
Get started on driftctl

How to use driftctl in 3 minutes: a quick tutorial on catching your infrastructure drift

In this quick tutorial, we will use Terraform to create a simple IAM user with a key pair and attach a limited policy to it. We will then make a series of (bad!) manual changes in the AWS console, and finally show how simply running driftctl alerts you to the new drift. Once you've gone through this page, we also recommend visiting this advanced tutorial, where you will learn how to use driftctl in a more realistic environment, with multiple Terraform states and output filtering.

Requirements

We recommend using an AWS account dedicated to testing. 

Create a test AWS environment

Download the example Terraform code and execute it:

    $ git clone git@github.com:cloudskiff/driftctl-quick-aws-tutorial.git
    $ cd driftctl-quick-aws-tutorial

Export your AWS variables (either a profile, as below, or an AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY pair):

    $ export AWS_PROFILE="your-profile"

Initialize the Terraform environment:

    $ terraform init
    [...]

Run Terraform:

    $ terraform apply
    [...]
    Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

Log in to the AWS console, navigate to the IAM tab and confirm that the new IAM user has been created.

Create a manual drift on AWS

For demonstration purposes, let's introduce some major drift away from what the Terraform code declares and intends:

  1. Go to the IAM user details, and deactivate the IAM key

  2. Go to the IAM user details, and create a new IAM access key pair (don't save the details, it's for demo purposes)

  3. Go to the IAM user details, then:

     • Click on "Add permissions"
     • Click on "Attach existing policies directly"
     • Add an IAM policy of your choosing.
     • Click on "review" then "add permissions"
     • Confirm both policies are displayed.

Detect the drift

Confirm that Terraform neither rolls back nor reports the changes we just made manually:

    $ terraform apply
    [...]
    Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Now, using driftctl, execute the following:

    $ driftctl scan
    Scanning AWS on region: us-east-1
    Found unmanaged resources:
        aws_iam_access_key:
            - AKIASBXWQ3AY3RL7B2HG
        aws_iam_policy_attachment:
            - driftctl-demo-dfbvp5-arn:aws:iam::aws:policy/AdministratorAccess

    Found 5 resource(s)
        - 60% coverage
        - 3 covered by IaC
        - 2 not covered by IaC
        - 0 deleted on cloud provider
        - 0/3 drifted from IaC

Voila!

driftctl just reported a set of manual changes that would otherwise have stayed in the dark!
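The scan output can also drive an automated check. The script below is an added example, not part of the original tutorial or the driftctl project: it parses the text output format shown above and fails when an unmanaged resource has an aws_iam_ type. The function names list_unmanaged and iam_gate are hypothetical, and SAMPLE_SCAN is the scan output from this page embedded so the script runs offline.

```shell
#!/bin/sh
# Added example (not driftctl's own code): gate on unmanaged IAM resources
# found in the text output of `driftctl scan`.
# SAMPLE_SCAN reproduces the scan output shown on this page.
SAMPLE_SCAN='Scanning AWS on region: us-east-1
Found unmanaged resources:
    aws_iam_access_key:
        - AKIASBXWQ3AY3RL7B2HG
    aws_iam_policy_attachment:
        - driftctl-demo-dfbvp5-arn:aws:iam::aws:policy/AdministratorAccess

Found 5 resource(s)
    - 60% coverage
    - 3 covered by IaC
    - 2 not covered by IaC
    - 0 deleted on cloud provider
    - 0/3 drifted from IaC'

# list_unmanaged: read scan text on stdin and print one "type<TAB>id" line for
# each resource listed under "Found unmanaged resources:". The section ends at
# the next unindented line, so the summary bullets are never picked up.
list_unmanaged() {
    awk '
        /^Found unmanaged resources:/ { in_section = 1; next }
        /^[^ \t]/                     { in_section = 0 }
        !in_section                   { next }
        /^[ \t]+[a-z0-9_]+:[ \t]*$/   { type = $1; sub(/:$/, "", type); next }
        /^[ \t]+- /                   { id = $0; sub(/^[ \t]+- /, "", id); print type "\t" id }
    '
}

# iam_gate: read scan text on stdin; return 1 and print the offending lines if
# any unmanaged resource type starts with aws_iam_ (access keys, policy
# attachments, ...), otherwise return 0.
iam_gate() {
    hits=$(list_unmanaged | awk -F '\t' '$1 ~ /^aws_iam_/')
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Demo on the embedded sample: lists both IAM findings, then the FAIL line.
printf '%s\n' "$SAMPLE_SCAN" | iam_gate || echo "FAIL: unmanaged IAM resources found"
```

In a pipeline, replace the demo line with `driftctl scan | iam_gate` so the job fails whenever an IAM access key or policy attachment exists outside of Terraform.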

Now that you have a basic understanding of how the CLI works, feel free to visit this advanced tutorial, where you will learn how to use driftctl in a more realistic environment, with multiple Terraform states and output filtering.
