What Is Drift?
Drift occurs when the actual state of your infrastructure differs from what Terraform believes is deployed. Common causes:
- Manual changes made via the cloud console
- Changes made by other tools or scripts
- Resources modified by automated processes (auto-scaling, backups)
How Forgecroft Detects Drift
After each apply run completes, Forgecroft extracts drift information from the post-apply plan JSON:
POST /runs/{id}/drift-json
The runner sends the plan JSON, and Forgecroft:
- Extracts drifting resource addresses and attribute names
- Compares against the previous completed apply’s drift snapshot for the workspace
- Flags items as is_new: true if they differ from the previous snapshot
Privacy: Values Are Not Stored
Forgecroft stores only attribute names, not values. For example:
{
  "address": "aws_instance.web",
  "attribute": "instance_type",
  "is_new": true
}
This tells you that instance_type has drifted, but not what the old or new values are. This protects sensitive data in drift records.
Viewing Drift
Drift data is available in the run detail after an apply completes. Compare drift snapshots across apply runs to see what changed and when.
Detected Attributes
In addition to drift, Forgecroft updates workspace.detected_attributes after each plan run with:
- Providers — which cloud providers are used
- Resource types — which resource types are managed
These are available in the OPA policy input for governance rules.
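The following is an added Python example, not Forgecroft's own code (the page does not show how the service walks the plan). It makes concrete the three steps described above: pulling drifting addresses and attribute names out of a post-apply plan JSON without retaining any values, marking records as is_new against the previous apply's snapshot, and collecting the providers and resource types that end up in detected_attributes. It assumes the standard Terraform plan JSON layout (a resource_drift list whose entries carry change.before and change.after maps, and a resource_changes list with provider_name and type); the sample plan is constructed for the example.

```python
"""Drift extraction, snapshot comparison and detected attributes over
Terraform plan JSON.

Added example; not Forgecroft's code. It assumes the `terraform show -json`
plan layout: `resource_drift` entries with `change.before` / `change.after`
maps, and `resource_changes` entries with `provider_name` and `type`.
"""
import json

# Constructed sample plan: an instance whose instance_type and tags were
# changed outside Terraform, plus a bucket with no drift.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_drift": [
        {
            "address": "aws_instance.web",
            "mode": "managed",
            "type": "aws_instance",
            "name": "web",
            "provider_name": "registry.terraform.io/hashicorp/aws",
            "change": {
                "actions": ["update"],
                "before": {"instance_type": "t3.micro",
                           "tags": {"env": "prod"},
                           "ami": "ami-0000"},
                "after": {"instance_type": "t3.large",
                          "tags": {"env": "prod", "owner": "ops"},
                          "ami": "ami-0000"},
            },
        }
    ],
    "resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "provider_name": "registry.terraform.io/hashicorp/aws",
         "change": {"actions": ["no-op"]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "provider_name": "registry.terraform.io/hashicorp/aws",
         "change": {"actions": ["no-op"]}},
    ],
})


def extract_drift(plan_json: str) -> list:
    """Return one record per drifted (address, attribute) pair.

    Only attribute names are kept. Before/after values are dropped on
    purpose so the stored record cannot leak secrets (passwords, keys,
    connection strings) that live in resource attributes.
    """
    plan = json.loads(plan_json)
    records = []
    for res in plan.get("resource_drift", []):
        change = res.get("change", {})
        before = change.get("before") or {}
        after = change.get("after") or {}
        # A resource created or deleted outside Terraform has only one side;
        # every attribute on the existing side then counts as drifted.
        for attr in sorted(set(before) | set(after)):
            if before.get(attr) != after.get(attr):
                records.append({"address": res["address"], "attribute": attr})
    return records


def mark_new(current: list, previous: list) -> list:
    """Flag records absent from the previous apply's snapshot as is_new."""
    seen = {(r["address"], r["attribute"]) for r in previous}
    return [{**r, "is_new": (r["address"], r["attribute"]) not in seen}
            for r in current]


def detected_attributes(plan_json: str) -> dict:
    """Collect provider and resource-type sets from resource_changes."""
    plan = json.loads(plan_json)
    providers, types = set(), set()
    for rc in plan.get("resource_changes", []):
        # provider_name is the fully qualified source address; keep the
        # short provider name ("aws") for policy matching.
        providers.add(rc["provider_name"].rsplit("/", 1)[-1])
        types.add(rc["type"])
    return {"providers": sorted(providers), "resource_types": sorted(types)}


if __name__ == "__main__":
    # Snapshot from the previous apply: instance_type was already drifting.
    previous_snapshot = [{"address": "aws_instance.web",
                          "attribute": "instance_type"}]
    drift = mark_new(extract_drift(SAMPLE_PLAN_JSON), previous_snapshot)
    print(json.dumps(drift, indent=2))
    print(json.dumps(detected_attributes(SAMPLE_PLAN_JSON), indent=2))
```

Running the script prints two records for aws_instance.web (instance_type, already known, with is_new false; tags, newly drifted, with is_new true) and the detected attributes {"providers": ["aws"], "resource_types": ["aws_instance", "aws_s3_bucket"]}. Because the snapshot holds names only, the is_new comparison is also name-based: a value that keeps changing between applies on an attribute that was already drifting is not reported as new.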
Using Drift in Governance
You can write policies that respond to drift:
package forgecroft.policy

deny[msg] {
  input.workspace.detected_attributes.providers[_] == "aws"
  input.plan_changes.destroyed[_].resource_type == "aws_db_instance"
  msg := "Destroying a database instance requires approval"
}
Related API Endpoints
- POST /runs/{id}/drift-json — Submit drift data (runner callback)
- GET /workspaces/{workspaceId}/runs/{runId}/plan-resources — View per-resource changes
- GET /workspaces/{id} — View detected_attributes