Terraform drift is what happens when someone clicks in the AWS console, edits an IAM policy directly, or a script modifies a security group — and your Terraform state no longer matches reality. InfraGhost detects it in under 45 seconds across AWS, GCP, and Kubernetes — no scripts, no cron jobs, no babysitting.
Terraform drift is the gap between your code and your cloud. You write aws_security_group rules in HCL, apply them, and call it done. Three days later, a developer opens the AWS console to "quickly" test something. A week after that, an on-call engineer adds a port rule during an incident and forgets to back-port it to Terraform. A month later, a compliance audit finds a 0.0.0.0/0 rule that nobody can explain.
Each one of those changes is drift. Your Terraform says one thing. Your infrastructure is something else. And terraform plan only catches it when you actually run it.
The three most common drift sources — and there are more than three:
terraform plan alone isn't enough
terraform plan is reactive. It catches drift when you run it — which means it catches drift when you're about to apply changes, not when the drift happened. A security group opened to the internet at 2pm on Tuesday won't be caught until the next developer runs a plan on that workspace, which might be Friday afternoon, or next sprint, or never if nobody touches that module.
Three failure modes that plan doesn't cover:
Between plan runs, your infrastructure is in an unknown state. In a 10-person team running one deploy per day, every resource is unverified for 23+ hours. Multiply that across environments.
Staging and dev environments often go weeks without a Terraform run. They accumulate drift silently — different configs, missing tags, stale security rules. When you finally run a plan, the diff is enormous and nobody can explain what changed when.
A 50-resource module takes ~30 seconds to plan. A real infrastructure at 5,000 resources takes 10+ minutes. Running a drift check across all workspaces becomes a CI/CD bottleneck, so teams do it less, which means more drift, which makes the output noisier, which makes teams trust it less.
InfraGhost runs a continuous scan cycle: poll live provider APIs, compare against desired state, surface deltas in real time. No terraform plan required. No state file mutations. No CI/CD pipeline to configure. Connect your cloud account, define your desired state baseline, and InfraGhost starts scanning immediately.
The scan cycle:
InfraGhost calls AWS/GCP/K8s APIs directly to read live resource state, every 45 seconds, across all configured accounts and regions simultaneously.
Desired state can come from your Terraform state file, a config snapshot, or InfraGhost's own baseline capture. The comparison is attribute-level — not just "resource exists" but "does every field match."
Drift events appear in the dashboard in real time. Auto-remediable drift (config changes, tag drift, security group rules) gets fixed immediately. Structural drift (missing resources, IAM mutations) is flagged for human approval.
```json
{
  "event_id": "drift_7f3a2b",
  "detected_at": "2026-05-05T18:42:03Z",
  "resource": {
    "type": "aws_security_group",
    "id": "sg-0a1b2c3d4e5f",
    "name": "prod-web-sg",
    "region": "us-east-1",
    "account": "prod-123456789"
  },
  "drift": {
    "attribute": "ingress_rules",
    "expected": [
      { "from_port": 443, "to_port": 443, "cidr": "10.0.0.0/8" }
    ],
    "actual": [
      { "from_port": 443, "to_port": 443, "cidr": "10.0.0.0/8" },
      { "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0" }
    ],
    "severity": "critical",
    "delta": "unexpected_inbound_rule_added"
  },
  "action": {
    "status": "pending_approval",
    "reason": "security_group_to_public_internet",
    "requires_human_approval": true
  }
}
```
Not all drift is equal. A changed tag gets auto-fixed. A security group opened to 0.0.0.0/0 waits for your approval. InfraGhost applies this distinction automatically based on drift severity, resource type, and your configured approval gates.
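As an added illustration (not InfraGhost's code), here is the attribute-level comparison and severity gate from the scan cycle described above, applied to the security group event shown. The gate policy (only internet-exposing additions wait for approval) and the sample rule sets are assumptions constructed for the example; a real check would read the live rules from the provider API.

```python
import json
from datetime import datetime, timezone

# CIDRs that mean "the whole internet"; a rule added with one of these is gated for approval
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

def _key(rule):
    # Identity of an ingress rule for set comparison (ports + CIDR)
    return (rule["from_port"], rule["to_port"], rule["cidr"])

def classify(added, removed):
    """Map a rule delta to (severity, delta name, needs approval).
    Policy here is an assumption for illustration: internet-exposing additions are
    critical and gated; any other ingress change is high severity but auto-remediable."""
    if any(r["cidr"] in PUBLIC_CIDRS for r in added):
        return "critical", "unexpected_inbound_rule_added", True
    if added:
        return "high", "unexpected_inbound_rule_added", False
    return "high", "expected_inbound_rule_removed", False

def detect_sg_drift(resource, expected, actual, now=None):
    """Attribute-level comparison of a security group's ingress rules.
    Returns None when live state matches the baseline, else a drift event dict."""
    exp = {_key(r): r for r in expected}
    act = {_key(r): r for r in actual}
    added = [act[k] for k in act.keys() - exp.keys()]
    removed = [exp[k] for k in exp.keys() - act.keys()]
    if not added and not removed:
        return None
    severity, delta, gate = classify(added, removed)
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "detected_at": ts,
        "resource": resource,
        "drift": {"attribute": "ingress_rules", "expected": expected, "actual": actual,
                  "severity": severity, "delta": delta},
        "action": {"status": "pending_approval" if gate else "auto_remediated",
                   "reason": "security_group_to_public_internet" if gate else "ingress_rules_within_policy",
                   "requires_human_approval": gate},
    }

# Constructed sample input: the desired baseline and a live read with an extra SSH rule
SAMPLE_RESOURCE = {"type": "aws_security_group", "id": "sg-0a1b2c3d4e5f",
                   "name": "prod-web-sg", "region": "us-east-1", "account": "prod-123456789"}
SAMPLE_EXPECTED = [{"from_port": 443, "to_port": 443, "cidr": "10.0.0.0/8"}]
SAMPLE_ACTUAL = SAMPLE_EXPECTED + [{"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]

if __name__ == "__main__":
    print(json.dumps(detect_sg_drift(SAMPLE_RESOURCE, SAMPLE_EXPECTED, SAMPLE_ACTUAL), indent=2))
```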
No scripts to install. No dummy data. This is InfraGhost running against a live simulated infrastructure — same code, same agent, same 45-second scan cycle.
Open the full dashboard and hit "Trigger Drift" to watch InfraGhost catch and fix a drift event in real time.
| Capability | InfraGhost | Scheduled CI Plans |
|---|---|---|
| Detection latency | 45 seconds | Minutes to hours (depends on schedule) |
| Setup required | Connect cloud account | Write + maintain GitHub Actions / Azure DevOps YAML |
| Scales with infra size | Yes — parallel API polling | Degrades — plan time grows linearly with resource count |
| Works without a PR | Yes — continuous background scan | No — CI only runs when triggered |
| Multi-environment | Yes — all envs scanned simultaneously | Requires separate pipelines per env |
| Auto-remediation | Yes — built-in | No — plan output only, no fix |
| State file changes | No — read-only | Yes — plan can mutate state |
| Cost | $49–399/mo flat | Engineer time to write + maintain pipelines |
Every 45 seconds. The scan cycle is continuous — InfraGhost polls live provider APIs on a fixed interval across all your configured cloud accounts and regions. You can configure the interval (minimum 30 seconds on Team and Scale plans). There's no manual trigger required.
Yes. InfraGhost doesn't require direct access to your Terraform state files or HCL — it compares live infrastructure state against a desired-state baseline, which can be sourced from your Terraform state, a CloudFormation template, or a manual config snapshot. Terragrunt workspaces are supported the same way as standard Terraform. The agent polls provider APIs directly; how you wrote your IaC doesn't matter.
No. InfraGhost is read-only with respect to your Terraform state. It reads live provider APIs to detect drift, but it never runs terraform plan, terraform apply, or touches your .tfstate files. Auto-remediation uses provider API calls directly (e.g., calling AWS APIs to revert a security group rule), not Terraform runs. Your state files are yours.
Depends on the drift type. Low-severity config drift (tag changes, logging settings, minor config values within bounds) is auto-remediated immediately. High-severity drift (security group rules, IAM changes, resource deletion candidates) triggers a Slack/email alert and waits for your approval. You approve or reject in one click from Slack or the dashboard. Every remediation stores a before-snapshot for rollback.
Terraform Cloud's drift detection runs non-actionable refresh-only plans on a schedule. It shows you drift but doesn't fix it. InfraGhost detects and remediates in the same workflow — with approval gates for sensitive changes. InfraGhost also works across Terraform, CloudFormation, and unmanaged infrastructure; Terraform Cloud's detection is scoped to resources in your TFC workspaces. And InfraGhost starts at $49/mo; Terraform Cloud's drift detection requires the Standard Edition.
Yes. InfraGhost supports multi-account and multi-region AWS setups natively. You configure an IAM role per account (or use AWS Organizations-based cross-account role assumption), and InfraGhost scans all configured accounts simultaneously. Drift events are tagged by account, region, and environment. The Team plan covers up to 5 accounts; Scale covers unlimited.
AWS and GCP today, with Kubernetes (EKS, GKE, self-managed) included. Azure is in the roadmap. Within AWS, all major services are covered: EC2, RDS, S3, Lambda, ECS, EKS, IAM, VPC, Route53, CloudFront, ElastiCache, and more. GCP coverage includes Compute Engine, GKE, Cloud SQL, Cloud Storage, IAM, and VPC.
14-day free trial. No card required to start. Live in under 5 minutes — connect your first cloud account, get your first drift scan, see exactly what's out of sync.