Drift Detection

Detect when your real infrastructure has drifted from your configuration. Oxid compares the desired state in your .tf files against the actual state of each resource.

Usage

oxid drift [flags]

The drift command refreshes the state of all managed resources by querying each provider, then compares the live state against your .tf configuration. Any differences are reported as drift.

Example Output

$ oxid drift

Checking 24 resources for drift...

Drift detected in 3 resources:

  ~ aws_security_group.web
      ingress: rule added out-of-band
        + {from_port: 8080, to_port: 8080, protocol: "tcp", cidr_blocks: ["0.0.0.0/0"]}

  ~ aws_instance.api
      instance_type: "t3.medium" (config) vs "t3.large" (actual)
      tags.ManagedBy: not in config, found "manual" in actual

  - aws_s3_bucket.temp
      Resource exists in state but not in configuration (removed from .tf files)

3 resources have drifted. Run 'oxid plan' to see the full remediation plan.

Types of Drift

Changed resources (~)

Attributes differ between your configuration and the real infrastructure. This happens when someone modifies a resource outside of Oxid (e.g., through the cloud console, another tool, or a script).

Added resources (+)

Resources exist in the real infrastructure but are not in your configuration or state. These are resources created outside of Oxid that match your provider configuration.

Removed resources (-)

Resources exist in state or configuration but no longer exist in the real infrastructure. Someone deleted the resource outside of Oxid.

Flags

Flag           Description                                                          Default
--no-refresh   Skip refreshing state from providers. Compare config against the     false
               last known state instead of the live state.
--json         Output drift report in JSON format.                                  false

How It Works

Drift detection follows this sequence:

  1. Refresh - Oxid calls ReadResource on each provider to get the current state of every managed resource.
  2. Compare - The refreshed state is compared against the desired configuration in your .tf files.
  3. Report - Any differences are displayed with the specific attributes that differ.

Note: Drift detection does not modify any infrastructure or state. It is a read-only operation.
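To make the three drift types and the compare step concrete, here is an added example in Python; it is not part of Oxid. It models the desired configuration (what the .tf files declare) and the refreshed live state (what the provider returned, plus any unmanaged resource it discovered) as plain dictionaries, then classifies each resource as ~, + or - the way the report above does. The resource addresses and attribute values are constructed, and treating list attributes such as ingress rules as unordered sets (so an added rule is reported on its own rather than as an index shift) is an assumption about how Oxid diffs lists.

```python
# Added example, not Oxid's own code: a minimal model of the compare step.
# DESIRED stands for what the .tf files declare; ACTUAL for what the provider
# refresh (ReadResource) returned plus unmanaged resources it discovered.
# All addresses and attribute values below are constructed for illustration.

RULE_HTTPS = {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["10.0.0.0/8"]}
RULE_8080 = {"from_port": 8080, "to_port": 8080, "protocol": "tcp",
             "cidr_blocks": ["0.0.0.0/0"]}

DESIRED = {
    "aws_instance.api": {"instance_type": "t3.medium", "tags": {"Name": "api"}},
    "aws_security_group.web": {"ingress": [RULE_HTTPS]},
    "aws_s3_bucket.logs": {"bucket": "example-logs"},      # deleted out-of-band
}

ACTUAL = {
    "aws_instance.api": {"instance_type": "t3.large",
                         "tags": {"Name": "api", "ManagedBy": "manual"}},
    "aws_security_group.web": {"ingress": [RULE_HTTPS, RULE_8080]},
    "aws_s3_bucket.scratch": {"bucket": "example-scratch"},  # created out-of-band
}


def diff_attributes(desired, actual, prefix=""):
    """Return (path, kind, desired_value, actual_value) tuples for one resource.

    Dicts are walked key by key; lists (e.g. ingress rules) are compared as
    unordered sets of elements (assumption); scalars are compared directly.
    """
    changes = []
    if isinstance(desired, dict) and isinstance(actual, dict):
        for key in sorted(set(desired) | set(actual)):
            path = f"{prefix}{key}"
            if key not in desired:
                changes.append((path, "only_in_actual", None, actual[key]))
            elif key not in actual:
                changes.append((path, "only_in_config", desired[key], None))
            else:
                changes.extend(diff_attributes(desired[key], actual[key], path + "."))
    elif isinstance(desired, list) and isinstance(actual, list):
        path = prefix.rstrip(".")
        for item in actual:
            if item not in desired:
                changes.append((path, "element_added", None, item))
        for item in desired:
            if item not in actual:
                changes.append((path, "element_removed", item, None))
    elif desired != actual:
        changes.append((prefix.rstrip("."), "changed", desired, actual))
    return changes


def detect_drift(desired, actual):
    """Classify every resource address as '~' changed, '+' added or '-' removed."""
    report = {}
    for addr in sorted(set(desired) | set(actual)):
        if addr not in actual:
            report[addr] = {"kind": "-", "changes": []}   # gone from real infra
        elif addr not in desired:
            report[addr] = {"kind": "+", "changes": []}   # exists, but unmanaged
        else:
            changes = diff_attributes(desired[addr], actual[addr])
            if changes:
                report[addr] = {"kind": "~", "changes": changes}
    return report


def format_report(report):
    """Render the classification in the same shape as the CLI output above."""
    if not report:
        return "No drift detected."
    lines = [f"Drift detected in {len(report)} resources:"]
    for addr, entry in report.items():
        lines.append(f"  {entry['kind']} {addr}")
        for path, kind, want, got in entry["changes"]:
            if kind == "changed":
                lines.append(f"      {path}: {want!r} (config) vs {got!r} (actual)")
            elif kind == "only_in_actual":
                lines.append(f"      {path}: not in config, found {got!r} in actual")
            elif kind == "only_in_config":
                lines.append(f"      {path}: {want!r} in config, missing in actual")
            elif kind == "element_added":
                lines.append(f"      {path}: element added out-of-band {got!r}")
            else:
                lines.append(f"      {path}: element removed out-of-band {want!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(detect_drift(DESIRED, ACTUAL)))
```

Running the module prints four drifted resources: the instance and security group as ~ with their attribute-level differences, the scratch bucket as + and the logs bucket as -. The same comparison run against identical inputs yields an empty report, which is the read-only "no drift" case.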

Remediation

After detecting drift, you have two options:

Option 1: Apply to fix drift

Run oxid apply to bring infrastructure back in line with your configuration:

oxid drift        # Detect drift
oxid plan         # See the full remediation plan
oxid apply        # Fix the drift

Option 2: Update config to match reality

If the out-of-band change was intentional, update your .tf files to match the actual state:

# Update main.tf to reflect the actual instance type
# Then verify no drift remains:
oxid drift

CI/CD Integration

Run drift detection on a schedule to catch unauthorized changes:

# Scheduled CI job (e.g., daily)
oxid init
oxid drift --json > drift-report.json

# Alert if drift detected
if [ "$(jq '.drifted_count // 0' drift-report.json)" -gt 0 ]; then
  echo "Drift detected!" | slack-notify
fi

Tip: Combining drift detection with resource change history gives you a complete audit trail of when infrastructure diverged from configuration.
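A scheduled job that alerts on every non-zero drifted_count treats a changed tag and a security group opened to the world the same way. The following added example (not Oxid's own code) shows one way to rank the JSON report by risk before notifying. The docs only define the drifted_count field of the --json output; the resources array and its address, kind, changes, attribute, change, config and actual fields are an assumed schema, shaped after the text report above, and the sample report is constructed.

```python
# Added example, not Oxid's own code: triage of an `oxid drift --json` report
# in a scheduled CI job. Only `drifted_count` is documented; every other field
# read here is an ASSUMED schema modelled on the text output in the docs.
import json
import sys

# Constructed report mirroring the three drifted resources in the example output.
SAMPLE_REPORT = json.dumps({
    "drifted_count": 3,
    "resources": [
        {"address": "aws_security_group.web", "kind": "~",
         "changes": [{"attribute": "ingress", "change": "element_added",
                      "actual": {"from_port": 8080, "to_port": 8080,
                                 "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}}]},
        {"address": "aws_instance.api", "kind": "~",
         "changes": [{"attribute": "instance_type", "change": "changed",
                      "config": "t3.medium", "actual": "t3.large"},
                     {"attribute": "tags.ManagedBy", "change": "only_in_actual",
                      "actual": "manual"}]},
        {"address": "aws_s3_bucket.temp", "kind": "-", "changes": []},
    ],
})

# Source ranges that mean "reachable from anywhere"; drift that adds one of
# these to an ingress rule is the case worth paging on.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
RANK = {"high": 0, "medium": 1}


def severity(resource):
    """Rank one drifted resource: 'high' for exposure or loss, else 'medium'."""
    if resource["kind"] == "-":
        return "high"      # a managed resource has disappeared
    if resource["kind"] == "+":
        return "medium"    # an unmanaged resource was discovered
    for change in resource["changes"]:
        if (change["attribute"].startswith("ingress")
                and change["change"] == "element_added"):
            cidrs = set(change["actual"].get("cidr_blocks", []))
            if cidrs & WORLD_CIDRS:
                return "high"   # out-of-band rule open to the world
    return "medium"


def triage(report_json):
    """Return (exit_code, summary lines): 2 if any high, 1 if only medium, 0 clean."""
    report = json.loads(report_json)
    if report.get("drifted_count", 0) == 0:
        return 0, ["No drift detected."]
    ranked = sorted(((severity(r), r["address"]) for r in report["resources"]),
                    key=lambda pair: RANK[pair[0]])
    lines = [f"[{sev.upper()}] {addr}" for sev, addr in ranked]
    code = 2 if ranked[0][0] == "high" else 1
    return code, lines


if __name__ == "__main__":
    # Usage in the CI job: python triage_drift.py drift-report.json
    # (the script name is hypothetical). Exit status drives the alert step.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    exit_code, summary = triage(data)
    print("\n".join(summary))
    sys.exit(exit_code)
```

The exit status lets the job distinguish "page someone now" (2) from "open a ticket" (1) without parsing the output again; the high-severity lines are listed first so the notification leads with the security group and the removed bucket.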