DevOps & Security
Infrastructure Drift Detector
Compares declared infrastructure with actual cloud resources and reports drift with severity classification and remediation recommendations. Useful for catching IaC drift before it causes production surprises.
Intended for platform engineers and SREs owning IaC repos, security teams monitoring the configuration attack surface, and DevOps leads preparing for SOC 2 or compliance audits.
In practice, drift is routine: an engineer patches something manually during an incident, a vendor adds managed fields that don't appear in the code, a module is removed from the repo but the live resource lingers. Drift that goes undetected until the next Terraform apply either causes surprise changes or, worse, quietly reveals that the IaC no longer describes reality. A structured detector makes drift visible so teams can decide to reconcile rather than be surprised.
One-Time Purchase
$19.99
# Infrastructure Drift Report — `northbeam-analytics` (AWS us-east-1)
**IaC framework:** Terraform 1.7
**Scope:** full region (us-east-1)
**Resources in code:** 247
**Resources in cloud:** 253
**Drift findings:** 11
<div data-callout="info" data-label="Summary">
Eleven drift findings across 253 cloud resources — **2 high**, **4 medium**, **5 low**. Six resources exist in the cloud with no Terraform reference (likely emergency-patched during last sprint's incident); five Terraform resources show field drift where someone modified the live resource directly. No resource is missing from cloud that exists in code — all declared resources are deployed.
</div>
<div data-stack data-stack-title="Drift summary">
<div data-row data-value="2">HIGH — security or compliance impact</div>
<div data-row data-value="4">MEDIUM — operational drift, no immediate risk</div>
<div data-row data-value="5">LOW — cosmetic or vendor-managed fields</div>
<div data-row data-value="6 / 253">Unmanaged — exist in cloud, not in code</div>
<div data-row data-value="5 / 247">Modified — drift on declared resources</div>
</div>
---
## Findings
| ID | Resource | Drift | Severity |
|---|---|---|---|
| DR-01 | `aws_security_group.api_lb` | Live SG has `0.0.0.0/0:22` ingress rule absent from code | <span data-pill="critical">high</span> |
| DR-02 | `aws_iam_role.lambda_writer` | Live role attached to `AdministratorAccess` policy; code declares `S3WriteOnly` | <span data-pill="critical">high</span> |
| DR-03 | `aws_rds_cluster.payments` | `backup_retention_period` = 7 in code, 14 in cloud (good direction, undocumented change) | <span data-pill="caution">medium</span> |
| DR-04 | `aws_lambda_function.webhook_handler` | `memory_size` = 256 in code, 512 in cloud | <span data-pill="caution">medium</span> |
| DR-05 | `aws_ecs_service.payments_api` | `desired_count` = 3 in code, 6 in cloud | <span data-pill="caution">medium</span> |
| DR-06 | `aws_s3_bucket.exports` | Lifecycle rule absent from code; cloud has 90-day glacier transition | <span data-pill="caution">medium</span> |
| DR-07 | `aws_cloudwatch_log_group.api` | `retention_in_days` = 30 in code, 90 in cloud | <span data-pill="info">low</span> |
| DR-08 | `aws_dynamodb_table.sessions` | `tags["Owner"]` = "platform" in code, "sre" in cloud | <span data-pill="info">low</span> |
| DR-09 | unmanaged | `aws_security_group.debug-2026-04-temp` exists; no Terraform reference | <span data-pill="info">low</span> |
| DR-10 | unmanaged | 4× `aws_cloudwatch_metric_alarm` created via console during the recent incident | <span data-pill="info">low</span> |
| DR-11 | unmanaged | 1× `aws_iam_user.contractor-readonly` created out-of-band | <span data-pill="caution">medium</span> |
---
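The detection and severity classification the findings table reflects, written out as an added example that is not the skill's or the page's own code: a small Python detector run over constructed declared and live inventories. The resource addresses, attribute names and severity rules are assumptions modelled on DR-01, DR-02, DR-08, DR-09 and DR-11; real input would come from parsed `terraform show -json` output and the cloud provider's API.

```python
from collections import Counter
from dataclasses import dataclass
# Constructed sample inputs standing in for parsed `terraform show -json` output
# and a cloud inventory; they mirror findings DR-01, DR-02, DR-08 and DR-09.
DECLARED = {
    "aws_security_group.api_lb": {"ingress": [{"cidr": "10.0.0.0/8", "port": 443}]},
    "aws_iam_role.lambda_writer": {"managed_policy_arns": ["arn:aws:iam::aws:policy/S3WriteOnly"]},
    "aws_dynamodb_table.sessions": {"tags": {"Owner": "platform"}},
}
LIVE = {
    "aws_security_group.api_lb": {"ingress": [{"cidr": "10.0.0.0/8", "port": 443},
                                              {"cidr": "0.0.0.0/0", "port": 22}]},
    "aws_iam_role.lambda_writer": {"managed_policy_arns": ["arn:aws:iam::aws:policy/AdministratorAccess"]},
    "aws_dynamodb_table.sessions": {"tags": {"Owner": "sre"}},
    "aws_security_group.debug-2026-04-temp": {"ingress": []},
}
@dataclass
class Finding:
    resource: str
    kind: str      # "unmanaged", "missing" or "modified"
    field: str     # drifted attribute, or "*" for whole-resource findings
    severity: str  # "high", "medium" or "low"

def severity(resource: str, field: str, live_value) -> str:
    """Assumed rules from the report: public ingress or IAM policy drift is high, tags low."""
    if field == "ingress" and any(r["cidr"] == "0.0.0.0/0" for r in live_value or []):
        return "high"
    if resource.startswith("aws_iam_") and field == "managed_policy_arns":
        return "high"
    return "low" if field == "tags" else "medium"

def detect_drift(declared: dict, live: dict) -> list[Finding]:
    findings = []
    for addr in sorted(set(declared) | set(live)):
        if addr not in declared:
            # Unmanaged: out-of-band IAM principals rate medium (DR-11), the rest low.
            findings.append(Finding(addr, "unmanaged", "*",
                                    "medium" if addr.startswith("aws_iam_") else "low"))
        elif addr not in live:
            # Declared but gone from the cloud: rated high here (assumption; the report had none).
            findings.append(Finding(addr, "missing", "*", "high"))
        else:
            # Only fields the code declares are compared; vendor-managed extras are ignored.
            for field, want in declared[addr].items():
                got = live[addr].get(field)
                if got != want:
                    findings.append(Finding(addr, "modified", field, severity(addr, field, got)))
    return findings

def summarize(findings: list[Finding]) -> Counter:
    return Counter(f.severity for f in findings)
```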
<div data-callout="critical" data-label="DR-01 and DR-02 — fix this week">
**DR-01** exposes SSH (`:22`) to the public internet from the API load balancer security group. This was almost certainly added during the last sprint's incident; it should never have stayed. Remove the rule via the console **before** writing anything back into Terraform, then `terraform import` to re-establish state.
**DR-02** is a privilege escalation: the live IAM role grants `AdministratorAccess`, which the code never declared. Confirm with the platform on-call who attached it; if no one owns the change, detach via console immediately and reconcile.
</div>
<div data-callout="caution" data-label="Reconciliation playbook">
For each finding:
1. **Confirm intent.** Is the cloud or the code correct?
2. If code is correct → revert the cloud change (`terraform apply` will do this for declared resources).
3. If cloud is correct → update the `.tf` file to match, then `terraform plan` should show no changes.
4. For unmanaged resources (DR-09 to DR-11) → either `terraform import` into state, or delete from cloud.
</div>
<div data-callout="info" data-label="Why drift happens here">
DR-04, DR-05, and DR-07 are scale-up changes that happened during normal operations and were never written back. Recommend adding a **post-incident drift check** to the runbook — any console change touched during an incident gets a follow-up ticket to either codify or revert within 5 business days.
</div>
*Run this detector on a daily cron against staging and weekly against production. Drift accumulates faster than humans notice it.*
This sample illustrates the skill's output format. Names, metrics, and operational details are illustrative unless the artifact explicitly analyzes public information.
All sales final. No refunds on digital products.
Includes support for Claude Code, Codex, OpenClaw, and Google Antigravity in the same license.
Bundle price: $55. Compare this skill with the full workflow bundle or Pro access.
Best for
Platform engineers and SREs maintaining a Terraform, Pulumi, or CloudFormation repo where the IaC is supposed to be the source of truth but reality has been quietly diverging — an engineer patched something during an incident, a managed field appeared in the provider, a resource was removed from code but lingers live. Especially valuable as input to SOC 2 evidence of configuration management.
Not ideal for
Environments that aren’t IaC-managed in the first place — the skill compares declared state to actual state and needs both. Also a poor fit for early-stage projects where drift is expected because the team is still discovering the right baseline and ‘reconcile to code’ would just churn.
Included in this purchase
- Claude Code, Codex, OpenClaw, and Google Antigravity skill files.
- Setup guidance for the right adapter in your workspace.
- One-time license for the purchased skill version.
Setup
Plan for a short setup in the repository or workspace where the skill will run. Some coding familiarity helps for implementation-heavy outputs.
Future Updates
This purchase includes the current version of the skill. If you want future adapter updates — meaning compatibility and packaging updates as supported platforms evolve — plus new catalog additions included automatically, upgrade to Pro.