The latest articles on Forem by Sudarshan Thakur (@sudarshan_thakur_1e141b99). https://forem.com/sudarshan_thakur_1e141b99 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3891239%2F5a0d3691-a976-495d-a4ad-2e622643e944.JPG https://forem.com/sudarshan_thakur_1e141b99 en Sudarshan Thakur Sat, 09 May 2026 20:45:05 +0000 https://forem.com/sudarshan_thakur_1e141b99/how-i-built-a-terraform-plan-json-parser-in-python-gm https://forem.com/sudarshan_thakur_1e141b99/how-i-built-a-terraform-plan-json-parser-in-python-gm <p>Most DevOps engineers have run <code>terraform plan</code> thousands of times. Very few have looked at what comes out when you add the <code>-json</code> flag.</p> <p>I spent a couple of weeks inside that JSON output while building <a href="https://github.com/sudarshan8417/tfdrift" rel="noopener noreferrer">tfdrift</a>, an open-source drift detection tool. What I found was a surprisingly well-structured format — and a handful of gotchas that aren't documented anywhere obvious.</p> <p>This post is the technical deep-dive I wish I'd had when I started. If you're building any kind of tooling on top of Terraform — drift detection, policy enforcement, cost estimation, change analysis — this is the stuff you'll need to know.</p> <h2> Getting the JSON output </h2> <p>First, the basics. You can't just pipe <code>terraform plan</code> to get JSON. The text output and the JSON output are completely different codepaths. You need to do it in two steps:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1: Generate a plan file</span> terraform plan <span class="nt">-out</span><span class="o">=</span>tfplan <span class="nt">-input</span><span class="o">=</span><span class="nb">false</span> <span class="nt">-no-color</span> <span class="c"># Step 2: Convert to JSON</span> terraform show <span class="nt">-json</span> tfplan </code></pre> </div> <p>The <code>-out</code> flag saves the plan as a binary file (not human-readable), and <code>terraform show -json</code> converts that binary into structured JSON. You can't skip step 1 — there's no <code>terraform plan -json</code> flag that gives you JSON directly to stdout. This tripped me up initially.</p> <p>In Python, that looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">json</span> <span class="k">def</span> <span class="nf">get_plan_json</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="c1"># Generate the plan file </span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">plan</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-out=tfplan</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-input=false</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-no-color</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">workspace_path</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">600</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Convert to JSON </span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">show</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-json</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tfplan</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">workspace_path</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">120</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="p">)</span> </code></pre> </div> <p>A few things to notice here. The timeout on <code>plan</code> is 10 minutes — for large workspaces with many resources, plan can take a while because it's refreshing state against the cloud provider APIs. The timeout on <code>show</code> is shorter because it's just reading a local file. And we always set <code>-input=false</code> because we're running non-interactively — without it, Terraform might hang waiting for user input.</p> <h2> The structure of plan JSON </h2> <p>The JSON output has a lot of fields, but for drift detection, you really only care about one: <code>resource_changes</code>. Here's what a simplified version looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"format_version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"terraform_version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.7.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"resource_changes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws_security_group.api_sg"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"managed"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws_security_group"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api_sg"</span><span class="p">,</span><span class="w"> </span><span class="nl">"provider_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"registry.terraform.io/hashicorp/aws"</span><span class="p">,</span><span class="w"> </span><span class="nl">"change"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"update"</span><span class="p">],</span><span class="w"> </span><span class="nl">"before"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ingress"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"from_port"</span><span class="p">:</span><span class="w"> </span><span class="mi">443</span><span class="p">,</span><span class="w"> </span><span class="nl">"to_port"</span><span class="p">:</span><span class="w"> </span><span class="mi">443</span><span class="p">,</span><span class="w"> </span><span class="nl">"cidr_blocks"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"10.0.0.0/8"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"tags"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api-sg"</span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"after"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ingress"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"from_port"</span><span class="p">:</span><span class="w"> </span><span class="mi">443</span><span class="p">,</span><span class="w"> </span><span class="nl">"to_port"</span><span class="p">:</span><span class="w"> </span><span class="mi">443</span><span class="p">,</span><span class="w"> </span><span class="nl">"cidr_blocks"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"10.0.0.0/8"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"from_port"</span><span class="p">:</span><span class="w"> </span><span class="mi">22</span><span class="p">,</span><span class="w"> </span><span class="nl">"to_port"</span><span class="p">:</span><span class="w"> </span><span class="mi">22</span><span class="p">,</span><span class="w"> </span><span class="nl">"cidr_blocks"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"tags"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api-sg"</span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"after_sensitive"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span><span class="w"> </span><span class="nl">"after_unknown"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Each entry in <code>resource_changes</code> represents one resource that Terraform wants to modify. The <code>change</code> object gives you a <code>before</code> snapshot (current state in the cloud) and an <code>after</code> snapshot (what Terraform wants it to look like). The <code>actions</code> array tells you what kind of change it is.</p> <h2> Parsing the actions field </h2> <p>The <code>actions</code> field is where it gets interesting. It's an array, not a string, and the possible values are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Single actions </span><span class="p">[</span><span class="sh">"</span><span class="s">no-op</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Nothing changed </span><span class="p">[</span><span class="sh">"</span><span class="s">create</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Resource exists in code but not in cloud </span><span class="p">[</span><span class="sh">"</span><span class="s">delete</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Resource exists in cloud but not in code </span><span class="p">[</span><span class="sh">"</span><span class="s">update</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Resource exists in both but attributes differ </span><span class="p">[</span><span class="sh">"</span><span class="s">read</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Data source refresh </span> <span class="c1"># Compound actions (two-element arrays) </span><span class="p">[</span><span class="sh">"</span><span class="s">delete</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">create</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Must destroy and recreate </span><span class="p">[</span><span class="sh">"</span><span class="s">create</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">delete</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Create new before destroying old </span></code></pre> </div> <p>That last distinction matters. <code>["delete", "create"]</code> means Terraform will delete the resource first, then create the replacement — there will be downtime. <code>["create", "delete"]</code> means Terraform creates the new one first, then removes the old one — no downtime. The <code>create_before_destroy</code> lifecycle setting in your Terraform code controls which one you get.</p> <p>Here's how I mapped these to a simpler enum:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">enum</span> <span class="kn">import</span> <span class="n">Enum</span> <span class="k">class</span> <span class="nc">ChangeAction</span><span class="p">(</span><span class="nb">str</span><span class="p">,</span> <span class="n">Enum</span><span class="p">):</span> <span class="n">CREATE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">create</span><span class="sh">"</span> <span class="n">UPDATE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">update</span><span class="sh">"</span> <span class="n">DELETE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">delete</span><span class="sh">"</span> <span class="n">REPLACE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">replace</span><span class="sh">"</span> <span class="n">NO_OP</span> <span class="o">=</span> <span class="sh">"</span><span class="s">no-op</span><span class="sh">"</span> <span class="n">ACTION_MAP</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">create</span><span class="sh">"</span><span class="p">:</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">CREATE</span><span class="p">,</span> <span class="sh">"</span><span class="s">update</span><span class="sh">"</span><span class="p">:</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">UPDATE</span><span class="p">,</span> <span class="sh">"</span><span class="s">delete</span><span class="sh">"</span><span class="p">:</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">DELETE</span><span class="p">,</span> <span class="sh">"</span><span class="s">create,delete</span><span class="sh">"</span><span class="p">:</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">REPLACE</span><span class="p">,</span> <span class="sh">"</span><span class="s">delete,create</span><span class="sh">"</span><span class="p">:</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">REPLACE</span><span class="p">,</span> <span class="sh">"</span><span class="s">no-op</span><span class="sh">"</span><span class="p">:</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">NO_OP</span><span class="p">,</span> <span class="sh">"</span><span class="s">read</span><span class="sh">"</span><span class="p">:</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">NO_OP</span><span class="p">,</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">parse_action</span><span class="p">(</span><span class="n">actions</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="n">ChangeAction</span><span class="p">:</span> <span class="n">key</span> <span class="o">=</span> <span class="sh">"</span><span class="s">,</span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">actions</span><span class="p">)</span> <span class="k">return</span> <span class="n">ACTION_MAP</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">UPDATE</span><span class="p">)</span> </code></pre> </div> <p>I collapsed both compound actions into a single <code>REPLACE</code> because for drift detection, the direction doesn't matter — either way, the resource is being recreated.</p> <h2> Extracting attribute-level diffs </h2> <p>This is the core of what makes severity classification possible. The <code>before</code> and <code>after</code> objects are full resource representations, so you can diff them attribute by attribute:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">extract_changes</span><span class="p">(</span><span class="n">before</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">after</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Find which specific attributes changed.