📦 Infrastructure Drift Detector
v1.0.0. Detect drift between Infrastructure-as-Code definitions (Terraform, Pulumi, CloudFormation, CDK) and actual deployed state. Identify untracked resources, man...
Infrastructure Drift 检测or
Detect when your deployed infrastructure has drifted from its IaC definitions. Finds manual changes, untracked resources, stale state, and configuration mismatches across Terraform, Pulumi, CloudFormation, and CDK.
Use when: "check for drift", "has anything changed outside terraform", "infrastructure audit", "find manual cloud changes", "state vs reality", "drift report", or before IaC refactors to ensure the state file is accurate.
Commands
- detect — Full Drift Analysis
Step 2: Terraform Drift Detection
If Terraform is detected:
```bash
# Refresh state without applying (safe: nothing is changed in the cloud or written to state)
terraform plan -refresh-only -detailed-exitcode 2>&1
# Exit code 0 = no drift, 1 = error, 2 = drift detected

# List all resources in state
terraform state list 2>&1

# Show the detailed plan for any drifted resources
# (without -refresh-only this also includes pending config changes, not only drift)
terraform plan -no-color 2>&1 | head -500
```
Parse the plan output and categorize drift:

| Category | Description | Risk |
|---|---|---|
| Attribute drift | A value changed outside TF (e.g., security group rule added manually) | High |
| Resource missing | State says it exists, but it's been deleted | Critical |
| Untracked resource | Exists in cloud but not in any .tf file | Medium |
| State stale | State file hasn't been refreshed in >30 days | Low |

Step 3: Pulumi Drift Detection
If Pulumi is detected:
```bash
# Preview to detect drift (refreshes state from the cloud first, then diffs against the program)
pulumi preview --diff --refresh 2>&1

# Export current state and list the resources it tracks
pulumi stack export 2>&1 | python3 -c "
import json, sys
state = json.load(sys.stdin)
resources = state.get('deployment', {}).get('resources', [])
print(f'Total resources in state: {len(resources)}')
for r in resources:
    print(f'  {r.get(\"type\", \"?\")} :: {r.get(\"urn\", \"?\").split(\"::\")[-1]}')
"
```
Step 4: CloudFormation Drift Detection
```bash
# List the stacks to check (only healthy, deployed stacks)
aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE | \
python3 -c "
import json, sys
stacks = json.load(sys.stdin)['StackSummaries']
for s in stacks:
    print(s['StackName'])
"

# For each stack, trigger drift detection (asynchronous; returns a detection id)
aws cloudformation detect-stack-drift --stack-name <stack-name>

# Wait until DetectionStatus is DETECTION_COMPLETE, then read the results
aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-id <detection-id>
aws cloudformation describe-stack-resource-drifts --stack-name <stack-name> \
  --stack-resource-drift-status-filters MODIFIED DELETED
```
Note that CloudFormation only reports drift for resource types that support drift detection; resources it cannot check are listed with status NOT_CHECKED, not as clean.
Step 5: Cross-Tool Analysis
Regardless of IaC tool, also check:
```bash
# Recent cloud changes (AWS example — last 24h); only write (non-read-only) API calls
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=ReadOnly,AttributeValue=false \
  --start-time $(date -d '24 hours ago' -u +%Y-%m-%dT%H:%M:%SZ) \
  --max-results 50 2>&1

# Find resources not in any .tf/.yaml IaC file:
# list every resource type declared in Terraform config, to compare against a cloud inventory
grep -rh --include='*.tf' 'resource "' . 2>/dev/null | sed 's/.*resource "//;s/".*//' | sort -u
```
Step 6: Generate Report
Produce a structured drift report:
```markdown
# Infrastructure Drift Report — [date]

Summary
- Tool: Terraform/Pulumi/CloudFormation
- Total managed resources: N
- Drifted resources: N (X critical, Y high, Z medium)
- Untracked resources: N
- Last state refresh: [date]

Critical Drift (fix immediately)
- [resource]: [what changed] — Risk: manual security group change bypasses review

High-Risk Drift (fix this sprint)
- [resource]: [attribute changed from X to Y]

Recommended Actions
- Import untracked resources: `terraform import <resource-address> <id>` (or an `import` block on Terraform 1.5+)
- Refresh state: `terraform apply -refresh-only`
- Add lifecycle rules for expected drift: `ignore_changes = [tags]`
- Set up drift detection in CI: scheduled `terraform plan -detailed-exitcode`
```
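The following script is an added example, not part of the skill's own code. It turns Step 2's Terraform plan into the categories of the table above and renders the report template, and it also performs the Step 5 config-vs-state comparison (state entries declared in no .tf file). It assumes the plan was saved and converted with `terraform plan -refresh-only -detailed-exitcode -out=drift.tfplan` followed by `terraform show -json drift.tfplan > drift.json`, and reads the `resource_drift` array that Terraform 1.1+ populates with changes found during refresh. `SAMPLE_PLAN`, `SAMPLE_TF` and `SAMPLE_STATE` are constructed inputs; the severity mapping and the regex of security-relevant resource types are this example's own assumptions, following the "alert immediately" thresholds in the monitor section.

```python
"""Categorize Terraform drift from `terraform show -json` output and render a report.

Added example (not the skill's own code). Reads the `resource_drift` array of a
plan exported with `terraform show -json drift.tfplan`. Sample data below is
constructed; severity rules and SECURITY_TYPES are assumptions of this example.
"""
import json
import re
import sys
from collections import Counter

# Assumption: resource types whose drift should page someone immediately.
SECURITY_TYPES = re.compile(
    r"^aws_(security_group|iam_|network_acl|route|vpc|subnet|nat_gateway|internet_gateway)")
# Matches `resource "aws_instance" "app" {` lines in .tf source (root module only).
DECLARED_RE = re.compile(r'^\s*resource\s+"([\w-]+)"\s+"([\w-]+)"', re.MULTILINE)
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2}

# Constructed sample: a manual security-group edit, a deleted bucket, a tag change.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_drift": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"],
                    "before": {"name": "web", "tags": {"env": "prod"},
                               "ingress": [{"from_port": 443, "to_port": 443,
                                            "cidr_blocks": ["10.0.0.0/8"]}]},
                    "after": {"name": "web", "tags": {"env": "prod"},
                              "ingress": [{"from_port": 443, "to_port": 443,
                                           "cidr_blocks": ["10.0.0.0/8"]},
                                          {"from_port": 22, "to_port": 22,
                                           "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "before": {"bucket": "example-logs"}, "after": None}},
        {"address": "aws_instance.app", "type": "aws_instance",
         "change": {"actions": ["update"], "before": {"tags": {"owner": "team-a"}},
                    "after": {"tags": {"owner": "team-b"}}}},
    ],
}
SAMPLE_TF = ('resource "aws_instance" "app" {}\nresource "aws_security_group" "web" {}\n'
             'resource "aws_s3_bucket" "logs" {}\n')
# Constructed stand-in for `terraform state list`; aws_s3_bucket.old is declared nowhere.
SAMPLE_STATE = ["aws_instance.app", "aws_security_group.web", "aws_s3_bucket.logs", "aws_s3_bucket.old"]


def changed_attributes(before, after):
    """Top-level attribute keys whose value differs between before and after."""
    before, after = before or {}, after or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def categorize_drift(plan):
    """Map each resource_drift entry to the report's category and severity."""
    findings = []
    for r in plan.get("resource_drift", []):
        change, actions = r["change"], r["change"]["actions"]
        if "delete" in actions:            # object is gone from the cloud
            kind, severity, attrs = "resource missing", "Critical", []
        elif "update" in actions:          # a value changed outside Terraform
            kind, severity = "attribute drift", "High"
            attrs = changed_attributes(change.get("before"), change.get("after"))
        else:
            kind, severity, attrs = "other", "Medium", []
        findings.append({"address": r["address"], "type": r["type"], "kind": kind,
                         "severity": severity, "attributes": attrs,
                         "security_relevant": bool(SECURITY_TYPES.match(r["type"]))})
    # Worst first; security-relevant resources ahead of others at equal severity.
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]],
                                           not f["security_relevant"], f["address"]))


def orphaned_addresses(state_addresses, tf_sources):
    """State addresses declared in no .tf source; index suffixes like [0] are ignored."""
    declared = {f"{t}.{n}" for src in tf_sources for t, n in DECLARED_RE.findall(src)}
    return sorted(a for a in state_addresses if a.split("[")[0] not in declared)


def render_report(findings, orphans, date="[date]"):
    """Render findings in the structure of the report template above."""
    counts = Counter(f["severity"] for f in findings)
    lines = [f"# Infrastructure Drift Report - {date}", "", "Summary",
             f"- Drifted resources: {len(findings)} ({counts['Critical']} critical, "
             f"{counts['High']} high, {counts['Medium']} medium)",
             f"- Orphaned state entries (in state, not in config): {len(orphans)}", ""]
    for severity, heading in (("Critical", "Critical Drift (fix immediately)"),
                              ("High", "High-Risk Drift (fix this sprint)"),
                              ("Medium", "Medium Drift")):
        sel = [f for f in findings if f["severity"] == severity]
        if sel:
            lines += [heading] + [
                f"- {f['address']}: {f['kind']}"
                + (f" in {', '.join(f['attributes'])}" if f["attributes"] else "")
                + (" (security-relevant: alert immediately)" if f["security_relevant"] else "")
                for f in sel] + [""]
    lines += ["Orphaned state entries"] + [f"- {a}" for a in orphans]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: terraform state list | python3 drift_report.py drift.json *.tf
    # With no arguments the constructed sample data is used instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
        sources = [open(p).read() for p in sys.argv[2:]]
        state = sys.stdin.read().split()
    else:
        plan, sources, state = SAMPLE_PLAN, [SAMPLE_TF], SAMPLE_STATE
    print(render_report(categorize_drift(plan), orphaned_addresses(state, sources)))
```

The orphan check answers only "what is in state but no longer in config"; the reverse question in the table, resources that exist in the cloud but in no .tf file, needs a cloud-side inventory (for example the CloudTrail query in Step 5 or a resource-tagging export), which the plan JSON cannot provide.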
- monitor — Set Up Continuous Drift Detection
Create a CI job or cron that runs drift detection on a schedule:
```yaml
# GitHub Actions example
name: Drift Detection
on:
  schedule:
    - cron: '0 6 * * 1-5'   # Weekday mornings (UTC)
jobs:
  detect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
      - id: plan
        run: terraform plan -refresh-only -detailed-exitcode
        continue-on-error: true
      - if: steps.plan.outcome == 'failure'
        run: echo "::warning::Infrastructure drift detected!"
```
The job needs credentials for the state backend and the provider (prefer short-lived OIDC role assumption over stored keys). Because exit code 1 (plan error) also marks the step as failed, capture the exit code in the run step if you need to distinguish errors from real drift (exit code 2).

Recommend monitoring thresholds:
- Alert immediately: Security group, IAM, or network changes
- Alert daily: Any resource attribute drift
- Weekly review: Untracked resources, state staleness
- reconcile — Generate Fix Plan
For each drifted resource, suggest one of:
- Accept drift — update IaC to match reality (`terraform import`, update the .tf)
- Revert drift — apply IaC to restore the intended state (`terraform apply -target=<resource-address>`)
- Ignore drift — add `lifecycle { ignore_changes = [...] }` for expected variance
输出