Drift Detection

This page discusses drift detection, which compares a cloud resource with its matching Infrastructure as Code (IAC) template. To use drift detection, both the cloud resource and the IAC template must be tagged with the same prancer_unique_id and resource_type tags. The article explains how to set up the drift detection configuration, change it, run drift detection, and view the results in the infra findings page and the resource explorer. It includes screenshots that illustrate configuring and running drift detection and interpreting its results.

Prerequisites:

  • To use this functionality, tag the cloud resource and the IAC template with the same prancer_unique_id and resource_type tags.

    { "prancer_unique_id": "7846b5c5-4f0c-420f-a797-0c82845e80dd", "resource_type": "Microsoft.Storage/storageAccounts" }

Explanation:

  - **prancer_unique_id:** A unique ID used to distinguish the resources; the matching IAC template is found based on it.
  - **resource_type:** Type of the resource, as given in the cloud provider documentation.
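The tag prerequisite can be checked before drift detection is configured. The following is an added example, not Prancer's own code: it pairs cloud resources with IAC templates on the two tags and lists the resources that cannot be compared. The `name` and `tags` fields and all sample items are assumptions constructed for illustration.

```python
# Added example: pair cloud resources with IaC templates by their Prancer tags.
REQUIRED_TAGS = ("prancer_unique_id", "resource_type")

def tag_key(item):
    """Return (prancer_unique_id, resource_type), or None if either tag is missing or empty."""
    tags = item.get("tags") or {}
    values = tuple(str(tags.get(t) or "").strip() for t in REQUIRED_TAGS)
    return values if all(values) else None

def pair_by_tags(cloud_resources, iac_templates):
    """Split cloud resources into those that have exactly one matching template and those that do not."""
    index = {}
    for tpl in iac_templates:
        key = tag_key(tpl)
        if key:
            index.setdefault(key, []).append(tpl["name"])
    report = {"paired": {}, "untagged": [], "no_template": [], "ambiguous": []}
    for res in cloud_resources:
        key = tag_key(res)
        if key is None:
            report["untagged"].append(res["name"])      # tags missing on the cloud side
        elif key not in index:
            report["no_template"].append(res["name"])   # tagged, but no template carries the same pair
        elif len(index[key]) > 1:
            report["ambiguous"].append(res["name"])     # the ID is not unique among templates
        else:
            report["paired"][res["name"]] = index[key][0]
    return report

# Constructed sample data; the first tag pair is the one shown on this page.
STORAGE = {"prancer_unique_id": "7846b5c5-4f0c-420f-a797-0c82845e80dd",
           "resource_type": "Microsoft.Storage/storageAccounts"}
CLOUD = [
    {"name": "prodstorage01", "tags": dict(STORAGE)},
    {"name": "legacyvm", "tags": {"owner": "ops"}},
    {"name": "scratchstorage", "tags": {**STORAGE, "prancer_unique_id": "constructed-id-0002"}},
]
IAC = [{"name": "storage.json#storageAccount", "tags": dict(STORAGE)}]

if __name__ == "__main__":
    for bucket, items in pair_by_tags(CLOUD, IAC).items():
        print(bucket, items)
```

Resources reported as `untagged` or `no_template` have no template to be compared against, so a change made to them directly in the cloud would not show up as drift.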

The collection must have one IAC mastersnapshot, one cloud mastersnapshot and one mastertest corresponding to the cloud mastersnapshot.

Setting up drift detection configuration

  • Before setting up the drift configuration, the files below must be in place in your collection, for the cloud resources and IAC templates in your cloud environment that are tagged with the same prancer_unique_id and resource_type tags. Below is an example of the drift detection files for an Azure cloud resource:

connector_source_azure_git


{
  "branchName": "drift",
  "companyName": "prancer",
  "fileType": "structure",
  "gitProvider": "https://github.com/prancer-io/prancer-armof.git",
  "private": false,
  "type": "filesystem"
}

ms_azure_git

The tenant connector name is auto-generated in the "connector" field.

{
  "connector": "git_prancer-xforia_connector",
  "connectorUsers": [
    {
      "id": "USER_1",
      "source": "connector_source_azure_git",
      "testUser": "USER_1"
    }
  ],
  "fileType": "masterSnapshot",
  "remoteFile": "azure/iac/master-snapshot.json",
  "snapshots": [],
  "type": "arm"
}

mastertest file

The tenant connector name is auto-generated in the "connector" field; make sure it is the same.

{
  "connector": "git_prancer-xforia_connector",
  "connectorUsers": [],
  "fileType": "mastertest",
  "masterSnapshot": "mastersnapshot_Azure_Drift_Detection",
  "notification": [],
  "remoteFile": "azure/cloud/master-compliance-test.json",
  "testSet": []
}

mastersnapshot file


{
  "connector": "git_prancer-xforia_connector",
  "connectorUsers": [
    {
      "id": "USER_1",
      "source": "Azure_Drift_Detection_connector",
      "subscriptionId": "a6941677-4c37-42fb-960c-dad8f25060a3",
      "testUser": "prancer-xforia"
    }
  ],
  "fileType": "masterSnapshot",
  "remoteFile": "azure/cloud/master-snapshot.json",
  "snapshots": [],
  "type": "azure"
}

  • Users can set up their drift configuration by clicking the drop-down in Collections and choosing Drift Configuration.

![Drift Configuration menu entry](../img/drift_detection/drift_detection_config.png)

  • The drift detection configuration screen will appear as shown below. On it, the user has to check Run Drift Detection and select the IAC Master Snapshot and the Cloud Master Snapshot from the dropdown menus.

![Drift detection configuration form](../img/drift_detection/drift_detection_config_form.png)

Explanation:

  - **Run Drift Detection:** Checking this will run drift detection automatically when running compliance.
  - **IAC Master Snapshot:** Select an IAC mastersnapshot from the IAC mastersnapshot list in the dropdown.
  - **Cloud Master Snapshot:** Select a cloud mastersnapshot from the cloud mastersnapshot list in the dropdown.
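Before selecting the snapshots in the form, the collection files described above can be checked for the stated requirement: an IAC mastersnapshot, a cloud mastersnapshot, and a mastertest that points at the cloud mastersnapshot. This is an added example, not Prancer's own code. It assumes that `arm` marks an IAC snapshot and `azure` a cloud snapshot (the only types shown on this page), that the mastertest's `masterSnapshot` value is the cloud snapshot's file name, and that the "same" connector means the same `connector` value in both files; the mastertest file name is constructed.

```python
# Added example: lint a collection's files before enabling drift detection.
IAC_TYPES, CLOUD_TYPES = {"arm"}, {"azure"}  # assumption: only the types on this page

def check_collection(files):
    """files maps file name -> parsed JSON; returns a list of problems (empty if usable)."""
    snaps = {n: f for n, f in files.items() if f.get("fileType") == "masterSnapshot"}
    tests = [f for f in files.values() if f.get("fileType") == "mastertest"]
    problems = []
    if not any(f.get("type") in IAC_TYPES for f in snaps.values()):
        problems.append("no IAC mastersnapshot")
    cloud = {n: f for n, f in snaps.items() if f.get("type") in CLOUD_TYPES}
    if not cloud:
        problems.append("no cloud mastersnapshot")
    for name, snap in cloud.items():
        linked = [t for t in tests if t.get("masterSnapshot") == name]
        if not linked:
            problems.append(f"{name}: no mastertest references it")
        for t in linked:
            # Assumption: the mastertest must use the same connector as its snapshot.
            if t.get("connector") != snap.get("connector"):
                problems.append(f"{name}: mastertest connector differs")
    return problems

# Constructed collection, trimmed from the files shown on this page.
CONNECTOR = "git_prancer-xforia_connector"
COLLECTION = {
    "ms_azure_git": {
        "fileType": "masterSnapshot", "type": "arm", "connector": CONNECTOR},
    "mastersnapshot_Azure_Drift_Detection": {
        "fileType": "masterSnapshot", "type": "azure", "connector": CONNECTOR},
    "mastertest_Azure_Drift_Detection": {   # constructed file name
        "fileType": "mastertest", "connector": CONNECTOR,
        "masterSnapshot": "mastersnapshot_Azure_Drift_Detection"},
}

if __name__ == "__main__":
    print(check_collection(COLLECTION) or "collection is consistent")
```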

Changing Drift Detection Configuration

  • Users can view the existing drift configuration, if any, by clicking the drop-down in Collections and choosing Drift Configuration. ![Drift Configuration menu entry](../img/drift_detection/drift_detection_config.png)

  • Change the parameters and click the Save button.

![Editing the drift detection configuration](../img/drift_detection/drift_detection_config_edit.png)

Running Drift Detection

  • Drift detection runs automatically when running compliance if Run Drift Detection is checked in the drift detection configuration. To start running compliance, click Start; the user will get the notification 'Compliance along with drift detction started running successfully' as shown. ![Compliance run notification](../img/drift_detection/drift_detection_run.png)

Result of Drift Detection

  • Users can see the result of the drift detection in the infra findings page. Check the Drifted items box to filter the list down to the compliance reports of the drifted resources as shown. ![Infra findings filtered to drifted items](../img/drift_detection/drift_detection_infra_results.png)
  • When the user clicks one of the compliance reports in the list to see its details, a Drift Detected warning appears if drift was detected, as shown. ![Drift Detected warning](../img/drift_detection/drift_detection_result_warning.png)
  • Clicking the Drift Detected warning shows the changes between the drifted IAC and cloud attributes of the snapshot as shown below. ![Drifted IAC and cloud attributes](../img/drift_detection/drift_detection_final_result.png)

Drift Detection result in Resource Explorer

Users can find their resource in the Resource Explorer page. If you check the Drifted checkbox, all the resources associated with the provided connector and collection which have drifted from their template will be shown. ![Resource Explorer drifted list](../img/drift_detection/resource_explorer_drifted_list.png)

If you click on that resource, the dashboard of that resource will appear. If drift is detected, a Drift Detected warning appears as shown. ![Resource dashboard with Drift Detected warning](../img/drift_detection/resource_explorer_drifted_dashboard.png)

Clicking the Drift Detected warning shows the changes between the drifted IAC and cloud attributes of the snapshot as shown below. ![Drifted IAC and cloud attributes in Resource Explorer](../img/drift_detection/resource_explorer_drifted_result.png)