Scheduled Terraform Drift Detection #9185
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scheduled Terraform Drift Detection | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| # Run this workflow at the top of every hour | |
| - cron: "0 * * * *" | |
| jobs: | |
| drift-detection: | |
| name: Detect and reconcile drift in Terraform stacks | |
| permissions: | |
| id-token: write | |
| contents: read | |
| pull-requests: read | |
| checks: read | |
| runs-on: ubuntu-latest | |
| steps: | |
| ### Check out the code | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.head_ref }} | |
| fetch-depth: 0 | |
| ### Install tooling | |
| - name: Install Terramate | |
| uses: terramate-io/terramate-action@v2 | |
| - name: Install asdf | |
| uses: asdf-vm/actions/setup@v3 | |
| - name: Install Terraform with asdf | |
| run: | | |
| asdf plugin add terraform | |
| asdf install terraform | |
| - name: Install OpenTofu with asdf | |
| run: | | |
| asdf plugin add opentofu | |
| asdf install opentofu | |
| ### Configure cloud credentials | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ env.AWS_REGION }} | |
| role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github | |
| env: | |
| AWS_REGION: us-east-1 | |
| AWS_ACCOUNT_ID: ${{ vars.AWS_ACCOUNT_ID }} | |
| - name: Verify AWS credentials | |
| run: aws sts get-caller-identity | |
| ### Run Dift Check | |
| - name: Run Terraform init in all stacks | |
| run: | | |
| terramate script run \ | |
| -C stacks \ | |
| --parallel 1 \ | |
| init | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| - name: Run drift detection | |
| id: drift-detect | |
| run: | | |
| terramate script run \ | |
| -C stacks \ | |
| --parallel 5 \ | |
| --continue-on-error \ | |
| -- \ | |
| drift detect | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| - name: Run drift reconciliation | |
| id: drift-reconcile | |
| run: | | |
| terramate script run \ | |
| -C stacks \ | |
| --tags reconcile \ | |
| --status=drifted \ | |
| --parallel 5 \ | |
| --continue-on-error \ | |
| -- \ | |
| drift reconcile | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} |