sync provider and schema drift

trouze · trouze · commit 20c083e33835 · 2026-04-17T17:53:27.000-05:00
diff --git a/.github/workflows/schema-drift.yml b/.github/workflows/schema-drift.yml
@@ -0,0 +1,60 @@
+name: Schema Drift
+
+on:
+  pull_request:
+    paths:
+      - ".terraform.lock.hcl"
+      - "schemas/**"
+      - "scripts/resource_mapping.yml"
+      - "scripts/check_schema_drift.py"
+      - ".github/workflows/schema-drift.yml"
+  push:
+    branches: [main]
+    paths:
+      - ".terraform.lock.hcl"
+      - "schemas/**"
+      - "scripts/resource_mapping.yml"
+      - "scripts/check_schema_drift.py"
+  schedule:
+    - cron: "0 8 * * 1"  # Monday 08:00 UTC — catches upstream provider releases
+
+permissions:
+  contents: read
+
+jobs:
+  schema-drift:
+    name: Schema Drift Check
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
+        with:
+          terraform_version_file: .terraform-version
+
+      - name: Cache Terraform providers
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: .terraform
+          key: terraform-${{ hashFiles('.terraform.lock.hcl') }}
+          restore-keys: terraform-
+
+      - name: Init (downloads provider binary, no credentials needed)
+        run: terraform init -backend=false
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Check schema drift
+        id: drift
+        run: |
+          uv run --with PyYAML scripts/check_schema_drift.py \
+            --mapping scripts/resource_mapping.yml \
+            --schema schemas/v1.json \
+            --terraform-dir .
+
+      - name: Annotate PR on failure
+        if: failure() && github.event_name == 'pull_request'
+        run: |
+          echo "::error::Schema drift detected. Run 'make schema-drift' locally and classify any UNMAPPED fields in scripts/resource_mapping.yml. Add MISSING_FROM_SCHEMA fields to schemas/v1.json."
diff --git a/.gitignore b/.gitignore
@@ -38,5 +38,9 @@ terraform.rc
 
 *.DS_Store
 
+# Cached provider schema output (used by scripts/check_schema_drift.py --provider-schema)
+provider_schema_cache.json
+scripts/provider_schema_cache.json
+
 # Internal publishing checklist (keep local only)
 .claude/implementation/public.md
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 .DEFAULT_GOAL := help
 
-.PHONY: fmt fmt-check lint validate test test-integration docs pre-commit pre-commit-all help
+.PHONY: fmt fmt-check lint validate schema-drift schema-drift-verbose test test-integration docs pre-commit pre-commit-all help
 
 fmt: ## Auto-format all Terraform files
 	terraform fmt -recursive
@@ -15,6 +15,21 @@ validate: ## Run terraform validate (requires terraform init)
 	terraform init -backend=false -reconfigure
 	terraform validate
 
+schema-drift: ## Check for drift between dbtcloud provider schema and schemas/v1.json
+	terraform init -backend=false -reconfigure
+	uv run --with PyYAML scripts/check_schema_drift.py \
+		--mapping scripts/resource_mapping.yml \
+		--schema schemas/v1.json \
+		--terraform-dir .
+
+schema-drift-verbose: ## Same as schema-drift but also fails on STALE_YAML findings
+	terraform init -backend=false -reconfigure
+	uv run --with PyYAML scripts/check_schema_drift.py \
+		--mapping scripts/resource_mapping.yml \
+		--schema schemas/v1.json \
+		--terraform-dir . \
+		--fail-on-stale
+
 test: ## Run terraform test with mock providers (no credentials needed)
 	terraform test
 
diff --git a/modules/environments/main.tf b/modules/environments/main.tf
@@ -99,6 +99,8 @@ resource "dbtcloud_environment" "environments" {
   enable_model_query_history = try(each.value.env_data.enable_model_query_history, null)
   custom_branch              = try(each.value.env_data.custom_branch, null)
   deployment_type            = try(each.value.env_data.deployment_type, null)
+  is_active                  = try(each.value.env_data.is_active, null)
+  target_name                = try(each.value.env_data.target_name, null)
   use_custom_branch          = try(each.value.env_data.custom_branch, null) != null
   primary_profile_id         = local.resolve_primary_profile_id[each.key]
   extended_attributes_id     = local.resolve_primary_profile_id[each.key] != null ? null : local.resolve_extended_attributes_id[each.key]
@@ -131,6 +133,8 @@ resource "dbtcloud_environment" "protected_environments" {
   enable_model_query_history = try(each.value.env_data.enable_model_query_history, null)
   custom_branch              = try(each.value.env_data.custom_branch, null)
   deployment_type            = try(each.value.env_data.deployment_type, null)
+  is_active                  = try(each.value.env_data.is_active, null)
+  target_name                = try(each.value.env_data.target_name, null)
   use_custom_branch          = try(each.value.env_data.custom_branch, null) != null
   primary_profile_id         = local.resolve_primary_profile_id[each.key]
   extended_attributes_id     = local.resolve_primary_profile_id[each.key] != null ? null : local.resolve_extended_attributes_id[each.key]
diff --git a/modules/jobs/main.tf b/modules/jobs/main.tf
@@ -207,6 +207,7 @@ resource "dbtcloud_job" "jobs" {
   triggers_on_draft_pr     = try(each.value.job_data.triggers_on_draft_pr, false)
   force_node_selection     = local.force_node_selection_effective[each.key]
   deferring_environment_id = local.resolve_deferring_environment_id[each.key]
+  deferring_job_id         = try(each.value.job_data.deferring_job_id, null)
 
   schedule_cron     = local.schedule_cron_effective[each.key]
   schedule_days     = try(each.value.job_data.schedule_days, null)
@@ -263,6 +264,7 @@ resource "dbtcloud_job" "protected_jobs" {
   triggers_on_draft_pr     = try(each.value.job_data.triggers_on_draft_pr, false)
   force_node_selection     = local.force_node_selection_effective[each.key]
   deferring_environment_id = local.resolve_deferring_environment_id[each.key]
+  deferring_job_id         = try(each.value.job_data.deferring_job_id, null)
 
   schedule_cron     = local.schedule_cron_effective[each.key]
   schedule_days     = try(each.value.job_data.schedule_days, null)
diff --git a/modules/project/main.tf b/modules/project/main.tf
@@ -36,7 +36,10 @@ locals {
 resource "dbtcloud_project" "projects" {
   for_each = local.unprotected_projects_map
 
-  name = "${var.target_name}${each.value.name}"
+  name                    = "${var.target_name}${each.value.name}"
+  description             = try(each.value.description, null)
+  type                    = try(each.value.type, null)
+  dbt_project_subdirectory = try(each.value.dbt_project_subdirectory, null)
 
   # Deferred until dbt-labs/dbtcloud supports resource_metadata on dbtcloud_project (v2 parity).
   # resource_metadata = {
@@ -55,7 +58,10 @@ resource "dbtcloud_project" "projects" {
 resource "dbtcloud_project" "protected_projects" {
   for_each = local.protected_projects_map
 
-  name = "${var.target_name}${each.value.name}"
+  name                    = "${var.target_name}${each.value.name}"
+  description             = try(each.value.description, null)
+  type                    = try(each.value.type, null)
+  dbt_project_subdirectory = try(each.value.dbt_project_subdirectory, null)
 
   # Deferred until dbt-labs/dbtcloud supports resource_metadata on dbtcloud_project (v2 parity).
   # resource_metadata = {
diff --git a/scripts/check_schema_drift.py b/scripts/check_schema_drift.py
diff --git a/scripts/resource_mapping.yml b/scripts/resource_mapping.yml
