fixup! Implement drift-detection module

Author: whi-tw

infra/modules/drift-detection/buildspec/buildspec.yml

@@ -0,0 +1,148 @@
+# shellcheck shell=bash
+# shellcheck disable=SC2148
+
+set -euo pipefail
+
+echo "=== Drift Detection for ${DEPLOYMENT_NAME} ==="
+echo "Timestamp: $(date -Iseconds)"
+echo "Region: ${AWS_DEFAULT_REGION}"
+echo ""
+
+# Clone repository (full history needed to compare against stored SHAs)
+echo "Cloning repository: ${GIT_REPOSITORY_URL}"
+git clone --single-branch --branch "${GIT_BRANCH}" "${GIT_REPOSITORY_URL}" /tmp/repo
+cd /tmp/repo || exit
+
+CURRENT_SHA=$(git rev-parse HEAD)
+echo "Current HEAD: ${CURRENT_SHA}"
+echo ""
+
+# Get list of all roots for this deployment
+echo "=== Querying SSM parameters for ${DEPLOYMENT_NAME} roots ==="
+SSM_PREFIX="/terraform/last_applied/${DEPLOYMENT_NAME}/"
+
+PARAMETERS=$(aws ssm describe-parameters \
+    --parameter-filters "Key=Name,Option=BeginsWith,Values=${SSM_PREFIX}" \
+    --query 'Parameters[].Name' \
+    --output text)
+
+if [ -z "$PARAMETERS" ]; then
+    echo "ERROR: No SSM parameters found for deployment: ${DEPLOYMENT_NAME}"
+    exit 1
+fi
+
+echo "Found $(echo "$PARAMETERS" | wc -w) root(s) to check"
+echo ""
+
+# Track results
+TOTAL_ROOTS=0
+UP_TO_DATE_COUNT=0
+DRIFT_DETECTED_COUNT=0
+MISSING_SHA_COUNT=0
+DRIFTED_ROOTS=()
+
+# Check each root
+for PARAM_NAME in $PARAMETERS; do
+    TOTAL_ROOTS=$((TOTAL_ROOTS + 1))
+
+    # Extract root path from parameter name
+    # /terraform/last_applied/deploy/account -> deploy/account
+    ROOT_PATH="${PARAM_NAME#/terraform/last_applied/}"
+
+    echo "--- Checking: ${ROOT_PATH} ---"
+
+    # Get stored SHA from SSM
+    STORED_SHA=$(aws ssm get-parameter --name "${PARAM_NAME}" --query 'Parameter.Value' --output text 2>/dev/null || echo "")
+
+    if [ -z "$STORED_SHA" ]; then
+        echo "  ❌ MISSING: No SHA stored in SSM"
+        MISSING_SHA_COUNT=$((MISSING_SHA_COUNT + 1))
+        DRIFTED_ROOTS+=("${ROOT_PATH} (no SHA)")
+        echo ""
+        continue
+    fi
+
+    echo "  Stored SHA: ${STORED_SHA}"
+
+    # Check if SHA exists in repo
+    if ! git cat-file -e "${STORED_SHA}" 2>/dev/null; then
+        echo "  ⚠️  WARNING: Stored SHA not found in repository"
+        DRIFT_DETECTED_COUNT=$((DRIFT_DETECTED_COUNT + 1))
+        DRIFTED_ROOTS+=("${ROOT_PATH} (SHA not in repo)")
+        echo ""
+        continue
+    fi
+
+    # Check if directory has changed since stored SHA
+    ROOT_DIR="infra/deployments/${ROOT_PATH}"
+
+    if [ ! -d "${ROOT_DIR}" ]; then
+        echo "  ⚠️  WARNING: Directory does not exist: ${ROOT_DIR}"
+        DRIFT_DETECTED_COUNT=$((DRIFT_DETECTED_COUNT + 1))
+        DRIFTED_ROOTS+=("${ROOT_PATH} (dir missing)")
+        echo ""
+        continue
+    fi
+
+    # Check for changes between stored SHA and current HEAD
+    # Includes both the root directory AND all modules (with exclusions)
+
+    # Build git pathspec with exclusions
