Drift Detection
Understand how Controlinfra detects and categorizes infrastructure drift.
What is Infrastructure Drift?
Infrastructure drift occurs when the actual state of your cloud resources differs from what's defined in your Terraform code. This can happen due to:
- Manual changes in cloud consoles
- Emergency fixes applied outside Terraform
- Auto-scaling or automated processes
- Third-party tools modifying resources
- Direct API calls bypassing IaC
How Detection Works
Controlinfra uses Terraform's native plan functionality to detect drift:
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Terraform │ │ AWS │ │ Terraform │
│ Code │────▶│ State │────▶│ Plan │
│ (desired) │ │ (remote) │ │ (diff) │
└─────────────┘ └─────────────┘ └─────────────┘
│
▼
┌─────────────┐
│ Drift │
│ Detected │
└─────────────┘The Scan Pipeline
- Clone: Download your repository
- Init: Initialize Terraform (
terraform init) - Plan: Run Terraform plan (
terraform plan) - Detect: Parse plan output for changes
- Analyze: AI analysis of each drift (optional)
- Complete: Results ready for review
Drift Types
Create Drift
Resources that exist in Terraform but not in AWS:
diff
+ aws_instance.new_server will be created
+ ami = "ami-12345678"
+ instance_type = "t3.micro"Common causes:
- Resource was manually deleted
- Initial Terraform hasn't been applied
- State file out of sync
Update Drift
Resources where actual configuration differs from Terraform:
diff
~ aws_security_group.web will be updated
~ ingress {
- cidr_blocks = ["10.0.0.0/8"]
+ cidr_blocks = ["0.0.0.0/0"]
}Common causes:
- Manual changes in AWS console
- Emergency fixes
- Auto-scaling modifications
Delete Drift
Resources that exist in AWS but not in Terraform:
diff
- aws_instance.old_server will be destroyedCommon causes:
- Resource removed from Terraform code
- Orphaned resources
- State file corruption
Severity Classification
Each drift is classified by severity:
| Severity | Color | Description | Action |
|---|---|---|---|
| Critical | 🔴 Red | Security vulnerability | Fix immediately |
| High | 🟠 Orange | Significant risk | Fix soon |
| Medium | 🟡 Yellow | Should address | Plan to fix |
| Low | 🟢 Green | Minor issue | Fix when convenient |
Severity Factors
Controlinfra considers:
- Resource type: Security groups vs. tags
- Change type: Delete vs. update
- Scope: Single attribute vs. entire resource
- Security impact: Exposed ports, IAM changes
- Cost impact: Resource size, storage changes
Severity Examples
| Change | Severity | Reason |
|---|---|---|
| Security group allows 0.0.0.0/0 | Critical | Security exposure |
| IAM policy permissions changed | High | Access control |
| Instance type modified | Medium | Cost/performance |
| Resource tag added | Low | Metadata only |
Scan Results
No Drift Detected
When your infrastructure matches Terraform:
✅ Scan Complete
No drift detected. Your infrastructure is in sync
with your Terraform configuration.
Resources checked: 47
Time: 2m 34sDrift Detected
When differences are found:
⚠️ Drift Detected
Found 3 drifts across 47 resources
🔴 Critical: 1
🟡 Medium: 1
🟢 Low: 1
Click on each drift for details and remediation options.Viewing Drift Details
Click on any drift to see:
Resource Information
Resource: aws_security_group.web
Type: aws_security_group
Name: web-security-group
Change: Update (in-place)Attribute Changes
diff
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
- cidr_blocks = ["10.0.0.0/8"]
+ cidr_blocks = ["0.0.0.0/0"]
}AI Analysis (if configured)
Root Cause:
The security group was modified in the AWS console to allow
HTTPS traffic from the internet instead of internal network only.
Impact:
This change exposes your application to external traffic, which
may be intentional for a public-facing service, but was not
reflected in the Terraform configuration.
Recommendation:
If this change is intentional, update your Terraform code.
If not, revert by applying the current Terraform configuration.Filtering and Sorting
Filter by Status
- All: Show all drifts
- Critical: Only critical severity
- High: High and above
- Medium: Medium and above
- Low: All severities
Filter by Type
- Create: Resources to be created
- Update: Resources to be modified
- Delete: Resources to be destroyed
Filter by Resource
Search for specific resources:
- By name:
web-server - By type:
aws_instance - By module:
module.vpc
Sort Options
- Severity: Critical first
- Resource type: Group by type
- Change type: Create, update, delete
- Alphabetical: By resource name
Historical Tracking
Scan History
View all scans for a repository:
Scan #45 - Dec 9, 2024 - 3 drifts
Scan #44 - Dec 8, 2024 - 2 drifts
Scan #43 - Dec 7, 2024 - 0 drifts
Scan #42 - Dec 6, 2024 - 5 driftsDrift Trends
Track drift over time:
- Increasing drift count may indicate process issues
- Consistent clean scans indicate good IaC practices
- Recurring drift suggests systemic problems
Best Practices
1. Regular Scans
Schedule scans to catch drift early:
- Daily for production
- Weekly for staging
- After major changes
2. Address Critical First
Prioritize by severity:
- Fix all critical drifts immediately
- Plan high-severity fixes
- Address medium/low in sprints
3. Investigate Root Causes
Don't just fix—understand why:
- Who made the change?
- Why was it needed?
- How to prevent recurrence?
4. Update Terraform or Revert
For each drift, decide:
- Update Terraform: If change is desired
- Revert with Apply: If change is unwanted
5. Document Exceptions
Some drift may be acceptable:
- Auto-scaling managed resources
- Dynamic configurations
- Document these decisions
Troubleshooting
Scan Takes Too Long
- Large state files slow down plans
- Consider splitting into smaller workspaces
- Use
-targetfor specific resources
False Positives
Some "drift" may be expected:
- Computed values that change
- Provider default behaviors
- Ignore with Terraform lifecycle rules
Missing Resources
If resources aren't detected:
- Verify working directory is correct
- Check Terraform version compatibility
- Ensure state is accessible
Next Steps
- AI Analysis - Understand AI-powered insights
- Automated Fixes - Generate fix code
- Pull Requests - Auto-create PRs