Terraform drift intelligence: detect, attribute, score, and fix IaC drift
Project description
๐ drifty
Terraform drift intelligence โ detect what changed, who changed it, how dangerous it is, and how to fix it.
pip install drifty
The Problem
terraform plan tells you what drifted. It doesn't tell you who changed it, how dangerous the change is, or what to do about it.
Manual changes in the AWS console during incidents, auto-scaling events, and ad-hoc CLI commands silently diverge your infrastructure from your Terraform state. By the time you notice, you don't know if it was a colleague, a runbook, or a security incident.
Enterprise platforms like Spacelift and HCP Terraform Cloud detect drift on a schedule โ but they're full IaC platforms that are heavyweight, expensive, and still offer zero attribution or severity intelligence.
drifty fills this exact gap.
Demo
$ drifty scan --workspace ./infra --attribute
๐ drifty โ Terraform Drift Intelligence
Scanning workspace: ./infra | 2026-06-05 14:00 UTC
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ 3 drifts detected - 1 Critical - 1 High - 1 Low โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
๐ด CRITICAL aws_security_group.main (sg-0abc1234)
Changed: ingress.0.cidr_blocks โ ["0.0.0.0/0"] (was: ["10.0.0.0/8"])
Who: arn:aws:iam::123456789:user/john.doe
When: 2026-06-03 14:22:11 UTC
Action: ModifySecurityGroupRules
Fix: terraform import aws_security_group.main sg-0abc1234
๐ HIGH aws_instance.api_server (i-0def5678)
Changed: instance_type โ t3.large (was: t3.medium)
Who: arn:aws:iam::123456789:role/ops-automation
When: 2026-06-02 09:15:44 UTC
Action: ModifyInstanceAttribute
Fix: terraform import aws_instance.api_server i-0def5678
๐ข LOW aws_s3_bucket.assets (assets-bucket-prod)
Changed: tags.LastModified โ "2026-06-01" (was: "2026-05-15")
Who: attribution unavailable (event outside 90-day CloudTrail window)
Fix: Add tag to Terraform config or run terraform apply to reconcile
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Run `drifty report --format markdown` to export this as a report.
Install
Requirements: Python 3.10+, Terraform 1.1+, AWS credentials configured
pip install drifty
Quick Start
# 1. Initialize config in your Terraform workspace
cd ./infra
drifty init
# 2. Scan for drift
drifty scan
# 3. Scan with CloudTrail attribution (who caused each drift)
drifty scan --attribute
# 4. Filter to critical and high only
drifty scan --severity high
# 5. Output as JSON (for CI/CD piping)
drifty scan --output json | jq '.findings[] | select(.severity=="critical")'
# 6. Export a markdown report
drifty report --format markdown --out ./drift-report.md
# 7. Send drift summary to Slack
drifty config set slack_webhook=https://hooks.slack.com/services/xxx/yyy/zzz
drifty scan --notify slack
# 8. Watch for new drift continuously (poll every 5 minutes)
drifty watch --interval 300 --threshold high --notify slack
# 9. Watch with CloudTrail attribution on every cycle
drifty watch --interval 300 --attribute --notify slack
# 10. Post drift report as a GitHub PR comment
drifty report-pr --attribute --severity high
# 11. View drift history across previous scans
drifty history
# 12. Show last 30 scans, high severity and above
drifty history --last 30 --severity high
# 13. Suppress a known/accepted drift
drifty ignore aws_instance.api_server --reason "approved by security team"
# 14. List all ignored resources
drifty ignore --list
# 15. Remove an ignore entry
drifty ignore aws_instance.api_server --remove
How It Works
drifty scan
โ
โโ 1. runs: terraform plan -refresh-only -json
โ
โโ 2. parses JSON Lines output โ extracts resource_drift entries
โ
โโ 3. scores each finding (scorer.py)
โ critical โ IAM, security groups, S3 policies
โ high โ EC2 instances, RDS, load balancers
โ medium โ Lambda, Auto Scaling, CloudWatch
โ low โ tag-only changes
โ
โโ 4. attributes each finding via CloudTrail (if --attribute)
โ boto3 โ LookupEvents by resource ID
โ returns: IAM principal, timestamp, API action
โ
โโ 5. renders output
terminal โ Rich color-coded table
json โ structured output for CI/CD
markdown โ report for Confluence / Notion
Commands
drifty scan
Options:
--workspace PATH Terraform directory (default: current dir)
--profile TEXT AWS CLI profile (default: "default")
--attribute Enable CloudTrail attribution
--severity TEXT Minimum severity: critical | high | medium | low
--output TEXT Output format: terminal | json | markdown
--notify TEXT Send results to: slack
drifty init
Initializes .drifty/config.yaml in the workspace with default settings.
drifty config set KEY=VALUE
drifty config set default_severity=high
drifty config set default_profile=prod
drifty config set slack_webhook=https://hooks.slack.com/...
drifty config set cloudtrail_lookback_days=30
drifty report
drifty report --format markdown --out ./reports/drift-$(date +%F).md
drifty report --format json
drifty scan --notify slack
Sends a Slack Block Kit message when drift is found. Requires a webhook URL configured in .drifty/config.yaml.
