
GitHub Action: atmos-terraform-drift-remediation

This GitHub Action is used to remediate Terraform drift.

Introduction

This action is used for drift remediation: it applies (or discards) a planfile that was stored by the drift-detection run.

There is a companion action, github-action-atmos-terraform-drift-detection, which detects the drift and opens the issue this action acts on.

Usage

Workflow example

In this example, drift is remediated when a user adds the `apply` label to a drift issue, and the stored plan is discarded when the issue is closed without a `remediated` label.

```yaml
name: github-action-atmos-terraform-drift-remediation
run-name: github-action-atmos-terraform-drift-remediation

on:
  issues:
    types:
      - labeled
      - closed

permissions:
  id-token: write   # needed for OIDC when assuming the AWS roles below
  contents: read

jobs:
  remediate-drift:
    runs-on: ubuntu-latest
    name: github-action-atmos-terraform-drift-remediation
    if: |
      github.event.action == 'labeled' &&
      contains(join(github.event.issue.labels.*.name, ','), 'apply')
    steps:
      - name: github-action-atmos-terraform-drift-remediation
        uses: cloudposse/github-action-atmos-terraform-drift-remediation@v1
        with:
          issue-number: ${{ github.event.issue.number }}
          action: remediate
          atmos-config-path: "${{ github.workspace }}/rootfs/usr/local/etc/atmos/"
          # input name matches the Inputs table below (terraform-apply-role)
          terraform-apply-role: "arn:aws:iam::111111111111:role/acme-core-gbl-identity-gitops"
          terraform-state-bucket: "acme-core-ue2-auto-gitops"
          terraform-state-role: "arn:aws:iam::999999999999:role/acme-core-ue2-auto-gitops-gha"
          terraform-state-table: "acme-core-ue2-auto-gitops"
          aws-region: "us-east-2"

  discard-drift:
    runs-on: ubuntu-latest
    name: github-action-atmos-terraform-drift-remediation
    if: |
      github.event.action == 'closed' &&
      !contains(join(github.event.issue.labels.*.name, ','), 'remediated')
    steps:
      - name: github-action-atmos-terraform-drift-remediation
        uses: cloudposse/github-action-atmos-terraform-drift-remediation@v1
        with:
          issue-number: ${{ github.event.issue.number }}
          action: discard
```
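To reason about the two `if:` gates without pushing a workflow, here is a small Python model of how the expression functions `join()` and `contains()` evaluate on an `issues` event payload. It is example code added for this page, not part of the Cloud Posse action; `should_remediate_strict`, which gates on `github.event.label.name` (the label that was just added), is a suggested variant rather than something the action prescribes, and the payloads built by `make_event` are constructed, minimal stand-ins for real webhook data.

```python
# Added example (not part of the cloudposse action): a plain-Python model of the
# two `if:` gates in the workflow above, so the trigger logic can be checked
# offline against constructed `issues` event payloads.


def gh_join(values, sep=","):
    """Mirror of the GitHub Actions expression function join(array, sep)."""
    return sep.join(str(v) for v in values)


def gh_contains(search, item):
    """Mirror of contains(search, item) on strings: a case-insensitive substring test."""
    return str(item).lower() in str(search).lower()


def label_names(event):
    """Equivalent of github.event.issue.labels.*.name."""
    return [label["name"] for label in event["issue"]["labels"]]


def should_remediate(event):
    """The workflow's remediate-drift gate:
    github.event.action == 'labeled' &&
    contains(join(github.event.issue.labels.*.name, ','), 'apply')"""
    return event["action"] == "labeled" and gh_contains(gh_join(label_names(event)), "apply")


def should_discard(event):
    """The workflow's discard-drift gate:
    github.event.action == 'closed' &&
    !contains(join(github.event.issue.labels.*.name, ','), 'remediated')"""
    return event["action"] == "closed" and not gh_contains(
        gh_join(label_names(event)), "remediated"
    )


def should_remediate_strict(event):
    """Stricter variant (an assumption of this example, not from the page): fire
    only when the label that was just added (github.event.label.name) is exactly
    'apply'.  This avoids two quirks of the substring gate: a label such as
    'do-not-apply' satisfying it, and any later unrelated label re-triggering the
    apply while 'apply' is still on the issue."""
    added = event.get("label", {}).get("name", "")
    return event["action"] == "labeled" and added.lower() == "apply"


def make_event(action, labels, added=None):
    """Constructed minimal `issues` webhook payload for testing."""
    event = {
        "action": action,
        "issue": {"number": 42, "labels": [{"name": n} for n in labels]},
    }
    if added is not None:
        event["label"] = {"name": added}
    return event


if __name__ == "__main__":
    quirky = make_event("labeled", ["do-not-apply"], added="do-not-apply")
    print("substring gate on 'do-not-apply':", should_remediate(quirky))        # True
    print("strict gate on 'do-not-apply':   ", should_remediate_strict(quirky))  # False
```

The quirk worth knowing: `contains(join(...), 'apply')` is a substring match over the comma-joined label list, so any label whose name merely contains "apply" passes, and because the gate reads the issue's full label list rather than the label that triggered the event, adding any other label while `apply` is present runs the remediate job again. Gating on the exact added label, and keeping label permissions on the repository limited to the people who should be able to trigger an apply, keeps the trigger as narrow as the page intends.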

Inputs

| Name | Description | Default | Required |
|------|-------------|---------|----------|
| action | Drift remediation action. One of `remediate`, `discard`. | `remediate` | false |
| atmos-config-path | The path to the folder where the `atmos.yaml` file is located. | | false |
| atmos-version | Atmos version to use for vendoring. | `latest` | false |
| aws-region | AWS region for assuming identity. | `us-east-1` | false |
| debug | Enable action debug mode. | `false` | false |
| issue-number | Issue number. | N/A | true |
| terraform-apply-role | The AWS role to be used to apply Terraform. Required for action `remediate`. | N/A | false |
| terraform-state-bucket | The S3 bucket where the planfiles are stored. Required for action `remediate`. | N/A | false |
| terraform-state-role | The AWS role to be used to retrieve the planfile from AWS. Required for action `remediate`. | N/A | false |
| terraform-state-table | The DynamoDB table where planfile metadata is stored. Required for action `remediate`. | N/A | false |
| terraform-version | The version of Terraform CLI to install. Instead of a full version string you can also specify a constraint string starting with `<` (for example `<1.13.0`) to install the latest version satisfying the constraint. A value of `latest` installs the latest version of Terraform CLI. | `latest` | false |
| token | Used to pull node distributions for Atmos from Cloud Posse's GitHub repository. Since there is a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting. | `${{ github.server_url == 'https://github.com' && github.token \|\| '' }}` | false |