arnmatch 2026.1.0__tar.gz → 2026.1.2__tar.gz

{arnmatch-2026.1.0 → arnmatch-2026.1.2}/CLAUDE.md

@@ -32,28 +32,30 @@ uv run arnmatch <arn>
 ### Core Library (`src/arnmatch/`)
 
 - `__init__.py` - Main module with `arnmatch(arn)` function and `ARN` dataclass
-- `arn_patterns.py` - Generated file containing compiled regex patterns indexed by service
+- `arn_patterns.py` - Generated file containing compiled regex patterns indexed by service and AWS SDK services mapping
 
-The `arnmatch()` function splits the ARN, looks up patterns by service, and returns an `ARN` with partition, service, region, account, resource_type, and captured groups. The `resource_id` and `resource_name` properties use heuristics (prefer groups ending in "Id" or "Name").
+The `arnmatch()` function splits the ARN, looks up patterns by service, and returns an `ARN` with partition, service, region, account, resource_type, and captured groups. The `resource_id` and `resource_name` properties use heuristics (prefer groups ending in "Id" or "Name"). The `aws_sdk_services` property returns boto3 client names for the service.
 
 ### Code Generation (`codegen/`)
 
 - `scraper.py` - Scrapes AWS service authorization reference pages, caches results with joblib
 - `codegen.py` - Processes resources and generates `arn_patterns.py`
+- `index_sdk.py` - Maps ARN service names to AWS SDK (boto3) client names
 
-Data flow: AWS docs → `scraper.py` → raw resources → `codegen.py` → `codegen/build/arn_patterns.py` → (copied by `make build`) → `src/arnmatch/arn_patterns.py`
+Data flow: AWS docs → `scraper.py` → raw resources → `codegen.py` + `index_sdk.py` → `codegen/build/arn_patterns.py` → (copied by `make build`) → `src/arnmatch/arn_patterns.py`
 
 ### Key Design Decisions
 
 1. **Pattern ordering**: Patterns sorted by specificity (more literal segments first) for correct matching
 2. **Service index**: O(1) lookup by service before pattern matching
 3. **Overrides in codegen.py**: `PATTERN_OVERRIDES` fixes AWS docs that use wildcards instead of capture groups; `PATTERN_INCLUDES` adds patterns not in docs (EKS k8s resources, Inspector legacy)
-4. **Zero runtime dependencies**: Only codegen has external deps (requests, beautifulsoup4, joblib)
+4. **SDK service mapping**: `index_sdk.py` maps ARN service names to boto3 client names using botocore metadata (signingName/endpointPrefix), with manual overrides for edge cases and excludes for discontinued/console-only services
+5. **Zero runtime dependencies**: Only codegen has external deps (requests, beautifulsoup4, joblib, boto3)
 
 ## Build Notes
 
 - Uses `uv` for package management (not pip)
 - Build system is hatchling with dynamic version from `src/arnmatch/__init__.py`
-- **Versioning**: CalVer format `YYYY.MM.MICRO` (e.g., `2026.01.0`)
+- **Versioning**: CalVer format `YYYY.0M.MICRO` (e.g., `2026.01.0`)
 - Always run `make build` before publishing to ensure patterns are current
 - Scraper cache lives in `.cache/` - delete if AWS docs change significantly

{arnmatch-2026.1.0 → arnmatch-2026.1.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: arnmatch
-Version: 2026.1.0
+Version: 2026.1.2
 Summary: Parse AWS ARNs into structured data (2000+ resource types)
 Author-email: Andrey Gubarev <andrey@andreygubarev.com>
 Requires-Python: >=3.10
@@ -37,6 +37,7 @@ pip install arnmatch
 ```bash
 $ uvx arnmatch "arn:aws:lambda:us-east-1:123456789012:function:my-function"
 aws_service: lambda
+aws_sdk_services: lambda
 aws_region: us-east-1
 aws_account: 123456789012
 resource_type: function
@@ -52,13 +53,14 @@ from arnmatch import arnmatch
 arn = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
 result = arnmatch(arn)
 
-print(result.aws_service)    # lambda
-print(result.aws_region)     # us-east-1
-print(result.aws_account)    # 123456789012
-print(result.resource_type)  # function
-print(result.resource_id)    # my-function
-print(result.resource_name)  # my-function
-print(result.attributes)     # {'Partition': 'aws', 'Region': 'us-east-1', ...}
+print(result.aws_service)      # lambda
+print(result.aws_sdk_services) # ['lambda']
+print(result.aws_region)       # us-east-1
+print(result.aws_account)      # 123456789012
+print(result.resource_type)    # function
+print(result.resource_id)      # my-function
+print(result.resource_name)    # my-function
+print(result.attributes)       # {'Partition': 'aws', 'Region': 'us-east-1', ...}
 ```
 
 ## API Reference
@@ -89,6 +91,7 @@ Properties:
 |----------|-------------|
 | `resource_id` | Resource identifier (prefers groups ending in `Id`, falls back to `Name`, then last group) |
 | `resource_name` | Resource name (prefers groups ending in `Name`, falls back to `resource_id`) |
+| `aws_sdk_services` | List of boto3 client names for this service (e.g., `['elb', 'elbv2']` for elasticloadbalancing) |
 
 ### `ARNError`
 
@@ -96,7 +99,7 @@ Exception raised when ARN parsing fails. Inherits from `ValueError`.
 
