π InvenTag State Management
InvenTag's state management system provides comprehensive tracking of AWS resource inventory changes over time, enabling organizations to maintain audit trails, detect infrastructure drift, and generate professional change reports.
π Overviewβ
The state management system consists of three core components:
- StateManager: Persistent storage and versioning of inventory states
- DeltaDetector: Advanced change detection and analysis
- ChangelogGenerator: Professional change documentation and reporting
ποΈ Architectureβ
βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ
β StateManager β β DeltaDetector β βChangelogGeneratorβ
β β β β β β
β β’ State Storage βββββΆβ β’ Change DetectionβββββΆβ β’ Markdown Reportsβ
β β’ Versioning β β β’ Impact Analysis β β β’ HTML Reports β
β β’ Metadata β β β’ Categorization β β β’ Executive Summaryβ
β β’ Retention β β β’ Severity Rating β β β’ Audit Trails β
βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ
π StateManagerβ
Core Featuresβ
- Persistent Storage: JSON-based state files with comprehensive metadata
- Versioning: Timestamp-based state identification with collision handling
- Retention Policies: Configurable cleanup by age and count limits
- Data Integrity: Checksum validation and corruption detection
- Export Capabilities: JSON, YAML, CSV export for CI/CD integration
Basic Usageβ
from inventag.state import StateManager
# Initialize with custom configuration
state_manager = StateManager(
state_dir="inventory_states",
retention_days=30,
max_snapshots=100
)
# Save current state
state_id = state_manager.save_state(
resources=discovered_resources,
account_id="123456789012",
regions=["us-east-1", "us-west-2"],
discovery_method="comprehensive",
compliance_data=compliance_results,
network_analysis=network_data,
security_analysis=security_data,
tags={"environment": "production", "purpose": "audit"}
)
# Load specific state
snapshot = state_manager.load_state(state_id)
# Load most recent state
latest_snapshot = state_manager.load_state()
# List available states
states = state_manager.list_states(limit=10)
Advanced Featuresβ
State Comparisonβ
# Get comparison data for delta analysis
comparison = state_manager.get_state_comparison_data(
state_id1="20231201_120000",
state_id2="20231201_130000"
)
Export and Integrationβ
# Export for CI/CD integration
exported_file = state_manager.export_state(
state_id="20231201_120000",
export_format="json",
output_file="state_export.json",
include_metadata=True
)
# Export to different formats
state_manager.export_state(state_id, export_format="yaml")
state_manager.export_state(state_id, export_format="csv")
Storage Managementβ
# Get storage statistics
stats = state_manager.get_storage_stats()
print(f"Total states: {stats['total_states']}")
print(f"Storage size: {stats['total_size_mb']} MB")
# Validate state integrity
validation = state_manager.validate_state_integrity()
print(f"Valid states: {len(validation['valid_states'])}")
print(f"Corrupted states: {len(validation['invalid_states'])}")
π DeltaDetectorβ
Core Featuresβ
- Comprehensive Change Detection: Added, removed, and modified resources
- Attribute-Level Analysis: Detailed tracking of individual attribute changes
- Change Categorization: Security, network, compliance, configuration changes
- Severity Assessment: Critical, high, medium, low severity ratings
- Impact Analysis: Security and network impact assessment
- Relationship Mapping: Dependency analysis and cascade risk detection
Basic Usageβ
from inventag.state import DeltaDetector
# Initialize detector
detector = DeltaDetector()
# Detect changes between states
delta_report = detector.detect_changes(
old_resources=previous_resources,
new_resources=current_resources,
state1_id="20231201_120000",
state2_id="20231201_130000"
)
# Access change summary
summary = delta_report.summary
print(f"Total changes: {summary['total_changes']}")
print(f"Added: {summary['added_count']}")
print(f"Removed: {summary['removed_count']}")
print(f"Modified: {summary['modified_count']}")
Advanced Analysisβ
Change Categoriesβ
# Analyze by change category
for resource in delta_report.modified_resources:
for change in resource.attribute_changes:
print(f"{change.attribute_path}: {change.category.value}")
print(f" Severity: {change.severity.value}")
print(f" Description: {change.description}")
Security Impact Assessmentβ
# Review security changes
security_changes = delta_report.security_changes
print(f"Total security changes: {security_changes['total_security_changes']}")
print(f"High risk resources: {len(security_changes['high_risk_resources'])}")
for resource_arn in security_changes['high_risk_resources']:
print(f"High risk: {resource_arn}")
Compliance Analysisβ
# Analyze compliance trends
compliance = delta_report.compliance_changes
old_compliance = compliance['old_compliance_stats']['compliance_percentage']
new_compliance = compliance['new_compliance_stats']['compliance_percentage']
