惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
V
Visual Studio Blog
The GitHub Blog
The GitHub Blog
Apple Machine Learning Research
Apple Machine Learning Research
J
Java Code Geeks
T
Tailwind CSS Blog
大猫的无限游戏
大猫的无限游戏
Jina AI
Jina AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Hugging Face - Blog
Hugging Face - Blog
WordPress大学
WordPress大学
宝玉的分享
宝玉的分享
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
罗磊的独立博客
人人都是产品经理
人人都是产品经理
H
Heimdal Security Blog
Last Week in AI
Last Week in AI
博客园 - 【当耐特】
Cyberwarzone
Cyberwarzone
Google DeepMind News
Google DeepMind News
雷峰网
雷峰网
Hacker News: Ask HN
Hacker News: Ask HN
Webroot Blog
Webroot Blog
Microsoft Azure Blog
Microsoft Azure Blog
MyScale Blog
MyScale Blog
A
About on SuperTechFans
V2EX - 技术
V2EX - 技术
小众软件
小众软件
博客园 - Franky
博客园 - 司徒正美
P
Privacy International News Feed
爱范儿
爱范儿
U
Unit 42
博客园 - 叶小钗
The Hacker News
The Hacker News
C
Check Point Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Simon Willison's Weblog
Simon Willison's Weblog
N
News and Events Feed by Topic
D
Docker
T
Threatpost
MongoDB | Blog
MongoDB | Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
H
Help Net Security
L
LINUX DO - 最新话题
Security Latest
Security Latest
T
The Exploit Database - CXSecurity.com
S
SegmentFault 最新的问题
A
Arctic Wolf
Spread Privacy
Spread Privacy

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
IaC Drift Management: Unexpected Infrastructure Discrepancies and
Mustafa ERBA · 2026-05-17 · via DEV Community

In today's rapidly evolving IT landscape, infrastructure management is becoming increasingly complex. To navigate this complexity and automate processes, Infrastructure as Code (IaC) approaches are of paramount importance. IaC is the practice of defining, provisioning, and managing infrastructure resources using code.

However, even when using IaC, unexpected infrastructure discrepancies known as "drift" can arise. IaC drift management encompasses the processes of detecting, correcting, and preventing these deviations between the ideal state defined in your code and the actual infrastructure state. In this post, we will delve into what IaC drift is, its causes, risks, and effective management strategies.

What is IaC Drift and Why is it Important?

Infrastructure as Code (IaC) enables your infrastructure to be defined and managed through version-controlled code files. This ensures that infrastructure changes are applied consistently and repeatably. However, this ideal state cannot always be maintained.

IaC drift management refers to your infrastructure deviating from its expected state. This occurs when a part of the infrastructure is modified outside of the IaC code, either manually or by another automated process. These deviations can seriously threaten the stability, security, and compliance of your systems.

Defining IaC Drift

IaC drift is when your infrastructure resources (e.g., virtual machines, databases, network configurations) differ from the configuration defined in your IaC code. In essence, it's a state of inconsistency between what your code dictates and what actually exists in your infrastructure. These inconsistencies can range from a minor setting adjustment to the deletion of an entire resource.

Drift invalidates your IaC code as the "single source of truth" for your infrastructure. This can lead to failed future deployments, unexpected behaviors, and prolonged troubleshooting processes. IaC drift management aims to minimize these discrepancies.

Causes of Drift

There can be multiple reasons for IaC drift, often stemming from human factors or process deficiencies. Understanding these causes is critical for developing strategies to prevent drift. Below are common reasons that lead to drift:

  • Manual Configuration Changes: This is the most common cause of drift. A developer or operations specialist might make direct changes to the infrastructure for a quick fix or testing purposes. These changes are often not reflected in the IaC code and are forgotten over time.
  • Emergency Fixes: When a critical issue arises in the production environment, direct interventions might be made for rapid solutions. These emergency interventions often bypass IaC processes, leading to drift.
  • Unsuccessful IaC Deployments: If an IaC deployment fails partially, some resources might have been created or modified, while others were not. This can leave a partial configuration that differs from what the IaC code expects.
  • Third-Party Integrations: Security tools, monitoring systems, or other automation solutions might make changes to infrastructure resources on their own. Changes made by such systems might not be specified in your IaC code.
  • Human Error: Sometimes, executing incorrect commands or targeting the wrong resources can lead to unintended changes in the infrastructure. These errors can invalidate the definitions in your IaC code.

Potential Risks of Drift

IaC drift brings with it a host of serious risks for an organization. These risks span a wide spectrum, from operational efficiency to security and compliance. IaC drift management is vital for minimizing these risks.

