testing drift v2 in flow

Author: RkSinghDeo

.github/workflows/test-devolv-action.yml.yml

@@ -36,13 +36,13 @@ jobs:
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: ap-south-1
-          role-to-assume: arn:aws:iam::149704127940:role/DevolvCIRole
+          aws-region: *******
+          role-to-assume: arn:aws:iam::*******:role/DevolvCIRole
           role-skip-session-tagging: true
 
       - name: Run Devolv Drift Detection
         uses: devolvdev/devolv-actions@v1
         with:
-          tool: drift
-          policy-name: DevolvTestPolicyHuge
-          path: ./test-devolv-policy.json
+          tool: drift  # drift = detect IAM drift (validator also available)  
+          policy-name: DevolvTestPolicyHuge # Name of the IAM policy in AWS  
+          path: ./test-devolv-policy.json  # Path to your local IaC policy file 

.github/workflows/test.yml

@@ -0,0 +1,27 @@
+name: Devolv Action Test
+
+on:
+  workflow_dispatch: {}
+
+jobs:
+  test-devolv:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Devolv Drift
+        uses: your-org/devolv-action@v2
+        with:
+          tool: drift
+          policy-name: DevolvTestPolicy
+          path: ./test-devolv-policy.json
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run Devolv Validate
+        uses: your-org/devolv-action@v2
+        with:
+          tool: validate
+          path: ./test-devolv-policy.json
+          github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml_bkp

@@ -1,59 +1,26 @@
 import boto3
-import botocore
-
-def get_policy(policy_name=None, policy_arn=None):
-    client = boto3.client("iam")
-    sts_client = boto3.client("sts")
-
-    try:
-        if policy_arn:
-            # Directly fetch by provided ARN
-            return _fetch_policy_document(client, policy_arn)
-
-        # No ARN provided → try to construct ARN
-        account_id = sts_client.get_caller_identity()["Account"]
-        constructed_arn = f"arn:aws:iam::{account_id}:policy/{policy_name}"
-
-        try:
-            return _fetch_policy_document(client, constructed_arn)
-        except botocore.exceptions.ClientError as e:
-            if e.response["Error"]["Code"] not in ["NoSuchEntity", "AccessDenied"]:
-                raise  # Unexpected error, re-raise
-
-            # Fallthrough to attempt list-based discovery
-            pass
-
-        # Fallback: attempt to list policies (if permission allows)
-        paginator = client.get_paginator('list_policies')
-        for page in paginator.paginate(Scope='Local'):
-            for policy in page['Policies']:
-                if policy['PolicyName'] == policy_name:
-                    return _fetch_policy_document(client, policy['Arn'])
-
-        # As last attempt, try AWS-managed policies
-        for page in paginator.paginate(Scope='AWS'):
-            for policy in page['Policies']:
-                if policy['PolicyName'] == policy_name:
-                    return _fetch_policy_document(client, policy['Arn'])
-
-        # Not found at all
-        return None
-
-    except botocore.exceptions.ClientError as e:
-        error = e.response.get("Error", {})
-        code = error.get("Code", "UnknownError")
-        message = error.get("Message", "")
-        print(f"❌ AWS API error during policy fetch: {code} — {message}")
-        return None
-    except Exception as e:
-        print(f"❌ Unexpected error during policy fetch: {str(e)}")
-        return None
-
-def _fetch_policy_document(client, policy_arn):
-    policy_meta = client.get_policy(PolicyArn=policy_arn)
-    version_id = policy_meta["Policy"]["DefaultVersionId"]
-    version = client.get_policy_version(
-        PolicyArn=policy_arn,
-        VersionId=version_id
-    )
-    return version["PolicyVersion"]["Document"]
+import json
+
+def get_aws_policy_document(policy_arn: str) -> dict:
+    """
+    Fetch the JSON document of the default version of a managed IAM policy.
+    """
+    iam = boto3.client("iam")
+    policy = iam.get_policy(PolicyArn=policy_arn)['Policy']
+    default_version = policy['DefaultVersionId']
+    version = iam.get_policy_version(PolicyArn=policy_arn, VersionId=default_version)
+    return version['PolicyVersion']['Document']
+
+def merge_policy_documents(local_doc: dict, aws_doc: dict) -> dict:
+    """
+    Merge statements by appending any local-only statements to the AWS document.
+    This is an "append-only" merge (we do not delete existing AWS statements).
+    """
+    aws_stmts = aws_doc.get("Statement", [])
+    local_stmts = local_doc.get("Statement", [])
+    merged = list(aws_stmts)  # copy existing AWS statements
+    for stmt in local_stmts:
+        if stmt not in aws_stmts:
+            merged.append(stmt)
+    aws_doc["Statement"] = merged
+    return aws_doc

devolv/drift/aws_fetcher.py

@@ -1,48 +1,87 @@
+import json
+import boto3
 import typer
-from pathlib import Path
-from devolv.drift import aws_fetcher, file_loader, report
-import botocore
+import os
 
