
Drift detection in CI/CD in Terraform - Commands & Configuration

Introduction
Infrastructure drift happens when the real cloud setup changes outside your code. Drift detection helps find these differences automatically during your CI/CD process to keep your setup reliable and consistent.
When you want to ensure your cloud resources match your Terraform code after manual changes.
When you run automated pipelines that deploy infrastructure and want to catch unexpected changes early.
When multiple team members manage infrastructure and you want to avoid conflicts or surprises.
When you want to maintain compliance by verifying infrastructure state regularly.
When you want to prevent outages caused by unnoticed configuration changes.
Config File - main.tf
terraform {
  required_version = ">= 1.3.0"

  # A local backend keeps state on the machine that ran Terraform. Drift
  # detection in CI needs every run to read the same state, so a real
  # pipeline should use a remote backend (for example S3 or Terraform Cloud).
  backend "local" {}
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "example" {
  bucket = "example-drift-detection-bucket"

  # In AWS provider v4 the inline acl argument is deprecated in favour of a
  # separate aws_s3_bucket_acl resource. It is kept here because the drift
  # example below shows this attribute changing from "private" to "public-read".
  acl = "private"
}

This Terraform file sets up a simple AWS S3 bucket resource.

The terraform block specifies the required Terraform version and uses a local backend for state storage.

The provider block configures the AWS region.

The aws_s3_bucket resource creates a private S3 bucket named example-drift-detection-bucket.

Commands
Initializes the Terraform working directory, downloads provider plugins, and prepares the backend.
Terminal
terraform init
Expected Output
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v4.0.0...
- Installed hashicorp/aws v4.0.0 (signed by HashiCorp)

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure.
Applies the Terraform configuration to create or update infrastructure without asking for confirmation.
Terminal
terraform apply -auto-approve
Expected Output
aws_s3_bucket.example: Creating...
aws_s3_bucket.example: Creation complete after 3s [id=example-drift-detection-bucket]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
-auto-approve - Skips interactive approval prompt to automate deployment.
Checks for any differences between the current infrastructure and the Terraform code to detect drift. The exit code helps CI/CD pipelines decide next steps.
Terminal
terraform plan -detailed-exitcode
Expected Output
No changes. Infrastructure is up-to-date.
-detailed-exitcode - Returns exit code 2 if there are changes, 0 if no changes, 1 if error.
Run this command again after manually changing the S3 bucket outside Terraform to detect drift.
Terminal
terraform plan -detailed-exitcode
Expected Output
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_s3_bucket.example will be updated in-place
  ~ acl = "private" -> "public-read"

Plan: 0 to add, 1 to change, 0 to destroy.
-detailed-exitcode - Returns exit code 2 here because changes were found; that exit code is how the pipeline detects the drift.
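The pipeline step the commands above describe, as an added example that is not part of the original page: a POSIX shell script that runs terraform plan -detailed-exitcode and turns the documented exit codes (0 no changes, 1 error, 2 changes) into a CI verdict. The function names, the PLAN_LOG and DRIFT_CHECK_RUN variables, and the option of passing a substitute command are assumptions of this example; it also assumes terraform is on PATH and that terraform init has already run against a backend that persists state between pipeline runs.

```shell
#!/bin/sh
# Added example (not from the original page): CI drift-detection step built on
# the exit codes of `terraform plan -detailed-exitcode`.
# Assumptions: terraform is on PATH, `terraform init` has already run, and the
# backend persists state between runs (a local backend on a fresh CI runner
# would make every resource look new rather than drifted).

# Map the documented -detailed-exitcode values to a pipeline verdict:
#   0 -> clean (no drift), 1 -> error, 2 -> drift (changes pending)
classify_plan_exit() {
  case "$1" in
    0) echo "clean" ;;
    1) echo "error" ;;
    2) echo "drift" ;;
    *) echo "unknown" ;;
  esac
}

# Run the plan and print a verdict. Any command passed as arguments replaces
# the terraform invocation, which lets the step be exercised without a cloud
# account (hypothetical convenience for this example).
# -input=false stops CI from hanging on variable prompts; -no-color keeps the
# saved plan log readable as a job artifact. PLAN_LOG defaults to plan.log.
detect_drift() {
  if [ "$#" -eq 0 ]; then
    set -- terraform plan -detailed-exitcode -input=false -no-color
  fi
  # Run inside `if` so a non-zero status is captured rather than aborting
  # the script when the caller has enabled `set -e`.
  if "$@" >"${PLAN_LOG:-plan.log}" 2>&1; then
    rc=0
  else
    rc=$?
  fi
  classify_plan_exit "$rc"
}

# Convert a verdict into the status the CI job should report. Drift fails the
# job with a distinct code (2) so it is noticed and triaged, never silently
# auto-applied; errors and unknown codes fail with 1.
verdict_to_exit() {
  case "$1" in
    clean) return 0 ;;
    drift) return 2 ;;
    *) return 1 ;;
  esac
}

# Stand-alone pipeline use:  DRIFT_CHECK_RUN=1 sh drift_check.sh
# Gated by an environment variable (assumed name) so the file can be sourced
# or tested on a machine without Terraform installed.
if [ "${DRIFT_CHECK_RUN:-0}" = 1 ]; then
  verdict=$(detect_drift)
  echo "drift check: $verdict (plan output in ${PLAN_LOG:-plan.log})"
  verdict_to_exit "$verdict"
  exit $?
fi
```

Most CI systems treat any non-zero step status as a failure, so the job fails on both drift and error; keeping the two codes distinct lets a later step (a notification on 2, a retry or alert on 1) tell them apart without parsing plan text.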
Key Concept

If you remember nothing else from this pattern, remember: terraform plan with -detailed-exitcode lets your CI/CD detect infrastructure drift automatically.

Common Mistakes
Not using the -detailed-exitcode flag with terraform plan in CI/CD pipelines.
Without this flag, the pipeline cannot detect drift because terraform plan returns exit code 0 whenever the plan succeeds, whether or not changes exist.
Always use terraform plan -detailed-exitcode in your CI/CD to catch drift by checking the exit code.

Manually changing infrastructure without updating Terraform code.
This causes drift that can lead to unexpected behavior and deployment failures.
Make all infrastructure changes through Terraform code and pipelines to keep state consistent.

Not running terraform init before terraform plan or apply.
Terraform commands fail or behave unpredictably without initialization.
Run terraform init once before other commands in a new working directory.
Summary
Run terraform init to prepare your working directory and providers.
Use terraform apply -auto-approve to deploy infrastructure automatically.
Use terraform plan -detailed-exitcode in CI/CD to detect drift by checking for differences between code and real infrastructure.