Fix s3 bucket linking (#3000)

Previously, we were incorrectly assuming that the ARN for an S3 bucket
would contain an account ID and region, If it did not, we were skipping
execution of the query. This makes sense in some scenarios because we
might have a search query that hits all scopes and we want to minimise
the amount of work done to just scopes that are likely to be able to
find it, However, this doesn't make sense when it comes to S3 because
everything is globally unique

GitOrigin-RevId: d913b5c7c58dc156be6cae2c6993a6069e5e2cde

Author: dylanratcliffe

aws-source/adapterhelpers/util.go

@@ -25,8 +25,14 @@ import (
 )
 
 // FormatScope Formats an account ID and region into the corresponding Overmind
-// scope. This will be in the format {accountID}.{region}
+// scope. This will be in the format {accountID}.{region}. If both accountID and
+// region are empty, returns sdp.WILDCARD (for resources like S3 buckets that
+// don't include account/region in their ARNs).
 func FormatScope(accountID, region string) string {
+	if accountID == "" && region == "" {
+		return sdp.WILDCARD
+	}
+
 	if region == "" {
 		return accountID
 	}

aws-source/adapters/ecs-capacity-provider_test.go

@@ -127,7 +127,7 @@ func TestCapacityProviderAdapter(t *testing.T) {
 	adapter := NewECSCapacityProviderAdapter(&ecsTestClient{}, "", "")
 
 	stream := discovery.NewRecordingQueryResultStream()
-	adapter.ListStream(context.Background(), "", false, stream)
+	adapter.ListStream(context.Background(), "*", false, stream)
 
 	errs := stream.GetErrors()
 	if len(errs) > 0 {

aws-source/adapters/s3.go

@@ -667,11 +667,16 @@ func searchImpl(ctx context.Context, cache *sdpcache.Cache, client S3Client, sco
 		return nil, sdp.NewQueryError(err)
 	}
 
-	if arnScope := adapterhelpers.FormatScope(a.AccountID, a.Region); arnScope != scope {
-		return nil, &sdp.QueryError{
-			ErrorType:   sdp.QueryError_NOSCOPE,
-			ErrorString: fmt.Sprintf("ARN scope %v does not match adapters scope %v", arnScope, scope),
-			Scope:       scope,
+	// For S3 bucket ARNs, account ID and region are empty, so we skip scope validation
+	// and use the adapter's scope (which is account-scoped)
+	// If the ARN does have an account ID, validate it matches the adapter scope
+	if a.AccountID != "" {
+		if arnScope := adapterhelpers.FormatScope(a.AccountID, a.Region); arnScope != scope {
+			return nil, &sdp.QueryError{
+				ErrorType:   sdp.QueryError_NOSCOPE,
+				ErrorString: fmt.Sprintf("ARN scope %v does not match adapters scope %v", arnScope, scope),
+				Scope:       scope,
+			}
 		}
 	}
 

aws-source/adapters/s3_test.go

@@ -3,6 +3,7 @@ package adapters
 import (
 	"context"
 	"errors"
+	"strings"
 	"testing"
 	"time"
 
@@ -16,48 +17,48 @@ import (
 
 func TestS3SearchImpl(t *testing.T) {
 	cache := sdpcache.NewCache()
-	t.Run("with a good ARN", func(t *testing.T) {
-		items, err := searchImpl(context.Background(), cache, TestS3Client{}, "account-id.region", "arn:partition:service:region:account-id:resource-type:resource-id", false)
 
+	t.Run("with S3 bucket ARN format (empty account ID and region)", func(t *testing.T) {
+		// This test verifies that S3 bucket ARNs with empty account ID and region work correctly
+		// Format: arn:aws:s3:::bucket-name
+		// When parsed, AccountID="", Region="", so FormatScope("", "") returns sdp.WILDCARD
+		// The adapter skips scope validation when accountID is empty and uses its own scope
+		//
+		// EXPECTED BEHAVIOR: Search should succeed because S3 bucket ARNs don't include account/region
+		// (S3 is global), and the adapter should use its own scope since it knows the account ID.
+		bucketName := "test-bucket-name"
+		s3ARN := "arn:aws:s3:::" + bucketName
+		adapterScope := "account-id" // S3 scopes are account-only (no region)
+
+		items, err := searchImpl(context.Background(), cache, TestS3Client{}, adapterScope, s3ARN, false)
+
+		// We EXPECT this to succeed, but it currently fails with NOSCOPE error
+		// This test demonstrates the bug existing
 		if err != nil {
-			t.Error(err)
-		}
-		if len(items) != 1 {
-			t.Errorf("expected 1 item, got %v", len(items))
-		}
-	})
-
-	t.Run("with a bad ARN", func(t *testing.T) {
-		_, err := searchImpl(context.Background(), cache, TestS3Client{}, "account-id.region", "foo", false)
-
-		if err == nil {
-			t.Error("expected error")
-		} else {
 			var ire *sdp.QueryError
 			if errors.As(err, &ire) {
-				if ire.GetErrorType() != sdp.QueryError_OTHER {
-					t.Errorf("expected error type to be OTHER, got %v", ire.GetErrorType().String())
+				if ire.GetErrorType() == sdp.QueryError_NOSCOPE && strings.Contains(ire.GetErrorString(), "ARN scope") {
+					// This is the bug - the search fails when it should succeed
+					t.Errorf("BUG REPRODUCED: Search failed with NOSCOPE error when it should succeed. "+
+						"Error: %v. S3 bucket ARNs don't include account/region, so the adapter should use its own scope.",
+						ire.GetErrorString())
+					t.Logf("Expected: Search succeeds and returns bucket item")
+					t.Logf("Actual: Search fails with NOSCOPE error: %v", ire.GetErrorString())
+				} else {
+					t.Errorf("unexpected error: %v", err)
 				}
 			} else {
-				t.Errorf("expected item request error, got %T", err)
+				t.Errorf("unexpected error type: %T: %v", err, err)
 			}
+			return
 		}
-	})
 