trend = compliance['compliance_trend']['compliance_percentage_change']
print(f"Compliance change: {old_compliance}% β {new_compliance}% ({trend:+.1f}%)")
Custom Configurationβ
# Initialize with custom rules
detector = DeltaDetector(
ignore_metadata_fields=['custom_field', 'timestamp'],
severity_rules={
'custom_attribute': ChangeSeverity.CRITICAL,
'internal_id': ChangeSeverity.LOW
}
)
π ChangelogGeneratorβ
Core Featuresβ
- Multiple Formats: Markdown, HTML, JSON output formats
- Executive Summaries: High-level change overviews for management
- Detailed Analysis: Comprehensive change documentation
- Customizable Templates: Flexible formatting and styling
- Audit Trail Generation: Compliance-ready documentation
Basic Usageβ
from inventag.state import ChangelogGenerator
# Initialize generator
generator = ChangelogGenerator()
# Generate comprehensive changelog
changelog = generator.generate_changelog(
delta_report=delta_report,
format='markdown',
include_details=True,
include_executive_summary=True
)
# Export changelog
generator.export_changelog(changelog, 'infrastructure_changes.md')
Advanced Featuresβ
Custom Templatesβ
# Generate with custom template
changelog = generator.generate_changelog(
delta_report=delta_report,
format='html',
template_path='custom_template.html',
include_details=True
)
Executive Reportingβ
# Generate executive summary only
executive_summary = generator.generate_executive_summary(delta_report)
generator.export_changelog(executive_summary, 'executive_summary.md')
Audit Trail Generationβ
# Generate audit-ready documentation
audit_report = generator.generate_audit_report(
delta_report=delta_report,
compliance_context=True,
security_focus=True
)
π§ Integration Patternsβ
CI/CD Pipeline Integrationβ
# GitHub Actions example
name: Infrastructure Change Detection
on:
schedule:
- cron: '0 6 * * *' # Daily at 6 AM
jobs:
change-detection:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v4
with:
python-version: '3.10'
- name: Install dependencies
run: pip install -r requirements.txt
- name: Run change detection
run: |
python -c "
from inventag import AWSResourceInventory
from inventag.state import StateManager, DeltaDetector, ChangelogGenerator
# Discover current resources
inventory = AWSResourceInventory()
current_resources = inventory.discover_resources()
# Initialize state management
state_manager = StateManager(state_dir='states')
# Save current state
current_state_id = state_manager.save_state(
resources=current_resources,
account_id='${{ secrets.AWS_ACCOUNT_ID }}',
regions=['us-east-1', 'us-west-2'],
tags={'ci': 'github-actions', 'purpose': 'change-detection'}
)
# Get previous state for comparison
states = state_manager.list_states(limit=2)
if len(states) >= 2:
comparison = state_manager.get_state_comparison_data(
states[1]['state_id'], states[0]['state_id']
)
# Detect changes
detector = DeltaDetector()
delta_report = detector.detect_changes(
old_resources=comparison['state1']['resources'],
new_resources=comparison['state2']['resources'],
state1_id=states[1]['state_id'],
state2_id=states[0]['state_id']
)
# Generate changelog if changes detected
if delta_report.summary['total_changes'] > 0:
generator = ChangelogGenerator()
changelog = generator.generate_changelog(
delta_report=delta_report,
format='markdown',
include_details=True
)
generator.export_changelog(changelog, 'daily_changes.md')
# Create GitHub issue for significant changes
if delta_report.summary['total_changes'] > 10:
print('SIGNIFICANT_CHANGES_DETECTED')
"
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- name: Create issue for significant changes
if: contains(steps.change-detection.outputs.stdout, 'SIGNIFICANT_CHANGES_DETECTED')
uses: actions/github-script@v6
with:
script: |
github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: 'Significant Infrastructure Changes Detected',
body: 'Automated change detection found significant infrastructure changes. Please review the daily_changes.md file.',
labels: ['infrastructure', 'alert']
})
Lambda Function Integrationβ
import json
import boto3
from inventag.state import StateManager, DeltaDetector, ChangelogGenerator
from inventag import AWSResourceInventory
def lambda_handler(event, context):
"""
AWS Lambda function for automated change detection
"""
try:
# Initialize components
inventory = AWSResourceInventory()
state_manager = StateManager(state_dir='/tmp/states')
detector = DeltaDetector()
# Discover current resources
current_resources = inventory.discover_resources()
# Save current state
current_state_id = state_manager.save_state(
resources=current_resources,
account_id=context.invoked_function_arn.split(':')[4],
regions=['us-east-1', 'us-west-2'],
tags={'source': 'lambda', 'function': context.function_name}
)
# Compare with previous state
states = state_manager.list_states(limit=2)
if len(states) >= 2:
comparison = state_manager.get_state_comparison_data(
states[1]['state_id'], states[0]['state_id']
)
delta_report = detector.detect_changes(
old_resources=comparison['state1']['resources'],