</span><span class="sh">"""</span> <span class="n">changes</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">all_keys</span> <span class="o">=</span> <span class="nf">set</span><span class="p">(</span><span class="n">before</span><span class="p">.</span><span class="nf">keys</span><span class="p">())</span> <span class="o">|</span> <span class="nf">set</span><span class="p">(</span><span class="n">after</span><span class="p">.</span><span class="nf">keys</span><span class="p">())</span> <span class="k">for</span> <span class="n">key</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">all_keys</span><span class="p">):</span> <span class="n">old_val</span> <span class="o">=</span> <span class="n">before</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="n">new_val</span> <span class="o">=</span> <span class="n">after</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="k">if</span> <span class="n">old_val</span> <span class="o">!=</span> <span class="n">new_val</span><span class="p">:</span> <span class="n">changes</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">attribute</span><span class="sh">"</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="sh">"</span><span class="s">old_value</span><span class="sh">"</span><span class="p">:</span> <span class="n">old_val</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_value</span><span class="sh">"</span><span class="p">:</span> <span class="n">new_val</span><span class="p">,</span> <span class="p">})</span> <span class="k">return</span> <span class="n">changes</span> </code></pre> </div> <p>Simple, right? Mostly. There are a few gotchas.</p> <h3> Gotcha 1: Sensitive values </h3> <p>Some attributes are marked as sensitive — passwords, API keys, things you don't want showing up in logs. Terraform handles this through the <code>after_sensitive</code> field:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"after"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"newsecret123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"after_sensitive"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>You need to check <code>after_sensitive</code> before logging or displaying values:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">extract_changes</span><span class="p">(</span><span class="n">before</span><span class="p">,</span> <span class="n">after</span><span class="p">,</span> <span class="n">after_sensitive</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="n">changes</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">after_sensitive</span> <span class="o">=</span> <span class="n">after_sensitive</span> <span class="ow">or</span> <span class="p">{}</span> <span class="n">all_keys</span> <span class="o">=</span> <span class="nf">set</span><span class="p">(</span><span class="n">before</span><span class="p">.</span><span class="nf">keys</span><span class="p">())</span> <span class="o">|</span> <span class="nf">set</span><span class="p">(</span><span class="n">after</span><span class="p">.</span><span class="nf">keys</span><span class="p">())</span> <span class="k">for</span> <span class="n">key</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">all_keys</span><span class="p">):</span> <span class="n">old_val</span> <span class="o">=</span> <span class="n">before</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="n">new_val</span> <span class="o">=</span> <span class="n">after</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="k">if</span> <span class="n">old_val</span> <span class="o">!=</span> <span class="n">new_val</span><span class="p">:</span> <span class="n">is_sensitive</span> <span class="o">=</span> <span class="p">(</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">after_sensitive</span><span class="p">,</span> <span class="nb">dict</span><span class="p">)</span> <span class="ow">and</span> <span class="n">after_sensitive</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span> <span class="p">)</span> <span class="n">changes</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">attribute</span><span class="sh">"</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="sh">"</span><span class="s">old_value</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">(sensitive)</span><span class="sh">"</span> <span class="k">if</span> <span class="n">is_sensitive</span> <span class="k">else</span> <span class="n">old_val</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_value</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">(sensitive)</span><span class="sh">"</span> <span class="k">if</span> <span class="n">is_sensitive</span> <span class="k">else</span> <span class="n">new_val</span><span class="p">,</span> <span class="p">})</span> <span class="k">return</span> <span class="n">changes</span> </code></pre> </div> <p>I learned this one the hard way when a database password showed up in a Slack notification during testing. Don't be me.</p> <h3> Gotcha 2: Nested objects and lists </h3> <p>Some attributes are deeply nested. A security group's <code>ingress</code> attribute isn't a simple value — it's a list of rule objects, each with <code>from_port</code>, <code>to_port</code>, <code>protocol</code>, and <code>cidr_blocks</code>. When you compare <code>before["ingress"]</code> to <code>after["ingress"]</code>, Python's <code>!=</code> operator works because it does deep comparison on lists and dicts. But the diff you get is "ingress changed" — you lose the granularity of <em>which</em> rule was added or removed.</p> <p>For tfdrift, I made the decision to report at the attribute level, not the nested value level. So you get "ingress changed" rather than "a new rule was added allowing port 22 from 0.0.0.0/0." This is a tradeoff — you lose some detail, but you gain simplicity and the ability to do pattern-based severity matching on the attribute name.</p> <p>If you need deeper diffing, you'd want something like <code>deepdiff</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">deepdiff</span> <span class="kn">import</span> <span class="n">DeepDiff</span> <span class="n">diff</span> <span class="o">=</span> <span class="nc">DeepDiff</span><span class="p">(</span><span class="n">before</span><span class="p">[</span><span class="sh">"</span><span class="s">ingress</span><span class="sh">"</span><span class="p">],</span> <span class="n">after</span><span class="p">[</span><span class="sh">"</span><span class="s">ingress</span><span class="sh">"</span><span class="p">])</span> </code></pre> </div> <p>But for severity classification, knowing that <code>ingress</code> changed is enough to classify it as Critical.</p> <h3> Gotcha 3: Null vs. absent </h3> <p>Terraform's JSON output isn't always consistent about null values. Sometimes a missing attribute is <code>null</code>, sometimes it's absent from the object entirely. Your comparison code needs to handle both:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">old_val</span> <span class="o">=</span> <span class="n">before</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="c1"># Returns None if key doesn't exist </span><span class="n">new_val</span> <span class="o">=</span> <span class="n">after</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="c1"># Both None/absent means no change </span><span class="k">if</span> <span class="n">old_val</span> <span class="ow">is</span> <span class="bp">None</span> <span class="ow">and</span> <span class="n">new_val</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">continue</span> </code></pre> </div> <h3> Gotcha 4: Data sources show up in resource_changes </h3> <p>This surprised me. Data sources (<code>data.aws_ami.latest</code>, <code>data.aws_vpc.main</code>, etc.) appear in the <code>resource_changes</code> array with a <code>mode</code> of <code>"data"</code>. They're not real resources — they're just lookups. You need to filter them out:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">for</span> <span class="n">change</span> <span class="ow">in</span> <span class="n">plan_json</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">resource_changes</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]):</span> <span class="k">if</span> <span class="n">change</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">:</span> <span class="k">continue</span> <span class="c1"># Skip data sources </span></code></pre> </div> <p>If you don't, you'll get false drift alerts every time a data source refreshes with slightly different results.</p> <h3> Gotcha 5: Module addresses </h3> <p>Resources inside modules have a <code>module_address</code> field:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws_instance.web"</span><span class="p">,</span><span class="w"> </span><span class="nl">"module_address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"module.compute.module.web_tier"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws_instance"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"web"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>address</code> field alone is <code>aws_instance.web</code>, which isn't unique if you have the same resource name in multiple modules. The full address is <code>module.compute.module.web_tier.aws_instance.web</code>. In tfdrift I handle this like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@property</span> <span class="k">def</span> <span class="nf">full_address</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">module</span><span class="p">:</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">module</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">address</span><span class="si">}</span><span class="sh">"</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">address</span> </code></pre> </div> <h2> Handling variable files </h2> <p>Here's something I discovered only when testing against real infrastructure: a huge number of workspaces require variable files to plan successfully. Without the right <code>.tfvars</code> file, <code>terraform plan</code> fails immediately with "No value for required variable."</p> <p>My first scan of a real environment found 150+ workspaces. About 80% of the subdirectory workspaces failed because they expected variables to be passed in. The main workspace had a <code>terraform.tfvars</code> file and worked fine.</p> <p>The fix was auto-detection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">find_var_files</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">:</span> <span class="n">Path</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Find .tfvars files in a workspace directory.</span><span class="sh">"""</span> <span class="n">var_files</span> <span class="o">=</span> <span class="p">[]</span> <span class="c1"># terraform.tfvars is the default — always include if present </span> <span class="n">default</span> <span class="o">=</span> <span class="n">workspace_path</span> <span class="o">/</span> <span class="sh">"</span><span class="s">terraform.tfvars</span><span class="sh">"</span> <span class="k">if</span> <span class="n">default</span><span class="p">.</span><span class="nf">exists</span><span class="p">():</span> <span class="n">var_files</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nf">str</span><span class="p">(</span><span class="n">default</span><span class="p">))</span> <span class="c1"># Also check for other .tfvars files </span> <span class="k">for</span> <span class="n">f</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">.</span><span class="nf">glob</span><span class="p">(</span><span class="sh">"</span><span class="s">*.tfvars</span><span class="sh">"</span><span class="p">)):</span> <span class="k">if</span> <span class="n">f</span><span class="p">.</span><span class="n">name</span> <span class="o">==</span> <span class="sh">"</span><span class="s">terraform.tfvars</span><span class="sh">"</span><span class="p">:</span> <span class="k">continue</span> <span class="c1"># Already added </span> <span class="k">if</span> <span class="n">f</span><span class="p">.</span><span class="n">name</span><span class="p">.