# One-time setup
drifty config set slack_webhook=https://hooks.slack.com/services/T.../B.../xxx
# Then just add the flag
drifty scan --notify slack
drifty scan --attribute --notify slack --severity high
The Slack message includes:
- Severity summary (๐ด Critical / ๐ High / ๐ก Medium / ๐ข Low counts)
- Per-finding blocks with changed attributes, CloudTrail attribution, and remediation hint
- Capped at 10 findings per message to stay within Slack's block limit
drifty watch
Continuously monitors your Terraform workspace for drift and alerts when new findings appear.
Options:
--workspace PATH Terraform directory (default: current dir)
--interval INT Polling interval in seconds (default: 300)
--threshold TEXT Minimum severity to trigger alert: critical | high | medium | low
--notify TEXT Notifier to use when new drift is detected: slack
--attribute Enable CloudTrail attribution on each cycle
# Poll every 5 minutes, alert on high+ drift via Slack
drifty watch --interval 300 --threshold high --notify slack --attribute
# Run locally with a fast interval for testing
drifty watch --interval 60 --threshold low
drifty watch tracks state between cycles using a finding hash stored in .drifty/state.json. It only alerts on new drift โ findings already seen in the previous cycle are suppressed to avoid repeated noise.
drifty report-pr
Scans for drift and posts a formatted report as a comment on a GitHub Pull Request.
Options:
--workspace PATH Terraform directory (default: current dir)
--profile TEXT AWS CLI profile
--attribute Enable CloudTrail attribution
--severity TEXT Minimum severity filter: critical | high | medium | low
--token TEXT GitHub token (defaults to GITHUB_TOKEN env var)
--repo TEXT Repository in owner/repo format (defaults to GITHUB_REPOSITORY env var)
--pr INT Pull request number (defaults to PR_NUMBER env var)
# In GitHub Actions (env vars set automatically)
drifty report-pr --attribute --severity high
# Locally against a specific PR
drifty report-pr --repo acme/infra --pr 42 --token ghp_xxx
Each finding renders as a collapsible <details> block with a changed attributes table, CloudTrail attribution, and a remediation hint. Add this step to your workflow:
- name: Drift Report
run: drifty report-pr --attribute --severity high
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }}
drifty history
Shows drift trends from previous scans. Findings are automatically persisted to .drifty/history.json after every drifty scan.
Options:
--workspace PATH Terraform directory (default: current dir)
--last INT Number of recent scans to show (default: 10)
--severity TEXT Minimum severity filter: critical | high | medium | low
--output TEXT terminal | json
drifty history
drifty history --last 30 --severity high
drifty history --output json
drifty ignore
Manages the ignore list for suppressing known or accepted drift. Suppressed resources still appear in scan output under a dimmed Suppressed label โ never silently hidden.
Options:
RESOURCE Resource address to ignore. Example: aws_instance.api_server
--workspace PATH Terraform directory (default: current dir)
--reason TEXT Reason for ignoring this resource
--remove Remove a resource from the ignore list
--list List all currently ignored resources
drifty ignore aws_instance.api_server
drifty ignore aws_instance.api_server --reason "approved by security team"
drifty ignore aws_instance.api_server --remove
drifty ignore --list
Ignore entries are persisted to .drifty/ignore.yaml with timestamp and author ($USER).
