Detect Drifts in StackGen
Overview
Drift Detection in StackGen identifies discrepancies between your deployed cloud infrastructure and the state defined in your Terraform configurations. This feature ensures visibility into unauthorized or unintended changes, enabling teams to maintain consistency, security, and compliance across their environments.
Let's see how it's done, step by step.
Prerequisites
- Permissions and Authentication: To enable drift detection, StackGen requires read-only access to your cloud provider and a valid Terraform state file.
  Ensure that you have the following permissions:
  - AWS: IAM policies with Describe, List, and Get permissions for infrastructure components.
  - Azure: Role-based access control (RBAC) with read permissions for required resources.
  - GCP: Read-only IAM roles for resource discovery.
- CLI Version: Ensure StackGen CLI v0.50.1 or higher is installed.
- TOFU Installation: Install OpenTofu (v1.9.0+), a Terraform-compatible tool, and add it to your PATH.
- Cloud Credentials: Configure your AWS, Azure, GCP, or Civo credentials.
- StackGen Login: Authenticate using stackgen configure.
  - To configure your environment variables, refer to the articles Configure StackGen Cloud and Configure StackGen CLI.
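The AWS prerequisite above (Describe, List, and Get permissions only) can be checked before the credentials are handed to any tool. The following is an added example, not StackGen code: the function names and the sample policy are constructed for illustration, and it assumes the policy is available as a standard IAM policy JSON document.

```python
import json

READ_ONLY_PREFIXES = ("describe", "list", "get")  # IAM action names are case-insensitive

def _as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_read_only_action(action):
    """True if the pattern can only match Describe*/List*/Get* API calls."""
    _service, sep, name = action.partition(":")
    if not sep:  # bare "*" or a malformed entry
        return False
    return name.lower().startswith(READ_ONLY_PREFIXES)

def audit_policy(policy_json):
    """Return (sid, finding) pairs for Allow statements that exceed read-only."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant access
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction: allows every action not listed"))
        for action in _as_list(stmt.get("Action")):
            if not is_read_only_action(action):
                findings.append((sid, action))
    return findings

# Constructed sample policy, not taken from StackGen documentation.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Discovery", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "s3:GetBucketTagging"]},
    {"Sid": "TooBroad", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:*", "s3:PutObject"]},
    {"Sid": "SingleString", "Effect": "Allow", "Resource": "*", "Action": "iam:list*"},
    {"Sid": "Guardrail", "Effect": "Deny", "Resource": "*", "Action": "iam:*"}
  ]
}"""

if __name__ == "__main__":
    for sid, finding in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

An empty result means every allowed action is limited to the three read prefixes. Some Get actions still return sensitive data (for example secretsmanager:GetSecretValue), so scope the Resource element as well.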
Drift in StackGen UI
To begin with Drift, follow these steps:
- From the StackGen cloud Home page, navigate to the Drifts tab.
- Click the appStack for which you want to detect drift.
  Note: Before you select the appStack, ensure that:
  - The appStack is deployed to your cloud; drift can only be detected on a deployed appStack.
  - You have configured a storage state backend, as the drift command needs access to the .tfstate file.
- From the Actions column, click View CLI Commands to follow the CLI commands.
  Note: Skip Step 2 of the CLI commands in the Drifts Test dialog if you've already configured your environment.
Enable Drift Detection
Run the following command:
stackgen drift detect --appstack-id <appstack-id> --var="region=<region>"
Flags
Flag | Description | Required |
---|---|---|
--appstack-id | ID of the appStack to analyze. You can find this in the URL of your appStack in the StackGen UI. Example: app-stack-12345. | Yes |
--var="region=<region>" | Cloud provider region where the appStack is deployed. Example: us-east-1, west-europe. | Yes |
Follow the StackGen CLI documentation to detect drift via the CLI.
View Drift Results in UI
- From the StackGen cloud Home page, navigate to the Drifts tab.
- Click the chart icon next to the appStack to view the Drift dashboard.
  You will be redirected to the CLI Runs dashboard.
  From here you can view the following:
  - Summary: High-level changes (resource types affected).
  - Details: Per-resource diffs (e.g., modified tags, configuration shifts).
- Click individual resources to view granular details (e.g., modified tags, configurations).
- If you have a Custom IaC, you can view it by clicking the CLI Runs tab and clicking the relevant run.
Drift Alerts
Drift Alerts notify you when your infrastructure changes outside the defined Infrastructure-as-Code (IaC) configuration. This helps you detect unexpected modifications and take corrective action quickly.
Drift Alerts let you:
- Detect unauthorized or manual changes to your cloud resources.
- Maintain compliance by monitoring infrastructure deviations.
- Reduce downtime by responding quickly to unexpected modifications.
Key Capabilities
- Automatic Drift Detection: Drift alerts let you monitor the differences between deployed infrastructure and your IaC definitions.
- Real-Time Notifications via Slack: All detected drifts are sent directly as alerts to your connected Slack channel.
- Centralized Alerting: All types of drift are reported; no manual selection is required.
How Drift Alerts Work
When you enable alerts on a drift, the following happens:
- StackGen scans your infrastructure for changes outside your IaC definitions.
- Any detected drift is compiled into an alert.
- The alert is sent to your connected Slack channel in real time.
Configure Drift Alerts
To get alerts on Drifts on an appStack, check out the section on Enabling appStack Notifications.
Best Practices
- Ensure your Slack integration is connected and active.
- Regularly review drift alerts to confirm whether changes are intentional or require remediation.
- Treat repeated drifts as a signal to review your deployment process.
Troubleshooting
Not Receiving Alerts?
- Verify that your Slack integration is active.
- Check that your Slack channel allows messages from StackGen.
Best Practices
Review Changes Before Applying: Always inspect drift results before updating your appStack.