Terraform Drift Detection CLI

Catch infrastructure drift before it catches you.

TerraLock is a Go-based command-line tool that compares your live AWS infrastructure against your Terraform source of truth — surfacing unmanaged resources and generating ready-to-use Terraform blocks to close the gap.

About The Project

Infrastructure drift happens when live cloud resources diverge from their Terraform definitions — through manual console changes, failed teardowns, or out-of-band automation. TerraLock automates the detection process: it fetches your Terraform config directly from GitHub, scans your live AWS EC2 instances, and produces a diff report with generated Terraform blocks for any unmanaged resources found. The result is faster remediation and a reliable, auditable path back to infrastructure-as-code.

How TerraLock Works

Step 1 — Fetch

Pull from GitHub

Point TerraLock at a GitHub repo and it pulls your .tf files directly — no local checkout needed.

Step 2 — Parse

Extract Resources

Your Terraform is parsed using HashiCorp's HCL library, extracting every declared resource into a structured list.

Step 3 — Scan

Query Live AWS

TerraLock queries AWS live across EC2, Security Groups, IAM Roles, S3 Buckets, and VPCs.

Step 4 — Compare

Detect Drift

Live resources are checked against your Terraform declarations. Anything in AWS but not in code is flagged as drift.

Step 5 — Generate

Build Fix Files

Each missing resource is converted into a valid, ready-to-import .tf block with all attributes populated.

Step 6 — Fix

Resolve Drift

Drop the generated file into your repo and run terraform import; the drift is resolved.
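The compare and generate steps (4 and 5) as an added Go example, not TerraLock's own code: the parsed declarations and live instances are constructed structs standing in for the HCL parser and AWS SDK v2 output, and matching a live instance to a declaration by its Name tag is an assumption made here, since the page does not say which key the compare step uses.

```go
package main

import (
	"fmt"
	"strings"
)

// Declared is one resource as extracted by the HCL parsing step. Matching
// live instances to declarations by Name tag is this example's assumption.
type Declared struct{ Type string; Tags map[string]string }

// LiveInstance is the part of an EC2 DescribeInstances result that is compared
// (a constructed shape, not the AWS SDK v2 type).
type LiveInstance struct{ ID, AMI, InstanceType, Name string }

// FindDrift returns live instances no declared aws_instance accounts for;
// untagged instances can never match a declaration and are always reported.
func FindDrift(declared []Declared, live []LiveInstance) []LiveInstance {
	managed := map[string]bool{}
	for _, d := range declared {
		if d.Type == "aws_instance" && d.Tags["Name"] != "" {
			managed[d.Tags["Name"]] = true
		}
	}
	var drift []LiveInstance
	for _, inst := range live {
		if inst.Name == "" || !managed[inst.Name] {
			drift = append(drift, inst)
		}
	}
	return drift
}

// RenderBlock emits a ready-to-import aws_instance block for one unmanaged
// instance, followed by the matching terraform import command as a comment.
func RenderBlock(inst LiveInstance) string {
	label := "drift_" + strings.ReplaceAll(inst.ID, "-", "_") // valid HCL label
	tags := ""
	if inst.Name != "" {
		tags = fmt.Sprintf("  tags = {\n    Name = %q\n  }\n", inst.Name)
	}
	return fmt.Sprintf("resource \"aws_instance\" %q {\n  ami           = %q\n  instance_type = %q\n%s}\n# terraform import aws_instance.%s %s\n",
		label, inst.AMI, inst.InstanceType, tags, label, inst.ID)
}

func main() { // constructed sample: the declared web-1 box is covered, the other is drift
	declared := []Declared{{Type: "aws_instance", Tags: map[string]string{"Name": "web-1"}}}
	live := []LiveInstance{{"i-0fffffff", "ami-0c0ffee", "t3.micro", "web-1"}, {"i-0a1b2c3d", "ami-0c0ffee", "t3.micro", ""}}
	for _, inst := range FindDrift(declared, live) {
		fmt.Print(RenderBlock(inst))
	}
}
```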

Technologies

Go: language
Cobra: CLI framework
AWS SDK v2: resource scanning
GitHub CLI: repo fetch
Terraform: IaC target
HCL Parser: config parsing

Demonstration

$ ./terralock scan \
  --repo Ryan-Dunne/TerraLock \

# Step 1 — fetch Terraform from GitHub
✔ gh-output-20260420-143201.tf written

# Step 2 — scan live AWS EC2 instances
✔ 4 running instances found

# Step 3 — compare against Terraform
⚠ i-0a1b2c3d: not in Terraform
⚠ i-0e4f5a6b: not in Terraform

# Step 4 — write remediation file
✔ missing-from-tf-20260420-143205.tf written

How It Works

terralock scan compares live cloud resources against declared Terraform configurations to surface all unmanaged resources.

The "scan" command outputs a .tf file containing generated Terraform Resource blocks ready to import or apply.

Future Features

More Resource Types
Nested Resource Support
CI/CD Integration
Grafana Alerts
Multiple Regions
Auto Import to Terraform Files

The Team

Ryan Dunne

Final Year Student @ SETU Carlow

Supervisor: Jamal Tauseef.
