Terraform Drift Detection: How to Catch Configuration Drift

By /

Listen to this Post

Infrastructure as Code (IaC) tools like Terraform help manage cloud resources efficiently, but “drift” remains a significant challenge. Drift occurs when the actual state of your infrastructure deviates from the state defined in your Terraform configuration. This can happen due to manual changes, cloud provider updates, or security patches.

To effectively manage drift, implement regular audits and automated notifications. Yugandhar Suthari’s article on Terraform Drift Detection suggests proactive monitoring to detect and remediate drift, especially in production environments.

You Should Know:

1. Detecting Drift with Terraform Commands

  • terraform plan: Compare the current infrastructure state with the Terraform configuration. 
    terraform plan -detailed-exitcode

Exit code `2` indicates drift.

  • terraform refresh: Sync Terraform’s state with the real-world infrastructure. 
    terraform refresh

2. Automating Drift Detection

Use CI/CD pipelines (e.g., GitHub Actions, GitLab CI) to schedule drift checks: 

 GitHub Actions Example
name: 'Terraform Drift Check'
on:
schedule:
- cron: '0 0   '  Daily check
jobs:
drift-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- run: terraform init
- run: terraform plan -detailed-exitcode

3. Using Terraform Drift Detection Tools

  • terraform-docs: Generate documentation to track changes.
  • driftctl: Open-source tool for scanning cloud resources. 
    driftctl scan --from tfstate://terraform.tfstate

4. Remediating Drift

  • Manual Fix: Adjust Terraform configs and reapply. 
    terraform apply
  • Automated Enforcement: Use policies (e.g., Open Policy Agent) to block non-compliant changes.

5. Monitoring with Cloud Providers

  • AWS Config Rules: Track compliance. 
    aws configservice describe-config-rules
  • Azure Policy: Enforce IaC compliance. 
    az policy assignment list

What Undercode Say:

Managing Terraform drift is critical for maintaining infrastructure integrity. Regular audits, automation, and strict change controls minimize risks. Use tools like `driftctl` and enforce policies to ensure consistency.

Expected Output:

  • Daily drift reports via CI/CD.
  • Alerts for unauthorized changes.
  • Automated remediation workflows.

References:

Reported By: Darryl Ruggles – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Related Posts: