testing updated v2

Author: RkSinghDeo

.github/workflows/test-devolv-action.yml

@@ -36,6 +36,7 @@ jobs:
           path: ./test-devolv-policy.json
           approvers: RkSinghDeo, devolvdev
           github-token: ${{ secrets.GITHUB_TOKEN }}
+          approval-anyway: true
 
       - name: Run Devolv Validate
         uses: devolvdev/devolv-actions@v2

devolv/__init__.py

@@ -1,2 +1,2 @@
-__version__ = "0.2.31"
+__version__ = "0.2.32"
 

devolv/drift/cli.py

@@ -40,16 +40,20 @@ def push_branch(branch_name: str):
 def detect_drift(local_doc, aws_doc) -> bool:
     local_statements = {json.dumps(s, sort_keys=True) for s in local_doc.get("Statement", [])}
     aws_statements = {json.dumps(s, sort_keys=True) for s in aws_doc.get("Statement", [])}
-
     missing_in_local = aws_statements - local_statements
-
     if missing_in_local:
         typer.echo("❌ Drift detected: Local is missing permissions present in AWS.")
         return True
-
     typer.echo("✅ No removal drift detected (local may have extra permissions; that's fine).")
     return False
 
+def close_issue(repo_full_name, token, issue_num, comment):
+    gh = Github(token)
+    repo = gh.get_repo(repo_full_name)
+    issue = repo.get_issue(number=issue_num)
+    issue.create_comment(comment)
+    issue.edit(state="closed")
+
 @app.command()
 def drift(
     policy_name: str = typer.Option(..., "--policy-name", help="Name of the IAM policy"),
@@ -84,6 +88,7 @@ def drift(
             typer.echo(str(ve))
             raise typer.Exit(1)
         typer.echo(f"✅ AWS policy {policy_arn} updated to include any local additions.")
+
         if not approval_anyway:
             typer.echo("✅ No forced approval requested. Exiting.")
             return
@@ -99,11 +104,15 @@ def drift(
         raise typer.Exit(1)
 
     assignees = [a.strip() for a in approvers.split(",") if a.strip()]
-    issue_num, _ = create_approval_issue(repo_full_name, token, policy_name, assignees=assignees)
+    issue_num, _ = create_approval_issue(
+        repo_full_name, token, policy_name, assignees=assignees, approval_anyway=approval_anyway
+    )
     issue_url = f"https://github.com/{repo_full_name}/issues/{issue_num}"
     typer.echo(f"✅ Approval issue created: {issue_url}")
 
-    choice = wait_for_sync_choice(repo_full_name, issue_num, token)
+    choice = wait_for_sync_choice(
+        repo_full_name, issue_num, token, allowed_approvers=assignees, approval_anyway=approval_anyway
+    )
 
     if choice == "local->aws":
         merged_doc = merge_policy_documents(local_doc, aws_doc)
@@ -113,6 +122,7 @@ def drift(
             typer.echo(str(ve))
             raise typer.Exit(1)
         typer.echo(f"✅ AWS policy {policy_arn} updated with local changes (append-only).")
+        close_issue(repo_full_name, token, issue_num, "✅ AWS updated with local changes. Closing issue.")
 
     elif choice == "aws->local":
         _update_local_and_create_pr(aws_doc, policy_file, repo_full_name, policy_name, issue_num, token, "from AWS policy")
@@ -127,8 +137,18 @@ def drift(
         typer.echo(f"✅ AWS policy {policy_arn} updated with superset of local + AWS.")
         _update_local_and_create_pr(superset_doc, policy_file, repo_full_name, policy_name, issue_num, token, "with superset of local + AWS")
 
+    elif choice == "approve":
+        typer.echo("✅ Approved without sync action. Closing issue.")
+        close_issue(repo_full_name, token, issue_num, "✅ Approved without sync action. Closing issue.")
+
+    elif choice == "reject":
+        typer.echo("❌ Approval rejected. Closing issue.")
+        close_issue(repo_full_name, token, issue_num, "❌ Approval rejected. Closing issue.")
+        raise typer.Exit(1)
+
     else:
         typer.echo("⏭ No synchronization performed (skip).")
+        close_issue(repo_full_name, token, issue_num, "⏭ No sync chosen. Closing issue.")
 
