Audit automation for finding resources not managed by Terraform

Hi

What is the best way to find resources in Azure infrastructure that aren’t managed by Terraform?

I am looking for a way to enforce managing resources using Terraform, and also to add an audit automation to identify any inconsistent change on the cloud that does not exist in tfstate; any suggestion is appreciated.

Thank you


A lot of drift detection tooling only looks at known resources, but when I was poking around for existing drift detection solutions a while back, I came across driftctl, which is one option. It takes a little bit of work to get set up, but basically, you configure it to look at all of your states that are in scope of a given account / subscription / whatever, and then run the tool against it. Depending on the provider you use, it may support more or fewer resources, so I’m not sure how well it works with Azure, though it apparently has some support.

In certain cases, you’ll probably need to figure out their slightly wacky ignore syntax and ignore resources that were created by managed services (where the managed service itself is defined in Terraform, but the underlying resources aren’t).

A GCP version would look something like this

driftctl scan --deep --to gcp+tf --tf-provider-version="x.x.x" --from tfstate+gs://foo/xyz/projects/default.tfstate [add other states here] --filter [filter expressions here]

And it’ll give you some kind of percentage of resources covered by IAC (based on the aggregated state files you’ve given it).
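The comparison driftctl performs here (aggregate the IDs from every in-scope state file, diff them against what the cloud actually contains, skip the children of managed services, and report a coverage percentage) is simple enough to reproduce for an Azure subscription without the tool. The script below is an added example written for this thread; it is not driftctl's code and not from either poster. It assumes Terraform state format version 4 (the `resources[].instances[].attributes.id` layout), an inventory of Azure resource IDs such as `az resource list --query "[].id" -o json` would return, and an ignore list in Python `fnmatch` glob syntax rather than driftctl's own filter expressions. All subscription, resource group and resource IDs in it are constructed sample data.

```python
"""Report Azure resources that exist in the cloud but in no Terraform state.

Added example (not code from the thread, nor driftctl's). It assumes
Terraform state format version 4 and an inventory of resource IDs such as
the output of `az resource list --query "[].id" -o json`; all IDs and
state contents below are constructed sample data.
"""
import fnmatch
import json


def state_resource_ids(state: dict) -> set:
    """Collect the 'id' attribute of every managed resource instance.

    Data sources (mode == "data") are skipped: they read existing resources
    but do not manage them. IDs are lower-cased because Azure resource IDs
    are case-insensitive and the portal and CLI do not return consistent case.
    """
    ids = set()
    for res in state.get("resources", []):
        if res.get("mode") != "managed":
            continue
        for inst in res.get("instances", []):
            rid = inst.get("attributes", {}).get("id")
            if isinstance(rid, str):
                ids.add(rid.lower())
    return ids


def load_states(paths):
    """Parse tfstate files from disk (the sample run below uses inline data)."""
    states = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            states.append(json.load(fh))
    return states


def find_unmanaged(inventory, states, ignore=()):
    """Compare a cloud inventory against one or more parsed state files.

    ignore: glob patterns (fnmatch syntax, matched case-insensitively) for
    resources created by managed services whose parent is in Terraform,
    e.g. everything inside an AKS node resource group "MC_*".
    """
    managed = set()
    for st in states:
        managed |= state_resource_ids(st)
    patterns = [p.lower() for p in ignore]
    seen, unmanaged, ignored = set(), [], []
    for rid in inventory:
        key = rid.lower()
        if key in managed:
            seen.add(key)
        elif any(fnmatch.fnmatch(key, p) for p in patterns):
            ignored.append(rid)
        else:
            unmanaged.append(rid)
    considered = len(inventory) - len(ignored)
    coverage = round(100.0 * len(seen) / considered, 1) if considered else 100.0
    return {
        "unmanaged": sorted(unmanaged),                # in cloud, in no state
        "ignored": sorted(ignored),                    # matched an ignore pattern
        "missing_from_cloud": sorted(managed - seen),  # in state, gone from cloud
        "coverage_pct": coverage,
    }


# ---- constructed sample data (hypothetical subscription and resources) ----
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"

SAMPLE_STATES = [  # trimmed to the fields the functions above read
    {"version": 4, "resources": [
        {"mode": "managed", "type": "azurerm_resource_group", "name": "app",
         "instances": [{"attributes": {"id": RG}}]},
        {"mode": "managed", "type": "azurerm_storage_account", "name": "logs",
         "instances": [{"attributes": {"id": RG + "/providers/Microsoft.Storage/storageAccounts/stapplogs"}}]},
        {"mode": "data", "type": "azurerm_subscription", "name": "current",
         "instances": [{"attributes": {"id": SUB}}]},
    ]},
    {"version": 4, "resources": [
        {"mode": "managed", "type": "azurerm_virtual_network", "name": "net",
         "instances": [{"attributes": {"id": RG + "/providers/Microsoft.Network/virtualNetworks/vnet-app"}}]},
        {"mode": "managed", "type": "azurerm_network_security_group", "name": "nsg",
         "instances": [{"attributes": {"id": RG + "/providers/Microsoft.Network/networkSecurityGroups/nsg-app"}}]},
    ]},
]

SAMPLE_INVENTORY = [  # note the differing case on the resource group entry
    SUB + "/resourceGroups/RG-APP",
    RG + "/providers/Microsoft.Storage/storageAccounts/stapplogs",
    RG + "/providers/Microsoft.Network/virtualNetworks/vnet-app",
    RG + "/providers/Microsoft.Compute/virtualMachines/vm-clickops",
    SUB + "/resourceGroups/MC_rg-app_aks-app_westeurope/providers/Microsoft.Network/loadBalancers/kubernetes",
]
IGNORE = ["*/resourcegroups/mc_*"]  # children of the AKS-managed node resource group

if __name__ == "__main__":
    print(json.dumps(find_unmanaged(SAMPLE_INVENTORY, SAMPLE_STATES, IGNORE), indent=2))
```

On the sample data the run reports the VM as unmanaged, the AKS load balancer as ignored, the NSG as present in state but absent from the cloud (deleted outside Terraform), and 75% coverage of the three managed resources out of the four considered. Two details matter for an Azure audit specifically: resource IDs must be compared case-insensitively, since the CLI and portal do not agree on case, and data sources must be excluded from the "managed" set or they will show up as false drift.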

Hi Wyardley

Thank you for your response; it looks like some Azure resources are supported. Supported Resources | driftctl-docs