adding new version in wrapper

Author: RkSinghDeo

devolv/__init__.py

@@ -1,2 +1,2 @@
-__version__ = "0.2.29"
+__version__ = "0.2.30"
 

devolv/drift/cli.py

@@ -47,18 +47,15 @@ def push_branch(branch_name: str):
 
 
 def detect_drift(local_doc, aws_doc) -> bool:
-    local_statements = {json.dumps(s, sort_keys=True) for s in local_doc.get("Statement", [])}
-    aws_statements = {json.dumps(s, sort_keys=True) for s in aws_doc.get("Statement", [])}
-
-    missing_in_local = aws_statements - local_statements
-
-    if missing_in_local:
-        typer.echo("❌ Drift detected: Local is missing permissions present in AWS.")
+    from deepdiff import DeepDiff
+    diff = DeepDiff(aws_doc, local_doc, ignore_order=True)
+    if diff:
+        typer.echo(f"❌ Drift detected:\n{json.dumps(diff, indent=2)}")
         return True
-
-    typer.echo("✅ No removal drift detected (local may have extra permissions; that's fine).")
+    typer.echo("✅ No drift detected.")
     return False
 
+
 @app.command()
 def drift(
     dummy: str = typer.Argument(None, hidden=True),

devolv/drift/report.py

@@ -1,75 +1,163 @@
 import json
-import difflib
-from rich.console import Console
-from rich.text import Text
+import os
+import subprocess
+import boto3
 import typer
-def clean_policy(policy):
-    """
-    Remove empty statements ({} entries) from the policy's 'Statement' list.
-    """
-    if isinstance(policy, dict) and "Statement" in policy:
-        statements = policy.get("Statement", [])
-        if isinstance(statements, list):
-            policy["Statement"] = [s for s in statements if s]
-    return policy
+from github import Github
+from datetime import datetime
+from deepdiff import DeepDiff
+
+from devolv.drift.aws_fetcher import get_aws_policy_document, merge_policy_documents, build_superset_policy
+from devolv.drift.issues import create_approval_issue, wait_for_sync_choice
+from devolv.drift.github_approvals import create_github_pr
+from devolv.drift.report import print_drift_diff
 
-def detect_drift(local_doc, aws_doc) -> bool:
-    """Detect removal drift: AWS has permissions missing from local (danger)."""
-    local_statements = {json.dumps(s, sort_keys=True) for s in local_doc.get("Statement", [])}
-    aws_statements = {json.dumps(s, sort_keys=True) for s in aws_doc.get("Statement", [])}
+app = typer.Typer()
 
-    missing_in_local = aws_statements - local_statements
+def push_branch(branch_name: str):
+    try:
+        subprocess.run(["git", "checkout", "-B", branch_name], check=True)
+        subprocess.run(["git", "config", "user.email", "github-actions@users.noreply.github.com"], check=True)
+        subprocess.run(["git", "config", "user.name", "github-actions"], check=True)
+        subprocess.run(["git", "add", "."], check=True)
+        subprocess.run(["git", "commit", "-m", f"Update policy: {branch_name}"], check=True)
 
-    if missing_in_local:
-        typer.echo("❌ Drift detected: Local is missing permissions present in AWS.")
-        # No need to print each JSON line — rich diff will handle details
-        return True
+        try:
+            subprocess.run(["git", "push", "--set-upstream", "origin", branch_name], check=True)
+        except subprocess.CalledProcessError:
+            typer.echo("⚠️ Initial push failed. Attempting rebase + push...")
+            subprocess.run(["git", "pull", "--rebase", "origin", branch_name], check=True)
+            subprocess.run(["git", "push", "--set-upstream", "origin", branch_name], check=True)
 
-    typer.echo("✅ No removal drift detected (local may have extra permissions; that's fine).")
-    return False
+        typer.echo(f"✅ Pushed branch {branch_name} to origin.")
 
