From 74a8845767a329f2b421c43fb1080be558336000 Mon Sep 17 00:00:00 2001
From: Jacob Nesbitt
Date: Thu, 23 Apr 2026 15:46:23 -0400
Subject: [PATCH] Remove drift detection job and permissions
---
 .../workflows/terraform-drift-detection.yaml | 81 -------------------
 terraform/modules/spack_aws_k8s/eks.tf | 20 +----
 .../spack_aws_k8s/github_actions_iam.tf | 66 --------------
 3 files changed, 2 insertions(+), 165 deletions(-)
 delete mode 100644 .github/workflows/terraform-drift-detection.yaml
diff --git a/.github/workflows/terraform-drift-detection.yaml b/.github/workflows/terraform-drift-detection.yaml
deleted file mode 100644
index c78735b2c..000000000
--- a/.github/workflows/terraform-drift-detection.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
-name: Detect infrastructure drift
-on:
- schedule:
- # Run once an hour.
- # GitHub throttles scheduled jobs if too many are queued at once,
- # so they recommend scheduling them at a random minute instead of
- # minute 0. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule
- - cron: '16 * * * *'
- workflow_dispatch:
-
-permissions:
- id-token: write
- contents: read
-
-jobs:
- detect-drift:
- runs-on: ubuntu-latest
- defaults:
- run:
- working-directory: terraform/production
- steps:
- - name: Checkout Repository
- uses: actions/checkout@v5
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v4.2.0
- with:
- role-to-assume: arn:aws:iam::588562868276:role/GitHubActionsReadonlyRole
- aws-region: us-east-1
- - name: Get Terraform Version
- id: tf_version
- run: echo "value=$(cat .terraform-version)" >> $GITHUB_OUTPUT
- - name: Install Terraform
- uses: hashicorp/setup-terraform@v3
- with:
- terraform_version: ${{ steps.tf_version.outputs.value }}
- terraform_wrapper: false
- - name: Initialize Terraform
- uses: nick-invision/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
- with:
- command: cd terraform/production && terraform init
- max_attempts: 5
- timeout_minutes: 5
- - name: Run Terraform Plan
- run: terraform plan -lock=false -detailed-exitcode -no-color -input=false -out=tfplan > tfplan_output.txt 2>&1
- env:
- TF_VAR_eks_cluster_role: "arn:aws:iam::588562868276:role/GitHubActionsReadonlyRole"
- TF_VAR_gitlab_token: ${{ secrets.GITLAB_ACCESS_TOKEN }}
- - name: Send Slack alert on drift
- if: failure()
- run: |
- # Post message
- curl -X POST \
- -H "Content-type: application/json" \
- -H "Authorization: Bearer ${{ secrets.SLACK_BOT_TOKEN }}" \
- -d '{
- "channel": "spack-alerts",
- "text": ":rotating_light: :rotating_light: :rotating_light: Infrastructure drift detected! 
:rotating_light: :rotating_light: :rotating_light:"
- }' \
- https://slack.com/api/chat.postMessage
-
- # Upload TF plan stdout
- curl -F file=@tfplan_output.txt \
- -F channels=spack-alerts \
- -F title="tfplan_output.txt" \
- -F filetype="text" \
- -H "Authorization: Bearer ${{ secrets.SLACK_BOT_TOKEN }}" \
- https://slack.com/api/files.upload
-
- # Upload TF plan binary file
- curl -F file=@tfplan \
- -F channels=spack-alerts \
- -F title="tfplan" \
- -F filetype="binary" \
- -H "Authorization: Bearer ${{ secrets.SLACK_BOT_TOKEN }}" \
- https://slack.com/api/files.upload
diff --git a/terraform/modules/spack_aws_k8s/eks.tf b/terraform/modules/spack_aws_k8s/eks.tf
index f7c9cdf0d..2ad6a3102 100644
--- a/terraform/modules/spack_aws_k8s/eks.tf
+++ b/terraform/modules/spack_aws_k8s/eks.tf
@@ -38,24 +38,8 @@ module "eks" {
 }
 }
 }
- },
- # Only create github_actions access entry on production cluster, since that's
- # the only one we run the TF drift detection job on.
- var.deployment_name == "prod" ? {
- github_actions_drift_detection = {
- kubernetes_groups = []
- principal_arn = aws_iam_role.github_actions_readonly[0].arn
-
- policy_associations = {
- cluster = {
- policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminViewPolicy"
- access_scope = {
- type = "cluster"
- }
- }
- }
- }
- } : {})
+ }
+ )
 # NOTE: Additional configuration of these addons (like in the vpc-cni addon below) won't necessarily
 # take immediate effect, as it is configuring the addon, not anything in the cluster directly.
diff --git a/terraform/modules/spack_aws_k8s/github_actions_iam.tf b/terraform/modules/spack_aws_k8s/github_actions_iam.tf
index 635fa0192..bf7cceb93 100644
--- a/terraform/modules/spack_aws_k8s/github_actions_iam.tf
+++ b/terraform/modules/spack_aws_k8s/github_actions_iam.tf
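Review bot: The new `+ )` closes a call whose opening sits above the hunk; now that the conditional second argument (`var.deployment_name == "prod" ? { ... } : {}`) is gone, if that call is `merge()` it wraps a single map literal and the enclosing argument could be assigned the map directly, dropping the wrapper and one level of nesting. The removed entry was the only visible reference in this file to `aws_iam_role.github_actions_readonly`, which the companion hunk in github_actions_iam.tf deletes, so no dangling reference remains. Worth confirming before apply that no other principal relied on the `AmazonEKSAdminViewPolicy` association being removed here, since the cluster-wide read view disappears with it. The enclosing `module "eks"` block starts before and ends after this hunk.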
@@ -10,72 +10,6 @@ resource "aws_iam_openid_connect_provider" "github_actions" {
 thumbprint_list = [data.tls_certificate.github_actions.certificates.0.sha1_fingerprint]
 }
-resource "aws_iam_role" "github_actions_readonly" {
- count = var.deployment_name == "prod" ? 1 : 0
-
- name = "GitHubActionsReadonlyRole"
- description = "Managed by Terraform. IAM Role that a GitHub Actions runner can assume to authenticate with AWS."
-
- assume_role_policy = jsonencode({
- "Version" : "2012-10-17",
- "Statement" : [
- {
- "Effect" : "Allow",
- "Principal" : {
- "Federated" : aws_iam_openid_connect_provider.github_actions[0].arn
- },
- "Action" : "sts:AssumeRoleWithWebIdentity",
- "Condition" : {
- "StringLike" : {
- "token.actions.githubusercontent.com:sub" : "repo:spack/spack-infrastructure:ref:refs/heads/main",
- "token.actions.githubusercontent.com:aud" : "sts.amazonaws.com"
- }
- }
- },
- {
- "Action" : "sts:AssumeRole",
- "Principal" : {
- # Unfortunately, we need to do this until https://github.com/hashicorp/terraform-provider-aws/issues/27034 is resolved.
- # This trust statement allows the role to assume itself, which is necessary for the GitHub Actions session user to run terraform plan.
- "AWS" : "arn:aws:sts::${data.aws_caller_identity.current.account_id}:assumed-role/GitHubActionsReadonlyRole/GitHubActions"
- },
- "Effect" : "Allow",
- },
- ]
- })
-}
-
-# The `ReadOnlyAccess` managed policy doesn't include secretsmanager, so we explicitly grant it here.
-resource "aws_iam_role_policy" "github_actions_readonly" {
- count = var.deployment_name == "prod" ? 1 : 0
-
- name = "read-secrets"
- role = aws_iam_role.github_actions_readonly[0].id
-
- policy = jsonencode({
- "Version" : "2012-10-17",
- "Statement" : [
- {
- "Effect" : "Allow",
- "Action" : [
- "secretsmanager:GetSecretValue"
- ],
- "Resource" : "*"
- }
- ]
- })
-}
-
-# This policy grants the GitHub Actions role read-only access to most resources in the AWS account. 
-# There are some exceptions, such as secretsmanager (see inline_policy above)
-resource "aws_iam_role_policy_attachment" "github_actions_readonly" {
- count = var.deployment_name == "prod" ? 1 : 0
-
- role = aws_iam_role.github_actions_readonly[0].name
- policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
-}
-
-
 # Allow github actions run from the develop branch of spack/spack to put objects into the source mirror
 resource "aws_iam_role" "github_actions_put_to_source_mirror" {
 count = var.deployment_name == "prod" ? 1 : 0
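Review bot: The removed self-assume trust statement (`"AWS" : "arn:aws:sts::${data.aws_caller_identity.current.account_id}:assumed-role/GitHubActionsReadonlyRole/GitHubActions"`) was the only use of `data.aws_caller_identity.current` visible in this hunk; if nothing else in the module reads it, that data source is now dead and should be dropped together with these resources rather than left behind. On the positive side the deletion also retires the inline `secretsmanager:GetSecretValue` grant on `"Resource" : "*"`, the broadest permission the role carried, and nothing on the new side re-introduces it. The `aws_iam_openid_connect_provider.github_actions` resource above the deleted block is kept; presumably the `github_actions_put_to_source_mirror` role, whose body continues past the end of the hunk, is its remaining consumer — worth confirming so the provider is not orphaned.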