Terrakube
Home
2.21.0
2.21.0
  • Introduction
  • Updates
  • Getting started
    • 📐Architecture
    • 🔐Security
    • 🚀Getting Started
    • 💿Docker Images
    • 🌐Docker Compose
    • 🚗Docker Compose + Traefik
    • 📥Deployment
      • 🔨Helm Chart
      • 🚀Minikube
      • 🔑Minikube + HTTPS
      • ✈️Ingress Configuration
      • 🔐User Authentication (DEX)
      • 💾Storage backend
        • Azure Storage Account
        • Amazon Cloud Storage
        • Google Cloud Storage
        • Minio (S3 compatible)
      • 🛰️Database Backend
        • SQL Azure
        • PostgreSQL
        • MySQL
        • H2
      • 🔐Custom CA Certs
      • ⚙️Custom Terraform CLI Builds
      • 👮Self-Hosted Agents
      • 📶Proxy Configuration
      • 🛡️Token Security
      • 🚦Open Telemetry
    • 🤵User Management
      • Azure Active Directory
      • Google Cloud Identity
      • Amazon Cognito
      • Github
  • 📓User Guide
    • Organizations
      • Creating an Organization
      • Global Variables
      • Team Management
      • API Tokens
      • Templates
        • Default Templates
        • Persistent Context
        • Import Templates
        • UI Templates
        • Filter global variables in jobs
        • Template Scheduling in Jobs
      • Tags
    • VCS Providers
      • Github
      • Github Enterprise
      • GitLab
      • Gitlab EE and CE
      • Bitbucket
      • Azure DevOps
      • SSH
    • Workspaces
      • Overview
      • Creating Workspaces
      • Terraform State
      • Share Workspace State
      • Variables
      • Dynamic Provider Credentials
        • AWS Dynamic Provider Credentials
        • Azure Dynamic Provider Credentials
        • GCP Dynamic Provider Credentials
      • Workspace scheduler
      • API-driven Workflow
      • CLI-driven Workflow
      • Ephemeral Workspaces
      • Actions
        • Developing Actions
          • Quick start
          • Display Criteria
          • Action Types
          • Action Context
          • Action Proxy
        • Built-in Actions
          • Open Documentation
          • Resource Details
          • Open in Azure Portal
          • Restart Azure VM
          • Azure Monitor
          • Open AI
    • Private Registry
      • Publishing Private Modules
      • Using Private Modules
    • Policy Enforcement (OPA)
    • Cost Estimation
    • Drift Detection
    • CI/CD Integration
      • Github Actions
      • Bitbucket
    • Terrakube CLI
      • Getting started
      • Installation
      • Commands
        • terrakube login
        • terrakube logout
        • terrakube organization
          • organization list
          • organization create
          • organization update
          • organization delete
        • terrakube team
          • team list
          • team create
          • team update
          • team delete
        • terrakube workspace
          • workspace list
          • workspace create
          • workspace update
          • workspace delete
          • workspace variable
            • variable list
        • terrakube variable
          • variable update
          • variable delete
          • variable create
        • terrakube job
          • job list
          • job create
        • terrakube module
          • module list
          • module create
          • module update
          • module delete
    • Reference
      • Executor
        • Terraform Execution Flow
        • Terraform Versions
    • Migrating to Terrakube
  • 🎓Learn
    • What is Terrakube
      • Section Overview
      • Terraform in a Nutshell
      • Terraform Challenges at Enterprise Level
      • Introducing Terrakube
      • Summary and Up Next
    • Deploying using Terrakube
  • 📖API
    • 🌟Getting started
    • ⚙️Methods
      • Globalvar
      • Organization
      • Teams
      • Workspace
      • Variables
      • History
      • Jobs
      • Template
      • Schedule
      • Step
      • Module
      • Vcs
      • Provider
      • Personal Access Token
      • Team API Tokens
      • SSH Key
      • Agent
Powered by GitBook
On this page
  • Open Policy Definition
  • Template Definition
  • Template Setup
  • Workspace Setup
  • Schedule Drift Detection

Was this helpful?

