Terraform drift intelligence: detect, attribute, score, and fix IaC drift
Project description
๐ drifty
Detect Terraform drift, attribute the change, assess risk, and fix it fast.
pip install drifty
The Problem
terraform plan tells you what drifted. It does not provide native attribution for who changed it, how risky the change is, or the best way to respond.
Manual changes in the AWS console during incidents, auto-scaling events, and ad-hoc CLI commands can silently diverge infrastructure from Terraform state. By the time the drift is noticed, it is often unclear whether it came from a teammate, approved automation, or a potential security issue.
Platforms such as Spacelift and HCP Terraform can detect drift on a schedule, but they are broader IaC platforms that are heavier, more expensive, and do not natively focus on attribution or severity scoring.
drifty fills this gap. It gives teams a lightweight way to detect drift, enrich it with CloudTrail context, prioritize what matters, and act quickly.
Demo
$ drifty scan --workspace ./infra --attribute
๐ drifty โ Terraform Drift Intelligence
Scanning workspace: ./infra | 2026-06-05 14:00 UTC
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ 3 drifts detected - 1 Critical - 1 High - 1 Low โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
๐ด CRITICAL aws_security_group.main (sg-0abc1234)
Changed: ingress.0.cidr_blocks โ ["0.0.0.0/0"] (was: ["10.0.0.0/8"])
Who: arn:aws:iam::123456789:user/john.doe
When: 2026-06-03 14:22:11 UTC
Action: ModifySecurityGroupRules
Suggested action: reconcile state with Terraform import or revert with terraform apply
๐ HIGH aws_instance.api_server (i-0def5678)
Changed: instance_type โ t3.large (was: t3.medium)
Who: arn:aws:iam::123456789:role/ops-automation
When: 2026-06-02 09:15:44 UTC
Action: ModifyInstanceAttribute
Suggested action: reconcile state with Terraform import or revert with terraform apply
๐ข LOW aws_s3_bucket.assets (assets-bucket-prod)
Changed: tags.LastModified โ "2026-06-01" (was: "2026-05-15")
Who: attribution unavailable (event outside 90-day CloudTrail window)
Suggested action: add tag to Terraform config or run terraform apply to reconcile
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Run `drifty report --format markdown` to export this as a report.
Install
Requirements: Python 3.10+, AWS credentials configured, and Terraform available in your workspace.
pip install drifty
Quick Start
# 1. Initialize config in your Terraform workspace
cd ./infra
drifty init
# 2. Scan for drift
drifty scan
# 3. Scan with CloudTrail attribution
drifty scan --attribute
# 4. Filter to critical and high only
drifty scan --severity high
# 5. Output as JSON for CI/CD piping
drifty scan --output json | jq '.findings[] | select(.severity=="critical")'
# 6. Export a markdown report
drifty report --format markdown --out ./drift-report.md
# 7. Send drift summary to Slack
drifty config set slack_webhook=https://hooks.slack.com/services/xxx/yyy/zzz
drifty scan --notify slack
# 8. Watch for new drift continuously
drifty watch --interval 300 --threshold high --notify slack
# 9. Watch with CloudTrail attribution on every cycle
drifty watch --interval 300 --attribute --notify slack
# 10. Post drift report as a GitHub PR comment
drifty report-pr --attribute --severity high
# 11. View drift history across previous scans
drifty history
# 12. Show last 30 scans, high severity and above
drifty history --last 30 --severity high
# 13. Suppress a known or accepted drift
drifty ignore aws_instance.api_server --reason "approved by security team"
# 14. List all ignored resources
drifty ignore --list
# 15. Remove an ignore entry
drifty ignore aws_instance.api_server --remove
Why It Stands Out
drifty is designed for engineers who want drift detection without adopting a full platform. It works locally, fits naturally into CI, and adds attribution, severity, reporting, and notifications on top of Terraform's existing workflow.
A particularly strong workflow is continuous monitoring with Slack alerts and optional CloudTrail attribution. That combination helps teams catch new drift quickly without creating repeated noise.
How It Works
drifty scan
โ
โโ 1. runs: terraform plan -refresh-only -json
โ
โโ 2. parses JSON Lines output โ extracts resource_drift entries
โ
โโ 3. scores each finding
โ critical โ IAM, security groups, S3 policies
โ high โ EC2 instances, RDS, load balancers
โ medium โ Lambda, Auto Scaling, CloudWatch
โ low โ tag-only changes
โ
โโ 4. attributes each finding via CloudTrail (if --attribute)
โ boto3 โ LookupEvents by resource ID
โ returns: IAM principal, timestamp, API action
โ
โโ 5. renders output
terminal โ Rich color-coded output
json โ structured output for CI/CD
markdown โ report for docs and collaboration
Commands
drifty scan
Options:
--workspace PATH Terraform directory (default: current dir)
--profile TEXT AWS CLI profile (default: "default")
--attribute Enable CloudTrail attribution
--severity TEXT Minimum severity: critical | high | medium | low
--output TEXT Output format: terminal | json | markdown
--notify TEXT Send results to: slack
drifty init
Initializes .drifty/config.yaml in the workspace with default settings.
