feat(aws): add blast propagation from security groups to instances vi… (#3284)

## Summary

- Add blast radius propagation from Security Groups to EC2 instances via
Network Interfaces
- Enable `ec2-network-interface` adapter to search by security group ID
using AWS's `group-id` filter
- Fix issue where changing a Security Group would not show affected EC2
instances in blast radius

## Problem

When analyzing the blast radius of a Security Group change, Overmind
wasn't discovering the EC2 instances attached to that security group.
This was because:

1. The `ec2-security-group` adapter only linked **outward** to VPCs and
other security groups
2. The `ec2-instance` adapter linked **to** security groups with `In:
true, Out: false`
3. Since blast radius starts from the changing resource (SG) and follows
outward links, instances were never discovered

This meant users would see no risks when modifying security groups, even
when instances were actively using them.

## Solution

Added a forward link from Security Groups → Network Interfaces →
Instances:

```
SG change → ec2-network-interface (SEARCH by sg-id) → ec2-instance (existing link with Out: true)
```

Changes:
- `ec2-security-group`: Added `LinkedItemQuery` to search for ENIs using
this SG
- `ec2-network-interface`: Added `InputMapperSearch` that filters by
`group-id` when query starts with `sg-`

## Test plan

- [x] Unit tests pass for `TestNetworkInterfaceInputMapperSearch`
- [x] Unit tests pass for `TestSecurityGroupOutputMapper` with new ENI
link
- [ ] Manual test: Create SG with attached instances, run change
analysis, verify instances appear in blast radius

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Enables blast radius from security groups to instances by linking SGs
to ENIs and adding ENI search by security group ID (and ARN).
>
> - **Adapters**
>   - `ec2-network-interface`:
> - Add `InputMapperSearch` supporting `sg-*` via `group-id` filter and
parsing ARN `network-interface/eni-*`.
> - Wire `InputMapperSearch` into adapter; update metadata
`SearchDescription`.
>   - `ec2-security-group`:
> - Add linked SEARCH to `ec2-network-interface` by SG ID with outward
blast propagation.
>     - Update `PotentialLinks` to include `ec2-network-interface`.
> - **Tests**
> - Add `TestNetworkInterfaceInputMapperSearch` and extend
`TestSecurityGroupOutputMapper` for new ENI link.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
436e0e83739023d73b97f54f16127d3febf09443. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: c1f547771af266b06d2d84390444dd171217873b

Author: jameslaneovermind

aws-source/adapters/ec2-network-interface.go

@@ -2,8 +2,11 @@ package adapters
 
 import (
 	"context"
+	"strings"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/ec2"
+	"github.com/aws/aws-sdk-go-v2/service/ec2/types"
 
 	"github.com/overmindtech/cli/aws-source/adapterhelpers"
 	"github.com/overmindtech/cli/sdp-go"
@@ -21,6 +24,45 @@ func networkInterfaceInputMapperList(scope string) (*ec2.DescribeNetworkInterfac
 	return &ec2.DescribeNetworkInterfacesInput{}, nil
 }
 
+func networkInterfaceInputMapperSearch(_ context.Context, _ *ec2.Client, scope, query string) (*ec2.DescribeNetworkInterfacesInput, error) {
+	// If query looks like a security group ID, filter by it
+	// This enables security groups to discover their attached network interfaces
+	if strings.HasPrefix(query, "sg-") {
+		return &ec2.DescribeNetworkInterfacesInput{
+			Filters: []types.Filter{
+				{
+					Name:   aws.String("group-id"),
+					Values: []string{query},
+				},
+			},
+		}, nil
+	}
+
+	// Otherwise try to parse as an ARN
+	arn, err := adapterhelpers.ParseARN(query)
+	if err != nil {
+		return nil, &sdp.QueryError{
+			ErrorType:   sdp.QueryError_NOTFOUND,
+			ErrorString: "query must be a security group ID (sg-*) or a valid ARN",
+			Scope:       scope,
+		}
+	}
+
+	// Extract network interface ID from ARN
+	// ARN format: arn:aws:ec2:region:account:network-interface/eni-xxx
+	if arn.Type() == "network-interface" {
+		return &ec2.DescribeNetworkInterfacesInput{
+			NetworkInterfaceIds: []string{arn.ResourceID()},
+		}, nil
+	}
+
+	return nil, &sdp.QueryError{
+		ErrorType:   sdp.QueryError_NOTFOUND,
+		ErrorString: "unsupported ARN type for network interface search",
+		Scope:       scope,
+	}
+}
+
 func networkInterfaceOutputMapper(_ context.Context, _ *ec2.Client, scope string, _ *ec2.DescribeNetworkInterfacesInput, output *ec2.DescribeNetworkInterfacesOutput) ([]*sdp.Item, error) {
 	items := make([]*sdp.Item, 0)
 
