terradiff

Primary language: JavaScript. License: GNU Affero General Public License v3.0 (AGPL-3.0).

Get told when reality no longer matches your Terraform configuration.

This project is not ready for general use. This README is an infelicitous mix of documentation, plans, aspirations, and notes to self.

Why you might want this

Say you've got some Terraform configuration in a Git repository somewhere.

You will have some way of applying this configuration to your environments. You might run terraform manually, you might run it from CI, or you might use a tool like Atlantis.

No matter which of these you do, there might still be times when your actual environment will differ from what you intend in your configuration. Perhaps the config fails to apply. Perhaps someone made a direct change to the environment, circumventing your Terraform.

When this happens, you want to be told. In fact, you want to be alerted, so you can take whatever action is necessary to reconcile your configuration and reality.

What this does

When deployed, terradiff monitors a Terraform configuration and runs terraform plan every so often (every 2 minutes, say). It exports a Prometheus gauge, terradiff_plan_exit_code, that indicates whether terraform plan succeeded with no diff (0), failed due to some kind of error (1), or succeeded with some kind of diff (2). See the terraform plan manual for more details.

You can then configure a Prometheus alert that will tell you when there's a diff, or when the diffing process is broken.

terradiff also serves a simple web UI that shows the full terraform plan output. Your alert should link to that page so you can figure out what to do.

How to deploy it

terradiff is designed to run on Kubernetes. It is cloud native, if you're into that sort of thing.

It expects to run with a git-sync sidecar that pulls in your Terraform configuration from Git.

An example Kubernetes Deployment manifest can be found in this repository. It assumes you have a Secret named git-sync-secret with your GitHub credentials for synchronising the repository with your Terraform configuration, and Secrets for any credentials required to run terraform plan on that configuration.

Example alerting rules are also provided.

History

This project is inspired by the use of Terraform at Weaveworks. In particular, its lineage includes prom-run.

How to build this project

You really want to have stack installed, and to invoke it directly.