Detect and Fix Infrastructure Drift

Intermediate10 minTrending

Identify when real infrastructure has drifted from Terraform state and resolve discrepancies systematically.

Prerequisites

-Terraform installed
-Existing managed infrastructure

Steps

Refresh state to detect drift

Update the state file with the real-world status of all managed resources without making any changes.

$ terraform plan -refresh-only

The -refresh-only flag updates state without proposing any resource changes. Perfect for drift detection.

Apply the refresh to update state

Accept the refreshed state so Terraform knows the current real-world status of resources.

$ terraform apply -refresh-only

Review the refresh output carefully. This updates what Terraform considers the current state of your infrastructure.

Run a full plan to see pending changes

After refreshing, run a standard plan to see what changes Terraform would make to reconcile config with reality.

$ terraform plan -out=drift-fix.tfplan

Review specific resource state

Inspect the state of a specific resource to understand its current attributes as Terraform sees them.

$ terraform state show aws_instance.web

Decide: reconcile config or re-apply

Either update your .tf files to match the drifted state (accept drift) or apply the plan to enforce your config.

$ terraform apply drift-fix.tfplan

If the drift was intentional (e.g., emergency hotfix), update your config to match. If accidental, apply to enforce the desired state.

Full Script

full-script.sh

#!/bin/bash
set -euo pipefail

# Terraform Drift Detection Script
# Detects and reports infrastructure drift

echo "==> Refreshing state to detect drift..."
terraform plan -refresh-only -detailed-exitcode -no-color 2>&1 | tee /tmp/tf-drift.txt
REFRESH_EXIT=${PIPESTATUS[0]}

if [ "$REFRESH_EXIT" -eq 0 ]; then
  echo "No drift detected in state refresh."
elif [ "$REFRESH_EXIT" -eq 2 ]; then
  echo "WARNING: State drift detected during refresh."
  echo "Review the output above for details."
fi

echo ""
echo "==> Checking for configuration drift..."
terraform plan -detailed-exitcode -no-color 2>&1 | tee /tmp/tf-config-drift.txt
PLAN_EXIT=${PIPESTATUS[0]}

if [ "$PLAN_EXIT" -eq 0 ]; then
  echo "Infrastructure matches configuration. No drift."
elif [ "$PLAN_EXIT" -eq 2 ]; then
  echo ""
  echo "DRIFT DETECTED. Resources that would change:"
  grep -E "^  # " /tmp/tf-config-drift.txt || true
  echo ""
  echo "Review /tmp/tf-config-drift.txt for full details."
  echo "To fix: terraform apply or update your .tf files."
fi

FAQ

Discussion

Loading comments...

#!/bin/bash set -euo pipefail # Terraform Drift Detection Script # Detects and reports infrastructure drift echo "==> Refreshing state to detect drift..." terraform plan -refresh-only -detailed-exitcode -no-color 2>&1 | tee /tmp/tf-drift.txt REFRESH_EXIT=${PIPESTATUS[0]} if [ "$REFRESH_EXIT" -eq 0 ]; then echo "No drift detected in state refresh." elif [ "$REFRESH_EXIT" -eq 2 ]; then echo "WARNING: State drift detected during refresh." echo "Review the output above for details." fi echo "" echo "==> Checking for configuration drift..." terraform plan -detailed-exitcode -no-color 2>&1 | tee /tmp/tf-config-drift.txt PLAN_EXIT=${PIPESTATUS[0]} if [ "$PLAN_EXIT" -eq 0 ]; then echo "Infrastructure matches configuration. No drift." elif [ "$PLAN_EXIT" -eq 2 ]; then echo "" echo "DRIFT DETECTED. Resources that would change:" grep -E "^ # " /tmp/tf-config-drift.txt || true echo "" echo "Review /tmp/tf-config-drift.txt for full details." echo "To fix: terraform apply or update your .tf files." fi