Open Source driftctl Alternatives

Aug 30, 2023 | Terraform

What is driftctl?

driftctl is an OSS CLI tool that enables users to identify Terraform drift as well as unmanaged resources within a cloud environment. It is quite a popular tool and has collected over two thousand stars on GitHub.

Why Would We Want a Replacement?

driftctl’s repository and team were acquired by unicorn startup Snyk towards the end of 2021. While some of its functionality was integrated into Snyk’s IaC offerings, the open source tool has been placed into “maintenance mode” since June 29, 2023. For many, that means it is time to look for an alternative. Specifically, we need the following to be able to replace driftctl:

  • An open source solution that requires read-only access to our cloud environment and Terraform state files.
  • Ability to detect drift in cloud resources already controlled by Terraform.
  • Ability to detect resources outside of Terraform control.

OSS driftctl Alternatives

terraform plan

The terraform CLI inherently detects drift for Terraform managed resources when we run the terraform plan command.

Any resources that have “drifted” in the remote cloud environment will be picked up as unexpected changes in the plan output. Unfortunately, terraform plan is unable to identify resources that are currently unmanaged by Terraform.

Interestingly, many enterprise drift detection offerings from products like Terraform Cloud and Spacelift are running managed, regular terraform plan commands under the hood.

Pros:

  • Natively integrated into the terraform CLI.
  • Out of the box support for all cloud resources that can be managed by Terraform.

Cons:

  • Generally run only when trying to deploy infrastructure changes, which is not an ideal time to discover drift.
  • Blind to cloud resources that are not already managed by Terraform.
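To make the terraform plan approach concrete, the following added example (not code from the original post, driftctl, or any of the tools discussed) reads the JSON rendering of a saved plan and reports what drifted and what Terraform proposes to do about it. It assumes a Terraform 1.x plan produced with terraform plan -out=plan.tfplan and rendered with terraform show -json plan.tfplan, whose document carries a resource_drift array (changes noticed during refresh) alongside resource_changes (actions the plan will take). The sample document embedded below is constructed by hand so the script runs offline.

```python
"""Summarise drift from a `terraform show -json <planfile>` document.

Added example; not part of the original post or of any tool it discusses.
The sample plan JSON below is constructed by hand for offline use.
"""
import json

# Constructed sample: a security group whose ingress rule was widened out of
# band (recorded in resource_drift as an update) and a bucket deleted by hand
# (recorded as a delete). resource_changes shows what plan would do next.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.1",
    "terraform_version": "1.5.0",
    "resource_drift": [
        {
            "address": "aws_security_group.web",
            "mode": "managed", "type": "aws_security_group", "name": "web",
            "change": {
                "actions": ["update"],
                "before": {"name": "web", "ingress": [{"cidr_blocks": ["10.0.0.0/8"], "from_port": 443}]},
                "after": {"name": "web", "ingress": [{"cidr_blocks": ["0.0.0.0/0"], "from_port": 443}]},
            },
        },
        {
            "address": "aws_s3_bucket.logs",
            "mode": "managed", "type": "aws_s3_bucket", "name": "logs",
            "change": {"actions": ["delete"], "before": {"bucket": "example-logs"}, "after": None},
        },
    ],
    "resource_changes": [
        {"address": "aws_security_group.web", "change": {"actions": ["update"]}},
        {"address": "aws_s3_bucket.logs", "change": {"actions": ["create"]}},
        {"address": "aws_iam_role.app", "change": {"actions": ["no-op"]}},
    ],
})


def changed_keys(before, after):
    """Top-level attribute names whose value differs between before and after."""
    before = before or {}
    after = after or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def summarize_drift(plan_json):
    """Return {address: {"actions": [...], "changed": [...]}} for each drifted resource."""
    plan = json.loads(plan_json)
    drift = {}
    for entry in plan.get("resource_drift", []):
        change = entry["change"]
        drift[entry["address"]] = {
            "actions": change["actions"],
            "changed": changed_keys(change.get("before"), change.get("after")),
        }
    return drift


def planned_fixes(plan_json):
    """Map each drifted address to the action plan proposes to restore the configured state."""
    plan = json.loads(plan_json)
    drifted = {e["address"] for e in plan.get("resource_drift", [])}
    return {
        rc["address"]: rc["change"]["actions"]
        for rc in plan.get("resource_changes", [])
        if rc["address"] in drifted and rc["change"]["actions"] != ["no-op"]
    }


if __name__ == "__main__":
    fixes = planned_fixes(SAMPLE_PLAN_JSON)
    for address, info in summarize_drift(SAMPLE_PLAN_JSON).items():
        print(f"{address}: drift={info['actions']} changed={info['changed']} "
              f"plan will {fixes.get(address, ['leave as is'])}")
```

Run on a schedule rather than only at deploy time, terraform plan -detailed-exitcode exits 2 when the plan contains changes, which makes it straightforward to alert on drift from a cron job or CI pipeline; the script above then tells you which attributes moved. Anything absent from the state, such as a second bucket created by hand, never appears in either array, which is the gap the remaining tools in this post fill.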

terraformer

terraformer is a popular tool for generating Terraform from existing cloud resources. It supports resources across all major cloud providers and many other smaller Terraform providers.

Originally built by developers at Waze, the repo is now maintained by Google Cloud’s GitHub organization.

Pros:

  • Creates codified versions of an entire cloud subset, including resources that are outside of Terraform control, providing the information needed to match that given by driftctl.

Cons:

  • Requires manual comparison against the current Terraform configuration to determine what has drifted and which resources are not yet controlled by Terraform.
  • Repository is maintained irregularly, with infrequent commits and most issues closed while in “stale” status.
  • Due to a reliance on internal Terraform packages, which were moved to internal/ sub-directories in subsequent releases, terraformer only directly supports Terraform 0.13.
  • Not all cloud resources are supported by the tool.

cloud-concierge

cloud-concierge is an open source container that detects Terraform drift as well as resources outside of Terraform control. Bonus functionality includes:

  1. Codifying the resources outside of Terraform control and creating matching state import blocks/commands.
  2. Identifying the entities that caused drift to occur in the first place, enabling the prevention of future drift through permission restrictions.
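The two bonus features above, and the unmanaged-resource detection that terraformer and cloud-concierge share, come down to one comparison: the set of resource IDs recorded in the Terraform state file against the set the cloud API reports. The following added example (not cloud-concierge's own code, nor from the original post) performs that comparison on a constructed version-4 state file and a constructed cloud inventory, emits Terraform 1.5+ import blocks for whatever is unmanaged, and tallies which principal created the unmanaged resources. It assumes each instance's attributes.id is the value Terraform expects as the import ID, which holds for many but not all resource types, and that the inventory already carries a created_by field of the kind a CloudTrail or audit-log lookup would supply.

```python
"""Find resources outside Terraform control and generate import blocks.

Added example; not cloud-concierge's or driftctl's code. The state file and
the cloud inventory below are constructed by hand so the script runs offline.
"""
import json
import re

# Constructed terraform.tfstate (version 4 layout). Data sources are listed
# too, to show they must be skipped: they never "own" a cloud resource.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "resources": [
        {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
         "instances": [{"attributes": {"id": "example-logs"}}]},
        {"mode": "managed", "type": "aws_iam_role", "name": "app",
         "instances": [{"attributes": {"id": "app-role"}}]},
        {"mode": "data", "type": "aws_caller_identity", "name": "current",
         "instances": [{"attributes": {"id": "123456789012"}}]},
    ],
})

# Constructed cloud inventory: what an API listing would return, plus the
# principal that created each resource (assumed to come from an audit log).
SAMPLE_INVENTORY = [
    {"type": "aws_s3_bucket", "id": "example-logs", "created_by": "ci-deployer"},
    {"type": "aws_s3_bucket", "id": "scratch-bucket-42", "created_by": "alice@example.com"},
    {"type": "aws_iam_role", "id": "app-role", "created_by": "ci-deployer"},
    {"type": "aws_iam_role", "id": "break-glass-admin", "created_by": "alice@example.com"},
]


def managed_ids(state_json):
    """Set of (type, id) for every managed (non-data) instance in the state file."""
    state = json.loads(state_json)
    ids = set()
    for res in state.get("resources", []):
        if res.get("mode") != "managed":
            continue
        for inst in res.get("instances", []):
            # Assumption: attributes.id doubles as the import ID for this type.
            rid = inst.get("attributes", {}).get("id")
            if rid is not None:
                ids.add((res["type"], rid))
    return ids


def unmanaged_resources(state_json, inventory):
    """Inventory entries whose (type, id) is absent from the state file."""
    managed = managed_ids(state_json)
    return [r for r in inventory if (r["type"], r["id"]) not in managed]


def resource_name(raw_id):
    """Turn a cloud ID into a legal Terraform resource name (letters, digits, _ and -)."""
    name = re.sub(r"[^A-Za-z0-9_-]", "_", raw_id)
    if not re.match(r"[A-Za-z_]", name):
        name = "_" + name
    return name


def import_blocks(unmanaged):
    """Render Terraform 1.5+ `import {}` blocks, one per unmanaged resource."""
    blocks = []
    for r in unmanaged:
        blocks.append('import {\n  to = %s.%s\n  id = "%s"\n}'
                      % (r["type"], resource_name(r["id"]), r["id"]))
    return "\n\n".join(blocks)


def actors_outside_terraform(unmanaged):
    """Count unmanaged resources per creating principal; a lead for permission review."""
    counts = {}
    for r in unmanaged:
        counts[r["created_by"]] = counts.get(r["created_by"], 0) + 1
    return counts


if __name__ == "__main__":
    unmanaged = unmanaged_resources(SAMPLE_STATE, SAMPLE_INVENTORY)
    print(import_blocks(unmanaged))
    print(actors_outside_terraform(unmanaged))
```

The generated blocks are only useful next to matching resource definitions, so in practice the output of this step is a review branch that pairs each import block with a codified resource, which is the Pull Request flow described in the pros below. The per-principal tally is what turns a one-off cleanup into prevention: a principal that keeps creating resources by hand is a candidate for narrower write permissions.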

Pros:

  • Directly identifies both drift and resources unmanaged by Terraform for the cloud subset scanned.
  • Output results of codified unmanaged resources directly as a Pull Request, along with matching import blocks.
  • Allows for the prevention of future drift by identifying the cloud actors responsible for drift and for resources created outside of Terraform control.
  • Additional native support for cloud cost analysis and security scanning.

Cons:

  • Not all cloud resources are supported at time of writing.
  • Solution is heavier than the alternatives: it is executed as a container rather than a CLI binary, involves some environment variable configuration, and its ability to output results as a Pull Request requires repository access to be set up.

Conclusion

Other open source options to driftctl exist, including options as Terraform-native as running terraform plan. We are, as maintainers of the project, biased towards cloud-concierge, but from a feature completeness perspective it serves as a full replacement for driftctl’s features and offers more in terms of codification, surfacing root causes of drift, and security and cost analysis.

What did we miss? Any other open source drift tools that we should add to our analysis? Let us know in the comments below!

    dragondrop.cloud’s mission is to automate developer best practices while working with Infrastructure as Code. Our flagship OSS product, cloud-concierge, allows developers to codify their cloud, detect drift, estimate cloud costs and security risks, and more — while delivering the results via a Pull Request. For enterprises running cloud-concierge at scale, we provide a management platform. To learn more, schedule a demo or get started today!