  • Configuration Inconsistency: Drift leads to inconsistent configurations across different environments (development, test, production). This can cause the "it worked on my machine!" syndrome, where an application that runs in a test environment encounters issues in production.
  • Security Vulnerabilities: Manual changes or outdated IaC code can result in missing security patches or misconfigured security groups. This creates potential entry points for malicious attackers.
  • Compliance Issues: Adhering to regulations like GDPR or HIPAA requires maintaining specific security and configuration standards. Drift can lead to deviations from these standards, causing problems during audits and potential legal penalties.
  • Troubleshooting Difficulties: When an issue arises, understanding which part of the infrastructure is managed by IaC and which part was manually changed can be complex. This prolongs troubleshooting time and increases system downtime.
  • Reduced Agility: In an environment with drift, deploying new features or patches becomes risky because the exact state of the existing infrastructure is unknown. This slows down deployment speed and reduces the organization's agility.
  • High Operational Costs: The time and effort spent detecting, analyzing, and correcting drift increase operational costs. Furthermore, outages or security breaches caused by drift also incur additional expenses.

IaC Drift Management Strategies

IaC drift management requires a combination of strategies to detect, correct, and most importantly, prevent drift. These strategies offer a comprehensive approach to ensuring the consistency and security of your infrastructure. An effective management plan is fueled by automation, process improvements, and cultural change.

Drift Detection

Drift detection is the process of comparing the actual infrastructure state with the expected state defined in your IaC code. This is the first and most fundamental step in IaC drift management. Regularly detecting drift allows you to intervene before problems escalate.

Various tools and methods are available for drift detection. Most IaC tools have built-in features that can perform such comparisons. For example, in Terraform, the terraform plan command shows the differences between your code and the existing infrastructure. Similarly, AWS Config, Azure Policy, and custom scripts can also be used for drift detection.

💡 Continuous Drift Detection

Drift detection should not be a one-time operation. By integrating regular and automated checks into your CI/CD pipelines, you can ensure your infrastructure remains compliant with your code continuously. Running these checks a few times a day or with every code change helps you catch drift at an early stage.

Below is an example of a Terraform plan output, simulating how it might indicate drift in a resource:

Terraform will perform the following actions:

  # aws_instance.web_server will be updated in-place
  ~ resource "aws_instance" "web_server" {
        id                            = "i-0abcdef1234567890"
        tags                          = {
            "Environment" = "production"
            "Name"        = "MyWebServer"
            "Owner"       = "DevOpsTeam"
        }
      - tags_all                      = {
      -     "Environment" = "production"
      -     "Name"        = "MyWebServer"
      -     "Owner"       = "DevOpsTeam"
      -     "DriftTag"    = "ManualChange" -> null # Drift detected: Manual tag removed
        }
        # (lifecycle, ami, instance_type, etc. remain unchanged)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Enter fullscreen mode Exit fullscreen mode

In this example, the "DriftTag" in the tags_all block indicates that the tag is not present in the IaC code but exists in the actual infrastructure and will be removed. This means someone manually added this tag via the AWS console, and the IaC code is unaware of it.

Drift Remediation

Once drift is detected, the next step is to correct these discrepancies. Drift remediation is the process of bringing the infrastructure back to the expected state defined in your IaC code or updating the IaC code to reflect the actual infrastructure state. This decision depends on the nature and cause of the drift.

There are two primary approaches:

  1. Revert to IaC: This assumes your IaC code is the "single source of truth." When drift is detected, the IaC code is applied to revert the infrastructure to the expected state. This means overwriting or deleting manually made changes. This approach ensures infrastructure consistency and repeatability but carries the risk of losing valuable manual changes.
  2. Update IaC: If the drift resulted from a significant and intended change (e.g., an emergency fix worked and should be permanent), then you need to update your IaC code to reflect the actual infrastructure state. This involves revising the code, testing it, and then deploying it. This approach keeps your IaC code up-to-date but requires careful evaluation of the accuracy and appropriateness of manual changes.

Automatic remediation typically follows the "revert to IaC" approach, continuously enforcing the IaC code's state onto the actual infrastructure. This is highly effective for ensuring consistency, especially in development and test environments. In production environments, automatic remediation should be applied cautiously, considering potential disruptions.

# After drift detection, `terraform apply` is used for remediation.
# This command applies the state defined in your IaC code to the infrastructure.
# It will revert drifted resources to their previous state or update them.
terraform apply --auto-approve

Enter fullscreen mode Exit fullscreen mode

The terraform apply command applies the changes shown by the plan command to the actual infrastructure. The --auto-approve flag allows direct application without confirmation, which is useful in automation pipelines but should be used with caution.