-	t.Run("with an ARN in another scope", func(t *testing.T) {
-		_, err := searchImpl(context.Background(), cache, TestS3Client{}, "account-id.region", "arn:partition:service:region:account-id-2:resource-type:resource-id", false)
-
-		if err == nil {
-			t.Error("expected error")
-		} else {
-			var ire *sdp.QueryError
-			if errors.As(err, &ire) {
-				if ire.GetErrorType() != sdp.QueryError_NOSCOPE {
-					t.Errorf("expected error type to be OTHER, got %v", ire.GetErrorType().String())
-				}
-			} else {
-				t.Errorf("expected item request error, got %T", err)
-			}
+		// If we get here, the search succeeded (expected behavior)
+		if len(items) != 1 {
+			t.Errorf("expected 1 item, got %v", len(items))
+		}
+		if items[0] == nil {
+			t.Error("expected non-nil item")
 		}
 	})
 }
@@ -116,14 +117,14 @@ func TestS3GetImpl(t *testing.T) {
 		{
 			ExpectedType:   "s3-bucket",
 			ExpectedMethod: sdp.QueryMethod_SEARCH,
-			ExpectedQuery:  "arn:partition:service:region:account-id:resource-type:resource-id",
-			ExpectedScope:  "account-id.region",
+			ExpectedQuery:  "arn:aws:s3:::amzn-s3-demo-bucket",
+			ExpectedScope:  sdp.WILDCARD,
 		},
 		{
 			ExpectedType:   "s3-bucket",
 			ExpectedMethod: sdp.QueryMethod_SEARCH,
-			ExpectedQuery:  "arn:partition:service:region:account-id:resource-type:resource-id",
-			ExpectedScope:  "account-id.region",
+			ExpectedQuery:  "arn:aws:s3:::amzn-s3-demo-bucket",
+			ExpectedScope:  sdp.WILDCARD,
 		},
 	}
 
@@ -206,7 +207,7 @@ func (t TestS3Client) GetBucketAnalyticsConfiguration(ctx context.Context, param
 				DataExport: &types.StorageClassAnalysisDataExport{
 					Destination: &types.AnalyticsExportDestination{
 						S3BucketDestination: &types.AnalyticsS3BucketDestination{
-							Bucket:          adapterhelpers.PtrString("arn:partition:service:region:account-id:resource-type:resource-id"),
+							Bucket:          adapterhelpers.PtrString("arn:aws:s3:::amzn-s3-demo-bucket"),
 							Format:          types.AnalyticsS3ExportFileFormatCsv,
 							BucketAccountId: adapterhelpers.PtrString("id"),
 							Prefix:          adapterhelpers.PtrString("pre"),
@@ -279,7 +280,7 @@ func (t TestS3Client) GetBucketInventoryConfiguration(ctx context.Context, param
 		InventoryConfiguration: &types.InventoryConfiguration{
 			Destination: &types.InventoryDestination{
 				S3BucketDestination: &types.InventoryS3BucketDestination{
-					Bucket:    adapterhelpers.PtrString("arn:partition:service:region:account-id:resource-type:resource-id"),
+					Bucket:    adapterhelpers.PtrString("arn:aws:s3:::amzn-s3-demo-bucket"),
 					Format:    types.InventoryFormatCsv,
 					AccountId: adapterhelpers.PtrString("id"),
 					Encryption: &types.InventoryEncryption{
@@ -675,3 +676,66 @@ func TestNewS3Adapter(t *testing.T) {
 