@@ -252,8 +294,9 @@ func NewEC2NetworkInterfaceAdapter(client *ec2.Client, accountID string, region
 		DescribeFunc: func(ctx context.Context, client *ec2.Client, input *ec2.DescribeNetworkInterfacesInput) (*ec2.DescribeNetworkInterfacesOutput, error) {
 			return client.DescribeNetworkInterfaces(ctx, input)
 		},
-		InputMapperGet:  networkInterfaceInputMapperGet,
-		InputMapperList: networkInterfaceInputMapperList,
+		InputMapperGet:    networkInterfaceInputMapperGet,
+		InputMapperList:   networkInterfaceInputMapperList,
+		InputMapperSearch: networkInterfaceInputMapperSearch,
 		PaginatorBuilder: func(client *ec2.Client, params *ec2.DescribeNetworkInterfacesInput) adapterhelpers.Paginator[*ec2.DescribeNetworkInterfacesOutput, *ec2.Options] {
 			return ec2.NewDescribeNetworkInterfacesPaginator(client, params)
 		},
@@ -270,7 +313,7 @@ var networkInterfaceAdapterMetadata = Metadata.Register(&sdp.AdapterMetadata{
 		Search:            true,
 		GetDescription:    "Get a network interface by ID",
 		ListDescription:   "List all network interfaces",
-		SearchDescription: "Search network interfaces by ARN",
+		SearchDescription: "Search network interfaces by ARN or security group ID (sg-*)",
 	},
 	PotentialLinks: []string{"ec2-instance", "ec2-security-group", "ip", "dns", "ec2-subnet", "ec2-vpc"},
 	TerraformMappings: []*sdp.TerraformMapping{

aws-source/adapters/ec2-network-interface_test.go

@@ -40,6 +40,88 @@ func TestNetworkInterfaceInputMapperList(t *testing.T) {
 	}
 }
 
+func TestNetworkInterfaceInputMapperSearch(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name           string
+		query          string
+		expectFilter   bool
+		filterName     string
+		filterValue    string
+		expectENIId    bool
+		eniId          string
+		expectError    bool
+	}{
+		{
+			name:         "Security group ID",
+			query:        "sg-0437857de45b640ce",
+			expectFilter: true,
+			filterName:   "group-id",
+			filterValue:  "sg-0437857de45b640ce",
+		},
+		{
+			name:        "Network interface ARN",
+			query:       "arn:aws:ec2:eu-west-2:123456789012:network-interface/eni-0b4652e6f2aa36d78",
+			expectENIId: true,
+			eniId:       "eni-0b4652e6f2aa36d78",
+		},
+		{
+			name:        "Invalid query",
+			query:       "invalid-query",
+			expectError: true,
+		},
+		{
+			name:        "Invalid ARN type",
+			query:       "arn:aws:ec2:eu-west-2:123456789012:instance/i-1234567890abcdef0",
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			input, err := networkInterfaceInputMapperSearch(context.Background(), nil, "123456789012.eu-west-2", tt.query)
+
+			if tt.expectError {
+				if err == nil {
+					t.Errorf("expected error for query %s, got nil", tt.query)
+				}
+				return
+			}
+
+			if err != nil {
+				t.Errorf("unexpected error for query %s: %v", tt.query, err)
+				return
+			}
+
+			if tt.expectFilter {
+				if len(input.Filters) != 1 {
+					t.Errorf("expected 1 filter, got %d", len(input.Filters))
+					return
+				}
+				if *input.Filters[0].Name != tt.filterName {
+					t.Errorf("expected filter name %s, got %s", tt.filterName, *input.Filters[0].Name)
+				}
+				if len(input.Filters[0].Values) != 1 || input.Filters[0].Values[0] != tt.filterValue {
+					t.Errorf("expected filter value %s, got %v", tt.filterValue, input.Filters[0].Values)
+				}
+			}
+
+			if tt.expectENIId {
+				if len(input.NetworkInterfaceIds) != 1 {
+					t.Errorf("expected 1 network interface ID, got %d", len(input.NetworkInterfaceIds))
+					return
+				}
+				if input.NetworkInterfaceIds[0] != tt.eniId {
+					t.Errorf("expected network interface ID %s, got %s", tt.eniId, input.NetworkInterfaceIds[0])
+				}
+			}
+		})
+	}
+}
+
 func TestNetworkInterfaceOutputMapper(t *testing.T) {
 	output := &ec2.DescribeNetworkInterfacesOutput{
 		NetworkInterfaces: []types.NetworkInterface{

aws-source/adapters/ec2-security-group.go

@@ -64,6 +64,27 @@ func securityGroupOutputMapper(_ context.Context, _ *ec2.Client, scope string, _
 			})
 		}
 
+		// Network Interfaces using this security group
+		// This enables blast radius propagation from security groups to
+		// instances via their network interfaces
+		if securityGroup.GroupId != nil {
+			item.LinkedItemQueries = append(item.LinkedItemQueries, &sdp.LinkedItemQuery{
+				Query: &sdp.Query{
+					Type:   "ec2-network-interface",
+					Method: sdp.QueryMethod_SEARCH,
+					Query:  *securityGroup.GroupId,
+					Scope:  scope,
+				},
+				BlastPropagation: &sdp.BlastPropagation{
+					// Network interfaces don't affect the security group
+					In: false,
+					// Changes to the security group affect network interfaces
+					// (and through them, EC2 instances)
+					Out: true,
+				},
+			})
+		}
+
 		item.LinkedItemQueries = append(item.LinkedItemQueries, extractLinkedSecurityGroups(securityGroup.IpPermissions, scope)...)
 		item.LinkedItemQueries = append(item.LinkedItemQueries, extractLinkedSecurityGroups(securityGroup.IpPermissionsEgress, scope)...)
 
@@ -108,7 +129,7 @@ var securityGroupAdapterMetadata = Metadata.Register(&sdp.AdapterMetadata{
 		ListDescription:   "List all security groups",
 		SearchDescription: "Search for security groups by ARN",
 	},
-	PotentialLinks: []string{"ec2-vpc"},
+	PotentialLinks: []string{"ec2-vpc", "ec2-network-interface"},
 	TerraformMappings: []*sdp.TerraformMapping{
 		{TerraformQueryMap: "aws_security_group.id"},
 		{TerraformQueryMap: "aws_security_group_rule.security_group_id"},

aws-source/adapters/ec2-security-group_test.go

@@ -101,6 +101,12 @@ func TestSecurityGroupOutputMapper(t *testing.T) {
 			ExpectedQuery:  "vpc-0d7892e00e573e701",
 			ExpectedScope:  item.GetScope(),
 		},
+		{
+			ExpectedType:   "ec2-network-interface",
+			ExpectedMethod: sdp.QueryMethod_SEARCH,
+			ExpectedQuery:  "sg-094e151c9fc5da181",
+			ExpectedScope:  item.GetScope(),
+		},
 		{
 			ExpectedType:   "ec2-security-group",
 			ExpectedMethod: sdp.QueryMethod_GET,