Diff Terraform state against the configuration in HCL and list every drift with file:line references and a suggested resolution.
Runs a refresh-only Terraform plan, parses the JSON output, and produces a markdown table of every drifted resource with file:line citations into the HCL plus a suggested resolution per row.
Inputs: tf_dir, the directory containing the root Terraform module; provider credentials in the environment (AWS_PROFILE, GOOGLE_APPLICATION_CREDENTIALS, etc.), since the skill assumes whichever provider is configured; state_file, the path to a local state file, otherwise remote state is used.
Steps:
1. terraform -chdir=<tf_dir> init -backend=true -input=false.
2. terraform -chdir=<tf_dir> plan -refresh-only -out=drift.tfplan.
3. terraform -chdir=<tf_dir> show -json drift.tfplan > drift.json.
4. Read the resource_drift array from the JSON. Each entry has address, change.actions, change.before and change.after.
5. rg -n "resource \"<type>\" \"<name>\"" <tf_dir> to get the file:line of each drifted resource.
6. Compare before with after and collect the keys whose values differ.
7. If after (real cloud) is correct, suggest terraform apply to bring state in line; if before (state) is correct, suggest reverting the cloud change manually; if ambiguous, mark the row "review".
8. Write drift-report.md containing the table plus a fenced JSON block of the raw drift entries for machine consumption. The exit code distinguishes pass from drift.
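As an added example (not the skill's own code), a Python version of the parse, diff, locate and classify steps above: it reads the resource_drift array, flattens nested attributes so drifted keys are reported as paths such as tags.owner, resolves file:line by scanning *.tf files the way the rg step does, and applies the three-way resolution rule. The plan JSON and HCL are constructed samples, and the per-address decision of whether the cloud value or the state value is correct is assumed to come from the reviewer as a decisions dict.

```python
import re, tempfile
from pathlib import Path
# Constructed `terraform show -json` output; only the resource_drift array is used.
SAMPLE_PLAN = {"resource_drift": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs", "change": {
        "actions": ["update"],
        "before": {"bucket": "logs", "tags": {"env": "prod"}, "versioning": [{"enabled": True}]},
        "after": {"bucket": "logs", "tags": {"env": "prod", "owner": "bob"}, "versioning": [{"enabled": False}]}}},
    {"address": "aws_instance.web[0]", "type": "aws_instance", "name": "web", "change": {
        "actions": ["delete"], "before": {"ami": "ami-placeholder"}, "after": None}}]}
# Constructed HCL so the file:line lookup has something to find.
SAMPLE_TF = 'resource "aws_s3_bucket" "logs" {\n  bucket = "logs"\n}\n\nresource "aws_instance" "web" {\n  count = 1\n}\n'
BLOCK_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"')
# The skill's three outcomes, keyed by "is the cloud value the correct one?" (None = unknown).
RESOLUTION = {True: "terraform apply -refresh-only (accept the cloud value into state)",
              False: "revert the cloud change manually, then re-run plan -refresh-only",
              None: "review"}

def index_resources(tf_dir):  # (type, name) -> "file:line"; the rg step, done over every *.tf file
    index = {}
    for path in sorted(Path(tf_dir).glob("*.tf")):
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            if m := BLOCK_RE.match(line):
                index[(m[1], m[2])] = f"{path.name}:{lineno}"
    return index
def flatten(value, path=""):  # nested maps/lists become single key paths: tags.owner, versioning[0].enabled
    if isinstance(value, dict):
        return {k: v for n, sub in value.items() for k, v in flatten(sub, f"{path}.{n}" if path else n).items()}
    if isinstance(value, list):
        return {k: v for i, sub in enumerate(value) for k, v in flatten(sub, f"{path}[{i}]").items()}
    return {path: value}
def drifted_keys(change):  # key paths whose value differs between change.before (state) and change.after (cloud)
    before, after = flatten(change.get("before") or {}), flatten(change.get("after") or {})
    return sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))
def build_report(plan, tf_dir, decisions=None):  # -> (markdown table, exit code: 0 no drift / 2 drift)
    index, rows = index_resources(tf_dir), []
    for entry in plan.get("resource_drift", []):
        keys = drifted_keys(entry["change"])
        if not keys:  # no attribute actually changed; nothing to report
            continue
        loc = index.get((entry["type"], entry["name"]), "not found in HCL")
        fix = RESOLUTION[(decisions or {}).get(entry["address"])]  # reviewer decision per address, else "review"
        rows.append(f"| {entry['address']} | {loc} | {', '.join(keys)} | {fix} |")
    header = ["| address | file:line | drifted keys | suggested resolution |", "|---|---|---|---|"]
    return "\n".join(header + rows), (2 if rows else 0)
def demo():  # write the constructed HCL to a temp dir and report drift for the constructed plan
    with tempfile.TemporaryDirectory() as tf_dir:
        (Path(tf_dir) / "main.tf").write_text(SAMPLE_TF)
        return build_report(SAMPLE_PLAN, tf_dir, decisions={"aws_s3_bucket.logs": True})
```

Attributes that are absent on one side and null on the other compare equal here, which matches how providers report unset values; a deleted resource shows every before key as drifted and lands in "review" unless a decision is supplied.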
Re-run terraform plan -refresh-only after terraform apply -refresh-only and confirm zero drift entries — a no-op apply confirms the report was accurate. Sample-check three rows by issuing the equivalent cloud API call directly (e.g., aws ec2 describe-instances) and confirm the attribute values match change.after. If they don't, the provider plugin may have stale schema; pin a newer provider version and rerun.
Attributes covered by lifecycle.ignore_changes: exclude them from the table, since that drift is intentional.
Same domains or capabilities as amitte/terraform-drift-reporter.
Read-only AWS surface — list/describe EC2, S3 buckets, IAM users, and Lambda functions. Auth via STS-assumed role; no mutating tools.
Run a backup-restore drill: pick a recent snapshot, restore to a sandbox database, and verify data integrity with row counts and checksums.
Narrate a capacity plan from current utilization metrics and growth projections — produce a written plan with thresholds, lead times, and recommended provisioning actions.
Read-only Cloudflare surface — list zones, DNS records, deployed Workers, and page rules. Auth via scoped API token; no mutating tools.
Identify imports and module-init code that contribute to Cloudflare Worker cold starts and propose lazy-load rewrites.
Read a list of crontab specifications and detect overlapping execution windows that risk resource contention or duplicate work.