feat: migrate workflow-plugin-aws to strict gRPC proto contracts

.github/workflows/ci.yml

@@ -29,3 +29,19 @@ jobs:
 
       - name: Vet
         run: go vet ./...
+
+  wfctl-strict-contracts:
+    name: Strict Contract Validation
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Validate strict plugin contracts
+        run: go run github.com/GoCodeAlone/workflow/cmd/wfctl@v0.20.1 plugin validate --file plugin.json --strict-contracts

.goreleaser.yaml

@@ -6,6 +6,7 @@ before:
   hooks:
     - go mod tidy
     - "sed -i.bak 's/\"version\": \".*\"/\"version\": \"{{ .Version }}\"/' plugin.json && rm -f plugin.json.bak"
+    - "sed -E -i.bak 's|releases/download/v[0-9]+\\.[0-9]+\\.[0-9]+/workflow-plugin-aws_[0-9]+\\.[0-9]+\\.[0-9]+_|releases/download/v{{ .Version }}/workflow-plugin-aws_{{ .Version }}_|g' plugin.json && rm -f plugin.json.bak"
 
 builds:
   - id: workflow-plugin-aws
@@ -28,6 +29,7 @@ archives:
     name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
     files:
       - plugin.json
+      - plugin.contracts.json
       - LICENSE
 
 checksum:

drivers/acm.go

@@ -21,6 +21,7 @@ type ACMClient interface {
 
 // ACMDriver manages ACM certificates (infra.certificate).
 type ACMDriver struct {
+	noSensitiveKeys
 	client ACMClient
 }
 

drivers/alb.go

@@ -21,6 +21,7 @@ type ELBv2Client interface {
 
 // ALBDriver manages Application/Network Load Balancers (infra.load_balancer).
 type ALBDriver struct {
+	noSensitiveKeys
 	client ELBv2Client
 }
 

drivers/apigateway.go

@@ -22,6 +22,7 @@ type APIGatewayClient interface {
 
 // APIGatewayDriver manages API Gateway v2 APIs (infra.api_gateway).
 type APIGatewayDriver struct {
+	noSensitiveKeys
 	client APIGatewayClient
 }
 

drivers/ecr.go

@@ -21,6 +21,7 @@ type ECRClient interface {
 
 // ECRDriver manages ECR repositories (infra.registry).
 type ECRDriver struct {
+	noSensitiveKeys
 	client ECRClient
 }
 

drivers/ecs.go

@@ -23,6 +23,7 @@ type ECSClient interface {
 
 // ECSDriver manages ECS Fargate services (infra.container_service).
 type ECSDriver struct {
+	noSensitiveKeys
 	client  ECSClient
 	cluster string
 }

drivers/eks.go

@@ -21,6 +21,7 @@ type EKSClient interface {
 
 // EKSDriver manages EKS clusters (infra.k8s_cluster).
 type EKSDriver struct {
+	noSensitiveKeys
 	client EKSClient
 }
 

drivers/elasticache.go

@@ -21,6 +21,7 @@ type ElastiCacheClient interface {
 
 // ElastiCacheDriver manages ElastiCache replication groups (infra.cache).
 type ElastiCacheDriver struct {
+	noSensitiveKeys
 	client ElastiCacheClient
 }
 

drivers/helpers.go

@@ -6,6 +6,12 @@ import (
 	"github.com/GoCodeAlone/workflow/interfaces"
 )
 
+// noSensitiveKeys is a zero-size mixin that satisfies the SensitiveKeys method
+// of interfaces.ResourceDriver for drivers that have no sensitive output keys.
+type noSensitiveKeys struct{}
+
+func (noSensitiveKeys) SensitiveKeys() []string { return nil }
+
 // strPtr returns a pointer to the given string.
 func strPtr(s string) *string { return &s }
 

drivers/iam.go

@@ -24,6 +24,7 @@ type IAMClient interface {
 
 // IAMDriver manages IAM roles and policies (infra.iam_role).
 type IAMDriver struct {
+	noSensitiveKeys
 	client IAMClient
 }
 

drivers/rds.go

@@ -21,6 +21,7 @@ type RDSClient interface {
 
 // RDSDriver manages RDS database instances (infra.database).
 type RDSDriver struct {
+	noSensitiveKeys
 	client RDSClient
 }
 

drivers/route53.go

@@ -22,6 +22,7 @@ type Route53Client interface {
 
 // Route53Driver manages Route53 hosted zones (infra.dns).
 type Route53Driver struct {
+	noSensitiveKeys
 	client Route53Client
 }
 

drivers/s3.go

@@ -23,6 +23,7 @@ type S3Client interface {
 
 // S3Driver manages S3 buckets (infra.storage).
 type S3Driver struct {
+	noSensitiveKeys
 	client S3Client
 	region string
 }

drivers/sg.go

@@ -23,6 +23,7 @@ type SGClient interface {
 
 // SecurityGroupDriver manages EC2 security groups (infra.firewall).
 type SecurityGroupDriver struct {
+	noSensitiveKeys
 	client SGClient
 }
 

drivers/vpc.go

@@ -21,6 +21,7 @@ type VPCClient interface {
 
 // VPCDriver manages AWS VPC resources (infra.vpc).
 type VPCDriver struct {
+	noSensitiveKeys
 	client VPCClient
 }
 

go.mod

@@ -20,6 +20,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/rds v1.115.0
 	github.com/aws/aws-sdk-go-v2/service/route53 v1.62.5
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.97.2
+	google.golang.org/protobuf v1.36.11
 )
 
 require (
@@ -226,7 +227,6 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20260406210006-6f92a3bedf2d // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d // indirect
 	google.golang.org/grpc v1.80.0 // indirect
-	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	modernc.org/libc v1.70.0 // indirect
 	modernc.org/mathutil v1.7.1 // indirect

internal/contracts/aws.proto

@@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package workflow.plugins.aws.v1;
+
+option go_package = "github.com/GoCodeAlone/workflow-plugin-aws/internal/contracts;contracts";
+
+// AWSProviderConfig is the typed configuration for the iac.provider module
+// provided by workflow-plugin-aws. All fields correspond to the map keys
+// accepted by the legacy Initialize(ctx, map[string]any) path.
+message AWSProviderConfig {
+  // region is the AWS region (default: us-east-1).
+  string region = 1;
+  // access_key_id is the AWS access key ID for static credentials.
+  string access_key_id = 2;
+  // secret_access_key is the AWS secret access key for static credentials.
+  string secret_access_key = 3;
+  // ecs_cluster is the default ECS cluster name used by the ECS driver.
+  string ecs_cluster = 4;
+}