Skip to main content
Ai promptsTerraform promptsDevops promptsAgent prompts

A Terraform Drift Detection Prompt That Categorizes and Remediates

Build a reusable Terraform drift detection prompt that categorizes drift and emits a remediation contract. Copy the prompt and run it on any plan output.

PPromptsCart Team·July 5, 2026·Updated July 5, 2026·7 min read

Someone fixed a production issue by bumping an autoscaling limit in the AWS console at midnight. Three weeks later a routine terraform apply quietly reverts it, and the incident comes back. That's infrastructure drift, and the gap between detecting it and safely fixing it is where a terraform drift detection prompt earns its keep: it reads the plan output, explains why each resource drifted, and tells you whether to import, apply, or leave it alone.

What ranks for this query is mostly vendor academy content pushing a drift-management platform, plus one generic prompt list with no structure. The platforms work if you buy in. A reusable prompt does the interpretation layer on whatever plan output you paste, in any model, without a new tool in the stack.

Drift detection versus drift interpretation

A clarifying point that the vendor posts blur: terraform plan already detects drift. It tells you what differs between state and reality. What it doesn't tell you is why, or what to safely do about it. A 600-line plan with 40 changed resources is detection. Knowing that 35 of those are harmless autoscaling noise and five are a console change you need to import is interpretation.

The prompt does interpretation. It categorizes each drifted resource by likely source, then routes it to a remediation action. That categorization is the whole value, because the remediation depends entirely on the cause.

Strong opinion: never let a drift prompt recommend apply by default. The safe default for unexplained drift is investigate, not reconcile. A prompt that cheerfully says "run apply to fix" on a resource someone changed by hand to mitigate an outage is how you re-break production. Make apply the exception the prompt has to justify, not the reflex.

What you can do with this prompt

  • Read raw terraform plan output and rank drifted resources by risk
  • Categorize each drift: console change, autoscaling, external automation, or unknown
  • Recommend a remediation per resource: import, apply, ignore, or investigate
  • Flag any diff containing a deletion so it never gets an auto-apply verdict
  • Summarize a noisy plan into a short "what actually changed" brief
  • Draft the change-ticket description for the resources you choose to remediate

Anatomy of the drift prompt

Variables → Prompt → Output

{{plan_output}}        raw `terraform plan` text
{{known_automation}}   systems allowed to change infra (autoscaler, etc.)
{{environment}}        prod / staging
{{change_window}}      recent manual changes the team is aware of

→ Categorization rubric + remediation refusal boundary →

→ Output contract (per resource):
   Resource: <address>
   Drift category: console | autoscaling | automation | unknown
   Risk: high | medium | low
   Remediation: import | apply | ignore | investigate
   Why: <one line>

The contract is per-resource and capped at a line each, so a 40-resource plan comes back as a scannable table instead of an essay. The remediation field is constrained to four values on purpose. A free-text recommendation invites the model to suggest something clever and wrong.

Step-by-step usage

1. Gather inputs

Run terraform plan and capture the full output. Paste it into {{plan_output}} raw. List the systems allowed to mutate infra in {{known_automation}} so the prompt can tell legitimate autoscaling from a real surprise.

2. Fill variables

Set {{environment}}. Prod drift and staging drift get different risk weights, and the prompt should know which it's reading. Add any manual changes the team made recently to {{change_window}} so they're categorized as console changes, not unknowns.

3. Run the prompt

Low temperature. Drift categorization is a classification task, and you want the same plan to produce the same verdicts so two engineers reading it agree.

4. Post-process

Read every resource the prompt marked "unknown" or "investigate". Those are the real findings. The autoscaling and known-automation rows are noise you can skim. Inverting that attention is the common mistake.

5. Iterate

If too much lands as "unknown", your {{known_automation}} list is incomplete. Add the systems that legitimately touch infra and rerun. You're teaching the prompt your environment, not rewriting it.

Prompt-craft patterns that matter here

The deletion guardrail. This is the refusal boundary that keeps the prompt safe.

Never recommend "apply" on a resource whose diff includes a destroy or
replace action, or whose drift category is "unknown". Route both to
"investigate" with a one-line reason. Apply is only valid for low-risk
drift with a known, benign category.
Investigate is the safe default, not apply

A drift prompt that defaults to "run apply to reconcile" will eventually revert a hand-applied fix from a live incident and bring the outage back. Make the prompt justify every apply recommendation and route anything unexplained or destructive to investigate. The safe default costs you a few minutes of review and saves you a repeat incident.

The category-before-risk ordering. Categorize the drift source first, then assign risk, because risk depends on category. Autoscaling drift in prod is low risk; an unknown console change in prod is high. If the model grades risk before it figures out the cause, the risk scores are guesses.

Plans read differently across models

Claude handles a long {{plan_output}} against a heading-based per-resource contract without losing the format on resource 30. GPT-4o tends to truncate or summarize a very long plan unless you instruct it to process every resource and restate the contract after the plan text. Both categorize accurately once the rubric is explicit; the difference is how much plan they hold before drifting from the format.

Variables you'll set

VariableRequiredWhat it is
{{plan_output}}YesRaw terraform plan text
{{known_automation}}NoSystems allowed to mutate infra
{{environment}}Yesprod or staging
{{change_window}}NoRecent manual changes the team knows about

Getting started

  1. Run terraform plan and copy the full output.
  2. Paste it into {{plan_output}} and set {{environment}}.
  3. List your known automation systems so legit drift is categorized.
  4. Run the prompt at a low temperature.
  5. Read the "unknown" and "investigate" rows first; skim the rest.
  6. Remediate only the resources with a justified verdict.
  7. For ongoing drift checks, start from the Infrastructure Drift Detection Harness.
Browse the drift detection prompt

A one-off drift read is a copied prompt. A weekly drift sweep across several state files is where the harness pays off, because the categorization rubric and the deletion guardrail are already enforced and don't drift themselves.

Skip the setup

The Infrastructure Drift Detection Harness does this end-to-end: the {{plan_output}} variable feeds a core prompt with the categorization rubric and the deletion-guardrail refusal boundary, plus a companion prompt that drafts the remediation change ticket for the resources you approve. It's part of The Complete AI Prompts Bundle, a one-time lifetime license to the whole catalog (plus every pack added later) if you run more than one of these jobs.

Get the Infrastructure Drift Detection Harness

Drift that caused an outage feeds straight into a writeup, so this pairs with the blameless incident postmortem prompt. Instrumenting the services where drift bites is the next layer, covered in the observability instrumentation prompt, and the Observability Instrumentation Harness ships that contract ready to run.

Browse all developer prompt packs
FAQ

Common questions

What is a Terraform drift detection prompt?
A Terraform drift detection prompt is a reusable instruction that reads terraform plan output and categorizes each drifted resource: console change, autoscaling, external automation, or unknown. It then emits a remediation verdict for each (import, apply, ignore, or investigate) in a fixed output contract.
Can an AI prompt detect drift on its own?
The prompt doesn't detect drift; terraform plan does. The prompt interprets the plan output, categorizes why each resource drifted, and recommends a remediation action. It turns a long, noisy plan into a ranked, explained verdict you can act on without reading every diff.
How do you stop the prompt from recommending a destructive apply?
Add a refusal boundary that forbids recommending apply on any resource whose drift category is unknown or where the diff includes a deletion. Those route to investigate instead, so the prompt never hands you a one-click remediation that could wipe a manually fixed resource.
Stop reading. Start shipping.

Get the prompt packs this guide is built on

Ready-to-paste prompts with documented variables and worked examples for ChatGPT, Claude, and Gemini. One-time payment, own it forever.