Drift Prevention

While drift detection and remediation are important, the best strategy is to prevent drift from occurring in the first place. Drift prevention involves mechanisms and processes that ensure all infrastructure changes are made through the IaC process.

  • Policy Enforcement: You can prevent direct manual changes to specific resources by using native policy engines of cloud providers (AWS SCPs, Azure Policies, Google Cloud Organization Policies) or third-party tools (Open Policy Agent - OPA). These policies might, for example, mandate certain tags or prohibit opening specific ports.
  • Access Control: Restrict direct access to infrastructure resources as much as possible. Use Role-Based Access Control (RBAC) to allow only specific IaC deployment accounts or CI/CD pipelines to make infrastructure changes. Limiting direct access to the production environment for developers and operations teams significantly reduces the risk of manual changes.
  • CI/CD Pipeline Integration: Mandate that all infrastructure changes go through a CI/CD pipeline. This pipeline should include code review, automated testing, and IaC deployment. Every change should be committed to the codebase and deployed through an automated process.
  • Immutable Infrastructure: Instead of modifying servers or other infrastructure components, create a new version and destroy the old one when a change is needed. This approach largely eliminates configuration drift because each deployment starts fresh. Docker containers and AMIs (Amazon Machine Images) are good examples of this principle.
  • Regular Audits and Reviews: Regularly review your IaC code and infrastructure configurations. Code reviews are an effective way to catch potential issues early and ensure adherence to IaC standards. Security audits can also uncover manually made changes.

Popular IaC Tools and Drift Management Features

Different IaC tools offer various features for drift management. Understanding the capabilities of these tools can help you determine the most suitable strategy for your environment. Each tool has its own philosophy and strengths in defining and managing infrastructure as code.

Terraform

HashiCorp Terraform is one of the most popular IaC tools for provisioning and managing infrastructure across various cloud providers and other services. Terraform operates with a declarative approach and offers robust features for drift management.

Terraform's primary drift detection mechanism is the terraform plan command. This command compares the desired state defined in your IaC code with the current infrastructure state and shows the differences between them. Potential additions, updates, or deletions are clearly indicated. To correct drift, the terraform apply command is used; this command brings the infrastructure to the state defined in your IaC code.

Platforms like Terraform Cloud and Terraform Enterprise offer more advanced drift detection and alerting features. These platforms can continuously monitor resources in your workspaces and notify you when a deviation from your code is detected. This allows you to proactively manage drift without the need for manual intervention.

# Shows differences between the current infrastructure state and your code
terraform plan

# When drift is detected, applies the state in your code to the infrastructure
# This can revert manual changes or update your IaC code
terraform apply

Enter fullscreen mode Exit fullscreen mode

AWS CloudFormation

AWS CloudFormation is an IaC service that allows you to declaratively define AWS resources. CloudFormation manages resources through stacks. It has built-in features for drift management.

CloudFormation's Drift Detection feature compares the actual configuration of resources in a stack with the expected configuration in the stack template. This feature can be initiated via the AWS console, CLI, or SDK and reports drifted resources and changes. When drift is detected, CloudFormation does not provide automatic remediation directly but allows you to review the drift and correct it manually or by deploying a new template. Additionally, CloudFormation's Change Sets feature helps prevent unexpected situations by allowing you to preview changes to be applied to a stack beforehand.

Ansible

Ansible is an open-source tool used for IT automation. It performs tasks such as configuration management, application deployment, and orchestration. Ansible places great importance on the principle of "idempotency," meaning that running a playbook multiple times always leads to the same outcome.

While Ansible doesn't offer a direct "drift detection" feature, it indirectly manages drift through idempotency. Each time a playbook is run, it checks the state of the target system and makes only the necessary changes. Running a playbook with the --check or --diff flags allows you to preview potential changes to the system (i.e., drift) before they are made. These modes show what is different based on your intent, without making actual changes.

Pulumi

Pulumi is a modern IaC platform that allows you to define cloud infrastructure using real programming languages like Go, Python, TypeScript, and C#. The power of programming languages enables the creation of more complex and dynamic infrastructures.

Pulumi displays and applies planned changes using the pulumi preview and pulumi up commands. For drift detection, it reflects the actual state of cloud resources into the state file with pulumi refresh, and then reports the difference between the state and the code with pulumi preview.

Conclusion

IaC drift accumulates like invisible debt and surfaces during incidents until it's noticed. The triple threat of a disciplined refresh + preview cycle, automated drift checks in CI, and IAM policies blocking manual cloud console changes is the most effective strategy to prevent drift at its source.