Explaining Terraform Drift
The aim of this page is to explain how Terraform detects and manages drift between the desired state defined in the Terraform code and the actual state of the infrastructure.
- Terraform maintains the state of infrastructure using a state file (never touch that manually!).
- The `refresh` operation updates the state file with the current state of the infrastructure.
- Terraform performs a refresh as part of the `plan` and `apply` operations to detect drift.
- To resolve drift, update your Terraform code or run a `plan` and `apply` operation.
Here is a diagram that visualizes the relationship between refresh, plan, apply, state file, infrastructure, and Terraform code:

Example:
```
Terraform will perform the following actions:

  # module.aws_user_operator.aws_iam_user.acme_operator_user[0] will be created
  + resource "aws_iam_user" "acme_operator_user" {
      + arn           = (known after apply)
      + force_destroy = false
      + id            = (known after apply)
      + name          = "acme-operator"
      + path          = "/"
      + tags          = {
          + "client"           = "com.foobar"
          + "system"           = "acme"
          + "tf_stack"         = "aws_account"
          + "tf_stack_version" = "1.0.0"
        }
      + unique_id     = (known after apply)
    }
```
In summary, Terraform detects and manages drift by performing a refresh operation as part of the plan and apply operations. This allows Terraform to detect any changes that may have been made outside of Terraform and reconcile them with the desired state defined in the code.
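One way to automate the drift check described above, as an added example that is not part of the original page: the script reads the JSON form of a saved plan (`terraform plan -out=tfplan`, then `terraform show -json tfplan`) and separates drift found during refresh (`resource_drift`) from the changes an apply would make (`resource_changes`). The sample plan is constructed, `tfplan` is a placeholder file name, and treating `aws_iam_` resources as review-first is an assumption of this example.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output, trimmed
# to the fields read below. Only the IAM user address comes from the page.
SAMPLE_PLAN = json.loads("""
{
  "resource_drift": [
    {"address": "aws_security_group.example", "type": "aws_security_group",
     "change": {"actions": ["update"]}}
  ],
  "resource_changes": [
    {"address": "module.aws_user_operator.aws_iam_user.acme_operator_user[0]",
     "type": "aws_iam_user", "change": {"actions": ["create"]}},
    {"address": "aws_security_group.example", "type": "aws_security_group",
     "change": {"actions": ["update"]}},
    {"address": "aws_s3_bucket.example", "type": "aws_s3_bucket",
     "change": {"actions": ["no-op"]}}
  ]
}
""")

IGNORED = {"no-op", "read"}         # actions that do not modify infrastructure
SENSITIVE_PREFIXES = ("aws_iam_",)  # assumption: identity resources reviewed first


def _entries(plan, key):
    """Yield (address, type, actions) for entries under `key` with a real change."""
    for rc in plan.get(key) or []:
        actions = rc.get("change", {}).get("actions", [])
        if set(actions) - IGNORED:
            yield rc["address"], rc.get("type", ""), tuple(actions)


def summarize(plan):
    """Separate drift found during refresh from changes an apply would make."""
    drift = list(_entries(plan, "resource_drift"))
    pending = list(_entries(plan, "resource_changes"))
    sensitive = sorted({a for a, t, _ in drift + pending
                        if t.startswith(SENSITIVE_PREFIXES)})
    return {"drift": drift, "pending": pending, "sensitive": sensitive}


if __name__ == "__main__":
    report = summarize(SAMPLE_PLAN)
    for section in ("drift", "pending"):
        for addr, _, actions in report[section]:
            print(f"{section:8}{'/'.join(actions):8}{addr}")
    print("review first:", ", ".join(report["sensitive"]) or "none")
    raise SystemExit(2 if report["drift"] or report["pending"] else 0)
```

Run on a schedule, the non-zero exit code lets a CI job fail as soon as code, state and infrastructure stop agreeing.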