 ## Versioning
 
-This project uses [CalVer](https://calver.org/) with format `YYYY.MM.MICRO` (e.g., `2026.01.0`).
+This project uses [CalVer](https://calver.org/) with format `YYYY.0M.MICRO` (e.g., `2026.01.0`).
 
 ## Development
 

{arnmatch-2026.1.0 → arnmatch-2026.1.2}/README.md

@@ -29,6 +29,7 @@ pip install arnmatch
 ```bash
 $ uvx arnmatch "arn:aws:lambda:us-east-1:123456789012:function:my-function"
 aws_service: lambda
+aws_sdk_services: lambda
 aws_region: us-east-1
 aws_account: 123456789012
 resource_type: function
@@ -44,13 +45,14 @@ from arnmatch import arnmatch
 arn = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
 result = arnmatch(arn)
 
-print(result.aws_service)    # lambda
-print(result.aws_region)     # us-east-1
-print(result.aws_account)    # 123456789012
-print(result.resource_type)  # function
-print(result.resource_id)    # my-function
-print(result.resource_name)  # my-function
-print(result.attributes)     # {'Partition': 'aws', 'Region': 'us-east-1', ...}
+print(result.aws_service)      # lambda
+print(result.aws_sdk_services) # ['lambda']
+print(result.aws_region)       # us-east-1
+print(result.aws_account)      # 123456789012
+print(result.resource_type)    # function
+print(result.resource_id)      # my-function
+print(result.resource_name)    # my-function
+print(result.attributes)       # {'Partition': 'aws', 'Region': 'us-east-1', ...}
 ```
 
 ## API Reference
@@ -81,6 +83,7 @@ Properties:
 |----------|-------------|
 | `resource_id` | Resource identifier (prefers groups ending in `Id`, falls back to `Name`, then last group) |
 | `resource_name` | Resource name (prefers groups ending in `Name`, falls back to `resource_id`) |
+| `aws_sdk_services` | List of boto3 client names for this service (e.g., `['elb', 'elbv2']` for elasticloadbalancing) |
 
 ### `ARNError`
 
@@ -88,7 +91,7 @@ Exception raised when ARN parsing fails. Inherits from `ValueError`.
 
 ## Versioning
 
-This project uses [CalVer](https://calver.org/) with format `YYYY.MM.MICRO` (e.g., `2026.01.0`).
+This project uses [CalVer](https://calver.org/) with format `YYYY.0M.MICRO` (e.g., `2026.01.0`).
 
 ## Development
 

{arnmatch-2026.1.0 → arnmatch-2026.1.2}/codegen/codegen.py

@@ -1,6 +1,6 @@
 # /// script
 # requires-python = ">=3.10"
-# dependencies = ["requests", "joblib", "beautifulsoup4"]
+# dependencies = ["requests", "joblib", "beautifulsoup4", "boto3"]
 # ///
 
 import logging
@@ -8,6 +8,7 @@ import re
 from pathlib import Path
 
 from scraper import AWSScraper
+from index_sdk import SDKServiceIndexer
 
 log = logging.getLogger(__name__)
 
@@ -233,8 +234,8 @@ class CodeGenerator:
         ("dms", "ReplicationSubnetGroup"): ["subgrp"],
     }
 
-    def generate(self, resources, output_path):
-        """Generate Python file with ARN patterns."""
+    def generate(self, resources, sdk_services_mapping, output_path):
+        """Generate Python file with ARN patterns and SDK services mapping."""
         # Group by service
         by_service = {}
         for r in resources:
@@ -258,9 +259,17 @@ class CodeGenerator:
                     f.write(f'        (re.compile(r"{regex}"), {type_names!r}),\n')
                 f.write("    ],\n")
 
+            f.write("}\n\n")
+
+            # Write SDK services mapping
+            f.write("# Auto-generated mapping: ARN service -> AWS SDK client names\n")
+            f.write("AWS_SDK_SERVICES = {\n")
+            for arn_svc, clients in sorted(sdk_services_mapping.items()):
+                f.write(f"    {arn_svc!r}: {clients!r},\n")
             f.write("}\n")
 
         log.info(f"Wrote {len(resources)} patterns for {len(by_service)} services to {output_path}")
+        log.info(f"Wrote SDK mapping for {len(sdk_services_mapping)} services")
 
     def pattern_to_regex(self, arn_pattern):
         """Convert ARN pattern to regex with named capture groups."""
@@ -300,14 +309,19 @@ def main():
     for svc in services:
         resources.extend(scraper.get_resources(svc["href"]))
 
-    # Process
+    # Process ARN patterns
     indexer = ARNIndexer()
     resources = indexer.process(resources)
 
