feat: remove deprecated managed IaC drift detection (#4908)

* feat: remove deprecated managed IaC drift detection

managed drift detection has been deprecated with e6ad44a
and is now being removed after a 90-day period.

* fix: linting issues

* fix: iac update-exclude-policy acceptance test

* feat: fail `iac describe` when `--only-managed` flag provided

* feat: upgrade iac describe to driftctl 0.40.0

* chore: ignore false-positive secret leaks from test fixtures

* chore: add gitleaks ignore line after rebase

.gitleaksignore

@@ -79,3 +79,6 @@ cba65a3a91c64db2ee92c87e5972602b6c959586:test/fixtures/sast/sample-analyze-folde
 c2de35484dcad696a6ee32f2fa317d5cfaffc133:test/fixtures/code/sample-analyze-folders-response.json:generic-api-key:3
 668e99c11a12699d9b1aca20cf48e1969055acf5:test/fixtures/sast/sample-analyze-scm-project-response.json:generic-api-key:4
 0fb9746f823f48b2802269569e8575f4dfd3d95d:help/cli-commands/iac-test.md:snyk-api-token:219
+168e6f2b48bc294e558d648626a1e00ccd85decc:test/jest/unit/lib/iac/drift/fixtures/all.console:aws-access-token:98
+4c12242de73be79ebd768468e065790f0b9d23a7:test/jest/unit/lib/iac/drift/fixtures/all.console:aws-access-token:98
+25f37b4c609380452b0b96c3853b69e4dc29bb48:test/jest/unit/lib/iac/drift/fixtures/all.console:aws-access-token:98

package.json

@@ -84,7 +84,6 @@
     "glob": "^7.1.7",
     "global-agent": "^2.1.12",
     "jest-json-schema": "^6.1.0",
-    "jsondiffpatch": "^0.4.1",
     "lodash.assign": "^4.2.0",
     "lodash.camelcase": "^4.3.0",
     "lodash.capitalize": "^4.2.1",

src/cli/commands/describe.ts

@@ -6,16 +6,26 @@ import {
   parseDriftAnalysisResults,
   processAnalysis,
 } from '../../lib/iac/drift';
+import { CustomError } from '../../lib/errors';
 import { getIacOrgSettings } from './test/iac/local-execution/org-settings/get-iac-org-settings';
 import { UnsupportedEntitlementCommandError } from './test/iac/local-execution/assert-iac-options-flag';
 import config from '../../lib/config';
 import { addIacDriftAnalytics } from './test/iac/local-execution/analytics';
 import * as analytics from '../../lib/analytics';
 import { findAndLoadPolicy } from '../../lib/policy';
-import { DescribeRequiredArgumentError } from '../../lib/errors/describe-required-argument-error';
-import help from './help';
 import { DCTL_EXIT_CODES, runDriftCTL } from '../../lib/iac/drift/driftctl';
+import { IaCErrorCodes } from './test/iac/local-execution/types';
+import { getErrorStringCode } from './test/iac/local-execution/error-utils';
 
+export class FlagError extends CustomError {
+  constructor(flag: string) {
+    const msg = `Unsupported flag "${flag}" provided. Run snyk iac describe --help for supported flags`;
+    super(msg);
+    this.code = IaCErrorCodes.FlagError;
+    this.strCode = getErrorStringCode(this.code);
+    this.userMessage = msg;
+  }
+}
 export default async (...args: MethodArgs): Promise<any> => {
   const { options } = processCommandArgs(...args);
 
@@ -25,6 +35,10 @@ export default async (...args: MethodArgs): Promise<any> => {
     return legacyError('describe');
   }
 
