InfraAudit can ingest Terraform configuration files and compare what they declare against the live state of your connected cloud resources. This catches IaC drift — cases where someone changed a resource directly in the cloud console without updating the Terraform code.

How IaC drift detection works

  1. Upload your Terraform files. Upload a .tf file or a ZIP of multiple .tf files to InfraAudit.
  2. InfraAudit parses the declarations. InfraAudit statically parses the file and extracts declared resource types, names, and configuration attributes.
  3. Resources are matched to live inventory. Each declared resource is matched to a corresponding live resource already discovered by your connected providers.
  4. Attributes are compared. InfraAudit diffs the declared configuration attributes against the live values.
  5. Differences become drift findings. Any attribute that differs between the Terraform declaration and the live resource creates an IaC drift finding.

InfraAudit parses .tf files statically. It does not run terraform plan, connect to your Terraform state backend, or require Terraform to be installed.

Upload Terraform files

  1. Open the IaC section. In the sidebar, click IaC, then click Upload IaC definition.
  2. Select Terraform as the type. Choose Terraform from the type selector.
  3. Upload the file. Upload your .tf file or a ZIP containing multiple .tf files. Optionally add a name like main/vpc for easy identification.
  4. Review results. Click Upload. InfraAudit parses the file and immediately runs a drift comparison. Results appear in the IaC list.

View IaC drift results

After uploading, click the definition in the IaC list. Each uploaded definition shows:
  • Upload timestamp and parse status (success, or parse error with line details)
  • Number of resources declared in the file
  • Number of resources successfully matched to live inventory
  • Number of IaC drift findings
Click a definition to see the drift detail — a table of declared versus live values for each drifted attribute.

Supported resource types

InfraAudit matches Terraform resources to live inventory by type and identifier:
Terraform resource type    Matched on
-------------------------  -------------------------
aws_instance               Instance ID or name tag
aws_s3_bucket              Bucket name
aws_db_instance            DB identifier
aws_lambda_function        Function name
aws_security_group         Security group ID
google_compute_instance    Instance name
azurerm_virtual_machine    VM name
Resources that cannot be matched to a live resource are shown as unmatched and do not produce drift findings.

CI/CD integration

Run IaC drift detection automatically in your Terraform deployment pipeline to catch drift before it causes problems:
# GitHub Actions example
- name: Check IaC drift
  run: |
    infraudit iac upload --provider terraform --file main.tf --wait
    DRIFT_COUNT=$(infraudit iac drift list -o json | jq length)
    if [ "$DRIFT_COUNT" -gt 0 ]; then
      echo "IaC drift detected: $DRIFT_COUNT findings"
      infraudit iac drift list
      exit 1
    fi
  env:
    INFRAUDIT_SERVER_URL: ${{ secrets.INFRAUDIT_URL }}
    INFRAUDIT_TOKEN: ${{ secrets.INFRAUDIT_TOKEN }}

Notes

  • Variables and dynamic references in .tf files are resolved where possible (literal values only). Expressions that depend on terraform.tfvars or runtime data are left unresolved and excluded from comparison.
  • Sensitive attributes such as passwords and secrets are redacted in drift reports.
  • For continuous monitoring, upload updated .tf files as part of your CI/CD pipeline after each deployment.
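The pipeline described above (static parse, match by type and identifier, attribute diff, unresolved expressions excluded, sensitive values redacted in the report) as an added, self-contained example. This is not InfraAudit's code and makes no claim about its internals: the HCL subset it parses (top-level resource blocks with one attribute per line, nested blocks skipped), the MATCH_KEYS table, the SENSITIVE list, the UNRESOLVED sentinel and the sample .tf text and live inventory are all this example's own constructed assumptions.

```python
import re
# Assumed mapping (modelled on the page's "matched on" column): Terraform type -> declared identifier
# attribute. Types whose ID is only known after apply (aws_instance, aws_security_group) are omitted.
MATCH_KEYS = {"aws_s3_bucket": "bucket", "aws_db_instance": "identifier",
              "aws_lambda_function": "function_name", "google_compute_instance": "name",
              "azurerm_virtual_machine": "name"}
SENSITIVE = {"password", "master_password", "secret", "token"}  # assumed redaction list
UNRESOLVED = object()  # sentinel: value needs tfvars or runtime data, so it is never compared
_RESOURCE = re.compile(r'^resource\s+"([^"]+)"\s+"([^"]+)"\s*\{$')
_ATTR = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+)$')

def literal(raw):
    """Python value of a literal HCL expression, or UNRESOLVED for anything dynamic."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return UNRESOLVED if "${" in raw else raw[1:-1]  # interpolation needs runtime values
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return UNRESOLVED  # var.*, local.*, data.*, function calls, maps

def parse_tf(text):
    """Statically parse an HCL subset: top-level resource blocks, one attribute per line; nested blocks skipped."""
    resources, current, depth = [], None, 0
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if current is None:
            if m := _RESOURCE.match(s):
                current = {"type": m.group(1), "name": m.group(2), "attrs": {}, "unresolved": []}
                depth = 1
        elif s.endswith("{"):  # nested block (e.g. tags = {): descend and ignore its contents
            depth += 1
        elif s == "}":
            depth -= 1
            if depth == 0:
                resources.append(current)
                current = None
        elif depth == 1 and (a := _ATTR.match(s)):
            value = literal(a.group(2).strip())
            if value is UNRESOLVED:
                current["unresolved"].append(a.group(1))
            else:
                current["attrs"][a.group(1)] = value
    return resources

def match_live(resource, inventory):
    """Match a declared resource to the live resource of the same type and identifier."""
    ident = resource["attrs"].get(MATCH_KEYS.get(resource["type"], ""))
    return next((r for r in inventory if ident is not None
                 and r["type"] == resource["type"] and r["id"] == ident), None)

def detect_drift(tf_text, inventory):
    """Return (findings, unmatched). Unresolved attributes are excluded from the comparison."""
    findings, unmatched = [], []
    for res in parse_tf(tf_text):
        addr = f'{res["type"]}.{res["name"]}'
        live = match_live(res, inventory)
        if live is None:
            unmatched.append(addr)
            continue
        for key, declared in res["attrs"].items():
            actual = live["attrs"].get(key)
            if actual != declared:
                hide = key in SENSITIVE  # still compared; only the report is redacted
                findings.append({"resource": addr, "attribute": key,
                                 "declared": "<redacted>" if hide else declared,
                                 "live": "<redacted>" if hide else actual})
    return findings, unmatched

# Constructed sample .tf input; the master_password literal is a placeholder present only to exercise redaction.
SAMPLE_TF = """resource "aws_s3_bucket" "logs" {
  bucket = "acme-audit-logs"
  acl    = "private"
  tags = {
    Team = "security"
  }
}
resource "aws_db_instance" "app" {
  identifier          = "app-db"
  publicly_accessible = false
  master_password     = "placeholder-not-a-real-secret"
  kms_key_id          = data.aws_kms_key.db.arn
}
resource "aws_lambda_function" "hook" {
  function_name = "webhook-${var.env}"
}
"""
# Constructed live inventory in the shape a provider discovery step might return.
LIVE_INVENTORY = [
    {"type": "aws_s3_bucket", "id": "acme-audit-logs",
     "attrs": {"bucket": "acme-audit-logs", "acl": "public-read"}},
    {"type": "aws_db_instance", "id": "app-db", "attrs": {"identifier": "app-db",
     "publicly_accessible": True, "master_password": "rotated-in-console"}},
]

if __name__ == "__main__": print(detect_drift(SAMPLE_TF, LIVE_INVENTORY))
```

Running it yields three findings (the bucket ACL, the database's public exposure, and the redacted master password) and one unmatched resource: the Lambda's function_name is an interpolated string, so it cannot be resolved statically, the resource has no identifier to match on, and it produces no drift findings, which mirrors the page's note on unresolved expressions.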