Edit on GitHub
Export as PDF
  1. User Guide

Drift Detection

Terrakube can be used to detect any infraestructure drift, this can be done using Terrakube extensions(open policy and slack), templates and schedules, below you can find an example of how this can be achieved.

Open Policy Definition

The firts step will be to create a small rego policy and add this to your Terrakube extensions repository inside the "policy" folder with the name "plan_information.rego", this is a very simple policy that will count the number of changes for a terraform plan.

package terrakube.plan.information

import input as tfplan
  
created := create_count {
    resources := [resource | resource:= tfplan.resource_changes[_]; resource.change.actions[_] == "create"]
    create_count := count(resources)
}

deleted := delete_count {
    resources := [resource | resource:= tfplan.resource_changes[_]; resource.change.actions[_] == "delete"]
    delete_count := count(resources)
}

updated := updated_count {
    resources := [resource | resource:= tfplan.resource_changes[_]; resource.change.actions[_] == "update"]
    updated_count := count(resources)
}

no_change := no_change_count {
    resources := [resource | resource:= tfplan.resource_changes[_]; resource.change.actions[_] == "no-op"]
    no_change_count := count(resources)

The output of this policy will look like this:

{
    "created": 2,
    "deleted": 4,
    "no_change": 2,
    "updated": 5
}

The policy should look like this in your extension repository

Template Definition

The firts step will be to create a Terrakube template that validate if there is a change in our infraestructure.

flow:
  - type: "terraformPlan"
    step: 100
    name: "Running Terraform Plan with Drift Detection and Slack Notification"
    commands:
      - runtime: "GROOVY"
        priority: 100
        after: true
        script: |
          import Opa

          new Opa().loadTool(
            "$workingDirectory",
            "$bashToolsDirectory",
            "0.45.0")
          "Opa Download Completed..."
      - runtime: "BASH"
        priority: 200
        after: true
        script: |
          cd $workingDirectory;
          terraform show -json terraformLibrary.tfPlan > tfplan.json;
          echo "Validating terraform plan information";
          opa exec --decision terrakube/plan/information --bundle .terrakube/toolsRepository/policy/ tfplan.json | jq '.result[0].result' > drift_detection.json;
          cat drift_detection.json;
      - runtime: "GROOVY"
        priority: 300
        after: true
        script: |
          import SlackApp
          import groovy.json.JsonSlurper
          import groovy.json.JsonOutput
          
          File drift_detection = new File("${workingDirectory}/drift_detection.json")
          String drift_detection_content = drift_detection.text

          println drift_detection_content

          def jsonSlurper = new JsonSlurper()
          def body = jsonSlurper.parseText(drift_detection_content)
          def changes =  body.created + body.updated + body.deleted

          if (changes > 0) {
            new SlackApp().sendMessageWithoutAttachment(
              "#general", 
              "Hello team, Terrakube has deteted an infrastructure drift, please review the following workspace $workspaceId inside organization $organizationId", 
              "$SLACK_TOKEN", 
              terrakubeOutput);
          } else {
            new SlackApp().sendMessageWithoutAttachment(
              "#general", 
              "Hello team, Terrakube did not detect any infrastructure drift for workspace $workspaceId inside organization $organizationId", 
              "$SLACK_TOKEN", 
              terrakubeOutput);
          }

          "Drift Detection Completed..."

