Drift Detection #1
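# .github/workflows/drift-detection.yml
# Scheduled drift detection for the Chapter 06 production environment.
name: "Drift Detection"

# Note for learners: this workflow demonstrates the drift detection pattern
# taught in Chapter 4. It is set to manual dispatch in the demo repo because
# without a real state backend, every run reports full creation as drift. In
# a real project, uncomment the schedule trigger below so the check runs
# daily against your actual backend.
on:
  workflow_dispatch:
  # schedule:
  #   - cron: "0 6 * * *"   # example value: daily at 06:00 UTC; adjust to taste

# Least privilege: the job only needs to read the checkout and open issues.
permissions:
  contents: read
  issues: write

concurrency:
  group: terraform-drift-${{ github.ref_name }}
  cancel-in-progress: true

env:
  TF_VERSION: "1.14.8"
  WORKING_DIR: "ch06-cicd-workflows/environments/prod"
  ENVIRONMENT_NAME: "prod"

jobs:
  detect-drift:
    name: "Check for Drift"
    runs-on: ubuntu-latest
    steps:
      # Supply-chain note: action tags are mutable. Pinning each action to a
      # full commit SHA (`uses: actions/checkout@<full-commit-sha> # v6`) makes
      # the code that runs immutable; tags are kept here for readability.
      - uses: actions/checkout@v6

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v4
        with:
          terraform_version: ${{ env.TF_VERSION }}
          # The wrapper installed by default is expected to pass terraform's
          # exit code through. If drift is never reported, set
          # `terraform_wrapper: false` here and re-check.

      # -backend=false because the demo has no state backend (see note above).
      # -input=false keeps CI from hanging on an interactive prompt.
      - name: Terraform Init
        run: terraform init -backend=false -input=false
        working-directory: ${{ env.WORKING_DIR }}

      - name: Detect Drift
        id: drift
        # Explicit bash so PIPESTATUS is available regardless of the runner's
        # default shell.
        shell: bash
        run: |
          # -detailed-exitcode: 0 = no changes, 2 = changes (drift), 1 = error.
          # errexit is suspended so that exit code 2 does not abort the step.
          set +e
          terraform plan -no-color -input=false -detailed-exitcode 2>&1 | tee drift_output.txt
          # Read terraform's status from PIPESTATUS, not "$?": without
          # `-o pipefail` a pipeline's status is the last command's (tee,
          # always 0), which would report "no drift" on every run.
          EXIT_CODE=${PIPESTATUS[0]}
          set -e
          if [ "$EXIT_CODE" -eq 0 ]; then
            echo "drift_detected=false" >> "$GITHUB_OUTPUT"
            echo "No drift detected."
          elif [ "$EXIT_CODE" -eq 2 ]; then
            echo "drift_detected=true" >> "$GITHUB_OUTPUT"
            echo "::warning::Drift detected! Review plan output."
          else
            echo "drift_detected=error" >> "$GITHUB_OUTPUT"
            echo "::error::Drift check failed."
            exit 1
          fi
        working-directory: ${{ env.WORKING_DIR }}

      - name: Create Issue on Drift
        if: steps.drift.outputs.drift_detected == 'true'
        uses: actions/github-script@v8
        with:
          script: |
            // Read workflow env via process.env instead of `${{ env.X }}` so
            // nothing is spliced into the script source. The values are static
            // here, but interpolating expressions into script text is the
            // pattern that turns into script injection once untrusted context
            // (issue titles, branch names, ...) is used the same way.
            const fs = require('fs');
            const path = require('path');
            const workingDir = process.env.WORKING_DIR;
            const environmentName = process.env.ENVIRONMENT_NAME;

            const driftOutput = fs.readFileSync(
              path.join(workingDir, 'drift_output.txt'), 'utf8'
            );

            // Keep the body comfortably under the issue size limit.
            const MAX_CHARS = 50000;
            const truncated = driftOutput.length > MAX_CHARS
              ? `${driftOutput.substring(0, MAX_CHARS)}\n... (truncated)`
              : driftOutput;

            // Single timestamp for both the title date and the body.
            const detectedAt = new Date().toISOString();
            const today = detectedAt.split('T')[0];

            // NOTE: the plan output is published to everyone who can read
            // issues. Terraform redacts attributes marked `sensitive`; any
            // other plan content (names, addresses, unmarked attributes) is
            // shown verbatim. On a public repository prefer an artifact or a
            // private channel. A daily schedule also opens one issue per run;
            // a production version should look for an open `drift` issue and
            // comment on it instead of creating a new one.
            //
            // `await` so a failed API call fails this step rather than
            // becoming an unhandled rejection after the script has returned.
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `Infrastructure Drift Detected - ${today}`,
              body: `## Drift Detection Alert
            Scheduled drift detection found unexpected changes in the infrastructure.
            **Environment:** ${environmentName}
            **Working Directory:** ${workingDir}
            **Detected at:** ${detectedAt}
            ### Plan Output
            \`\`\`
            ${truncated}
            \`\`\`
            ### Action Required
            1. Review the plan output above
            2. Determine if the changes are intentional or accidental
            3. If intentional: update the Terraform code to match
            4. If accidental: run \`terraform apply\` to reconcile the drift
            *This issue was created automatically by the drift detection workflow.*`,
              labels: ['drift', 'infrastructure'],
            });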