KiloClawPowered by OpenClaw
Back to Cookbook
OpenClaw recipe

Terraform Infrastructure Drift Scanner

aka “Drift Hunter

Find out who made that "quick fix" in the AWS console

Runs Terraform drift checks across your workspaces and surfaces everything that's drifted from your declared state. Catches manual console changes, forgot-to-import resources, and environment inconsistencies before they cause the next outage.

House RecipeWork3 min
Try in KiloClawFree 7-day trial

INGREDIENTS

🐙GitHub💬Slack

PROMPT

Create a skill called "Drift Hunter". Scan my Terraform workspaces for infrastructure drift. For each workspace: 1. Run a refresh-only drift check such as `terraform plan -refresh-only -out=tfplan && terraform show -json tfplan` 2. Identify resources that have been modified outside Terraform 3. Show before (Terraform state) vs. after (actual infrastructure) for each drifted resource 4. Generate `terraform import` suggestions for any unmanaged resources you can identify 5. Recommend whether to update the Terraform code to match reality or revert the manual change If I give you multiple workspaces or environments, also compare them and flag inconsistencies (e.g., a security group rule in prod that doesn't exist in staging).

How It Works

Drift happens when someone makes a change outside Terraform — a quick security

group rule in the console, a manual RDS parameter tweak, a load balancer

config change during an incident. This skill detects all of it.

What You Get

  • Full drift report across one or more Terraform workspaces
  • Identification of manually changed resources with before/after comparison
  • `terraform import` suggestions for resources that exist but aren't managed
  • Recommendations: reconcile in Terraform or revert the manual change
  • Cross-environment comparison (dev vs staging vs prod drift)

Setup Steps

  1. Ensure Terraform is initialized and has cloud credentials
  2. Tell your Claw which workspaces or directories to scan
  3. Review the drift report
  4. Apply the suggested import commands or config updates

Tips

  • Use refresh-only plans to isolate drift from intentional code changes
  • Run weekly as a scheduled task to catch drift early
  • Focus on stateful resources (databases, DNS, IAM) where drift is most dangerous
  • The cross-environment comparison is great for catching "works in dev" issues
  • Can generate `terraform import` commands for moved or renamed resources
Tags:#terraform#iac#drift#devops

Related Recipes

Plan Whisperer

Spot the destroy hiding in 2,000 lines of Terraform plan

Runs terraform plan, parses the JSON output, and gives you a risk-rated summary. Flags resource deletions, replacements, and security-sensitive changes (IAM, security groups, databases) so you catch the dangerous stuff before it hits production.

Work2 min

Env Diff

Find out why it works in staging but not production

Compares configurations across your environments — Terraform state, Helm values, env vars, K8s resources — and surfaces every difference. The fastest way to find the manual change someone made in production 6 months ago.

Work3 min

CLAWBITE AI

Local-first AI assistant that automates small daily tasks safely on your device

A personal, local-first AI assistant that automates small daily tasks—organizing files, setting reminders, and monitoring system events—without touching sensitive data or taking risky actions without your approval.

Personal5 min

Source Hunter

Real sources, named experts, actual quotes

Deep research that finds primary sources with named individuals, community sentiment from Reddit/HN/X, and news coverage. No summaries of summaries — actual quotes with URLs.

Creative1 min