</span><span class="nf">endswith</span><span class="p">(</span><span class="sh">"</span><span class="s">.auto.tfvars</span><span class="sh">"</span><span class="p">):</span> <span class="k">continue</span> <span class="c1"># Terraform loads these automatically </span> <span class="n">var_files</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nf">str</span><span class="p">(</span><span class="n">f</span><span class="p">))</span> <span class="k">return</span> <span class="n">var_files</span> </code></pre> </div> <p>Then when building the plan command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">plan_cmd</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">plan</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-out=tfplan</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-input=false</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-no-color</span><span class="sh">"</span><span class="p">]</span> <span class="k">for</span> <span class="n">vf</span> <span class="ow">in</span> <span class="nf">find_var_files</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">):</span> <span class="n">plan_cmd</span><span class="p">.</span><span class="nf">extend</span><span class="p">([</span><span class="sh">"</span><span class="s">-var-file</span><span class="sh">"</span><span class="p">,</span> <span class="n">vf</span><span class="p">])</span> </code></pre> </div> <p>This single change took my scan success rate from about 20% to 85% on that same codebase.</p> <h2> The -detailed-exitcode flag </h2> <p>Here's a useful trick: <code>terraform plan</code> supports a <code>-detailed-exitcode</code> flag that changes the exit code behavior:</p> <ul> <li>Exit code 0: Plan succeeded, no changes</li> <li>Exit code 1: Error</li> <li>Exit code 2: Plan succeeded, changes detected</li> </ul> <p>This means you can quickly check for drift without parsing any JSON at all:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">plan</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-detailed-exitcode</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-input=false</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-no-color</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-out=tfplan</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">workspace_path</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">returncode</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="c1"># No drift — skip JSON parsing entirely </span> <span class="k">return</span> <span class="p">[]</span> <span class="k">elif</span> <span class="n">result</span><span class="p">.</span><span class="n">returncode</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span> <span class="c1"># Error — log and move on </span> <span class="k">return</span> <span class="nf">handle_error</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">stderr</span><span class="p">)</span> <span class="k">elif</span> <span class="n">result</span><span class="p">.</span><span class="n">returncode</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span> <span class="c1"># Drift detected — now parse the JSON </span> <span class="k">return</span> <span class="nf">parse_plan_json</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">)</span> </code></pre> </div> <p>This is a nice optimization because it means you only run <code>terraform show -json</code> (which can be slow for large state files) when there's actually something to look at.</p> <h2> Putting it all together </h2> <p>Here's the complete flow in simplified form:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">scan_workspace</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="n">DriftedResource</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Scan a single workspace for drift.</span><span class="sh">"""</span> <span class="c1"># 1. Run terraform init </span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">init</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-backend=true</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-input=false</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-no-color</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">workspace_path</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># 2. Build plan command with var files </span> <span class="n">plan_cmd</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">plan</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-detailed-exitcode</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-input=false</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-no-color</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-out=tfplan</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> <span class="k">for</span> <span class="n">vf</span> <span class="ow">in</span> <span class="nf">find_var_files</span><span class="p">(</span><span class="nc">Path</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">)):</span> <span class="n">plan_cmd</span><span class="p">.</span><span class="nf">extend</span><span class="p">([</span><span class="sh">"</span><span class="s">-var-file</span><span class="sh">"</span><span class="p">,</span> <span class="n">vf</span><span class="p">])</span> <span class="c1"># 3. Run plan </span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="n">plan_cmd</span><span class="p">,</span> <span class="n">cwd</span><span class="o">=</span><span class="n">workspace_path</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">returncode</span> <span class="o">!=</span> <span class="mi">2</span><span class="p">:</span> <span class="k">return</span> <span class="p">[]</span> <span class="c1"># No drift or error </span> <span class="c1"># 4. Get JSON output </span> <span class="n">show</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">show</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-json</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tfplan</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">workspace_path</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="n">plan_json</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">show</span><span class="p">.</span><span class="n">stdout</span><span class="p">)</span> <span class="c1"># 5. Parse changes </span> <span class="n">drifted</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">change</span> <span class="ow">in</span> <span class="n">plan_json</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">resource_changes</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]):</span> <span class="k">if</span> <span class="n">change</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">:</span> <span class="k">continue</span> <span class="n">actions</span> <span class="o">=</span> <span class="n">change</span><span class="p">[</span><span class="sh">"</span><span class="s">change</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">actions</span><span class="sh">"</span><span class="p">]</span> <span class="n">action</span> <span class="o">=</span> <span class="nf">parse_action</span><span class="p">(</span><span class="n">actions</span><span class="p">)</span> <span class="k">if</span> <span class="n">action</span> <span class="o">==</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">NO_OP</span><span class="p">:</span> <span class="k">continue</span> <span class="n">before</span> <span class="o">=</span> <span class="n">change</span><span class="p">[</span><span class="sh">"</span><span class="s">change</span><span class="sh">"</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">before</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}</span> <span class="n">after</span> <span class="o">=</span> <span class="n">change</span><span class="p">[</span><span class="sh">"</span><span class="s">change</span><span class="sh">"</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">after</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}</span> <span class="n">sensitive</span> <span class="o">=</span> <span class="n">change</span><span class="p">[</span><span class="sh">"</span><span class="s">change</span><span class="sh">"</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">after_sensitive</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}</span> <span class="n">attr_changes</span> <span class="o">=</span> <span class="nf">extract_changes</span><span class="p">(</span><span class="n">before</span><span class="p">,</span> <span class="n">after</span><span class="p">,</span> <span class="n">sensitive</span><span class="p">)</span> <span class="n">drifted</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nc">DriftedResource</span><span class="p">(</span> <span class="n">address</span><span class="o">=</span><span class="n">change</span><span class="p">[</span><span class="sh">"</span><span class="s">address</span><span class="sh">"</span><span class="p">],</span> <span class="n">resource_type</span><span class="o">=</span><span class="n">change</span><span class="p">[</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">],</span> <span class="n">action</span><span class="o">=</span><span class="n">action</span><span class="p">,</span> <span class="n">changes</span><span class="o">=</span><span class="n">attr_changes</span><span class="p">,</span> <span class="n">module</span><span class="o">=</span><span class="n">change</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">module_address</span><span class="sh">"</span><span class="p">),</span> <span class="p">))</span> <span class="c1"># 6. Clean up plan file </span> <span class="nc">Path</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">,</span> <span class="sh">"</span><span class="s">tfplan</span><span class="sh">"</span><span class="p">).</span><span class="nf">unlink</span><span class="p">(</span><span class="n">missing_ok</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="n">drifted</span> </code></pre> </div> <p>That's roughly 60 lines to go from a Terraform workspace directory to a structured list of drifted resources with attribute-level detail. The actual tfdrift implementation adds severity classification, ignore rules, error handling, and reporting on top of this, but the core parsing logic is what you see here.</p> <h2> Lessons learned </h2> <p><strong>Shell out, don't replicate.</strong> I briefly considered using the Terraform provider SDKs directly (like boto3 for AWS) to compare state. That would've been months of work and broken with every provider update. Shelling out to <code>terraform plan -json</code> gives you free compatibility with every provider, every backend, and every Terraform version since 0.12. The tradeoff is requiring a Terraform installation, but anyone who needs drift detection already has one.</p> <p><strong>The JSON format is stable but undocumented.</strong> HashiCorp has <a href="https://developer.hashicorp.com/terraform/internals/json-format" rel="noopener noreferrer">documentation</a> for the JSON output format, but it's sparse. The format has been stable since Terraform 0.12 (2019), and I haven't encountered breaking changes across versions. But it's not formally versioned, so in theory a future release could change things. Supporting OpenTofu via a <code>--binary</code> flag is a hedge against that.</p> <p><strong>Test against real infrastructure early.</strong> I built the parser against synthetic test data first and thought it was done. Then I pointed it at a real codebase with 150+ workspaces and discovered the variable file problem, the module address problem, and several edge cases with nested attributes. Synthetic tests are necessary but not sufficient.</p> <p><strong>Clean up after yourself.</strong> The <code>tfplan</code> binary file that <code>terraform plan -out</code> creates will accumulate if you don't delete it. In a scan across 150 workspaces, that's 150 binary files sitting in various directories. Always clean up in a <code>finally</code> block.</p> <h2> Try it yourself </h2> <p>All of this code is in the tfdrift source:</p> <ul> <li> <strong>Plan execution</strong>: <a href="https://github.com/sudarshan8417/tfdrift/blob/main/src/tfdrift/detectors/drift.py" rel="noopener noreferrer"><code>src/tfdrift/detectors/drift.py</code></a> </li> <li> <strong>Data models</strong>: <a href="https://github.com/sudarshan8417/tfdrift/blob/main/src/tfdrift/models.py" rel="noopener noreferrer"><code>src/tfdrift/models.py</code></a> </li> <li> <strong>Severity classification</strong>: <a href="https://github.com/sudarshan8417/tfdrift/blob/main/src/tfdrift/severity.py" rel="noopener noreferrer"><code>src/tfdrift/severity.py</code></a> </li> </ul> <p>Or just install it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>tfdrift tfdrift scan <span class="nt">--path</span> ./your-terraform-dir <span class="nt">--verbose</span> </code></pre> </div> <p>If you're building your own Terraform tooling and run into edge cases I didn't cover, I'd love to hear about them. Open an issue or drop a comment.