Small company problems
A sea of yellow “~” is probably one of the most annoying things a Terraform user can see. Anyone ever spend 3 hours going full Dora the Explorer on a Terraform project just to find out why a seemingly “untouched” project now has “23 to change…and 2 to destroy”?
When you work for a small company and have many engineers using infrastructure automation tools like Terraform to spin up infrastructure, a variety of events tend to cause drift:
Someone made an “emergency” fix in the AWS console
A team member added a permission to an IAM role “to help out a coworker”
Configuration changes happen during incident response and aren't reflected back to code
The result? Your Terraform state and your actual infrastructure slowly diverge, leading to deployment surprises, configuration inconsistencies, and the eventual complaint of “…but it works locally”.
What’s currently out there?
We looked around at some good solutions for dealing with drift.
Terraform Cloud. This would be easy to implement and would show us everything and alert us with a very feature rich UI. But because the company is also a startup…I was told I need to spend like a shareholder.
Spacelift - also great UI and very useful, but also costly
Driftctl - open source, talks directly to the cloud provider APIs, and runs as a standalone tool with no Terraform dependency. It checks the state file against the actual cloud resources rather than against terraform plan output.
The other open source projects have not been touched or updated in a few years.
So I built tfdrift
If you can’t pay for it…build it
I really just needed something simple for my infrastructure.
Concurrent Project Scanning: TFDrift automatically discovers all directories containing *.tf files and processes them in batches. This means you can point it at your entire infrastructure repository and it will intelligently scan everything in parallel.
Multiple Output Formats: Get a clean console table for quick checks, or generate detailed HTML reports with expandable sections showing the full terraform plan output.
CI/CD Ready: Designed to have structured output that integrates well with existing pipelines.
Flexible Configuration: Support for custom backend configurations, different Terraform versions per scan, and verbose logging when you need to debug issues.
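To make the scanning feature list concrete, here is an added example of the core loop, written for this post rather than taken from tfdrift itself: walk a repository for directories that directly contain *.tf files, run terraform plan -detailed-exitcode in each of them on a bounded thread pool, parse the “Plan: X to add, Y to change, Z to destroy” summary, and render a console table plus a CI exit code. It assumes the terraform binary is on PATH and that every project has already been initialised; the sample plan output embedded in it is constructed, and the function names are my own.

```python
# Added example, not tfdrift's own code: a minimal parallel drift scanner.
# Assumes `terraform` is on PATH and each project directory is already initialised.
import os
import re
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

# Exit codes of `terraform plan -detailed-exitcode`:
# 0 = no changes, 1 = error, 2 = the plan contains changes (drift or code changes).
NO_CHANGES, ERROR, CHANGES = 0, 1, 2

# Matches the summary line terraform prints, e.g. "Plan: 0 to add, 23 to change, 2 to destroy."
SUMMARY_RE = re.compile(
    r"Plan:\s+(?P<add>\d+) to add,\s+(?P<change>\d+) to change,\s+(?P<destroy>\d+) to destroy"
)

# Constructed sample of plan output, used only to exercise the parser.
SAMPLE_PLAN_OUTPUT = """
Terraform will perform the following actions:

  # aws_iam_role_policy.helper will be updated in-place
  ~ resource "aws_iam_role_policy" "helper" {
        id     = "deploy:helper"
      ~ policy = jsonencode(...)
    }

Plan: 0 to add, 23 to change, 2 to destroy.
"""


@dataclass
class ScanResult:
    project: str
    exit_code: int
    to_add: int = 0
    to_change: int = 0
    to_destroy: int = 0
    output: str = ""

    @property
    def drifted(self):
        return self.exit_code == CHANGES


def discover_from_walk(walk_entries, skip_dirs=(".terraform", ".git")):
    """Pick every directory that directly contains a *.tf file out of os.walk-style
    (dirpath, dirnames, filenames) entries. Anything under .terraform/ (module and
    provider cache) or .git/ is ignored so vendored modules are not scanned twice."""
    projects = []
    for dirpath, dirnames, filenames in walk_entries:
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]  # prunes a live os.walk
        parts = dirpath.replace(os.sep, "/").split("/")
        if any(p in skip_dirs for p in parts):
            continue
        if any(f.endswith(".tf") for f in filenames):
            projects.append(dirpath)
    return sorted(projects)


def discover_projects(root):
    return discover_from_walk(os.walk(root))


def parse_plan_summary(output):
    """Return (add, change, destroy) from plan text; (0, 0, 0) when there is no
    summary line, which is what terraform prints for 'No changes.'"""
    m = SUMMARY_RE.search(output)
    if not m:
        return (0, 0, 0)
    return tuple(int(m.group(k)) for k in ("add", "change", "destroy"))


def plan_project(project, terraform="terraform"):
    """Run a non-interactive plan in one project and capture its summary."""
    cmd = [terraform, "plan", "-input=false", "-no-color", "-detailed-exitcode"]
    proc = subprocess.run(cmd, cwd=project, capture_output=True, text=True)
    output = proc.stdout + proc.stderr
    add, change, destroy = parse_plan_summary(output)
    return ScanResult(project, proc.returncode, add, change, destroy, output)


def scan(root, workers=4):
    """Plan every discovered project with a bounded number of concurrent terraform runs."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(plan_project, discover_projects(root)))


def status_label(exit_code):
    return {NO_CHANGES: "clean", CHANGES: "DRIFT"}.get(exit_code, "error")


def render_table(results):
    """Console table: one header row plus one row per project."""
    rows = [f"{'PROJECT':<40} {'STATUS':<7} {'+':>4} {'~':>4} {'-':>4}"]
    for r in results:
        rows.append(
            f"{r.project:<40} {status_label(r.exit_code):<7} "
            f"{r.to_add:>4} {r.to_change:>4} {r.to_destroy:>4}"
        )
    return "\n".join(rows)


def ci_exit_code(results):
    """Non-zero when any project drifted or failed to plan, so the CI job goes red."""
    return 1 if any(r.exit_code != NO_CHANGES for r in results) else 0


if __name__ == "__main__":
    found = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(render_table(found))
    sys.exit(ci_exit_code(found))
```

The worker count is deliberately bounded: each terraform plan refreshes state against the provider APIs, so running every project at once mostly buys you rate-limit errors, which then show up as “error” rows rather than clean results. Pruning .terraform/ matters because the module cache contains *.tf files that are not projects of their own.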
How I Use It
I've integrated TFDrift into our GitLab CI pipeline to run daily drift checks across all our infrastructure projects. The HTML reports give the team a clear view of any drift, and we can quickly identify which projects need attention.
# Daily drift check across all projects
./tfdrift scan --path <full/path/to/infra> --html
# Quick check on a specific environment
./tfdrift scan --path ./environments/production
The tool has already caught several instances of configuration drift that would have caused deployment issues later. Having this visibility into the actual state of our infrastructure has been invaluable.
Open Sourcing it
I basically made the core of tfdrift open source. It is a barebones version of what I use in production but it should give you a decent starting point if you wanted to play with it. The production version I use also includes:
CI/CD error checking to make sure our terraform apply does not happen if there’s drift. (Drift could have happened between merge request approval and apply.)
Integration with Slack so our development channel gets a daily reminder if there is infrastructure drift
Performance optimization to really parallelize the different terraform runs.
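The pre-apply check is the piece I would most want to see, so here is an added example of one way to build it; it is my own illustration for this post, not the production code described above. The idea: keep the plan file that was reviewed in the merge request as a pipeline artifact, re-plan immediately before apply, turn both plans into a set of (resource address, actions) pairs via terraform show -json, and refuse to apply if anything appeared or vanished in between. It assumes terraform is on PATH and the project is initialised; the two plan documents embedded below are constructed, trimmed to the fields used, and the function names are mine.

```python
# Added example, not tfdrift's own code: a pre-apply gate that re-plans right before
# apply and refuses to continue if the change set differs from the approved plan.
# Assumes `terraform` is on PATH, the project is initialised, and the approved plan
# file was kept as a pipeline artifact.
import json
import subprocess
import sys


def plan_change_set(plan_json):
    """Reduce a `terraform show -json <planfile>` document to a set of
    (resource address, actions) pairs, dropping no-op entries."""
    changes = set()
    for rc in plan_json.get("resource_changes", []):
        actions = tuple(rc["change"]["actions"])
        if actions == ("no-op",):
            continue
        changes.add((rc["address"], actions))
    return changes


def plan_diverged(approved_json, current_json):
    """Return (appeared, disappeared): changes the fresh plan contains that were never
    approved, and approved changes that are no longer planned. Both empty = safe."""
    approved = plan_change_set(approved_json)
    current = plan_change_set(current_json)
    return current - approved, approved - current


def format_report(appeared, disappeared):
    lines = []
    for address, actions in sorted(appeared):
        lines.append(f"UNAPPROVED  {address}: {'/'.join(actions)}")
    for address, actions in sorted(disappeared):
        lines.append(f"VANISHED    {address}: {'/'.join(actions)}")
    return "\n".join(lines) if lines else "plan matches approved plan"


def show_plan_json(planfile, project=".", terraform="terraform"):
    proc = subprocess.run([terraform, "show", "-json", planfile],
                          cwd=project, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def gate(approved_planfile, project=".", terraform="terraform", fresh_planfile="fresh.tfplan"):
    """Re-plan now and compare with the approved plan. Returns a process exit code."""
    subprocess.run([terraform, "plan", "-input=false", "-no-color", "-out", fresh_planfile],
                   cwd=project, check=True)
    appeared, disappeared = plan_diverged(
        show_plan_json(approved_planfile, project, terraform),
        show_plan_json(fresh_planfile, project, terraform),
    )
    print(format_report(appeared, disappeared))
    return 0 if not (appeared or disappeared) else 1


# Constructed sample plan documents (the shape `terraform show -json` emits, trimmed
# to the fields used here). The "current" plan picked up an IAM policy edit made in
# the console after the merge request was approved.
APPROVED_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "change": {"actions": ["no-op"]}},
    {"address": "aws_security_group.web", "change": {"actions": ["update"]}},
]}
CURRENT_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "change": {"actions": ["no-op"]}},
    {"address": "aws_security_group.web", "change": {"actions": ["update"]}},
    {"address": "aws_iam_role_policy.helper", "change": {"actions": ["update"]}},
]}


if __name__ == "__main__":
    # Apply job: python gate.py approved.tfplan && terraform apply approved.tfplan
    sys.exit(gate(sys.argv[1] if len(sys.argv) > 1 else "approved.tfplan"))
```

Terraform will itself refuse to apply a saved plan whose state has moved on (“Saved plan is stale”), but that only tells you the apply was blocked; the comparison above tells the team which resource drifted and how, which is the part that turns a red pipeline into a fix.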
Feel free to check it out and have fun with it. It’s written by a lazy yet inspired SRE…lazy and penurious