+  if (options['only-managed']) {
+    return Promise.reject(new FlagError('only-managed'));
+  }
+
   // Ensure that we are allowed to run that command
   // by checking the entitlement
   const orgPublicId = options.org ?? config.org;
@@ -57,11 +71,6 @@ export default async (...args: MethodArgs): Promise<any> => {
     const output = await processAnalysis(options, describe);
     process.stdout.write(output);
   } catch (e) {
-    if (e instanceof DescribeRequiredArgumentError) {
-      // when missing a required arg we will display help to explain
-      const helpMsg = await help('iac', 'describe');
-      console.log(helpMsg);
-    }
     return Promise.reject(e);
   }
 };

src/cli/commands/test/iac/local-execution/analytics.ts

@@ -91,7 +91,6 @@ export function addIacDriftAnalytics(
   analytics.add('iac-drift-total-unmanaged', analysis.summary.total_unmanaged);
   analytics.add('iac-drift-total-managed', analysis.summary.total_managed);
   analytics.add('iac-drift-total-missing', analysis.summary.total_missing);
-  analytics.add('iac-drift-total-changed', analysis.summary.total_changed);
   analytics.add(
     'iac-drift-iac-source-count',
     analysis.summary.total_iac_source_count,

src/lib/iac/drift.ts

@@ -3,61 +3,14 @@ import {
   DescribeOptions,
   DriftAnalysis,
   DriftctlExecutionResult,
-  DriftCTLOptions,
   GenDriftIgnoreOptions,
 } from './types';
 import { Policy } from '../policy/find-and-load-policy';
-import { DescribeExclusiveArgumentError } from '../errors/describe-exclusive-argument-error';
-import { DescribeRequiredArgumentError } from '../errors/describe-required-argument-error';
 import snykLogoSVG from './assets/snyk-logo';
 import snykFaviconBase64 from './assets/snyk-favicon';
 import { getHumanReadableAnalysis } from './drift/output';
 import { runDriftCTL } from './drift/driftctl';
 
-export const DescribeExclusiveArgs = [
-  'all',
-  'only-managed',
-  'drift',
-  'only-unmanaged',
-];
-
-export const DescribeRequiredArgs = [
-  'all',
-  'only-managed',
-  'drift',
-  'only-unmanaged',
-];
-
-export const validateArgs = (options: DriftCTLOptions): void => {
-  if (options.kind === 'describe') {
-    return validateDescribeArgs(options as DescribeOptions);
-  }
-};
-
-const validateDescribeArgs = (options: DescribeOptions): void => {
-  // Check that there is no more than one of the exclusive arguments
-  let count = 0;
-  for (const describeExclusiveArg of DescribeExclusiveArgs) {
-    if (options[describeExclusiveArg]) {
-      count++;
-    }
-  }
-  if (count > 1) {
-    throw new DescribeExclusiveArgumentError();
-  }
-
-  // Check we have one of the required arguments
-  count = 0;
-  for (const describeRequiredArgs of DescribeRequiredArgs) {
-    if (options[describeRequiredArgs]) {
-      count++;
-    }
-  }
-  if (count === 0) {
-    throw new DescribeRequiredArgumentError();
-  }
-};
-
 export const parseDriftAnalysisResults = (input: string): DriftAnalysis => {
   return JSON.parse(input) as DriftAnalysis;
 };
@@ -78,10 +31,6 @@ export const updateExcludeInPolicy = (
   const excludedResources = driftignoreFromPolicy(policy);
   const addResource = (res) => excludedResources.push(`${res.type}.${res.id}`);
 
-  if (!options['exclude-changed'] && analysis.summary.total_changed > 0) {
-    analysis.differences?.forEach((change) => addResource(change.res));
-  }
-
   if (!options['exclude-missing'] && analysis.summary.total_missing > 0) {
     analysis.missing?.forEach((res) => addResource(res));
   }

src/lib/iac/drift/driftctl.ts

@@ -14,7 +14,6 @@ import {
   createIgnorePattern,
   verifyServiceMappingExists,
 } from '../service-mappings';
-import { validateArgs } from '../drift';
 import * as debugLib from 'debug';
 import { makeRequest } from '../../request';
 import * as child_process from 'child_process';
@@ -36,29 +35,29 @@ export const DCTL_EXIT_CODES = {
   EXIT_ERROR: 2,
 };
 