</p> <p><em>This is part 3 of a series on infrastructure drift detection. Part 1: <a href="https://dev.to/sudarshan_thakur_1e141b99/i-built-tfdrift-free-terraform-drift-detection-with-severity-alerts-2n96">I Built a Free Terraform Drift Detector — Here's Why</a>. Part 2: <a href="https://dev.to/sudarshan_thakur_1e141b99/why-severity-classification-changes-everything-about-drift-detection-2lig">Why Severity Classification Changes Everything About Drift Detection</a>. Coming next: Setting Up Continuous Drift Monitoring With GitHub Actions and Slack.</em></p> devops python terraform tooling Sudarshan Thakur Sat, 09 May 2026 20:45:05 +0000 https://forem.com/sudarshan_thakur_1e141b99/how-i-built-a-terraform-plan-json-parser-in-python-kaa https://forem.com/sudarshan_thakur_1e141b99/how-i-built-a-terraform-plan-json-parser-in-python-kaa <p>Most DevOps engineers have run <code>terraform plan</code> thousands of times. Very few have looked at what comes out when you add the <code>-json</code> flag.</p> <p>I spent a couple of weeks inside that JSON output while building <a href="https://github.com/sudarshan8417/tfdrift" rel="noopener noreferrer">tfdrift</a>, an open-source drift detection tool. What I found was a surprisingly well-structured format — and a handful of gotchas that aren't documented anywhere obvious.</p> <p>This post is the technical deep-dive I wish I'd had when I started. If you're building any kind of tooling on top of Terraform — drift detection, policy enforcement, cost estimation, change analysis — this is the stuff you'll need to know.</p> <h2> Getting the JSON output </h2> <p>First, the basics. You can't just pipe <code>terraform plan</code> to get JSON. The text output and the JSON output are completely different codepaths. You need to do it in two steps:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1: Generate a plan file</span> terraform plan <span class="nt">-out</span><span class="o">=</span>tfplan <span class="nt">-input</span><span class="o">=</span><span class="nb">false</span> <span class="nt">-no-color</span> <span class="c"># Step 2: Convert to JSON</span> terraform show <span class="nt">-json</span> tfplan </code></pre> </div> <p>The <code>-out</code> flag saves the plan as a binary file (not human-readable), and <code>terraform show -json</code> converts that binary into structured JSON. You can't skip step 1 — there's no <code>terraform plan -json</code> flag that gives you JSON directly to stdout. This tripped me up initially.</p> <p>In Python, that looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">json</span> <span class="k">def</span> <span class="nf">get_plan_json</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="c1"># Generate the plan file </span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">plan</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-out=tfplan</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-input=false</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-no-color</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">workspace_path</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">600</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Convert to JSON </span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">show</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-json</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tfplan</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">workspace_path</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">120</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">stdout</span><span class="p">)</span> </code></pre> </div> <p>A few things to notice here. The timeout on <code>plan</code> is 10 minutes — for large workspaces with many resources, plan can take a while because it's refreshing state against the cloud provider APIs. The timeout on <code>show</code> is shorter because it's just reading a local file. And we always set <code>-input=false</code> because we're running non-interactively — without it, Terraform might hang waiting for user input.</p> <h2> The structure of plan JSON </h2> <p>The JSON output has a lot of fields, but for drift detection, you really only care about one: <code>resource_changes</code>. Here's what a simplified version looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"format_version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"terraform_version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.7.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"resource_changes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws_security_group.api_sg"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"managed"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws_security_group"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api_sg"</span><span class="p">,</span><span class="w"> </span><span class="nl">"provider_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"registry.terraform.io/hashicorp/aws"</span><span class="p">,</span><span class="w"> </span><span class="nl">"change"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"update"</span><span class="p">],</span><span class="w"> </span><span class="nl">"before"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ingress"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"from_port"</span><span class="p">:</span><span class="w"> </span><span class="mi">443</span><span class="p">,</span><span class="w"> </span><span class="nl">"to_port"</span><span class="p">:</span><span class="w"> </span><span class="mi">443</span><span class="p">,</span><span class="w"> </span><span class="nl">"cidr_blocks"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"10.0.0.0/8"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"tags"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api-sg"</span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"after"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ingress"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"from_port"</span><span class="p">:</span><span class="w"> </span><span class="mi">443</span><span class="p">,</span><span class="w"> </span><span class="nl">"to_port"</span><span class="p">:</span><span class="w"> </span><span class="mi">443</span><span class="p">,</span><span class="w"> </span><span class="nl">"cidr_blocks"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"10.0.0.0/8"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"from_port"</span><span class="p">:</span><span class="w"> </span><span class="mi">22</span><span class="p">,</span><span class="w"> </span><span class="nl">"to_port"</span><span class="p">:</span><span class="w"> </span><span class="mi">22</span><span class="p">,</span><span class="w"> </span><span class="nl">"cidr_blocks"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"tags"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api-sg"</span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"after_sensitive"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span><span class="w"> </span><span class="nl">"after_unknown"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Each entry in <code>resource_changes</code> represents one resource that Terraform wants to modify. The <code>change</code> object gives you a <code>before</code> snapshot (current state in the cloud) and an <code>after</code> snapshot (what Terraform wants it to look like). The <code>actions</code> array tells you what kind of change it is.</p> <h2> Parsing the actions field </h2> <p>The <code>actions</code> field is where it gets interesting. It's an array, not a string, and the possible values are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Single actions </span><span class="p">[</span><span class="sh">"</span><span class="s">no-op</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Nothing changed </span><span class="p">[</span><span class="sh">"</span><span class="s">create</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Resource exists in code but not in cloud </span><span class="p">[</span><span class="sh">"</span><span class="s">delete</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Resource exists in cloud but not in code </span><span class="p">[</span><span class="sh">"</span><span class="s">update</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Resource exists in both but attributes differ </span><span class="p">[</span><span class="sh">"</span><span class="s">read</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Data source refresh </span> <span class="c1"># Compound actions (two-element arrays) </span><span class="p">[</span><span class="sh">"</span><span class="s">delete</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">create</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Must destroy and recreate </span><span class="p">[</span><span class="sh">"</span><span class="s">create</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">delete</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Create new before destroying old </span></code></pre> </div> <p>That last distinction matters. <code>["delete", "create"]</code> means Terraform will delete the resource first, then create the replacement — there will be downtime. <code>["create", "delete"]</code> means Terraform creates the new one first, then removes the old one — no downtime. The <code>create_before_destroy</code> lifecycle setting in your Terraform code controls which one you get.</p> <p>Here's how I mapped these to a simpler enum:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">enum</span> <span class="kn">import</span> <span class="n">Enum</span> <span class="k">class</span> <span class="nc">ChangeAction</span><span class="p">(</span><span class="nb">str</span><span class="p">,</span> <span class="n">Enum</span><span class="p">):</span> <span class="n">CREATE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">create</span><span class="sh">"</span> <span class="n">UPDATE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">update</span><span class="sh">"</span> <span class="n">DELETE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">delete</span><span class="sh">"</span> <span class="n">REPLACE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">replace</span><span class="sh">"</span> <span class="n">NO_OP</span> <span class="o">=</span> <span class="sh">"</span><span class="s">no-op</span><span class="sh">"</span> <span class="n">ACTION_MAP</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">create</span><span class="sh">"</span><span class="p">:</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">CREATE</span><span class="p">,</span> <span class="sh">"</span><span class="s">update</span><span class="sh">"</span><span class="p">:</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">UPDATE</span><span class="p">,</span> <span class="sh">"</span><span class="s">delete</span><span class="sh">"</span><span class="p">:</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">DELETE</span><span class="p">,</span> <span class="sh">"</span><span class="s">create,delete</span><span class="sh">"</span><span class="p">:</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">REPLACE</span><span class="p">,</span> <span class="sh">"</span><span class="s">delete,create</span><span class="sh">"</span><span class="p">:</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">REPLACE</span><span class="p">,</span> <span class="sh">"</span><span class="s">no-op</span><span class="sh">"</span><span class="p">:</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">NO_OP</span><span class="p">,</span> <span class="sh">"</span><span class="s">read</span><span class="sh">"</span><span class="p">:</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">NO_OP</span><span class="p">,</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">parse_action</span><span class="p">(</span><span class="n">actions</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="n">ChangeAction</span><span class="p">:</span> <span class="n">key</span> <span class="o">=</span> <span class="sh">"</span><span class="s">,</span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">actions</span><span class="p">)</span> <span class="k">return</span> <span class="n">ACTION_MAP</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">UPDATE</span><span class="p">)</span> </code></pre> </div> <p>I collapsed both compound actions into a single <code>REPLACE</code> because for drift detection, the direction doesn't matter — either way, the resource is being recreated.</p> <h2> Extracting attribute-level diffs </h2> <p>This is the core of what makes severity classification possible. The <code>before</code> and <code>after</code> objects are full resource representations, so you can diff them attribute by attribute:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">extract_changes</span><span class="p">(</span><span class="n">before</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">after</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Find which specific attributes changed.