Automated Fixes
Generate Terraform code to resolve infrastructure drift automatically.
Overview
When Controlinfra detects drift, the AI can generate fix code that:
- Updates your Terraform to match reality (accept the change)
- Provides commands to revert to Terraform state (reject the change)
- Offers alternative solutions based on best practices
Fix Options
For each drift, you have multiple resolution paths:
Option 1: Update Terraform Code
If the detected change should be permanent, update your Terraform:
hcl
# Before (your current Terraform)
resource "aws_instance" "web" {
instance_type = "t3.micro"
}
# After (generated fix to match reality)
resource "aws_instance" "web" {
instance_type = "t3.small" # Updated to match AWS
}Option 2: Revert with Terraform Apply
If the change was unintended, apply your Terraform to revert:
bash
# Preview the revert
terraform plan
# Apply to restore desired state
terraform applyOption 3: Accept with Modifications
Sometimes the right answer is a hybrid:
hcl
# The drift showed instance_type changed to t3.small
# You want to accept this but also add proper tagging
resource "aws_instance" "web" {
instance_type = "t3.small" # Accept the change
tags = {
Name = "web-server"
Environment = "production"
Reason = "Scaled up for performance" # Document why
}
}Generated Fix Code
Understanding the Output
Each drift shows AI-generated fix code:
┌─────────────────────────────────────────────────────────────┐
│ Fix Code │
├─────────────────────────────────────────────────────────────┤
│ │
│ # To update Terraform to match current AWS state: │
│ │
│ resource "aws_security_group" "web" { │
│ name = "web-sg" │
│ description = "Security group for web servers" │
│ vpc_id = aws_vpc.main.id │
│ │
│ ingress { │
│ from_port = 443 │
│ to_port = 443 │
│ protocol = "tcp" │
│ cidr_blocks = ["0.0.0.0/0"] # Added to match AWS │
│ description = "HTTPS from anywhere" │
│ } │
│ │
│ # ... rest of configuration │
│ } │
│ │
│ [Copy Code] [Create PR] [View Full File] │
└─────────────────────────────────────────────────────────────┘Code Quality
Generated fixes include:
- Correct syntax: Valid Terraform HCL
- Proper formatting: Follows Terraform style
- Comments: Explains what changed and why
- Context: Includes surrounding code for clarity
Using Fix Code
Method 1: Copy and Paste
- Click Copy Code on the fix
- Open your Terraform file
- Replace the relevant section
- Review and adjust as needed
- Commit the change
Method 2: Create Pull Request
- Click Create PR on the fix
- Review the generated PR details
- Click Create to submit
- Review and merge in GitHub
Method 3: Download Patch
- Click Download Patch
- Apply the patch locally:bash
git apply drift-fix.patch - Review changes
- Commit and push
Multi-Drift Fixes
When multiple drifts exist, you can:
Fix All at Once
Generate a combined fix for all drifts:
[Fix All Drifts] → Creates PR with all changesFix by Severity
Address critical issues first:
[Fix Critical] → Only critical severity
[Fix High+] → High and critical
[Fix All] → All severitiesFix by Resource
Select specific resources:
☑ aws_security_group.web [Fix]
☐ aws_instance.api [Skip]
☑ aws_s3_bucket.logs [Fix]
[Fix Selected]Fix Code Examples
Security Group Change
Drift Detected:
diff
~ ingress {
- cidr_blocks = ["10.0.0.0/8"]
+ cidr_blocks = ["0.0.0.0/0"]
}Generated Fix (Accept):
hcl
resource "aws_security_group" "web" {
# ... existing config ...
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # Updated: Public HTTPS access
description = "HTTPS from internet"
}
}Generated Fix (Better Practice):
hcl
resource "aws_security_group" "web" {
# ... existing config ...
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
security_groups = [aws_security_group.alb.id] # ALB only
description = "HTTPS from ALB"
}
}Instance Type Change
Drift Detected:
diff
~ instance_type = "t3.micro" -> "t3.small"Generated Fix:
hcl
resource "aws_instance" "web" {
ami = var.ami_id
instance_type = "t3.small" # Upgraded from t3.micro
tags = {
Name = "web-server"
Note = "Instance type upgraded for performance"
}
}Missing Resource
Drift Detected:
diff
- aws_instance.old_server will be destroyedGenerated Fix (Keep Resource):
hcl
# Add this resource to your Terraform to keep it:
resource "aws_instance" "old_server" {
ami = "ami-12345678"
instance_type = "t3.micro"
subnet_id = aws_subnet.private.id
tags = {
Name = "old-server"
}
}Generated Fix (Remove Properly):
hcl
# If you want to remove this resource:
# 1. Remove from Terraform (already done)
# 2. Run: terraform apply
# 3. Verify resource is terminated
# Or import to state then destroy:
# terraform import aws_instance.old_server i-abc123
# terraform destroy -target=aws_instance.old_serverBest Practices
1. Always Review Generated Code
AI-generated fixes should be reviewed:
- Verify the change is correct
- Check for unintended side effects
- Ensure it follows your conventions
2. Test Before Applying
bash
# Always run plan first
terraform plan
# Review the changes carefully
# Then apply
terraform apply3. Use Version Control
Never apply fixes directly:
- Create a branch
- Apply the fix
- Create PR
- Get review
- Merge
4. Document Why
Add comments explaining drift fixes:
hcl
# Fix: Instance type upgraded from t3.micro to t3.small
# Reason: Manual scaling due to high CPU usage on 2024-01-15
# Ticket: INFRA-1234
instance_type = "t3.small"5. Address Root Cause
Fixing drift is step one—prevent recurrence:
- Update processes
- Add automation
- Implement guardrails
- Train team members
Troubleshooting
Fix Code Doesn't Apply
- Check Terraform version compatibility
- Verify resource names match
- Ensure all dependencies exist
Fix Creates New Drift
- Some attributes are computed
- Provider defaults may differ
- Use
lifecycle { ignore_changes }if needed
PR Creation Fails
- Verify GitHub permissions
- Check branch protection rules
- Ensure no conflicts exist
Next Steps
- Create Pull Requests - Auto-generate PRs
- AI Analysis - Understand the analysis
- Drift Detection - How drift is detected