+from devolv.drift.aws_fetcher import get_aws_policy_document, merge_policy_documents
+from devolv.drift.github_issues import create_approval_issue, wait_for_sync_choice
+from devolv.drift.github_approvals import create_github_pr
+from devolv.drift.report import detect_and_print_drift
+
+app = typer.Typer()
+
+@app.command()
 def drift(
-    policy_name: str = typer.Option(..., "--policy-name", help="IAM policy name in AWS"),
-    file: str = typer.Option(..., "--file", help="Path to local policy file")
+    policy_name: str = typer.Option(..., "--policy-name", help="Name of the IAM policy"),
+    policy_file: str = typer.Option(..., "--file", help="Path to local policy file"),
+    account_id: str = typer.Option(None, "--account-id", help="AWS Account ID (optional, auto-detected if not provided)"),
+    approvers: str = typer.Option("", help="Comma-separated GitHub usernames for approval"),
+    approval_anyway: bool = typer.Option(False, "--approval-anyway", help="Request approval even if no drift")
 ):
-    try:
-        local_path = Path(file)
-        if not local_path.exists():
-            typer.secho(f"❌ File not found: {file}", fg=typer.colors.RED)
-            raise typer.Exit(1)
+    """
+    Detect drift between local policy (file) and AWS policy (ARN),
+    create GitHub issue for approval, and perform sync based on comment.
+    """
+    # Auto-detect account ID if not provided
+    if not account_id:
+        sts = boto3.client("sts")
+        account_id = sts.get_caller_identity()["Account"]
 
-        local_policy = file_loader.load_policy(local_path)
-        aws_policy = aws_fetcher.get_policy(policy_name)
+    policy_arn = f"arn:aws:iam::{account_id}:policy/{policy_name}"
 
-        if aws_policy is None:
-            typer.secho(f"⚠️ Could not fetch AWS policy '{policy_name}'.", fg=typer.colors.YELLOW)
-            raise typer.Exit(1)
+    # Load local policy document
+    try:
+        with open(policy_file) as f:
+            local_doc = json.load(f)
+    except FileNotFoundError:
+        typer.echo(f"❌ Local policy file {policy_file} not found.")
+        raise typer.Exit(1)
 
-        report.generate_diff_report(local_policy, aws_policy)
+    # Fetch AWS policy document
+    aws_doc = get_aws_policy_document(policy_arn)
+    drift = detect_and_print_drift(local_doc, aws_doc)
 
-    except botocore.exceptions.ClientError as e:
-        error = e.response.get("Error", {})
-        code = error.get("Code", "UnknownError")
-        message = error.get("Message", "")
+    # If no drift and no approval flag, exit
+    if not drift and not approval_anyway:
+        typer.echo("✅ No drift detected. Use --approval-anyway to force approval.")
+        raise typer.Exit()
 
-        typer.secho(f"❌ AWS API error: {code}", fg=typer.colors.RED)
+    # Create GitHub issue
+    token = os.getenv("GITHUB_TOKEN")
+    if not token:
+        typer.echo("❌ GITHUB_TOKEN not set in environment.")
+        raise typer.Exit(1)
 
-        if code == "AccessDenied" and ' because ' in message:
-            main, reason = message.split(' because ', 1)
-            typer.echo(f"   → {main.strip()}")
-            typer.echo(f"   → Reason: {reason.strip()}")
-        else:
-            typer.echo(f"   → {message.strip()}")
+    issue_num = create_approval_issue("owner/repo", token, policy_name)
+    typer.echo(f"Issue #{issue_num} created for approval.")
 
