Introducing Context Management for Analysis and reporting (#6)

* adding more testing and policy preparation

* Introducing more unit tests and documentation updates

* Fix CI build

* Fix CI build

Author: rafaelherik

.github/workflows/ci.yaml

@@ -20,18 +20,17 @@ jobs:
       uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
-
+  
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install flake8 pytest pytest-cov
-        pip install -e .
-
-    - name: Run tests with pytest
-      run: |
-        pytest --cov=tfsumpy --cov-report=xml
+        pip install poetry twine
+        poetry install --with dev
+        
+    - name: Run tests
+      run: poetry run pytest
+        
+    - name: Build package
+      run: poetry build
 
-    - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@v4
-      env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+    

.github/workflows/release.yml

@@ -22,14 +22,14 @@ jobs:
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install build twine wheel
-        pip install -e ".[dev]"
+        pip install poetry twine
+        poetry install --with dev
         
     - name: Run tests
-      run: pytest
+      run: poetry run pytest
 
     - name: Build package
-      run: python -m build
+      run: poetry build
 
     - name: Get version from tag
       id: get_version

README.md

@@ -11,172 +11,172 @@ TFSumPy is a Python-based tool that analyzes Terraform plan files to provide a c
 
 ## Features
 
-- 🔍 Analyzes Terraform plan JSON output
-- ⚠️ Identifies high-risk changes (deletions of critical resources, security group modifications)
-- 🔒 Automatically redacts sensitive information (credentials, IPs, resource names)
-- 📊 Provides clear summary statistics
-- 🛡️ Supports Terraform 1.0+ plan formats
-- 📂 Module-aware resource grouping
+- 🔍 Detailed plan analysis with change breakdown
+- 📊 Clear summary statistics for resource changes
+- 🔒 Automatic sensitive information redaction
+- 🛡️ Risk assessment for infrastructure changes
+- 📋 Policy compliance checking
+- 🎨 Color-coded output for better readability
 - 🔄 Detailed attribute change tracking
 
 ## Installation
 
-Currently, TFSumPy can only be installed from source:
+Install using pip:
+```bash
+    pip install tfsumpy
+```
+Or install from source:
+```bash
+    git clone https://github.com/rafaelherik/tfsumpy.git
+    cd tfsumpy
+    pip install .
+```
+## Usage
 
+### Basic Usage
+
+1. Generate a Terraform plan JSON file:
 ```bash
-git clone https://github.com/rafaelherik/tfsumpy.git
-cd tfsumpy
-pip install .
+    terraform plan -out=tfplan
+    terraform show -json tfplan > plan.json
 ```
 
-## Usage
+2. Analyze the plan:
 
-First, generate a Terraform plan JSON file:
+Basic summary:
+```bash
+    tfsumpy plan.json
+```
 
+Show detailed changes:
 ```bash
-terraform plan -out=tfplan
-terraform show -json tfplan > plan.json
+    tfsumpy plan.json --changes
 ```
 
-Then analyze the plan using TFSumPy:
+Show resource details:
+```bash
+    tfsumpy plan.json --details
+```
 
+Enable risk assessment:
 ```bash
-# Basic usage
-tfsumpy plan.json
+    tfsumpy plan.json --risks
+```
 
-# Show resources grouped by module
-tfsumpy plan.json --show-module
+Enable policy compliance check:
+```bash
+    tfsumpy plan.json --policies
+```
 
-# Show detailed attribute changes
-tfsumpy plan.json --show-changes
+### Example Output
 
-# Using custom rules configuration
-tfsumpy plan.json --config rules_config.json
+```bash
+    Terraform Plan Analysis
+    ======================
+    Total Changes: 3
+    Create: 1
+    Update: 1
+    Delete: 1
+
+    Resource Changes:
+    CREATE aws_s3_bucket: data_bucket
+      + bucket = "new-bucket"
+
+    UPDATE aws_instance: web_server
+      ~ instance_type = t2.micro -> t2.small
+
+    DELETE aws_security_group: old_sg
+      - name = "old-sg"
+```
+### Advanced Features
 
-# Enable debug logging
-tfsumpy plan.json --debug
+1. Risk Assessment:
 
-# Show only specific sections
-tfsumpy plan.json --risks --details
+```bash
+    tfsumpy plan.json --risks
 ```
 
-### Command Line Options
+This will show:
+- High and medium risk changes
+- Impact assessment
+- Mitigation suggestions
+
+2. Policy Compliance:
 
-- `--show-module`: Group resources by their Terraform module
-- `--show-changes`: Display detailed attribute changes for resources
-- `--risks`: Show only the risk assessment section
-- `--details`: Show only the resource details section
-- `--debug`: Enable debug logging
-- `--config`: Specify a custom rules configuration file
+```bash
+    tfsumpy plan.json --policies
+```
 
-### Custom Rules Configuration
+Checks resources against:
+- Security best practices
+- Compliance requirements
+- Custom policy rules
 
-You can customize the analysis rules by creating a JSON configuration file. Here's an example structure:
+3. Detailed Analysis:
+
+```bash
+    tfsumpy plan.json --changes --details --risks
+```
+
+### Configuration
+
+Create a custom configuration file (config.json):
 
 ```json
-{
-  "sensitive_patterns": [
     {
-      "pattern": "\\bAKIA[0-9A-Z]{16}\\b",
-      "replacement": "[AWS-KEY-REDACTED]"
-    },
-    {
-      "pattern": "\\b(password|secret|token)\\b[\"']?:?[\\s\"']+[^\\s\"']+",
-      "replacement": "[SECRET-REDACTED]"
-    }
-  ],
-  "risk_rules": {
-    "high": [
-      {
-        "pattern": "\\bdelete\\b.*\\b(database|storage)\\b",
-        "message": "High risk: Critical storage resource deletion detected"
-      }
-    ],
-    "medium": [
-      {
-        "pattern": "\\bcreate\\b.*\\b(bucket|storage)\\b.*public:\\s*true",
-        "message": "Medium risk: Public storage resource being created"
+      "sensitive_patterns": [
+        {
+          "pattern": "\\b(?:password|secret|key)\\b",
+          "replacement": "[REDACTED]"
+        }
+      ],
+      "risk_rules": {
+        "high": [
+          {
+            "pattern": "\\bdelete\\b.*\\b(database|storage)\\b",
+            "message": "Critical resource deletion"
+          }
+        ]
       }
-    ]
-  }
-}
+    }
 ```
 
-The configuration file allows you to define:
-- `sensitive_patterns`: Regular expressions to identify and redact sensitive information
-- `risk_rules`: Patterns to identify high and medium risk changes
-
-## Example Output
+Use the configuration:
 
-### Default Output (without --show-module)
-```
-Infrastructure Change Analysis
-==============================
-Total Changes: 5
-Create: 2
-Update: 2
-Delete: 1
-
-Risk Assessment:
-High Risks:
-- High risk: Security-related configuration change
-Medium Risks:
-- Medium risk: Version change could cause compatibility issues
-
-Resource Details:
-CREATE aws_s3_bucket: project-storage-[REDACTED]
-UPDATE aws_security_group: app-sg-[REDACTED]
-  ~ ingress = [] -> [{port = 443}]
-UPDATE aws_ecs_service: api-service
-DELETE aws_iam_role: legacy-role
-CREATE aws_lambda_function: processor-function
+```bash
+    tfsumpy plan.json --config config.json
 ```
 
-### With Module Grouping (--show-module)
-```
-Infrastructure Change Analysis
-==============================
-Total Changes: 5
-Create: 2
-Update: 2
-Delete: 1
-
-Changes by Module:
-root:
-  Create: 1
-  Update: 1
-module.storage:
-  Create: 1
-  Update: 1
-  Delete: 1
-
-Risk Assessment:
-High Risks:
-- High risk: Security-related configuration change
-Medium Risks:
-- Medium risk: Version change could cause compatibility issues
-
-Resource Details:
-Module: root
-  CREATE aws_s3_bucket: project-storage-[REDACTED]
-  UPDATE aws_security_group: app-sg-[REDACTED]
-    ~ ingress = [] -> [{port = 443}]
-
-Module: module.storage
-  UPDATE aws_ecs_service: api-service
-  DELETE aws_iam_role: legacy-role
-  CREATE aws_lambda_function: processor-function
+### Debug Mode
+
+For troubleshooting or detailed logging:
+
+```bash
+    tfsumpy plan.json --debug
 ```
 
+This will:
+- Enable verbose logging
+- Show detailed error messages
+- Display analysis process information
+
 ## Requirements
 
 - Python 3.10 or higher
-- Terraform 1.0 or higher (for plan generation)
+- Terraform 1.0 or higher
 
 ## Contributing
 
-Contributions are welcome! Please feel free to submit a Pull Request. Visit our [GitHub repository](https://github.com/rafaelherik/tfsumpy) for more information.
+Contributions are welcome! Please feel free to submit a Pull Request. For major changes:
+
+1. Fork the repository
+2. Create your feature branch (`git checkout -b feature/AmazingFeature`)
+3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)
+4. Push to the branch (`git push origin feature/AmazingFeature`)
+5. Open a Pull Request
+
+Please make sure to update tests as appropriate.
 
 ## License
 
-This project is licensed under the MIT License - see the LICENSE file for details.
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

docs/DEFAULT_POLICIES.md

@@ -0,0 +1,23 @@
+# TFSumPy Default Policies
+
+This document lists all default policies included with TFSumPy, organized by cloud provider.
+
+## AWS Policies
+
+### S3 Bucket Policies
+
+#### AWS_S3_VERSIONING
+- **Severity**: High
+- **Description**: Ensure S3 buckets have versioning enabled
+- **Resource Type**: aws_s3_bucket
+- **Condition**: Check if versioning is enabled
+- **Remediation**: Enable versioning on the S3 bucket using versioning configuration block
+
+#### AWS_S3_ENCRYPTION
+- **Severity**: High
+- **Description**: Ensure S3 buckets have encryption enabled
+- **Resource Type**: aws_s3_bucket
+- **Condition**: Check if server-side encryption is configured
+- **Remediation**: Configure server-side encryption using server_side_encryption_configuration block
+
+[Note: This file should be expanded with all default policies from the policies/*.yaml files]