</span><span class="sh">"""</span> <span class="n">changes</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">all_keys</span> <span class="o">=</span> <span class="nf">set</span><span class="p">(</span><span class="n">before</span><span class="p">.</span><span class="nf">keys</span><span class="p">())</span> <span class="o">|</span> <span class="nf">set</span><span class="p">(</span><span class="n">after</span><span class="p">.</span><span class="nf">keys</span><span class="p">())</span> <span class="k">for</span> <span class="n">key</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">all_keys</span><span class="p">):</span> <span class="n">old_val</span> <span class="o">=</span> <span class="n">before</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="n">new_val</span> <span class="o">=</span> <span class="n">after</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="k">if</span> <span class="n">old_val</span> <span class="o">!=</span> <span class="n">new_val</span><span class="p">:</span> <span class="n">changes</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">attribute</span><span class="sh">"</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="sh">"</span><span class="s">old_value</span><span class="sh">"</span><span class="p">:</span> <span class="n">old_val</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_value</span><span class="sh">"</span><span class="p">:</span> <span class="n">new_val</span><span class="p">,</span> <span class="p">})</span> <span class="k">return</span> <span class="n">changes</span> </code></pre> </div> <p>Simple, right? Mostly. There are a few gotchas.</p> <h3> Gotcha 1: Sensitive values </h3> <p>Some attributes are marked as sensitive — passwords, API keys, things you don't want showing up in logs. Terraform handles this through the <code>after_sensitive</code> field:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"after"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"newsecret123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"after_sensitive"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>You need to check <code>after_sensitive</code> before logging or displaying values:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">extract_changes</span><span class="p">(</span><span class="n">before</span><span class="p">,</span> <span class="n">after</span><span class="p">,</span> <span class="n">after_sensitive</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="n">changes</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">after_sensitive</span> <span class="o">=</span> <span class="n">after_sensitive</span> <span class="ow">or</span> <span class="p">{}</span> <span class="n">all_keys</span> <span class="o">=</span> <span class="nf">set</span><span class="p">(</span><span class="n">before</span><span class="p">.</span><span class="nf">keys</span><span class="p">())</span> <span class="o">|</span> <span class="nf">set</span><span class="p">(</span><span class="n">after</span><span class="p">.</span><span class="nf">keys</span><span class="p">())</span> <span class="k">for</span> <span class="n">key</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">all_keys</span><span class="p">):</span> <span class="n">old_val</span> <span class="o">=</span> <span class="n">before</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="n">new_val</span> <span class="o">=</span> <span class="n">after</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="k">if</span> <span class="n">old_val</span> <span class="o">!=</span> <span class="n">new_val</span><span class="p">:</span> <span class="n">is_sensitive</span> <span class="o">=</span> <span class="p">(</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">after_sensitive</span><span class="p">,</span> <span class="nb">dict</span><span class="p">)</span> <span class="ow">and</span> <span class="n">after_sensitive</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span> <span class="p">)</span> <span class="n">changes</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">attribute</span><span class="sh">"</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="sh">"</span><span class="s">old_value</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">(sensitive)</span><span class="sh">"</span> <span class="k">if</span> <span class="n">is_sensitive</span> <span class="k">else</span> <span class="n">old_val</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_value</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">(sensitive)</span><span class="sh">"</span> <span class="k">if</span> <span class="n">is_sensitive</span> <span class="k">else</span> <span class="n">new_val</span><span class="p">,</span> <span class="p">})</span> <span class="k">return</span> <span class="n">changes</span> </code></pre> </div> <p>I learned this one the hard way when a database password showed up in a Slack notification during testing. Don't be me.</p> <h3> Gotcha 2: Nested objects and lists </h3> <p>Some attributes are deeply nested. A security group's <code>ingress</code> attribute isn't a simple value — it's a list of rule objects, each with <code>from_port</code>, <code>to_port</code>, <code>protocol</code>, and <code>cidr_blocks</code>. When you compare <code>before["ingress"]</code> to <code>after["ingress"]</code>, Python's <code>!=</code> operator works because it does deep comparison on lists and dicts. But the diff you get is "ingress changed" — you lose the granularity of <em>which</em> rule was added or removed.</p> <p>For tfdrift, I made the decision to report at the attribute level, not the nested value level. So you get "ingress changed" rather than "a new rule was added allowing port 22 from 0.0.0.0/0." This is a tradeoff — you lose some detail, but you gain simplicity and the ability to do pattern-based severity matching on the attribute name.</p> <p>If you need deeper diffing, you'd want something like <code>deepdiff</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">deepdiff</span> <span class="kn">import</span> <span class="n">DeepDiff</span> <span class="n">diff</span> <span class="o">=</span> <span class="nc">DeepDiff</span><span class="p">(</span><span class="n">before</span><span class="p">[</span><span class="sh">"</span><span class="s">ingress</span><span class="sh">"</span><span class="p">],</span> <span class="n">after</span><span class="p">[</span><span class="sh">"</span><span class="s">ingress</span><span class="sh">"</span><span class="p">])</span> </code></pre> </div> <p>But for severity classification, knowing that <code>ingress</code> changed is enough to classify it as Critical.</p> <h3> Gotcha 3: Null vs. absent </h3> <p>Terraform's JSON output isn't always consistent about null values. Sometimes a missing attribute is <code>null</code>, sometimes it's absent from the object entirely. Your comparison code needs to handle both:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">old_val</span> <span class="o">=</span> <span class="n">before</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="c1"># Returns None if key doesn't exist </span><span class="n">new_val</span> <span class="o">=</span> <span class="n">after</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="c1"># Both None/absent means no change </span><span class="k">if</span> <span class="n">old_val</span> <span class="ow">is</span> <span class="bp">None</span> <span class="ow">and</span> <span class="n">new_val</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">continue</span> </code></pre> </div> <h3> Gotcha 4: Data sources show up in resource_changes </h3> <p>This surprised me. Data sources (<code>data.aws_ami.latest</code>, <code>data.aws_vpc.main</code>, etc.) appear in the <code>resource_changes</code> array with a <code>mode</code> of <code>"data"</code>. They're not real resources — they're just lookups. You need to filter them out:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">for</span> <span class="n">change</span> <span class="ow">in</span> <span class="n">plan_json</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">resource_changes</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]):</span> <span class="k">if</span> <span class="n">change</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">:</span> <span class="k">continue</span> <span class="c1"># Skip data sources </span></code></pre> </div> <p>If you don't, you'll get false drift alerts every time a data source refreshes with slightly different results.</p> <h3> Gotcha 5: Module addresses </h3> <p>Resources inside modules have a <code>module_address</code> field:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws_instance.web"</span><span class="p">,</span><span class="w"> </span><span class="nl">"module_address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"module.compute.module.web_tier"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws_instance"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"web"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>address</code> field alone is <code>aws_instance.web</code>, which isn't unique if you have the same resource name in multiple modules. The full address is <code>module.compute.module.web_tier.aws_instance.web</code>. In tfdrift I handle this like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@property</span> <span class="k">def</span> <span class="nf">full_address</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">module</span><span class="p">:</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">module</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">address</span><span class="si">}</span><span class="sh">"</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">address</span> </code></pre> </div> <h2> Handling variable files </h2> <p>Here's something I discovered only when testing against real infrastructure: a huge number of workspaces require variable files to plan successfully. Without the right <code>.tfvars</code> file, <code>terraform plan</code> fails immediately with "No value for required variable."</p> <p>My first scan of a real environment found 150+ workspaces. About 80% of the subdirectory workspaces failed because they expected variables to be passed in. The main workspace had a <code>terraform.tfvars</code> file and worked fine.</p> <p>The fix was auto-detection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">find_var_files</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">:</span> <span class="n">Path</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Find .tfvars files in a workspace directory.</span><span class="sh">"""</span> <span class="n">var_files</span> <span class="o">=</span> <span class="p">[]</span> <span class="c1"># terraform.tfvars is the default — always include if present </span> <span class="n">default</span> <span class="o">=</span> <span class="n">workspace_path</span> <span class="o">/</span> <span class="sh">"</span><span class="s">terraform.tfvars</span><span class="sh">"</span> <span class="k">if</span> <span class="n">default</span><span class="p">.</span><span class="nf">exists</span><span class="p">():</span> <span class="n">var_files</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nf">str</span><span class="p">(</span><span class="n">default</span><span class="p">))</span> <span class="c1"># Also check for other .tfvars files </span> <span class="k">for</span> <span class="n">f</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">.</span><span class="nf">glob</span><span class="p">(</span><span class="sh">"</span><span class="s">*.tfvars</span><span class="sh">"</span><span class="p">)):</span> <span class="k">if</span> <span class="n">f</span><span class="p">.</span><span class="n">name</span> <span class="o">==</span> <span class="sh">"</span><span class="s">terraform.tfvars</span><span class="sh">"</span><span class="p">:</span> <span class="k">continue</span> <span class="c1"># Already added </span> <span class="k">if</span> <span class="n">f</span><span class="p">.</span><span class="n">name</span><span class="p">.