Skip to content
Check for configuration drift

Drift Detection and Correction #60

Sign in to view logs

Drift Detection and Correction

Drift Detection and Correction #60

Workflow file for this run

.github/workflows/drift.yml at 5dc775b
name: Check for configuration drift
on:
schedule:
- cron: "0 8 * * *"
jobs:
check_drift:
runs-on: ubuntu-latest
name: Check for drift of jamf pro terraform configuration
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TF_ACTIONS_WORKING_DIR: "workload/terraform/jamfpro"
steps:
- name: Checkout
uses: actions/[email protected]
- name: terraform plan
uses: hashicorp/setup-terraform@v3
with:
cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
terraform_version: latest
- name: Terraform fmt
id: fmt
run: terraform fmt -check
continue-on-error: true
- name: Terraform Init with Terraform Cloud Remote Backend
id: init
env:
TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }}
run: terraform init
working-directory: ${{ env.TF_ACTIONS_WORKING_DIR }}
- name: Terraform Validate
id: validate
run: terraform validate -no-color
working-directory: ${{ env.TF_ACTIONS_WORKING_DIR }}
- name: Generate Terraform Plan
id: plan
run: |
terraform plan -no-color -out=plan.tfplan
terraform show -no-color plan.tfplan > plan.txt
working-directory: ${{ env.TF_ACTIONS_WORKING_DIR }}
- name: Export Plan as JSON
id: json
run: |
terraform show -no-color -json plan.tfplan > plan.json
working-directory: ${{ env.TF_ACTIONS_WORKING_DIR }}
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: '>=1.20'
check-latest: true
- name: Check for duplicate resources
id: evaluate_plan_duplicate_resources
run: |
go build -o evaluate_plan_duplicate_resources main.go
./evaluate_plan_duplicate_resources -tfplan /home/runner/work/jamf-cloud-terraform/jamf-cloud-terraform/workload/terraform/jamfpro/plan.json
working-directory: workload/pipeline/duplicate_resources
# - name: Run Terraform Plan Script
# run: go run . -tfplan your-terraform-plan.json
# # Assumes your Go script writes to approval_group.txt
# - name: Set PR Approval Group
# run: |
# APPROVAL_GROUP=$(cat approval_group.txt)
# echo "Approval group required: $APPROVAL_GROUP"
# if [ "$APPROVAL_GROUP" == "Security" ]; then
# # Assuming 'security-team' is the GitHub team name for the security group
# curl \
# -X POST \
# -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
# -H "Accept: application/vnd.github+json" \
# https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/requested_reviewers \
# -d '{"reviewers": [], "team_reviewers":["security-team-demo"], "maintainers_can_modify": true}'
# fi
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/[email protected]
if: github.event_name == 'pull_request'
env:
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const fs = require('fs');
const planPath = '${{ env.TF_ACTIONS_WORKING_DIR }}/plan.txt';
const planOutput = fs.readFileSync(planPath, 'utf8');
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
<details><summary>Validation Output</summary>
\`\`\`\n
${{ steps.validate.outputs.stdout }}
\`\`\`
</details>
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`\n
${planOutput}
\`\`\`
</details>
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
});
- name: Upload Terraform Plan as Artifact
uses: actions/[email protected]
with:
name: terraform-plan
path: ${{ env.TF_ACTIONS_WORKING_DIR }}/plan.json