
Infrastructure Drift Detector

by charlie-morrison · GitHub ↗ · v1.0.0 · MIT-0
Platform: cross-platform · Marketplace flag: ⚠ suspicious
Downloads: 39 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw: `/install infrastructure-drift-detector`
Description
Detect drift between Infrastructure-as-Code definitions (Terraform, Pulumi, CloudFormation, CDK) and actual deployed state. Identify untracked resources, man...
README (SKILL.md)

Infrastructure Drift Detector

Detect when your deployed infrastructure has drifted from its IaC definitions. Finds manual changes, untracked resources, stale state, and configuration mismatches across Terraform, Pulumi, CloudFormation, and CDK.

Use when: "check for drift", "has anything changed outside terraform", "infrastructure audit", "find manual cloud changes", "state vs reality", "drift report", or before IaC refactors to ensure the state file is accurate.

Commands

1. detect — Full Drift Analysis

Step 1: Identify IaC Tool

```bash
# Check which IaC tools are in use. A single `ls a b c && echo` only fires when
# every listed file exists, so test each candidate file individually instead.
has_any() { for f in "$@"; do [ -e "$f" ] && return 0; done; return 1; }
has_any *.tf terraform.tfstate .terraform && echo "TERRAFORM"
has_any Pulumi.yaml Pulumi.*.yaml && echo "PULUMI"
has_any template.yaml template.json cdk.json && echo "CLOUDFORMATION/CDK"
has_any *.bicep && echo "BICEP"
```

Step 2: Terraform Drift Detection

If Terraform is detected:

```bash
# Refresh state without applying (safe, read-only)
terraform plan -refresh-only -detailed-exitcode 2>&1
# Exit code 0 = no drift, 2 = drift detected, 1 = error (bad credentials, init missing)

# List all resources in state
terraform state list 2>&1

# Show detailed plan for any drifted resources
terraform plan -no-color 2>&1 | head -500
```

Parse the plan output and categorize drift:

| Category | Description | Risk |
|---|---|---|
| Attribute drift | A value changed outside TF (e.g., security group rule added manually) | High |
| Resource missing | State says it exists, but it's been deleted | Critical |
| Untracked resource | Exists in cloud but not in any .tf file | Medium |
| State stale | State file hasn't been refreshed in >30 days | Low |

Step 3: Pulumi Drift Detection

If Pulumi is detected:

```bash
# Preview to detect drift
pulumi preview --diff --refresh 2>&1

# Export current state
pulumi stack export 2>&1 | python3 -c "
import json, sys
state = json.load(sys.stdin)
resources = state.get('deployment', {}).get('resources', [])
print(f'Total resources in state: {len(resources)}')
for r in resources:
    print(f'  {r.get(\"type\", \"?\")} :: {r.get(\"urn\", \"?\").split(\"::\")[-1]}')
"
```

Step 4: CloudFormation Drift Detection

```bash
# Detect drift on all stacks (force JSON output so the parser below is not
# affected by a user's default --output setting)
aws cloudformation list-stacks --output json \
  --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE | \
  python3 -c "
import json, sys
stacks = json.load(sys.stdin)['StackSummaries']
for s in stacks:
    print(s['StackName'])
"

# For each stack, trigger drift detection
aws cloudformation detect-stack-drift --stack-name <STACK_NAME>
# Wait until DetectionStatus is DETECTION_COMPLETE, then check results
aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-id <ID>
aws cloudformation describe-stack-resource-drifts --stack-name <STACK_NAME> --stack-resource-drift-status-filters MODIFIED DELETED
```

Step 5: Cross-Tool Analysis

Regardless of IaC tool, also check:

```bash
# Recent cloud changes (AWS example — last 24h; `date -d` is GNU date)
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=ReadOnly,AttributeValue=false \
  --start-time $(date -d '24 hours ago' -u +%Y-%m-%dT%H:%M:%SZ) \
  --max-results 50 2>&1

# List all TF-managed resource types across the repo; compare this list against
# the cloud inventory to find resources not in any .tf file
grep -rh --include='*.tf' 'resource "' . 2>/dev/null | sed 's/resource "//;s/".*//' | sort -u
```

Step 6: Generate Report

Produce a structured drift report:

```markdown
# Infrastructure Drift Report — [date]

## Summary
- **Tool:** Terraform/Pulumi/CloudFormation
- **Total managed resources:** N
- **Drifted resources:** N (X critical, Y high, Z medium)
- **Untracked resources:** N
- **Last state refresh:** [date]

## Critical Drift (fix immediately)
- [resource]: [what changed] — Risk: manual security group change bypasses review

## High-Risk Drift (fix this sprint)
- [resource]: [attribute changed from X to Y]

## Recommended Actions
1. Import untracked resources: `terraform import <type>.<name> <id>`
2. Refresh state: `terraform apply -refresh-only`
3. Add lifecycle rules for expected drift: `ignore_changes = [tags]`
4. Set up drift detection in CI: scheduled `terraform plan -detailed-exitcode`
```

2. monitor — Set Up Continuous Drift Detection

Create a CI job or cron that runs drift detection on a schedule:

```yaml
# GitHub Actions example
name: Drift Detection
on:
  schedule:
    - cron: '0 6 * * 1-5'  # Weekday mornings
jobs:
  detect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
      - id: plan  # the `if` below refers to this step id
        run: terraform plan -refresh-only -detailed-exitcode
        continue-on-error: true  # exit code 2 (drift) marks the outcome 'failure' without stopping the job
      - if: steps.plan.outcome == 'failure'
        run: echo "::warning::Infrastructure drift detected!"
```

Recommend monitoring thresholds:

  • Alert immediately: Security group, IAM, or network changes
  • Alert daily: Any resource attribute drift
  • Weekly review: Untracked resources, state staleness

3. reconcile — Generate Fix Plan

For each drifted resource, suggest one of:

  1. Accept drift — update IaC to match reality (terraform import, update .tf)
  2. Revert drift — apply IaC to restore intended state (terraform apply -target)
  3. Ignore drift — add lifecycle { ignore_changes } for expected variance

Output a step-by-step remediation script with `terraform import` commands for untracked resources and `terraform apply -target` commands for reverts.
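As an added example (not part of the skill's SKILL.md), the Python below takes the JSON form of a refresh-only plan (`terraform plan -refresh-only -out=plan.tfplan` followed by `terraform show -json plan.tfplan`), maps each `resource_drift` entry onto the categories of the table in Step 2, flags the resource types the monitoring thresholds say should alert immediately, and emits the reconcile options from this section. The plan document is a constructed sample; `ALERT_NOW_PREFIXES` and the `untracked` inventory argument are assumptions, not skill parameters.

```python
import json

# Constructed sample of `terraform show -json plan.tfplan` for a refresh-only plan;
# only the resource_drift array is used. Values are made up, not from a real account.
SAMPLE_PLAN = json.loads("""{"resource_drift": [
 {"address": "aws_security_group.web", "type": "aws_security_group", "change": {"actions": ["update"],
  "before": {"ingress_cidr": "10.0.0.0/8", "tags": {"env": "prod"}},
  "after": {"ingress_cidr": "0.0.0.0/0", "tags": {"env": "prod"}}}},
 {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {"actions": ["update"],
  "before": {"tags": {"owner": "ops"}}, "after": {"tags": {"owner": "sre"}}}},
 {"address": "aws_instance.bastion", "type": "aws_instance", "change": {"actions": ["delete"],
  "before": {"id": "i-0abc"}, "after": null}}]}""")

# Assumed list of resource types the skill's thresholds treat as alert-immediately.
ALERT_NOW_PREFIXES = ("aws_security_group", "aws_iam_", "aws_vpc", "aws_subnet", "aws_route")

def changed_attributes(before, after):
    """Top-level attributes whose value differs between the before and after objects."""
    before, after = before or {}, after or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))

def categorize_drift(plan):
    """Map each resource_drift entry to the skill's drift categories and risk levels."""
    findings = []
    for entry in plan.get("resource_drift", []):
        change = entry["change"]
        finding = {"address": entry["address"],
                   "alert_now": entry["type"].startswith(ALERT_NOW_PREFIXES)}
        if "delete" in change["actions"]:        # in state, but gone from the cloud
            finding.update(category="Resource missing", risk="Critical", attrs=[])
        elif "update" in change["actions"]:      # value changed outside Terraform
            finding.update(category="Attribute drift", risk="High",
                           attrs=changed_attributes(change.get("before"), change.get("after")))
        else:
            continue                             # no-op/read entries are not drift
        findings.append(finding)
    return findings

def remediation_plan(findings, untracked=()):
    """Reconcile options: revert, or ignore tag-only variance; import untracked resources."""
    cmds = []
    for f in findings:
        if f["attrs"] == ["tags"]:
            cmds.append(f"# {f['address']}: expected variance, add lifecycle {{ ignore_changes = [tags] }}")
        else:
            cmds.append(f"terraform apply -target={f['address']}  # revert {f['category'].lower()}")
    for address, cloud_id in untracked:          # (address, cloud id) pairs from your inventory
        cmds.append(f"terraform import {address} {cloud_id}")
    return cmds
```

Review every emitted `apply`/`import` line before running it; the skill's own guidance is to dry-run on a copy of the state first.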

Usage Guidance
This skill's instructions will run cloud CLIs and read IaC state and repo files, but the registry metadata does not declare those dependencies or the need for cloud credentials. Before installing or using it:
  1. Verify where the skill will run (your local machine, CI runner, or ephemeral environment).
  2. Ensure CLIs (terraform, pulumi, aws, python3) are installed and you understand that the skill will use whatever credentials/config are available in that environment.
  3. Do not run it in a production environment with broad credentials — use a read-only or least-privilege account first.
  4. Review and test the exact commands on a safe copy of your repo/state (dry-run) before accepting remediation steps like terraform import or apply.
  5. Ask the publisher to update metadata to declare required binaries and environment variables, and to add explicit confirmation steps before any state-changing commands.
If you cannot validate those points, treat the skill as untrusted and run its commands manually in a controlled environment instead of allowing automatic invocation.
Capability Analysis
Type: OpenClaw Skill
Name: infrastructure-drift-detector
Version: 1.0.0
The infrastructure-drift-detector skill bundle provides legitimate tools and instructions for auditing cloud environments using Terraform, Pulumi, and AWS CLI. The commands used in SKILL.md, such as 'terraform plan -refresh-only' and 'aws cloudtrail lookup-events', are standard industry practices for identifying configuration discrepancies. There is no evidence of data exfiltration, malicious execution, or prompt injection intended to subvert the agent's behavior.
Capability Assessment
Purpose & Capability
The SKILL.md clearly targets Terraform, Pulumi, CloudFormation/CDK and cloud provider state (e.g., AWS CloudTrail). That purpose legitimately needs cloud CLIs (aws, terraform, pulumi), local IaC state files, and cloud credentials. The skill metadata lists no required binaries, env vars, or primary credential — which is inconsistent with the stated purpose.
Instruction Scope
Runtime instructions tell the agent to read repository files (.tf, Pulumi.yaml, template.json, terraform.tfstate), run terraform/pulumi/aws CLI commands, parse outputs, and generate remediation commands. Those actions are within the declared purpose, but they imply access to cloud accounts and local state files that are not declared in metadata. The instructions do not constrain where they should run (e.g., CI vs local machine) or require explicit user confirmation before making changes (the docs recommend 'terraform apply' in places).
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes disk-write risk — nothing is downloaded or executed by an installer as part of skill setup. The security surface is the runtime commands described in SKILL.md.
Credentials
SKILL.md implicitly requires: terraform, pulumi, aws CLIs, python3, standard Unix tools (grep, sed, date). It also requires valid cloud credentials/config (AWS credentials or SDK-configured access) to perform CloudFormation drift detection, CloudTrail queries, and to inspect live resources. None of those are declared in requires.env or required binaries. The skill asks for actions that use potentially sensitive credentials without declaring them or warning the user.
Persistence & Privilege
The skill does not request always:true and is user-invocable (normal). It does not declare modifications to other skills or system-wide settings. Autonomous invocation is allowed by default but not by itself suspicious; still, an autonomously-invoked skill that can call cloud CLIs increases blast radius if credentials are available — keep that in mind.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install infrastructure-drift-detector
  3. After installation, invoke the skill by name or use /infrastructure-drift-detector
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of infrastructure-drift-detector.
  • Detects drift between IaC definitions (Terraform, Pulumi, CloudFormation, CDK) and actual deployed infrastructure.
  • Identifies untracked resources, manual changes, configuration mismatches, and stale state.
  • Provides step-by-step drift analysis, reporting, and categorization by risk.
  • Includes templates for drift reports and CI integration for continuous monitoring.
  • Supplies remediation steps for reconciliation: import, revert, or ignore drifted resources.
Metadata
Slug infrastructure-drift-detector
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Infrastructure Drift Detector?

Detect drift between Infrastructure-as-Code definitions (Terraform, Pulumi, CloudFormation, CDK) and actual deployed state. Identify untracked resources, man... It is an AI Agent Skill for Claude Code / OpenClaw, with 39 downloads so far.

How do I install Infrastructure Drift Detector?

Run "/install infrastructure-drift-detector" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Infrastructure Drift Detector free?

Yes, Infrastructure Drift Detector is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Infrastructure Drift Detector support?

Infrastructure Drift Detector is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Infrastructure Drift Detector?

It is built and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.
