Terraform Drift Detection: A Deep Dive For Azure Infrastructure

Hey guys! Let's dive into Terraform configuration drift detection for Azure infrastructure. This is super important for keeping your infrastructure in check, so let's get started!

Overview

We're going to explore the necessity and implementation of a mechanism to detect "configuration drift" in Azure infrastructure managed by Terraform.

Note: This feature is considered an add-on after the basic Terraform implementation in Issue #37 is complete. So, it's something we'll tackle a bit later.

What is Configuration Drift?

Configuration Drift is when the actual state of your infrastructure managed by Terraform differs from the expected state defined in your Terraform state file and configuration files. Think of it like this: you set things up perfectly, but then something changes outside of your control, and your infrastructure is no longer as you intended. This is a common issue, especially in large, dynamic environments.

Examples of Causes

Configuration drift can happen for several reasons. Let's look at some common scenarios:

• Manual Changes via Azure Portal: Someone might log into the Azure Portal and tweak settings directly. This is a big one because it bypasses Terraform.
• Changes via Other Tools (ARM templates, Azure CLI, etc.): If you're using other tools to manage your infrastructure alongside Terraform, they might make changes that Terraform isn't aware of.
• Automatic Changes due to Security Policies: Sometimes, security policies can automatically modify configurations to ensure compliance. While this is good for security, it can lead to drift.
• Manual Changes for Emergency Response: In emergency situations, admins might make quick changes directly to the infrastructure. This is understandable, but it can cause drift if not properly documented and brought back into Terraform.

Mentions in Microsoft Docs

Let's see what Microsoft has to say about this. They actually highlight the importance of drift detection in their official documentation.

Reference 1: Deploy to Azure infrastructure with GitHub Actions

3. Terraform Drift Detection This workflow runs on a periodic basis to scan your environment for any configuration drift or changes made outside of Terraform. If any drift is detected, a GitHub Issue is raised to alert the maintainers of the project.

Microsoft's official documentation recommends three main workflows as best practices for Terraform CI/CD with GitHub Actions:

1. Terraform Unit Tests: Checks the quality of your code. Think of it as making sure your Terraform code is solid before you deploy anything.
2. Terraform Plan/Apply: Plans and applies your changes. This is the core of Terraform's operation.
3. Terraform Drift Detection: Regularly detects configuration drift. This is the one we're focusing on!

Reference 2: Terraform GitHub Actions Sample

Microsoft provides an official sample repository that includes a Terraform Drift Detection workflow. This is a great example of how to set up drift detection in your own projects. It shows you the nuts and bolts of how it's done in a real-world scenario.

Implementation Method

Here’s how you can implement drift detection, based on the Microsoft example:

• Periodic Execution: Use GitHub Actions' schedule trigger to run the drift detection workflow regularly. This ensures you're always on the lookout for changes.
• Detection Method: Check for changes using the output of terraform plan. If terraform plan shows differences, you've got drift!
• Notification: Automatically create a GitHub Issue when drift is detected. This alerts your team to the problem so they can investigate.

Necessity in General Operations

So, when is drift detection really important? Let's break it down.

Cases Where Drift Detection is Useful

1. Large Teams: When you have multiple admins, it’s easier for someone to make a change without realizing the impact. Drift detection keeps everyone on the same page.
2. Long-Term Operations: The longer your infrastructure runs, the higher the risk of manual changes creeping in. Drift detection is like a safety net.
3. Compliance Requirements: If you need to prove the integrity of your infrastructure configuration, drift detection is a must-have.
4. Production Environments: Catching unexpected changes early is crucial in production. Drift detection can prevent major headaches.

Cases Where Drift Detection May Not Be Necessary

1. Small Projects: If you're the only admin and you're super careful, you might not need it. But even then, it's good to have!
2. Early Development Stages: When your infrastructure is changing rapidly, drift detection might create too much noise. But consider adding it as you stabilize.
3. Short-Term Projects: If your project is short-lived, the overhead of drift detection might not be worth it.

Implementation Complexity and Operational Load

Implementing drift detection isn't too hard, but there are some things to consider. Let's look at the challenges and the ongoing effort required.

Implementation Challenges

• False Positives: Azure's automatic updates can sometimes trigger false alarms. You'll need to filter these out.
• Permissions Management: Setting up the Service Principal for periodic execution requires careful permission management.
• Notification Frequency: Too many alerts can lead to alert fatigue. You want to strike the right balance.
• Response Flow: You need a clear process for fixing drift once it's detected. Who's responsible? What are the steps?

Operational Load

• Regular Issue Review and Resolution: You'll need to check the GitHub Issues created by drift detection and take action.
• Drift Cause Investigation: Figuring out why the drift occurred can take time. Was it intentional? Was it a mistake?
• Distinguishing Intentional Changes: You'll need to differentiate between intentional changes (that should be brought into Terraform) and unintentional ones.

Recommendations

Current Project Priority: Low

Reasons:

1. Small Personal Project: There's only one of us managing things right now.
2. Development Phase: The infrastructure configuration is still evolving.
3. Prioritize Basic Implementation: Getting the core Terraform CI/CD setup right is the most important thing for now.

Future Implementation Timing

We should consider implementing drift detection when:

• [ ] Terraform basic implementation is complete (Issue #37). This is our foundation.
• [ ] We have stable operation in the production environment (3-6 months). This gives us time to see how things are working.
• [ ] The team grows. More people mean more chances for drift.
• [ ] We experience actual problems due to manual changes. This will be the real proof that we need it.

Implementation Plan (Future)

If we implement drift detection, here are the technical specs:

Workflow Design

# .github/workflows/terraform-drift.yml
name: 'Terraform Drift Detection'
on:
  schedule:
    # Run at 9:00 AM (JST) on weekdays
    - cron: '0 0 * * 1-5'
  workflow_dispatch: # Allow manual execution

Detection Logic

1. Run terraform plan.
2. Detect anything other than No changes in the output.
3. Automatically create a GitHub Issue with the changes.
4. Notify the relevant people.

Required Additional Settings

• Azure Service Principal for periodic execution. This needs the right permissions.
• GitHub permissions for Issue creation. Terraform needs to be able to create issues.
• Filtering logic to avoid false positives. This is crucial to avoid alert fatigue.

References

• Microsoft: Deploy to Azure infrastructure with GitHub Actions
• Azure Samples: Terraform GitHub Actions
• Terraform: Detecting and Managing Drift

---

Labels: research, infrastructure, terraform, future-enhancement

Priority: Low

Dependencies: Completion of Issue #37