Ecosyste.ms: Awesome
https://github.com/digirati-labs/drifter
Check for drift between Terraform definitions and deployed state.
- Host: GitHub
- URL: https://github.com/digirati-labs/drifter
- Owner: digirati-labs
- License: mit
- Created: 2019-05-09T15:50:49.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2020-07-28T11:16:48.000Z (over 4 years ago)
- Last Synced: 2024-06-28T06:36:31.356Z (5 months ago)
- Language: Python
- Size: 22.5 KB
- Stars: 18
- Watchers: 3
- Forks: 5
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Drifter
A tool that can detect and report on configuration drift between the latest repo version of AWS infrastructure Terraform and the deployed result.
This is loosely based upon https://github.com/futurice/terraform-monitor-lambda
## Environment Variables
| Name | Description | Default |
|-------------------------|-----------------------------------------------------------------------------------------|---------|
| DEBUG | Enable debug output | False |
| TERRAFORM_S3_BUCKET     | The S3 bucket that holds the Terraform remote state (the state is read to detect the Terraform version in use) | |
| TERRAFORM_S3_KEY | The key of the Terraform remote state in S3 (see `TERRAFORM_S3_BUCKET`, above) | |
| TERRAFORM_GITHUB_REPO | GitHub repository in format `user/repo` | |
| TERRAFORM_GITHUB_BRANCH | GitHub repository branch to use | master |
| TERRAFORM_GITHUB_FOLDER | Subfolder within GitHub repository for Terraform | |
| TERRAFORM_GITHUB_TOKEN | GitHub access token for the repo defined in `TERRAFORM_GITHUB_REPO` | |
| CLOUDWATCH_NAMESPACE | AWS CloudWatch metric namespace where metrics should be shipped | |
| AWS_REGION | AWS Region name | |
| SLACK_WEBHOOK_URL | Slack Webhook URL to emit messages to | |
| TMP_FOLDER              | Temporary folder to use                                                                 | /tmp    |

The beady-eyed amongst you may note that there are additional settings for configuring a database; these are reserved for future expansion and are currently unused.
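As an added example (not Drifter's own code), the following Python sketches the shape of such a check end to end: it reads the variables above with their documented defaults, pulls the Terraform version out of a remote state document (the reason `TERRAFORM_S3_BUCKET`/`TERRAFORM_S3_KEY` exist), classifies a `terraform show -json` plan into drifted resources, and builds the body for the `SLACK_WEBHOOK_URL` POST and the `put_metric_data` entries for `CLOUDWATCH_NAMESPACE`. The state and plan documents are constructed inline so it runs offline; the function names and the omitted S3/GitHub/HTTP calls are this example's assumptions, not the project's API.

```python
"""Illustrative drift summary for a Drifter-style check (added example, not the
project's own code). Assumes a plan has already been rendered with
`terraform show -json` against the remote state named by TERRAFORM_S3_BUCKET /
TERRAFORM_S3_KEY; S3, GitHub, Slack and CloudWatch I/O are left out."""
import json
import os
from collections import Counter

REQUIRED = ("TERRAFORM_S3_BUCKET", "TERRAFORM_S3_KEY", "TERRAFORM_GITHUB_REPO")


def load_config(env=None):
    """Read the README's environment variables, applying the documented defaults."""
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise ValueError("missing required settings: " + ", ".join(missing))
    return {
        "s3_bucket": env["TERRAFORM_S3_BUCKET"],
        "s3_key": env["TERRAFORM_S3_KEY"],
        "github_repo": env["TERRAFORM_GITHUB_REPO"],
        "github_branch": env.get("TERRAFORM_GITHUB_BRANCH", "master"),
        "github_folder": env.get("TERRAFORM_GITHUB_FOLDER", ""),
        "tmp_folder": env.get("TMP_FOLDER", "/tmp"),
        "debug": env.get("DEBUG", "False").lower() in ("1", "true", "yes"),
    }


def terraform_version(state_json):
    """A remote state file records the CLI version that wrote it; run the check
    with that version so a newer binary does not report spurious changes."""
    return json.loads(state_json)["terraform_version"]


def classify(actions):
    """Map a plan 'actions' list to one drift category, or None for no change."""
    if actions == ["no-op"]:
        return None
    if "delete" in actions and "create" in actions:
        return "replace"          # ["delete", "create"] or ["create", "delete"]
    return actions[0]             # create, update, delete or read


def summarise_drift(plan_json):
    """Count resources whose deployed state differs from the repo definition."""
    counts = Counter()
    drifted = []
    for change in json.loads(plan_json).get("resource_changes", []):
        kind = classify(change["change"]["actions"])
        if kind is None:
            continue
        counts[kind] += 1
        drifted.append((change["address"], kind))
    return {"drifted": len(drifted), "by_action": dict(counts), "resources": drifted}


def slack_payload(identifier, summary):
    """Body for the SLACK_WEBHOOK_URL POST (Slack's plain `text` message)."""
    if summary["drifted"] == 0:
        return {"text": f":white_check_mark: {identifier}: no drift detected"}
    lines = [f":warning: {identifier}: {summary['drifted']} resource(s) drifted"]
    lines += [f"- `{addr}` ({kind})" for addr, kind in summary["resources"]]
    return {"text": "\n".join(lines)}


def cloudwatch_metric_data(identifier, summary):
    """MetricData list for boto3 put_metric_data under CLOUDWATCH_NAMESPACE."""
    dims = [{"Name": "TerraformIdentifier", "Value": identifier}]
    data = [{"MetricName": "DriftedResources", "Dimensions": dims,
             "Value": summary["drifted"], "Unit": "Count"}]
    for action, n in sorted(summary["by_action"].items()):
        data.append({"MetricName": f"Drift{action.capitalize()}", "Dimensions": dims,
                     "Value": n, "Unit": "Count"})
    return data


# Constructed sample documents (not real state or plan output).
SAMPLE_STATE = json.dumps({"version": 4, "terraform_version": "0.12.29", "resources": []})
SAMPLE_PLAN = json.dumps({
    "format_version": "0.1",
    "resource_changes": [
        {"address": "aws_s3_bucket.state", "type": "aws_s3_bucket",
         "change": {"actions": ["no-op"]}},
        # "before" is what is deployed, "after" what the repo declares:
        # someone opened SSH to the world outside Terraform.
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"],
                    "before": {"ingress": [{"cidr_blocks": ["0.0.0.0/0"], "from_port": 22}]},
                    "after": {"ingress": [{"cidr_blocks": ["10.0.0.0/8"], "from_port": 22}]}}},
        {"address": "aws_iam_role.drifter", "type": "aws_iam_role",
         "change": {"actions": ["delete", "create"]}},
    ],
})

if __name__ == "__main__":
    cfg = load_config({"TERRAFORM_S3_BUCKET": "my-state-bucket",
                       "TERRAFORM_S3_KEY": "terraform.tfstate",
                       "TERRAFORM_GITHUB_REPO": "my-github-user/my-terraform-repo"})
    print("terraform version in state:", terraform_version(SAMPLE_STATE))
    summary = summarise_drift(SAMPLE_PLAN)
    print(json.dumps(slack_payload(cfg["github_repo"], summary), indent=2))
    print(json.dumps(cloudwatch_metric_data(cfg["github_repo"], summary), indent=2))
```

The security group entry in the sample plan is the case a scheduled drift check earns its keep on: `before` is the deployed resource (port 22 open to `0.0.0.0/0`) and `after` is what the repository declares, so the update shows up as one drifted resource in both the Slack message and the `DriftUpdate` metric.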
## Permissions - AWS
On the AWS side, permissions are granted by the Terraform. We don't know the scope of the Terraform we will be asked to check, but we do know that Drifter must not be able to change anything, so in the Terraform packaged with this module the Drifter task is given `arn:aws:iam::aws:policy/ReadOnlyAccess`, the AWS-managed policy that grants read-only access to all resource types. Note that read-only is still broad: `ReadOnlyAccess` includes data-reading actions such as `s3:GetObject`, so the task can read the contents of every bucket in the account, not just the state file. If that is more access than you want the scheduled task to hold, replace it with a policy scoped to the `Describe`/`List`/`Get` calls your Terraform actually needs plus `s3:GetObject` on the state object alone.
## Permissions - GitHub
For GitHub, the access token given to Drifter must have read access to the Terraform source repository; no write scope is needed. In Digirati's case, we simply add the `CI` team with read access in the repository's Teams list.
## Terraform
Terraform module for scheduled checking using Drifter, with notifications sent to a Slack webhook and metrics emitted to CloudWatch.
| Variable | Description | Default |
|-------------------------|---------------------------------------------------------------------|-------------------|
| prefix | Prefix to give to AWS resources | |
| slack_webhook_url | Slack Webhook URL for notifications | |
| terraform_identifier | Identifier for the Drifter task (e.g. `my-tf-repo-master`) | |
| terraform_s3_bucket | Name of S3 bucket that the Terraform resides in | |
| terraform_s3_key | S3 Key of the Terraform remote state file | terraform.tfstate |
| terraform_github_repo | GitHub repository in format `user/repo` | |
| terraform_github_branch | GitHub repository branch to use | master |
| terraform_github_folder | Subfolder within GitHub repository for Terraform | |
| terraform_github_token | GitHub access token for the repo defined in `terraform_github_repo` | |
| cloudwatch_namespace | AWS CloudWatch metric namespace where metrics should be shipped | |
| tmp_folder | Temporary folder to use | /tmp |
| log_group_name | CloudWatch log group name that the container will emit logs to | |
| region | AWS Region for resources | |
| account_id | AWS account ID | |
| cluster_id | The cluster on which to run the scheduled ECS task | |
| cron_expression         | Cron scheduling expression in form `cron(x x x x x x)`              |                   |

### Example
```hcl
module "drifter_estate" {
  # Terraform git source: "//tf" selects the module subdirectory and "ref="
  # the revision (a GitHub "/tree/master/tf" browser URL is not a valid source).
  # Pin ref to a release tag or commit SHA rather than a branch so the module
  # you run cannot change under you.
  source = "git::https://github.com/digirati-labs/drifter.git//tf?ref=master"

  slack_webhook_url      = "${var.slack_webhook_status}"
  terraform_identifier   = "my-terraform-repo-master"
  terraform_s3_bucket    = "my-state-bucket"
  terraform_github_repo  = "my-github-user/my-terraform-repo"
  terraform_github_token = "${data.aws_ssm_parameter.terraform_github_token.value}"
  cloudwatch_namespace   = "terraform-drift"
  log_group_name         = "${var.log_group_name}"
  prefix                 = "${var.prefix}"
  region                 = "${var.region}"
  account_id             = "${var.account_id}"
  cluster_id             = "${module.metropolis_cluster.cluster_id}"
  cron_expression        = "cron(0 0 * * ? *)"
}
```