CI/CD & GitOps Practical By Samson Tanimawo, PhD Published Nov 30, 2025 4 min read

Config Drift Detection

Drift between repo and runtime.

What config drift is

Drift: live infrastructure differs from the IaC source of truth.

Caused by: manual console changes, partial Terraform applies, third-party automation, deleted-then-recreated resources.

Drift undermines IaC. If the live state isn't what git says, your assumptions fail at incident time.

How to detect drift

Terraform: `terraform plan` refreshes state from the live infrastructure and shows where it differs from the config. Run weekly in CI.

Drift detection tools: AWS Config rules, Driftctl, env0, Spacelift drift detection.

Cloud-native: AWS Config, Azure Policy, GCP Config Validator.

Drift response

Drift detected in tier-1 resources fires an alert. Investigate same day.

Decide: was the drift intentional (then update IaC), accidental (then revert), or hostile (then incident).

Log every drift event. Patterns reveal which teams or tools cause the most drift.

Drift prevention

Console write access only via break-glass roles. SSO + audit log on every console session.

Read-only IAM for everyone except the deployer role. Engineers debug via read-only.

OPA or Sentinel policies block resource creation outside Terraform.

How to deploy drift detection

Start with a weekly Terraform plan in CI on production. The diff is posted to Slack.

Add policy enforcement after detection is proven. Prevention is harder; detect first.

Track drift count over time. Goal: zero drift on tier-1 resources.
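The CI step above, as an added example (not the author's code): it reads the JSON form of the weekly plan (`terraform show -json tfplan`), separates tier-1 drift from the rest using a hypothetical list of address globs, and builds the Slack message. The plan below is a constructed sample, and the tier-1 patterns and the run URL are assumptions.

```python
import json, sys
from fnmatch import fnmatch

# Constructed sample in the shape `terraform show -json tfplan` emits; only the
# keys this script reads are included. `resource_drift` lists changes Terraform
# found during refresh that happened outside Terraform, i.e. the drift itself.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_drift": [
        {"address": "aws_security_group.prod_db",
         "change": {"actions": ["update"],
                    "before": {"ingress_cidr": "10.0.0.0/16", "tags": {"tier": "1"}},
                    "after": {"ingress_cidr": "0.0.0.0/0", "tags": {"tier": "1"}}}},
        {"address": "aws_s3_bucket.dev_logs",
         "change": {"actions": ["update"],
                    "before": {"tags": {"owner": "a"}}, "after": {"tags": {"owner": "b"}}}},
        {"address": "aws_instance.dev_bastion",
         "change": {"actions": ["delete"], "before": {"id": "i-0"}, "after": None}},
    ],
}
# Hypothetical tier-1 inventory: glob patterns over resource addresses (assumption).
TIER1_PATTERNS = ["aws_security_group.prod_*", "module.prod_db.*", "aws_iam_role.*"]

def changed_keys(change):
    """Top-level attributes whose value differs; a null before/after is a create/delete."""
    before, after = change.get("before") or {}, change.get("after") or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))

def classify_drift(plan, tier1_patterns=TIER1_PATTERNS):
    """One finding per drifted resource, flagged tier-1 when its address matches."""
    findings = []
    for entry in plan.get("resource_drift", []):
        actions = entry["change"]["actions"]
        if actions == ["no-op"]:
            continue
        addr = entry["address"]
        findings.append({"address": addr, "actions": actions,
                         "changed_keys": changed_keys(entry["change"]),
                         "tier1": any(fnmatch(addr, p) for p in tier1_patterns)})
    return findings

def build_slack_payload(findings, run_url):
    """Tier-1 drift is an ALERT and listed first; the rest is INFO for the drift log."""
    tier1 = [f for f in findings if f["tier1"]]
    lines = [f"{'ALERT' if tier1 else 'INFO'}: {len(findings)} drifted resource(s), "
             f"{len(tier1)} tier-1 ({run_url})"]
    for f in sorted(findings, key=lambda f: not f["tier1"]):  # stable: tier-1 first
        mark = "T1" if f["tier1"] else "  "
        lines.append(f"{mark} {f['address']} {'/'.join(f['actions'])} {', '.join(f['changed_keys'])}")
    return {"text": "\n".join(lines)}

if __name__ == "__main__":  # usage: terraform show -json tfplan | python drift.py RUN_URL
    found = classify_drift(json.load(sys.stdin))
    print(json.dumps(build_slack_payload(found, sys.argv[1] if len(sys.argv) > 1 else "n/a")))
    sys.exit(1 if any(f["tier1"] for f in found) else 0)  # fail the job on tier-1 drift
```

Each finding is also the record to keep for the drift log; writing it to a file or a table is a one-line addition that gives the per-team and per-tool patterns the text describes.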