 def _update_aws_policy(iam, policy_arn, policy_doc):
     sids = [stmt.get("Sid") for stmt in policy_doc.get("Statement", []) if "Sid" in stmt]

devolv/drift/github_approvals.py

@@ -3,6 +3,7 @@
 from github import Github
 import typer
 
+
 def _get_github_token():
     token = os.getenv("GITHUB_TOKEN")
     if not token:
@@ -12,31 +13,32 @@ def _get_github_token():
             "export GITHUB_TOKEN=${{ inputs.github-token }}"
         )
     return token
- 
+
+
 def _get_github_repo(repo_full_name: str):
     gh = Github(_get_github_token())
     return gh.get_repo(repo_full_name)
 
-def create_github_issue(repo: str, title: str, body: str, assignees: list) -> tuple:
+
+def create_github_issue(repo: str, title: str, body: str, assignees: list = None) -> tuple:
     """
     Create a GitHub issue and return (number, url)
     """
     try:
         repo_obj = _get_github_repo(repo)
-        issue = repo_obj.create_issue(title=title, body=body, assignees=assignees)
+        issue = repo_obj.create_issue(title=title, body=body, assignees=assignees or [])
         print(f"✅ Created issue #{issue.number} in {repo}: {issue.html_url}")
         return issue.number, issue.html_url
     except Exception as e:
         print(f"❌ Failed to create issue in {repo}: {e}")
         raise
 
+
 def create_github_pr(repo: str, head_branch: str, title: str, body: str, base: str = "main", issue_num: int = None) -> tuple:
     """
     Create a GitHub PR. If issue_num is provided, comment on the issue.
     Return (PR number, PR URL).
     """
-    from github import Github
-
     try:
         repo_obj = _get_github_repo(repo)
         pr = repo_obj.create_pull(
@@ -45,22 +47,19 @@ def create_github_pr(repo: str, head_branch: str, title: str, body: str, base: s
             head=head_branch,
             base=base
         )
-        #print(f"✅ Created PR #{pr.number} in {repo}: {pr.html_url}")
 
         if issue_num:
             issue = repo_obj.get_issue(number=issue_num)
             issue.create_comment(f"A PR has been created for this sync: {pr.html_url}")
-        
+
         return pr.number, pr.html_url
 
     except Exception as e:
         print(f"❌ Failed to create PR: {e}")
         raise
 
-def push_branch(branch_name: str):
-    import subprocess
-    import typer
 
+def push_branch(branch_name: str):
     try:
         # Create or switch to branch safely
         subprocess.run(["git", "checkout", "-B", branch_name], check=True)
@@ -69,7 +68,7 @@ def push_branch(branch_name: str):
         subprocess.run(["git", "config", "user.email", "github-actions@users.noreply.github.com"], check=True)
         subprocess.run(["git", "config", "user.name", "github-actions"], check=True)
 
-        # Add, commit
+        # Add and commit
         subprocess.run(["git", "add", "."], check=True)
         subprocess.run(["git", "commit", "-m", f"Update policy: {branch_name}"], check=True)
 
@@ -86,5 +85,3 @@ def push_branch(branch_name: str):
     except subprocess.CalledProcessError as e:
         typer.echo(f"❌ Git command failed: {e}")
         raise typer.Exit(1)
-
-

devolv/drift/issues.py

@@ -1,36 +1,51 @@
 from github import Github
 import time
 
-def create_approval_issue(repo_full_name, token, policy_name, assignees=None):
+def create_approval_issue(repo_full_name, token, policy_name, assignees=None, approval_anyway=False):
+    """
+    Create a GitHub issue requesting approval for IAM policy sync.
+    Supports forced approval requests (approval_anyway=True).
+    """
     gh = Github(token)
     repo = gh.get_repo(repo_full_name)
 
     approver_list = ", ".join([f"@{a}" for a in assignees]) if assignees else "anyone"
 
