Infrastructure Drift: Why It Happens, How to Detect It, and How QuickInfra Fixes It
Infrastructure drift — the gap between your declared IaC configuration and actual cloud state — is the silent killer of infrastructure reliability. Here's how QuickInfra detects and resolves it.
QuickInfra Team
QuickInfra Cloud Solution
Infrastructure drift happens the moment someone makes a change to a cloud resource outside of the IaC process. An engineer resizes an instance in the AWS console because the on-call situation didn't allow time for a Terraform change. A security team adds a firewall rule directly to fix an incident. An auto-scaling event changes instance counts. Each of these events creates a gap between what your Terraform code says exists and what actually exists.
Why Drift Is a Problem
Drift isn't just a compliance issue — it's an operational reliability issue. When your Terraform configuration doesn't reflect reality, the next terraform apply may produce unexpected changes. Resources Terraform doesn't know about may be deleted. Resources that were manually modified may have their changes reverted.
Drift also undermines the core promise of IaC: if your git repository doesn't represent the actual state of your infrastructure, you can't reliably recreate it from code.
How QuickInfra Detects Drift
QuickInfra runs drift detection on a scheduled basis for all Infrastructure Projects. A drift check runs terraform plan, which refreshes the recorded state against the actual cloud resources, compares the refreshed state with the declared configuration, and identifies any differences. Differences are categorised by type:
- Configuration drift: an attribute of an existing resource changed (instance type, security group rule, tag)
- Missing resource: a resource in state no longer exists in AWS (was deleted outside Terraform)
- Unknown resource: a resource exists in AWS that isn't in state (was created outside Terraform)
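As an added illustration (not QuickInfra's own code), the three categories above can be derived from the JSON that terraform show -json emits for a saved plan: the resource_drift array records state-versus-cloud differences found during refresh (update means an attribute changed, delete means the resource vanished), while "unknown" resources need a separate cloud inventory compared against prior_state. The plan document and the inventory ID set below are constructed sample data.

```python
import json

# Constructed sample of `terraform show -json <planfile>` output (not real data).
PLAN_JSON = json.dumps({
    "resource_drift": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["update"],
                    "before": {"instance_type": "t3.small", "tags": {"env": "prod"}},
                    "after": {"instance_type": "t3.large", "tags": {"env": "prod"}}}},
        {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule",
         "change": {"actions": ["delete"], "before": {"from_port": 22}, "after": None}},
    ],
    "prior_state": {"values": {"root_module": {"resources": [
        {"address": "aws_instance.web", "values": {"id": "i-0aaa"}},
        {"address": "aws_security_group_rule.ssh", "values": {"id": "sgrule-0bbb"}},
    ]}}},
})

# Constructed cloud inventory (e.g. from a describe/list API call); IDs absent
# from Terraform state are resources created outside the IaC process.
CLOUD_IDS = {"i-0aaa", "i-0ccc", "sgrule-0bbb"}


def changed_attributes(before, after):
    """Top-level attributes whose value differs between state and cloud."""
    before, after = before or {}, after or {}
    return sorted(k for k in before.keys() | after.keys()
                  if before.get(k) != after.get(k))


def categorise_drift(plan_json, cloud_ids):
    """Return (category, identifier, changed_attrs) tuples for each drifted resource."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_drift", []):
        change = rc["change"]
        if change["actions"] == ["delete"]:
            # In state, but gone from the cloud: deleted outside Terraform.
            findings.append(("missing", rc["address"], []))
        elif "update" in change["actions"]:
            # Still present, but one or more attributes differ from state.
            attrs = changed_attributes(change["before"], change["after"])
            findings.append(("configuration", rc["address"], attrs))
    resources = plan["prior_state"]["values"]["root_module"]["resources"]
    state_ids = {r["values"].get("id") for r in resources}
    for cid in sorted(cloud_ids - state_ids):
        # In the cloud, but not in state: created outside Terraform.
        findings.append(("unknown", cid, []))
    return findings
```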
Responding to Drift
When drift is detected, QuickInfra presents you with three options for each drifted resource:
Accept the drift (import): The manual change was intentional. Import the current resource into Terraform so its state matches reality, then update your IaC code to match.
Revert the drift: The manual change was unintended. Re-apply the Terraform configuration to restore the resource to its declared state.
Ignore the drift: The change is temporary (e.g., an auto-scaling count change) and should not affect the next apply.
Preventing Drift
The best drift strategy is prevention. QuickInfra supports restricting direct AWS console access for engineers who have QuickInfra project access — all changes should go through the platform. IAM Service Control Policies can enforce this at the org level.
For changes that genuinely need to go through the console (emergency security fixes, incident response), QuickInfra's process is: make the manual change, then update the IaC configuration to reflect it within 24 hours and run a plan to verify alignment.