Drift Detection
Drift detection runs do NOT count toward billing.
Overview
Terraform and OpenTofu drift occurs when the actual state of your infrastructure differs from the state defined in your configuration files. It is caused by changes made to resources outside of the standard Terraform workflow, such as a manual edit in a cloud provider's console. These out-of-band changes cause the Terraform state file to become an inaccurate representation of your infrastructure.
Configuration
In Scalr, drift detection can be enabled per environment. If enabled in an environment, all workspaces in the environment will have the detection schedule applied.
To enable it, go to the environment management settings, click on drift detection, and apply the schedule:
If desired, drift can be applied to specific workspaces by matching:
- Workspace tags
- Workspace environment types
- A workspace name pattern
Once enabled, the drift detector will execute based on the schedule. If drift is detected, workspace owners will see the drifted run in the drift detection tab. A drift detection run that has found drift and is waiting on your decision (sync state or revert infrastructure) does not block the run queue.
Drift detection will execute for a workspace when the following conditions are met:
- The workspace has active state.
- The workspace has not been applied during the configured period: for a daily schedule, in the last 24 hours; for a weekly schedule, in the last 7 days.
Run Modes
Drift can be executed in two run modes:
- Refresh-Only: This run mode will see all detected changes, including ignore_changes.
- Plan: This run mode will see detected changes, but will not show drifted resources that have the ignore_changes attribute set.
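The difference between the two run modes can be seen in Terraform's JSON plan output. The following is an added example, not Scalr's code: it assumes the `resource_drift` and `resource_changes` fields of `terraform show -json`, and the sample plans, resource addresses and simplified attribute names are constructed.

```python
# Constructed samples shaped like `terraform show -json <planfile>` output (trimmed,
# attribute names simplified for illustration).
REFRESH_ONLY = {  # plan produced in refresh-only mode
    "resource_drift": [
        {"address": "aws_security_group.web",
         "change": {"actions": ["update"],
                    "before": {"description": "web", "ingress_cidr": "10.0.0.0/8"},
                    "after": {"description": "web", "ingress_cidr": "0.0.0.0/0"}}},
        {"address": "aws_instance.app",  # config sets ignore_changes = [tags]
         "change": {"actions": ["update"],
                    "before": {"instance_type": "t3.small", "tags": {"owner": "ops"}},
                    "after": {"instance_type": "t3.small", "tags": {"owner": "temp"}}}},
    ],
    "resource_changes": [],
}
NORMAL_PLAN = {  # plan produced in plan mode for the same workspace
    "resource_changes": [
        {"address": "aws_security_group.web", "change": {"actions": ["update"]}},
        {"address": "aws_instance.app", "change": {"actions": ["no-op"]}},
    ],
}

def drifted_attributes(plan):
    """Map each drifted resource address to the attributes changed out of band."""
    result = {}
    for rc in plan.get("resource_drift", []):
        before = rc["change"].get("before") or {}  # None when the resource was created
        after = rc["change"].get("after") or {}    # None when the resource was deleted
        result[rc["address"]] = sorted(
            k for k in before.keys() | after.keys() if before.get(k) != after.get(k))
    return result

def planned_addresses(plan):
    """Addresses for which a normal plan proposes an action."""
    return {rc["address"] for rc in plan.get("resource_changes", [])
            if rc["change"]["actions"] != ["no-op"]}

def hidden_in_plan_mode(refresh_only, normal_plan):
    """Drift reported by a refresh-only run that a plan run does not surface."""
    return sorted(set(drifted_attributes(refresh_only)) - planned_addresses(normal_plan))

if __name__ == "__main__":
    for addr, attrs in drifted_attributes(REFRESH_ONLY).items():
        print(f"drift: {addr} changed {attrs}")
    print("not shown in plan mode:", hidden_in_plan_mode(REFRESH_ONLY, NORMAL_PLAN))
```

Attributes listed under ignore_changes can still change out of band, so a periodic refresh-only check is the mode that surfaces them for review.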
Drift Remediation
When reviewing drift within a workspace, a user will have three options to remediate the drift:
- Ignore: Changes found by the drift detector are declined, and no further actions are performed. Users can choose to resolve the drift manually.
- Sync State: Changes found by the drift detector will be written to a state file. After clicking "Sync State", a refresh-only run will be triggered to synchronize the state. The runs:create permission is required.
- Revert Infrastructure: Changes found by the drift detector will be declined. After clicking "Revert Infra", a plan & apply run will be triggered to roll back infrastructure to the previous state. The runs:create permission is required.
Runs executed to sync state or revert infrastructure will count towards billing.
Drift Notifications
You can integrate Scalr with Slack to receive real-time notifications upon the detection of infrastructure drift. By directing these alerts to a specific Slack channel, you ensure the appropriate team members are promptly informed. See more on configuring this here.
Once it is configured, the notifications will appear in Slack and then the actions can also be taken directly from there:
Other tools, such as MS Teams, will have drift detection added soon.
Drift Reporting
Drift reports can be seen within the environment scope reports. The drift detection report shows when drift was last checked, the next scheduled drift check, and the current status. Users can then take action on the drift directly from the report.
Limitations
Workspaces using the Terragrunt run-all option are not currently supported.
