Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change iac gen-driftignore to iac update-exclude-policy #3046

Merged
merged 1 commit into from
Mar 29, 2022
Merged

Change iac gen-driftignore to iac update-exclude-policy #3046

merged 1 commit into from
Mar 29, 2022

Conversation

eliecharra
Copy link
Contributor

@eliecharra eliecharra commented Mar 21, 2022
edited
Loading

What does this PR do?

This PR move the responsibility to generate drift exclusion rule from driftctl to snyk CLI.
We are now generating our own rules in the snyk policy file instead of using driftctl to generate a .driftignore
More context about that choice in the Jira ticket.

Where should the reviewer start?

src/cli/commands/update-exclude-policy.ts

How should this be manually tested?

$ cat test/fixtures/iac/drift/analysis.json | bin/snyk iac update-exclude-policy

Ensure your .snyk file is update with those new exclude rules

+exclude:
+  iac-drift:
+    - aws_iam_access_key.AKIA5QYBVVD25KFXJHYJ
+    - aws_iam_user.test-driftctl2
+    - aws_iam_access_key.AKIA5QYBVVD2Y6PBAAPY
+    - aws_s3_bucket_policy.driftctl
+    - aws_s3_bucket_notification.driftctl

Any background context you want to provide?

The exclude logic is based on this code from driftctl

Changes in help files are just FYI here, changes are in a draft PR in gitbook

What are the relevant tickets?

https://snyksec.atlassian.net/browse/CFG-1669

Screenshots

Additional questions

@github-actions
Copy link
Contributor

github-actions bot commented Mar 21, 2022
edited
Loading

Warnings
⚠️

Please make changes to snyk help text in Gitbook. Changes will be automatically synchronised to Snyk CLI as a scheduled PR.
For more information, see: help/README.md.

Generated by 🚫 dangerJS against 9ac4cf1

@eliecharra eliecharra changed the title feat: change gen-driftignore behavior Change iac gen-driftignore to iac update-exclude-policy Mar 23, 2022
@ghost
Copy link

ghost commented Mar 23, 2022

This PR modifies files linked to issues tracked in Stepsize. You might want to review their status, priority, and scope.

We are losing types because of hotloading components in a JS file
  • src/cli/commands/index.js

Mention [stepsize] in a comment if you'd like to report some technical debt. See examples here.

@eliecharra eliecharra marked this pull request as ready for review March 24, 2022 14:13
@eliecharra eliecharra requested review from a team as code owners March 24, 2022 14:13
@eliecharra eliecharra requested a review from craigfurman March 24, 2022 14:16
craigfurman
craigfurman reviewed Mar 24, 2022
View reviewed changes
Copy link

@craigfurman craigfurman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good! This works in the case where there is already a .snyk file present, but errors with ENOENT when it does not. snyk ignore doesn't have this problem. We might want to touch the file first (unconditionally, idempotently).

Also, I noticed some stderr output from driftctl: "Hint: use gen-driftignore command to generate a .driftignore file based on your drifts". We might want to suppress / manipulate this before printing it for the user, to use this new command. WDYT?

help/cli-commands/iac-update-exclude-policy.md Outdated Show resolved Hide resolved
src/cli/commands/update-exclude-policy.ts Show resolved Hide resolved
aron
aron approved these changes Mar 25, 2022
View reviewed changes
Copy link
Contributor

@aron aron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 looks good to me.

help/cli-commands/iac-update-exclude-policy.md Show resolved Hide resolved
test/jest/acceptance/iac/gen-driftignore.spec.ts Show resolved Hide resolved
@eliecharra
Copy link
Contributor Author

Looking good! This works in the case where there is already a .snyk file present, but errors with ENOENT when it does not. snyk ignore doesn't have this problem. We might want to touch the file first (unconditionally, idempotently).

Fixed, I used the same logic than the ignore cmd.
2022-03-28_11-32

Also, I noticed some stderr output from driftctl: "Hint: use gen-driftignore command to generate a .driftignore file based on your drifts". We might want to suppress / manipulate this before printing it for the user, to use this new command. WDYT?

Yeah we can probably either remove that sentence from the engine, or check if we are wrapped in the snyk CLI and hide it only in that case.
I'm not sure that the second approach (basically doing if (isWrappedBySnyk) { ... }) is really something that we want.
I'm afraid that starting doing that will lead us to have a ton of if snyk statements everywhere in the engine, and that will finally bloat it a lot WDYT @craigfurman ? 🤔

@eliecharra eliecharra requested a review from craigfurman March 28, 2022 09:46
@aron
Copy link
Contributor

aron commented Mar 28, 2022

Yeah we can probably either remove that sentence from the engine, or check if we are wrapped in the snyk CLI and hide it only in that case.

Definitely agree with avoiding having anything snyk specific in the drift codebase. My understanding is that we want to aim for the drift -> snyk communication to be essentially machine to machine right? So perhaps we just need a flag or an environment variable to suppress "user info" output or help text.

craigfurman
craigfurman approved these changes Mar 28, 2022
View reviewed changes
Copy link

@craigfurman craigfurman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🥳

Yeah we can probably either remove that sentence from the engine

If that's an option, then I reckon we should do it. Less noise and all...

I'm not sure that the second approach (basically doing if (isWrappedBySnyk) { ... }) is really something that we want

IMO that's definitely not something we want, but it also isn't what I was suggesting! I was suggesting doing string replacement in this CLI on the stderr that it receives from driftctl. But if removing the message is an option, I prefer that one.

@eliecharra
feat: rename iac gen-driftignore to iac-update-exclude-policy
9ac4cf1 
This commit rename the existing `iac gen-driftignore` command and also change its
behavior. We are now generating our own exclude logic from the snyk CLI instead of
calling driftctl binary to update the `.driftignore`.
@eliecharra
Copy link
Contributor Author

If that's an option, then I reckon we should do it. Less noise and all...

Done here snyk/driftctl#1449
Let's discuss on this other PR if we want to wrap that in the --quiet flag or not

@eliecharra eliecharra merged commit 9c44e4d into master Mar 29, 2022
@eliecharra eliecharra deleted the feat/drift-exclude branch March 29, 2022 11:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aron aron aron approved these changes

@Avishagp Avishagp Avishagp approved these changes

@craigfurman craigfurman craigfurman approved these changes

@muscar muscar Awaiting requested review from muscar muscar was automatically assigned from snyk/snyk-open-source

@anthogez anthogez Awaiting requested review from anthogez anthogez was automatically assigned from snyk/snyk-open-source

@mika-bar mika-bar Awaiting requested review from mika-bar mika-bar was automatically assigned from snyk/snyk-open-source

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@eliecharra @aron @craigfurman @Avishagp