In a high level this template will do the following:

  • Run a terraform plan

flow:
  - type: "terraformPlan"
    step: 100
    name: "Running Terraform Plan with Drift Detection and Slack Notification"
  • Once the terraform plan is completed, the template will import the Open Policy Extension to our job workspace

    commands:
      - runtime: "GROOVY"
        priority: 100
        after: true
        script: |
          import Opa

          new Opa().loadTool(
            "$workingDirectory",
            "$bashToolsDirectory",
            "0.45.0")
          "Opa Download Completed..."
  • The next step will be to export the terraform plan in JSON format and execute the rego policy to validate the number of changes in our terraform plan and create a file "drift_detection.json" with the result

      - runtime: "BASH"
        priority: 200
        after: true
        script: |
          cd $workingDirectory;
          terraform show -json terraformLibrary.tfPlan > tfplan.json;
          echo "Validating terraform plan information";
          opa exec --decision terrakube/plan/information --bundle .terrakube/toolsRepository/policy/ tfplan.json | jq '.result[0].result' > drift_detection.json;
          cat drift_detection.json;
      
  • Now you can use the "drift_detection.json" file using a simple groovy script to review the number of changes in the terraform plan.

      - runtime: "GROOVY"
        priority: 300
        after: true
        script: |
          import SlackApp
          import groovy.json.JsonSlurper
          import groovy.json.JsonOutput
          
          File drift_detection = new File("${workingDirectory}/drift_detection.json")
          String drift_detection_content = drift_detection.text

          println drift_detection_content

          def jsonSlurper = new JsonSlurper()
          def body = jsonSlurper.parseText(drift_detection_content)
          def changes =  body.created + body.updated + body.deleted
  • Once you have the number of changes we can add a simple validation to send a Slack Message using the Terrakube extension to notify you teams if an infrastructure drift was detected

          if (changes > 0) {
            new SlackApp().sendMessageWithoutAttachment(
              "#general", 
              "Hello team, Terrakube has deteted an infrastructure drift, please review the following workspace $workspaceId inside organization $organizationId", 
              "$SLACK_TOKEN", 
              terrakubeOutput);
          } else {
            new SlackApp().sendMessageWithoutAttachment(
              "#general", 
              "Hello team, Terrakube did not detect any infrastructure drift for workspace $workspaceId inside organization $organizationId", 
              "$SLACK_TOKEN", 
              terrakubeOutput);
          }
SLACK_TOKEN is an environment variable that you can define at workspace level.
You can also setup this using the global variables in your organization

Template Setup

Now that you have define the template to detect the infraestructure drif you can add the template in your Terrakube organization using the name "Drift Detection"

The template will look like this:

Now you can use this template in any workspace inside your organization

Workspace Setup

To test the template we can use the following example for Azure and we execute a Terraform Apply inside Terrakube. This will create a app service plan with tier Basic and size B1

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.25.0"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "api-rg-pro"
  location = "East Us 2"
}

resource "azurerm_app_service_plan" "example" {
  name                = "api-appserviceplan-pro"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  sku {
    tier = "Basic"
    size = "B1"
  }
}

Once our resources are created in Azure we can run the Drift Detection template.

The template will send a message to a Slack channel with the following:

  • If there is no infracstructure change you should receive the following message in your slack channel.

  • If for some reason the resource in Azure is changed (scale up) and our state in Terrakube does not match with Azure you will see the following message.

Schedule Drift Detection

Now that you have tested the Drift Detection template, you can use with the Workspace Schedule feature to run this template for example every day at 5:30 AM for the workspace.

You will have to go the the "Schedule" option inside your workspace.

Now you can select the Drift Detection template to run at 5:30 AM every day.

Now you should receive the notification in your Slack channel every day at 5:30 am

Implementing Drift detection in Terrakube is easy, you just need to make use of extension and write a small script, this is just an example of easy is to extend Terrakube functionality using extensions, you can even create more complex templates quickly, for example you could create a webhook or send emails using the sendgrid extension.

PreviousCost EstimationNextCI/CD Integration

Last updated 11 months ago

Was this helpful?

Terrakube extensions can be stored inside a GIT repository that you can configure when staring the platform. This is an example repository that you can fork or customize to create your custom extensions based on your own requirements

📓
https://github.com/AzBuilder/terrakube-extensions