Skip to main content
Version: 0.40.0

.driftignore generator

Some people do not have the goal of reaching a 100% IAC coverage with their infrastructure. And for them, driftctl can be annoying to continuously deliver drift notifications on resources they don't care. For this use case, there's a solution.

You can start using driftctl with a clean state, by ignoring all the current resources that are not yet under control. driftctl provides a command to automatically generate a .driftignore file from a previous scan given the type of resources you want to exclude (e.g. unmanaged or missing resources). This command parses a JSON input from a given file and sends output to stdout.

# Append all current drift to .driftignore
$ driftctl scan -o json://stdout | driftctl gen-driftignore

# Print proposed driftignore based on all current drift to stdout
$ driftctl scan -o json://stdout | driftctl gen-driftignore -o -

# Unmanaged resources will be excluded
# In this example, we use a file as an intermediate step instead of piping into
# gen-driftignore
$ driftctl scan --from tfstate://state1.tfstate -o json://result.json
$ driftctl gen-driftignore -i result.json --exclude-unmanaged

You can filter which kind of resource you want to ignore using these flags:

  • --exclude-unmanaged : Exclude resources not managed by IaC
  • --exclude-missing : Exclude resources missing on cloud provider

Using Docker

Run a scan with JSON output enabled:

$ docker run -it --rm \
-v ~/.aws:/root/.aws:ro \
-v $(pwd):/app \
-v ~/.driftctl:/root/.driftctl \
-e AWS_PROFILE=driftctl-demo \
-e AWS_REGION=us-east-1 \
snyk/driftctl scan --from tfstate://**/*.tfstate --output json://drifts.json
[...]

Finally, generate the .driftignore file from the JSON:

$ docker run -it --rm \
-v ~/.aws:/root/.aws:ro \
-v $(pwd):/app \
-v ~/.driftctl:/root/.driftctl \
-e AWS_PROFILE=driftctl-demo \
-e AWS_REGION=us-east-1 \
snyk/driftctl gen-driftignore -i drifts.json
[...]