-export const driftctlVersion = 'v0.36.0';
+export const driftctlVersion = 'v0.40.0';
 
 const driftctlChecksums = {
   driftctl_darwin_amd64:
-    'c9b44613694931d5033d16cf6396c2611d115f3c6971c8215c04b6ce321e9bb5',
+    '4eb86bd4a1e965c2552879795434143f1db974b2d795581b9ddb69d0bd8a245a',
   'driftctl_windows_386.exe':
-    'e37505fa9875b3d3c29fdfffebbe03f60154aae3e8d7057cad469dfceec47151',
+    'a02f079cb128ba46396db9654bc8bb8066ebde0539ebbeb401a40a81dfc8f733',
   driftctl_darwin_arm64:
-    'a18cb7039bf67bf0addf628887cfd12488895492d7e0c3a31a0a51005bc0d583',
+    'dfdee8138eb817cc066b8bf915c808fbd53536ee1757b34ca6e518e1c2ad1ba5',
   driftctl_linux_arm64:
-    '6dcc235d511546cc3573f5a7b3fc2a825a4dff7e08df481a55f5826ac6802059',
+    '8816f1378138c2ce585c762e109b5fdd41b7144b915e97759ceae946db023540',
   'driftctl_windows_arm.exe':
-    'c7bf2d1f268a5c4b6985d02a0d2e98ecf43ef5bc4de14360568f0233e206e471',
+    '6217151b4168e93ffdd6e005cb1cf03768f371cd6b412f53605fde46343c08d1',
   driftctl_linux_amd64:
-    'f2b388a6f92772e35320cb2240b68dab2c62c87d4a84ffc88bb42020cb0ab805',
+    '84e2462454956a4df794a24e0f4d2351299212d772b8602fc5070e6174ac1324',
   'driftctl_windows_amd64.exe':
-    '696e067ee37c156b175c51e55481e823fb8601c8d69133cb12ba8a3f2e22aa68',
+    '1561fd04e3d428c39ae95f81214517bbf62e8333156bf538a2d385005e350c8b',
   'driftctl_windows_arm64.exe':
-    '5531adc30e0d1431b692062bbc7c91536d86f5f5d212a5bd3083fec6007f0be5',
+    '76f939d836da64fa9dab63f0eeffd09a0de7e353b034296b8f1582cdff6f2a61',
   driftctl_linux_arm:
-    'c6bcd8987f633d310b9872c5635112d8fd479f4117518aa4864fa38874c7869e',
+    '7f669ca49e152779a09587ff0e58dedd3996229cc8ff3e5cdc371895eaa994f6',
   driftctl_linux_386:
-    '864ff0810466ed2917b3347866b5da80fae43e2487b18a563f1d7f299e5f1518',
+    'e6bbdf341148e81511d30dd5afe2fa2ef08f3b0b75079bf0bde2b790d75beb8a',
 };
 
 const dctlBaseUrl = 'https://static.snyk.io/cli/driftctl/';
@@ -150,14 +149,6 @@ const generateScanFlags = async (
     args.push('--strict');
   }
 
-  if (options.deep || options.all) {
-    args.push('--deep');
-  }
-
-  if (options['only-managed'] || options.drift) {
-    args.push('--only-managed');
-  }
-
   if (options['only-unmanaged']) {
     args.push('--only-unmanaged');
   }
@@ -238,24 +229,6 @@ export const runDriftCTL = async ({
   stdio?: StdioOptions;
 }): Promise<DriftctlExecutionResult> => {
   const path = await findOrDownload();
-  await validateArgs(options);
-
-  if (options.kind === 'describe') {
-    const descOptions = options as DescribeOptions;
-
-    if (
-      descOptions.deep ||
-      descOptions.all ||
-      descOptions['only-managed'] ||
-      descOptions.drift
-    ) {
-      process.stderr.write(
-        `DEPRECATION NOTICE: Drift detection of managed resources,\n` +
-          `including --only-managed and --drift has been deprecated.\n` +
-          `The end-of-life date for drift detection of managed resources is September 30. 2023.\n\n`,
-      );
-    }
-  }
 
   const args = await generateArgs(options, driftIgnore);