Skip to content

Drift Detection and Correction #249

Drift Detection and Correction

Drift Detection and Correction #249

Workflow file for this run

name: "Drift Detection and Correction"
on:
schedule:
- cron: '0 1 * * *' # Run at 1 AM UTC every day
workflow_dispatch: # Allow manual triggers
env:
TF_CLOUD_ORGANIZATION: "deploymenttheory"
TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
CONFIG_DIRECTORY: "workload/terraform/jamfpro"
permissions:
contents: read
id-token: write
jobs:
detect-and-correct-drift:
strategy:
matrix:
environment: [sandbox, staging, production]
name: "Detect and Correct Drift - ${{ matrix.environment }}"
runs-on: ubuntu-latest
env:
TF_WORKSPACE: "terraform-jamfpro-${{ matrix.environment }}"
steps:
- name: Checkout
uses: actions/checkout@v4.2.1
- name: Harden Runner
uses: step-security/harden-runner@v2.10.1
with:
egress-policy: audit
- name: Upload Configuration
uses: hashicorp/tfc-workflows-github/actions/upload-configuration@v1.3.1
id: drift-upload
with:
workspace: ${{ env.TF_WORKSPACE }}
directory: ${{ env.CONFIG_DIRECTORY }}
- name: Create Plan Run
uses: hashicorp/tfc-workflows-github/actions/create-run@v1.3.1
id: drift-plan
with:
workspace: ${{ env.TF_WORKSPACE }}
configuration_version: ${{ steps.drift-upload.outputs.configuration_version_id }}
plan_only: true
- name: Get Plan Output
uses: hashicorp/tfc-workflows-github/actions/plan-output@v1.3.1
id: plan-output
with:
plan: ${{ fromJSON(steps.drift-plan.outputs.payload).data.relationships.plan.data.id }}
- name: Check for Drift
id: check-drift
run: |
if [ "${{ steps.plan-output.outputs.add }}" != "0" ] || [ "${{ steps.plan-output.outputs.change }}" != "0" ] || [ "${{ steps.plan-output.outputs.destroy }}" != "0" ]; then
echo "Drift detected in ${{ matrix.environment }} environment"
echo "drift_detected=true" >> $GITHUB_OUTPUT
else
echo "No drift detected in ${{ matrix.environment }} environment"
echo "drift_detected=false" >> $GITHUB_OUTPUT
fi
- name: Apply Changes to Correct Drift
if: steps.check-drift.outputs.drift_detected == 'true'
uses: hashicorp/tfc-workflows-github/actions/apply-run@v1.3.1
id: apply-drift
with:
run: ${{ fromJSON(steps.drift-plan.outputs.payload).data.id }}
comment: "Automated drift correction for ${{ matrix.environment }} environment"
- name: Determine Result Message
id: result-message
run: |
if [ "${{ steps.check-drift.outputs.drift_detected }}" == "true" ]; then
if [ "${{ steps.apply-drift.outcome }}" == "success" ]; then
echo "message=Drift detected and corrected" >> $GITHUB_OUTPUT
else
echo "message=Drift detected but not corrected" >> $GITHUB_OUTPUT
fi
else
echo "message=No drift detected" >> $GITHUB_OUTPUT
fi
outputs:
result_message: ${{ steps.result-message.outputs.message }}
send-notification:
needs: detect-and-correct-drift
if: always()
strategy:
matrix:
environment: [sandbox, staging, production]
uses: ./.github/workflows/send-notification.yml
with:
environment: "${{ matrix.environment }}"
result: "${{ needs.detect-and-correct-drift.outputs.result_message }}"
notification_channel: msteams # or 'slack'
secrets: inherit