+    except subprocess.CalledProcessError as e:
+        typer.echo(f"❌ Git command failed: {e}")
+        raise typer.Exit(1)
 
-def generate_diff_lines(local_doc: dict, aws_doc: dict):
+def detect_drift(local_doc, aws_doc) -> dict:
     """
-    Generate a unified diff between local and AWS policy JSONs.
+    Use deepdiff to detect all drift between local and AWS policy documents.
+    Return the diff dict.
     """
-    local_str = json.dumps(clean_policy(local_doc), indent=2, sort_keys=True)
-    aws_str = json.dumps(clean_policy(aws_doc), indent=2, sort_keys=True)
-
-    diff = list(difflib.unified_diff(
-        local_str.splitlines(),
-        aws_str.splitlines(),
-        fromfile="local",
-        tofile="aws",
-        lineterm=""
-    ))
-    if not diff:
-        # Return at least header lines if no differences
-        return ["--- local", "+++ aws"]
+    diff = DeepDiff(aws_doc, local_doc, ignore_order=True)
+    if diff:
+        typer.echo("❌ Drift detected:")
+        typer.echo(json.dumps(diff, indent=2))
+    else:
+        typer.echo("✅ No drift detected.")
     return diff
 
-def print_drift_diff(local_doc: dict, aws_doc: dict):
-    """
-    Pretty-print a unified diff using Rich.
-    """
-    console = Console()
-    diff_lines = generate_diff_lines(local_doc, aws_doc)
+@app.command()
+def drift(
+    policy_name: str = typer.Option(..., "--policy-name", help="Name of the IAM policy"),
+    policy_file: str = typer.Option(..., "--file", help="Path to local policy file"),
+    account_id: str = typer.Option(None, "--account-id", help="AWS Account ID (optional)"),
+    approvers: str = typer.Option("", help="Comma-separated GitHub usernames for approval (optional)"),
+    approval_anyway: bool = typer.Option(False, "--approval-anyway", help="Request approval even if no drift"),
+    repo_full_name: str = typer.Option(None, "--repo", help="GitHub repo full name (e.g., org/repo)")
+):
+    iam = boto3.client("iam")
+    if not account_id:
+        account_id = boto3.client("sts").get_caller_identity()["Account"]
+    policy_arn = f"arn:aws:iam::{account_id}:policy/{policy_name}"
+
+    try:
+        with open(policy_file) as f:
+            local_doc = json.load(f)
+    except FileNotFoundError:
+        typer.echo(f"❌ Local policy file {policy_file} not found.")
+        raise typer.Exit(1)
 
-    # If only headers (or no lines), treat as no drift
-    if not diff_lines or (len(diff_lines) == 2 and diff_lines[0].startswith("---") and diff_lines[1].startswith("+++")):
-        console.print("✅ No drift detected: Policies match.", style="green")
+    aws_doc = get_aws_policy_document(policy_arn)
+    diff = detect_drift(local_doc, aws_doc)
+
+    if not diff and not approval_anyway:
+        typer.echo("✅ No drift and no forced approval requested. Exiting.")
         return
 
