detecting-infrastructure-drift

Detecting Infrastructure Drift

Overview

Detect discrepancies between actual cloud infrastructure state and the desired state defined in IaC (Terraform, CloudFormation, Pulumi). Run drift detection commands, analyze modified/added/deleted resources, generate drift reports with affected resources, and provide remediation steps to bring infrastructure back into compliance.

Prerequisites

  • IaC configuration files up to date in the project directory
  • Cloud provider CLI installed and authenticated with read access to all managed resources
  • IaC tool installed: Terraform 1.0+, AWS CLI (for CloudFormation drift), or Pulumi
  • Remote state storage accessible and current (S3 backend, Terraform Cloud, Pulumi Cloud)
  • Read-only IAM permissions for all resource types managed by IaC

Instructions

  1. Identify the IaC tool in use by scanning for .tf files, template.yaml, or Pulumi.yaml
  2. Initialize the IaC tool if needed: terraform init to download providers and configure backend
  3. Run drift detection: terraform plan -detailed-exitcode (exit code 2 = drift detected), aws cloudformation detect-stack-drift, or pulumi preview
  4. Parse the output to identify resources with drift: added (exists in cloud but not in IaC), modified (attributes changed), or deleted (in IaC but missing from cloud)
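An added example for step 4, not part of the skill itself: it classifies the `resource_changes` entries of a plan exported with `terraform show -json <planfile>` into the three drift categories above and lists which attributes differ. The sample plan is constructed, and the mapping from plan actions to categories is an assumption of this example.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# In a plan, "before" is the refreshed real-world value, "after" is what the IaC wants.
SAMPLE_PLAN = json.loads("""
{"format_version": "1.2", "resource_changes": [
 {"address": "aws_security_group_rule.ssh", "change": {"actions": ["update"],
   "before": {"cidr_blocks": ["0.0.0.0/0"], "from_port": 22},
   "after":  {"cidr_blocks": ["10.0.0.0/8"], "from_port": 22}}},
 {"address": "aws_s3_bucket.logs", "change": {"actions": ["create"],
   "before": null, "after": {"bucket": "example-logs"}}},
 {"address": "aws_iam_user.temp", "change": {"actions": ["delete"],
   "before": {"name": "temp"}, "after": null}},
 {"address": "aws_instance.web", "change": {"actions": ["delete", "create"],
   "before": {"ami": "ami-aaaa"}, "after": {"ami": "ami-bbbb"}}},
 {"address": "aws_vpc.main", "change": {"actions": ["no-op"], "before": {}, "after": {}}}
]}
""")

def categorize(actions):
    """Map plan actions to the drift categories of step 4 (assumed mapping).

    Terraform only sees resources recorded in its state, so "added" here means
    tracked in state but no longer in the configuration; resources created
    entirely outside Terraform never appear in a plan.
    """
    acts = set(actions)
    if acts <= {"no-op", "read"}:
        return None
    if acts == {"create"}:
        return "deleted"    # declared in IaC, missing from the cloud
    if acts == {"delete"}:
        return "added"      # present in the cloud, absent from IaC
    return "modified"       # in-place update or replacement

def changed_attributes(before, after):
    before, after = before or {}, after or {}
    return sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))

def drift_report(plan):
    report = {"added": [], "modified": [], "deleted": []}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        category = categorize(change["actions"])
        if category is None:
            continue
        entry = {"address": rc["address"]}
        if category == "modified":
            entry["attributes"] = changed_attributes(change.get("before"), change.get("after"))
        report[category].append(entry)
    return report
```

Calling `drift_report(json.load(f))` on a real exported plan gives the same structure; a `create` on a resource that was never applied is new work rather than drift, so compare the report against what has actually been deployed.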
First Seen
Feb 18, 2026