
Drift detection in CI/CD in Terraform - Deep Dive

Overview - Drift Detection in CI/CD
What is it?
Drift detection in CI/CD means finding out if the real cloud setup has changed from what your code says it should be. It checks if someone or something changed your cloud resources outside your usual update process. This helps keep your cloud setup reliable and predictable. Without it, your cloud might behave unexpectedly and cause problems.
Why it matters
Cloud setups can change without your knowledge, causing errors or security risks. Drift detection helps catch these changes early, so you can fix them before they cause outages or data loss. Without drift detection, teams might waste time troubleshooting mysterious issues or face downtime, costing money and trust.
Where it fits
You should first understand basic CI/CD pipelines and infrastructure as code (IaC) with Terraform. After learning drift detection, you can explore automated remediation and advanced monitoring to keep your cloud healthy and secure.
Mental Model
Core Idea
Drift detection is like a security guard comparing a checklist to the actual building to spot any unauthorized changes.
Think of it like...
Imagine you have a detailed map of your house layout. Drift detection is like walking through your house and checking if any furniture or walls have moved without your permission.
┌───────────────────────────────┐
│        Desired State (Code)   │
│  (Terraform configuration)    │
└──────────────┬────────────────┘
               │
               ▼
┌───────────────────────────────┐
│       Actual State (Cloud)     │
│ (Resources running in cloud)   │
└──────────────┬────────────────┘
               │
               ▼
┌───────────────────────────────┐
│       Drift Detection Tool     │
│  Compares desired vs actual   │
│  Reports differences (drift)  │
└───────────────────────────────┘
Build-Up - 7 Steps
1. Foundation: Understanding Desired vs Actual State
Concept: Learn the difference between what your code says and what is really running in the cloud.
When you write Terraform code, you describe how your cloud resources should look. This is the desired state. The actual state is what is currently running in your cloud account. Sometimes, these two can be different if changes happen outside your code.
Result
You can now tell that your cloud setup has two states: desired (code) and actual (real).
Understanding these two states is key because drift detection compares them to find problems.
2. Foundation: What Is Drift and Why It Happens
Concept: Drift means the actual cloud setup changed without updating the code.
Drift can happen if someone manually changes a server, a script updates a setting, or a cloud provider changes defaults. These changes make the actual state different from the desired state.
Result
You realize drift is a mismatch caused by outside changes.
Knowing why drift happens helps you see why automatic checks are needed to keep your cloud reliable.
3. Intermediate: How CI/CD Pipelines Use Drift Detection
Before reading on: do you think drift detection runs before or after deployment in CI/CD? Commit to your answer.
Concept: Drift detection is integrated into CI/CD to catch changes before or after deployment.
In CI/CD, drift detection can run as a step that compares the current cloud state with the code. If drift is found, the pipeline can alert the team or stop deployment until fixed.
Result
Your pipeline can automatically find and report drift, preventing unexpected cloud states.
Integrating drift detection in CI/CD ensures your cloud matches your code continuously, reducing surprises.
4. Intermediate: Terraform's Role in Drift Detection
Before reading on: does Terraform automatically fix drift or just report it? Commit to your answer.
Concept: Terraform can detect drift by comparing its state file with the real cloud but does not fix it automatically without apply.
Terraform keeps a state file representing the last known cloud setup. When you run 'terraform plan', it compares this state with the actual cloud resources. Differences mean drift. Terraform shows these differences so you can decide to fix them.
Result
You can detect drift using Terraform commands and decide when to apply fixes.
Knowing Terraform reports drift but requires manual apply helps prevent accidental changes.
5. Intermediate: Automating Drift Detection in CI/CD Pipelines
Before reading on: do you think drift detection should block deployments or just warn? Commit to your answer.
Concept: Drift detection can be automated to run regularly and enforce cloud consistency.
You can add drift detection as a step in your CI/CD pipeline using Terraform commands or cloud provider tools. If drift is detected, the pipeline can fail or notify the team. This automation keeps cloud and code in sync.
Result
Your cloud environment stays consistent with your code through automated checks.
Automating drift detection reduces manual effort and catches issues early.
6. Advanced: Handling Drift Remediation Safely
Before reading on: should drift remediation always be automatic? Commit to your answer.
Concept: Deciding when and how to fix drift is critical to avoid unintended consequences.
Some drift fixes can cause downtime or data loss if applied blindly. Experts design pipelines to alert first, review changes, then apply fixes. Sometimes, manual intervention is safer than automatic remediation.
Result
You understand the balance between automation and control in fixing drift.
Knowing when to automate fixes and when to review prevents costly mistakes in production.
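Steps 5 and 6 together describe a pipeline step that runs Terraform, decides whether drift is present, and then either fails, warns, or allows low-risk fixes to proceed. The script below is an added example of such a gate; it is not code from the page or from Terraform. It assumes Terraform 0.15.4 or later (for 'terraform plan -refresh-only', '-detailed-exitcode' and 'terraform show -json'), reads only the "resource_drift" array of the plan JSON, and uses constructed policy values (AUTO_REMEDIATE_TYPES, IGNORED_ATTRS) and a constructed SAMPLE_PLAN so it can also run without a cloud account. Deletions and drift on any non-allowlisted resource type block the job for human review; drift limited to the allowlist only warns, which is where a later step could apply the refresh-only plan.

```python
"""CI drift gate for Terraform (added example; not code from the page).

Assumes Terraform >= 0.15.4 for `plan -refresh-only` and `show -json`.
The policy sets and SAMPLE_PLAN below are constructed placeholders.
"""
import json
import shutil
import subprocess
import sys
from dataclasses import dataclass, field

# Exit codes documented for `terraform plan -detailed-exitcode`.
EXIT_NO_CHANGES, EXIT_ERROR, EXIT_CHANGES = 0, 1, 2

# Constructed policy: drift on these types is low-risk and may be applied
# automatically; drift on anything else (or any deletion) needs human review.
AUTO_REMEDIATE_TYPES = {"aws_cloudwatch_log_group", "aws_s3_bucket_public_access_block"}
# Constructed exclusions: attributes legitimately changed by other tooling.
IGNORED_ATTRS = {"aws_instance": {"tags.LastPatched"}}

# Constructed stand-in for `terraform show -json drift.tfplan` (subset of the
# plan JSON format: only the "resource_drift" array is used here).
SAMPLE_PLAN = {
    "resource_drift": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["update"],
                    "before": {"instance_type": "t3.micro", "tags": {"LastPatched": "2024-01-01"}},
                    "after": {"instance_type": "t3.micro", "tags": {"LastPatched": "2024-02-01"}}}},
        {"address": "aws_cloudwatch_log_group.app", "type": "aws_cloudwatch_log_group",
         "change": {"actions": ["update"],
                    "before": {"retention_in_days": 30}, "after": {"retention_in_days": 7}}},
    ]
}


@dataclass
class DriftItem:
    address: str
    type: str
    actions: list
    attrs: list = field(default_factory=list)


def flatten(value, prefix=""):
    """Turn nested attribute maps into dotted paths, e.g. tags.LastPatched."""
    if isinstance(value, dict):
        out = {}
        for key, child in value.items():
            out.update(flatten(child, f"{prefix}{key}."))
        return out
    return {prefix.rstrip("."): value}


def drift_from_plan(plan):
    """Collect drifted resources from plan JSON, dropping excluded attributes."""
    items = []
    for rc in plan.get("resource_drift", []):
        change = rc["change"]
        ignore = IGNORED_ATTRS.get(rc["type"], set())
        before = flatten(change.get("before") or {})
        after = flatten(change.get("after") or {})
        attrs = sorted(a for a in set(before) | set(after)
                       if before.get(a) != after.get(a) and a not in ignore)
        if not attrs:
            continue  # only excluded attributes moved: not treated as drift
        items.append(DriftItem(rc["address"], rc["type"], list(change["actions"]), attrs))
    return items


def decide(items):
    """'ok' (no drift), 'warn' (all low-risk, auto-remediable) or 'block' (review)."""
    if not items:
        return "ok"
    if all(i.type in AUTO_REMEDIATE_TYPES and "delete" not in i.actions for i in items):
        return "warn"
    return "block"


def gate(exit_code, plan):
    """Combine the plan exit code with the plan JSON into a pipeline verdict."""
    if exit_code == EXIT_ERROR:
        return "error", []
    if exit_code == EXIT_NO_CHANGES:
        return "ok", []
    items = drift_from_plan(plan)
    return decide(items), items


def main():
    if shutil.which("terraform"):
        # Refresh-only plan: state vs live resources, ignoring pending config edits.
        code = subprocess.run(["terraform", "plan", "-refresh-only", "-detailed-exitcode",
                               "-input=false", "-no-color", "-out=drift.tfplan"]).returncode
        plan = {}
        if code == EXIT_CHANGES:
            shown = subprocess.run(["terraform", "show", "-json", "drift.tfplan"],
                                   capture_output=True, text=True, check=True)
            plan = json.loads(shown.stdout)
    else:
        code, plan = EXIT_CHANGES, SAMPLE_PLAN  # offline demo on constructed data
    verdict, items = gate(code, plan)
    for item in items:
        print(f"{item.address} [{','.join(item.actions)}]: {', '.join(item.attrs)}")
    print(f"drift verdict: {verdict}")
    sys.exit(1 if verdict in ("block", "error") else 0)  # 'warn' lets the job continue


if __name__ == "__main__":
    main()
```

Run it from an initialised Terraform working directory in the pipeline; without Terraform on the PATH it evaluates the constructed sample, where the instance's excluded tag is dropped and only the log-group retention change remains, giving a 'warn' verdict.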
7. Expert: Challenges and Limits of Drift Detection
Before reading on: do you think drift detection can catch all changes perfectly? Commit to your answer.
Concept: Drift detection has limits due to timing, state accuracy, and external factors.
Drift detection depends on accurate state files and timely scans. Some changes happen between scans or outside Terraform's knowledge. Also, complex dependencies can hide drift. Experts combine drift detection with monitoring and audits for best results.
Result
You see drift detection as one tool among many to maintain cloud health.
Understanding drift detection limits helps design more resilient cloud management strategies.
Under the Hood
Terraform stores a state file representing the last applied cloud setup. When you run 'terraform plan', it queries the cloud provider APIs to get the current resource states. It compares these live states with the state file and the desired configuration. Differences are reported as drift. This process uses provider-specific APIs and Terraform's internal graph to detect changes.
Why designed this way?
Terraform uses a state file to track resources because cloud APIs do not provide a single source of truth. This design allows Terraform to plan changes safely and detect drift. Alternatives like purely declarative systems without state can be less precise or slower. The state file approach balances accuracy and performance.
┌───────────────┐       ┌───────────────┐       ┌───────────────┐
│ Desired State │──────▶│ Terraform     │──────▶│ Cloud APIs    │
│ (Config Code) │       │ State File    │       │ (Actual State)│
└──────┬────────┘       └──────┬────────┘       └──────┬────────┘
       │                       │                       │
       │                       │                       │
       │                       ▼                       │
       │               ┌───────────────┐               │
       └──────────────▶│ Drift Compare │◀──────────────┘
                       └───────────────┘
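To make the three-way comparison concrete, here is an added illustration of the logic "Under the Hood" describes; it is a simplified model written for this page, not Terraform's own code. The three maps (CONFIG, STATE, ACTUAL) are constructed sample data keyed by resource address. It shows drift (state vs live) and planned changes (config vs live) as separate findings, and it also shows why a resource created outside Terraform never appears as drift: it has no entry in the state file, so the comparison never looks at it.

```python
"""Three-way comparison behind `terraform plan` (added illustration; not
Terraform's code). Sample data below is constructed.

  config - desired state from the .tf files
  state  - last known state (terraform.tfstate)
  actual - what the provider API returns when Terraform refreshes
Drift is state != actual; a planned change is config != refreshed state.
"""
from dataclasses import dataclass

RESOURCE = "<resource>"  # marker for whole-resource findings


@dataclass(frozen=True)
class Finding:
    address: str
    kind: str   # "drift" or "planned-change"
    attr: str
    old: object
    new: object


def compare(config, state, actual):
    """Return (drift, planned) lists in the order addresses appear in state."""
    drift, planned = [], []
    # Only addresses recorded in state are known to Terraform: that is why
    # resources created outside Terraform never show up as drift.
    for address, prior in state.items():
        live = actual.get(address)
        if live is None:
            drift.append(Finding(address, "drift", RESOURCE, "present", "deleted"))
        else:
            for attr in sorted(set(prior) | set(live)):
                if prior.get(attr) != live.get(attr):
                    drift.append(Finding(address, "drift", attr, prior.get(attr), live.get(attr)))
        desired = config.get(address)
        if desired is None:
            if live is not None:  # removed from config but still exists: destroy
                planned.append(Finding(address, "planned-change", RESOURCE, "present", "destroy"))
        elif live is None:        # still in config but gone from the cloud: recreate
            planned.append(Finding(address, "planned-change", RESOURCE, "deleted", "create"))
        else:
            for attr in sorted(desired):
                if live.get(attr) != desired[attr]:
                    planned.append(Finding(address, "planned-change", attr, live.get(attr), desired[attr]))
    for address in config:
        if address not in state:
            planned.append(Finding(address, "planned-change", RESOURCE, "absent", "create"))
    return drift, planned


def unmanaged(actual, state):
    """Live resources Terraform never recorded; invisible to this comparison."""
    return sorted(a for a in actual if a not in state)


# Constructed sample: a security group rule widened by hand, an IAM role
# deleted outside Terraform, and an instance launched outside Terraform.
CONFIG = {
    "aws_security_group.web": {"ingress_cidr": "10.0.0.0/8"},
    "aws_s3_bucket.logs": {"versioning": True},
    "aws_iam_role.deploy": {"name": "deploy"},
}
STATE = {
    "aws_security_group.web": {"ingress_cidr": "10.0.0.0/8"},
    "aws_s3_bucket.logs": {"versioning": True},
    "aws_iam_role.deploy": {"name": "deploy"},
}
ACTUAL = {
    "aws_security_group.web": {"ingress_cidr": "0.0.0.0/0"},
    "aws_s3_bucket.logs": {"versioning": True},
    "aws_instance.rogue": {"instance_type": "t3.large"},
}

if __name__ == "__main__":
    drift, planned = compare(CONFIG, STATE, ACTUAL)
    for f in drift + planned:
        print(f"{f.kind:15} {f.address} {f.attr}: {f.old!r} -> {f.new!r}")
    print("not visible to Terraform:", unmanaged(ACTUAL, STATE))
```

Note that every drift finding here is mirrored by a planned change that reverts it, which is exactly why a plain 'terraform apply' after drift undoes the manual edit, and why the rogue instance is only found by a separate inventory or audit rather than by Terraform.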
Myth Busters - 4 Common Misconceptions
Quick: Does Terraform automatically fix drift when detected? Commit to yes or no.
Common Belief: Terraform automatically fixes any drift it finds during plan or apply.
Reality: Terraform only reports drift during 'plan'; it fixes drift only when you run 'apply' explicitly.
Why it matters: Assuming automatic fixes can cause unexpected changes or downtime if 'apply' is run without review.
Quick: Can drift detection catch changes made by all cloud tools? Commit to yes or no.
Common Belief: Drift detection catches every change made to cloud resources, no matter how or where.
Reality: Drift detection only sees changes visible to Terraform and the cloud APIs it uses; some external changes might be missed.
Why it matters: Missing some drift can lead to hidden issues and false confidence in cloud state.
Quick: Is drift detection only useful in large cloud environments? Commit to yes or no.
Common Belief: Drift detection is only necessary for big or complex cloud setups.
Reality: Drift can happen in any environment, even small ones; early detection prevents bigger problems later.
Why it matters: Ignoring drift in small setups can cause unexpected failures and harder troubleshooting.
Quick: Does drift detection always block deployments if drift is found? Commit to yes or no.
Common Belief: Drift detection must always stop deployments to keep cloud safe.
Reality: Drift detection can be configured to warn or block depending on risk tolerance and team processes.
Why it matters: Rigid blocking can slow teams unnecessarily; flexible policies balance safety and speed.
Expert Zone
1. Drift detection accuracy depends heavily on the freshness and correctness of the Terraform state file; stale or corrupted state can cause false positives or negatives.
2. Some cloud resources have properties that change frequently or are managed outside Terraform, requiring custom drift detection rules or exclusions.
3. Integrating drift detection with policy-as-code tools allows automated enforcement of compliance alongside drift checks.
When NOT to use
Drift detection is less useful in environments where infrastructure is managed manually or by multiple tools without a single source of truth. In such cases, adopting a full infrastructure as code approach or using cloud-native configuration management tools is better.
Production Patterns
Teams run drift detection as part of nightly CI/CD jobs or pre-deployment gates. Alerts are sent to chat or ticketing systems. Some use automated remediation for low-risk resources and manual review for critical ones. Drift detection is combined with monitoring and auditing for full cloud governance.
Connections
Version Control Systems
Drift detection builds on the idea of tracking changes and differences, similar to how version control tracks code changes.
Understanding how version control compares file versions helps grasp how drift detection compares cloud states.
Quality Control in Manufacturing
Both drift detection and quality control check if the final product matches the design specifications.
Seeing drift detection as quality control highlights its role in maintaining standards and preventing defects.
Biological Homeostasis
Drift detection is like a body’s system that detects and corrects imbalances to keep stable conditions.
This connection shows how systems maintain stability by detecting and fixing deviations, a universal principle.
Common Pitfalls
#1 Ignoring drift detection leads to unnoticed cloud changes.
Wrong approach:
terraform apply -auto-approve   # no drift detection step before apply
Correct approach:
terraform plan                  # review the plan output for drift
terraform apply                 # apply only after confirming there is no unwanted drift
Root cause: Skipping drift detection causes blind changes and potential outages.
#2 Running drift detection without an up-to-date state file.
Wrong approach:
terraform plan                  # using an old or corrupted terraform.tfstate file
Correct approach:
terraform refresh               # sync the state file with live resources before planning
                                # (deprecated since Terraform 0.15.4: 'terraform plan -refresh-only'
                                # is the current form, and a plain 'terraform plan' refreshes by default)
terraform plan                  # plan against the refreshed state for accurate drift detection
Root cause: An outdated state file causes incorrect drift reports.
#3 Automatically applying all drift fixes without review.
Wrong approach:
terraform apply -auto-approve   # fixes drift automatically without a human check
Correct approach:
terraform plan                  # review the drift changes
terraform apply                 # apply only after manual approval
Root cause: Blind automation risks unintended disruptions.
Key Takeaways
Drift detection compares your cloud's real setup with your code to find unexpected changes.
It is essential in CI/CD pipelines to keep infrastructure reliable and predictable.
Terraform detects drift by comparing its state file with actual cloud resources but requires manual apply to fix drift.
Automating drift detection helps catch issues early but balancing automation with manual review prevents mistakes.
Drift detection is one tool among many for cloud health; understanding its limits leads to better cloud management.