Drift Cause

🚧

Feature Compatibility

The feature is fully compatible starting from agent version 1.0.1044.
The feature is supported only for OpenTofu, Terragrunt, and Terraform.

Drift refers to the divergence between the actual state of infrastructure and the state defined in configuration files. This can occur when changes are made outside of the Infrastructure as Code (IaC) tool, such as manual updates through a cloud provider's console or automated processes outside of the IaC pipeline.

Drift is risky because it can lead to unexpected behavior, inconsistencies in resource management, and potentially compromise system reliability or security. If not detected and addressed, drift can cause deployments to fail, resulting in costly misconfigurations and possibly leaving systems vulnerable to exploitation. Regular drift analysis is crucial for maintaining infrastructure consistency and ensuring that all changes are tracked and aligned with the defined code.

When resources are managed in env0, identifying the root cause of environment drift is straightforward. Whether a user has modified the state directly, a provider version change has introduced differences, or new code was pushed without being applied—env0 captures these events.

Drift Cause Analysis

Based on the IaC data, env0 will analyze the drift to determine whether it was caused by one or more of the following reasons:

  1. Unmanaged Change

    A resource was changed manually (by a user or API) in the cloud provider's console. Unmanaged changes to infrastructure are risky and not recommended. env0 will check if a change was made to the resource outside of the IaC code. If a change is detected, it will appear here:

    If you have Cloud Compass configured, a ‘More Details’ link will appear. Clicking it will show all the events that occurred within the resource between the last modifying deployment and the drift check deployment. In the events modal, you can view event details related to the changed resource—Event Date, Event Resource, Event Name, and the user who took the action.

    Each event has a link that provides more information directly from the Cloud Provider.


    🚧

    Getting Events

    Currently, retrieving resource events is supported only for AWS and Azure.
    In order to retrieve resource events, you must first set up Cloud Compass in your organization.
    For more information, please refer to the documentation.

  2. Provider Version Change

    A provider's version was changed, causing the drift. This can occur when the infrastructure code doesn’t use static provider versions. env0 will display which provider's version changed, along with the old and new versions.

  3. Module Version Change

    A remote module's version was changed, causing the drift. This can happen when the infrastructure code doesn’t use static module versions. env0 will display which module's version changed, along with the old and new versions.

  4. Variable Change

    One of the environment's inputs in env0 changed, causing the drift. env0 will display who made the change, when it occurred, and the variable's name, scope, old value, and new value. For sensitive variables, the old and new values are not displayed.

  5. Unapplied Commit

    A change was made to the infrastructure code but has not yet been applied. env0 will check if a commit was made to the infrastructure code after the last modifying deployment and show the commit (with a link to it in the VCS provider), along with who made it and when.

    env0 uses globs to make this check more accurate. The default globs are:

    ${TEMPLATE_PATH}/**/*.tf;${TEMPLATE_PATH}/**/*.tofu;${TEMPLATE_PATH}/**/*.hcl;env0.yml;env0.yaml


    where ${TEMPLATE_PATH} is the template’s path.
    These default globs can be overridden by setting the DRIFT_CAUSE_UNAPPLIED_COMMITS_GLOBS environment variable on the environment in env0; its value is a semicolon-delimited list of globs. env0 will also ensure that the environment's revision and the revision at the time of the drift check are the same.

  6. State Modified

    The environment's state was directly modified. env0 will detect a state change and try to find a corresponding remote apply and link to it. If no remote apply is found, a message indicating that the state has changed will appear.
    When a remote apply was detected:

    When no remote apply was detected but the state has changed:
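The Unapplied Commit check above filters commits by a semicolon-delimited glob list. The following is an added illustration, not env0's own code: it parses such a list (the documented default, with ${TEMPLATE_PATH} substituted), matches it against constructed commits, and shows how widening the list as DRIFT_CAUSE_UNAPPLIED_COMMITS_GLOBS allows changes which commits are reported. The `**/` semantics and the commit structure are assumptions.

```python
import re

# Documented env0 default for DRIFT_CAUSE_UNAPPLIED_COMMITS_GLOBS.
DEFAULT_GLOBS = ("${TEMPLATE_PATH}/**/*.tf;${TEMPLATE_PATH}/**/*.tofu;"
                 "${TEMPLATE_PATH}/**/*.hcl;env0.yml;env0.yaml")

# Tokens of a glob: '**/', '**', '*', '?', or a run of literal characters.
_TOKEN = re.compile(r"\*\*/|\*\*|\*|\?|[^*?]+")
_TRANSLATE = {"**/": "(?:.*/)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate one glob into an anchored regex. Assumed semantics (the page
    does not name its glob engine): '**/' matches zero or more directory
    levels; '*' and '?' never cross a '/' boundary."""
    body = "".join(_TRANSLATE.get(t, re.escape(t)) for t in _TOKEN.findall(pattern))
    return re.compile("^" + body + "$")


def parse_globs(spec: str, template_path: str) -> list:
    """Split the semicolon-delimited glob list and substitute ${TEMPLATE_PATH}
    (the template's path within the repository, without a trailing slash)."""
    template_path = template_path.strip("/")
    return [glob_to_regex(g.strip().replace("${TEMPLATE_PATH}", template_path))
            for g in spec.split(";") if g.strip()]


def unapplied_commits(commits: list, globs: list) -> list:
    """Keep only the commits that touched at least one file matched by the
    globs; commits that only change docs or unrelated files are ignored."""
    return [c for c in commits
            if any(p.match(f) for f in c["files"] for p in globs)]


# Constructed sample: commits pushed after the last modifying deployment.
SAMPLE_COMMITS = [
    {"sha": "a1b2c3d", "files": ["envs/prod/main.tf"]},
    {"sha": "e4f5a6b", "files": ["README.md", "docs/diagram.png"]},
    {"sha": "c7d8e9f", "files": ["envs/prod/modules/vpc/main.tf"]},
    {"sha": "0a1b2c3", "files": ["envs/prod/terraform.tfvars"]},
    {"sha": "f0e1d2c", "files": ["env0.yaml"]},
]

if __name__ == "__main__":
    # With the defaults, the .tfvars commit is not reported; widening the
    # list (as DRIFT_CAUSE_UNAPPLIED_COMMITS_GLOBS would) picks it up.
    for spec in (DEFAULT_GLOBS, "${TEMPLATE_PATH}/**/*.tfvars;" + DEFAULT_GLOBS):
        hits = unapplied_commits(SAMPLE_COMMITS, parse_globs(spec, "envs/prod"))
        print(spec.count(";") + 1, "globs ->", [c["sha"] for c in hits])
```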

Using Drift Cause

There are two ways to utilize Drift Cause:

  1. In The Environment Page

    If a drift has been detected in your environment, you will see a collapsible showing the number of issues found and a link to the drift deployment. Opening the collapsible will show a list of the different drift causes env0 checks for, as well as the check's status. These results will appear on the right.

  2. On The Deployment Page

    The ‘Drifts’ tab on a drifted deployment page shows a list of the different drift causes env0 checks for, as well as the check's status. The drift cause check results will appear on the right.

    Below it you will see the changed resources list and what changed. You will also be able to get the resource's events by pressing the ‘Analyze Drift Cause’ button.

🚧

Reasons Drift Cause won’t be able to show events for a resource

There are several reasons why events will not be available:

  • A missing resource ID, which can happen for a number of reasons:
    • An old agent is being used
    • The drift reason is a resource being manually deleted
  • Unsupported provider, as detailed above
  • A user is missing the View Drift Cause permission