There is nothing quite as stressful as running a terraform apply on a Friday afternoon, only to realize someone manually tweaked a security group rule in the AWS Console three weeks ago. This is ‘drift’—the gap between your defined code and the actual state of your infrastructure. In this IaC drift detection tools review, I’m diving into the tools I’ve used to stop this madness and keep my environments predictable.
Why You Need Automated Drift Detection
In a perfect world, every change goes through Git. In the real world, engineers make ‘quick fixes’ in the UI during an incident. If you don’t detect this drift, your next automated deployment might accidentally revert a critical hotfix or, worse, fail entirely because the state file is out of sync. For those of you managing complex setups, I highly recommend looking into advanced Terraform refactoring techniques to keep your modules lean, which actually makes drift easier to spot.
The Contenders: Top Drift Detection Tools
I’ve spent the last six months testing several approaches to drift detection. Some are built into the platforms, while others are specialized third-party agents.
1. Terraform Cloud / Spacelift
These platforms treat drift detection as a first-class citizen. Instead of running manual plans, they schedule health checks that alert you the moment the real-world state diverges from the stored state.
Strengths:
- Native integration with the IaC lifecycle.
- Automated scheduling (e.g., check every 2 hours).
- Direct links to the offending resource in the UI.
- Unified state management.
- Reduced ‘state lock’ contention.
Weaknesses:
- Can become expensive as you scale resource counts.
- Vendor lock-in to the specific orchestration platform.
- Initial setup of drift schedules can be tedious for hundreds of workspaces.
2. Driftctl (Now part of Pulumi)
For a long time, driftctl was the gold standard for open-source drift detection. It scans your entire cloud account and compares it to your state file, finding resources that aren’t even managed by IaC.
Strengths:
- Finds ‘unmanaged’ resources (the things you forgot to import).
- Highly detailed CLI output.
- Works across AWS, Azure, and GCP.
- Easy to plug into a GitHub Action or GitLab CI pipeline.
- No need to change your existing Terraform workflow.
Weaknesses:
- CLI-heavy; lacks a native ‘dashboard’ unless you build one.
- Can be slow on massive accounts (thousands of resources).
- Requires high-privilege read access to the cloud provider.
Performance and User Experience
In my experience, the ‘UX’ of drift detection isn’t about the dashboard—it’s about the alert. A tool that emails me a 50-page PDF of differences is useless. I prefer tools that send a Slack notification with a deep link to the specific line of code that needs updating.
When comparing the overhead, driftctl is lightweight but noisy. Managed platforms like Spacelift are quieter because they allow you to ignore specific attributes (like tags or auto-scaling counts) that naturally fluctuate. If you’re undecided on the platform, you might ask, should I use Terraform Cloud or Spacelift? Both handle drift significantly better than a raw terraform plan cron job.
Comparison Matrix
As shown in the table below, the trade-off usually falls between ‘ease of setup’ and ‘depth of visibility’.
| Feature | Terraform Cloud | Spacelift | Driftctl / Pulumi |
|---|---|---|---|
| Unmanaged Resource Detection | Limited | Moderate | Excellent |
| Automated Remediation | Yes (via Trigger) | Yes (via Blueprints) | No (Manual) |
| Setup Effort | Low | Medium | Low |
| Pricing Model | Per Resource/User | Per User/Resource | Open Source/SaaS |
Pricing Analysis
Pricing for drift detection is tricky. Driftctl is essentially free if you run it yourself, but the ‘cost’ is the engineering time spent managing the cron jobs. Managed services charge a premium for the peace of mind. In my current production setup, I’ve found that paying for a managed platform is cheaper than the hourly rate of a DevOps engineer spending four hours a week hunting down manual changes.
Who Should Use Which Tool?
- Small Teams / Side Projects: Stick with driftctl. It’s free, powerful, and gives you a great audit of what’s actually in your account.
- Mid-Sized Enterprise: Terraform Cloud. The integration is seamless and the drift detection is ‘good enough’ for most.
- Complex, Multi-Cloud Orgs: Spacelift. Their policy-as-code (OPA) allows you to define exactly what constitutes ‘critical drift’ versus ‘acceptable drift’.
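The attribute-ignoring described under Performance and User Experience and the ‘critical drift’ versus ‘acceptable drift’ split mentioned above, as an added Python example that is not from this post or from any of the tools reviewed: it reads the JSON that `terraform show -json tfplan` produces, drops attributes that fluctuate on their own, and flags changes to security-sensitive resource types. The resource type list, the ignored attributes and the sample plan are my own assumptions, constructed for illustration.

```python
import json

# Attributes that legitimately fluctuate outside Terraform (autoscaling, tagging bots);
# a change confined to these is not worth paging anyone about. Assumed list.
IGNORED_ATTRS = {"tags", "tags_all", "desired_count"}

# Resource types where any out-of-band change is a security event, not a nuisance. Assumed list.
CRITICAL_TYPES = {"aws_security_group", "aws_security_group_rule", "aws_iam_policy",
                  "aws_iam_role_policy", "aws_s3_bucket_public_access_block"}


def changed_attributes(change):
    """Top-level attribute names whose value differs between the 'before' and 'after' objects."""
    before, after = change.get("before") or {}, change.get("after") or {}
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def classify_drift(plan):
    """Turn `terraform show -json tfplan` output into a list of drift findings.

    Changes touching only IGNORED_ATTRS are dropped. A destroy, or any change to a
    CRITICAL_TYPES resource, is 'critical'; everything else is 'acceptable' drift.
    """
    findings = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if actions in (["no-op"], ["read"]):
            continue
        attrs = changed_attributes(rc["change"]) - IGNORED_ATTRS
        if not attrs and "delete" not in actions:
            continue
        severity = "critical" if "delete" in actions or rc["type"] in CRITICAL_TYPES else "acceptable"
        findings.append({"address": rc["address"], "actions": actions,
                         "attrs": sorted(attrs), "severity": severity})
    return findings


# Constructed sample plan (not real account data): a security group whose SSH ingress was
# widened in the console, an ECS service resized by autoscaling, and a retagged instance.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
  {"address": "aws_security_group.web", "type": "aws_security_group", "change": {"actions": ["update"],
   "before": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}], "tags": {"env": "prod"}},
   "after":  {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}], "tags": {"env": "prod"}}}},
  {"address": "aws_ecs_service.api", "type": "aws_ecs_service", "change": {"actions": ["update"],
   "before": {"desired_count": 2, "launch_type": "FARGATE"}, "after": {"desired_count": 5, "launch_type": "FARGATE"}}},
  {"address": "aws_instance.bastion", "type": "aws_instance", "change": {"actions": ["update"],
   "before": {"instance_type": "t3.small", "tags": {"env": "prod"}}, "after": {"instance_type": "t3.large", "tags": {"env": "prod", "owner": "ops"}}}}
]}""")

if __name__ == "__main__":
    for f in classify_drift(SAMPLE_PLAN):
        print(f["severity"].upper(), f["address"], f["attrs"])
```

On the sample plan the ECS resize is silently dropped, the instance resize is reported as acceptable, and the security group change is the one that should reach Slack.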
Final Verdict
If you are tired of your pipelines failing due to manual changes, stop relying on manual plans. My recommendation: start with driftctl to clean up your current mess (import those unmanaged resources!), then migrate to a managed platform like Spacelift or Terraform Cloud to prevent the drift from returning. The ROI on drift detection is immediate—you stop fighting the cloud and start managing it.