drifty config set KEY=VALUE
drifty config set default_severity=high
drifty config set default_profile=prod
drifty config set slack_webhook=https://hooks.slack.com/...
drifty config set cloudtrail_lookback_days=30
drifty report
drifty report --format markdown --out ./reports/drift-$(date +%F).md
drifty report --format json
drifty scan --notify slack
Sends a Slack Block Kit message when drift is found. Configure slack_webhook in .drifty/config.yaml first.
# One-time setup
drifty config set slack_webhook=https://hooks.slack.com/services/T.../B.../xxx
# Then run with notifications
drifty scan --notify slack
drifty scan --attribute --notify slack --severity high
The Slack message includes:
- Severity summary
- Per-finding blocks with changed attributes, attribution, and remediation hints
- A cap of 10 findings per message to stay within Slack block limits
drifty watch
Continuously monitors a Terraform workspace for drift and alerts when new findings appear.
Options:
--workspace PATH Terraform directory (default: current dir)
--interval INT Polling interval in seconds (default: 300)
--threshold TEXT Minimum severity to trigger alert: critical | high | medium | low
--notify TEXT Notifier to use when new drift is detected: slack
--attribute Enable CloudTrail attribution on each cycle
# Poll every 5 minutes, alert on high+ drift via Slack
drifty watch --interval 300 --threshold high --notify slack --attribute
# Run locally with a faster interval for testing
drifty watch --interval 60 --threshold low
drifty watch tracks state between cycles using a finding hash stored in .drifty/state.json. It only alerts on new drift so previously seen findings do not create repeated noise.
drifty report-pr
Scans for drift and posts a formatted report as a comment on a GitHub Pull Request.
Options:
--workspace PATH Terraform directory (default: current dir)
--profile TEXT AWS CLI profile
--attribute Enable CloudTrail attribution
--severity TEXT Minimum severity filter: critical | high | medium | low
--token TEXT GitHub token (defaults to GITHUB_TOKEN env var)
--repo TEXT Repository in owner/repo format (defaults to GITHUB_REPOSITORY env var)
--pr INT Pull request number (defaults to PR_NUMBER env var)
# In GitHub Actions
drifty report-pr --attribute --severity high
# Locally against a specific PR
drifty report-pr --repo acme/infra --pr 42 --token ghp_xxx
Each finding renders as a collapsible <details> block with changed attributes, attribution details, and a remediation hint.
Example GitHub Actions step:
- name: Drift Report
run: drifty report-pr --attribute --severity high
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }}
drifty history
Shows drift trends from previous scans. Findings are automatically persisted to .drifty/history.json after every drifty scan.
Options:
--workspace PATH Terraform directory (default: current dir)
--last INT Number of recent scans to show (default: 10)
--severity TEXT Minimum severity filter: critical | high | medium | low
--output TEXT terminal | json
drifty history
drifty history --last 30 --severity high
drifty history --output json
drifty ignore
Manages the ignore list for suppressing known or accepted drift. Suppressed resources still appear in scan output under a dimmed Suppressed label rather than being silently hidden.
Options:
RESOURCE Resource address to ignore, for example aws_instance.api_server
--workspace PATH Terraform directory (default: current dir)
--reason TEXT Reason for ignoring this resource
--remove Remove a resource from the ignore list
--list List all currently ignored resources
drifty ignore aws_instance.api_server
drifty ignore aws_instance.api_server --reason "approved by security team"
drifty ignore aws_instance.api_server --remove
drifty ignore --list
Ignore entries are persisted to .drifty/ignore.yaml with timestamp and author.
Severity Rules
| Resource Type | Severity |
|---|---|
aws_iam_role_policy, aws_iam_policy |
๐ด Critical |
aws_security_group, aws_security_group_rule |
๐ด Critical |
aws_s3_bucket_policy, aws_s3_bucket_public_access_block |
๐ด Critical |
aws_instance (type or AMI change) |
๐ High |
aws_rds_instance, aws_lb, aws_alb |
๐ High |
aws_lambda_function, aws_autoscaling_group |
๐ก Medium |
aws_cloudwatch_metric_alarm |
๐ก Medium |
aws_instance (tag-only change) |
๐ข Low |
aws_s3_bucket (tag-only change) |
๐ข Low |
Override any rule per workspace:
# .drifty/config.yaml
severity_overrides:
aws_lambda_function: high
aws_cloudwatch_metric_alarm: low
drifty vs. Alternatives
| Feature | terraform plan |
Spacelift / HCP Terraform | drifty |
|---|---|---|---|
| Detects drift | โ | โ | โ |
| Native attribution | โ | โ | โ CloudTrail |
| Severity score | โ | โ | โ |
| Remediation guidance | โ | โ | โ |
| JSON / Markdown output | โ | Partial | โ |
| Works locally / in CI | โ | โ SaaS only | โ |
| Cost | Free | $$$ | Free |
| Install | N/A | Platform setup | pip install drifty |
| Slack alerts | โ | โ | โ |
| Continuous drift watch | โ | โ Scheduled | โ |
| GitHub PR comment | โ | โ | โ |
| Drift history / trends | โ | โ | โ |
| Ignore / suppress drift | โ | โ | โ |
Configuration Reference
# .drifty/config.yaml
default_profile: default
default_severity: null
default_output: terminal
slack_webhook: null
cloudtrail_lookback_days: 90
severity_overrides: {}
Release
drifty is packaged with Poetry, built from pyproject.toml, and published to PyPI. Poetry requires a package version to be defined in pyproject.toml, either in project.version or tool.poetry.version, and that version is the source of truth for the built package metadata.
The recommended GitHub Actions pattern is to build distributions in one job, store them as artifacts, and publish them from a separate PyPI job that runs on tag pushes with trusted publishing enabled. For repeatable releases, use the tag as the release trigger, keep the package version aligned with pyproject.toml, and configure the PyPI publish step to skip already-uploaded files on reruns.
Tagged releases can also create or update a GitHub Release with changelog-derived notes while PyPI publication is handled separately in the publish job.
Example local development flow:
poetry version patch
poetry build
poetry publish -r testpypi
Example GitHub Actions publish step:
- name: Publish distribution ๐ฆ to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
skip-existing: true
Roadmap
- Slack notifications via
--notify slack - Continuous drift watch
- GitHub PR comment integration
- Drift history
- Ignore / suppress drift
- Azure and GCP provider support
Contributing
git clone https://github.com/satyajit-dey-17/drifty.git
cd drifty
poetry install
poetry run pytest -v
poetry run ruff check drifty/
poetry run black drifty/
Please open an issue before submitting a large PR. See .github/ISSUE_TEMPLATE/ for bug and feature templates.
License
MIT ยฉ Satyajit Dey
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file drifty-0.6.5.tar.gz.
File metadata
- Download URL: drifty-0.6.5.tar.gz
- Upload date:
- Size: 36.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9e2196c20eafff90516baa64b98ede18ea2b6a8febfaf55a46f1bc34f0a2dbf5
|
|
| MD5 |
c18e25cafeb8fef9ac6d4ddff0a6aedc
|
|
| BLAKE2b-256 |
e5b3569aaf99f0467a3c62ddd0fbca402d47478cc9dfc8d88b211d20871a1636
|
Provenance
The following attestation bundles were made for drifty-0.6.5.tar.gz:
Publisher:
publish.yml on satyajit-dey-17/drifty
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
drifty-0.6.5.tar.gz -
Subject digest:
9e2196c20eafff90516baa64b98ede18ea2b6a8febfaf55a46f1bc34f0a2dbf5 - Sigstore transparency entry: 1810962619
- Sigstore integration time:
-
Permalink:
satyajit-dey-17/drifty@b4c4a87ec988c5e10b999e1977e25c7b5ff688ab -
Branch / Tag:
refs/tags/v0.6.5 - Owner: https://github.com/satyajit-dey-17
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@b4c4a87ec988c5e10b999e1977e25c7b5ff688ab -
Trigger Event:
push
-
Statement type:
File details
Details for the file drifty-0.6.5-py3-none-any.whl.
File metadata
- Download URL: drifty-0.6.5-py3-none-any.whl
- Upload date:
- Size: 40.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
459a55a25fd97f0d8efa7e35082aff783cae15e671871ea178949dcc7401117a
|
|
| MD5 |
8e4c2e8a17ac9f59a73fcf9d4eedcc43
|
|
| BLAKE2b-256 |
349e270eb57b88c4f17a49782429b2e8b20cd69a855cdb434b5f207af76d2007
|
Provenance
The following attestation bundles were made for drifty-0.6.5-py3-none-any.whl:
Publisher:
publish.yml on satyajit-dey-17/drifty
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
drifty-0.6.5-py3-none-any.whl -
Subject digest:
459a55a25fd97f0d8efa7e35082aff783cae15e671871ea178949dcc7401117a - Sigstore transparency entry: 1810962636
- Sigstore integration time:
-
Permalink:
satyajit-dey-17/drifty@b4c4a87ec988c5e10b999e1977e25c7b5ff688ab -
Branch / Tag:
refs/tags/v0.6.5 - Owner: https://github.com/satyajit-dey-17
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@b4c4a87ec988c5e10b999e1977e25c7b5ff688ab -
Trigger Event:
push
-
Statement type: