Historically there have been a couple of instances where the service layer showed a terraform plan diff even when running terraform plan from the main branch of a project (e.g. on platform-test). On two of these occasions, it was due to container definitions showing spurious changes caused by default values in the container definitions that do not appear in the terraform configuration code. There have also been cases where we've made a change to some non-service layer (e.g. the network layer) but forgot to apply the changes.
This issue is to add a CI check that runs on some cadence (e.g. daily at midnight) that ensures that terraform plan shows a clean plan (no resources to add, change, or remove) to help avoid situations where the infrastructure doesn't match the code configuration.
Layers to check:
Service layer
Build repository layer
Network layer
Accounts layer
Don't check the database layer for now: there is currently some tech debt such that the role manager Lambda code will always show up as a diff in the terraform plan.
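As an added example (not code from this issue or the project), one way to implement the scheduled check in POSIX shell: run terraform plan with -detailed-exitcode in each layer (exit 0 means a clean plan, 2 means pending changes, anything else an error) and fail the job unless every layer is clean. The infra/<layer> directory layout, the layer directory names and the TERRAFORM_BIN override are assumptions.

```shell
#!/bin/sh
# Nightly drift check: plan every layer and fail unless all plans are clean.
set -u

# The terraform command to run; overridable so the check can be exercised
# without a real terraform binary (assumption, not a project convention).
TERRAFORM_BIN="${TERRAFORM_BIN:-terraform}"

# Layers from the issue; the database layer is deliberately left out because
# the role manager Lambda currently always shows up as a diff.
# Directory names under infra/ are assumed.
LAYERS="${LAYERS:-service build-repository network accounts}"

# Map terraform's -detailed-exitcode result to a verdict:
#   0 -> clean (nothing to add, change or destroy)
#   2 -> drift (plan is not empty)
#   anything else -> error (init failure, missing credentials, ...)
plan_verdict() {
  case "$1" in
    0) echo clean ;;
    2) echo drift ;;
    *) echo error ;;
  esac
}

# Plan one layer and print "<layer> <verdict>".
# -lock=false: a read-only nightly plan must never block a real apply.
# -input=false: fail fast on a missing variable instead of prompting in CI.
check_layer() {
  layer="$1"
  rc=0
  "$TERRAFORM_BIN" -chdir="infra/$layer" plan -detailed-exitcode \
      -input=false -lock=false >/dev/null 2>&1 || rc=$?
  echo "$layer $(plan_verdict "$rc")"
}

# Plan all layers; return 0 only when every layer reports "clean".
# An error is treated like drift so a broken plan cannot pass silently.
check_all_layers() {
  status=0
  for layer in $LAYERS; do
    result="$(check_layer "$layer")"
    echo "$result"
    case "$result" in
      *" clean") ;;
      *) status=1 ;;
    esac
  done
  return $status
}

# CI entry point: `sh drift-check.sh run`; sourcing the file runs nothing.
case "${1:-}" in run) check_all_layers ;; esac
```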