+    # Build SDK services mapping
+    arn_services = {r["arn_service"] for r in resources}
+    sdk_indexer = SDKServiceIndexer()
+    sdk_mapping = sdk_indexer.process(arn_services)
+
     # Generate
     BUILD_DIR.mkdir(exist_ok=True)
     generator = CodeGenerator()
-    generator.generate(resources, BUILD_DIR / "arn_patterns.py")
+    generator.generate(resources, sdk_mapping, BUILD_DIR / "arn_patterns.py")
 
 
 if __name__ == "__main__":

arnmatch-2026.1.2/codegen/index_sdk.py

@@ -0,0 +1,194 @@
+# /// script
+# requires-python = ">=3.10"
+# dependencies = ["boto3"]
+# ///
+
+"""Maps ARN service names to AWS SDK (boto3) client names."""
+
+import gzip
+import json
+import os
+from pathlib import Path
+
+
+class SDKServiceIndexer:
+    """Builds mapping from ARN service names to AWS SDK client names."""
+
+    # Phase 3: Manual overrides for services where botocore metadata doesn't match
+    # Format: "arn_service" -> ["sdk_client1", "sdk_client2", ...]
+    OVERRIDES = {
+        # AI DevOps uses aiops client
+        "aidevops": ["aiops"],
+        # AppMesh preview uses appmesh client
+        "appmesh-preview": ["appmesh"],
+        # Service Catalog uses 'catalog' in ARNs but 'servicecatalog' client
+        "catalog": ["servicecatalog"],
+        # CloudWatch uses 'monitoring' as endpointPrefix but 'cloudwatch' in ARNs
+        "cloudwatch": ["cloudwatch"],
+        # Partner Central has multiple sub-clients
+        "partnercentral": [
+            "partnercentral-account",
+            "partnercentral-benefits",
+            "partnercentral-channel",
+            "partnercentral-selling",
+        ],
+        # AWS Private 5G uses privatenetworks client
+        "private-networks": ["privatenetworks"],
+        # RDS IAM auth uses rds client
+        "rds-db": ["rds"],
+        # Route53 recovery services
+        "route53-recovery-control": [
+            "route53-recovery-cluster",
+            "route53-recovery-control-config",
+        ],
+        # S3 variants map to s3 client
+        "s3-object-lambda": ["s3"],
+        "s3express": ["s3"],
+    }
+
+    # Discontinued/EOL services
+    EXCLUDES_DISCONTINUED = {
+        "a4b",  # Alexa for Business
+        "bugbust",  # AWS BugBust
+        "codestar",  # CodeStar
+        "elastic-inference",  # EOL April 2024
+        "elastictranscoder",  # Replaced by MediaConvert
+        "honeycode",  # Honeycode
+        "iotfleethub",  # EOL October 2025
+        "lookoutmetrics",  # Lookout for Metrics
+        "lookoutvision",  # Lookout for Vision
+        "monitron",  # Monitron
+        "nimble",  # Nimble Studio
+        "opsworks",  # OpsWorks Stacks - EOL May 2024
+        "opsworks-cm",  # OpsWorks Chef/Puppet - EOL 2024
+        "qldb",  # QLDB - EOL 2025
+        "robomaker",  # RoboMaker - EOL 2025
+        "worklink",  # WorkLink
+    }
+
+    # Console-only services (no SDK)
+    EXCLUDES_CONSOLE = {
+        "appstudio",  # AWS App Studio
+        "cloudshell",  # AWS CloudShell
+        "consoleapp",  # Console Mobile App
+        "elemental-appliances-software",  # Physical hardware
+        "elemental-support-cases",  # Support tickets
+        "identity-sync",  # Identity sync
+        "iq",  # AWS IQ
+        "iq-permission",  # AWS IQ
+        "mapcredits",  # AWS MAP credits
+        "one",  # Amazon One Enterprise (palm recognition)
+        "payments",  # Billing payments
+        "pricingplanmanager",  # Pricing plans
+        "purchase-orders",  # Billing purchase orders
+        "securityagent",  # AWS Security Agent (preview)
+        "sqlworkbench",  # Redshift Query Editor
+        "ts",  # AWS Diagnostic Tools
+        "vendor-insights",  # Marketplace Vendor Insights
+    }
+
+    # Services using non-boto3 SDK (IDE plugins, CLI, OpenAI SDK, etc.)
+    EXCLUDES_NOSDK = {
+        "apptest",  # AWS Application Testing
+        "bedrock-mantle",  # Uses OpenAI SDK
+        "codewhisperer",  # IDE extension (now Q Developer)
+        "freertos",  # FreeRTOS device SDK
+        "qdeveloper",  # IDE plugins only
+        "transform",  # CLI only
+        "transform-custom",  # CLI only
+    }
+
+    def __init__(self):
+        import botocore
+        self.botocore_data = Path(botocore.__file__).parent / "data"
+
+    def process(self, arn_services):
+        """Build ARN service -> SDK clients mapping."""
+        # Get all boto3 client metadata
+        metadata = self.metadata_load()
+
+        result = {}
+
+        for arn_service in sorted(arn_services):
+            # Phase 3: Check manual overrides first
+            if arn_service in self.OVERRIDES:
+                result[arn_service] = self.OVERRIDES[arn_service]
+                continue
+
+            # Known no-SDK services
+            excludes = self.EXCLUDES_DISCONTINUED | self.EXCLUDES_CONSOLE | self.EXCLUDES_NOSDK
+            if arn_service in excludes:
+                result[arn_service] = []
+                continue
+
+            # Phase 1: Direct name match
+            if arn_service in metadata:
+                result[arn_service] = [arn_service]
+                # Also check for additional clients via metadata
+                additional = self.metadata_match(
+                    arn_service, metadata, exclude={arn_service}
+                )
+                if additional:
+                    result[arn_service].extend(sorted(additional))
+                continue
+
+            # Phase 2: Find via botocore metadata (signingName/endpointPrefix)
+            clients = self.metadata_match(arn_service, metadata)
+            if clients:
+                result[arn_service] = sorted(clients)
+                continue
+
+            # No mapping found
+            raise ValueError(f"No SDK client mapping for ARN service: {arn_service}")
+
+        return result
+
+    def metadata_load(self):
+        """Load metadata for all boto3 clients."""
+        metadata = {}
+
+        for sdk_service in os.listdir(self.botocore_data):
+            client_path = self.botocore_data / sdk_service
+            if not client_path.is_dir():
+                continue
+
+            # Find latest version
+            versions = sorted(
+                [d for d in os.listdir(client_path) if d[0].isdigit()],
+                reverse=True,
+            )
+            if not versions:
+                continue
+
+            # Load service metadata
+            service_file = client_path / versions[0] / "service-2.json.gz"
+            if not service_file.exists():
+                continue
+
+            with gzip.open(service_file) as f:
+                data = json.load(f)
+                metadata[sdk_service] = data.get("metadata", {})
+
+        return metadata
+
+    def metadata_match(self, arn_service, metadata, exclude=None):
+        """Find SDK clients whose signingName or endpointPrefix matches ARN service."""
+        exclude = exclude or set()
+        matches = set()
+
+        for sdk_service, meta in metadata.items():
+            if sdk_service in exclude:
+                continue
+
+            # Check signingName first (more specific)
+            signing_name = meta.get("signingName")
+            if signing_name == arn_service:
+                matches.add(sdk_service)
+                continue
+
+            # Check endpointPrefix (fallback)
+            endpoint_prefix = meta.get("endpointPrefix")
+            if endpoint_prefix == arn_service:
+                matches.add(sdk_service)
+
+        return matches

