Feature Compatibility: The feature is fully compatible starting from agent version 1.0.1044. The feature is supported only for OpenTofu, Terragrunt, and Terraform.
Drift refers to the divergence between the actual state of infrastructure and the state defined in configuration files. This can occur when changes are made outside of the Infrastructure as Code (IaC) tool, such as manual updates through a cloud provider’s console or automated processes outside of the IaC pipeline.

Drift is risky because it can lead to unexpected behavior and inconsistencies in resource management, and can potentially compromise system reliability or security. If not detected and addressed, drift can cause deployments to fail, resulting in costly misconfigurations and possibly leaving systems vulnerable to exploitation. Regular drift analysis is crucial for maintaining infrastructure consistency and ensuring that all changes are tracked and aligned with the defined code.

When resources are managed in env zero, identifying the root cause of environment drift is straightforward. Whether a user has modified the state directly, a provider version change has introduced differences, or new code was pushed without being applied, env zero captures these events.

Drift Cause Analysis

Based on the IaC data, env zero will analyze the drift to determine whether it was caused by one or more of the following reasons:
  1. Unmanaged Change

A resource was changed manually (by a user or API) in the cloud provider’s console. Unmanaged changes to infrastructure are risky and not recommended. env zero will check if a change was made to the resource outside of the IaC code. If a change is detected, it is reported under this cause.
If you have Cloud Compass configured, a ‘More Details’ link will appear. Clicking it will show all the events that occurred within the resource between the last modifying deployment and the drift check deployment. In the events modal, you can view event details related to the changed resource—Event Date, Event Resource, Event Name, and the user who took the action.
Each event has a link that provides more information directly from the Cloud Provider.
Getting Events: Currently, retrieving resource events is supported only for AWS and Azure.
In order to retrieve resource events, you must first set up Cloud Compass in your organization.
For more information, please refer to the documentation.
  2. Provider Version Change

A provider’s version was changed, causing the drift. This can occur when the infrastructure code doesn’t use static provider versions. env zero will display which provider’s version changed, along with the old and new versions.
  3. Module Version Change

A remote module’s version was changed, causing the drift. This can happen when the infrastructure code doesn’t use static module versions. env zero will display which module’s version changed, along with the old and new versions.
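Both the provider and module causes above come from version constraints that are not static. The following check is an added example, not env zero's code: it scans Terraform/OpenTofu source for providers and registry modules whose `version` is missing or is not an exact pin. The regex-based parsing, the sample configuration, and the module sources and version numbers in it are constructed for illustration.

```python
import re

EXACT = re.compile(r"^=?\s*\d+\.\d+\.\d+(-[\w.]+)?$")  # "1.2.3" or "= 1.2.3"
BODY = r"\{((?:[^{}]|\{[^{}]*\})*)\}"                   # block body, one nested level
VERSION = re.compile(r'\bversion\s*=\s*"([^"]*)"')
SOURCE = re.compile(r'\bsource\s*=\s*"([^"]*)"')

# Constructed sample (hypothetical module sources and version numbers).
SAMPLE_TF = '''
terraform {
  required_providers {
    aws    = { source = "hashicorp/aws", version = "5.0.0" }
    random = { source = "hashicorp/random", version = "~> 3.5" }
  }
}
module "network" {
  source  = "example-org/network/aws"
  version = "2.1.0"
}
module "logs" {
  source = "example-org/log-bucket/aws"
}
'''

def _constraint(body):
    m = VERSION.search(body)
    return m.group(1).strip() if m else None

def floating_versions(tf_text):
    """Return (kind, name, constraint) for each version that is missing or not an exact pin."""
    findings = []
    for block in re.finditer(r"required_providers\s*" + BODY, tf_text):
        for name, attrs in re.findall(r"(\w+)\s*=\s*\{([^{}]*)\}", block.group(1)):
            c = _constraint(attrs)
            if c is None or not EXACT.match(c):
                findings.append(("provider", name, c))
    for name, body in re.findall(r'module\s+"([^"]+)"\s*' + BODY, tf_text):
        src = SOURCE.search(body)
        # Local paths and git/URL sources take no `version` argument; skip them.
        if not src or src.group(1).startswith(".") or "://" in src.group(1) or "::" in src.group(1):
            continue
        c = _constraint(body)
        if c is None or not EXACT.match(c):
            findings.append(("module", name, c))
    return findings

print(floating_versions(SAMPLE_TF))
```

Anything this reports can resolve to a different version between two runs, which is the condition the Provider Version Change and Module Version Change causes describe.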
  4. Variable Change

One of the environment’s inputs in env zero changed, causing the drift. env zero will display who made the change, when it occurred, and the variable’s name, scope, old value, and new value. The old and new values will not be displayed for sensitive values.
  5. Unapplied Commit

A change was made to the infrastructure code but has not yet been applied. env zero will check if a commit was made to the infrastructure code after the last modifying deployment and show the commit (with a link to it in the VCS provider), along with who made it and when.
env zero uses globs to make this check more accurate. The default globs are:
${TEMPLATE_PATH}/**/*.tf;${TEMPLATE_PATH}/**/*.tofu;${TEMPLATE_PATH}/**/*.hcl;env0.yml;env0.yaml
where ${TEMPLATE_PATH} is the template’s path.
These default globs can be overwritten by using the DRIFT_CAUSE_UNAPPLIED_COMMITS_GLOBS environment variable on the environment in env zero. It is a semicolon-delimited list of globs. env zero will also ensure that the environment’s revision and the revision at the time of the drift check are the same.
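To preview which files in a commit would count toward the Unapplied Commit check under a given glob list, the following added example (not env zero's implementation) expands `${TEMPLATE_PATH}`, splits the semicolon-delimited list, and matches repository-relative paths. It assumes minimatch-style semantics, where `**/` matches zero or more directories and `*` stays within one path segment; the changed-file list and the template path `stacks/network` are constructed.

```python
import re

# Default globs as listed above; DRIFT_CAUSE_UNAPPLIED_COMMITS_GLOBS uses the same format.
DEFAULT_GLOBS = ("${TEMPLATE_PATH}/**/*.tf;${TEMPLATE_PATH}/**/*.tofu;"
                 "${TEMPLATE_PATH}/**/*.hcl;env0.yml;env0.yaml")

# Constructed sample: files touched by commits since the last modifying deployment.
CHANGED = [
    "stacks/network/main.tf",
    "stacks/network/modules/vpc/variables.tf",
    "stacks/app/main.tf",
    "README.md",
    "env0.yml",
    "stacks/network/terragrunt.hcl",
    "stacks/network/notes.md",
]

def glob_to_regex(glob):
    """Translate one glob to a regex (assumed semantics, see lead-in)."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**/", i):      # zero or more directories
            out, i = out + "(?:.*/)?", i + 3
        elif glob.startswith("**", i):     # anything, including slashes
            out, i = out + ".*", i + 2
        elif glob[i] == "*":               # anything within one path segment
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def relevant_changes(changed_files, template_path, globs=DEFAULT_GLOBS):
    """Return the changed files that match at least one glob in the list."""
    root = template_path.strip("/")
    patterns = [
        # lstrip handles a template at the repository root (empty path).
        glob_to_regex(g.replace("${TEMPLATE_PATH}", root).lstrip("/"))
        for g in globs.split(";") if g
    ]
    return [f for f in changed_files if any(p.match(f) for p in patterns)]

print(relevant_changes(CHANGED, "stacks/network"))
```

A commit that touches only files outside the returned list, such as `stacks/app/main.tf` here, would not be attributed to this environment under these assumptions.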
  6. State Modified

The environment’s state was directly modified. env zero will detect a state change and try to find a corresponding remote apply and link to it. If no remote apply is found, a message indicating that the state has changed will appear.
(Screenshot: the result when a remote apply was detected.)
(Screenshot: the result when no remote apply was detected but the state has changed.)

Using Drift Cause

There are two ways to utilize Drift Cause:
  1. In The Environment Page

If a drift has been detected in your environment, you will see a collapsible showing the number of issues found and a link to the drift deployment. Opening the collapsible will show a list of the different drift causes env zero checks for, as well as the check’s status. These results will appear on the right.
  2. On The Deployment Page

The ‘Drifts’ tab on a drifted deployment page shows a list of the different drift causes env zero checks for, as well as the check’s status. The drift cause check results will appear on the right.
Below it you will see the changed resources list and what changed. You will also be able to get the resource’s events by pressing the ‘Analyze Drift Cause’ button.
Reasons Drift Cause won’t be able to show events for a resource

There are several reasons why events will not be available:
  • A missing resource ID, which can happen for a number of reasons:
    • An old agent is being used
    • The drift reason is a resource being manually deleted
  • Unsupported provider, as detailed above
  • A user is missing the View Drift Cause permission