Drift detection

Terracotta AI helps you identify and resolve infrastructure drift by comparing your Terraform plan with the actual state of your cloud environment. When credentials are configured, Terracotta runs a full terraform init and terraform plan to detect any discrepancies between the desired and actual infrastructure.


🔍 How Drift Detection Works

  1. A PR is opened on a repo with credentials configured.
  2. Terracotta clones the repo and runs:
     • terraform init
     • terraform plan
  3. The AI assistant analyzes the plan output.
  4. It identifies any drift caused by manual changes made outside of Terraform.
  5. A structured review comment is posted summarizing the drift, risks, and suggestions.

Drift detection is only available when Terracotta has permission to run init and plan for the repo. If no credentials are provided, drift checks are skipped.


🧠 Example Drift Scenarios Detected

  • A resource (e.g. aws_instance.web) was deleted manually in the cloud provider console. Terraform will attempt to re-create it.
  • A configuration value (e.g. associate_public_ip_address) was changed outside Terraform, causing unintended behavior.
  • A new resource (e.g. aws_instance.web2) is being added, while a related one is recreated, triggering a public exposure warning.
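The three scenarios above can be read straight off the plan JSON that `terraform show -json <planfile>` emits: `resource_drift` lists what refresh found changed outside Terraform, and `resource_changes` lists what the plan will do about it. The analyzer below is an added example, not Terracotta's own code; it assumes that JSON layout and uses a constructed sample plan in which aws_instance.web's public-IP flag was flipped in the console, the plan replaces it, web2 is new, and a security group opens SSH to the world.

```python
import json

# Constructed sample in the layout of `terraform show -json <planfile>`: refresh found
# aws_instance.web's public-IP flag flipped in the console (resource_drift); the plan
# replaces it to restore the code's value, adds web2, and opens SSH to the world.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_drift": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["update"], "before": {"associate_public_ip_address": True},
                    "after": {"associate_public_ip_address": False}}}],
    "resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["delete", "create"], "before": {"associate_public_ip_address": False},
                    "after": {"associate_public_ip_address": True}}},
        {"address": "aws_instance.web2", "type": "aws_instance",
         "change": {"actions": ["create"], "before": None,
                    "after": {"associate_public_ip_address": True}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"], "before": {"ingress": []},
                    "after": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                           "cidr_blocks": ["0.0.0.0/0"]}]}}}],
})

def changed_keys(before, after):
    """Top-level attributes whose value differs between two plan snapshots."""
    before, after = before or {}, after or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))

def analyze_plan(plan_json):
    """Return (severity, address, message) findings from a plan JSON string."""
    plan = json.loads(plan_json)
    findings = []
    for d in plan.get("resource_drift", []):  # what refresh saw change outside Terraform
        chg = d["change"]
        msg = ("deleted outside Terraform" if chg["actions"] == ["delete"] else
               "changed outside Terraform: " + ", ".join(changed_keys(chg["before"], chg["after"])))
        findings.append(("high", d["address"], msg))
    for rc in plan.get("resource_changes", []):  # what the plan will do about it
        addr, chg = rc["address"], rc["change"]
        after = chg.get("after") or {}
        if chg["actions"] in (["create"], ["delete", "create"]):
            findings.append(("medium", addr, "will be (re-)created; review before merge"))
        if rc["type"] == "aws_instance" and after.get("associate_public_ip_address"):
            findings.append(("medium", addr, "gets a public IP; verify its security group rules"))
        for rule in after.get("ingress", []) if rc["type"] == "aws_security_group" else []:
            if "0.0.0.0/0" in rule.get("cidr_blocks", []):
                findings.append(("high", addr, f"port {rule['from_port']} open to 0.0.0.0/0"))
    return findings
```

Calling analyze_plan(SAMPLE_PLAN) yields six findings: the console change on web, the replacement and public IP for web and web2, and the world-open port 22 rule.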

✅ AI Review Comment Includes

  • Clear identification of drifted resources
  • Severity rating for each risk
  • Suggestions for:
    • Re-creating or removing the resource
    • Aligning attributes across resources
    • Verifying security group rules for exposed resources
  • Terraform code examples showing fixes
  • A TL;DR summary with merge-readiness guidance


🛠️ Fix Options

Option 1 – Accept Drift and Reconcile with Code

  • Explicitly set attributes to align behavior (e.g., public IPs)
  • Use lifecycle.ignore_changes if appropriate
  • Update security groups to scope access

Option 2 – Remove Resource from Code if Deletion Was Intentional

  • Use terraform state rm to remove the deleted resource from the state
  • Prevent Terraform from trying to re-create it unnecessarily

🔐 Security Implications

When resources like EC2 instances gain public IPs or are recreated without reviewed security groups:

  • Terracotta highlights potential public exposure risks
  • It flags overly permissive ingress rules (e.g. SSH from 0.0.0.0/0)

💰 Billing Impact Summary

The drift comment also includes a billing estimate table:

| Component           | Current Estimate | Proposed Estimate | Notes                                 |
| ------------------- | ---------------- | ----------------- | ------------------------------------- |
| EC2 Instance (web)  | ~$8–$9/month     | ~$8–$9/month      | Being re-created due to drift         |
| EC2 Instance (web2) | Not present      | ~$8–$9/month      | Newly added; verify exposure          |
| Security Groups     | No charge        | No charge         | AWS does not bill for security groups |

📋 Summary

Terracotta Drift Detection gives teams:

  • Early visibility into infrastructure inconsistencies
  • Actionable, context-rich recommendations
  • Clear diffs and Terraform suggestions to resolve drift
  • Integrated security and cost insight

All drift detection feedback is tailored to your specific plan output and current cloud state. Terracotta helps you restore alignment and prevent surprises in production.