{arnmatch-2026.1.0 → arnmatch-2026.1.2}/src/arnmatch/__init__.py

@@ -1,12 +1,12 @@
 """ARN pattern matching using regex patterns."""
 
-__version__ = "2026.01.0"
+__version__ = "2026.01.2"
 
 import sys
 from dataclasses import dataclass
 from functools import cached_property
 
-from .arn_patterns import ARN_PATTERNS
+from .arn_patterns import ARN_PATTERNS, AWS_SDK_SERVICES
 
 # Standard groups that are not resource-specific
 STANDARD_GROUPS = {"Partition", "Region", "Account"}
@@ -77,6 +77,17 @@ class ARN:
         # Fall back to resource_id
         return self.resource_id
 
+    @cached_property
+    def aws_sdk_services(self):
+        """Get AWS SDK (boto3) client names for this resource's service.
+
+        Returns list of client names that can interact with this resource type.
+        May return multiple clients for services with versioned APIs
+        (e.g., ['elb', 'elbv2'] for elasticloadbalancing).
+        Returns empty list if no SDK client exists.
+        """
+        return AWS_SDK_SERVICES.get(self.aws_service, [])
+
 
 def arnmatch(arn: str) -> ARN:
     """Match ARN against patterns.
@@ -121,6 +132,7 @@ def main() -> None:
     try:
         result = arnmatch(arn)
         print(f"aws_service: {result.aws_service}")
+        print(f"aws_sdk_services: {','.join(result.aws_sdk_services)}")
         print(f"aws_region: {result.aws_region}")
         print(f"aws_account: {result.aws_account}")
         print(f"resource_type: {result.resource_type}")

