
Drift detection in CI/CD in Terraform - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is drift detection in the context of CI/CD?
Drift detection is the process of identifying differences between the desired infrastructure state defined in code and the actual state of the resources running in the cloud or environment.
beginner
Why is drift detection important in Terraform-based CI/CD pipelines?
It verifies that the deployed infrastructure still matches the code before new changes are applied, so manual edits made in a console or changes made by external tooling are surfaced and reviewed rather than silently overwritten or silently kept.
beginner
Which Terraform command is commonly used to detect drift?
terraform plan. By default it refreshes the state from the provider APIs and then compares the refreshed real state with the configuration, reporting every difference. With -detailed-exitcode it exits 0 when there are no changes, 1 on error and 2 when changes are present, which makes the result easy to gate on.
intermediate
How can drift detection be automated in a CI/CD pipeline?
Run terraform plan -detailed-exitcode on a schedule (or on every pipeline run) against the current main branch and fail the job on exit code 2 or 1. Because the code has not changed, any reported change is drift, and the failure alerts the team before an apply runs.
beginner
What is a common real-life analogy for drift detection?
It's like checking your house keys against a checklist before leaving to make sure nothing is missing or changed unexpectedly.
What does Terraform's terraform plan command do in drift detection?
A. Shows differences between code and actual infrastructure
B. Deletes all infrastructure
C. Deploys new infrastructure without checking
D. Only formats the code files

Why should drift detection be part of a CI/CD pipeline?
A. To send notifications to users
B. To speed up code compilation
C. To backup code files
D. To automatically detect and prevent unexpected infrastructure changes

What happens if drift is detected during a CI/CD pipeline run?
A. The pipeline can fail to alert the team
B. The pipeline ignores it and continues
C. The infrastructure is deleted
D. The code is automatically changed

Which of these is NOT a cause of drift?
A. Manual changes made directly in the cloud console
B. Configuration files left unchanged
C. External scripts modifying resources
D. Infrastructure as code updates

What is a simple way to fix drift once detected?
A. Ignore the drift and continue
B. Delete all resources manually
C. Run terraform apply to align infrastructure with code
D. Restart the CI/CD server
Explain what drift detection is and why it matters in a Terraform CI/CD pipeline.
Think about how code and real infrastructure can get out of sync.

Describe how you would automate drift detection in a CI/CD pipeline using Terraform commands.
Consider what commands show differences and how the pipeline should respond.

Practice

      1. What is the main purpose of drift detection in a Terraform CI/CD pipeline?
      easy
      A. To find differences between the Terraform code and the actual infrastructure
      B. To speed up the deployment process by skipping validation
      C. To automatically delete unused resources without approval
      D. To generate documentation for the infrastructure

      Solution

      1. Step 1: Understand drift detection concept

        Drift detection compares the current real infrastructure state with the Terraform code to find differences.
      2. Step 2: Identify the purpose in CI/CD

        In CI/CD, drift detection helps catch unexpected changes before applying new updates.
      3. Final Answer:

        To find differences between the Terraform code and the actual infrastructure -> Option A
      4. Quick Check:

        Drift detection = find differences [OK]
      Hint: Drift detection = spot differences before apply [OK]
      Common Mistakes:
      • Thinking drift detection speeds deployment
      • Assuming it deletes resources automatically
      • Confusing it with documentation generation
      2. Which Terraform command is commonly used in CI/CD pipelines to detect drift before applying changes?
      easy
      A. terraform plan
      B. terraform apply
      C. terraform init
      D. terraform destroy

      Solution

      1. Step 1: Recall Terraform commands

        terraform plan shows the changes Terraform will make without applying them.
      2. Step 2: Identify drift detection command

        terraform plan detects differences (drift) between code and real infrastructure before apply.
      3. Final Answer:

        terraform plan -> Option A
      4. Quick Check:

        Detect drift = terraform plan [OK]
      Hint: Use terraform plan to preview changes [OK]
      Common Mistakes:
      • Using terraform apply which changes infrastructure
      • Confusing terraform init with drift detection
      • Using terraform destroy which deletes resources
      3. Given the following Terraform plan output snippet in a CI/CD pipeline:
        # aws_instance.example will be updated in-place
        ~ tags = {
            - "Environment" = "dev"
            + "Environment" = "prod"
          }

      What does this output indicate about drift?
      medium
      A. Terraform will ignore the tag change
      B. The instance will be destroyed and recreated
      C. No drift is detected; tags remain unchanged
      D. The tag "Environment" has drifted from "dev" to "prod" and will be updated

      Solution

      1. Step 1: Analyze the plan output

        The '~' symbol means an in-place update (no destroy and recreate). Inside the tags map, the '-' line is the value Terraform currently sees on the resource after refresh ("dev") and the '+' line is the value the configuration asks for ("prod").
      2. Step 2: Understand drift implication

        The real infrastructure tag differs from the code, and apply would set it to "prod". In a drift-detection job that runs against unchanged code this is drift; on a run that follows a code change the same diff would be an intended update. Terraform 0.15.4 and later print a separate "Objects have changed outside of Terraform" note for changes found during refresh, which is the reliable way to tell the two apart.
      3. Final Answer:

        The tag "Environment" has drifted from "dev" to "prod" and will be updated -> Option D
      4. Quick Check:

        ~ means update tag from dev to prod [OK]
      Hint: Look for ~ symbol to spot in-place updates [OK]
      Common Mistakes:
      • Thinking resource will be destroyed instead of updated
      • Ignoring tag changes as no drift
      • Assuming Terraform ignores tag differences
      4. You run terraform plan in your CI/CD pipeline but it does not detect drift even though manual changes were made outside Terraform. What is the most likely cause?
      medium
      A. Terraform automatically ignores manual changes
      B. You forgot to run terraform apply first
      C. Terraform state file is outdated or corrupted
      D. The provider plugin is missing

      Solution

      1. Step 1: Understand drift detection dependency

        Terraform does not inspect the whole account. It refreshes only the resources recorded in its state file and compares those with the configuration; the state is what binds a configuration block to a real object.
      2. Step 2: Identify cause of missed drift

        If the pipeline reads a stale or corrupted state (for example a different backend, workspace or state key than the one that manages the resources, or a state that never recorded the changed object), the refresh has nothing to compare and the manual change is invisible. Also confirm the job did not run with -refresh=false and that the attribute is not excluded with lifecycle { ignore_changes = [...] }, since both hide drift on purpose.
      3. Final Answer:

        Terraform state file is outdated or corrupted -> Option C
      4. Quick Check:

        State file outdated = missed drift detection [OK]
      Hint: Check state file freshness if drift not detected [OK]
      Common Mistakes:
      • Assuming terraform apply affects drift detection
      • Believing Terraform ignores manual changes by design
      • Thinking missing provider causes drift detection failure
      5. In a CI/CD pipeline, you want to automatically detect drift and fail the pipeline if any drift is found before applying changes. Which approach best achieves this?
      hard
      A. Run terraform apply directly and rely on errors to detect drift
      B. Run terraform plan and parse its output to detect changes, then fail if changes exist
      C. Skip drift detection and always apply changes
      D. Manually check infrastructure outside the pipeline

      Solution

      1. Step 1: Understand CI/CD drift detection goal

        The goal is to detect drift and fail early before applying changes.
      2. Step 2: Choose correct command and method

        terraform plan shows drift without applying anything. Gate on its result rather than on the human-readable text, which changes between Terraform versions: terraform plan -detailed-exitcode exits 2 when changes exist (0 for none, 1 for errors), and terraform show -json <planfile> gives structured output that a script can inspect for resource_changes and resource_drift.
      3. Step 3: Evaluate other options

        Applying directly risks unwanted changes; manual checks are slow; skipping detection is unsafe.
      4. Final Answer:

        Run terraform plan and parse its output to detect changes, then fail if changes exist -> Option B
      5. Quick Check:

        Plan + parse output = fail on drift [OK]
      Hint: Use terraform plan output to gate pipeline success [OK]
      Common Mistakes:
      • Applying without checking drift first
      • Relying on manual checks in automated pipelines
      • Ignoring drift detection to speed up deploys
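Gating a pipeline on a plan, as an added example for the automation flashcard in Recall & Review and for this question (example code written here, not code from the original page or from Terraform itself). It assumes a preceding pipeline step ran `terraform plan -input=false -detailed-exitcode -out=tfplan` and then `terraform show -json tfplan > plan.json`, and relies only on the documented exit codes and the `resource_changes` / `resource_drift` arrays of Terraform's JSON plan format (`resource_drift` is the structured form of the "Objects have changed outside of Terraform" note). The embedded plan is a constructed sample with a made-up instance id and addresses; the function names are this example's own.

```python
"""Gate a CI/CD job on a Terraform plan instead of grepping plan text.

Assumed to run after:
    terraform plan -input=false -detailed-exitcode -out=tfplan ; rc=$?
    terraform show -json tfplan > plan.json
"""
import json

# Exit codes documented for `terraform plan -detailed-exitcode`.
PLAN_OK, PLAN_ERROR, PLAN_CHANGES = 0, 1, 2

# Constructed sample of `terraform show -json tfplan`, trimmed to the keys used
# below. The instance id and resource addresses are made up for this example.
SAMPLE_PLAN_JSON = """
{
  "resource_drift": [
    {"address": "aws_instance.example", "mode": "managed",
     "change": {"actions": ["update"],
                "before": {"id": "i-0123456789abcdef0", "tags": {"Environment": "prod"}},
                "after":  {"id": "i-0123456789abcdef0", "tags": {"Environment": "dev"}}}}
  ],
  "resource_changes": [
    {"address": "aws_instance.example", "mode": "managed",
     "change": {"actions": ["update"],
                "before": {"id": "i-0123456789abcdef0", "tags": {"Environment": "dev"}},
                "after":  {"id": "i-0123456789abcdef0", "tags": {"Environment": "prod"}}}},
    {"address": "aws_s3_bucket.logs", "mode": "managed",
     "change": {"actions": ["no-op"], "before": {"bucket": "logs"}, "after": {"bucket": "logs"}}},
    {"address": "aws_security_group.web", "mode": "managed",
     "change": {"actions": ["delete", "create"], "before": {"name": "web-old"}, "after": {"name": "web"}}}
  ]
}
"""


def load_sample_plan():
    """Parse the constructed sample plan (a real job would read plan.json)."""
    return json.loads(SAMPLE_PLAN_JSON)


def verdict_from_exit_code(rc):
    """Map the -detailed-exitcode result to a pipeline decision."""
    if rc == PLAN_OK:
        return "clean"
    if rc == PLAN_CHANGES:
        return "changes-pending"
    return "plan-failed"  # 1, or anything unexpected


def classify_plan(plan):
    """Split a JSON plan into drift (refresh saw the real object change since the
    last apply) and pending changes (configuration differs from refreshed state)."""
    drift = []
    for item in plan.get("resource_drift", []):
        change = item["change"]
        before, after = change.get("before") or {}, change.get("after") or {}
        attrs = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
        drift.append({"address": item["address"], "actions": change["actions"], "attributes": attrs})
    pending = []
    for item in plan.get("resource_changes", []):
        actions = item["change"]["actions"]
        if actions == ["no-op"]:
            continue
        pending.append({"address": item["address"], "actions": actions,
                        "replace": sorted(actions) == ["create", "delete"]})
    return {"drift": drift, "pending": pending}


def gate(plan, fail_on_pending=True):
    """Return (ok, reasons). Drift always fails: a human decides whether to revert
    it (apply) or adopt it (change the code) before anything is applied. A scheduled
    drift job on an unchanged branch also fails on pending changes, since there
    should be none; an apply job passes fail_on_pending=False."""
    summary = classify_plan(plan)
    reasons = ["DRIFT %s: %s on %s" % (d["address"], ",".join(d["actions"]), ",".join(d["attributes"]))
               for d in summary["drift"]]
    if fail_on_pending:
        reasons += ["%s %s: %s" % ("REPLACE" if p["replace"] else "CHANGE", p["address"], ",".join(p["actions"]))
                    for p in summary["pending"]]
    return len(reasons) == 0, reasons


def main():
    ok, reasons = gate(load_sample_plan())
    for line in reasons:
        print(line)
    return 0 if ok else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

On the sample plan the job exits 1 and prints one DRIFT line for the tag that was changed outside Terraform, one CHANGE line for the instance and one REPLACE line for the security group; flagging replacements separately matters because a destroy-and-create is the change most likely to cause an outage if it is waved through as "just drift".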