</span><span class="nf">endswith</span><span class="p">(</span><span class="sh">"</span><span class="s">.auto.tfvars</span><span class="sh">"</span><span class="p">):</span> <span class="k">continue</span> <span class="c1"># Terraform loads these automatically </span> <span class="n">var_files</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nf">str</span><span class="p">(</span><span class="n">f</span><span class="p">))</span> <span class="k">return</span> <span class="n">var_files</span> </code></pre> </div> <p>Then when building the plan command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">plan_cmd</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">plan</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-out=tfplan</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-input=false</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-no-color</span><span class="sh">"</span><span class="p">]</span> <span class="k">for</span> <span class="n">vf</span> <span class="ow">in</span> <span class="nf">find_var_files</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">):</span> <span class="n">plan_cmd</span><span class="p">.</span><span class="nf">extend</span><span class="p">([</span><span class="sh">"</span><span class="s">-var-file</span><span class="sh">"</span><span class="p">,</span> <span class="n">vf</span><span class="p">])</span> </code></pre> </div> <p>This single change took my scan success rate from about 20% to 85% on that same codebase.</p> <h2> The -detailed-exitcode flag </h2> <p>Here's a useful trick: <code>terraform plan</code> supports a <code>-detailed-exitcode</code> flag that changes the exit code behavior:</p> <ul> <li>Exit code 0: Plan succeeded, no changes</li> <li>Exit code 1: Error</li> <li>Exit code 2: Plan succeeded, changes detected</li> </ul> <p>This means you can quickly check for drift without parsing any JSON at all:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">plan</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-detailed-exitcode</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-input=false</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-no-color</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-out=tfplan</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">workspace_path</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">returncode</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="c1"># No drift — skip JSON parsing entirely </span> <span class="k">return</span> <span class="p">[]</span> <span class="k">elif</span> <span class="n">result</span><span class="p">.</span><span class="n">returncode</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span> <span class="c1"># Error — log and move on </span> <span class="k">return</span> <span class="nf">handle_error</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">stderr</span><span class="p">)</span> <span class="k">elif</span> <span class="n">result</span><span class="p">.</span><span class="n">returncode</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span> <span class="c1"># Drift detected — now parse the JSON </span> <span class="k">return</span> <span class="nf">parse_plan_json</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">)</span> </code></pre> </div> <p>This is a nice optimization because it means you only run <code>terraform show -json</code> (which can be slow for large state files) when there's actually something to look at.</p> <h2> Putting it all together </h2> <p>Here's the complete flow in simplified form:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">scan_workspace</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="n">DriftedResource</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Scan a single workspace for drift.</span><span class="sh">"""</span> <span class="c1"># 1. Run terraform init </span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">init</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-backend=true</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-input=false</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-no-color</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">workspace_path</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># 2. Build plan command with var files </span> <span class="n">plan_cmd</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">plan</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-detailed-exitcode</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-input=false</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-no-color</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-out=tfplan</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> <span class="k">for</span> <span class="n">vf</span> <span class="ow">in</span> <span class="nf">find_var_files</span><span class="p">(</span><span class="nc">Path</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">)):</span> <span class="n">plan_cmd</span><span class="p">.</span><span class="nf">extend</span><span class="p">([</span><span class="sh">"</span><span class="s">-var-file</span><span class="sh">"</span><span class="p">,</span> <span class="n">vf</span><span class="p">])</span> <span class="c1"># 3. Run plan </span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="n">plan_cmd</span><span class="p">,</span> <span class="n">cwd</span><span class="o">=</span><span class="n">workspace_path</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">returncode</span> <span class="o">!=</span> <span class="mi">2</span><span class="p">:</span> <span class="k">return</span> <span class="p">[]</span> <span class="c1"># No drift or error </span> <span class="c1"># 4. Get JSON output </span> <span class="n">show</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">terraform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">show</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-json</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tfplan</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">workspace_path</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="n">plan_json</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">show</span><span class="p">.</span><span class="n">stdout</span><span class="p">)</span> <span class="c1"># 5. Parse changes </span> <span class="n">drifted</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">change</span> <span class="ow">in</span> <span class="n">plan_json</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">resource_changes</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]):</span> <span class="k">if</span> <span class="n">change</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">:</span> <span class="k">continue</span> <span class="n">actions</span> <span class="o">=</span> <span class="n">change</span><span class="p">[</span><span class="sh">"</span><span class="s">change</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">actions</span><span class="sh">"</span><span class="p">]</span> <span class="n">action</span> <span class="o">=</span> <span class="nf">parse_action</span><span class="p">(</span><span class="n">actions</span><span class="p">)</span> <span class="k">if</span> <span class="n">action</span> <span class="o">==</span> <span class="n">ChangeAction</span><span class="p">.</span><span class="n">NO_OP</span><span class="p">:</span> <span class="k">continue</span> <span class="n">before</span> <span class="o">=</span> <span class="n">change</span><span class="p">[</span><span class="sh">"</span><span class="s">change</span><span class="sh">"</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">before</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}</span> <span class="n">after</span> <span class="o">=</span> <span class="n">change</span><span class="p">[</span><span class="sh">"</span><span class="s">change</span><span class="sh">"</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">after</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}</span> <span class="n">sensitive</span> <span class="o">=</span> <span class="n">change</span><span class="p">[</span><span class="sh">"</span><span class="s">change</span><span class="sh">"</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">after_sensitive</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}</span> <span class="n">attr_changes</span> <span class="o">=</span> <span class="nf">extract_changes</span><span class="p">(</span><span class="n">before</span><span class="p">,</span> <span class="n">after</span><span class="p">,</span> <span class="n">sensitive</span><span class="p">)</span> <span class="n">drifted</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nc">DriftedResource</span><span class="p">(</span> <span class="n">address</span><span class="o">=</span><span class="n">change</span><span class="p">[</span><span class="sh">"</span><span class="s">address</span><span class="sh">"</span><span class="p">],</span> <span class="n">resource_type</span><span class="o">=</span><span class="n">change</span><span class="p">[</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">],</span> <span class="n">action</span><span class="o">=</span><span class="n">action</span><span class="p">,</span> <span class="n">changes</span><span class="o">=</span><span class="n">attr_changes</span><span class="p">,</span> <span class="n">module</span><span class="o">=</span><span class="n">change</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">module_address</span><span class="sh">"</span><span class="p">),</span> <span class="p">))</span> <span class="c1"># 6. Clean up plan file </span> <span class="nc">Path</span><span class="p">(</span><span class="n">workspace_path</span><span class="p">,</span> <span class="sh">"</span><span class="s">tfplan</span><span class="sh">"</span><span class="p">).</span><span class="nf">unlink</span><span class="p">(</span><span class="n">missing_ok</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="n">drifted</span> </code></pre> </div> <p>That's roughly 60 lines to go from a Terraform workspace directory to a structured list of drifted resources with attribute-level detail. The actual tfdrift implementation adds severity classification, ignore rules, error handling, and reporting on top of this, but the core parsing logic is what you see here.</p> <h2> Lessons learned </h2> <p><strong>Shell out, don't replicate.</strong> I briefly considered using the Terraform provider SDKs directly (like boto3 for AWS) to compare state. That would've been months of work and broken with every provider update. Shelling out to <code>terraform plan -json</code> gives you free compatibility with every provider, every backend, and every Terraform version since 0.12. The tradeoff is requiring a Terraform installation, but anyone who needs drift detection already has one.</p> <p><strong>The JSON format is stable but undocumented.</strong> HashiCorp has <a href="https://developer.hashicorp.com/terraform/internals/json-format" rel="noopener noreferrer">documentation</a> for the JSON output format, but it's sparse. The format has been stable since Terraform 0.12 (2019), and I haven't encountered breaking changes across versions. But it's not formally versioned, so in theory a future release could change things. Supporting OpenTofu via a <code>--binary</code> flag is a hedge against that.</p> <p><strong>Test against real infrastructure early.</strong> I built the parser against synthetic test data first and thought it was done. Then I pointed it at a real codebase with 150+ workspaces and discovered the variable file problem, the module address problem, and several edge cases with nested attributes. Synthetic tests are necessary but not sufficient.</p> <p><strong>Clean up after yourself.</strong> The <code>tfplan</code> binary file that <code>terraform plan -out</code> creates will accumulate if you don't delete it. In a scan across 150 workspaces, that's 150 binary files sitting in various directories. Always clean up in a <code>finally</code> block.</p> <h2> Try it yourself </h2> <p>All of this code is in the tfdrift source:</p> <ul> <li> <strong>Plan execution</strong>: <a href="https://github.com/sudarshan8417/tfdrift/blob/main/src/tfdrift/detectors/drift.py" rel="noopener noreferrer"><code>src/tfdrift/detectors/drift.py</code></a> </li> <li> <strong>Data models</strong>: <a href="https://github.com/sudarshan8417/tfdrift/blob/main/src/tfdrift/models.py" rel="noopener noreferrer"><code>src/tfdrift/models.py</code></a> </li> <li> <strong>Severity classification</strong>: <a href="https://github.com/sudarshan8417/tfdrift/blob/main/src/tfdrift/severity.py" rel="noopener noreferrer"><code>src/tfdrift/severity.py</code></a> </li> </ul> <p>Or just install it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>tfdrift tfdrift scan <span class="nt">--path</span> ./your-terraform-dir <span class="nt">--verbose</span> </code></pre> </div> <p>If you're building your own Terraform tooling and run into edge cases I didn't cover, I'd love to hear about them. Open an issue or drop a comment.