# pulumi-drift-detector
Monitors infrastructure drift by running pulumi preview --expect-no-changes against each configured Pulumi stack and alerting when drift is detected.
## Overview
| Property | Value |
|---|---|
| Trigger | CloudWatch scheduled event |
| Runtime | Python 3.11 |
| Timeout | 300 seconds |
| Memory | 512 MB |
## Input Schema

```json
{
  "stacks": ["tradai-foundation-prod", "tradai-compute-prod"], # Override default stacks
  "dry_run": false # If true, skip Pulumi operations (for testing)
}
```
## Output Schema

```json
{
  "summary": {
    "stacks_checked": 2,
    "drifted": 1,
    "errors": 0
  },
  "results": [
    {
      "stack_name": "tradai-foundation-prod",
      "status": "checked",
      "has_drift": true,
      "resources_to_create": 0,
      "resources_to_update": 2,
      "resources_to_delete": 0,
      "resources_unchanged": 45,
      "drift_details": "{...}",
      "timestamp": "2024-02-07T12:00:00Z"
    }
  ]
}
```
## Environment Variables

| Variable | Required | Default | Description |
|---|---|---|---|
| PULUMI_BACKEND_URL | Yes | - | S3 backend URL for Pulumi state |
| PULUMI_CONFIG_PASSPHRASE_SECRET_ARN | Yes | - | Secrets Manager ARN for Pulumi passphrase |
| STACK_NAMES | No | - | Comma-separated list of stacks to check |
| DYNAMODB_TABLE_NAME | Yes | - | State repository table for drift tracking |
| ALERT_SNS_TOPIC_ARN | Yes | - | SNS topic for drift alerts |
| ENVIRONMENT | No | dev | Environment name (dev/staging/prod) |
## Key Features

- Runs `pulumi preview --expect-no-changes --json` for each stack
- Parses JSON output to extract resource-level drift details
- Tracks drift state in DynamoDB to avoid duplicate alerts (only alerts on transition)
- Publishes CloudWatch metrics per stack: `DriftDetected`, `ResourcesToCreate/Update/Delete`, `CheckSuccess`
- Sends SNS alerts with detailed drift breakdown and remediation steps
- Retrieves Pulumi passphrase from AWS Secrets Manager
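As an added example that is not the Lambda's own code: the preview parsing and the transition-only alert rule described above, in Python. It assumes the `pulumi preview --json` output contains a `changeSummary` map and a `steps` list whose entries carry `op`, `urn` and `diffReasons`; the sample preview below is constructed, and bucketing `replace` steps under updates is this example's choice.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `pulumi preview --json` output (assumed shape: a
# changeSummary map plus a steps list whose entries carry op/urn/diffReasons).
SAMPLE_PREVIEW = json.dumps({
    "changeSummary": {"same": 45, "update": 2},
    "steps": [
        {"op": "same", "urn": "urn:pulumi:prod::foundation::aws:ec2/vpc:Vpc::main"},
        {"op": "update", "urn": "urn:pulumi:prod::foundation::aws:ec2/securityGroup:SecurityGroup::web",
         "diffReasons": ["ingress"]},
        {"op": "update", "urn": "urn:pulumi:prod::foundation::aws:s3/bucket:Bucket::logs",
         "diffReasons": ["versioning"]},
    ],
})

# Map preview step operations onto the three counters the output schema reports.
# "same" and "read" are not drift; "replace" is counted as an update here (assumption).
OP_BUCKETS = {
    "create": "resources_to_create",
    "update": "resources_to_update",
    "replace": "resources_to_update",
    "delete": "resources_to_delete",
}

def summarize_preview(stack_name: str, preview_output: str) -> dict:
    """Build one results[] entry (per the Output Schema) from raw preview JSON."""
    preview = json.loads(preview_output)
    counts = {"resources_to_create": 0, "resources_to_update": 0, "resources_to_delete": 0}
    drifted = []  # resource-level detail that goes into drift_details / the SNS alert
    for step in preview.get("steps", []):
        bucket = OP_BUCKETS.get(step.get("op"))
        if bucket is None:
            continue
        counts[bucket] += 1
        drifted.append({"urn": step.get("urn"), "op": step["op"],
                        "reasons": step.get("diffReasons", [])})
    return {
        "stack_name": stack_name,
        "status": "checked",
        "has_drift": bool(drifted),
        **counts,
        "resources_unchanged": preview.get("changeSummary", {}).get("same", 0),
        "drift_details": json.dumps(drifted),
        "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }

def should_alert(previous_has_drift, current_has_drift: bool) -> bool:
    """Alert only on the no-drift -> drift transition (previous state from DynamoDB;
    None means the stack has never been checked)."""
    return bool(current_has_drift and not previous_has_drift)
```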
## CloudWatch Metrics

| Metric | Description |
|---|---|
| DriftDetected | 1.0 if drift detected, 0.0 otherwise |
| ResourcesToCreate | Count of resources to create |
| ResourcesToUpdate | Count of resources to update |
| ResourcesToDelete | Count of resources to delete |
| CheckSuccess | 1.0 if check succeeded, 0.0 on error |
## EventBridge Schedule

```json
{
  "ScheduleExpression": "rate(6 hours)",
  "Targets": [{
    "Arn": "arn:aws:lambda:...:pulumi-drift-detector",
    "Input": "{}"
  }]
}
```
## See Also
Related Lambdas:
- Cleanup Resources - Cleans up orphaned infrastructure
- Orphan Scanner - Scans for orphaned cloud resources
- Health Check - Infrastructure health monitoring
Architecture:
- Pulumi Code - Infrastructure as Code
- Architecture Overview - System design
Guides:
- Pulumi Operations - Pulumi operational runbooks
- Infrastructure Issues - Infrastructure incident response