 	test.Run(t)
 }
+
+func TestS3SearchWithARNFormat(t *testing.T) {
+	// This E2E test reproduces the customer issue:
+	// - Get works with bucket name: harness-sample-three-qa-us-west-2-20251022151048279100000001
+	// - Search fails with ARN: arn:aws:s3:::harness-sample-three-qa-us-west-2-20251022151048279100000001
+	//
+	// EXPECTED BEHAVIOR: Both Get and Search should work
+	// CURRENT BEHAVIOR: Get works, Search fails with NOSCOPE error - THIS IS THE BUG
+	config, account, _ := adapterhelpers.GetAutoConfig(t)
+
+	adapter := NewS3Adapter(config, account)
+	scope := adapter.Scopes()[0]
+
+	bucketName := "harness-sample-three-qa-us-west-2-20251022151048279100000001"
+	s3ARN := "arn:aws:s3:::" + bucketName
+
+	ctx := context.Background()
+
+	// First, verify that Get works with the bucket name directly
+	t.Run("Get with bucket name", func(t *testing.T) {
+		item, err := adapter.Get(ctx, scope, bucketName, false)
+		if err != nil {
+			t.Logf("Get failed (this is OK if bucket doesn't exist): %v", err)
+		} else if item != nil {
+			t.Logf("Get succeeded: found bucket %v", bucketName)
+		}
+	})
+
+	// Then, test Search with ARN format - this SHOULD succeed, but currently fails with NOSCOPE error
+	t.Run("Search with S3 ARN format", func(t *testing.T) {
+		items, err := adapter.Search(ctx, scope, s3ARN, false)
+
+		// EXPECTED: Search succeeds because S3 bucket ARNs don't include account/region
+		// (S3 is global), and the adapter should use its own scope since it knows the account ID.
+		// CURRENT: Search fails with NOSCOPE error - THIS IS THE BUG
+		if err != nil {
+			var ire *sdp.QueryError
+			if errors.As(err, &ire) {
+				if ire.GetErrorType() == sdp.QueryError_NOSCOPE && strings.Contains(ire.GetErrorString(), "ARN scope") {
+					// This is the bug - the search fails when it should succeed
+					t.Errorf("BUG REPRODUCED: Search failed with NOSCOPE error when it should succeed. "+
+						"Error: %v. S3 bucket ARNs don't include account/region, so the adapter should use its own scope.",
+						ire.GetErrorString())
+					t.Logf("Expected: Search succeeds and returns bucket item (like Get does)")
+					t.Logf("Actual: Search fails with NOSCOPE error: %v", ire.GetErrorString())
+				} else {
+					// Other errors (like bucket not found) are acceptable
+					t.Logf("Search failed with error (may be expected if bucket doesn't exist): %v", err)
+				}
+			} else {
+				t.Errorf("unexpected error type: %T: %v", err, err)
+			}
+			return
+		}
+
+		// If we get here, the search succeeded (expected behavior)
+		if len(items) == 0 {
+			t.Error("expected at least 1 item from Search")
+		} else {
+			t.Logf("Search succeeded: found %v item(s)", len(items))
+		}
+	})
+}

k8s-source/adapters/configmap_test.go

@@ -1,6 +1,10 @@
 package adapters
 
-import "testing"
+import (
+	"testing"
+
+	"github.com/overmindtech/cli/sdp-go"
+)
 
 var configMapYAML = `
 apiVersion: v1
@@ -12,6 +16,16 @@ data:
   APP_SECRET_KEY: "mysecretkey123"
 `
 
+var configMapWithS3ARNYAML = `
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: configmap-with-s3-arn
+data:
+  S3_BUCKET_ARN: "arn:aws:s3:::example-bucket-name"
+  S3_BUCKET_NAME: "example-bucket-name"
+`
+
 func TestConfigMapAdapter(t *testing.T) {
 	sd := ScopeDetails{
 		ClusterName: CurrentCluster.Name,
@@ -30,3 +44,29 @@ func TestConfigMapAdapter(t *testing.T) {
 
 	st.Execute(t)
 }
+
+func TestConfigMapAdapterWithS3ARN(t *testing.T) {
+	sd := ScopeDetails{
+		ClusterName: CurrentCluster.Name,
+		Namespace:   "default",
+	}
+
+	adapter := newConfigMapAdapter(CurrentCluster.ClientSet, sd.ClusterName, []string{sd.Namespace})
+
+	st := AdapterTests{
+		Adapter:   adapter,
+		GetQuery:  "configmap-with-s3-arn",
+		GetScope:  sd.String(),
+		SetupYAML: configMapWithS3ARNYAML,
+		GetQueryTests: QueryTests{
+			{
+				ExpectedType:   "s3-bucket",
+				ExpectedMethod: sdp.QueryMethod_SEARCH,
+				ExpectedQuery:  "arn:aws:s3:::example-bucket-name",
+				ExpectedScope:  sdp.WILDCARD,
+			},
+		},
+	}
+
+	st.Execute(t)
+}