Drift Detection
One of the main challenges when managing infrastructure as code is drift.
Drift means that the real-world state of your resources is different than your actual code. This can happen if someone is adding, updating or removing resources manually or with some automation tools outside of your Terraform code. env0 can help you detect those drifts and alert you about them automatically, this is done by setting a scheduled deployment task that ends by examining the terraform plan output.
Previous Support
Although you could configure a scheduled task of drift detection before as well, now we provide additional drift event notifications.
If you would like to set up a drift detection on your environment and get notified if a drift occurred you will need to follow these steps:
- Schedule a drift detection job: In the environment Settings tab, under Drift Detection make sure you add a cron expression based on the interval you would like to check the drift. For example, if you would like to check the drift twice a day at 10AM and at 7PM enter
00 10,19 * * *.
Drift Detection Scheduling
Note that despite being able to configure any cron definition for drift detection, the minimum interval will be 1 hour between checks. Additionally, having checks more frequent than once a day is only available for Business and Enterprise plans.
Also note our scheduler runs once an hour and controlling the exact minute of the run within the hour is impossible.
- Add Slack/Teams Notification: To get notified directly in Slack or Microsoft Teams when a drift has been detected, set up notifications targets & events on your project settings under Notifications.
You can set the following types of events:
- Drift detected - The remote resources have been changed.
- No drift detected - The remote resources are synced with your infrastructure code.
- Drift failed - The task has failed for some reason.
You can read more about notifications here.
When a drift detection job is executed you'll see its status under the Deployments tab :
When drift is identified, or if the drift detection process encounters an issue, environment drift-status will shift to Drifted or Error correspondingly.
These statuses will be accompanied by an informative message that links to the related Drift Detection deployment logs.
It's important to note that performing a new deployment on an environment with drift will reset its status appropriately.
Following a drift occurrence:
Following an error during drift detection:
Understanding Drift Statuses
OK: No drift has been detected; the environment's state matches the defined infrastructure as code (IaC) configuration.Error: An error occurred during the drift detection process.Drifted: Drift has been detected; the environment's state differs from the IaC configuration.Never Run: Drift detection has never been executed for this environment.Disabled: Drift detection is disabled for this environment.
Drift Remediation
Sometimes, you want to make your source-code the source of the truth. In this scenario, you want to help always enforce that the code is applied in your cloud environment. In env0, you can setup a "Scheduled Deployment" to always update your cloud resource regardless of drift using our Scheduling feature.
Auto-Approval & Approval Policies
If you trust your code, regardless of what happens in the cloud, then you'll want to turn on "Approve Plan Automatically" in the Environment Settings tab.
However, if you want some fine-grain control of when a scheduled deployment should be approved - you can use Approval Policies. For example, you can use the approval policy to automatically allow changes if only tags are being updated, or that there are no delete (or destroy) actions taking place.
Suggested Blog Content
Suggested Blog ContentUpdated 17 days ago