new_resources=comparison['state2']['resources'],
state1_id=states[1]['state_id'],
state2_id=states[0]['state_id']
)
# Upload results to S3 if changes detected
if delta_report.summary['total_changes'] > 0:
s3 = boto3.client('s3')
# Generate and upload changelog
generator = ChangelogGenerator()
changelog = generator.generate_changelog(
delta_report=delta_report,
format='markdown',
include_details=True
)
s3.put_object(
Bucket=os.environ['REPORTS_BUCKET'],
Key=f"changes/{current_state_id}_changes.md",
Body=changelog.encode('utf-8'),
ContentType='text/markdown'
)
# Send SNS notification for critical changes
critical_changes = [
r for r in delta_report.added_resources + delta_report.removed_resources + delta_report.modified_resources
if r.severity.value == 'critical'
]
if critical_changes:
sns = boto3.client('sns')
sns.publish(
TopicArn=os.environ['ALERT_TOPIC'],
Subject='Critical Infrastructure Changes Detected',
Message=f'Detected {len(critical_changes)} critical changes. Review report at s3://{os.environ["REPORTS_BUCKET"]}/changes/{current_state_id}_changes.md'
)
return {
'statusCode': 200,
'body': json.dumps({
'state_id': current_state_id,
'resources_count': len(current_resources),
'changes_detected': delta_report.summary['total_changes'] if 'delta_report' in locals() else 0
})
}
except Exception as e:
print(f"Error: {str(e)}")
return {
'statusCode': 500,
'body': json.dumps({'error': str(e)})
}
π Best Practicesβ
State Managementβ
- Regular Snapshots: Take daily snapshots for trend analysis
- Meaningful Tags: Use descriptive tags for state identification
- Retention Policies: Configure appropriate retention based on compliance needs
- Storage Monitoring: Monitor storage usage and implement cleanup policies
Change Detectionβ
- Baseline Establishment: Create initial baseline states for comparison
- Threshold Configuration: Set appropriate change thresholds for alerting
- Category Focus: Focus on security and compliance changes for critical alerts
- Regular Review: Establish processes for reviewing and acting on changes
Changelog Generationβ
- Audience-Appropriate: Generate different reports for different audiences
- Regular Distribution: Establish regular changelog distribution schedules
- Action Items: Include clear action items and recommendations
- Archive Management: Maintain historical changelog archives
π Security Considerationsβ
- Read-Only Operations: State management uses only read-only AWS operations
- Data Encryption: Consider encrypting state files for sensitive environments
- Access Control: Implement appropriate file system permissions
- Audit Logging: Enable logging for state management operations
- Credential Management: Use IAM roles and temporary credentials where possible
π¨ Troubleshootingβ
Common Issuesβ
State File Corruption
# Validate and repair states
validation = state_manager.validate_state_integrity()
for invalid_state in validation['invalid_states']:
print(f"Corrupted state: {invalid_state}")
# Remove corrupted state if necessary
Storage Space Issues
# Monitor storage usage
stats = state_manager.get_storage_stats()
if stats['total_size_mb'] > 1000: # 1GB threshold
print("Storage usage high, consider cleanup")
# Implement cleanup logic
Performance Optimization
# For large environments, consider:
# 1. Filtering resources by service or region
# 2. Using compression for state files
# 3. Implementing parallel processing
# 4. Optimizing retention policies
π Monitoring and Metricsβ
Key Metrics to Trackβ
- State Storage Growth: Monitor storage usage over time
- Change Frequency: Track change rates by service and category
- Compliance Trends: Monitor compliance percentage changes
- Security Events: Track security-related changes
- Performance Metrics: Monitor state save/load times
Integration with Monitoring Systemsβ
# Example CloudWatch metrics integration
import boto3
def publish_metrics(delta_report, state_manager):
cloudwatch = boto3.client('cloudwatch')
# Publish change metrics
cloudwatch.put_metric_data(
Namespace='InvenTag/StateManagement',
MetricData=[
{
'MetricName': 'TotalChanges',
'Value': delta_report.summary['total_changes'],
'Unit': 'Count'
},
{
'MetricName': 'CriticalChanges',
'Value': len([r for r in delta_report.added_resources + delta_report.removed_resources + delta_report.modified_resources if r.severity.value == 'critical']),
'Unit': 'Count'
}
]
)
# Publish storage metrics
stats = state_manager.get_storage_stats()
cloudwatch.put_metric_data(
Namespace='InvenTag/StateManagement',
MetricData=[
{
'MetricName': 'StorageSize',
'Value': stats['total_size_mb'],
'Unit': 'Megabytes'
},
{
'MetricName': 'StateCount',
'Value': stats['total_states'],
'Unit': 'Count'
}
]
)
For more examples and advanced usage patterns, see the demo scripts in the examples/ directory:
state_manager_demo.py- Comprehensive state management demonstrationdelta_detector_demo.py- Change detection and analysis exampleschangelog_generator_demo.py- Professional changelog generation examples