No drift detection for GitHub config

[AgaDufrat]

Old GitHub configuration script used to run daily overwriting any manual changes.
The new implementation with Terraform needs to be manually applied.

We may want to consider:

• having some drift detection and notifications.
  • https://app.terraform.io/app/govuk/workspaces/GitHub/health/drift
  • https://developer.hashicorp.com/terraform/cloud-docs/workspaces/settings/notifications
  • https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/notification_configuration
• schedule plan/apply (every 24h to begin with). This can be done via API https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run#create-a-run
• Stop people making changes in GitHub UI (readonly console only)

Depends on

• We've made the decision on how to go about it

[nicholsj]

This sounds like a good example to look at, but we should also explore their drift detection more generally.

[dj-maisy]

It looks like TFC already has Drift Detection configured, but we need to decide what to do with the information. TFC has Slack Integration, Emails and Webhooks so we could use some of those.

[theseanything]

You could also minimise drift by minimising permissions for developers to edit GitHub configuration without using the Terraform.