{arnmatch-2026.1.0 → arnmatch-2026.1.2}/src/arnmatch/arn_patterns.py

@@ -2414,15 +2414,17 @@ ARN_PATTERNS = {
         (re.compile(r"^arn:(?P<Partition>[\w-]+):security-ir:(?P<Region>[\w-]*):(?P<Account>\d{12}):membership/(?P<MembershipId>.+?)$"), ['membership']),
     ],
     'securityagent': [
-        (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):agent-instance/(?P<AgentId>.+?)/artifact/(?P<ArtifactId>.+?)$"), ['Artifact']),
-        (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):agent-instance/(?P<AgentId>.+?)/finding/(?P<FindingId>.+?)$"), ['Finding']),
-        (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):agent-instance/(?P<AgentId>.+?)/pentest/(?P<PentestId>.+?)$"), ['Pentest']),
-        (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):agent-instance/(?P<AgentId>.+?)/pentest-job/(?P<JobId>.+?)$"), ['PentestJob']),
-        (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):agent-instance/(?P<AgentId>.+?)/pentest-task/(?P<TaskId>.+?)$"), ['PentestTask']),
+        (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):agent-space/(?P<AgentId>.+?)/artifact/(?P<ArtifactId>.+?)$"), ['Artifact']),
+        (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):agent-space/(?P<AgentId>.+?)/finding/(?P<FindingId>.+?)$"), ['Finding']),
+        (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):agent-space/(?P<AgentId>.+?)/pentest/(?P<PentestId>.+?)$"), ['Pentest']),
+        (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):agent-space/(?P<AgentId>.+?)/pentest-job/(?P<JobId>.+?)$"), ['PentestJob']),
+        (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):agent-space/(?P<AgentId>.+?)/pentest-task/(?P<TaskId>.+?)$"), ['PentestTask']),
         (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):agent-instance/(?P<AgentId>.+?)$"), ['AgentInstance']),
+        (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):agent-space/(?P<AgentId>.+?)$"), ['AgentSpace']),
         (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):application/(?P<ApplicationId>.+?)$"), ['Application']),
         (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):control/(?P<ControlId>.+?)$"), ['Control']),
         (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):integration/(?P<IntegrationId>.+?)$"), ['Integration']),
+        (re.compile(r"^arn:(?P<Partition>[\w-]+):securityagent:(?P<Region>[\w-]*):(?P<Account>\d{12}):security-requirement/(?P<SecurityRequirementId>.+?)$"), ['SecurityRequirement']),
     ],
     'securityhub': [
         (re.compile(r"^arn:(?P<Partition>[\w-]+):securityhub:(?P<Region>[\w-]*):(?P<Account>\d{12}):product/(?P<Company>.+?)/(?P<ProductId>.+?)$"), ['product']),
@@ -2794,3 +2796,362 @@ ARN_PATTERNS = {
         (re.compile(r"^arn:(?P<Partition>[\w-]+):xray:(?P<Region>[\w-]*):(?P<Account>\d{12}):sampling-rule/(?P<SamplingRuleName>.+?)$"), ['sampling-rule']),
     ],
 }
+
+# Auto-generated mapping: ARN service -> AWS SDK client names
+AWS_SDK_SERVICES = {
+    'a4b': [],
+    'access-analyzer': ['accessanalyzer'],
+    'account': ['account'],
+    'acm': ['acm'],
+    'acm-pca': ['acm-pca'],
+    'aidevops': ['aiops'],
+    'aiops': ['aiops'],
+    'airflow': ['mwaa'],
+    'airflow-serverless': ['mwaa-serverless'],
+    'amplify': ['amplify'],
+    'amplifybackend': ['amplifybackend'],
+    'amplifyuibuilder': ['amplifyuibuilder'],
+    'aoss': ['opensearchserverless'],
+    'apigateway': ['apigateway', 'apigatewayv2'],
+    'app-integrations': ['appintegrations'],
+    'appconfig': ['appconfig', 'appconfigdata'],
+    'appfabric': ['appfabric'],
+    'appflow': ['appflow'],
+    'application-autoscaling': ['application-autoscaling'],
+    'application-signals': ['application-signals'],
+    'appmesh': ['appmesh'],
+    'appmesh-preview': ['appmesh'],
+    'apprunner': ['apprunner'],
+    'appstream': ['appstream'],
+    'appstudio': [],
+    'appsync': ['appsync'],
+    'apptest': [],
+    'aps': ['amp'],
+    'arc-region-switch': ['arc-region-switch'],
+    'artifact': ['artifact'],
+    'athena': ['athena'],
+    'auditmanager': ['auditmanager'],
+    'autoscaling': ['autoscaling'],
+    'aws-marketplace': ['marketplace-agreement', 'marketplace-catalog', 'marketplace-deployment', 'marketplace-entitlement', 'marketplace-reporting', 'meteringmarketplace'],
+    'b2bi': ['b2bi'],
+    'backup': ['backup'],
+    'backup-gateway': ['backup-gateway'],
+    'backup-search': ['backupsearch'],
+    'batch': ['batch'],
+    'bcm-data-exports': ['bcm-data-exports'],
+    'bcm-pricing-calculator': ['bcm-pricing-calculator'],
+    'bedrock': ['bedrock', 'bedrock-agent', 'bedrock-agent-runtime', 'bedrock-data-automation', 'bedrock-data-automation-runtime', 'bedrock-runtime'],
+    'bedrock-agentcore': ['bedrock-agentcore', 'bedrock-agentcore-control'],
+    'bedrock-mantle': [],
+    'billing': ['billing'],
+    'billingconductor': ['billingconductor'],
+    'braket': ['braket'],
+    'budgets': ['budgets'],
+    'bugbust': [],
+    'cases': ['connectcases'],
+    'cassandra': ['keyspaces', 'keyspacesstreams'],
+    'catalog': ['servicecatalog'],
+    'ce': ['ce'],
+    'chatbot': ['chatbot'],
+    'chime': ['chime', 'chime-sdk-identity', 'chime-sdk-media-pipelines', 'chime-sdk-meetings', 'chime-sdk-messaging', 'chime-sdk-voice'],
+    'cleanrooms': ['cleanrooms'],
+    'cleanrooms-ml': ['cleanroomsml'],
+    'cloud9': ['cloud9'],
+    'clouddirectory': ['clouddirectory'],
+    'cloudformation': ['cloudformation'],
+    'cloudfront': ['cloudfront'],
