Skills
skills/snyk/studio-recipes/drift-detector

drift-detector

Installation
SKILL.md

Infrastructure Drift Detector

Detect, track, and resolve infrastructure drift between Terraform state and actual cloud resources to maintain Infrastructure as Code integrity.

Core Principle: Your cloud should match your code.

Note: This skill uses snyk iac describe CLI command (requires shell execution).

Quick Start

# Basic drift scan against a local Terraform state file
snyk iac describe --from=tfstate://terraform.tfstate

# Output as JSON for further analysis
snyk iac describe --from=tfstate://terraform.tfstate --json > drift-report.json

Prerequisites

  • Terraform project with state file (local or remote)
  • Cloud provider credentials configured
  • snyk CLI installed
  • Network access to cloud APIs

Supported Cloud Providers

Provider Setup
AWS AWS credentials (profile, env vars, or IAM role)
Azure Azure CLI login or service principal
GCP Application default credentials or service account

For a full list of supported resource types per provider, see SERVICES.md.

Phase 1: Setup

Goal: Configure drift detection environment.

Step 1.1: Verify Terraform State

Check for Terraform state:

Local state:

ls terraform.tfstate

Remote state (S3 backend):

terraform {
  backend "s3" {
    bucket = "my-terraform-state"
    key    = "state/terraform.tfstate"
    region = "us-east-1"
  }
}

Step 1.2: Verify Cloud Credentials

AWS:

aws sts get-caller-identity

Azure:

az account show

GCP:

gcloud auth application-default print-access-token

Phase 2: Run Drift Detection

Goal: Identify differences between IaC and actual cloud state.

Step 2.1: Basic Drift Scan

snyk iac describe --from=tfstate://terraform.tfstate

Step 2.2: Remote State Scan

For S3 backend:

snyk iac describe --from=tfstate+s3://my-bucket/state.tfstate

For Terraform Cloud:

snyk iac describe \
  --from=tfstate+tfcloud://organization/workspace \
  --tfc-token=$TFC_TOKEN

Step 2.3: Specific Service Scan

To focus on specific AWS services:

snyk iac describe \
  --from=tfstate://terraform.tfstate \
  --service=aws_s3,aws_ec2,aws_rds

Step 2.4: JSON Output for Analysis

snyk iac describe \
  --from=tfstate://terraform.tfstate \
  --json > drift-report.json

Phase 3: Analyze Results

Goal: Understand and categorize drift.

Step 3.1: Drift Categories

Category Description Risk Level
Unmanaged Resources not in Terraform High - shadow IT
Changed Resources modified outside Terraform Medium - config drift
Missing Resources in state but deleted Low - usually intentional

Step 3.2: Generate Report

## Infrastructure Drift Report

Scan Date: 2024-01-15
Terraform State: s3://my-bucket/prod.tfstate
Cloud Provider: AWS (us-east-1)

### Summary
- Unmanaged Resources: 12 (High)
- Changed Resources:    5  (Medium)
- Missing Resources:    2  (Low)
- Total Drift:         19

### Unmanaged Resources (Not in Terraform)
- aws_s3_bucket      | prod-logs-manual   | High     | Import or delete
- aws_security_group | sg-temp-access     | Critical | Review and remove

### Changed Resources (Modified Outside Terraform)
- aws_security_group.web | ingress: [443]   → ingress: [443, 22]  | High
- aws_rds_instance.main  | multi_az: true   → multi_az: false      | Critical

Step 3.3: Risk Assessment

Prioritize Critical issues first (e.g. SSH opened to 0.0.0.0/0, production HA disabled), then High risk issues (e.g. unmanaged IAM users or security groups). Document the affected resource, the risk, and the intended remediation action for each finding.

Phase 4: Remediation

Goal: Resolve drift and restore IaC integrity.

Step 4.1: Import Unmanaged Resources

For resources that should be in Terraform:

# Generate import block
terraform import aws_s3_bucket.manual_bucket prod-logs-manual

# Or use import block (Terraform 1.5+)

import {
  to = aws_s3_bucket.manual_bucket
  id = "prod-logs-manual"
}

Step 4.2: Remove Unauthorized Resources

For resources that shouldn't exist:

# After verification, delete unmanaged resources
aws s3 rb s3://unauthorized-bucket --force
aws ec2 terminate-instances --instance-ids i-temp-server

Step 4.3: Revert Changes

For resources modified outside Terraform:

# Re-apply Terraform to restore intended state
terraform apply

Step 4.4: Update Terraform (Adopt Changes)

If the manual change should be kept:

# Update Terraform to match new reality
resource "aws_security_group" "web" {
  # Add the new rule
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]  # Restrict if keeping
  }
}

Phase 5: Prevention

Goal: Prevent future drift.

Step 5.1: Generate Exclude Policy

For expected drift (auto-scaling, etc.):

snyk iac update-exclude-policy \
  --exclude-unmanaged \
  --exclude-changed

This creates a .snyk policy file:

exclude:
  iac-drift:
    - aws_autoscaling_group.*
    - aws_ecs_service.*:desiredCount

Step 5.2: CI/CD Integration

Add drift detection to CI/CD:

# GitHub Actions example
- name: Check for Infrastructure Drift
  run: |
    snyk iac describe \
      --from=tfstate+s3://my-bucket/prod.tfstate \
      --json > drift.json
    
    # Fail if unmanaged resources found
    if [ $(jq '.summary.total_unmanaged' drift.json) -gt 0 ]; then
      echo "Drift detected!"
      exit 1
    fi

Step 5.3: Regular Audits

Schedule regular drift audits:

Frequency Scope Purpose
Daily Critical resources Security monitoring
Weekly All production Configuration audit
Monthly All environments Comprehensive review

Common Scenarios

For detailed worked examples, see EXAMPLES.md. Brief references:

  • Post-Incident Audit: Run drift detection with JSON output, filter for security-related resources, identify unauthorized changes, generate incident report, remediate and document.
  • Pre-Deployment Check: Run drift detection, fail deployment if drift exists, resolve drift first, then proceed with deployment.
  • Shadow IT Discovery: Run drift detection, filter to unmanaged resources, categorize by owner/purpose, import or remove as appropriate.

Error Handling

State Access Error

Error: Could not read Terraform state

Solutions:
1. Verify state file path
2. Check S3/backend permissions
3. Ensure terraform init has been run

Cloud Credential Error

Error: Authentication failed

Solutions:
1. Verify cloud credentials
2. Check IAM permissions for describe/list
3. Ensure credentials not expired

Service Not Supported

Warning: Service X not supported

Solutions:
1. Check supported services list
2. Use Terraform plan comparison instead
3. Report to Snyk for feature request

Constraints

  1. Read-only: This skill only detects drift, doesn't modify resources
  2. Credentials required: Needs cloud provider access
  3. Service coverage: Not all resource types supported
  4. State required: Must have Terraform state to compare
  5. Network required: Needs access to cloud APIs
Weekly Installs
19
Repository
snyk/studio-recipes
GitHub Stars
29
First Seen
Mar 29, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass