5e6288000f
Ensure IaC sources are valid to prevent us from failing after a potentially long-running cloud resources scan.
Top-level files and directories:
.circleci
.github
assets
bin
build
doc
logger
mocks
pkg
scripts
test
.dockerignore
.editorconfig
.gitignore
.go-version
Dockerfile
LICENSE.md
Makefile
README.md
codecov.yml
go.mod
go.sum
main.go
README.md
Measures infrastructure as code coverage, and tracks infrastructure drift.
IaC: Terraform, Cloud platform: AWS (Azure and GCP on the roadmap for 2021).
⚠️ This tool is still in beta state and will evolve in the future with potential breaking changes ⚠️
Why?
Infrastructure as code is awesome, but there are too many moving parts: codebase, state file, actual cloud state. Things tend to drift.
Drift can have multiple causes: from developers creating or updating infrastructure through the web console without telling anyone, to uncontrolled updates on the cloud provider side. Handling infrastructure drift vs the codebase can be challenging.
You can't efficiently improve what you don't track. We track coverage for unit tests, why not infrastructure as code coverage?
driftctl tracks how well your IaC codebase covers your cloud configuration. driftctl warns you about drift.
Features
- Scan cloud provider and map resources with IaC code
- Analyze diff, and warn about drift and unwanted unmanaged resources
- Allow users to ignore resources
- Multiple output formats
Getting started
Installation
driftctl is available on Linux, macOS and Windows.
Binaries are available on the releases page.
Docker
docker run -t --rm \
  -v ~/.aws:/home/.aws:ro \
  -v $(pwd):/app:ro \
  -v ~/.driftctl:/home/.driftctl \
  -e AWS_PROFILE=non-default-profile \
  cloudskiff/driftctl scan
- -v ~/.aws:/home/.aws:ro (optional) mounts your ~/.aws directory, which contains your AWS credentials and profiles, read-only
- -v $(pwd):/app:ro (optional) mounts your working directory containing the Terraform state, read-only
- -v ~/.driftctl:/home/.driftctl (optional) prevents driftctl from downloading the provider on each run
- -e AWS_PROFILE=non-default-profile (optional) exports the name of the non-default AWS profile to use
- cloudskiff/driftctl:<VERSION_TAG> runs a specific tagged driftctl release
Manual
Linux
This is an example using curl. If you don't have curl, install it, or use wget.
# x64
curl -L https://github.com/cloudskiff/driftctl/releases/latest/download/driftctl_linux_amd64 -o driftctl
# x86
curl -L https://github.com/cloudskiff/driftctl/releases/latest/download/driftctl_linux_386 -o driftctl
Make the binary executable:
chmod +x driftctl
Optionally install driftctl to a central location in your PATH:
# use any path that suits you, this is just a standard example. Install sudo if needed.
sudo mv driftctl /usr/local/bin/
macOS
# x64
curl -L https://github.com/cloudskiff/driftctl/releases/latest/download/driftctl_darwin_amd64 -o driftctl
Make the binary executable:
chmod +x driftctl
Optionally install driftctl to a central location in your PATH:
# use any path that suits you, this is just a standard example. Install sudo if needed.
sudo mv driftctl /usr/local/bin/
Windows
# x64
curl https://github.com/cloudskiff/driftctl/releases/latest/download/driftctl_windows_amd64.exe -o driftctl.exe
# x86
curl https://github.com/cloudskiff/driftctl/releases/latest/download/driftctl_windows_386.exe -o driftctl.exe
Run
Be sure to have configured your AWS credentials.
You will need to assign proper permissions to allow driftctl to scan your account.
# With a local state
$ driftctl scan
# Same as
$ driftctl scan --from tfstate://terraform.tfstate
# To specify AWS credentials
$ AWS_ACCESS_KEY_ID=XXX AWS_SECRET_ACCESS_KEY=XXX driftctl scan
# or using a profile
$ AWS_PROFILE=profile_name driftctl scan
# With state stored on a s3 backend
$ driftctl scan --from tfstate+s3://my-bucket/path/to/state.tfstate
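As an added example (not driftctl's own code), here is a small POSIX sh wrapper that checks the `--from` state source before the scan starts, in the spirit of the commit message at the top of this page: a local `tfstate://` path must exist, be readable and look like a Terraform state, and a `tfstate+s3://` URI must carry both a bucket and an object key. The function names, the `DRIFTCTL_BIN` variable and the check for a top-level `"version"` key in the state file are assumptions of this example, not part of driftctl.

```shell
#!/bin/sh
# Added example, not driftctl's own code: validate the --from state source
# locally before launching `driftctl scan`, so a typo in the path or URI is
# caught immediately rather than after a long cloud inventory.
#
# Assumptions (not from the README): a local Terraform state is a JSON file
# with a top-level "version" key; for S3 only the URI shape (bucket/key) is
# checked offline, and driftctl/AWS still report access problems themselves.

# validate_state_source SOURCE
#   SOURCE is the value you would pass to `driftctl scan --from`.
#   Returns 0 when the source looks usable, 1 otherwise (reason on stderr).
validate_state_source() {
  src="$1"
  case "$src" in
    tfstate://*)
      path="${src#tfstate://}"
      [ -n "$path" ] || { echo "empty local state path" >&2; return 1; }
      [ -f "$path" ] || { echo "state file not found: $path" >&2; return 1; }
      [ -r "$path" ] || { echo "state file not readable: $path" >&2; return 1; }
      [ -s "$path" ] || { echo "state file is empty: $path" >&2; return 1; }
      # Cheap sanity check that this is a Terraform state and not, say, a plan
      # or an unrelated JSON document (assumed key, see above).
      grep -q '"version"' "$path" \
        || { echo "not a Terraform state (no \"version\" key): $path" >&2; return 1; }
      return 0
      ;;
    tfstate+s3://*)
      rest="${src#tfstate+s3://}"
      bucket="${rest%%/*}"
      key="${rest#*/}"
      [ -n "$bucket" ] || { echo "missing bucket in $src" >&2; return 1; }
      # If there is no "/" at all, ${rest#*/} leaves rest unchanged, so
      # key == bucket; an empty key means a trailing "/" with nothing after it.
      [ "$rest" != "$bucket" ] && [ -n "$key" ] \
        || { echo "missing object key in $src" >&2; return 1; }
      return 0
      ;;
    *)
      echo "unsupported state source: $src (expected tfstate:// or tfstate+s3://)" >&2
      return 1
      ;;
  esac
}

# run_scan [SOURCE] [extra driftctl args...]
#   Validates SOURCE (default: tfstate://terraform.tfstate, the same default
#   driftctl uses), then runs `driftctl scan --from SOURCE`.
#   DRIFTCTL_BIN points at a binary outside PATH (e.g. ./driftctl); assumed name.
run_scan() {
  src="${1:-tfstate://terraform.tfstate}"
  if [ "$#" -gt 0 ]; then shift; fi
  validate_state_source "$src" || return 1
  "${DRIFTCTL_BIN:-driftctl}" scan --from "$src" "$@"
}

# Usage: sh preflight_scan.sh tfstate+s3://my-bucket/path/to/state.tfstate
if [ "$#" -gt 0 ]; then
  run_scan "$@"
fi
```

Validation here is purely local and read-only: it never touches AWS, so S3 reachability and the IAM permissions the scan itself needs are still reported by driftctl. Any extra arguments after the source are passed through to `driftctl scan` unchanged.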
Documentation & support
Contribute
To learn more about compiling driftctl and contributing, please refer to the contribution guidelines and contributing guide for technical details.