+    'cloudhsm': ['cloudhsm', 'cloudhsmv2'],
+    'cloudsearch': ['cloudsearch', 'cloudsearchdomain'],
+    'cloudshell': [],
+    'cloudtrail': ['cloudtrail'],
+    'cloudwatch': ['cloudwatch'],
+    'codeartifact': ['codeartifact'],
+    'codebuild': ['codebuild'],
+    'codecatalyst': ['codecatalyst'],
+    'codecommit': ['codecommit'],
+    'codeconnections': ['codeconnections'],
+    'codedeploy': ['codedeploy'],
+    'codeguru-profiler': ['codeguruprofiler'],
+    'codeguru-reviewer': ['codeguru-reviewer'],
+    'codeguru-security': ['codeguru-security'],
+    'codepipeline': ['codepipeline'],
+    'codestar': [],
+    'codestar-connections': ['codestar-connections'],
+    'codestar-notifications': ['codestar-notifications'],
+    'codewhisperer': [],
+    'cognito-identity': ['cognito-identity'],
+    'cognito-idp': ['cognito-idp'],
+    'cognito-sync': ['cognito-sync'],
+    'comprehend': ['comprehend'],
+    'compute-optimizer': ['compute-optimizer'],
+    'config': ['config'],
+    'connect': ['connect', 'connect-contact-lens'],
+    'connect-campaigns': ['connectcampaigns', 'connectcampaignsv2'],
+    'consoleapp': [],
+    'controlcatalog': ['controlcatalog'],
+    'controltower': ['controltower'],
+    'cur': ['cur'],
+    'databrew': ['databrew'],
+    'dataexchange': ['dataexchange'],
+    'datapipeline': ['datapipeline'],
+    'datasync': ['datasync'],
+    'datazone': ['datazone'],
+    'dax': ['dax'],
+    'deadline': ['deadline'],
+    'detective': ['detective'],
+    'devicefarm': ['devicefarm'],
+    'directconnect': ['directconnect'],
+    'dlm': ['dlm'],
+    'dms': ['dms'],
+    'docdb-elastic': ['docdb-elastic'],
+    'drs': ['drs'],
+    'ds': ['ds'],
+    'dsql': ['dsql'],
+    'dynamodb': ['dynamodb', 'dynamodbstreams'],
+    'ec2': ['ec2'],
+    'ecr': ['ecr'],
+    'ecr-public': ['ecr-public'],
+    'ecs': ['ecs'],
+    'eks': ['eks'],
+    'elastic-inference': [],
+    'elasticache': ['elasticache'],
+    'elasticbeanstalk': ['elasticbeanstalk'],
+    'elasticfilesystem': ['efs'],
+    'elasticloadbalancing': ['elb', 'elbv2'],
+    'elasticmapreduce': ['emr'],
+    'elastictranscoder': [],
+    'elemental-appliances-software': [],
+    'elemental-support-cases': [],
+    'emr-containers': ['emr-containers'],
+    'emr-serverless': ['emr-serverless'],
+    'entityresolution': ['entityresolution'],
+    'es': ['es', 'opensearch'],
+    'events': ['events'],
+    'evidently': ['evidently'],
+    'evs': ['evs'],
+    'execute-api': ['apigatewaymanagementapi', 'connectparticipant'],
+    'finspace': ['finspace'],
+    'finspace-api': ['finspace-data'],
+    'firehose': ['firehose'],
+    'fis': ['fis'],
+    'fms': ['fms'],
+    'forecast': ['forecast', 'forecastquery'],
+    'frauddetector': ['frauddetector'],
+    'freertos': [],
+    'fsx': ['fsx'],
+    'gamelift': ['gamelift'],
+    'gameliftstreams': ['gameliftstreams'],
+    'geo': ['location'],
+    'geo-maps': ['geo-maps'],
+    'geo-places': ['geo-places'],
+    'geo-routes': ['geo-routes'],
+    'glacier': ['glacier'],
+    'globalaccelerator': ['globalaccelerator'],
+    'glue': ['glue'],
+    'grafana': ['grafana'],
+    'greengrass': ['greengrass', 'greengrassv2'],
+    'groundstation': ['groundstation'],
+    'guardduty': ['guardduty'],
+    'health': ['health'],
+    'healthlake': ['healthlake'],
+    'honeycode': [],
+    'iam': ['iam'],
+    'identity-sync': [],
+    'identitystore': ['identitystore'],
+    'imagebuilder': ['imagebuilder'],
+    'inspector': ['inspector'],
+    'inspector2': ['inspector2'],
+    'internetmonitor': ['internetmonitor'],
+    'invoicing': ['invoicing'],
+    'iot': ['iot'],
+    'iotanalytics': ['iotanalytics'],
+    'iotdeviceadvisor': ['iotdeviceadvisor'],
+    'iotevents': ['iotevents'],
+    'iotfleethub': [],
+    'iotfleetwise': ['iotfleetwise'],
+    'iotmanagedintegrations': ['iot-managed-integrations'],
+    'iotsitewise': ['iotsitewise'],
+    'iottwinmaker': ['iottwinmaker'],
+    'iotwireless': ['iotwireless'],
+    'iq': [],
+    'iq-permission': [],
+    'ivs': ['ivs', 'ivs-realtime'],
+    'ivschat': ['ivschat'],
+    'kafka': ['kafka'],
+    'kafkaconnect': ['kafkaconnect'],
+    'kendra': ['kendra'],
+    'kendra-ranking': ['kendra-ranking'],
+    'kinesis': ['kinesis'],
+    'kinesisanalytics': ['kinesisanalytics', 'kinesisanalyticsv2'],
+    'kinesisvideo': ['kinesisvideo', 'kinesis-video-archived-media', 'kinesis-video-media', 'kinesis-video-signaling', 'kinesis-video-webrtc-storage'],
+    'kms': ['kms'],
+    'lambda': ['lambda'],
+    'launchwizard': ['launch-wizard'],
+    'lex': ['lex-models', 'lex-runtime', 'lexv2-models', 'lexv2-runtime'],
+    'license-manager': ['license-manager'],
+    'license-manager-linux-subscriptions': ['license-manager-linux-subscriptions'],
+    'license-manager-user-subscriptions': ['license-manager-user-subscriptions'],
+    'lightsail': ['lightsail'],
+    'logs': ['logs'],
+    'lookoutequipment': ['lookoutequipment'],
+    'lookoutmetrics': [],
+    'lookoutvision': [],
+    'm2': ['m2'],
+    'machinelearning': ['machinelearning'],
+    'macie2': ['macie2'],
+    'managedblockchain': ['managedblockchain'],
+    'mapcredits': [],
+    'mediaconnect': ['mediaconnect'],
+    'mediaconvert': ['mediaconvert'],
+    'medialive': ['medialive'],
+    'mediapackage': ['mediapackage'],
+    'mediapackage-vod': ['mediapackage-vod'],
+    'mediapackagev2': ['mediapackagev2'],
+    'mediastore': ['mediastore', 'mediastore-data'],
+    'mediatailor': ['mediatailor'],
