View IaC Drifts

 For mapped resources, your IaC code configuration might differ from that on the cloud, which raises an IaC or a code-to-cloud drift. IaC drifts happen only on mapped resources.

If the tfstate (Terraform state) file is provided via the file or URL, Tenable Cloud Security can accurately map between the IaC and cloud resources. The tfstate data file includes unique IDs (ARNs/resource IDs) that can be used to link an IaC resource with a cloud resource.

If the tfstate file is not available, Tenable Cloud Security first creates a fingerprint for each IaC resource for matching against cloud resources. The fingerprint is sampled from multiple resource attributes, and the attributes used to form each fingerprint differ between resource types. By default, the following attributes are used for resources for each cloud provider:

  • AWS: Resource Type + Name Tag

  • Azure: Resource Type + Resource Group + Resource Name

  • GCP: Resource Type + Project + Name

  • Kubernetes: Resource Type + Namespace + Name

Mapping resources can be complex in larger environments since IaC to cloud resources can be many-to-many relationships. For example,

  • IaC utilizing Terragrunt or Kustomize represents one-to-many IaC-to-Cloud relationship, since many different resources can be created using a single resource definition.

  • When considering multiple repository (Git) branches, it is possible that many versions of an IaC resource correspond to a single cloud resource.

To view the code to cloud drift:

  1. In the left navigation bar, click Resources.
    The Resources page appears.

  2. Click the Resources with Drift tab.

    The list of all resource types with drifts appears.

  3. Click the Filters icon.
    The list of available resource filters appears.

  4. In the Compliance state section, select Has IaC Drifts.

  5. (Optional) Use the following filter options to further filter the resource types:

    • Projects — Filters by project names.

    • Cloud Accounts — Filters by cloud accounts.

    • Repository — Filters by repositories.

    • K8s clusters — Filters by Kubernetes clusters.

    • Source — Filters by types: IaC, Cloud, State File, Mapped (IaC & Cloud).

    • Insights — Filters by the types of violations found: Exposed blob stores, Exposed databases, Read/write IAM, and Exposed security groups.

    • Compliance State — Filters by compliance states: Has Violations, Has IaC Drifts, and Has Cloud Drifts.

    • Resource Type — Filters by resource types.

    • VPC Filter — Filters by VPC source.

  6. Select the required filters and click Apply.

    Tenable Cloud Security shows the results on the Resources page.

  7. Click the resource type that you want to view.
    All resources with drift for that resource type appear.

  8. Click the resource ID that you want to view.
    The Resource Details tab appears.

  9. Click Drifts.
    Tenable Cloud Security shows the comparison of the IaC code and cloud code mapping.

  10. Click the Drift values filter to select the type of drift:

    • Computed — Configuration that is computed at run time. For example, IaC does not have a value for ARN, but the cloud equivalent configuration usually has an ARN value. In this case, the ARN might show as Computed on the IaC side or not show at all.
    • Missing in IaC — Configuration that does not exist in IaC, but exists in the cloud. Therefore, it is a new parameter added or modified in the cloud.

    • Missing in Cloud — Configuration that was configured in IaC, but Tenable Cloud Security could not find a match for it in the cloud. The configuration could be missing due to some of the following reasons:

      • The IaC configuration was not pushed and therefore, the configuration was not propagated to the cloud.

      • The IaC configuration does not have an equivalent cloud value.

      • Someone disabled or removed the configuration from the cloud.