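# Environment-Based Drift Detection Workflow
# This workflow demonstrates how to handle different credentials per environment
# Each environment (production, staging, dev) runs as a separate job with its own authentication
#
# Notes for maintainers:
# - The AWS steps use role-to-assume with no static keys, i.e. OIDC federation. That only
#   works when the workflow grants `id-token: write` (see `permissions` below).
# - Action outputs are passed into shell steps through `env:` rather than being
#   interpolated into the script text, so unexpected output content cannot be executed.
# - Third-party actions are referenced by major tag; pinning to a full commit SHA is the
#   stricter supply-chain option if your policy requires it.
name: Environment-Based Drift Detection

on:
  schedule:
    # Check production every 6 hours
    - cron: '0 */6 * * *'
    # Check staging daily at 9am
    - cron: '0 9 * * *'
  workflow_dispatch:
    inputs:
      environment:
        description: 'Which environment to check'
        required: true
        type: choice
        options:
          - all
          - production
          - staging
          - development

# Least-privilege GITHUB_TOKEN. `contents: read` is enough for actions/checkout;
# `id-token: write` is required by aws-actions/configure-aws-credentials to mint the
# OIDC token exchanged for the per-environment role.
permissions:
  contents: read
  id-token: write

jobs:
  # Production Environment Job
  drift-check-production:
    name: Production Drift Check
    runs-on: ubuntu-latest
    # Only run if: manual trigger selects 'all' or 'production', OR scheduled 6-hour cron.
    # Parentheses make the &&/|| grouping explicit (&& binds tighter than ||).
    if: |
      (github.event_name == 'schedule' && github.event.schedule == '0 */6 * * *') ||
      (github.event_name == 'workflow_dispatch' && (github.event.inputs.environment == 'all' || github.event.inputs.environment == 'production'))
    timeout-minutes: 30
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Production AWS Authentication
      - name: Configure AWS credentials for Production
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_PROD_ROLE }}
          role-session-name: drifthound-prod-check
          aws-region: us-east-1

      # Run drift detection for production scopes only
      - name: Run drift detection for production
        id: prod-drift
        uses: drifthoundhq/drifthound-action@v1
        with:
          drifthound-url: ${{ secrets.DRIFTHOUND_URL }}
          drifthound-token: ${{ secrets.DRIFTHOUND_TOKEN }}
          environment: production # Simple! Filter by environment field

      # Example: Block further actions if production has drift
      # DriftHound sends Slack notifications automatically via slack_channel config
      - name: Check production drift status
        if: steps.prod-drift.outputs.drift-detected == 'true'
        env:
          # Outputs come from an external service via the action; keep them out of the
          # script body and read them as ordinary shell variables instead.
          SCOPES_WITH_DRIFT: ${{ steps.prod-drift.outputs.scopes-with-drift }}
          SCOPES_RUN: ${{ steps.prod-drift.outputs.scopes-run }}
        run: |
          echo "::warning::Production drift detected in ${SCOPES_WITH_DRIFT} scope(s)"
          echo "Total scopes checked: ${SCOPES_RUN}"
          echo "Review drift details in DriftHound before deploying"
          # Uncomment to block deployments:
          # exit 1

  # Staging Environment Job
  drift-check-staging:
    name: Staging Drift Check
    runs-on: ubuntu-latest
    # Only run if: manual trigger selects 'all' or 'staging', OR daily 9am cron
    if: |
      (github.event_name == 'schedule' && github.event.schedule == '0 9 * * *') ||
      (github.event_name == 'workflow_dispatch' && (github.event.inputs.environment == 'all' || github.event.inputs.environment == 'staging'))
    timeout-minutes: 20
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Staging AWS Authentication
      - name: Configure AWS credentials for Staging
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_STAGING_ROLE }}
          role-session-name: drifthound-staging-check
          aws-region: us-east-1

      # Run drift detection for staging scopes only
      - name: Run drift detection for staging
        uses: drifthoundhq/drifthound-action@v1
        with:
          drifthound-url: ${{ secrets.DRIFTHOUND_URL }}
          drifthound-token: ${{ secrets.DRIFTHOUND_TOKEN }}
          environment: staging # Simple! Filter by environment field

  # Development Environment Job
  drift-check-development:
    name: Development Drift Check
    runs-on: ubuntu-latest
    # Only run on manual trigger
    if: |
      github.event_name == 'workflow_dispatch' &&
      (github.event.inputs.environment == 'all' || github.event.inputs.environment == 'development')
    timeout-minutes: 20
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Development AWS Authentication
      - name: Configure AWS credentials for Development
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_DEV_ROLE }}
          role-session-name: drifthound-dev-check
          aws-region: us-east-1

      # Run drift detection for development scopes only
      - name: Run drift detection for development
        uses: drifthoundhq/drifthound-action@v1
        with:
          drifthound-url: ${{ secrets.DRIFTHOUND_URL }}
          drifthound-token: ${{ secrets.DRIFTHOUND_TOKEN }}
          environment: development # Simple! Filter by environment field

  # Summary Job (optional)
  summary:
    name: Summary
    runs-on: ubuntu-latest
    needs:
      - drift-check-production
      - drift-check-staging
      - drift-check-development
    if: always()
    steps:
      - name: Check results
        env:
          # needs.<job>.result is one of success / failure / cancelled / skipped.
          PROD_RESULT: ${{ needs.drift-check-production.result }}
          STAGING_RESULT: ${{ needs.drift-check-staging.result }}
          DEV_RESULT: ${{ needs.drift-check-development.result }}
        run: |
          echo "## Drift Detection Summary" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"

          # Append one summary row per environment; a cancelled job gets its own row
          # instead of silently disappearing from the report.
          report() {
            local label="$1" result="$2"
            case "$result" in
              success)   echo "✅ **${label}**: No issues" >> "$GITHUB_STEP_SUMMARY" ;;
              failure)   echo "❌ **${label}**: Drift detected or error" >> "$GITHUB_STEP_SUMMARY" ;;
              skipped)   echo "⏭️ **${label}**: Skipped" >> "$GITHUB_STEP_SUMMARY" ;;
              cancelled) echo "🚫 **${label}**: Cancelled" >> "$GITHUB_STEP_SUMMARY" ;;
            esac
          }

          report "Production" "$PROD_RESULT"
          report "Staging" "$STAGING_RESULT"
          report "Development" "$DEV_RESULT"

      - name: Fail if any environment failed
        if: |
          needs.drift-check-production.result == 'failure' ||
          needs.drift-check-staging.result == 'failure' ||
          needs.drift-check-development.result == 'failure'
        run: |
          echo "::error::One or more environments had drift or errors"
          exit 1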