Skip to content

Terraform drift check #191

Terraform drift check

Terraform drift check #191

name: Terraform drift check
on:
workflow_dispatch:
schedule:
- cron: "40 4 * * *" # 4:40 AM UTC
env:
AWS_REGION: ca-central-1
TERRAFORM_VERSION: 1.7.2
TERRAGRUNT_VERSION: 0.55.1
CONFTEST_VERSION: 0.49.0
permissions:
id-token: write
contents: read
jobs:
terraform-drift-check:
strategy:
fail-fast: false
matrix:
include:
- account_folder: org_account
module: main
account: 659087519042
role: cds-aws-lz-plan
assume_role_name: "assume_plan"
la_customer_id: LA_CUSTOMER_ID
la_shared_key: LA_SHARED_KEY
- account_folder: org_account
module: spend_notifier
account: 659087519042
role: cds-aws-lz-plan
spend_notifier_hook: SPEND_NOTIFIER_HOOK
weekly_spend_notifier_hook: WEEKLY_SPEND_NOTIFIER_HOOK
- account_folder: org_account
module: sentinel_oidc
account: 659087519042
role: cds-aws-lz-plan
- account_folder: org_account
module: cost_usage_report
account: 659087519042
role: cds-aws-lz-plan
- account_folder: org_account
module: iam_identity_center
account: 659087519042
role: cds-aws-lz-plan
- account_folder: log_archive
module: main
account: 274536870005
role: cds-aws-lz-plan
- account_folder: log_archive
module: legacy_archives
account: 274536870005
role: cds-aws-lz-plan
- account_folder: log_archive
module: sre_bot
account: 274536870005
role: cds-aws-lz-plan
admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
- account_folder: audit
module: main
account: 886481071419
role: cds-aws-lz-plan
- account_folder: audit
module: sre_bot
account: 886481071419
role: cds-aws-lz-plan
admin_sso_role_arn: ADMIN_SSO_ROLE_ARN
- account_folder: aft
module: main
account: 137554749751
role: cds-aws-lz-plan
lz_webhook_key: LZ_CHANNEL_WEBHOOK
- account_folder: aft
module: notifications
account: 137554749751
role: cds-aws-lz-plan
aft_notifications_hook: AFT_NOTIFICATIONS_HOOK
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Setup Terraform tools
uses: cds-snc/terraform-tools-setup@v1
- name: Configure aws credentials using OIDC
uses: aws-actions/configure-aws-credentials@master
with:
role-to-assume: arn:aws:iam::${{ matrix.account }}:role/${{ matrix.role }}
role-session-name: ${{matrix.module}}-drift-check
aws-region: ${{ env.AWS_REGION }}
- name: Terraform drift check for ${{matrix.module }}/${{ matrix.module }}
env:
TF_VAR_aft_slack_webhook: ${{ secrets[matrix.lz_webhook_key] }}
TF_VAR_assume_role_name: ${{ matrix.assume_role_name }}
TF_VAR_lw_customer_id: ${{ secrets[matrix.la_customer_id] }}
TF_VAR_lw_shared_key: ${{ secrets[matrix.la_shared_key] }}
TF_VAR_daily_spend_notifier_hook: ${{ secrets[matrix.spend_notifier_hook] }}
TF_VAR_weekly_spend_notifier_hook: ${{ secrets[matrix.weekly_spend_notifier_hook]}}
TF_VAR_aft_notifications_hook: ${{ secrets[matrix.aft_notifications_hook]}}
TF_VAR_admin_sso_role_arn: ${{ secrets[matrix.admin_sso_role_arn] }}
working-directory: ./terragrunt/${{ matrix.account_folder }}/${{ matrix.module }}
run: |
terragrunt init
terragrunt plan -detailed-exitcode