Comprehensive audit found 40+ naming inconsistencies across resource types, config keys, and YAML tags. Good candidate to fix as part of v1.0.0 since these are breaking changes.
Target conventions:
- Resource types:
kebab-case (e.g., iam-role, ecs-cluster)
- Config keys (Go field + YAML tag):
PascalCase with uppercase acronyms (e.g., IAMRoles, SESIdentity)
1. Critical bugs
| Resource Type |
Config Key |
Issue |
ec2-dhcp-option |
EC2DedicatedHosts |
Reuses another resource's config key. A dedicated EC2DHCPOption field exists in config.go but is unused — users setting it get silently ignored |
elasticcache-serverless |
ElasticCacheServerless |
Typo: double c in resource type. Should be elasticache-serverless |
2. Resource types not in kebab-case (concatenated words)
| Current |
Proposed |
File |
accessanalyzer |
access-analyzer |
access_analyzer.go |
apigateway |
api-gateway |
apigateway.go |
apigatewayv2 |
api-gateway-v2 |
apigatewayv2.go |
ecscluster |
ecs-cluster |
ecs_cluster.go |
ekscluster |
eks-cluster |
eks.go |
guardduty |
guard-duty |
guardduty.go |
kmscustomerkeys |
kms-customer-key |
kms_customer_key.go |
oidcprovider |
oidc-provider |
oidc_provider.go |
opensearchdomain |
opensearch-domain |
opensearch.go |
secretsmanager |
secrets-manager |
secrets_manager.go |
snstopic |
sns-topic |
sns.go |
3. Resource types using camelCase or underscores
| Current |
Proposed |
File |
elasticacheParameterGroups |
elasticache-parameter-group |
elasticache_parameter_group.go |
elasticacheSubnetGroups |
elasticache-subnet-group |
elasticache_subnet_group.go |
lambda_layer |
lambda-layer |
lambda_layer.go |
4. Cryptic / abbreviated resource types
| Current |
Proposed |
Rationale |
lc |
launch-configuration |
Matches config key LaunchConfiguration |
lt |
launch-template |
Matches config key LaunchTemplate |
snap |
ebs-snapshot |
Matches what it actually is; snap is ambiguous |
ecsserv |
ecs-service |
Matches config key ECSService |
sagemaker-notebook-smni |
sagemaker-notebook-instance |
smni is a redundant abbreviation |
s3-ap |
s3-access-point |
Matches config key S3AccessPoint |
s3-olap |
s3-object-lambda-access-point |
Matches config key S3ObjectLambdaAccessPoint |
s3-mrap |
s3-multi-region-access-point |
Matches config key S3MultiRegionAccessPoint |
5. YAML tag casing — acronyms should be uppercase
| Go Field |
Current YAML Tag |
Proposed YAML Tag |
S3 |
s3 |
S3 |
SESIdentity |
SesIdentity |
SESIdentity |
SESConfigurationSet |
SesConfigurationset |
SESConfigurationSet |
SESReceiptRuleSet |
SesReceiptRuleSet |
SESReceiptRuleSet |
SESReceiptFilter |
SesReceiptFilter |
SESReceiptFilter |
SESEmailTemplates |
SesEmailTemplates |
SESEmailTemplates |
EC2DHCPOption |
EC2DhcpOption |
EC2DHCPOption |
6. Config field casing — acronyms & brand names
| Current Field / YAML |
Proposed |
Rationale |
Cloudfront* |
CloudFront* |
AWS branding is "CloudFront" |
Cloudtrail* |
CloudTrail* |
AWS branding is "CloudTrail" |
NatGateway |
NATGateway |
AWS branding is "NAT gateway" |
Elasticache |
ElastiCache |
AWS branding is "ElastiCache" |
ElasticacheParameterGroups |
ElastiCacheParameterGroup |
Fix casing + drop trailing s for consistency |
ElasticacheSubnetGroups |
ElastiCacheSubnetGroup |
Fix casing + drop trailing s for consistency |
ElasticCacheServerless |
ElastiCacheServerless |
Fix casing to match AWS branding |
RdsParameterGroup |
RDSParameterGroup |
RDS is an acronym |
RdsProxy |
RDSProxy |
RDS is an acronym |
RdsSnapshot |
RDSSnapshot |
RDS is an acronym |
TransitGatewaysVpcAttachment |
TransitGatewayVPCAttachment |
Remove spurious plural + uppercase VPC |
7. Redundant / mismatched config names
| Field |
YAML Tag |
Issue |
Proposed |
SecretsManagerSecrets |
SecretsManager |
Go field has redundant "Secrets" suffix; YAML tag doesn't match field |
SecretsManager / SecretsManager |
8. Overly generic resource types
| Current |
Proposed |
Rationale |
iam |
iam-user |
Too generic — siblings are iam-group, iam-role, iam-policy |
rds |
rds-instance |
Too generic — siblings are rds-cluster, rds-proxy, rds-snapshot |
9. Code typo
| Location |
Current |
Proposed |
config/config.go:256 |
AWSProtectectableResourceType |
AWSProtectableResourceType |
10. Config field declared but unused at runtime
| Field |
Issue |
EC2DHCPOption |
Exists in config.go but ec2-dhcp-option resource reads EC2DedicatedHosts instead (see #1) |
Preventing regressions
Add a Go test that iterates all registered resources and asserts:
- Resource types match
^[a-z][a-z0-9]*(-[a-z0-9]+)*$ (strict kebab-case)
- Config YAML tags match
^[A-Z][A-Za-z0-9]*$ (PascalCase, no lowercase-starting acronyms)
- Every resource's
ConfigGetter returns a unique config field (no two resources sharing one)
- Every config field in the struct is referenced by exactly one resource
Alternatively, derive config keys automatically from resource types to eliminate ad-hoc mappings entirely.