+    'medical-imaging': ['medical-imaging'],
+    'memorydb': ['memorydb'],
+    'mgh': ['mgh', 'migrationhub-config'],
+    'mgn': ['mgn'],
+    'migrationhub-orchestrator': ['migrationhuborchestrator'],
+    'mobiletargeting': ['pinpoint'],
+    'monitron': [],
+    'mpa': ['mpa'],
+    'mq': ['mq'],
+    'neptune-db': ['neptunedata'],
+    'neptune-graph': ['neptune-graph'],
+    'network-firewall': ['network-firewall'],
+    'networkflowmonitor': ['networkflowmonitor'],
+    'networkmanager': ['networkmanager'],
+    'networkmonitor': ['networkmonitor'],
+    'nimble': [],
+    'notifications': ['notifications'],
+    'notifications-contacts': ['notificationscontacts'],
+    'nova-act': ['nova-act'],
+    'oam': ['oam'],
+    'observabilityadmin': ['observabilityadmin'],
+    'odb': ['odb'],
+    'omics': ['omics'],
+    'one': [],
+    'opensearch': ['opensearch'],
+    'opsworks': [],
+    'opsworks-cm': [],
+    'organizations': ['organizations'],
+    'osis': ['osis'],
+    'outposts': ['outposts'],
+    'panorama': ['panorama'],
+    'partnercentral': ['partnercentral-account', 'partnercentral-benefits', 'partnercentral-channel', 'partnercentral-selling'],
+    'payment-cryptography': ['payment-cryptography', 'payment-cryptography-data'],
+    'payments': [],
+    'pca-connector-ad': ['pca-connector-ad'],
+    'pca-connector-scep': ['pca-connector-scep'],
+    'pcs': ['pcs'],
+    'personalize': ['personalize', 'personalize-events', 'personalize-runtime'],
+    'pi': ['pi'],
+    'pipes': ['pipes'],
+    'polly': ['polly'],
+    'pricingplanmanager': [],
+    'private-networks': ['privatenetworks'],
+    'profile': ['customer-profiles'],
+    'proton': ['proton'],
+    'purchase-orders': [],
+    'qapps': ['qapps'],
+    'qbusiness': ['qbusiness'],
+    'qdeveloper': [],
+    'qldb': [],
+    'quicksight': ['quicksight'],
+    'ram': ['ram'],
+    'rbin': ['rbin'],
+    'rds': ['rds', 'docdb', 'neptune'],
+    'rds-db': ['rds'],
+    'redshift': ['redshift'],
+    'redshift-serverless': ['redshift-serverless'],
+    'refactor-spaces': ['migration-hub-refactor-spaces'],
+    'rekognition': ['rekognition'],
+    'repostspace': ['repostspace'],
+    'resiliencehub': ['resiliencehub'],
+    'resource-explorer-2': ['resource-explorer-2'],
+    'resource-groups': ['resource-groups'],
+    'robomaker': [],
+    'rolesanywhere': ['rolesanywhere'],
+    'route53': ['route53'],
+    'route53-recovery-control': ['route53-recovery-cluster', 'route53-recovery-control-config'],
+    'route53-recovery-readiness': ['route53-recovery-readiness'],
+    'route53globalresolver': ['route53globalresolver'],
+    'route53profiles': ['route53profiles'],
+    'route53resolver': ['route53resolver'],
+    'rum': ['rum'],
+    's3': ['s3', 's3control'],
+    's3-object-lambda': ['s3'],
+    's3-outposts': ['s3outposts'],
+    's3express': ['s3'],
+    's3tables': ['s3tables'],
+    's3vectors': ['s3vectors'],
+    'sagemaker': ['sagemaker', 'sagemaker-a2i-runtime', 'sagemaker-edge', 'sagemaker-featurestore-runtime', 'sagemaker-metrics', 'sagemaker-runtime'],
+    'sagemaker-geospatial': ['sagemaker-geospatial'],
+    'savingsplans': ['savingsplans'],
+    'scheduler': ['scheduler'],
+    'schemas': ['schemas'],
+    'scn': ['supplychain'],
+    'sdb': ['sdb'],
+    'secretsmanager': ['secretsmanager'],
+    'security-ir': ['security-ir'],
+    'securityagent': [],
+    'securityhub': ['securityhub'],
+    'securitylake': ['securitylake'],
+    'serverlessrepo': ['serverlessrepo'],
+    'servicecatalog': ['servicecatalog', 'servicecatalog-appregistry'],
+    'servicediscovery': ['servicediscovery'],
+    'servicequotas': ['service-quotas'],
+    'ses': ['ses', 'mailmanager', 'pinpoint-email', 'sesv2'],
+    'shield': ['shield'],
+    'signer': ['signer'],
+    'simspaceweaver': ['simspaceweaver'],
+    'sms-voice': ['sms-voice', 'pinpoint-sms-voice', 'pinpoint-sms-voice-v2'],
+    'snow-device-management': ['snow-device-management'],
+    'sns': ['sns'],
+    'social-messaging': ['socialmessaging'],
+    'sqlworkbench': [],
+    'sqs': ['sqs'],
+    'ssm': ['ssm'],
+    'ssm-contacts': ['ssm-contacts'],
+    'ssm-incidents': ['ssm-incidents'],
+    'ssm-quicksetup': ['ssm-quicksetup'],
+    'ssm-sap': ['ssm-sap'],
+    'sso': ['sso', 'sso-admin'],
+    'states': ['stepfunctions'],
+    'storagegateway': ['storagegateway'],
+    'sts': ['sts'],
+    'swf': ['swf'],
+    'synthetics': ['synthetics'],
+    'textract': ['textract'],
+    'thinclient': ['workspaces-thin-client'],
+    'timestream': ['timestream-query', 'timestream-write'],
+    'timestream-influxdb': ['timestream-influxdb'],
+    'tnb': ['tnb'],
+    'transcribe': ['transcribe'],
+    'transfer': ['transfer'],
+    'transform': [],
+    'transform-custom': [],
+    'translate': ['translate'],
+    'trustedadvisor': ['trustedadvisor'],
+    'ts': [],
+    'vendor-insights': [],
+    'verifiedpermissions': ['verifiedpermissions'],
+    'voiceid': ['voice-id'],
+    'vpc-lattice': ['vpc-lattice'],
+    'waf': ['waf'],
+    'waf-regional': ['waf-regional'],
+    'wafv2': ['wafv2'],
+    'wellarchitected': ['wellarchitected'],
+    'wickr': ['wickr'],
+    'wisdom': ['wisdom', 'qconnect'],
+    'workdocs': ['workdocs'],
+    'worklink': [],
+    'workmail': ['workmail'],
+    'workmailmessageflow': ['workmailmessageflow'],
+    'workspaces': ['workspaces'],
+    'workspaces-instances': ['workspaces-instances'],
+    'workspaces-web': ['workspaces-web'],
+    'xray': ['xray'],
+}

