Version: 0.8.0


$ driftctl scan [OPTIONS]
$ driftctl scan --from tfstate+s3://terraform.tfstate --to github+tf --output console://


Scan resources from the input Terraform statefile and compare it to your current profile infrastructure.




Currently, driftctl only supports reading IaC from a Terraform state. We are investigating to support the Terraform code as well, as a state does not represent an intention.


Multiple states can be read by passing --from flags


# I want to read a local state and a state stored in an S3 bucket:
$ driftctl scan \
--from tfstate+s3://statebucketdriftctl/terraform.tfstate \
--from tfstate://terraform_toto.tfstate
# You can also read all files under a given prefix for S3
$ driftctl scan --from tfstate+s3://statebucketdriftctl/states
# In a given local folder
# driftctl will recursively use all files under this folder.
# N.B. Symlinks under the root folder will be ignored.
# If the folder itself is a symlink it will be followed.
$ driftctl scan --from tfstate://my-states/directory
# Only match state files in that directory
$ driftctl scan --from tfstate://my-states/directory/*.tfstate
# Using glob pattern to recursively use any *.tfstate file.
$ driftctl scan --from tfstate://path/to/**/*.tfstate
$ driftctl scan --from tfstate+s3://path/to/**/*.tfstate
# We also support HTTP(s) URLs with authentication
# the tool will fetch the file from the given URL
# You can use the --headers option if you need to add extra headers to the request (e.g: for authentication purposes)
$ driftctl scan --from tfstate+ --headers 'Authorization=Basic ...; X-Custom-Header=value'
# You can also read the current state for a given workspace from Terraform Cloud/Enterprise
# Don't forget to provide your Terraform Cloud API token
$ driftctl scan --from tfstate+tfcloud://$WORKSPACE_ID --tfc-token $TFC_TOKEN

Supported IaC sources#

  • Terraform state
  • Local: --from tfstate://terraform.tfstate
  • S3: --from tfstate+s3://my-bucket/path/to/state.tfstate
  • HTTPS: --from tfstate+https://my-url/state.tfstate
  • Terraform Cloud / Terraform Enterprise: --from tfstate+tfcloud://WORKSPACE_ID

You can use any unsupported backend by using terraform to pipe your state in a file and then use this file with driftctl:

$ terraform state pull > state.tfstate
$ driftctl scan --from tfstate://state.tfstate


driftctl needs read-only access so you could use the policy below to ensure minimal access to your state file.

"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mybucket"
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/path/to/my/key"

HTTP + GitLab#

The HTTP backend supports the GitLab managed Terraform State using their API.

All you need is a GitLab repository that contains a Terraform state and an access token with the read_api scope.

Here's what the command looks like:

$ GITLAB_TOKEN=<access_token> \
driftctl scan \
--from tfstate+<project_id>/terraform/state/<path_to_state> \
--headers "Authorization=Bearer ${GITLAB_TOKEN}"

You can find more information about the GitLab managed Terraform State on the GitLab documentation website.


driftctl supports multiple kinds of output formats and by default uses the standard output (console).


Environment: DCTL_OUTPUT


$ driftctl scan
$ driftctl scan --output console://
$ DCTL_OUTPUT=console:// driftctl scan


Found missing resources:
- driftctl-bucket-test-2
Found resources not covered by IaC:
- driftctl-bucket-test-3
Found changed resources:
- driftctl-bucket-test-1 (aws_s3_bucket):
~ Versioning.0.Enabled: false => true
Found 3 resource(s)
- 33% coverage
- 1 covered by IaC
- 1 not covered by IaC
- 1 missing on cloud provider
- 1/1 changed outside of IaC



$ driftctl scan --output json:///tmp/result.json # Will output results to /tmp/result.json
$ driftctl scan --output json://result.json # Will output results to ./result.json
$ driftctl scan --output json://stdout # Will output results in json to stdout directly
$ DCTL_OUTPUT=json://result.json driftctl scan


"summary": {
"total_resources": 3,
"total_changed": 1,
"total_unmanaged": 1,
"total_missing": 1,
"total_managed": 1
"managed": [
// list of resources found in IaC and in sync with remote
"id": "driftctl-bucket-test-1",
"type": "aws_s3_bucket"
"unmanaged": [
// list of resources found in remote but not in IaC
"id": "driftctl-bucket-test-3",
"type": "aws_s3_bucket"
"missing": [
// list of resources found in IaC but not on remote
"id": "driftctl-bucket-test-2",
"type": "aws_s3_bucket"
"differences": [
// A list of changes on managed resources
"res": {
"id": "driftctl-bucket-test-1",
"type": "aws_s3_bucket"
"changelog": [
"type": "update", // Kind of change, could be one of update, create, delete
"path": [
// Path of the change, sorted from root to leaf
"from": false, // Mixed type
"to": true // Mixed type
"coverage": 33

Computed Fields#

From Terraform documentation, a computed field is often used to represent values that are not user configurable or can not be known at time of terraform plan or apply.

Since those values are not known ahead of time from terraform point of view, it is obviously possible that the values displayed in a terraform state file are not up-to-date and may require a terraform refresh.

Thus, it could be possible that driftctl finds drifts that are considered false positives because of those outdated values.

We decided to output computed fields and to display a message at the end of the scan to remind you of this behavior.

Found changed resources:
- eipalloc-0e2894d8ea42851df (aws_eip):
~ AssociationId: "" => "eipassoc-0ee67e1ca759733a2" (computed)
~ Instance: "" => "i-004611704837fd09a" (computed)
~ NetworkInterface: "" => "eni-0a62972b0471447f6" (computed)
~ PrivateDns: <nil> => "" (computed)
~ PrivateIp: "" => "" (computed)
Found 1 resource(s)
- 100% coverage
- 1 covered by IaC
- 0 not covered by IaC
- 0 missing on cloud provider
- 1/1 changed outside of IaC
You have diffs on computed fields, check the documentation for potential false positive drifts


driftctl supports multiple providers. By default it will scan against AWS, but you can change this using --to.


Environment: DCTL_TO

$ driftctl scan --to PROVIDER+TYPE
# examples:
$ driftctl scan --to aws+tf
$ DCTL_TO=github+tf driftctl scan

Supported Providers#

driftctl supports these providers:

  • github+tf
  • aws+tf


This flag prevents stdout to be use for anything but the scan result.


When running driftctl against an AWS account, you may experience unnecessary noises with resources that don't belong to you. It can be the case if you have an organization account in which you will by default have a service-linked role associated to your account (e.g. AWSServiceRoleForOrganizations). For now, driftctl ignores those service-linked resources by default.

If you still want to include those resources in the report anyway, you can enable the strict mode.

For now, resources include:

  • Service-linked AWS IAM roles, including their policies and policy attachments


# Enable the strict mode
$ driftctl scan --strict