CI/CD Integration

Consul Guardian's drift command exits with code 1 when drift is detected. This makes it easy to integrate into CI/CD pipelines as a config validation step.

GitHub Actions

name: Config Drift Check

on:
  schedule:
    - cron: '0 */6 * * *'
  pull_request:
    paths:
      - 'consul-backup/**'

jobs:
  drift:
    runs-on: ubuntu-latest
    services:
      consul:
        image: hashicorp/consul:1.18
        ports:
          - 8500:8500

    steps:
      - uses: actions/checkout@v4

      - name: Install Guardian
        run: |
          curl -sSL https://github.com/consul-guardian/consul-guardian/releases/latest/download/consul-guardian_linux_amd64.tar.gz | tar xz
          sudo mv consul-guardian /usr/local/bin/

      - name: Run drift detection
        run: consul-guardian drift --prefix config/ --git-repo ./consul-backup
        env:
          CONSUL_GUARDIAN_CONSUL_ADDRESS: http://localhost:8500

      - name: Slack notification on drift
        if: failure()
        uses: slackapi/slack-github-action@v2
        with:
          webhook: ${{ secrets.SLACK_WEBHOOK }}
          webhook-type: incoming-webhook
          payload: |
            {"text": "Config drift detected in ${{ github.repository }}"}

GitLab CI

config-drift:
  stage: validate
  image: golang:1.22-alpine
  services:
    - name: hashicorp/consul:1.18
      alias: consul
  variables:
    CONSUL_GUARDIAN_CONSUL_ADDRESS: http://consul:8500
  script:
    - wget -qO- https://github.com/consul-guardian/consul-guardian/releases/latest/download/consul-guardian_linux_amd64.tar.gz | tar xz
    - ./consul-guardian drift --prefix config/ --git-repo ./consul-backup
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
    - if: $CI_MERGE_REQUEST_ID
      changes:
        - consul-backup/**

Pre-deploy Check

Add drift detection before deploying your application:

# GitHub Actions
deploy:
  needs: [build, test]
  runs-on: ubuntu-latest
  steps:
    - name: Config drift check
      run: consul-guardian drift --prefix config/production/
      env:
        CONSUL_GUARDIAN_CONSUL_ADDRESS: ${{ secrets.CONSUL_ADDR }}
        CONSUL_GUARDIAN_CONSUL_TOKEN: ${{ secrets.CONSUL_TOKEN }}

    - name: Deploy
      if: success()
      run: kubectl apply -f deployment.yaml

If the drift check exits non-zero, whether for drift (code 1) or a connection error (code 2), the deploy step is skipped. This prevents deploying with unexpected config changes.

Scheduled Monitoring

Run drift detection every few hours as a cron job:

on:
  schedule:
    - cron: '0 8,12,16,20 * * 1-5' # weekdays at 8, 12, 16, 20

This catches manual Consul changes that bypass your normal change process.

Exit Codes

Code  Meaning
0     No drift detected
1     Drift detected (MISSING, EXTRA, or DRIFTED keys)
2     Connection error (Consul unavailable, bad token, etc.)
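
Because the failure() condition in the workflow above fires on any non-zero exit, a connection error (2) would be reported as drift. The wrapper below is an added example, not part of Consul Guardian: it retries only on code 2, never on drift, and treats unknown codes as errors. The names run_drift_check, report, DRIFT_RETRIES and DRIFT_RETRY_DELAY are hypothetical.

```shell
#!/bin/sh
# Added example: CI wrapper that maps the drift command's exit codes to a
# result string. Function and variable names here are hypothetical.

# Record the result for later workflow steps (GitHub Actions sets
# GITHUB_OUTPUT) and print it on stdout.
report() {
    if [ -n "${GITHUB_OUTPUT:-}" ]; then
        echo "result=$1" >> "$GITHUB_OUTPUT"
    fi
    echo "$1"
}

# Usage: run_drift_check consul-guardian drift --prefix config/ ...
# Retries only on exit code 2 (connection error); drift is never retried.
# Prints clean|drift|error and returns 0, 1 or 2.
run_drift_check() {
    attempts=${DRIFT_RETRIES:-3}      # total tries on connection errors
    delay=${DRIFT_RETRY_DELAY:-5}     # seconds between tries
    n=1
    while :; do
        rc=0
        "$@" >&2 || rc=$?             # tool output goes to the job log
        case "$rc" in
            0) report clean; return 0 ;;
            1) report drift; return 1 ;;
            2)
                if [ "$n" -ge "$attempts" ]; then
                    report error; return 2
                fi
                n=$((n + 1))
                sleep "$delay"
                ;;
            *) report error; return 2 ;;  # unknown code: fail closed
        esac
    done
}
```

A notification step can read the recorded result to send the drift message only when the result is drift, and a different alert when Consul was unreachable.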