Take control of infrastructure drift

Infrastructure as code is awesome, but there are so many moving parts: codebase, state file, actual state.
Things tend to drift.

Drift happens 
when team members update infrastructure through the web console without telling anyone
with uncontrolled updates on the provider side
when you use scripts

How it works

Track coverage
Run ./driftctl to scan the IaC codebase, and compare it to the actual infrastructure state on the provider side. Get a report on infrastructure as code coverage metric.
Prioritize and sort drift events
Drift-CTL sorts and prioritizes events by impact. Drift events can be ignored if they are noise, or flagged if they are important.
Alert on drift
Drift-CTL alerts users when critical drift happens. It can run at scheduled intervals, or it can be integrated in your CI.

Drift-CTL is a free and open-source CLI that tracks, analyzes, prioritizes, and warns users of infrastructure drift


Infrastructure drift happens when the state of your actual infrastructure (for instance services deployed on AWS) becomes different from the expected state (services created in code+manually managed and known)

Infrastructure as Code is a never-ending process and changes are very frequent. Uncontrolled drifts are devops nightmare because drift causes security issues, additional cost, and toil.

If you only have a partial Infrastructure as Code coverage

You are still managing manually-created resources, while most new resources might end up under source control.
In this case, the easy to use code coverage tool, will help you know exactly what’s the proportion of manual resources and IaC managed resources.

If you are still on the path towards a full automation of your cloud resources, chances are that you have an increased risk of manual interactions as you are still used to utilizing the cloud provider console to manage existing resources. Mistakes can happen: a resource managed by some IaC can end up being manually modified, and next time Terraform is applied, there’s a drift to manage (imagine that situation during an emergency ‘terraform apply…)

Another complexity you are facing is the visibility of manually created resources. When most of the team’s IaaS users’ identities are automated, how do you realize another one was just created manually, therefore out of control? Drift-CTL will alert you that a new resource was manually created, also lowering the code coverage score, so you can improve your IaC codebase promptly.

If you have a higher Infrastructure as Code maturity and automation level

While advanced teams with full infrastructure automation are still an exception today, they often interact with lesser skilled members, or in large companies, teams. Drift-CTL will help you guarantee everything stays well under control, with immediate feedback.

You will also be interested in changes made inadvertently not by humans but by IaaS-authenticated applications or microservices (a developer can do a lot with IAM keys and a SDK!).

The more advanced teams with the most coverage are bound to handle multiple generations of tools: maybe one product is managed with CloudFormation, the second one with Terraform, and the last one with Pulumi. Drift-CTL unifies the visibility of all changes across all the IaC tools you deployed.

(See also how is it different from other tools)

Drift-CTL will support Terraform on its first release. The project roadmap includes Pulumi, Cloud Formation and ARM support as well. 

Drift-CTL is a simple but powerful tool to control infrastructure drift in order to improve DevOps productivity and to avoid security/compliance issues introduced by unknown configurations. 

  1. Define your coverage : Drift-CTL scans your IaC codebase, and compares it to the actual infrastructure state on the provider side. It then reports an infrastructure as code coverage metric.
  2. Detect : Drift-CTL scans periodically your cloud provider and detect drift
  3. Sort : Drift-CTL sorts and prioritizes events by impact. Drift events can be ignored if they are noise, ignored as a known drift, or flagged it they are important
  4. Alert : Drift-CTL alerts users when critical drift happens. It can run at scheduled intervals, or it can be integrated in your CI
  5. Remediate (roadmap) : Drift-CTL submits PR to reintroduce unmanaged resources in the code and erase unwanted ressource.
  • By testing the tool and providing us with feedback and issues ⚠️
  • By proposing new features 💡
  • By spreading the word 📣
  • By giving the project a star ⭐

How is it different from terrafom plan, terraform refresh or Cloud Formation drift detection?

While IaC tools are only able to detect drifts within their scope, they are blind to all other resources you may have in within your environments. Drift-CTL works in and out of the IaC scoped resources.

Terraform refresh only grabs a delta from the IaaS to the Terraform state, for a resource already managed by Terraform. It doesn’t handle drifts per se, but simply acknowledges a remote change not seen in the local state.

Terraform plan is the opposite: it wants to apply the local code and solve the delta between the intention, local state, and IaaS reality. Even for you resources defined by Infrastructure as Code, Terraform Plan does not provide a complete change coverage (attached resources are not covered for example) and lets some critical changes go undetected with potential security threats wide open.

In both cases, whatever exists out of Terraform is not seen. There’s a huge visibility issue here (and through that: security).

Drift-CTL is also tightly integrated with the IaaS provider and offers a lot more context than the simple configuration drift. It will provide historical data (“it already happened 5 times in the last 5 weeks”), pattern detection (“this S3 bucket appears every day at 05:00:00”), and enhanced drift data (“this change was made by IAM #12345 on 2020/9/8 at 11:04 AM”)*.



Yes! Drift-CTL is a free and open-source software. It is not released yet, so just click on the links below to join the alpha list and get updates on the project.