{arnmatch-2026.1.0 → arnmatch-2026.1.2}/tests/test_arnmatch.py

@@ -9,6 +9,7 @@ def test_acm():
     )
     assert result.resource_type == "certificate"
     assert result.attributes["CertificateId"] == "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
+    assert result.aws_sdk_services == ["acm"]
 
 
 def test_apigateway():
@@ -68,6 +69,8 @@ def test_cloudwatch():
         result.attributes["AlarmName"]
         == "CPU Utilization - High Warning - service-production-1"
     )
+    # cloudwatch is a manual override (endpointPrefix is 'monitoring')
+    assert result.aws_sdk_services == ["cloudwatch"]
 
 
 def test_codebuild():
@@ -212,6 +215,8 @@ def test_elasticfilesystem():
     )
     assert result.resource_type == "file-system"
     assert result.attributes["FileSystemId"] == "fs-01234567"
+    # elasticfilesystem maps to efs via metadata
+    assert result.aws_sdk_services == ["efs"]
 
 
 def test_elasticloadbalancing():
@@ -245,6 +250,8 @@ def test_elasticloadbalancing():
     assert result.resource_type == "targetgroup"
     assert result.attributes["TargetGroupName"] == "target-grp-1"
     assert result.attributes["TargetGroupId"] == "0123456789abcdef"
+    # elasticloadbalancing maps to multiple SDK clients
+    assert result.aws_sdk_services == ["elb", "elbv2"]
 
 
 def test_es():
@@ -307,6 +314,7 @@ def test_lambda():
     )
     assert result.resource_type == "function"
     assert result.attributes["FunctionName"] == "ProcessDataHandler"
+    assert result.aws_sdk_services == ["lambda"]
 
 
 def test_logs():
@@ -339,6 +347,8 @@ def test_rds():
     )
     assert result.resource_type == "snapshot"
     assert result.attributes["SnapshotName"] == "final-database-backup-01234567"
+    # rds maps to multiple SDK clients (rds, docdb, neptune share ARN format)
+    assert result.aws_sdk_services == ["rds", "docdb", "neptune"]
 
 
 def test_route53():
@@ -357,6 +367,7 @@ def test_s3():
     result = arnmatch("arn:aws:s3:::example-bucket-01")
     assert result.resource_type == "bucket"
     assert result.attributes["BucketName"] == "example-bucket-01"
+    assert result.aws_sdk_services == ["s3", "s3control"]
 
 
 def test_secretsmanager():