DEV Community

Cover image for Day 30 – Terraform Drift Detection & Auto-Remediation with GitHub Actions πŸš€
Jeeva
Jeeva

Posted on

Day 30 – Terraform Drift Detection & Auto-Remediation with GitHub Actions πŸš€

#aws #terraform #devops #github

🎯 Objective

  1. Build a fully automated system that:
  2. Provisions infrastructure using Terraform
  3. Detects unauthorized/manual infrastructure changes (drift)
  4. Automatically remediates drift
  5. Sends Slack notifications
  6. Manages GitHub issues for audit tracking
  7. Supports dev and prod environments All using GitHub Actions as the automation engine

πŸ— Project Architecture
The infrastructure includes:

  • VPC with public & private subnets
  • NAT Gateway for outbound internet
  • Autoscaling group across availability zones
  • Separate backend state for dev & prod (S3 + DynamoDB locking)
  • GitHub repository as the single source of truth

Terraform code is stored in GitHub, and GitHub Actions workflows automate:

  1. Provisioning
  2. Drift detection
  3. Destruction

πŸ”„ How Drift Detection Works
Terraform’s plan command supports detailed exit codes:
0 β†’ No changes
2 β†’ Drift detected
1 β†’ Error

The drift detection workflow runs:
terraform plan -detailed-exitcode

If exit code 2 is returned:

  • Drift is confirmed
  • terraform apply -auto-approve runs automatically
  • Infrastructure is restored to the desired state
  • Slack notification is sent
  • GitHub issue is updated/closed

This enforces:
Terraform code = Single Source of Truth

πŸ§ͺ Live Drift Testing
A manual change was made directly in AWS (modifying resource tags).

Result:
GitHub Actions detected drift
Terraform re-applied correct configuration
Tags reverted automatically
Slack notification confirmed remediation
GitHub issue lifecycle updated

This demonstrated real production-level drift governance.

πŸ” Security & Best Practices Implemented

  • AWS credentials stored in GitHub Secrets
  • Slack webhook stored securely
  • Separate backend state for dev & prod
  • DynamoDB locking to prevent concurrent state corruption
  • Scheduled Cron-based drift monitoring
  • Manual approvals for production workflows

πŸ“Œ Key Takeaways
βœ” Drift detection prevents configuration inconsistencies
βœ” GitHub Actions can fully automate infrastructure lifecycle
βœ” Terraform exit codes enable intelligent CI/CD logic
βœ” Slack integration improves operational visibility
βœ” GitHub Issues provide audit traceability
βœ” IaC must always be treated as the single source of truth

Top comments (0)