pagopa / dx

Devex repository for shared tools and pipelines.
https://pagopa.github.io/dx/docs/

[DEVEX-146] Creation of a GitHub Action for Terraform Drift Detection #43

Closed mamu0 closed 2 months ago

mamu0 commented 3 months ago

List of changes

Added a new GitHub Action in the file infra_drift_detection.yml; the action can be started manually or scheduled to run every day at 8 am. The GitHub Action is responsible for drift detection via a terraform plan, checking the terraform state against the resources deployed on Azure. If there are changes to the state, the pipeline will fail, and if the Slack Webhook URL is present, it will send a notification with the information. However, if there are no drifts the pipeline will finish successfully without sending notifications.

Motivation and context

With this template we simplify the addition of the drift check, using the new infrastructure.

Type of changes

Does this introduce a change to production resources with possible user impact?

Other information

I updated the repo by adding the dev folder in infra and the identity and repository folders, following the guide.

gunzip commented 3 months ago

can you change this PR title adding a reference to the jira issue here?

https://pagopa.atlassian.net/jira/software/c/projects/DEVEX/boards/501/timeline

(create one if it doesn't exist yet)

gunzip commented 3 months ago

why draft?

mamu0 commented 3 months ago

why draft?

Because I wasn't sure of the final request; @Krusty93 certainly knows it in more detail. I have now configured the "unconventional" drift detection, because instead of checking only the changes on the Azure console side that are inconsistent with the state, I also check the changes on the terraform code side that are not applied.

Now it works, but I don't know if it needs to be changed to remove the check on unapplied terraform code.

Krusty93 commented 2 months ago

Very nice work! My personal opinion is to stick to this behavior, in order to help developers eventually address code issues and/or to remind them, and make it clear to them, to apply code actually merged in the main branch.

On the other hand, the -refresh-only flag could help us avoid "fake drift" detection (i.e. Cosmos DB indexes).
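The following workflow is an added example, not the infra_drift_detection.yml from this PR or any pagopa/dx code. It puts together the behaviour described in the PR (daily 8 am schedule plus manual trigger, a plan-based drift check, a failing job on drift, a Slack notification only when a webhook is configured) and the -refresh-only variant raised by Krusty93. Assumptions: the Terraform root lives at infra/resources/dev, Azure authentication uses OIDC federation through the secrets ARM_CLIENT_ID, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID, and the optional webhook is stored in the secret SLACK_WEBHOOK_URL. None of these names come from the repository.

```yaml
name: Terraform drift detection (example)

on:
  workflow_dispatch:
    inputs:
      refresh_only:
        description: "Compare state with real infrastructure only; unapplied code changes are not reported"
        type: boolean
        default: false
  schedule:
    - cron: "0 8 * * *"   # every day at 08:00 UTC

# Least privilege: read the repo, mint an OIDC token for Azure. No write scopes.
permissions:
  contents: read
  id-token: write

concurrency:
  group: drift-detection-dev   # never run two drift checks against the same state at once
  cancel-in-progress: false

env:
  ARM_USE_OIDC: "true"                                   # azurerm provider: federated credential, no client secret
  ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}            # assumed secret names
  ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}    # optional; job-level env so it can be tested in `if:`
  REFRESH_ONLY: ${{ inputs.refresh_only }}               # empty on scheduled runs

jobs:
  drift:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: infra/resources/dev           # assumed path
        shell: bash
    steps:
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_wrapper: false   # we need terraform's own exit code, not the wrapper's

      - run: terraform init -input=false

      - name: Plan (detailed exit code)
        id: plan
        run: |
          # -detailed-exitcode: 0 = no changes, 1 = error, 2 = changes pending.
          # -lock=false: a read-only check must not block a real apply on the same state.
          # With REFRESH_ONLY=true only state-vs-infrastructure differences are proposed,
          # so code merged but not yet applied does not show up as drift.
          extra=""
          if [ "$REFRESH_ONLY" = "true" ]; then extra="-refresh-only"; fi
          code=0
          terraform plan -input=false -lock=false -no-color -detailed-exitcode $extra > plan.txt 2>&1 || code=$?
          echo "exitcode=$code" >> "$GITHUB_OUTPUT"
          # Plan output may contain resource attributes; keep it in the run log, not in chat.
          tail -n 50 plan.txt

      - name: Notify Slack on drift
        if: steps.plan.outputs.exitcode == '2' && env.SLACK_WEBHOOK_URL != ''
        env:
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          # Send only the one-line summary and a link to the run, never the full plan.
          summary=$(grep -E '^Plan:|^Objects have changed' plan.txt | head -n 2 | tr '\n' ' ')
          payload=$(jq -n --arg text ":warning: Terraform drift detected in ${GITHUB_REPOSITORY} (infra/resources/dev). ${summary} Details: ${RUN_URL}" '{text: $text}')
          curl --fail --silent --show-error -X POST -H 'Content-type: application/json' \
            --data "$payload" "$SLACK_WEBHOOK_URL"

      - name: Fail on drift or plan error
        if: steps.plan.outputs.exitcode != '0'
        run: |
          echo "terraform plan exited with ${{ steps.plan.outputs.exitcode }} (2 = changes pending, 1 = error)"
          exit 1
```

Two points worth keeping in mind when adapting this. The `if:` on the Slack step reads the webhook from the job-level env rather than from the secrets context, because step conditions cannot reference secrets directly; an unset secret yields an empty string and the step is skipped, which gives the "no webhook, no notification" behaviour from the PR description. And the plan text is deliberately kept out of the chat message: a Terraform plan can echo resource configuration that does not belong in a Slack channel, so the notification carries only the summary line and a link back to the run log, where access is governed by repository permissions.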