Skip to content

Detect infrastructure drift #1203

Detect infrastructure drift

Detect infrastructure drift #1203

name: Detect infrastructure drift
on:
schedule:
# Run once an hour.
# GitHub throttles scheduled jobs if too many are queued at once,
# so they recommend scheduling them at a random minute instead of
# minute 0. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule
- cron: '16 * * * *'
workflow_dispatch:
permissions:
id-token: write
contents: read
jobs:
detect-drift:
runs-on: ubuntu-latest
defaults:
run:
working-directory: terraform/production
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4.0.2
with:
role-to-assume: arn:aws:iam::588562868276:role/GitHubActionsReadonlyRole-prod
aws-region: us-east-1
- name: Install Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: "~1.5.2"
terraform_wrapper: false
- name: Initialize Terraform
uses: nick-invision/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
with:
command: cd terraform/production && terraform init
max_attempts: 5
timeout_minutes: 5
- name: Run Terraform Plan
run: terraform plan -lock=false -detailed-exitcode -no-color -input=false -out=tfplan > tfplan_output.txt 2>&1
env:
TF_VAR_eks_cluster_role: "arn:aws:iam::588562868276:role/GitHubActionsReadonlyRole-prod"
- name: Send Slack alert on drift
if: failure()
run: |
# Post message
curl -X POST \
-H "Content-type: application/json" \
-H "Authorization: Bearer ${{ secrets.SLACK_BOT_TOKEN }}" \
-d '{
"channel": "spack-alerts",
"text": ":rotating_light: :rotating_light: :rotating_light: Infrastructure drift detected! :rotating_light: :rotating_light: :rotating_light:"
}' \
https://slack.com/api/chat.postMessage
# Upload TF plan stdout
curl -F file=@tfplan_output.txt \
-F channels=spack-alerts \
-F title="tfplan_output.txt" \
-F filetype="text" \
-H "Authorization: Bearer ${{ secrets.SLACK_BOT_TOKEN }}" \
https://slack.com/api/files.upload
# Upload TF plan binary file
curl -F file=@tfplan \
-F channels=spack-alerts \
-F title="tfplan" \
-F filetype="binary" \
-H "Authorization: Bearer ${{ secrets.SLACK_BOT_TOKEN }}" \
https://slack.com/api/files.upload