Cloud configuration is constantly changing. To make that constant state of change more manageable and predictable, infrastructure as code (IaC) frameworks like Terraform and CloudFormation have risen to the challenge. Among other things, IaC keeps the need for manual configuration changes to a minimum. But as we all know, configuration changes that happen outside of your IaC provisioning lifecycle are inevitable.
Those changes, known as cloud drift, can occur from simple miscommunication between teams or “break glass” SREmergencies that prompt ad hoc modification of your cloud environment via your cloud console or CLI.
Terraform drift detection
By design, HashiCorp Terraform compares your configuration against the real-world state of the resources it manages as part of its standard provisioning process, updating the state file to reflect that status and thereby minimizing configuration drift. It cannot, however, detect drift in resources that are managed outside of Terraform. And because that comparison only happens when Terraform runs, if no refresh, plan, or apply is executed after manual configuration changes have been introduced, drift may go undetected.
Let’s say you opened a port to the internet to troubleshoot DNS issues using your cloud console or CLI and never reverted it. That drift could become an opportunity for adversaries attempting to infiltrate an exposed cloud asset.
To help detect and reconcile discrepancies between your infrastructure’s real-world state and the state defined in your configuration, Bridgecrew now supports drift detection for Terraform Cloud and AWS.
How it works
Drift detection with Bridgecrew leverages our Terraform Cloud integration, which was built to scan Terraform plan output for misconfigurations. With the Terraform Cloud integration and a connected AWS account, Bridgecrew will automatically and continuously compare your runtime configuration states with your predetermined Terraform state files for drift.
If a drift from your Terraform plan output occurs, Bridgecrew surfaces it as an Insight alongside IAM Insights and infrastructure Errors within your Incidents tab. Selecting the affected resource, you’ll see the drifted IaaS configuration on the right and the predefined state configuration on the left.
With this real-time information in hand, you can quickly determine whether a drift presents risk and should be reverted in AWS or if you should instead migrate it into your IaC configuration.
Note: Drifts are only detected when alterations to existing resource attributes are made, not when new resources are created or destroyed out-of-band.
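To make the comparison described above concrete, here is an added example (not Bridgecrew's or HashiCorp's code) that diffs a Terraform state file against a runtime view of the same resources and reports attribute-level drift. Both inputs are constructed in-line: a minimal Terraform state in the version 4 JSON layout, and a dictionary standing in for what a cloud describe API would return. The scenario mirrors the port-opened-for-troubleshooting case: the SSH rule's CIDR has been widened out-of-band. Resources present on only one side are reported separately rather than as drift, reflecting the note above that create/destroy out-of-band is a different class of change.

```python
"""Attribute-level drift check between a Terraform state file and live cloud attributes.

Added example, not Bridgecrew's or HashiCorp's code. All inputs are constructed here
so the script runs offline; resource ids and names are placeholders.
"""
import json

# Constructed Terraform state (version 4 layout): a security group whose SSH rule is
# limited to an internal range, and an S3 bucket with versioning enabled.
TF_STATE_JSON = """
{
  "version": 4,
  "resources": [
    {
      "mode": "managed",
      "type": "aws_security_group",
      "name": "web",
      "instances": [
        {"attributes": {
          "id": "sg-0000example",
          "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                       "cidr_blocks": ["10.0.0.0/8"]}]
        }}
      ]
    },
    {
      "mode": "managed",
      "type": "aws_s3_bucket",
      "name": "logs",
      "instances": [
        {"attributes": {"id": "example-logs-bucket", "versioning": [{"enabled": true}]}}
      ]
    }
  ]
}
"""

# Constructed runtime view keyed by resource id, as a describe call might return it:
# the SSH rule has been opened to the internet out-of-band, and a bucket exists that
# Terraform never created.
LIVE = {
    "sg-0000example": {
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]}]
    },
    "example-logs-bucket": {"versioning": [{"enabled": True}]},
    "scratch-bucket": {"versioning": [{"enabled": False}]},
}


def state_attributes(state_json):
    """Flatten a Terraform state document into {resource_id: (address, attributes)}."""
    state = json.loads(state_json)
    managed = {}
    for res in state.get("resources", []):
        if res.get("mode") != "managed":
            continue  # data sources are read-only views and cannot drift
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            attrs = inst["attributes"]
            managed[attrs["id"]] = (address, attrs)
    return managed


def _diff(expected, actual, path=""):
    """Recursively compare nested attributes; yield (path, expected, actual) per mismatch."""
    if isinstance(expected, dict) and isinstance(actual, dict):
        for key in sorted(set(expected) | set(actual)):
            yield from _diff(expected.get(key), actual.get(key),
                             f"{path}.{key}" if path else key)
    elif (isinstance(expected, list) and isinstance(actual, list)
          and len(expected) == len(actual)):
        for i, (e, a) in enumerate(zip(expected, actual)):
            yield from _diff(e, a, f"{path}[{i}]")
    elif expected != actual:
        yield (path, expected, actual)


def detect_drift(state_json, live):
    """Return {"drift": [...], "unmanaged": [...], "missing": [...]}.

    'drift' lists changed attributes on managed resources; 'unmanaged' lists live
    resources absent from state; 'missing' lists state resources absent from the
    live view. Only the first category is attribute drift in the sense used above.
    """
    managed = state_attributes(state_json)
    report = {"drift": [], "unmanaged": sorted(set(live) - set(managed)), "missing": []}
    for rid, (address, attrs) in managed.items():
        if rid not in live:
            report["missing"].append(address)
            continue
        # Compare only attributes the live view reports; state carries many computed
        # fields (arn, owner id, ...) that a describe call may not echo back.
        expected = {k: attrs[k] for k in live[rid] if k in attrs}
        for path, want, got in _diff(expected, live[rid]):
            report["drift"].append(
                {"resource": address, "attribute": path, "state": want, "live": got})
    return report


if __name__ == "__main__":
    print(json.dumps(detect_drift(TF_STATE_JSON, LIVE), indent=2))
```

Run it and the report shows one drift entry, `aws_security_group.web` at `ingress[0].cidr_blocks[0]` changing from `10.0.0.0/8` to `0.0.0.0/0`, plus `scratch-bucket` under `unmanaged`. That single entry is the kind of change worth an alert: reverting it in AWS or codifying it in Terraform is the decision the Insight view is meant to support. A real implementation would replace `LIVE` with normalized describe-call output per resource type; the comparison logic does not change.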
By detecting drift between Terraform and AWS, Bridgecrew is closing another gap between runtime and build-time. Closing that gap has the potential not only to harden cloud infrastructure but also to save DevOps and infrastructure engineers time investigating and reconciling manual configuration changes.