GitHub Action to validate infrastructure state by running terraform plan with detailed exit codes to detect configuration drift.
This action runs `terraform plan` with the `-detailed-exitcode` flag to detect when deployed infrastructure has drifted from the expected state defined in Terraform code. It validates three types of infrastructure sequentially: the AKS cluster, the domains environment and the domains infrastructure.

The action is designed to be used in scheduled workflows to continuously validate infrastructure compliance.

The action sets the `DETAILED_EXITCODE=-detailed-exitcode` environment variable before running three make targets:

- `make ci $ terraform-plan` - AKS cluster validation
- `make ci $ domains-plan` - Domains environment validation
- `make ci domains-infra-plan` - Domains infrastructure validation

Your Makefile's `terraform plan` commands should use `${DETAILED_EXITCODE}` to include this flag when it is set. All three validations run sequentially, and each reports its drift status independently, so one target failing or drifting does not stop the others from being checked.
```yaml
- name: Validate infrastructure
  uses: DFE-Digital/github-actions/validate-infra@main
  with:
    azure-client-id: $
    azure-subscription-id: $
    azure-tenant-id: $
    environment: production
    slack-webhook: $
```

The snippet references the action at `@main`. For a reproducible and auditable supply chain, pin third-party actions to a release tag or, preferably, a full commit SHA, and update the pin deliberately.
| Input | Description | Required | Default |
|---|---|---|---|
| `azure-client-id` | Azure service principal or managed identity client ID for OIDC | No | - |
| `azure-subscription-id` | Azure subscription ID for OIDC | No | - |
| `azure-tenant-id` | Azure tenant ID for OIDC | No | - |
| `environment` | Environment to validate (`test`, `platform-test`, `production`) | Yes | - |
| `terraform-main-ref` | Git ref (branch/tag/SHA) to use for terraform code | No | `main` |
| `terraform-base` | Path to the terraform files | No | `cluster/terraform_aks_cluster` |
| `terraform-version-file` | Name of file containing terraform version | No | `terraform.tf` |
| `slack-webhook` | Slack webhook URL for notifications | No | - |
| Output | Description |
|---|---|
| `cluster_drift_detected` | Whether AKS cluster infrastructure drift was detected (`true`, `false`, or `error`) |
| `domains_env_drift_detected` | Whether domains environment infrastructure drift was detected (`true`, `false`, or `error`) |
| `domains_infra_drift_detected` | Whether domains infrastructure drift was detected (`true`, `false`, or `error`) |
The action interprets `terraform plan` exit codes as follows:

- `0`: No changes. Infrastructure matches configuration (reported as `false`)
- `1`: Error occurred during plan (reported as `error`)
- `2`: Changes detected. Infrastructure has drifted (reported as `true`)

Exit code `1` covers any failure of the plan itself (authentication, backend or state access, invalid configuration), so an `error` result means the check could not be performed and must not be read as "no drift".

Example of a scheduled workflow that runs the action daily and on demand:

```yaml
name: Infrastructure Validation

on:
  schedule:
    - cron: "0 2 * * *" # Daily at 2 AM UTC
  workflow_dispatch:
    inputs:
      environment:
        description: "Environment to validate"
        type: choice
        options: [test, production]

jobs:
  validate:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Required for OIDC authentication
      contents: read
    steps:
      - name: Validate infrastructure
        id: validate
        uses: DFE-Digital/github-actions/validate-infra@main
        with:
          azure-client-id: $
          azure-subscription-id: $
          azure-tenant-id: $
          environment: $
          slack-webhook: $
```

The `permissions` block is the minimum the job needs: `id-token: write` lets the runner request the OIDC token that is exchanged for Azure credentials, and `contents: read` is enough to check out the Terraform code. No long-lived Azure secret is stored in the repository.
Your Makefile must define the following targets, each of which passes the `${DETAILED_EXITCODE}` variable to `terraform plan`:

- `terraform-plan` - AKS cluster validation
- `domains-plan` - Domains environment validation
- `domains-infra-plan` - Domains infrastructure validation

The `ci` and environment targets must also be defined in your Makefile. For example:

```makefile
terraform-plan:
	terraform -chdir=$(TERRAFORM_PATH) plan $(DETAILED_EXITCODE)

domains-plan:
	terraform -chdir=terraform/domains/environment_domains plan $(DETAILED_EXITCODE)

domains-infra-plan:
	terraform -chdir=terraform/domains/infrastructure plan $(DETAILED_EXITCODE)
```

Make imports environment variables as make variables, so when the action has exported `DETAILED_EXITCODE` the flag is added, and when the variable is unset (for example when a developer runs the target locally) `$(DETAILED_EXITCODE)` expands to nothing and a plain `terraform plan` runs.
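As an added example, not code from the validate-infra action or the DFE-Digital repository, the following bash shows the exit-code mapping described above wired to the per-target outputs from the outputs table, plus one way to collapse the three verdicts into a single word for a notification. The function names (`drift_status`, `run_plan_check`, `overall_verdict`, `demo`) are constructed for illustration, and `sh -c 'exit N'` stands in for the three make targets so the script runs offline; the output names follow the table above.

```bash
#!/usr/bin/env bash
# Added example (not part of the validate-infra action): run a plan command,
# capture its -detailed-exitcode status and map it to the action's drift
# vocabulary (true / false / error), publishing it as a GitHub Actions output.

# drift_status EXIT_CODE: print the drift verdict for a terraform plan exit code.
drift_status() {
  case "$1" in
    0) printf 'false\n' ;;  # empty diff: deployed state matches the code
    2) printf 'true\n' ;;   # non-empty diff: drift detected
    *) printf 'error\n' ;;  # 1 (or anything unexpected): the plan itself failed
  esac
}

# run_plan_check NAME CMD [ARGS...]: run CMD, which is expected to exit 0/1/2,
# and record "<NAME>_drift_detected=<verdict>" in $GITHUB_OUTPUT when it is set.
# The `|| rc=$?` form keeps a non-zero exit from aborting a `set -e` script,
# because exit 2 is a normal result here, not a failure.
run_plan_check() {
  name="$1"; shift
  rc=0
  "$@" || rc=$?
  verdict="$(drift_status "$rc")"
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    printf '%s_drift_detected=%s\n' "$name" "$verdict" >> "$GITHUB_OUTPUT"
  fi
  printf '%s\n' "$verdict"
}

# overall_verdict V1 V2 ...: collapse per-target verdicts into one word for a
# notification: "error" if any plan failed, else "drift" if any target drifted,
# else "clean". A failed plan wins because it hides whatever drift that target
# may have, so the run cannot be called clean.
overall_verdict() {
  result="clean"
  for v in "$@"; do
    case "$v" in
      error) result="error" ;;
      true)  [ "$result" = "error" ] || result="drift" ;;
    esac
  done
  printf '%s\n' "$result"
}

# Stand-alone demo with constructed stand-ins for the three make targets:
# `sh -c 'exit N'` plays the role of `terraform plan -detailed-exitcode`.
demo() {
  cluster="$(run_plan_check cluster sh -c 'exit 0')"           # in sync
  env_dom="$(run_plan_check domains_env sh -c 'exit 2')"       # drifted
  infra="$(run_plan_check domains_infra sh -c 'exit 1')"       # plan failed
  overall_verdict "$cluster" "$env_dom" "$infra"
}
```

One point to check when the plan is wrapped in `make ci ... terraform-plan`: GNU make exits with status 2 whenever any recipe fails, whatever the recipe's own exit code, so the exit status of `make` alone cannot tell terraform's `1` (error) from `2` (drift). The distinction has to come from the terraform process itself, for example by invoking it directly as the example does or by having the recipe record terraform's exit code for the caller.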