</p> <p><em>This is part 3 of a series on infrastructure drift detection. Part 1: <a href="https://dev.to/sudarshan_thakur_1e141b99/i-built-tfdrift-free-terraform-drift-detection-with-severity-alerts-2n96">I Built a Free Terraform Drift Detector — Here's Why</a>. Part 2: <a href="https://dev.to/sudarshan_thakur_1e141b99/why-severity-classification-changes-everything-about-drift-detection-2lig">Why Severity Classification Changes Everything About Drift Detection</a>. Coming next: Setting Up Continuous Drift Monitoring With GitHub Actions and Slack.</em></p> devops python showdev terraform Sudarshan Thakur Sat, 02 May 2026 17:53:38 +0000 https://forem.com/sudarshan_thakur_1e141b99/why-severity-classification-changes-everything-about-drift-detection-2lig https://forem.com/sudarshan_thakur_1e141b99/why-severity-classification-changes-everything-about-drift-detection-2lig <p>Here's a scenario every DevOps engineer has lived through at least once.</p> <p>You set up drift detection for your Terraform infrastructure. Maybe it's a cron job running <code>terraform plan</code>, maybe it's a fancier tool. Either way, it works. It finds drift. It sends alerts.</p> <p>The problem is it finds <em>everything</em>. Tag changes. Description updates. Auto-scaling group adjustments. Security group modifications. Instance type changes. All of it lands in the same Slack channel with the same urgency.</p> <p>For the first week, your team looks at every alert. By week three, people start skimming. By month two, that Slack channel is muted. I know this because it happened to us.</p> <p>And buried in that noise? A security group change that opened SSH to the internet. Nobody caught it for eleven days.</p> <h2> The core problem isn't detection. It's prioritization. </h2> <p><code>terraform plan</code> is perfectly capable of detecting drift. It's been doing it since 2014. The detection part is solved. What isn't solved is the question that comes after detection: <strong>so what?</strong></p> <p>When plan tells you that 47 resources have changed across your infrastructure, the natural human response is "I don't have time for this." And honestly, that's rational. Most of those 47 changes probably don't matter. Tags get updated by cost allocation scripts. Auto-scaling groups adjust desired capacity constantly — that's literally their job. Someone updated a description field three weeks ago.</p> <p>But somewhere in those 47 changes, there might be an IAM policy that was broadened to allow <code>s3:*</code> on all buckets. Or a KMS key policy that added an unknown account. Or a database that got its <code>publicly_accessible</code> flag flipped to true.</p> <p>The problem is you can't tell which is which without reading through every single diff. Every. Single. Time.</p> <p>Research on alert fatigue in operations backs this up. When teams receive more than about 50 alerts per day, response quality drops measurably. Critical alert response times degrade by up to 40%. The monitoring industry learned this lesson a decade ago with tools like PagerDuty adding severity levels and intelligent routing. Infrastructure drift detection hasn't caught up.</p> <h2> Not all drift is created equal </h2> <p>Once you actually think about it, drift falls into pretty natural categories based on security and operational impact.</p> <p><strong>Some drift is a fire.</strong> Someone modified a security group's ingress rules. Someone changed an IAM policy. Someone disabled encryption on a storage bucket. Someone opened up public access on a database. These changes directly affect your security perimeter. If you miss them, you might end up in a breach disclosure filing. I'd call these Critical.</p> <p><strong>Some drift is a problem.</strong> Someone changed an instance type in production — your capacity planning just went out the window. Someone modified a database engine version — your upgrade runbooks are now wrong. Someone changed a Lambda runtime — hope nothing depends on that specific Python version. These won't get you breached, but they can cause outages. That's High.</p> <p><strong>Some drift is worth knowing about.</strong> Most attribute changes that don't fall into the above categories. A CloudFront distribution's cache behavior was modified. A load balancer's idle timeout was changed. Not urgent, but you should probably investigate when you get a chance. That's Medium.</p> <p><strong>Some drift is noise.</strong> Tags. Descriptions. Labels. Metadata that external systems update constantly. Flagging these as drift is technically correct and operationally useless. That's Low.</p> <p>The moment you apply these categories, your 47 alerts become 2 Critical, 3 High, 8 Medium, and 34 Low. Suddenly you know exactly where to look.</p> <h2> How we implemented this </h2> <p>When I built <a href="https://github.com/sudarshan8417/tfdrift" rel="noopener noreferrer">tfdrift</a>, severity classification was the feature I cared about most. The technical approach is straightforward but the design decisions were interesting.</p> <p><strong>Pattern matching on resource type + attribute.</strong> Each severity rule is a pattern like <code>aws_security_group.*.ingress</code> → Critical. The <code>*</code> matches any resource name. When terraform plan reports that <code>aws_security_group.api_gateway.ingress</code> changed, it matches the Critical pattern.</p> <p>Why resource type + attribute and not just resource type? Because a security group changing its <em>tags</em> is Low, but a security group changing its <em>ingress rules</em> is Critical. The attribute matters as much as the resource type.</p> <p><strong>Maximum severity wins.</strong> When a single resource has multiple changed attributes at different severity levels — say, both a tag change and an ingress change — we classify it at the highest level. A security group with a Low tag change and a Critical ingress change gets reported as Critical. You don't want someone to dismiss a Critical change because it also had some Low-severity noise attached.</p> <p><strong>60+ built-in rules.</strong> We ship default patterns for AWS (26 rules), Azure (13 rules), and GCP (10 rules), plus cloud-agnostic Low rules for tags, labels, and descriptions. These are opinionated defaults based on what we think matters most from a security perspective. You can override everything in a YAML config file.</p> <p>Here's what the default Critical rules look like for AWS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">aws_security_group</span><span class="err">.*.</span><span class="nx">ingress</span> <span class="c1"># network access</span> <span class="nx">aws_security_group</span><span class="err">.*.</span><span class="nx">egress</span> <span class="c1"># network access</span> <span class="nx">aws_iam_policy</span><span class="err">.*.</span><span class="nx">policy</span> <span class="c1"># identity &amp; access</span> <span class="nx">aws_iam_role</span><span class="err">.*.</span><span class="nx">assume_role_policy</span> <span class="c1"># identity &amp; access</span> <span class="nx">aws_s3_bucket_public_access_block</span><span class="err">.*</span> <span class="c1"># data exposure</span> <span class="nx">aws_s3_bucket_policy</span><span class="err">.*.</span><span class="nx">policy</span> <span class="c1"># data exposure</span> <span class="nx">aws_kms_key</span><span class="err">.*.</span><span class="nx">key_policy</span> <span class="c1"># encryption</span> <span class="nx">aws_network_acl_rule</span><span class="err">.*</span> <span class="c1"># network access</span> </code></pre> </div> <p>And for Azure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">azurerm_network_security_group</span><span class="err">.*.</span><span class="nx">security_rule</span> <span class="c1"># network access</span> <span class="nx">azurerm_role_assignment</span><span class="err">.*</span> <span class="c1"># identity &amp; access</span> <span class="nx">azurerm_key_vault_access_policy</span><span class="err">.*</span> <span class="c1"># secrets management</span> <span class="nx">azurerm_storage_account</span><span class="err">.*.</span><span class="nx">network_rules</span> <span class="c1"># data exposure</span> </code></pre> </div> <p>And GCP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">google_compute_firewall</span><span class="err">.*.</span><span class="nx">allow</span> <span class="c1"># network access</span> <span class="nx">google_compute_firewall</span><span class="err">.*.</span><span class="nx">source_ranges</span> <span class="c1"># network access</span> <span class="nx">google_project_iam_binding</span><span class="err">.*</span> <span class="c1"># identity &amp; access</span> <span class="nx">google_project_iam_member</span><span class="err">.*</span> <span class="c1"># identity &amp; access</span> </code></pre> </div> <p><strong>Ignore rules for expected drift.</strong> Beyond severity, we also support a <code>.tfdriftignore</code> file for drift you never want to see. The classic example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">aws_autoscaling_group</span><span class="err">.*.</span><span class="nx">desired_capacity</span> <span class="nx">aws_ecs_service</span><span class="err">.*.</span><span class="nx">desired_count</span> </code></pre> </div> <p>Auto-scaling groups change <code>desired_capacity</code> every few minutes. That's not drift — that's the system working correctly. Filtering this out before severity classification reduces noise even further.</p> <h2> The numbers </h2> <p>I tested this approach against a sandbox AWS environment with 150+ Terraform workspaces — EC2, IAM, S3, RDS, VPC, the usual mix. I introduced drift through the AWS console and CLI to simulate the kind of changes that happen in real environments: security group tweaks, tag updates, instance type changes, IAM policy modifications.</p> <p>The results:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Approach</th> <th>Alert volume</th> <th>Security changes caught</th> </tr> </thead> <tbody> <tr> <td>Binary detection (terraform plan)</td> <td>100%</td> <td>100% (buried in noise)</td> </tr> <tr> <td>Severity ≥ High only</td> <td>27%</td> <td>94%</td> </tr> <tr> <td>Severity ≥ High + ignore rules</td> <td>19%</td> <td>97%</td> </tr> </tbody> </table></div> <p>Filtering to High and Critical severity cut the alert volume by <strong>73%</strong> while still catching <strong>94%</strong> of the changes that actually mattered from a security perspective. Adding ignore rules brought noise down to just 19% of the original volume at 97% precision.</p> <p>The 6% of security-relevant changes that got missed at the High threshold were Medium-severity changes that a human might consider security-adjacent — things like Lambda runtime version changes. Whether those matter depends on your risk tolerance, and you can always adjust the severity rules to promote specific attributes.</p> <h2> The .tfdrift.yml as a living document </h2> <p>Here's something I didn't fully appreciate until I started getting feedback from other engineers: the severity configuration file becomes a <strong>living document of your team's operational values.</strong></p> <p>When you configure which changes are Critical and which are Low, you're encoding institutional knowledge about what matters to <em>your</em> organization. A fintech company might classify <code>aws_rds_instance.*.storage_encrypted</code> as Critical. A dev agency might not care about it at all.</p> <p>The <code>.tfdrift.yml</code> file captures these decisions in version-controlled, reviewable code. When a new engineer joins the team and asks "do we care about CloudFront distribution changes?", the answer is in the config file. When an incident happens because of undetected drift, the post-mortem action item is "add this resource type to our Critical patterns" — a one-line YAML change.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">severity</span><span class="pi">:</span> <span class="na">critical</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">aws_security_group.*.ingress</span> <span class="pi">-</span> <span class="s">aws_iam_policy.*.policy</span> <span class="c1"># Added after the March 15 incident — ticket INC-4521</span> <span class="pi">-</span> <span class="s">aws_cloudfront_distribution.*.origin</span> <span class="na">high</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">aws_instance.*.instance_type</span> <span class="pi">-</span> <span class="s">aws_rds_instance.*.publicly_accessible</span> </code></pre> </div> <p>That comment in the config file? That's tribal knowledge being captured instead of lost.</p> <h2> What severity classification doesn't solve </h2> <p>I want to be honest about the limitations.</p> <p><strong>It can't see values.