+    PATHSPEC="${ROOT_DIR} infra/modules/"
+    if [ -n "${EXCLUDED_MODULE_PATHS}" ]; then
+        IFS=',' read -ra EXCLUDED <<<"${EXCLUDED_MODULE_PATHS}"
+        for EXCLUDED_PATH in "${EXCLUDED[@]}"; do
+            PATHSPEC="${PATHSPEC} :(exclude)${EXCLUDED_PATH}"
+        done
+    fi
+
+    if git diff --quiet "${STORED_SHA}..HEAD" -- "${PATHSPEC}"; then
+        echo "  ✅ UP TO DATE: No changes detected"
+        UP_TO_DATE_COUNT=$((UP_TO_DATE_COUNT + 1))
+    else
+        echo "  ⚠️  DRIFT DETECTED: Changes found since last apply"
+
+        # Show changed files in root
+        ROOT_CHANGES=$(git diff --name-only "${STORED_SHA}..HEAD" -- "${ROOT_DIR}")
+        if [ -n "$ROOT_CHANGES" ]; then
+            echo "  Changed files in root:"
+            echo "$ROOT_CHANGES" | sed 's/^/    - /'
+        fi
+
+        # Show changed modules (excluding specified paths)
+        MODULE_CHANGES=$(git diff --name-only "${STORED_SHA}..HEAD" -- "${PATHSPEC}" | grep "^infra/modules/" || true)
+        if [ -n "$MODULE_CHANGES" ]; then
+            echo "  Changed modules:"
+            echo "$MODULE_CHANGES" | sed 's/^/    - /'
+        fi
+
+        DRIFT_DETECTED_COUNT=$((DRIFT_DETECTED_COUNT + 1))
+        DRIFTED_ROOTS+=("${ROOT_PATH}")
+    fi
+
+    echo ""
+done
+
+# Print summary
+echo "==================================================================="
+echo "=== DRIFT DETECTION SUMMARY ==="
+echo "==================================================================="
+echo "Deployment:        ${DEPLOYMENT_NAME}"
+echo "Total roots:       ${TOTAL_ROOTS}"
+echo "Up to date:        ${UP_TO_DATE_COUNT}"
+echo "Drift detected:    ${DRIFT_DETECTED_COUNT}"
+echo "Missing SHA:       ${MISSING_SHA_COUNT}"
+echo ""
+
+if [ ${DRIFT_DETECTED_COUNT} -gt 0 ] || [ ${MISSING_SHA_COUNT} -gt 0 ]; then
+    echo "⚠️  ATTENTION REQUIRED: ${#DRIFTED_ROOTS[@]} root(s) need review:"
+    for ROOT in "${DRIFTED_ROOTS[@]}"; do
+        echo "  - ${ROOT}"
+    done
+    echo ""
+    echo "These roots may need to be reapplied to match the current codebase."
+    exit 0
+else
+    echo "✅ All roots are up to date!"
+    exit 0
+fi

infra/modules/drift-detection/drift-detection.sh

@@ -11,6 +11,23 @@ resource "aws_cloudwatch_log_group" "drift_check" {
   retention_in_days = 30
 }
 
+locals {
+  buildspec = {
+    version = "0.2"
+    env = {
+      shell = "bash"
+    }
+
+    phases = {
+      build = {
+        commands = [
+          file("${path.module}/drift-detection.sh")
+        ]
+      }
+    }
+  }
+}
+
 resource "aws_codebuild_project" "drift_check" {
   #checkov:skip=CKV_AWS_147:Amazon Managed SSE is sufficient
   name          = "drift-check-${var.deployment_name}"
@@ -20,7 +37,7 @@ resource "aws_codebuild_project" "drift_check" {
 
   source {
     type      = "NO_SOURCE"
-    buildspec = file("${path.module}/buildspec/buildspec.yml")
+    buildspec = jsonencode(local.buildspec)
   }
 
   logs_config {