-    title = f"Approval needed for IAM policy: {policy_name}"
-    body = (
-        f"Please review and approve the sync for `{policy_name}`.\n\n"
-        f"✅ **Allowed approvers:** {approver_list}\n\n"
-        "**Reply with one of the following commands to proceed:**\n"
-        "- `local->aws` → Apply local policy changes to AWS\n"
-        "- `aws->local` → Update local policy file from AWS\n"
-        "- `aws<->local` → Sync both ways (superset, update AWS + local)\n"
-        "- `skip` → Skip this sync"
-    )
+    if approval_anyway:
+        title = f"Approval needed (forced) for IAM policy: {policy_name}"
+        body = (
+            f"Approval is required even though no drift was detected for `{policy_name}`.\n\n"
+            f"✅ **Allowed approvers:** {approver_list}\n\n"
+            "**Reply with one of the following commands to proceed:**\n"
+            "- `approve` → Approve current policy state; no changes applied\n"
+            "- `reject` → Reject current state; no changes applied"
+        )
+    else:
+        title = f"Approval needed for IAM policy: {policy_name}"
+        body = (
+            f"Please review and approve the sync for `{policy_name}`.\n\n"
+            f"✅ **Allowed approvers:** {approver_list}\n\n"
+            "**Reply with one of the following commands to proceed:**\n"
+            "- `local->aws` → Apply local policy changes to AWS\n"
+            "- `aws->local` → Update local policy file from AWS\n"
+            "- `aws<->local` → Sync both ways (superset, update AWS + local)\n"
+            "- `skip` → Skip this sync"
+        )
 
     issue = repo.create_issue(
         title=title,
         body=body,
         assignees=assignees or []
     )
 
-    #print(f"✅ Created issue #{issue.number} in {repo_full_name}: {issue.html_url}")
     return issue.number, issue.html_url
 
-
-def wait_for_sync_choice(repo_full_name, issue_number, token, allowed_approvers=None):
-    g = Github(token)
-    repo = g.get_repo(repo_full_name)
+def wait_for_sync_choice(repo_full_name, issue_number, token, allowed_approvers=None, approval_anyway=False):
+    """
+    Poll for an approved sync command or forced approval (approve/reject).
+    """
+    gh = Github(token)
+    repo = gh.get_repo(repo_full_name)
     issue = repo.get_issue(number=issue_number)
 
     allowed_approvers = [a.lower() for a in (allowed_approvers or [])]
@@ -45,9 +60,12 @@ def wait_for_sync_choice(repo_full_name, issue_number, token, allowed_approvers=
                 print(f"Ignoring comment from unauthorized user: {commenter}")
                 continue
 
-            if content in ["local->aws", "aws->local", "aws<->local", "skip"]:
-                return content
+            if approval_anyway:
+                if content in ["approve", "reject"]:
+                    return content
+            else:
+                if content in ["local->aws", "aws->local", "aws<->local", "skip"]:
+                    return content
 
         print("Waiting for approval comment...")
         time.sleep(30)
-

devolv/drift/report.py

@@ -3,6 +3,7 @@
 from rich.console import Console
 from rich.text import Text
 import typer
+
 def clean_policy(policy):
     """
     Remove empty statements ({} entries) from the policy's 'Statement' list.
@@ -14,24 +15,26 @@ def clean_policy(policy):
     return policy
 
 def detect_drift(local_doc, aws_doc) -> bool:
-    """Detect removal drift: AWS has permissions missing from local (danger)."""
+    """
+    Detect removal drift:
+    Returns True if AWS has permissions not present in local (local missing permissions).
+    """
     local_statements = {json.dumps(s, sort_keys=True) for s in local_doc.get("Statement", [])}
     aws_statements = {json.dumps(s, sort_keys=True) for s in aws_doc.get("Statement", [])}
 
     missing_in_local = aws_statements - local_statements
 
     if missing_in_local:
         typer.echo("❌ Drift detected: Local is missing permissions present in AWS.")
-        # No need to print each JSON line — rich diff will handle details
         return True
 
     typer.echo("✅ No removal drift detected (local may have extra permissions; that's fine).")
     return False
 
-
 def generate_diff_lines(local_doc: dict, aws_doc: dict):
     """
-    Generate a unified diff between local and AWS policy JSONs.
+    Generate a unified diff between pretty-printed local and AWS policy JSONs.
+    Returns a list of diff lines.
     """
     local_str = json.dumps(clean_policy(local_doc), indent=2, sort_keys=True)
     aws_str = json.dumps(clean_policy(aws_doc), indent=2, sort_keys=True)
@@ -46,7 +49,7 @@ def generate_diff_lines(local_doc: dict, aws_doc: dict):
 
 def print_drift_diff(local_doc: dict, aws_doc: dict):
     """
-    Pretty-print a unified diff using Rich.
+    Pretty-print a unified diff using Rich formatting.
     """
     console = Console()
     diff_lines = generate_diff_lines(local_doc, aws_doc)