
Drift Detection & Reconciliation

Picture Terraform as the architect of your Lego city. Every building, road, and park is carefully planned in the blueprint. But what if someone sneaks in and changes things: adds a new tower, removes a bridge, or repaints a house without updating the blueprint?

That mismatch between Terraform’s state/configuration and the actual infrastructure is called drift. Drift can cause confusion, wasted costs, or even outages. In this chapter, you’ll learn how to detect drift and reconcile it, ensuring your blueprint always matches reality.


What is Drift?

  • Definition: Drift = when infrastructure changes outside Terraform’s control.
  • Causes:
    • Manual edits in cloud consoles.
    • Other automation tools bypassing Terraform.
    • Provider defaults or updates.

Detecting Drift

  • terraform plan: Refreshes the state from the real infrastructure, then compares the desired state (config) with what actually exists.
  • Signs of drift:
    • Plan shows unexpected changes.
    • Resources marked for recreation even though .tf files are unchanged.
  • Example: You manually resized an EC2 instance in the AWS console. terraform plan shows a mismatch in the instance type.

Reconciling Drift

  • Option 1: Update Configs
    • Modify .tf files to match actual infra.
    • Run terraform apply → state aligns with reality.
  • Option 2: Revert Infra
    • Keep configs as source of truth.
    • Run terraform apply → Terraform reverts infra to match configs.
  • Option 3: Import Resources
    • Use terraform import to bring unmanaged resources into state.

Best Practices

  • Treat Terraform configs as the single source of truth.
  • Avoid manual changes in cloud consoles.
  • Run terraform plan regularly to catch drift early.
  • Document reconciliation decisions (update vs revert).
  • Use CI/CD pipelines to enforce Terraform workflows.

Hands‑On Lab / Demo

Lab: Detecting and Reconciling Drift

  1. Provision an EC2 instance with Terraform (t2.micro).
  2. Manually change instance type in AWS console to t2.small.
  3. Run:
    • terraform plan → detects drift (Terraform expects t2.micro).
  4. Reconcile:
    • Option A: Update main.tf to t2.small → run terraform apply.
    • Option B: Keep t2.micro in config → run terraform apply to revert instance.
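The lab's drift check can be automated instead of read off the console. Running `terraform plan -detailed-exitcode -out=plan.tfplan` exits with code 2 when changes are pending, and `terraform show -json plan.tfplan` prints the plan as JSON, whose `resource_drift` list holds every resource Terraform refreshed and found changed outside its control. The Python below is an added example, not part of this page or of Terraform itself; the plan JSON it parses is a constructed, trimmed sample of what that command emits after the manual t2.micro to t2.small resize.

```python
import json

# Constructed sample of `terraform show -json plan.tfplan` output after the lab's
# manual resize in the console; only the fields this script reads are included.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_drift": [{
        "address": "aws_instance.web",
        "type": "aws_instance",
        "change": {
            "actions": ["update"],
            "before": {"instance_type": "t2.micro", "tags": {"Name": "web"}},
            "after": {"instance_type": "t2.small", "tags": {"Name": "web"}},
        },
    }],
    "resource_changes": [{
        "address": "aws_instance.web",
        "change": {"actions": ["update"],
                   "before": {"instance_type": "t2.small"},
                   "after": {"instance_type": "t2.micro"}},
    }],
})


def drifted_attributes(plan_json):
    """Map each drifted address to {attr: (value in state, value in the cloud)}.
    `before` is what the state file recorded, `after` is what refresh found.
    Only top-level attributes are compared; a resource deleted outside
    Terraform is reported with an empty diff (its `after` is null)."""
    report = {}
    for rc in json.loads(plan_json).get("resource_drift", []):
        change = rc["change"]
        before, after = change.get("before") or {}, change.get("after") or {}
        diffs = {k: (before.get(k), after.get(k))
                 for k in sorted(set(before) | set(after))
                 if before.get(k) != after.get(k)}
        if diffs or "delete" in change["actions"]:
            report[rc["address"]] = diffs
    return report


def planned_reverts(plan_json):
    """Addresses that `terraform apply` would push back toward the config
    (Option B above): anything whose planned action is not a no-op."""
    return [rc["address"] for rc in json.loads(plan_json).get("resource_changes", [])
            if rc["change"]["actions"] != ["no-op"]]


if __name__ == "__main__":
    for addr, diffs in drifted_attributes(SAMPLE_PLAN_JSON).items():
        for attr, (was, now) in diffs.items():
            print(f"DRIFT {addr}.{attr}: state={was!r} actual={now!r}")
    print("apply would revert:", planned_reverts(SAMPLE_PLAN_JSON))
```

In a pipeline, a non-empty result from drifted_attributes is the signal to stop and decide between Option A and Option B before anyone runs apply.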

Pro Tips & Best Practices

  • Always run terraform plan before apply.
  • Use drift detection as part of CI/CD pipelines.
  • Avoid “snowflake servers” (resources managed outside Terraform).
  • Use terraform import for manually created resources.
  • Communicate reconciliation decisions with your team.

Summary & Cheatsheet

  • Drift = Mismatch between Terraform state/config and actual infra.
  • Detect with: terraform plan.
  • Reconcile by: Updating configs, reverting infra, or importing resources.
  • Best practice: Keep configs as the single source of truth.

Quick mnemonic: Detect → Decide → Reconcile

The Hackers Notebook

Drift detection and reconciliation are the quality control checks of Terraform. They ensure your infrastructure stays aligned with the blueprint, preventing surprises and outages. By mastering drift management, you’ve gained the ability to keep Terraform honest and reliable.



Updated on Dec 31, 2025