finds.dev

// the find

snyk/driftctl

★ 2,651 · Go · Apache-2.0 · updated Jun 2026

Detect, track and alert on infrastructure drift

driftctl compares your live AWS/Azure/GCP infrastructure against your Terraform state and flags anything that exists in the cloud but isn't managed by code, or that has drifted from what Terraform thinks it is. It's essentially a coverage report for IaC, and the security angle is that the unmanaged list is where the console-created IAM role or the hand-edited security group rule ends up, untouched by whatever review the code path gets. Useful for teams where people occasionally click around in the console and forget to backport changes. The project is now in maintenance mode under Snyk.

The AWS resource coverage is genuinely broad — API Gateway v1/v2, IAM, EC2, RDS, Lambda, S3, CloudFront, Route53, and more, each with its own enumerator and repository abstraction. The parallel runner in enumeration/parallel means scans don't crawl on large accounts. The golden-file test pattern for each resource type makes it easy to see exactly what shape the tool expects a resource to be in. Multi-cloud support (AWS, Azure, GCP, GitHub) from a single CLI is rare in this space.

Maintenance mode is the headline problem: the README says so upfront, and with Snyk having acquired and then deprioritized it, bug fixes and new resource types are not coming. AWS coverage has obvious gaps: no EKS, no ECS, no SSM Parameter Store, no Secrets Manager, no EventBridge. Note the asymmetry that creates: a resource type driftctl has no enumerator for is simply invisible to it, so a clean scan says nothing about your ECS task roles or Secrets Manager entries. The tool reads Terraform state directly (a local file, or a backend it can fetch from via `--from`: S3, GCS, Azure Blob, HTTP, Terraform Cloud), so it only works if your resources are in a Terraform state it can reach: no AWS CDK, no Pulumi, no CloudFormation. There's also no built-in remediation or import generation; you get a diff report and that's it, the `terraform import` commands are still yours to write.
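The comparison driftctl does, reduced to its core, as an added example written for this page in Go (not driftctl's own code): it indexes the managed instances of a Terraform v4 state file by (type, id), diffs that index against a live inventory into managed/unmanaged/deleted, reports coverage, and, going one step past what driftctl does, drafts the `terraform import` lines for whatever is unmanaged. The state document and the live inventory are constructed inline; `Resource`, `ParseState`, `Diff`, `Coverage` and `ImportCommands` are this example's names, and a real run would feed `Diff` the output of per-service cloud API enumerators instead of the fixed slice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

type Resource struct{ Type, ID string } // cloud object keyed by Terraform type and provider ID

// Constructed Terraform state (v4). The data source and the index keys are deliberate: a naive "grab every id" loop gets both wrong.
const sampleState = `{"version": 4, "resources": [
 {"mode":"managed","type":"aws_s3_bucket","name":"logs","instances":[{"attributes":{"id":"corp-logs"}}]},
 {"mode":"managed","type":"aws_iam_role","name":"ci","instances":[{"index_key":"deployer","attributes":{"id":"ci-deployer"}}]},
 {"mode":"managed","type":"aws_security_group","name":"web","instances":[{"index_key":0,"attributes":{"id":"sg-0a1b2c3d"}}]},
 {"mode":"data","type":"aws_caller_identity","name":"current","instances":[{"attributes":{"id":"123456789012"}}]}
]}`

// Constructed live inventory: two console-created objects missing from state; the security group is gone.
var sampleLive = []Resource{{"aws_s3_bucket", "corp-logs"}, {"aws_iam_role", "ci-deployer"}, {"aws_iam_role", "console-admin"}, {"aws_s3_bucket", "tmp-export"}}

// address builds the instance address that terraform import expects.
func address(typ, name string, key interface{}) string {
	if key == nil {
		return typ + "." + name
	}
	if s, ok := key.(string); ok { // for_each key: must stay quoted
		key = fmt.Sprintf("%q", s)
	}
	return fmt.Sprintf("%s.%s[%v]", typ, name, key) // count index arrives as float64; %v prints 0, not 0.0
}

// ParseState indexes every managed instance by (type, id) with its address; data sources are skipped.
func ParseState(raw []byte) (map[Resource]string, error) {
	var st struct { // subset of the v4 schema; encoding/json matches the lowercase keys
		Version   int
		Resources []struct {
			Mode, Type, Name string
			Instances        []struct {
				IndexKey   interface{} `json:"index_key"`
				Attributes map[string]interface{}
			}
		}
	}
	if err := json.Unmarshal(raw, &st); err != nil || st.Version != 4 {
		return nil, fmt.Errorf("cannot read state: %v (version %d)", err, st.Version)
	}
	out := map[Resource]string{}
	for _, r := range st.Resources {
		for _, inst := range r.Instances { // mode "data" is a read, not a resource the state owns
			if id, ok := inst.Attributes["id"].(string); r.Mode == "managed" && ok && id != "" {
				out[Resource{r.Type, id}] = address(r.Type, r.Name, inst.IndexKey)
			}
		}
	}
	return out, nil
}

type DriftReport struct { // the three-way split a driftctl-style scan produces
	Managed, Unmanaged []Resource // live resources, split by whether state knows them
	Deleted            []string   // state addresses with no live counterpart
}

// Diff compares the live inventory against the state index.
func Diff(state map[Resource]string, live []Resource) (rep DriftReport) {
	seen := map[Resource]bool{}
	for _, res := range live {
		seen[res] = true
		if _, ok := state[res]; ok {
			rep.Managed = append(rep.Managed, res)
		} else {
			rep.Unmanaged = append(rep.Unmanaged, res)
		}
	}
	for res, addr := range state {
		if !seen[res] {
			rep.Deleted = append(rep.Deleted, addr)
		}
	}
	sort.Strings(rep.Deleted) // map iteration order is random; keep the report stable
	return rep
}

// Coverage is the managed share of the live inventory, in percent.
func Coverage(rep DriftReport) float64 {
	if n := len(rep.Managed) + len(rep.Unmanaged); n > 0 {
		return 100 * float64(len(rep.Managed)) / float64(n)
	}
	return 100
}

// ImportCommands drafts one terraform import per unmanaged resource; the address is a placeholder, the operator still picks a name and writes the HCL block.
func ImportCommands(rep DriftReport) []string {
	var cmds []string
	for i, r := range rep.Unmanaged {
		cmds = append(cmds, fmt.Sprintf("terraform import %s.unmanaged_%d %q", r.Type, i, r.ID))
	}
	return cmds
}

func main() {
	state, err := ParseState([]byte(sampleState))
	if err != nil {
		panic(err)
	}
	rep := Diff(state, sampleLive)
	fmt.Printf("coverage %.0f%%\ndeleted: %v\nimports: %q\n", Coverage(rep), rep.Deleted, ImportCommands(rep))
}
```

Run with `go run`: the sample yields 50% coverage, one deleted address (`aws_security_group.web[0]`) and two import drafts. The two traps it handles are the ones a quick script usually misses: data sources carry an `id` but own nothing, and count/for_each instances need the index in the address or the import lands on the wrong instance.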

