driftctl is a new tool, recently released, that reports on drift of your terraform code in AWS.
Running a scan will output all objects created in a region that are not part of your terraform code. We’ve been using it to find drift of terraform code and to catch rogue manual objects being created.
So far I’m really liking it and expect more functionality to be added as it evolves. It is definitely worth checking out if you want to add more testing around your IaC.
Install
Currently there are no package-management options, but you can install it via:
curl -L https://github.com/cloudskiff/driftctl/releases/latest/download/driftctl_linux_amd64 -o driftctl
chmod +x driftctl
sudo mv driftctl /usr/local/bin/
Compare against S3 state using an AWS named profile
Run a driftctl scan against ALL tfstate files in an S3 bucket:
AWS_PROFILE=eng driftctl scan \
--from tfstate+s3://<S3 Bucket>/
Run a scan against specific tagged resources
You may want to check for drift against deployed IaC which is tagged. The below will only show drift for objects with a tag key of TerraformWorkspace and a value of core:
AWS_PROFILE=<Profile Name> driftctl scan --from tfstate+s3://<S3 Bucket>/core/terraform.tfstate --filter "Attr.Tags.TerraformWorkspace == 'core'"
Ignore objects
There are going to be objects created outside of terraform that you want to ignore, things like your tfstate S3 bucket and DynamoDB lock table, or objects created via the Serverless Framework or SAM, which overlay onto CloudFormation.
Create a file in the location you are running the scan from named .driftignore. The format is like:
## terraform state management
aws_s3_bucket.engineering-statefile
aws_dynamodb_table.engineering-locks
## ignore ami created via packer
aws_ami:*
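As an added example (not part of the original post and not driftctl's own code), the script below shows how the ignore list above can be applied in CI to a driftctl report so that only unexpected unmanaged objects fail the build. It assumes driftctl was run with a JSON output target (`-o json://report.json`) and that the report contains an `unmanaged` array of `{"id", "type"}` objects; both the flag and the field names are assumptions to check against the version you run. The report and .driftignore content embedded in the script are constructed for the example, and the `type:id` handling is the script's own choice so that the post's `aws_ami:*` line matches.

```python
"""Gate a CI job on a driftctl JSON report after applying .driftignore rules.

Added example, not part of driftctl or the original post. Assumptions:
  * driftctl was run with `-o json://report.json` (assumed flag) and the report
    has the shape {"summary": {...}, "unmanaged": [{"id": ..., "type": ...}], ...}
    (assumed field names; check against the version you run).
  * .driftignore lines are `type.id` globs; a `type:id` line is treated the same.
"""
import fnmatch
import json

# Constructed report in the assumed driftctl JSON shape: two genuinely unmanaged
# resources plus the state-backend objects and a Packer AMI we want to ignore.
SAMPLE_REPORT = json.dumps({
    "summary": {"total_resources": 6, "total_unmanaged": 5, "total_managed": 1},
    "managed": [{"id": "vpc-0a1b2c", "type": "aws_vpc"}],
    "unmanaged": [
        {"id": "engineering-statefile", "type": "aws_s3_bucket"},
        {"id": "engineering-locks", "type": "aws_dynamodb_table"},
        {"id": "ami-0123456789abcdef0", "type": "aws_ami"},
        {"id": "sg-0deadbeef", "type": "aws_security_group"},
        {"id": "click-ops-admin", "type": "aws_iam_user"},
    ],
})

# Constructed .driftignore using the same entries as the post.
SAMPLE_DRIFTIGNORE = """\
## terraform state management
aws_s3_bucket.engineering-statefile
aws_dynamodb_table.engineering-locks
## ignore ami created via packer
aws_ami:*
"""


def parse_driftignore(text: str) -> list[str]:
    """Return the glob patterns from .driftignore content, skipping comments and blanks.

    A `type:id` line is normalised to `type.id` (assumption, so that aws_ami:* works).
    A colon that appears after the first dot is left alone, because some resource
    ids (ARNs) legitimately contain colons.
    """
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" in line and "." not in line.split(":")[0]:
            line = line.replace(":", ".", 1)
        patterns.append(line)
    return patterns


def is_ignored(resource: dict, patterns: list[str]) -> bool:
    """True when `type.id` of the resource matches any ignore glob."""
    key = f"{resource['type']}.{resource['id']}"
    return any(fnmatch.fnmatchcase(key, p) for p in patterns)


def unmanaged_after_ignore(report_json: str, driftignore_text: str) -> list[str]:
    """Return `type.id` keys of unmanaged resources not covered by .driftignore."""
    report = json.loads(report_json)
    patterns = parse_driftignore(driftignore_text)
    return [
        f"{r['type']}.{r['id']}"
        for r in report.get("unmanaged", [])
        if not is_ignored(r, patterns)
    ]


def gate(report_json: str, driftignore_text: str) -> int:
    """Exit status for CI: 0 when nothing unexpected is unmanaged, 1 otherwise."""
    leftovers = unmanaged_after_ignore(report_json, driftignore_text)
    for key in leftovers:
        print(f"UNMANAGED: {key}")
    return 1 if leftovers else 0


if __name__ == "__main__":
    # Real use would read the files driftctl and you wrote:
    #   gate(open("report.json").read(), open(".driftignore").read())
    raise SystemExit(gate(SAMPLE_REPORT, SAMPLE_DRIFTIGNORE))
```

With the constructed input the state bucket, lock table and AMI are filtered out and the script exits 1 because of the leftover security group and IAM user, which is the kind of click-ops object the post is hunting for. Keeping the ignore list in version control alongside the terraform code means an exception has to be reviewed like any other change rather than silently widening the scan.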