-        typer.echo(f"⚠️ Could not fetch AWS policy '{policy_name}'.")
-        typer.echo(f"💡 Tip: Ensure your IAM user has permission for {code}-related actions.")
-        raise typer.Exit(1)
+    # Wait for sync choice comment
+    choice = wait_for_sync_choice("owner/repo", issue_num, token)
 
-    except typer.Exit:
-        raise  # Let Typer handle clean exits
+    if choice == "local->aws":
+        merged_doc = merge_policy_documents(local_doc, aws_doc)
+        iam = boto3.client("iam")
+        versions = iam.list_policy_versions(PolicyArn=policy_arn)['Versions']
+        if len(versions) >= 5:
+            oldest = sorted((v for v in versions if not v['IsDefaultVersion']),
+                            key=lambda v: v['CreateDate'])[0]
+            iam.delete_policy_version(PolicyArn=policy_arn, VersionId=oldest['VersionId'])
+        iam.create_policy_version(
+            PolicyArn=policy_arn,
+            PolicyDocument=json.dumps(merged_doc),
+            SetAsDefault=True
+        )
+        typer.echo(f"✅ AWS policy {policy_arn} updated with local changes (append-only).")
 
-    except Exception as e:
-        typer.secho(f"❌ Unexpected error: {str(e)}", fg=typer.colors.RED)
-        raise typer.Exit(1)
+    elif choice == "aws->local":
+        new_content = json.dumps(aws_doc, indent=2)
+        with open(policy_file, "w") as f:
+            f.write(new_content)
+        branch = f"update-policy-{policy_name}"
+        pr_title = f"Update {policy_file} from AWS policy"
+        pr_body = "This PR updates the local policy file with the AWS default version."
+        pr_num = create_github_pr("owner/repo", branch, pr_title, pr_body)
+        typer.echo(f"✅ Created PR #{pr_num}: updated {policy_file} from AWS policy.")
+
+    else:
+        typer.echo("⏭ No synchronization performed (skip).")

devolv/drift/cli.py

@@ -1,5 +1,6 @@
 from deepdiff import DeepDiff
 
+
 def compare_policies(local, aws):
     diff = DeepDiff(local, aws, ignore_order=True)
     return diff

devolv/drift/comparator.py

@@ -0,0 +1,47 @@
+import os
+from github import Github
+
+def _get_github_token():
+    token = os.getenv("GITHUB_TOKEN")
+    if not token:
+        raise ValueError(
+            "❌ GITHUB_TOKEN not set in environment. "
+            "In your Action, ensure it's passed via input and exported: "
+            "export GITHUB_TOKEN=${{ inputs.github-token }}"
+        )
+    return token
+
+def _get_github_repo(repo_full_name: str):
+    gh = Github(_get_github_token())
+    return gh.get_repo(repo_full_name)
+
+def create_github_issue(repo: str, title: str, body: str, assignees: list) -> int:
+    """
+    Create a GitHub issue using the GitHub API.
+    """
+    try:
+        repo_obj = _get_github_repo(repo)
+        issue = repo_obj.create_issue(title=title, body=body, assignees=assignees)
+        print(f"✅ Created issue #{issue.number} in {repo}")
+        return issue.number
+    except Exception as e:
+        print(f"❌ Failed to create issue in {repo}: {e}")
+        raise
+
+def create_github_pr(repo: str, head_branch: str, title: str, body: str, base: str = "main") -> int:
+    """
+    Create a GitHub pull request using the GitHub API.
+    """
+    try:
+        repo_obj = _get_github_repo(repo)
+        pr = repo_obj.create_pull(
+            title=title,
+            body=body,
+            head=head_branch,
+            base=base
+        )
+        print(f"✅ Created PR #{pr.number} in {repo}")
+        return pr.number
+    except Exception as e:
+        print(f"❌ Failed to create PR in {repo}: {e}")
+        raise

devolv/drift/github_approvals.py

@@ -0,0 +1,32 @@
+from github import Github
+import time
+
+def create_approval_issue(repo_full_name, token, policy_name):
+    g = Github(token)
+    repo = g.get_repo(repo_full_name)
+    body = (
+        f"Drift detected for policy `{policy_name}`.\n\n"
+        "Please comment:\n"
+        "- `local->aws` to sync local changes to AWS\n"
+        "- `aws->local` to sync AWS changes to local file\n"
+        "- `skip` to do nothing"
+    )
+    issue = repo.create_issue(
+        title=f"Devolv Drift Sync Approval Needed: {policy_name}",
+        body=body
+    )
+    return issue.number
+
+def wait_for_sync_choice(repo_full_name, issue_number, token):
+    g = Github(token)
+    repo = g.get_repo(repo_full_name)
+    issue = repo.get_issue(number=issue_number)
+
+    while True:
+        comments = issue.get_comments()
+        for comment in comments:
+            content = comment.body.strip().lower()
+            if content in ["local->aws", "aws->local", "skip"]:
+                return content
+        print("Waiting for approval comment...")
+        time.sleep(30)  # Poll every 30 seconds