sundowndev
/
driftctl
mirror of https://github.com/sundowndev/driftctl.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
driftctl/doc/cmd/scan/iac_source.md

1.0 KiB
Raw Blame History

IaC source

Currently, driftctl only supports reading IaC from a Terraform state. We are investigating to support the Terraform code as well, as a state does not represent an intention.

Multiple states can be read by passing --from flags

Example:

# I want to read a local state and a state stored in an S3 bucket :
driftctl scan \
   --from tfstate+s3://statebucketdriftctl/terraform.tfstate \
   --from tfstate://terraform_toto.tfstate

Supported IaC sources

  • Terraform state
    • Local: --from tfstate://terraform.tfstate
    • S3: --from tfstate+s3://my-bucket/path/to/state.tfstate

S3

driftctl needs read-only access so you could use the policy below to ensure minimal access to your state file

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::mybucket"
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket/path/to/my/key"
    }
  ]
}