nil, err
}
if svc == nil {
return nil, nil
}
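
Review bot: The `svc == nil` check at the top of this range runs before `err` is inspected, and in a get hydrate `nil, nil` reads as "guardrail not found", so a connection failure would surface as an empty result rather than an error. Test `err` first, keep one `svc == nil` check after it, and drop the repeated copy, whose first `if err != nil {` is never closed.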

Could you please remove the duplicated code block?

return nil, err
}

row := bedrockGuardrailRow{

I don't think this is required anymore.

return nil, err
}

p := bedrock.NewListGuardrailsPaginator(svc, &bedrock.ListGuardrailsInput{})

Could you set the input parameter MaxResults to 1000 by default, and also honor a user-specified limit in the query parameters? For reference, see https://github.com/turbot/steampipe-plugin-aws/blob/main/aws/table_aws_appsync_api.go#L117-L135.
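
The paging behaviour requested in the comment above, as an added example that is not the plugin's code: a default page size of 1000, lowered to the query's LIMIT when that is smaller, with an early exit once enough rows have been streamed. `summary`, `listInput`, `fakeList`, `pageSize` and `listAll` are constructed stand-ins, not AWS SDK or Steampipe SDK names.

```go
package main

import "fmt"

// Constructed stand-ins for illustration; not AWS SDK or Steampipe SDK types.
type summary struct{ ID string }
type listInput struct {
	MaxResults int32
	NextToken  int // offset into the fake store
}

// fakeList mimics one paginated list call against an in-memory store.
func fakeList(store []summary, in listInput) (page []summary, next int, more bool) {
	end := in.NextToken + int(in.MaxResults)
	if end >= len(store) {
		return store[in.NextToken:], 0, false
	}
	return store[in.NextToken:end], end, true
}

// pageSize is 1000 by default, lowered to the query LIMIT when that is smaller.
func pageSize(limit *int64) int32 {
	if limit != nil && *limit > 0 && *limit < 1000 {
		return int32(*limit)
	}
	return 1000
}

// listAll streams rows until the store is exhausted or LIMIT rows are emitted; calls counts list requests.
func listAll(store []summary, limit *int64) (rows []summary, calls int) {
	in := listInput{MaxResults: pageSize(limit)}
	for more := true; more; {
		var page []summary
		page, in.NextToken, more = fakeList(store, in)
		calls++
		for _, s := range page {
			rows = append(rows, s)
			if limit != nil && *limit > 0 && int64(len(rows)) >= *limit {
				return rows, calls
			}
		}
	}
	return rows, calls
}

func main() {
	five := int64(5)
	rows, calls := listAll(make([]summary, 2500), &five) // constructed sample data
	fmt.Println(len(rows), calls)                        // 5 rows from 1 call
}
```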

Comment on lines +57 to +62
{Name: "created_at", Type: proto.ColumnType_TIMESTAMP, Transform: transform.FromField("CreatedAt")},
{Name: "updated_at", Type: proto.ColumnType_TIMESTAMP, Transform: transform.FromField("UpdatedAt")},

// steampipe standard
{Name: "title", Type: proto.ColumnType_STRING, Transform: transform.FromField("Name")},
{Name: "akas", Type: proto.ColumnType_JSON, Transform: transform.FromField("Arn").Transform(transform.EnsureStringArray)},

Please add the missing description.

Columns: awsRegionalColumns([]*plugin.Column{
// identifiers
{Name: "arn", Type: proto.ColumnType_STRING, Description: "ARN of the guardrail.", Transform: transform.FromField("Arn")},
{Name: "guardrail_id", Type: proto.ColumnType_STRING, Description: "ID of the guardrail.", Transform: transform.FromField("GuardrailId")},

Suggested change
{Name: "guardrail_id", Type: proto.ColumnType_STRING, Description: "ID of the guardrail.", Transform: transform.FromField("GuardrailId")},
{Name: "id", Type: proto.ColumnType_STRING, Description: "The unique identifier of the guardrail."},

@ParthaI ParthaI added the aws AWS plugin issues label Aug 21, 2025
@misraved misraved added the community-contribution Pull requests for plugins contributed by the community label Sep 2, 2025
@ParthaI

ParthaI commented Sep 4, 2025

Hello @SatoriSec, just checking -- did you get a chance to take a look at the above comment?

@SatoriSec

SatoriSec commented Sep 4, 2025 via email

@misraved misraved changed the base branch from main to add-bedrock-guardrail October 28, 2025 05:37
@misraved misraved merged commit 4472269 into turbot:add-bedrock-guardrail Oct 28, 2025
1 check failed