100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
DevOps

Infrastructure Drift

IntermediateConcept1.4K learners

Infrastructure drift occurs when the actual, live state of cloud or infrastructure resources diverges from the state defined in Infrastructure as Code (IaC) configuration — typically because of manual changes made outside the IaC workflow…

Definition

Infrastructure drift occurs when the actual, live state of cloud or infrastructure resources diverges from the state defined in Infrastructure as Code (IaC) configuration — typically because of manual changes made outside the IaC workflow — leaving the codebase an inaccurate representation of what's actually running.

Overview

Infrastructure as Code tools like Terraform, Pulumi, and CloudFormation work on the premise that a declarative configuration file is the single source of truth for infrastructure state, and that applying that configuration is the only way changes should happen. Drift breaks that premise: it happens whenever someone (or some automated process) modifies a resource directly — clicking a change in the cloud console during an incident, running an imperative CLI command to quickly fix something, or another automation tool touching the same resources — without updating the IaC configuration to match. Over time, drift accumulates silently, and the codebase increasingly diverges from reality. Drift is dangerous for several reasons. It undermines the core value proposition of IaC — reproducibility and auditability — because the code no longer accurately describes what's deployed. It creates surprises during the next `terraform apply` or equivalent: the tool detects the live state doesn't match its records and may attempt to 'correct' the drift by reverting the manual change, potentially undoing an intentional emergency fix, or in worse cases, destroying and recreating a resource that had been manually altered in an incompatible way. It also erodes trust in the IaC pipeline, since manual changes made outside of it aren't reviewed, tested, or recorded in version control, making root-cause analysis during incidents harder. Detecting and managing drift is now a standard part of infrastructure operations tooling: Terraform's `plan` command surfaces drift by comparing live state against the state file before any apply; drift-detection services (like AWS Config or dedicated third-party tools) continuously monitor resources and alert when live configuration deviates from expected baselines; and organizational policy typically mandates that all infrastructure changes go through the IaC pipeline, with console/CLI access to production restricted or audited specifically to prevent drift from being introduced in the first place. Remediation options when drift is found include importing the manual change back into IaC configuration (codifying it as the new desired state) or reverting the live resource back to match the code, depending on whether the manual change was intentional and should be preserved.

Key Concepts

  • Divergence between IaC-declared configuration and the actual live state of resources
  • Typically caused by manual console/CLI changes made outside the IaC workflow
  • Detected by comparing live resource state against the IaC state file (e.g. `terraform plan`)
  • Risks unintended reversion or destructive recreation of manually-modified resources
  • Erodes reproducibility, auditability, and trust in the infrastructure codebase
  • Mitigated by drift-detection tooling (AWS Config, Terraform Cloud drift detection, etc.)
  • Organizational policy typically restricts direct production console/CLI access to prevent drift
  • Remediated either by codifying the manual change into IaC or reverting the resource to match code

Use Cases

Auditing production infrastructure to confirm it matches version-controlled IaC configuration
Investigating unexpected `terraform plan` output showing unplanned resource changes
Setting up continuous drift-detection alerts for compliance-sensitive environments
Reconciling emergency manual fixes made during an incident back into IaC after the fact
Enforcing policy that restricts direct console access to reduce drift risk
Root-causing incidents where live behavior didn't match what the codebase suggested

Frequently Asked Questions

From the Blog