Terraform Drift Detection
Overview
Detect and categorize drift between Terraform-managed state and actual infrastructure. Drift indicates out-of-band changes that can cause problems during the next apply.
Announce at start: "I'm using the terraform-drift-detection skill to check for infrastructure drift."
The Process
Step 1: Verify Environment
# Verify AWS credentials and account
aws sts get-caller-identity
# Confirm we're in the right directory/environment
pwd
ls -la *.tf 2>/dev/null | head -5
Step 2: Refresh State
# Initialize if needed
terraform init
# Refresh state to detect drift
terraform plan -refresh-only -out=drift.out
# Convert to JSON for analysis
terraform show -json drift.out > drift.json
Step 3: Analyze Drift
Parse drift.json and categorize changes:
Drift Categories
| Category | Severity | Examples |
|---|---|---|
| Security Drift | CRITICAL | Security groups, IAM, encryption |
| Configuration Drift | HIGH | Instance settings, networking |
| Tag Drift | LOW | Tags modified outside Terraform |
| Metadata Drift | INFO | AWS-managed fields that change |
Step 4: Dispatch Analysis Agent
Task(drift-detector) → Categorize and assess drift impact
Agent should:
- Categorize each drifted resource
- Assess impact of accepting vs rejecting drift
- Identify potential causes (manual changes, AWS updates, etc.)
Step 5: Present Findings
## Drift Detection Report
### Summary
- Total drifted resources: X
- Critical drift: Y
- High drift: Z
- Low/Info drift: W
### Critical Drift (Requires Immediate Attention)
| Resource | Attribute | State Value | Actual Value |
|----------|-----------|-------------|--------------|
| ... | ... | ... | ... |
### Potential Causes
- Manual console changes: [list if detected]
- AWS service updates: [list if detected]
- Unknown origin: [list if detected]
### Recommended Actions
1. [Action for each drifted resource]
Step 6: Resolution Options
Present user with options:
- Accept Drift: Run
terraform apply -refresh-onlyto update state to match actual - Reject Drift: Run
terraform applyto revert actual infrastructure to match code - Investigate: Manual review needed before deciding
- Hybrid: Accept some drift, reject other drift
Never auto-resolve drift. Always get user approval.
Common Drift Sources
Intentional (Usually Accept)
- AWS auto-scaling adjustments
- Managed service updates
- Emergency manual fixes (document these!)
Unintentional (Usually Reject)
- Console click-ops mistakes
- Unapproved manual changes
- Conflicting automation
Systemic (Fix Root Cause)
- Multiple tools managing same resources
- Missing Terraform coverage
- CI/CD race conditions
Integration with Memory
Store detected drift patterns:
- Which resources commonly drift
- Common causes in this environment
- Resolution preferences
Query memory before analysis:
- Has this resource drifted before?
- What was the cause last time?
- What resolution was chosen?
Verification Checklist
Before presenting:
- Refresh completed successfully
- All drift categorized by severity
- Root causes identified where possible
- Resolution options are clear
- No sensitive values exposed in output