-    console.print("❌ Drift detected — see diff below", style="bold red")
-    for line in diff_lines:
-        if line.startswith('---') or line.startswith('+++'):
-            console.print(Text(line, style="bold"))
-        elif line.startswith('@@'):
-            console.print(Text(line, style="cyan"))
-        elif line.startswith('-'):
-            console.print(Text(line, style="red"))
-        elif line.startswith('+'):
-            console.print(Text(line, style="green"))
-        else:
-            console.print(Text(line, style="bright_black"))
+    # print rich diff if drift exists
+    if diff:
+        print_drift_diff(local_doc, aws_doc)
+
+    # Approval flow starts
+    repo_full_name = repo_full_name or os.getenv("GITHUB_REPOSITORY")
+    token = os.getenv("GITHUB_TOKEN")
+
+    if not repo_full_name:
+        typer.echo("❌ GitHub repo not specified. Use --repo or set GITHUB_REPOSITORY.")
+        raise typer.Exit(1)
+    if not token:
+        typer.echo("❌ GITHUB_TOKEN not set in environment.")
+        raise typer.Exit(1)
+
+    assignees = [a.strip() for a in approvers.split(",") if a.strip()]
+    issue_num, _ = create_approval_issue(repo_full_name, token, policy_name, assignees=assignees, drift_detected=bool(diff))
+    typer.echo(f"✅ Approval issue created: https://github.com/{repo_full_name}/issues/{issue_num}")
+
+    choice = wait_for_sync_choice(repo_full_name, issue_num, token)
+
+    if choice == "local->aws":
+        merged_doc = merge_policy_documents(local_doc, aws_doc)
+        _update_aws_policy(iam, policy_arn, merged_doc)
+        typer.echo(f"✅ AWS policy {policy_arn} updated with local changes (append-only).")
+
+    elif choice == "aws->local":
+        _update_local_and_create_pr(aws_doc, policy_file, repo_full_name, policy_name, issue_num, token, "from AWS policy")
+
+    elif choice == "aws<->local":
+        superset_doc = build_superset_policy(local_doc, aws_doc)
+        _update_aws_policy(iam, policy_arn, superset_doc)
+        typer.echo(f"✅ AWS policy {policy_arn} updated with superset of local + AWS.")
+        _update_local_and_create_pr(superset_doc, policy_file, repo_full_name, policy_name, issue_num, token, "with superset of local + AWS")
+
+    elif choice == "accept":
+        gh = Github(token)
+        repo = gh.get_repo(repo_full_name)
+        issue = repo.get_issue(number=issue_num)
+        issue.create_comment("✅ Approved current state. No action needed.")
+        issue.edit(state="closed")
+        typer.echo("✅ Approval received. No action required. Issue closed.")
+
+    elif choice == "reject":
+        gh = Github(token)
+        repo = gh.get_repo(repo_full_name)
+        issue = repo.get_issue(number=issue_num)
+        issue.create_comment("❌ Rejected current state. No action taken.")
+        issue.edit(state="closed")
+        typer.echo("❌ Approval rejected. Issue closed.")
+
+    else:
+        typer.echo("⏭ No synchronization performed (skip).")
+
+def _update_aws_policy(iam, policy_arn, policy_doc):
+    versions = iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]
+    if len(versions) >= 5:
+        oldest = sorted((v for v in versions if not v["IsDefaultVersion"]), key=lambda v: v["CreateDate"])[0]
+        iam.delete_policy_version(PolicyArn=policy_arn, VersionId=oldest["VersionId"])
+    iam.create_policy_version(
+        PolicyArn=policy_arn,
+        PolicyDocument=json.dumps(policy_doc),
+        SetAsDefault=True
+    )
+
+def _update_local_and_create_pr(doc, policy_file, repo_full_name, policy_name, issue_num, token, description=""):
+    new_content = json.dumps(doc, indent=2)
+    with open(policy_file, "w") as f:
+        f.write(new_content)
+
+    timestamp = datetime.utcnow().strftime("%Y%m%d-%H%M%S")
+    branch = f"drift-sync-{policy_name}-{timestamp}".replace("/", "-").lower()
+
+    push_branch(branch)
+
+    pr_title = f"Update {policy_file} {description}".strip()
+    pr_body = f"This PR updates `{policy_file}` {description}.\n\nLinked to issue #{issue_num}.".strip()
+
+    pr_num, pr_url = create_github_pr(repo_full_name, branch, pr_title, pr_body, issue_num=issue_num)
 
+    gh = Github(token)
+    repo = gh.get_repo(repo_full_name)
+    issue = repo.get_issue(number=issue_num)
+    issue.create_comment(f"✅ PR created and linked: {pr_url}. Closing issue.")
+    issue.edit(state="closed")