</strong> The classification is based on <em>which</em> attribute changed, not <em>what</em> it changed to. A security group rule opening port 443 to a known CIDR range is very different from one opening port 22 to 0.0.0.0/0. Both get classified as Critical because the attribute is <code>ingress</code>. Value-aware classification is on the roadmap, but it adds significant complexity.</p> <p><strong>It doesn't understand context.</strong> The same change might be Critical in production and Low in dev. Right now you handle this by maintaining separate config files per environment. Native environment-aware severity is something I want to build.</p> <p><strong>It's still just detection.</strong> Even with severity classification, the loop is: drift happens → tool detects it → alert goes out → human decides what to do. One of the more interesting pieces of feedback I've gotten is about moving from detection to governance — where Critical drift can automatically block deployments or trigger remediation. That's the next frontier, but it's also the scariest one.</p> <h2> Try it </h2> <p>If this resonates with your experience managing Terraform infrastructure, give tfdrift a try:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>tfdrift tfdrift scan <span class="nt">--path</span> ./your-terraform-dir </code></pre> </div> <p>The severity rules are opinionated out of the box, and you can customize everything. If you have thoughts on what the default rules should cover — especially for Azure and GCP where our coverage is thinner — I'd genuinely love to hear about it.</p> <p><strong>GitHub</strong>: <a href="https://github.com/sudarshan8417/tfdrift" rel="noopener noreferrer">github.com/sudarshan8417/tfdrift</a></p> <p><em>This is part of a series on infrastructure drift detection. Previously: <a href="https://dev.to/sudarshan_thakur_1e141b99/i-built-tfdrift-free-terraform-drift-detection-with-severity-alerts-2n96">I Built a Free Terraform Drift Detector — Here's Why</a>. Next up: How I Built a Terraform Plan JSON Parser in Python.</em></p> terraform devops security opensource Sudarshan Thakur Tue, 21 Apr 2026 19:31:10 +0000 https://forem.com/sudarshan_thakur_1e141b99/i-built-tfdrift-free-terraform-drift-detection-with-severity-alerts-2n96 https://forem.com/sudarshan_thakur_1e141b99/i-built-tfdrift-free-terraform-drift-detection-with-severity-alerts-2n96 <h1> I Built a Free Terraform Drift Detector — Here's Why </h1> <p>If you manage Terraform infrastructure, you've probably experienced this: someone tweaks a security group in the AWS console "just for testing," forgets about it, and three months later your <code>terraform apply</code> blows up — or worse, that change silently creates a security hole that nobody catches.</p> <p>This is infrastructure drift. And there's no good free tool to detect it properly.</p> <p>So I built <a href="https://github.com/sudarshan8417/tfdrift" rel="noopener noreferrer"><strong>tfdrift</strong></a> — a free, open-source CLI that detects Terraform drift, classifies it by severity, and alerts your team.</p> <h2> The problem with "just run terraform plan" </h2> <p>Yes, <code>terraform plan</code> detects drift. But in practice, it falls short for teams managing real infrastructure:</p> <p><strong>No severity awareness.</strong> Someone changed a tag? Same alert as someone opening port 22 to the world. <code>terraform plan</code> treats all changes equally — but they're not. An IAM policy change is a security incident. A tag change is noise.</p> <p><strong>No multi-workspace scanning.</strong> If you have 20 Terraform workspaces across environments, you need to <code>cd</code> into each one and run <code>plan</code> manually. Nobody does this consistently.</p> <p><strong>No notifications.</strong> You only discover drift when you happen to run <code>plan</code>. By then, the damage may already be done.</p> <p><strong>No ignore rules.</strong> Auto-scaling groups constantly change <code>desired_capacity</code>. ECS services change <code>desired_count</code>. These are expected — but <code>plan</code> flags them every time, creating alert fatigue.</p> <h2> What tfdrift does </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>tfdrift tfdrift scan <span class="nt">--path</span> ./infrastructure </code></pre> </div> <p>It recursively discovers all Terraform workspaces, runs <code>terraform plan -json</code> on each, parses the output, and gives you a structured report with severity classification:</p> <ul> <li> <strong>CRITICAL</strong> — Security group ingress/egress changes, IAM policy modifications, S3 public access changes</li> <li> <strong>HIGH</strong> — Instance type changes, RDS public accessibility, encryption config changes</li> <li> <strong>MEDIUM</strong> — Most other attribute changes</li> <li> <strong>LOW</strong> — Tags, descriptions</li> </ul> <p>Here's what the output looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>⚠️ Drift detected: 7 resource(s) across 2/4 workspace(s) 🔴 critical: 2 🟠 high: 2 🟡 medium: 2 🔵 low: 1 📂 infrastructure/production (5 drifted, 3.2s) ┌──────────┬───────────────────────────────────┬────────┬─────────────────────┐ │ Severity │ Resource │ Action │ Changed attributes │ ├──────────┼───────────────────────────────────┼────────┼─────────────────────┤ │ CRITICAL │ aws_security_group.api_sg │ update │ ingress │ │ CRITICAL │ aws_iam_role_policy.lambda_exec │ update │ policy │ │ HIGH │ aws_instance.web_server │ update │ instance_type, ami │ │ HIGH │ aws_rds_instance.primary │ update │ publicly_accessible │ │ LOW │ aws_s3_bucket.assets │ update │ tags │ └──────────┴───────────────────────────────────┴────────┴─────────────────────┘ </code></pre> </div> <p>Now you immediately know what matters.</p> <h2> I tested it against real AWS infrastructure </h2> <p>To validate the tool beyond unit tests, I set up a sample AWS environment with EC2 instances managed by Terraform. I ran tfdrift against it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tfdrift scan <span class="nt">--path</span> ./dev-terraform/development/ec2 <span class="nt">--verbose</span> </code></pre> </div> <p>Within 4 seconds, it detected a drifted EC2 instance — an <code>aws_instance</code> resource that had been modified outside of Terraform. The tool correctly classified it as <strong>HIGH</strong> severity because <code>instance_type</code> was among the changed attributes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>⚠️ Drift detected: 1 resource(s) across 1/4 workspace(s) 🟠 high: 1 📂 development/ec2/dev-machines (1 drifted, 4.2s) ┌──────────┬──────────────────────┬────────┬────────────────────────────────────┐ │ Severity │ Resource │ Action │ Changed attributes │ ├──────────┼──────────────────────┼────────┼────────────────────────────────────┤ │ HIGH │ aws_instance.this[0] │ create │ instance_type, tags, monitoring, │ │ │ │ │ metadata_options, volume_tags │ └──────────┴──────────────────────┴────────┴────────────────────────────────────┘ </code></pre> </div> <p>That drift had been sitting there undetected. A simple <code>terraform plan</code> would have found it too — but nobody was running <code>plan</code> against that workspace regularly. With tfdrift's watch mode, this could have been caught automatically and sent to Slack within minutes.</p> <h2> Key features </h2> <p><strong>Watch mode</strong> — continuous monitoring with Slack alerts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tfdrift watch <span class="nt">--interval</span> 30m <span class="nt">--slack-webhook</span> https://hooks.slack.com/services/XXX </code></pre> </div> <p><strong>Auto-remediation</strong> — with safety guards that block destructive changes on critical resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tfdrift scan <span class="nt">--auto-fix</span> <span class="nt">--confirm</span> <span class="nt">--env</span> dev </code></pre> </div> <p><strong>Ignore rules</strong> — a <code>.tfdriftignore</code> file for expected drift:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws_autoscaling_group.*.desired_capacity aws_ecs_service.*.desired_count *.tags.LastModified </code></pre> </div> <p><strong>CI/CD integration</strong> — exit codes designed for pipelines (0 = clean, 1 = drift, 2 = error, 3 = remediated), plus a ready-made GitHub Actions workflow.</p> <p><strong>JSON and Markdown output</strong> — for programmatic use or generating reports:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tfdrift scan <span class="nt">--format</span> json <span class="nt">--output</span> drift-report.json tfdrift scan <span class="nt">--format</span> markdown <span class="nt">--output</span> drift-report.md </code></pre> </div> <h2> How it compares </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>tfdrift</th> <th>terraform plan</th> <th>Terraform Enterprise</th> </tr> </thead> <tbody> <tr> <td>Actively maintained</td> <td>✅</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>Severity classification</td> <td>✅</td> <td>❌</td> <td>❌</td> </tr> <tr> <td>Multi-workspace scan</td> <td>✅</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>Auto-remediation</td> <td>✅</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>Watch mode + alerts</td> <td>✅</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>Ignore rules</td> <td>✅</td> <td>❌</td> <td>❌</td> </tr> <tr> <td>Cost</td> <td>Free</td> <td>Free</td> <td>$15K+/yr</td> </tr> </tbody> </table></div> <h2> The architecture </h2> <p>tfdrift is written in Python and built with a modular architecture:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>tfdrift/ ├── detectors/ # Drift detection engine (terraform plan parser) ├── reporters/ # Output formatters (JSON, Markdown, table, Slack) ├── remediators/ # Auto-fix logic with safety guards ├── severity.py # 30+ built-in AWS severity rules ├── config.py # .tfdrift.yml and .tfdriftignore parser └── cli.py # CLI (Click) </code></pre> </div> <p>The severity engine uses pattern matching to classify drift. For example, any change to <code>aws_security_group.*.ingress</code> is automatically classified as CRITICAL, while <code>*.tags</code> changes are classified as LOW. You can extend these rules in your <code>.tfdrift.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">severity</span><span class="pi">:</span> <span class="na">critical</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">aws_security_group.*.ingress</span> <span class="pi">-</span> <span class="s">aws_iam_policy.*.policy</span> <span class="na">high</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">aws_instance.*.instance_type</span> <span class="pi">-</span> <span class="s">aws_rds_instance.*.publicly_accessible</span> </code></pre> </div> <h2> Why I built this </h2> <p>I'm a DevOps engineer working with AWS, Terraform, and Kubernetes daily. Infrastructure drift was a recurring problem — security-critical changes mixed in with harmless noise, and no good free tool to sort through it.</p> <p>The existing options were either expensive (Terraform Enterprise at $15K+/year) or too basic (raw <code>terraform plan</code> in a cron job).</p> <p>I wanted something that could:</p> <ul> <li>Tell me <strong>what</strong> drifted and <strong>how bad</strong> it is</li> <li>Scan all my workspaces in one command</li> <li>Send me a Slack alert at 2 AM when someone modifies a security group</li> <li>Let me ignore the noise (auto-scaling changes, tag updates)</li> <li>Run in CI/CD and fail the pipeline if critical drift is found</li> </ul> <p>So I built it.</p> <h2> Try it </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>tfdrift <span class="c"># Scan your infrastructure</span> tfdrift scan <span class="nt">--path</span> ./your-terraform-dir <span class="c"># Set up continuous monitoring</span> tfdrift watch <span class="nt">--interval</span> 1h <span class="nt">--slack-webhook</span> <span class="nv">$SLACK_WEBHOOK</span> <span class="c"># Generate a config file</span> tfdrift init </code></pre> </div> <p>The code is fully open source: <strong><a href="https://github.com/sudarshan8417/tfdrift" rel="noopener noreferrer">github.com/sudarshan8417/tfdrift</a></strong></p> <p>I'd love feedback, bug reports, and contributions. If you've dealt with Terraform drift at your organization, I'd especially love to hear what features you'd want next — Azure/GCP support, a web dashboard, PagerDuty integration?</p> <p>Drop a comment or <a href="https://github.com/sudarshan8417/tfdrift/issues" rel="noopener noreferrer">open an issue on GitHub</a>.</p> <p><em>If you found this useful, consider giving the repo a ⭐ on GitHub — it helps other engineers find the tool.</em></p> devops security automation cloud