Detect, track and alert on infrastructure drift
 
 
 
 
Stephane Jourdan 2c06a5912a
Merge pull request #35 from cloudskiff/add_doc_template
Add doc issue template
2020-12-17 11:33:19 +01:00

Driftctl

Measures infrastructure as code coverage, and tracks infrastructure drift.
⚠️ This tool is still in beta state and will evolve in the future with potential breaking changes ⚠️

Why?

Infrastructure as code is awesome, but there are too many moving parts: codebase, state file, actual cloud state. Things tend to drift.

Drift can have multiple causes: from developers creating or updating infrastructure through the web console without telling anyone, to uncontrolled updates on the cloud provider side. Handling infrastructure drift vs the codebase can be challenging.

You can't efficiently improve what you don't track. We track coverage for unit tests, so why not infrastructure-as-code coverage?

driftctl tracks how well your IaC codebase covers your cloud configuration. driftctl warns you about drift.

Features

  • Scan cloud provider and map resources with IaC code
  • Analyze diff, and warn about drift and unwanted unmanaged resources
  • Allow users to ignore resources
  • Multiple output formats
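
The scan, compare and ignore steps listed above can be sketched as follows. This is an added example, not driftctl's own code: the `Resource` and `Report` types, the `Analyze` function and the sample resources are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// Resource is a simplified, hypothetical cloud resource; Attrs is its serialised attributes.
type Resource struct{ Type, ID, Attrs string }

// Report lists resource keys per category.
type Report struct {
	Unmanaged, Deleted, Drifted []string
	Live, Coverage              int // Coverage: % of live resources found in state
}

func key(r Resource) string { return r.Type + "." + r.ID }

// Analyze maps live resources onto state entries; keys in ignore are skipped.
func Analyze(state, cloud []Resource, ignore map[string]bool) Report {
	rep, inState, seen := Report{}, map[string]Resource{}, map[string]bool{}
	for _, s := range state {
		inState[key(s)] = s
	}
	for _, c := range cloud {
		k := key(c)
		seen[k] = true
		if ignore[k] {
			continue
		}
		rep.Live++
		if s, ok := inState[k]; !ok {
			rep.Unmanaged = append(rep.Unmanaged, k) // live, but not in IaC
		} else if s.Attrs != c.Attrs {
			rep.Drifted = append(rep.Drifted, k) // changed outside IaC
		}
	}
	for _, s := range state {
		if k := key(s); !seen[k] && !ignore[k] {
			rep.Deleted = append(rep.Deleted, k) // in IaC, gone from the cloud
		}
	}
	if rep.Live > 0 {
		rep.Coverage = 100 * (rep.Live - len(rep.Unmanaged)) / rep.Live
	}
	return rep
}

func main() { // constructed sample data, not output from a real account
	state := []Resource{{"aws_s3_bucket", "logs", "acl=private"}, {"aws_iam_user", "ci", "path=/"}}
	cloud := []Resource{{"aws_s3_bucket", "logs", "acl=public-read"}, {"aws_security_group", "sg-1", "ingress=0.0.0.0/0"}}
	fmt.Printf("%+v\n", Analyze(state, cloud, nil))
}
```

With the sample data, the bucket is reported as drifted, the security group as unmanaged, the IAM user as deleted, and coverage is 50%.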

Getting started

Installation

driftctl is available on Linux, macOS and Windows.

Binaries are available on the releases page.

Docker

docker run \
  -v ~/.aws:/app/.aws:ro \
  -v $(pwd)/terraform.tfstate:/app/terraform.tfstate:ro \
  -v ~/.driftctl:/app/.driftctl \
  -e AWS_PROFILE=cloudskiff \
  cloudskiff/driftctl scan ## with the same option as the binary version

-v ~/.aws:/app/.aws:ro mounts your .aws directory, which contains your credentials and profiles, read-only

-v $(pwd)/terraform.tfstate:/app/terraform.tfstate:ro mounts your Terraform state read-only

-v ~/.driftctl:/app/.driftctl mounts a directory that persists the downloaded provider, so driftctl does not download it again on each run

-e AWS_PROFILE=cloudskiff exports the profile to use from your AWS config

Manual

Linux
# x64
curl -fL https://github.com/cloudskiff/driftctl/releases/latest/download/driftctl_linux_amd64 -o driftctl
# x86
curl -fL https://github.com/cloudskiff/driftctl/releases/latest/download/driftctl_linux_386 -o driftctl
# make the downloaded binary executable and install it
chmod +x driftctl
sudo mv driftctl /usr/local/bin/
macOS
# x64
curl -fL https://github.com/cloudskiff/driftctl/releases/latest/download/driftctl_darwin_amd64 -o driftctl
# make the downloaded binary executable and install it
chmod +x driftctl
sudo mv driftctl /usr/local/bin/
Windows
# x64
curl -fL https://github.com/cloudskiff/driftctl/releases/latest/download/driftctl_windows_amd64.exe -o driftctl.exe
# x86
curl -fL https://github.com/cloudskiff/driftctl/releases/latest/download/driftctl_windows_386.exe -o driftctl.exe

Run

Be sure to have configured your AWS credentials.

You will need to assign proper permissions to allow driftctl to scan your account.

# With a local state
$ driftctl scan
# Same as
$ driftctl scan --from tfstate://terraform.tfstate

# To specify AWS credentials
$ AWS_ACCESS_KEY_ID=XXX AWS_SECRET_ACCESS_KEY=XXX driftctl scan
# or using a profile
$ AWS_PROFILE=profile_name driftctl scan

# With state stored on an S3 backend
$ driftctl scan --from tfstate+s3://my-bucket/path/to/state.tfstate

Documentation & support

Contribute

To learn more about compiling driftctl and contributing, please refer to the contribution guidelines and contributing guide for technical details.