A drift is a configuration state where a resource's actual configuration differs from its expected configuration. Drifts usually occur when resources that are managed using IaC, like Terraform or CloudFormation, are modified manually using CLI or Console.
Supported frameworks: Terraform.
Supported cloud providers: AWS, Microsoft Azure, Google Cloud.
State file access is not required
Bridgecrew drift detection is built to be non-pervasive and does not require any access to Terraform state files.
How it works
- Bridgecrew determines whether a resource has drifted by evaluating recently captured configuration snapshots with the recent captured resource blocks from source code. It then compares those expected values with the actual values of those resource properties as they currently exist. A resource would then be considered to have drifted if one or more of its properties have been deleted, or had their value changed.
Detecting drifts in Terraform
Yorin your IaC CI/CD pipelines to enable tracing for all deployed resources. Yor can be deployed as a GitHub action or a standalone CI runner. For more details, click here.
- Ensure your cloud accounts are connected.
- Ensure your code repositories are connected.
Drift detection is initiated on every periodic scan. You can manually trigger a scan using the Scan API.
To review newly detected drifts go to Projects and filter-in the Drift category. Drifting resources blocks will appear in the central pane. The split code view will demonstrate the differences between the Terrraform source code and the deployed resource information.
Clicking the resource name and the underlying cloud resource ID in the notification banner will toggle between resource explorer views on the right pane.
Drifts can be resolved in 2 ways:
- Reverting the current cloud settings to the original resource definition in code. This outcome can be easily achieved using Terraform's native apply command. When you
terraform apply, Terraform will deploy the current configuration setting and revert whatever manual modifications that have been introduced. In this case we recommend suppressing the open errors in Bridgecrew Projects console.
- Creating a pull request to align any newly added cloud configurations to the resource's definition in code. When you click FIX DRIFT in Bridgecrew a new pull request will be opened in your select repository and will contain additions/modifications to your resource blocks. We recommend testing the results of this addition using a lower environment (QA/Stage) to ensure these changes do not interfere with any functional aspects of your stack.
Updated almost 2 years ago