Infrastructure-as-Code (IaC) has become an essential practice for modern cloud development. Tools like Terraform allow organisations to define cloud resources in a consistent and repeatable manner. However, once infrastructure is deployed, manual changes, policy updates, or configuration modifications can cause infrastructure drift. Drift leads to unpredictable behaviour, security risks, and increased operational effort.
This article explains how to identify, prevent, and manage infrastructure drift using Terraform and Azure DevOps, suitable for full-stack teams working with ASP.NET Core, Angular, SQL Server, and Azure Cloud environments.
What Is Infrastructure Drift?
Infrastructure drift occurs when the actual deployed infrastructure differs from the Terraform state or code. This difference usually happens due to:
Manual changes in Azure Portal
Hotfixes applied directly on production
Auto-scaling or system-generated modifications
Policy updates or resource locks
Partial deployments
Drift leads to instability, failed pipelines, unpredictable performance, and difficult troubleshooting.
Why Managing Drift Is Important
Ensures that the environment remains consistent
Reduces deployment risks
Improves traceability and compliance
Prevents configuration mismatch between environments
Supports reliable CI/CD pipelines
Avoids security misconfigurations
When drift is controlled, the production environment always matches the source code, making deployments safer and more predictable.
Workflow for Drift Detection and Management
A robust Terraform workflow in Azure DevOps should cover these steps:
Define infrastructure in Terraform
Run Terraform Plan in every pipeline execution
Compare actual cloud state with Terraform state
Detect drift automatically
Notify DevOps team
Run a controlled terraform apply to correct drift
Lock state and maintain consistency
Workflow Diagram: Drift Management Using Terraform and Azure DevOps
+------------------------------+
|   Developer Updates Code     |
+--------------+---------------+
               |
               v
+--------------+---------------+
| Azure DevOps Pipeline Starts |
+--------------+---------------+
               |
               v
+--------------+---------------+
|     Run Terraform Init       |
+--------------+---------------+
               |
               v
+--------------+---------------+
|     Run Terraform Plan       |
+--------------+---------------+
               |
               v
+--------------+---------------+
| Compare Terraform State with |
|            Azure             |
+--------------+---------------+
               |
               v
+--------------+---------------+
|       Drift Detected?        |
+------+----------------+------+
       | Yes            | No
       v                v
+------+--------+   +----+--------------+
| Notify Team   |   | Proceed with      |
| (Email/DevOps |   | Deployment or     |
| Alerts)       |   | Validation        |
+------+--------+   +-------------------+
       |
       v
+------+---------------+
| Controlled Terraform |
| Apply to Correct     |
| Drift                |
+------+---------------+
       |
       v
+------+---------+
| Infrastructure |
| Back in Sync   |
+----------------+
How Terraform Helps Detect Drift
Terraform maintains a state file (terraform.tfstate) that stores the current configuration of all deployed resources. During a terraform plan, Terraform:
Reads the state file
Pulls live infrastructure data from Azure
Compares both states
Reports differences as drift
This plan step helps detect drift before applying changes.
Implementing Drift Management with Azure DevOps Pipelines
Step 1: Configure Terraform Backend
Store state securely in Azure Storage:
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"
    storage_account_name = "tfstateprod123"
    container_name       = "state"
    key                  = "prod.terraform.tfstate"
  }
}
This enables reliable drift detection across environments and developers.
Step 2: Create Azure DevOps Pipeline for Terraform
A typical pipeline includes:
Sample Azure DevOps YAML
trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: TerraformInstaller@1
  inputs:
    terraformVersion: '1.5.0'

- script: terraform init
  displayName: 'Terraform Init'

- script: terraform validate
  displayName: 'Terraform Validate'

- script: terraform plan -out=tfplan
  displayName: 'Terraform Plan'

- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: 'tfplan'
    ArtifactName: 'tf-plan-artifact'
Step 3: Add Manual Approval for Apply (to prevent accidental changes)
- stage: Apply
  dependsOn: Build          # the stage that ran terraform plan and published tfplan
  condition: succeeded()
  jobs:
  - deployment: TerraformApply
    # Manual approval is configured as a check on this environment in Azure DevOps
    # (Pipelines > Environments > prod > Approvals and checks); the job waits here until an approver signs off.
    environment: prod
    strategy:
      runOnce:
        deploy:
          steps:
          - checkout: self              # deployment jobs do not check out source by default
          - download: current
            artifact: tf-plan-artifact
          - script: terraform init      # fresh agent: re-initialise backend and providers before apply
            displayName: 'Terraform Init'
          - script: terraform apply -auto-approve $(Pipeline.Workspace)/tf-plan-artifact/tfplan
            displayName: 'Terraform Apply'
The approval stage ensures drift is corrected only with team consent.
Automated Alerts for Drift Detection
To enhance visibility, run the drift check on a schedule as well as on every commit:
Example scheduled pipeline trigger
schedules:
- cron: "0 */6 * * *"
  displayName: Every 6 hours
  branches:
    include:
    - main
  always: true   # run even when no code has changed; otherwise a scheduled run is skipped and drift goes unchecked
This checks for drift automatically several times a day.
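As an added example (not code from the original article), the following script parses the JSON rendering of a plan produced by the scheduled check (`terraform show -json tfplan`) to separate out-of-band drift in Azure from code-driven changes, and emits Azure DevOps logging commands so drift surfaces as a pipeline warning; it illustrates both the comparison described in "How Terraform Helps Detect Drift" and the scheduled check above. The sample plan JSON, resource addresses and the driftDetected variable name are constructed assumptions.

```python
"""Summarise Terraform drift from `terraform show -json tfplan` output.

Assumes Terraform's documented JSON plan format: `resource_drift` lists changes
found when refreshing live Azure resources against the saved state (out-of-band
edits), `resource_changes` lists what applying the code would do. Pair with
`terraform plan -detailed-exitcode` (exit 2 = changes present) to fail fast."""
import json

# Constructed sample: an NSG rule was widened in the Azure Portal (drift), the
# plan reverts it, and the code also changes a storage SKU (not drift).
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_drift": [
        {"address": "azurerm_network_security_rule.rdp",
         "change": {"actions": ["update"],
                    "before": {"source_address_prefix": "10.0.0.0/8"},
                    "after": {"source_address_prefix": "*"}}}],
    "resource_changes": [
        {"address": "azurerm_network_security_rule.rdp",
         "change": {"actions": ["update"],
                    "before": {"source_address_prefix": "*"},
                    "after": {"source_address_prefix": "10.0.0.0/8"}}},
        {"address": "azurerm_storage_account.app",
         "change": {"actions": ["update"],
                    "before": {"account_replication_type": "LRS"},
                    "after": {"account_replication_type": "GRS"}}},
        {"address": "azurerm_resource_group.main",
         "change": {"actions": ["no-op"], "before": {}, "after": {}}}]})

def changed_attributes(change):
    """Return {attribute: (before, after)} for attributes whose value differs."""
    before, after = change.get("before") or {}, change.get("after") or {}
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}

def summarise_plan(plan_json):
    """Split the plan into live-vs-state drift and code-vs-state planned actions."""
    plan = json.loads(plan_json)
    drift = {r["address"]: changed_attributes(r["change"]) for r in plan.get("resource_drift", [])}
    planned = {r["address"]: r["change"]["actions"] for r in plan.get("resource_changes", [])
               if r["change"]["actions"] != ["no-op"]}
    return {"drift": drift, "planned": planned}

def azure_devops_log_lines(summary):
    """Render ##vso logging commands: one warning per drifted resource plus an output variable."""
    lines = []
    for address, attrs in summary["drift"].items():
        detail = "; ".join(f"{k}: {b!r} -> {a!r}" for k, (b, a) in attrs.items())
        lines.append(f"##vso[task.logissue type=warning]Drift in {address}: {detail}")
    # Later stages can gate the controlled apply on this variable.
    lines.append("##vso[task.setvariable variable=driftDetected;isOutput=true]"
                 + ("true" if summary["drift"] else "false"))
    return lines

if __name__ == "__main__":
    print("\n".join(azure_devops_log_lines(summarise_plan(SAMPLE_PLAN_JSON))))
```

In the pipeline, feed the script the output of `terraform show -json tfplan` from the plan step instead of the constructed sample.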
Strategies to Prevent Future Drift
Disable manual changes in Azure Portal by using:
Use Terraform exclusively for provisioning updates.
Enforce code reviews for any Terraform changes.
Maintain separate state files for dev, test, and production.
Implement detailed tagging and naming standards.
Educate teams on IaC best practices.
Best Practices for Drift Management
Always store state in a remote backend
Use State Locking (enabled by default in Azure backend)
Avoid manual hotfixes on cloud resources
Break IaC into a modular structure
Run terraform plan checks frequently
Keep Terraform and provider versions consistent
Conclusion
Managing infrastructure drift is essential for maintaining predictable, secure, and stable cloud environments. By combining Terraform with Azure DevOps, organisations can implement automated drift detection, consistent deployments, and strong governance around infrastructure.
A structured CI/CD pipeline with regular plan checks, manual approvals, and controlled apply steps ensures that the environment always reflects the Terraform source code. This reduces operational risks and improves the reliability of modern applications built with ASP.NET Core, Angular, and SQL Server.