terradiff
Get told when reality no longer matches your Terraform configuration.
This project is not ready for general use. This README is an infelicitous mix of documentation, plans, aspirations, and notes to self.
Why you might want this
Say you've got some Terraform configuration in a Git repository somewhere.
You will have some way of applying this configuration to your environments.
You might run terraform
manually, you might run it from CI, or you
might use a tool like Atlantis.
No matter which of these you do, there might still be times when your actual environment will differ from what you intend in your configuration. Perhaps the config fails to apply. Perhaps someone made a direct change to the environment, circumventing your Terraform.
When this happens, you want to be told. In fact, you want to be alerted, so you can take whatever action is necessary to reconcile your configuration and reality.
What this does
When deployed, terradiff monitors a Terraform configuration and runs
terraform plan
every so often (every 2 minutes, say). It exports a
Prometheus gauge, terradiff_plan_exit_code
, that indicates whether
terraform plan
succeeded with no diff (0), failed due to some kind of
error (1), or succeeded with some kind of diff (2). See the terraform plan
manual for more details.
You can then configure a Prometheus alert that will tell you when there's a diff, or when the diffing process is broken.
terradiff also serves a simple web UI that shows the full terraform plan
output. Your alert should link to that page so you can figure out what to do.
How to deploy it
terradiff is designed to run on Kubernetes. It is cloud native, if you're into that sort of thing.
It expects to run with a git-sync sidecar that pulls in your Terraform configuration from Git.
An example Kubernetes Deployment manifest can be
found in this repository. It assumes you have a Secret named
git-sync-secret
with your GitHub credentials for synchronising the
repository with your Terraform configuration, and Secrets for any credentials
required to run terraform plan
on that configuration.
Example alerting rules are also provided.
History
This project is inspired by the use of Terraform at Weaveworks. In particular, its lineage includes prom-run.
How to build this project
You really want to have stack installed, and to invoke it directly.