Ctrlk
Edit

Drift Reconciliation

What is drift?

In Infrastructure as Code (IaC) and cloud operations, drift is when the actual state of your environment diverges from the expected state defined by your intended configuration. Whether that configuration lives in code, policy, or an approved baseline. Drift usually happens when changes occur outside the normal change-management path. Over time, drift increases the risk of surprises, inconsistent environments, failed deployments, and security or compliance gaps because what’s running no longer matches what teams think is running.

What Gomboc Drift Reconciliation does

Gomboc can reconcile drift when it’s notified and provided access to a Terraform plan file. Gomboc will show the exact code changes needed to make your Terraform configuration match what is deployed. This helps you:

  • Keep your code in sync with manual changes

  • Preserve “break-glass” updates made during incident response so they don’t get overwritten later

  • Clearly demonstrate what needs to change back if the drift is unwanted (revert-to-code)

HCP Terraform integration

HCP Terraform (Terraform Cloud) can run health assessments on a workspace to determine whether drift exists. When drift is detected, a webhook notification is sent to Gomboc. Gomboc then uses the plan output to determine the exact updates needed in your IaC and provides the deterministic fix to reconcile the drift.

Integration setup

Step 1: Create an HCP Terraform team token

In HCP Terraform, go to Organization Settings → Authentication Tokens and create a Team Token.

  • Save the token value somewhere secure—you won’t be able to view it again.

Step 2: Create the integration in the Gomboc portal

In the Gomboc Portal, navigate to:

Settings → Integrations → Drift

Create a new drift integration and paste the HCP Terraform Team Token from Step 1.

Step 3: Copy the Webhook URL and HMAC token from Gomboc

After creating the integration, Gomboc will provide:

  • A Webhook URL

  • An HMAC token (shared secret used to sign webhook requests)

You’ll paste both into HCP Terraform in the next steps.

Step 4: Enable health assessments on the HCP Terraform workspace

In HCP Terraform, open the target workspace and navigate to:

Workspace Settings → Health → Enable Health Assessments → Save

This is required for drift detection and drift notifications.

Step 5: Create the HCP Terraform notification (webhook)

In the target workspace, navigate to:

Workspace Settings → Notifications → Create a Notification

Configure:

  • Destination: Generic webhook

  • Webhook URL: paste the Gomboc Webhook URL

  • Token (optional): paste the Gomboc HMAC token (HCP Terraform uses this token to sign webhook payloads).

Under Workspace Events, choose Only certain events, then select:

  • ✅ Drift detected

Under Run Events, select No events (unless you also want run lifecycle notifications).

Click Create a notification.

Reconciliation steps

Step 1: Find the drift event in the Gomboc Portal

In Gomboc:

  • Go to Drift page

  • Open the workspace associated with the drift

  • Select the most recent drift run from the workspace details page run history

Step 2: Review the proposed reconciliation changes

  • Click on the drift run and Gomboc will show the exact IaC edits needed to make your Terraform configuration match what’s deployed

Step 3: Generate a PR with “Deliver fixes”

  • Click Deliver fixes to create a side PR containing the reconciliation changes

Step 4: Verify drift is resolved

Run Start health assessment again in HCP Terraform and confirm the workspace returns to a healthy/no-drift state

PreviousPolicy Sets: Backup & Version Control via APINextData Architecture & Flows

Last updated