Severity Rules
| Resource Type | Severity |
|---|---|
aws_iam_role_policy, aws_iam_policy |
๐ด Critical |
aws_security_group, aws_security_group_rule |
๐ด Critical |
aws_s3_bucket_policy, aws_s3_bucket_public_access_block |
๐ด Critical |
aws_instance (type/AMI change) |
๐ High |
aws_rds_instance, aws_lb, aws_alb |
๐ High |
aws_lambda_function, aws_autoscaling_group |
๐ก Medium |
aws_cloudwatch_metric_alarm |
๐ก Medium |
aws_instance (tag-only change) |
๐ข Low |
aws_s3_bucket (tag-only change) |
๐ข Low |
Override any rule per-workspace:
# .drifty/config.yaml
severity_overrides:
aws_lambda_function: high
aws_cloudwatch_metric_alarm: low
drifty vs. the Alternatives
| Feature | terraform plan |
Spacelift / HCP TF | drifty |
|---|---|---|---|
| Detects drift | โ | โ | โ |
| Who caused it | โ | โ | โ CloudTrail |
| Severity score | โ | โ | โ |
| Remediation hint | โ | โ | โ |
| JSON / Markdown output | โ | partial | โ |
| Works locally / in CI | โ | โ SaaS only | โ |
| Cost | free | $$$ | free |
| Install | N/A | platform setup | pip install drifty |
| Slack / webhook alerts | โ | โ | โ v0.2.0 |
| Continuous drift watch | โ | โ scheduled | โ v0.3.0 |
| GitHub PR comment | โ | โ | โ v0.4.0 |
| Drift history / trends | โ | โ | โ v0.5.0 |
| Ignore / suppress drift | โ | โ | โ v0.6.0 |
Configuration Reference
# .drifty/config.yaml
default_profile: default # AWS CLI profile
default_severity: null # minimum severity filter (null = show all)
default_output: terminal # terminal | json | markdown
slack_webhook: null # Slack incoming webhook URL
cloudtrail_lookback_days: 90 # max 90 (CloudTrail API limit)
severity_overrides: {} # per-resource type overrides
Roadmap
-
--notify slackโ post drift summary to Slack webhook (v0.2.0) -
drifty watchโ continuous drift monitoring (poll on interval) - GitHub PR comment integration
- Drift history โ persist findings to
.drifty/history.json -
drifty ignoreโ suppress known/accepted drift entries - Azure and GCP provider support
Contributing
git clone https://github.com/satyajit-dey-17/drifty.git
cd drifty
poetry install
poetry run pytest -v
poetry run ruff check drifty/
poetry run black drifty/
Please open an issue before submitting a large PR.
See .github/ISSUE_TEMPLATE/ for bug and feature templates.
License
MIT ยฉ Satyajit Dey
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file drifty-0.6.1.tar.gz.
File metadata
- Download URL: drifty-0.6.1.tar.gz
- Upload date:
- Size: 34.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6bcdfc7f7bc25ce174e358483075b400b124b49c54b118e6e7a2ccc2809b84a7
|
|
| MD5 |
97160d6062224fd3734beb96bebccaa6
|
|
| BLAKE2b-256 |
88b6cbb0d24cff84904a3725e4523c757ace554437848b93973678e55199282a
|
Provenance
The following attestation bundles were made for drifty-0.6.1.tar.gz:
Publisher:
publish.yml on satyajit-dey-17/drifty
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
drifty-0.6.1.tar.gz -
Subject digest:
6bcdfc7f7bc25ce174e358483075b400b124b49c54b118e6e7a2ccc2809b84a7 - Sigstore transparency entry: 1752762577
- Sigstore integration time:
-
Permalink:
satyajit-dey-17/drifty@19572bea6f671640cf2521b80d15cd47682f2992 -
Branch / Tag:
refs/tags/v0.6.1 - Owner: https://github.com/satyajit-dey-17
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@19572bea6f671640cf2521b80d15cd47682f2992 -
Trigger Event:
push
-
Statement type:
File details
Details for the file drifty-0.6.1-py3-none-any.whl.
File metadata
- Download URL: drifty-0.6.1-py3-none-any.whl
- Upload date:
- Size: 39.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
40af9d3288ae58b8c69c12aaf93e0354247630b058066c21d620422c781fd9e4
|
|
| MD5 |
b4b2070f7ff912986a6af09e24673cb7
|
|
| BLAKE2b-256 |
ebd5ae1c8578b70c77872d28dbba0603e8ed8a146b1731b76e356cf9a3a88a03
|
Provenance
The following attestation bundles were made for drifty-0.6.1-py3-none-any.whl:
Publisher:
publish.yml on satyajit-dey-17/drifty
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
drifty-0.6.1-py3-none-any.whl -
Subject digest:
40af9d3288ae58b8c69c12aaf93e0354247630b058066c21d620422c781fd9e4 - Sigstore transparency entry: 1752762729
- Sigstore integration time:
-
Permalink:
satyajit-dey-17/drifty@19572bea6f671640cf2521b80d15cd47682f2992 -
Branch / Tag:
refs/tags/v0.6.1 - Owner: https://github.com/satyajit-dey-17
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@19572bea6f671640cf2521b80d15cd47682f2992 -
Trigger Event:
push
-
Statement type: