From a359bdd93074c4a73161a0b6c3f08e5c662867ad Mon Sep 17 00:00:00 2001
From: Kenneth Kehl <@kkehl@flexion.us>
Date: Wed, 18 Jun 2025 10:06:16 -0700
Subject: [PATCH] fix drift

---
 .github/workflows/drift.yml | 122 +++++++++++++++++++++---------------
 1 file changed, 72 insertions(+), 50 deletions(-)

diff --git a/.github/workflows/drift.yml b/.github/workflows/drift.yml
index a92179fbe..ddf6a8685 100644
--- a/.github/workflows/drift.yml
+++ b/.github/workflows/drift.yml
@@ -44,58 +44,80 @@ jobs:
             exit $exit_code
           fi
 
-  # check_demo_drift:
-  #   runs-on: ubuntu-latest
-  #   name: Check for drift of demo terraform configuration
-  #   environment: demo
-  #   steps:
-  #     - name: Checkout
-  #       uses: actions/checkout@v4
-  #       with:
-  #         ref: 'production'
+  check_demo_drift:
+    runs-on: ubuntu-latest
+    name: Check for drift of demo terraform configuration
+    environment: demo
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: 'production'
 
-  #     # Looks like we need to install Terraform ourselves now!
-  #     # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
-  #     - name: Setup Terraform
-  #       uses: hashicorp/setup-terraform@v3
-  #       with:
-  #         terraform_version: "^1.7.5"
-  #         terraform_wrapper: false
+      # Looks like we need to install Terraform ourselves now!
+      # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "^1.7.5"
+          terraform_wrapper: false
 
-  #     - name: Check for drift
-  #       uses: dflook/terraform-check@v1
-  #       env:
-  #         AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-  #         AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
-  #         TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
-  #         TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
-  #       with:
-  #         path: terraform/demo
+      - name: Check for drift
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+          TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+        run: |
+          cd terraform/demo
+          terraform init
+          terraform plan -detailed-exitcode
+          exit_code=$?
+          if [ $exit_code -eq 0 ]; then
+            echo "No changes detected.  Intrastructure is up-to-date."
+          elif [ $exit_code -eq 2 ]; then
+            echo "Changes detected.  Infrastructure drift found."
+            exit 1
+          else
+            echo "Error running terraform plan."
+            exit $exit_code
+          fi
 
-  # check_prod_drift:
-  #   runs-on: ubuntu-latest
-  #   name: Check for drift of production terraform configuration
-  #   environment: production
-  #   steps:
-  #     - name: Checkout
-  #       uses: actions/checkout@v4
-  #       with:
-  #         ref: 'production'
+  check_prod_drift:
+    runs-on: ubuntu-latest
+    name: Check for drift of production terraform configuration
+    environment: production
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: 'production'
 
-  #     # Looks like we need to install Terraform ourselves now!
-  #     # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
-  #     - name: Setup Terraform
-  #       uses: hashicorp/setup-terraform@v3
-  #       with:
-  #         terraform_version: "^1.7.5"
-  #         terraform_wrapper: false
+      # Looks like we need to install Terraform ourselves now!
+      # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "^1.7.5"
+          terraform_wrapper: false
 
-  #     - name: Check for drift
-  #       uses: dflook/terraform-check@v1
-  #       env:
-  #         AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-  #         AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
-  #         TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
-  #         TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
-  #       with:
-  #         path: terraform/production
+      - name: Check for drift
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+          TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+        run: |
+          cd terraform/production
+          terraform init
+          terraform plan -detailed-exitcode
+          exit_code=$?
+          if [ $exit_code -eq 0 ]; then
+            echo "No changes detected.  Intrastructure is up-to-date."
+          elif [ $exit_code -eq 2 ]; then
+            echo "Changes detected.  Infrastructure drift found."
+            exit 1
+          else
+            echo "Error running terraform plan."
+            exit $exit_code
+          fi