Terraform drift detection using GitHub actions

tjtharrison
6 min readNov 7, 2023

If you use Terraform for managing your infrastructure as code, it is important to know when the current state of your infrastructure is different to the infrastructure you have specified in your repository.

Here is Hashicorp’s article on Terraform drift to explain in more detail: https://www.hashicorp.com/blog/detecting-and-managing-drift-with-terraform

In this article I’m going to be covering how to use a scheduled GitHub actions workflow to detect when this “drift” has occurred and send a message to a Slack channel notifying you of the differences.

Photo by Roberto H on Unsplash

Prerequisites

The example workflow I’ll be sharing covers installing infrastructure in AWS using Terraform. If this is the scenario you wish to be detecting drift in — You’ll need to have your GitHub runners already able to talk to AWS — I won’t be covering this in this article.

Further to the above, you will also require:

  • A GitHub repository containing your Terraform
  • The ability to create Slack incoming webhooks in your Slack team

The example we’re going to be using has multiple Terraform directories that are deployed using a matrix (if you do not have multiple directories — I’ll make a note of the changes required to the workflow).

The action also uses the GitHub action dflook/terraform-plan from the suite of actions to complete various Terraform related tasks in GitHub actions. If you wish to use a different action for generating Terraform plans you will need to update the workflow as appropriate.

Slack webhook

So the first thing we’ll want to do will be to create a Slack webhook API URL that we will be using to push messages into Slack.

I won’t dive into this much as this is well documented by Slack: https://api.slack.com/messaging/webhooks

Once you’ve got your webhook URL, we’ll want to create this as a GitHub secret on the repository that deploys your Terraform. Create a secret named DRIFT_DETECTION_SLACK_WEBHOOK as we’ll be referencing this in our workflow to complete posting the message into Slack.

--

--