Background
The Centers for Medicare and Medicaid Services (CMS) uses Terraform to manage infrastructure behind Medicare systems and HealthCare.gov. As these systems grew and more people began working on them, configuration drift—when real infrastructure no longer matches Terraform definitions—became a growing problem. Working with CMS, Corbalt developed Terraform Drift Monitor, an automated system that continuously checks infrastructure state and alerts teams to drift before it affects deployments or compliance.
Automated Drift Detection
Terraform Drift Monitor periodically evaluates planned infrastructure changes across Terraform-managed infrastructure and analyzes the results to find resources that no longer match their defined state. The system identifies what has changed—whether from manual console edits, automated processes, or changes made outside Terraform—giving teams a clear view of how the current infrastructure differs from the intended configuration.
Actionable Reporting
Each check produces both HTML and email reports describing the changes found. The reports show which resources have drifted, what attributes changed, and when the drift was first detected. Links to the relevant repositories are included so engineers can jump directly to the affected code. This helps teams quickly decide whether the change should be captured in Terraform or reversed during the next deployment.
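Terraform itself records out-of-band changes in the `resource_drift` list of its JSON plan output, which is the raw material a monitor like the one described above works from. The following is an added illustration, not Corbalt's or CMS's code: it runs a refresh-only plan (that step is only sketched, since it needs a real workspace and credentials) and reduces the drift entries to the address, inferred action and changed attributes a report would show. The plan document is a constructed sample; the resource names in it are invented.

```python
"""Summarise out-of-band drift from Terraform's JSON plan output."""
import json
import subprocess

# Constructed sample in the shape of `terraform show -json <planfile>`.
# Terraform fills `resource_drift` when the refresh step finds that real
# infrastructure no longer matches the recorded state.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_drift": [
        {"address": "aws_security_group.web", "mode": "managed",
         "type": "aws_security_group", "name": "web",
         "change": {"actions": ["update"],
                    "before": {"description": "web tier", "tags": {"env": "prod"}},
                    "after": {"description": "web tier",
                              "tags": {"env": "prod", "owner": "ops"}}}},
        {"address": "aws_s3_bucket.logs", "mode": "managed",
         "type": "aws_s3_bucket", "name": "logs",
         "change": {"actions": ["delete"],
                    "before": {"bucket": "example-logs"}, "after": None}},
    ],
})


def changed_attributes(before, after):
    """Top-level attribute names whose value differs between before and after.
    Either side may be None (a resource deleted or created outside Terraform)."""
    before, after = before or {}, after or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def drift_report(plan_json):
    """One summary dict per drifted resource, in plan order."""
    report = []
    for entry in json.loads(plan_json).get("resource_drift", []):
        change = entry["change"]
        report.append({"address": entry["address"],
                       "actions": change["actions"],
                       "changed": changed_attributes(change.get("before"),
                                                     change.get("after"))})
    return report


def plan_json_from_workspace(workdir):
    """Refresh-only plan for a real workspace; needs terraform and provider credentials.
    A refresh-only plan reports drift without proposing configuration changes."""
    subprocess.run(["terraform", "plan", "-refresh-only", "-input=false",
                    "-out=drift.tfplan"], cwd=workdir, check=True)
    return subprocess.run(["terraform", "show", "-json", "drift.tfplan"], cwd=workdir,
                          check=True, capture_output=True, text=True).stdout
```

A scheduled job would call `drift_report(plan_json_from_workspace(path))` per workspace and render the returned list into the HTML and email reports.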
On-Demand Analysis
In addition to scheduled checks, teams can run drift checks on demand. This is especially useful before important deployments, allowing engineers to confirm that infrastructure is in the expected state and that applying the new configuration will not undo legitimate changes.
Workflow Integration
Terraform Drift Monitor fits into CMS's existing workflows. Email reports are sent automatically to the appropriate team distribution lists so the right people see drift alerts. Full HTML reports are stored in shared locations, creating a record that can support audits or post-incident reviews.
Conclusion
Terraform Drift Monitor has saved an estimated one to two weeks of engineering time each year that was previously spent investigating unexplained infrastructure changes and determining whether deployments were safe. By quickly detecting drift and providing clear reports, the system has improved deployment confidence, increased visibility across teams, and strengthened infrastructure governance. Teams can now approach Terraform deployments with a clear understanding of what will change, reducing the risk of unexpected rollbacks and enabling faster, safer updates.