I've recently taken over a large AWS setup where Terraform is heavily utilized. The problem is, there have been manual changes and CI/CD pipelines continually making updates that aren't tracked in Terraform, leading to significant drift in the infrastructure. I'm looking for effective strategies to address and resolve this Terraform drift, especially on a large scale. Any advice would be greatly appreciated!
3 Answers
One quick way to prevent further drift is to restrict user access to the AWS console and control plane APIs. This will help keep things in check moving forward. But first, you’ll need to address the existing drift!
We’ve been using Spacelift for drift detection. It’s a pretty handy tool! Just remember to only allow read access to the resources so you can reduce drift risks.
Have you checked out driftctl by Trivy? It doesn’t capture all resources, but it's a solid starting point. Also, if your Terraform resources aren’t tagged, consider adding a global tag to help manage what’s out there better.
Thanks for the tip! I'll definitely look into that.

That’s a great point! I just need to know the best approach to actually fix the drift that’s already there.
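A worked drift-triage step to go with the answers above, added here as an example (not code from the original post, Spacelift, driftctl or Terraform): after `terraform plan -refresh-only -out=plan.out` and `terraform show -json plan.out`, it reads the plan JSON, lists every resource whose live state differs from the state file, which attributes moved, and which resources lack the global tag the third answer suggests. The `ManagedBy` tag name and the sample plan (with simplified attribute names) are constructed for the example.

```python
"""Summarize Terraform drift from `terraform show -json` output (added example)."""
import json

REQUIRED_TAG = "ManagedBy"  # constructed: the global tag used to find untracked resources


def diff_keys(before, after):
    """Attribute names whose value differs between the two state snapshots."""
    before, after = before or {}, after or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def summarize_drift(plan_json):
    """Return {address: {"attrs": [...], "actions": [...], "untagged": bool}}.

    `resource_drift` holds changes Terraform noticed during refresh (made outside
    Terraform); `resource_changes` holds what the plan would do. Both count as drift
    unless the planned action is a no-op.
    """
    plan = json.loads(plan_json) if isinstance(plan_json, str) else plan_json
    report = {}
    for item in plan.get("resource_drift", []):
        change = item["change"]
        live_tags = (change.get("after") or {}).get("tags") or {}  # "after" = live cloud state
        report[item["address"]] = {
            "attrs": diff_keys(change.get("before"), change.get("after")),
            "actions": list(change.get("actions", [])),
            "untagged": REQUIRED_TAG not in live_tags,
        }
    for item in plan.get("resource_changes", []):
        actions = item["change"].get("actions", [])
        if actions == ["no-op"]:
            continue
        live = item["change"].get("before") or {}  # "before" = refreshed (live) state
        entry = report.setdefault(item["address"], {"attrs": [], "actions": [],
                                  "untagged": REQUIRED_TAG not in (live.get("tags") or {})})
        entry["actions"] = sorted(set(entry["actions"]) | set(actions))
    return report


# Constructed sample: a security group edited in the console and an IAM role deleted by a pipeline.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_drift": [
        {"address": "aws_security_group.web", "change": {"actions": ["update"],
         "before": {"ingress_cidr": "10.0.0.0/8", "tags": {"ManagedBy": "terraform"}},
         "after": {"ingress_cidr": "0.0.0.0/0", "tags": {"ManagedBy": "terraform"}}}},
        {"address": "aws_iam_role.ci", "change": {"actions": ["delete"],
         "before": {"name": "ci"}, "after": None}},
    ],
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "change": {"actions": ["no-op"], "before": {}, "after": {}}},
        {"address": "aws_iam_role.ci", "change": {"actions": ["create"], "before": None, "after": {"name": "ci"}}},
    ],
})

if __name__ == "__main__":
    for address, info in summarize_drift(SAMPLE_PLAN).items():
        print(address, info)
```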