Drift occurs when real Azure resources diverge from your IaC definitions — via manual portal changes, automated patches, or external tools. Drift detection compares desired state (code) against actual state (cloud) and alerts or auto-remediates.
Decision tree for responding to detected drift — remediate, accept, or escalate.
terraform plan -refresh-only queries real Azure state but proposes NO changes to resources — only updates the state file. Safe for drift detection without risk of accidental apply.
Azure Policy can also detect drift: Audit effects flag non-compliant resources. Deploy IfNotExists auto-remediates. Combine with Terraform for defense in depth.
Tags are the most common drift vector — engineers add/remove tags in the portal. Enforce tags via Azure Policy (Deny effect) OR terraform apply to restore them. Don't leave tag drift unaddressed.
terraform plan -parallelism=20 speeds up refresh for large infrastructures. Default is 10 parallel operations. Increase carefully — Azure RM API has throttling limits per subscription.
Low-severity drift (tag changes, minor config) should NOT page on-call. Route to a Slack channel for async review. Reserve PagerDuty for security-relevant drift (NSG, IAM changes).
Track drift events in an audit log (Azure Log Analytics). Regulators (SOC 2, PCI-DSS) require evidence that deviations from baseline config are detected and remediated.
Sign in to share your feedback and join the discussion.