Infrastructure Drift Detector

作者 charlie-morrison · GitHub ↗ · v1.0.0 · MIT-0
cross-platform · ⚠ suspicious
Total downloads: 39 · Favorites: 0 · Current installs: 0 · Versions: 1

Install in OpenClaw:
/install infrastructure-drift-detector

Description
Detect drift between Infrastructure-as-Code definitions (Terraform, Pulumi, CloudFormation, CDK) and actual deployed state. Identify untracked resources, man...

Usage (SKILL.md)

Infrastructure Drift Detector

Detect when your deployed infrastructure has drifted from its IaC definitions. Finds manual changes, untracked resources, stale state, and configuration mismatches across Terraform, Pulumi, CloudFormation, and CDK.

Use when: "check for drift", "has anything changed outside terraform", "infrastructure audit", "find manual cloud changes", "state vs reality", "drift report", or before IaC refactors to ensure the state file is accurate.

Commands

1. detect — Full Drift Analysis

Step 1: Identify IaC Tool

```bash
# Check which IaC tools are in use (prints a tag if any of the listed files exist;
# ls alone would fail when only some of the names are present)
[ -n "$(ls *.tf terraform.tfstate 2>/dev/null)" ] || [ -d .terraform ] && echo "TERRAFORM"
[ -n "$(ls Pulumi.yaml Pulumi.*.yaml 2>/dev/null)" ] && echo "PULUMI"
[ -n "$(ls template.yaml template.json cdk.json 2>/dev/null)" ] && echo "CLOUDFORMATION/CDK"
[ -n "$(ls *.bicep 2>/dev/null)" ] && echo "BICEP"
```

Step 2: Terraform Drift Detection

If Terraform is detected:

```bash
# Refresh state without applying (safe, read-only)
terraform plan -refresh-only -detailed-exitcode 2>&1
# Exit code 0 = no drift, 2 = drift detected (1 = the plan itself failed, e.g. missing credentials)

# List all resources in state
terraform state list 2>&1

# Show detailed plan for any drifted resources
terraform plan -no-color 2>&1 | head -500
```

Parse the plan output and categorize drift:

| Category | Description | Risk |
| --- | --- | --- |
| Attribute drift | A value changed outside TF (e.g., security group rule added manually) | High |
| Resource missing | State says it exists, but it's been deleted | Critical |
| Untracked resource | Exists in cloud but not in any .tf file | Medium |
| State stale | State file hasn't been refreshed in >30 days | Low |
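As an added example (not part of the skill), the categorization above can be driven from Terraform's machine-readable plan instead of text parsing: after `terraform plan -refresh-only -out=plan.tfplan`, `terraform show -json plan.tfplan` emits a `resource_drift` array listing every resource whose live state differs from the state file, with `update` or `delete` actions. The `SENSITIVE_PREFIXES` list and the sample plan are constructed assumptions.

```python
# Resource types whose drift should alert immediately (the "monitor" thresholds:
# security group, IAM, network). Assumption: illustrative list, extend per provider.
SENSITIVE_PREFIXES = ("aws_security_group", "aws_iam_", "aws_route", "aws_network_acl", "aws_subnet")


def categorize_drift(plan, state_age_days=0, stale_after_days=30):
    """Map a plan JSON dict to findings using the table's categories and risks.

    `plan` is the output of `terraform show -json plan.tfplan`; its "resource_drift"
    entries carry change.actions ("update" or "delete") plus before/after objects.
    """
    findings = []
    for entry in plan.get("resource_drift", []):
        change = entry["change"]
        before, after = change.get("before") or {}, change.get("after") or {}
        sensitive = entry.get("type", "").startswith(SENSITIVE_PREFIXES)
        if change["actions"] == ["delete"]:
            category, risk = "Resource missing", "Critical"
            detail = "in state but no longer exists in the cloud"
        elif "update" in change["actions"]:
            changed = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
            category, risk = "Attribute drift", "High"
            detail = "changed outside Terraform: " + ", ".join(changed)
        else:
            continue  # defensive: resource_drift never lists create/no-op changes
        findings.append({"address": entry["address"], "category": category, "risk": risk,
                         "detail": detail, "alert": "immediate" if sensitive else "daily"})
    if state_age_days > stale_after_days:
        findings.append({"address": "terraform.tfstate", "category": "State stale", "risk": "Low",
                         "detail": f"last refreshed {state_age_days} days ago", "alert": "weekly"})
    # Untracked resources never appear in a plan; they need the cloud inventory from Step 5.
    return findings


# Constructed sample plan: a security group edited by hand and a bucket deleted by hand.
SAMPLE_PLAN = {"format_version": "1.2", "resource_drift": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["update"],
                "before": {"name": "web", "ingress": [{"from_port": 443}]},
                "after": {"name": "web", "ingress": [{"from_port": 443}, {"from_port": 22}]}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "before": {"bucket": "logs-example"}, "after": None}},
]}

if __name__ == "__main__":
    for f in categorize_drift(SAMPLE_PLAN, state_age_days=45):
        print(f"[{f['risk']:8}] {f['category']:16} {f['address']} ({f['alert']}): {f['detail']}")
```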

Step 3: Pulumi Drift Detection

If Pulumi is detected:

```bash
# Preview to detect drift
pulumi preview --diff --refresh 2>&1

# Export current state
pulumi stack export 2>&1 | python3 -c "
import json, sys
state = json.load(sys.stdin)
resources = state.get('deployment', {}).get('resources', [])
print(f'Total resources in state: {len(resources)}')
for r in resources:
    print(f'  {r.get(\"type\", \"?\")} :: {r.get(\"urn\", \"?\").split(\"::\")[-1]}')
"
```

Step 4: CloudFormation Drift Detection

```bash
# Detect drift on all stacks
aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE | \
  python3 -c "
import json, sys
stacks = json.load(sys.stdin)['StackSummaries']
for s in stacks:
    print(s['StackName'])
"

# For each stack, trigger drift detection
aws cloudformation detect-stack-drift --stack-name <STACK_NAME>
# Wait, then check results
aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-id <ID>
aws cloudformation describe-stack-resource-drifts --stack-name <STACK_NAME> --stack-resource-drift-status-filters MODIFIED DELETED
```

Step 5: Cross-Tool Analysis

Regardless of IaC tool, also check:

```bash
# Recent cloud changes (AWS example — last 24h)
# date -d is GNU date; on macOS/BSD use: date -u -v-24H +%Y-%m-%dT%H:%M:%SZ
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=ReadOnly,AttributeValue=false \
  --start-time "$(date -d '24 hours ago' -u +%Y-%m-%dT%H:%M:%SZ)" \
  --max-results 50 2>&1

# Find resources not in any .tf/.yaml IaC file
# List all TF-managed resource types (recursive; does not rely on bash globstar for **/*.tf)
grep -rh --include='*.tf' 'resource "' . 2>/dev/null | sed 's/resource "//;s/".*//' | sort -u
```

Step 6: Generate Report

Produce a structured drift report:

```markdown
# Infrastructure Drift Report — [date]

## Summary
- **Tool:** Terraform/Pulumi/CloudFormation
- **Total managed resources:** N
- **Drifted resources:** N (X critical, Y high, Z medium)
- **Untracked resources:** N
- **Last state refresh:** [date]

## Critical Drift (fix immediately)
- [resource]: [what changed] — Risk: manual security group change bypasses review

## High-Risk Drift (fix this sprint)
- [resource]: [attribute changed from X to Y]

## Recommended Actions
1. Import untracked resources: `terraform import <type>.<name> <id>`
2. Refresh state: `terraform apply -refresh-only`
3. Add lifecycle rules for expected drift: `ignore_changes = [tags]`
4. Set up drift detection in CI: scheduled `terraform plan -detailed-exitcode`
```

2. monitor — Set Up Continuous Drift Detection

Create a CI job or cron that runs drift detection on a schedule:

```yaml
# GitHub Actions example
name: Drift Detection
on:
  schedule:
    - cron: '0 6 * * 1-5'  # Weekday mornings
jobs:
  detect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
      - id: plan  # required: steps.plan.outcome below refers to this id
        run: terraform plan -refresh-only -detailed-exitcode
        continue-on-error: true  # exit 2 (drift) and exit 1 (plan error) both give outcome 'failure'
      - if: steps.plan.outcome == 'failure'
        run: echo "::warning::Infrastructure drift detected!"
```

Recommend monitoring thresholds:

- Alert immediately: Security group, IAM, or network changes
- Alert daily: Any resource attribute drift
- Weekly review: Untracked resources, state staleness

3. reconcile — Generate Fix Plan

For each drifted resource, suggest one of:

1. Accept drift — update IaC to match reality (terraform import, update .tf)
2. Revert drift — apply IaC to restore intended state (terraform apply -target)
3. Ignore drift — add lifecycle { ignore_changes } for expected variance

Output a step-by-step remediation script with terraform import commands for untracked resources and terraform apply -target commands for reverts.
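As an added example (not part of the skill), this generates that remediation script from reviewed per-resource decisions, ordering imports and the state refresh before any `apply -target`, refusing to guess a cloud id for an import, and listing anything it could not handle. The decision format and `SAMPLE_DECISIONS` are constructed assumptions; the decisions themselves come from a human review, not from this code.

```python
def remediation_script(decisions):
    """Turn reviewed drift decisions into a shell script; returns (script_text, skipped).

    Each decision is {"address", "decision": accept|revert|ignore} plus, optionally,
    "untracked": True with "id" (the provider-side id) or "attributes": [...] for ignore.
    """
    imports, reverts, ignores, skipped = [], [], [], []
    for d in decisions:
        addr, choice = d["address"], d["decision"]
        if choice == "accept" and d.get("untracked"):
            if not d.get("id"):  # import needs the real cloud id; never guess one
                skipped.append((addr, "untracked resource has no cloud id for terraform import"))
            else:
                imports.append(f"terraform import '{addr}' '{d['id']}'")
        elif choice == "accept":  # managed resource: the .tf must be edited by hand first
            imports.append(f"# {addr}: update the .tf definition to the live value before refreshing")
        elif choice == "revert":
            reverts.append(f"terraform apply -target='{addr}'")
        elif choice == "ignore":
            attrs = ", ".join(d.get("attributes") or [])
            ignores.append(f"# {addr}: add  lifecycle {{ ignore_changes = [{attrs}] }}  to its resource block")
        else:
            skipped.append((addr, f"unknown decision {choice!r}"))
    script = ["#!/bin/sh", "set -eu", "# Generated remediation plan; review every line before running."]
    if imports:  # bring state in line with reality first so reverts plan against a true baseline
        script += ["", "# 1. Accept drift: import untracked resources, then refresh state"]
        script += imports + ["terraform apply -refresh-only"]
    if reverts:
        script += ["", "# 2. Revert drift: re-apply intended config to the drifted resources only"] + reverts
    if ignores:
        script += ["", "# 3. Ignore expected drift (edit HCL, then commit)"] + ignores
    script += ["", "# Verify: exit code 0 means no drift remains", "terraform plan -refresh-only -detailed-exitcode"]
    return "\n".join(script) + "\n", skipped


# Constructed sample decisions from a drift review.
SAMPLE_DECISIONS = [
    {"address": "aws_s3_bucket.legacy", "decision": "accept", "untracked": True, "id": "legacy-bucket-example"},
    {"address": "aws_security_group.web", "decision": "revert"},
    {"address": "aws_instance.app", "decision": "ignore", "attributes": ["tags"]},
    {"address": "aws_iam_role.ci", "decision": "accept", "untracked": True},  # no id: must be skipped
]

if __name__ == "__main__":
    text, skipped = remediation_script(SAMPLE_DECISIONS)
    print(text)
    for addr, why in skipped:
        print(f"SKIPPED {addr}: {why}")
```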

Safe usage advice
This skill's instructions will run cloud CLIs and read IaC state and repo files, but the registry metadata does not declare those dependencies or the need for cloud credentials. Before installing or using it:
1) Verify where the skill will run (your local machine, CI runner, or ephemeral environment).
2) Ensure CLIs (terraform, pulumi, aws, python3) are installed and you understand that the skill will use whatever credentials/config are available in that environment.
3) Do not run it in a production environment with broad credentials — use a read-only or least-privilege account first.
4) Review and test the exact commands on a safe copy of your repo/state (dry-run) before accepting remediation steps like terraform import or apply.
5) Ask the publisher to update metadata to declare required binaries and environment variables, and to add explicit confirmation steps before any state-changing commands.
If you cannot validate those points, treat the skill as untrusted and run its commands manually in a controlled environment instead of allowing automatic invocation.
Functional analysis
Type: OpenClaw Skill
Name: infrastructure-drift-detector
Version: 1.0.0
The infrastructure-drift-detector skill bundle provides legitimate tools and instructions for auditing cloud environments using Terraform, Pulumi, and AWS CLI. The commands used in SKILL.md, such as 'terraform plan -refresh-only' and 'aws cloudtrail lookup-events', are standard industry practices for identifying configuration discrepancies. There is no evidence of data exfiltration, malicious execution, or prompt injection intended to subvert the agent's behavior.
Capability assessment
Purpose & Capability
The SKILL.md clearly targets Terraform, Pulumi, CloudFormation/CDK and cloud provider state (e.g., AWS CloudTrail). That purpose legitimately needs cloud CLIs (aws, terraform, pulumi), local IaC state files, and cloud credentials. The skill metadata lists no required binaries, env vars, or primary credential — which is inconsistent with the stated purpose.
Instruction Scope
Runtime instructions tell the agent to read repository files (.tf, Pulumi.yaml, template.json, terraform.tfstate), run terraform/pulumi/aws CLI commands, parse outputs, and generate remediation commands. Those actions are within the declared purpose, but they imply access to cloud accounts and local state files that are not declared in metadata. The instructions do not constrain where they should run (e.g., CI vs local machine) or require explicit user confirmation before making changes (the docs recommend 'terraform apply' in places).
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes disk-write risk — nothing is downloaded or executed by an installer as part of skill setup. The security surface is the runtime commands described in SKILL.md.
Credentials
SKILL.md implicitly requires: terraform, pulumi, aws CLIs, python3, standard Unix tools (grep, sed, date). It also requires valid cloud credentials/config (AWS credentials or SDK-configured access) to perform CloudFormation drift detection, CloudTrail queries, and to inspect live resources. None of those are declared in requires.env or required binaries. The skill asks for actions that use potentially sensitive credentials without declaring them or warning the user.
Persistence & Privilege
The skill does not request always:true and is user-invocable (normal). It does not declare modifications to other skills or system-wide settings. Autonomous invocation is allowed by default but not by itself suspicious; still, an autonomously-invoked skill that can call cloud CLIs increases blast radius if credentials are available — keep that in mind.
How to use
1. Make sure OpenClaw is installed (local or Docker deployment)
2. Enter the install command in the chat box: /install infrastructure-drift-detector
3. After installation, call the skill by name directly or trigger it with /infrastructure-drift-detector
4. Provide the required input as described in the skill's parameter documentation to get structured output
Version history
v1.0.0
Initial release of infrastructure-drift-detector.
- Detects drift between IaC definitions (Terraform, Pulumi, CloudFormation, CDK) and actual deployed infrastructure.
- Identifies untracked resources, manual changes, configuration mismatches, and stale state.
- Provides step-by-step drift analysis, reporting, and categorization by risk.
- Includes templates for drift reports and CI integration for continuous monitoring.
- Supplies remediation steps for reconciliation: import, revert, or ignore drifted resources.
Metadata
Slug: infrastructure-drift-detector
Version: 1.0.0
License: MIT-0
Cumulative installs: 0
Current installs: 0
Version count: 1
FAQ

What is Infrastructure Drift Detector?

Detect drift between Infrastructure-as-Code definitions (Terraform, Pulumi, CloudFormation, CDK) and actual deployed state. Identify untracked resources, man... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 39 cumulative downloads so far.

How do I install Infrastructure Drift Detector?

Run the command "/install infrastructure-drift-detector" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Infrastructure Drift Detector free?

Yes, Infrastructure Drift Detector is completely free, licensed under MIT-0, and can be freely downloaded, installed, and used.

Which platforms does Infrastructure Drift Detector support?

Infrastructure Drift Detector runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Infrastructure Drift Detector?

Developed and maintained by charlie-morrison (@charlie-morrison); current version v1.0.0.