Resource drift occurs when the actual state of infrastructure resources differs from what Terraform expects based on its state file. This happens when changes are made to resources outside of Terraform's control, such as manual modifications through cloud provider consoles, CLI tools, or other automation systems.
When Terraform manages infrastructure, it maintains a state file that records the expected configuration of all managed resources. This state file serves as Terraform's source of truth about what exists in your environment. Resource drift creates a discrepancy between this recorded state and the real-world infrastructure.
Common causes of resource drift include:
1. Manual changes made by team members through provider dashboards or APIs
2. Auto-scaling events that modify resource counts or attributes (for example, the desired capacity of an auto-scaling group)
3. Patches or configuration updates applied by the cloud provider itself
4. Other automation tools modifying the same resources
5. Emergency fixes applied during incidents
Terraform detects drift during the 'terraform plan' and 'terraform apply' operations. When running a plan, Terraform first refreshes its view of the infrastructure by querying the provider APIs for every resource in the state file. It then compares the refreshed (real) state against the recorded state to find drift, and compares the refreshed state against your configuration files to decide what actions are needed. The refresh during 'terraform plan' happens in memory; the state file itself is only written by 'terraform apply'.
When drift is detected, Terraform shows the differences in its plan output. Unless the drifted attribute is listed in the resource's 'lifecycle { ignore_changes = [...] }' block, Terraform proposes to change the resource back to the desired state defined in your configuration files on the next apply.
To manage drift effectively, teams should:
- Run 'terraform plan' regularly (for example on a schedule in CI) to detect changes early; 'terraform plan -detailed-exitcode' exits with status 2 when changes or drift are present, which makes it easy to alert on
- Use 'terraform apply -refresh-only' (or 'terraform plan -refresh-only' to preview) to update the state file with the current infrastructure status; the older 'terraform refresh' command is deprecated
- Implement policies that prevent manual infrastructure modifications, such as restricting write permissions to the identity used by the Terraform pipeline and requiring break-glass changes to be recorded and reconciled afterwards
- Consider using HCP Terraform (formerly Terraform Cloud) or Terraform Enterprise for continuous drift detection
- Document procedures for handling detected drift
Understanding and managing resource drift is essential for maintaining infrastructure consistency and ensuring that Terraform remains the authoritative source for your infrastructure configuration.
Understanding Resource Drift in Terraform
What is Resource Drift?
Resource drift occurs when the actual state of your infrastructure differs from what Terraform expects based on its state file. This happens when changes are made to resources outside of Terraform's control - such as manual modifications through cloud provider consoles, CLI tools, other automation scripts, or even by other team members.
Why is Understanding Resource Drift Important?
Understanding resource drift is crucial for several reasons:
• Infrastructure Consistency: Drift can lead to unexpected behavior in your applications when the actual infrastructure doesn't match your Terraform configuration.
• Security Risks: Unauthorized or untracked changes might introduce security weaknesses that go unnoticed, for example a security group rule opened to the internet or an IAM policy widened during an incident and never reverted.
• Compliance Issues: Organizations with strict compliance requirements need to ensure infrastructure matches approved configurations.
• Operational Reliability: Drift can cause Terraform plans to produce unexpected results, potentially leading to service disruptions.
How Resource Drift Works
Terraform maintains a state file that records the last known state of your managed infrastructure. When drift occurs:
1. External Change: Someone or something modifies a resource outside of Terraform
2. State Mismatch: The Terraform state file still reflects the old configuration
3. Detection: During the next terraform plan or terraform apply, Terraform queries the real infrastructure and compares it to the state
4. Drift Identified: Terraform detects differences between actual and expected state
Detecting Resource Drift
Terraform provides several ways to detect drift:
• terraform plan: Shows differences between your configuration, state, and actual infrastructure (drift is reported separately from planned changes in the output)
• terraform plan -refresh-only: Shows only the drift, that is, what would change in the state file to match real infrastructure, without proposing changes to the infrastructure
• terraform refresh: Updates the state file to match real infrastructure (deprecated in favor of terraform apply -refresh-only)
• terraform apply -refresh-only: The recommended approach to update state to match actual infrastructure
Handling Resource Drift
When drift is detected, you have several options:
• Accept the drift: Use terraform apply -refresh-only to update the state file to match actual infrastructure. Note that this only changes state; if your configuration still describes the old value, the next ordinary terraform apply will propose reverting the resource, so accepting drift usually also means updating the configuration.
• Revert the drift: Run terraform apply to modify the actual infrastructure back to match your configuration
• Update configuration: Modify your Terraform configuration to reflect the desired new state, then apply
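The detection and handling steps above (and the management practices listed in the first part of this page) are usually wired into a scheduled job: run a refresh-only plan, act on the exit code, and inspect the JSON plan to decide which drift is safe to accept into state and which needs a human. The following script is an added example, not code from the original page or from HashiCorp. It assumes the plan has been written with terraform plan -refresh-only -detailed-exitcode -out=drift.tfplan and converted with terraform show -json drift.tfplan; the list of security-sensitive resource types and the embedded sample plan are constructed for illustration.

```python
"""Triage resource drift from Terraform's JSON plan output.

Added example, not code from the original page or from HashiCorp. Assumed workflow:

    terraform plan -refresh-only -detailed-exitcode -out=drift.tfplan
    terraform show -json drift.tfplan > drift.json
    python triage_drift.py drift.json

With -detailed-exitcode, `terraform plan` exits 0 when nothing changed, 1 on
error and 2 when there are changes (in -refresh-only mode that means drift).
The JSON plan lists drift under "resource_drift" (prior state vs. refreshed
real state) separately from "resource_changes" (refreshed state vs. config).
"""
import json
import sys

# Resource types whose drift should be reviewed, not silently refreshed into
# state. Hypothetical list for illustration; extend it for your providers.
SECURITY_SENSITIVE_TYPES = {
    "aws_security_group", "aws_security_group_rule", "aws_iam_policy",
    "aws_iam_role_policy", "aws_s3_bucket_public_access_block",
    "google_compute_firewall", "azurerm_network_security_rule",
}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}
PLAN_EXIT_CODES = {0: "no-drift", 1: "error", 2: "drift"}

# Constructed sample of `terraform show -json` output with two drifted resources:
# a security group that gained an SSH rule open to the world, and an
# auto-scaling group whose desired capacity was changed by a scaling event.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_drift": [
        {"address": "aws_security_group.web", "mode": "managed",
         "type": "aws_security_group", "name": "web",
         "change": {"actions": ["update"],
                    "before": {"id": "sg-0123", "ingress": [
                        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]},
                    "after": {"id": "sg-0123", "ingress": [
                        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
                        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_autoscaling_group.app", "mode": "managed",
         "type": "aws_autoscaling_group", "name": "app",
         "change": {"actions": ["update"],
                    "before": {"desired_capacity": 2}, "after": {"desired_capacity": 4}}},
    ],
    "resource_changes": [],
}


def interpret_plan_exit(rc):
    """Label the exit status of `terraform plan -detailed-exitcode`."""
    return PLAN_EXIT_CODES.get(rc, "unknown")


def world_open_ingress(attrs):
    """Ingress rules (aws_security_group attribute shape) that admit any source."""
    rules = attrs.get("ingress") or []
    return [r for r in rules
            if ANY_SOURCE & (set(r.get("cidr_blocks") or []) | set(r.get("ipv6_cidr_blocks") or []))]


def drifted_resources(plan):
    """Summarise each "resource_drift" entry: which attributes changed out of band."""
    out = []
    for entry in plan.get("resource_drift", []):
        change = entry["change"]
        before = change.get("before") or {}
        after = change.get("after") or {}  # None when the resource was deleted outside Terraform
        changed = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
        new_open = [r for r in world_open_ingress(after) if r not in (before.get("ingress") or [])]
        out.append({
            "address": entry["address"],
            "type": entry["type"],
            "actions": change["actions"],
            "changed_attributes": changed,
            "security_sensitive": entry["type"] in SECURITY_SENSITIVE_TYPES,
            "new_world_open_ingress": new_open,
        })
    return out


def triage(plan):
    """Split drift into entries to review by hand and entries that are safe to
    accept into state with `terraform apply -refresh-only`."""
    drift = drifted_resources(plan)
    review = [d for d in drift if d["security_sensitive"] or d["new_world_open_ingress"]]
    accept = [d for d in drift if d not in review]
    return review, accept


def main(path=None):
    """Print a triage report; exit 2 when anything needs review so CI can alert."""
    if path:
        with open(path) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    review, accept = triage(plan)
    for d in review:
        print(f"REVIEW  {d['address']} {d['actions']} changed={d['changed_attributes']}")
        for r in d["new_world_open_ingress"]:
            print(f"        opened to any source: {r['protocol']}/{r['from_port']}-{r['to_port']}")
    for d in accept:
        print(f"ACCEPT  {d['address']} {d['actions']} changed={d['changed_attributes']}")
    return 2 if review else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run without arguments to see the report for the embedded sample: the security group lands in REVIEW because it is both a sensitive type and gained an any-source rule, while the auto-scaling group lands in ACCEPT, the kind of drift that is normally refreshed into state (or excluded with ignore_changes on desired_capacity). The split matters because terraform apply -refresh-only is a blanket acceptance of everything in resource_drift; running the triage first keeps a widened firewall rule from being quietly recorded as the new baseline.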
Exam Tips: Answering Questions on Understanding Resource Drift
• Remember the definition: Drift is when real infrastructure differs from Terraform state - this is a fundamental concept that appears frequently.
• Know the detection commands: Be familiar with terraform plan for detecting drift and terraform apply -refresh-only as the modern replacement for terraform refresh.
• Understand refresh behavior: The refresh operation reads from actual infrastructure and updates the state file - it does not modify your configuration files.
• Causes of drift: Questions may ask what causes drift - manual changes, other tools, or API calls outside Terraform are common answers.
• State file importance: Recognize that the state file is Terraform's source of truth for tracking managed resources.
• Drift resolution options: Know that you can either update state to match reality OR update reality to match your desired configuration.
• Watch for scenario questions: Exam questions often present scenarios where someone made a manual change and ask what Terraform will do on the next plan or apply.
• Default behavior: By default, terraform plan and terraform apply perform a refresh operation before comparing state to configuration; passing -refresh=false skips it, which speeds up large plans but means drift will not be noticed.