Drift Detection
This page discusses drift detection, which allows comparison of a cloud resource to its matching Infrastructure as Code (IAC) template. To use drift detection, both the cloud resource and the IAC template must be tagged with the same prancer_unique_id and resource_type tags. The article explains the steps to set up drift detection configuration, change drift detection configuration, run drift detection, and view the result of drift detection in the infra findings page and the Resource Explorer. The article includes screenshots to illustrate the process of configuring and running drift detection and how to interpret the results of drift detection.
Prerequisites:
- To use this functionality, tag the cloud resource and the IAC template with the same prancer_unique_id and resource_type tags.

    {
      "prancer_unique_id": "7846b5c5-4f0c-420f-a797-0c82845e80dd",
      "resource_type": "Microsoft.Storage/storageAccounts"
    }

Explanation:
- **prancer_unique_id:** A unique ID would be used to distinguish the resources, and an IAC template would be found based on it.
- **resource_type:** Type of resource from the cloud provider documentation.
Collection must have one IAC mastersnapshot, one cloud mastersnapshot and one mastertest corresponding to the cloud mastersnapshot.
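
The sketch below is an added example, not Prancer's own code. It shows why both tags are required: resources from the IAC side and the cloud side are paired on the (prancer_unique_id, resource_type) pair, and the attributes the template declares are then compared. The ARM-like `name` / `tags` / `properties` layout, the function names and the sample resources are assumptions constructed for illustration.

```python
# Added illustration (not Prancer's code): pair IaC and cloud resources by the
# two tags this page requires, then diff the attributes the template declares.
TAG_KEYS = ("prancer_unique_id", "resource_type")

def tag_key(resource):
    """Return the (prancer_unique_id, resource_type) pair, or None if a tag is missing."""
    tags = resource.get("tags") or {}
    key = tuple(tags.get(k) for k in TAG_KEYS)
    return key if all(key) else None

def flatten(value, prefix=""):
    """Flatten nested dicts into {'a.b': leaf} so attributes compare path by path."""
    if not isinstance(value, dict):
        return {prefix.rstrip("."): value}
    out = {}
    for k, v in value.items():
        out.update(flatten(v, f"{prefix}{k}."))
    return out

def detect_drift(iac_resources, cloud_resources):
    """Return (drift, unmatched): attribute diffs per tag pair, and cloud
    resources that have no template carrying the same tag pair."""
    templates = {tag_key(r): r for r in iac_resources if tag_key(r)}
    drift, unmatched = {}, []
    for res in cloud_resources:
        key = tag_key(res)
        if key not in templates:          # untagged, or tags match no template
            unmatched.append(res.get("name"))
            continue
        want = flatten(templates[key].get("properties", {}))
        have = flatten(res.get("properties", {}))
        # Assumption: only template-declared paths count; provider-set extras are ignored.
        changes = {p: (v, have.get(p)) for p, v in sorted(want.items()) if have.get(p) != v}
        if changes:
            drift[key] = changes
    return drift, unmatched

# Constructed sample data; the ARM-like field layout is an assumption.
TAGS = {"prancer_unique_id": "7846b5c5-4f0c-420f-a797-0c82845e80dd",
        "resource_type": "Microsoft.Storage/storageAccounts"}
IAC = [{"name": "stgtemplate", "tags": TAGS, "properties": {
    "allowBlobPublicAccess": False, "networkAcls": {"defaultAction": "Deny"}}}]
CLOUD = [{"name": "stgprod", "tags": TAGS, "properties": {
    "allowBlobPublicAccess": True, "networkAcls": {"defaultAction": "Allow"},
    "provisioningState": "Succeeded"}},
    {"name": "stguntagged", "tags": {}, "properties": {}}]

if __name__ == "__main__":
    drift, unmatched = detect_drift(IAC, CLOUD)
    print(drift, unmatched)
```

A cloud resource that lacks either tag cannot be paired with a template, so it is reported as unmatched rather than silently treated as compliant.
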
Setting up drift detection configuration
- Before setting up Drift Configuration, make sure the following files are in place, and that the cloud resource and the IAC template carry the same prancer_unique_id and resource_type tags in your cloud environment. Below is an example of the drift detection files for an Azure cloud resource that must be in your collection:
connector_source_azure_git

    {
      "branchName": "drift",
      "companyName": "prancer",
      "fileType": "structure",
      "gitProvider": "https://github.com/prancer-io/prancer-armof.git",
      "private": false,
      "type": "filesystem"
    }

ms_azure_git

The tenant connector name in "connector" will be auto-generated.

    {
      "connector": "git_prancer-xforia_connector",
      "connectorUsers": [
        {
          "id": "USER_1",
          "source": "connector_source_azure_git",
          "testUser": "USER_1"
        }
      ],
      "fileType": "masterSnapshot",
      "remoteFile": "azure/iac/master-snapshot.json",
      "snapshots": [],
      "type": "arm"
    }

mastersnapshot file

The tenant connector name in "connector" will be auto-generated; make sure it is the same.

    {
      "connector": "git_prancer-xforia_connector",
      "connectorUsers": [],
      "fileType": "mastertest",
      "masterSnapshot": "mastersnapshot_Azure_Drift_Detection",
      "notification": [],
      "remoteFile": "azure/cloud/master-compliance-test.json",
      "testSet": []
    }

mastersnapshot file

    {
      "connector": "git_prancer-xforia_connector",
      "connectorUsers": [
        {
          "id": "USER_1",
          "source": "Azure_Drift_Detection_connector",
          "subscriptionId": "a6941677-4c37-42fb-960c-dad8f25060a3",
          "testUser": "prancer-xforia"
        }
      ],
      "fileType": "masterSnapshot",
      "remoteFile": "azure/cloud/master-snapshot.json",
      "snapshots": [],
      "type": "azure"
    }

- The user can set up the drift configuration by clicking on the drop-down in collections and choosing Drift Configuration.
- The drift detection configuration screen will appear as shown below. On it, the user has to check Run Drift Detection and select the IAC Master Snapshot and the Cloud Master Snapshot from the dropdown menus.
Explanation:
- **Run Drift Detection:** Checking this will run drift detection automatically when running compliance.
- **IAC Master Snapshot:** Select an IAC mastersnapshot from the IAC mastersnapshot list in the dropdown.
- **Cloud Master Snapshot:** Select a cloud mastersnapshot from the cloud mastersnapshot list in the dropdown.
Changing Drift Detection Configuration
- The user can view the existing drift configuration, if any, by clicking on the drop-down in collections and choosing Drift Configuration.
- Change the parameters and click on the save button.
Running Drift Detection
- Drift detection will run automatically when running compliance if Run Drift Detection is checked in the drift detection configuration. To start running compliance, click on start; the user will get the notification 'Compliance along with drift detction started running successfully' as shown.
Result of Drift Detection
- The user can see the result of drift detection on the infra findings page. Check the Drifted items box to filter the list down to the compliance reports of the drifted resources, as shown.
- When the user clicks on one of the compliance reports in the list to see the details, a Drift Detected warning appears if drift is detected, as shown.
- Clicking on the Drift Detected warning will show the changes between the drifted IAC and cloud attributes of the snapshot, as shown below.
Drift Detection result in Resource Explorer
The user can find their resource on the Resource Explorer page. If you check the Drifted checkbox, all the resources associated with the provided connector and collection that have drifted from their template will be shown.
If you click on a resource, the Dashboard of that resource will appear. If drift is detected, a Drift Detected warning appears as shown.
Clicking on the Drift Detected warning will show the changes between the drifted IAC and cloud attributes of the snapshot, as shown below.