This document describes how changes move from a developer commit to a running production deployment, and how drift detection catches out-of-band changes.
When a merge request is opened or updated, the pipeline runs a subset of stages:
tofu validateThe deploy stage is skipped. Plan output is posted as a comment or artifact so reviewers can inspect the exact infrastructure changes before approving the merge.
After a merge request is approved and merged into main, the full pipeline runs
automatically. There is no manual gate or approval step.
tofu apply with the saved plan artifactsThe plan artifact produced in the Plan stage is passed directly to the Deploy
stage. This guarantees that tofu apply executes exactly the changes that were
planned, with no opportunity for drift between planning and applying.
The Verify stage confirms that deployed services are healthy:
A failed health check marks the pipeline as failed and triggers notification.
A scheduled pipeline runs at a configured interval (typically daily) independent of any code change. It executes:
tofu plan -detailed-exitcode
The -detailed-exitcode flag causes tofu to exit with code 2 if the plan detects
changes (drift) between the declared state and the actual cluster state. Exit
code 0 means no drift.
When drift is detected, the pipeline raises an alert. The team can then choose to:
graph TD
MR[Merge Request] -->|validate + plan| Review[Code Review]
Review -->|merge| Main[main branch]
Main -->|"auto deploy"| Plan[tofu plan]
Plan --> Apply[tofu apply]
Apply --> Health[Health Check]
Schedule[Scheduled] -->|"drift check"| Drift{Drift?}
Drift -->|Yes| Alert[Alert]
Drift -->|No| OK[Clean]