Skip to content

docs: add Terraform drift detection tutorial#300

Merged
gsavage merged 8 commits into
mainfrom
mintlify/9dc5c128
Jul 3, 2026
Merged

docs: add Terraform drift detection tutorial#300
gsavage merged 8 commits into
mainfrom
mintlify/9dc5c128

Conversation

@mintlify

@mintlify mintlify Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Adds a new tutorial covering Terraform drift detection with Kosli, based on the source Google Doc.

What's new

  • tutorials/terraform_drift_detection.mdx — full tutorial covering:
    • The two-mechanism model (statefile provenance + reconciliation via plan)
    • A vendor-neutral DIY detector with a complete GitHub Actions example
    • Hardening pitfalls (monitor the monitor, IaC coverage, race conditions, cadence, least privilege)
    • Turning detection into audit-grade evidence via Kosli Environment attestation
    • Walkthrough of the kosli-dev/tf reference wrapper and reusable workflows
    • Adapting to other CI systems and an implementation checklist
  • Nav entry added under Tutorials → Security, next to the existing "Detecting unauthorized Terraform changes" tutorial.

Live page will be at /tutorials/terraform_drift_detection.


Generated by Mintlify Agent.

Requested by: graham@kosli.com via Slack
Mintlify session: slack_1775036725.228749_D0AM66349C1

@mintlify mintlify Bot requested a review from a team as a code owner July 1, 2026 14:46
@claude

claude Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Claude finished @gsavage's task in 2m 22s —— View job


Review of PR #300 — Terraform drift detection tutorials

  • Read changed files and gather context
  • Verify navigation config
  • Check links, spelling, and conventions
  • Post review findings

Summary

This PR replaces the single hands-on unauthorized_iac_changes.md tutorial with two focused, production-oriented pages — one per drift type — and does the housekeeping well. After multiple revision rounds, the previous review findings (British spellings, missing name:/on: block) have all been addressed.

What looks good

  • Clean split. Each page covers one drift mechanism with a clear "why the other detector can't see this" framing. The cross-references between the two pages are solid.
  • Navigation and redirects. Both new pages are in config/navigation.json under Security. Redirects cover both the old URL (/tutorials/unauthorized_iac_changes) and the intermediate single-page URL (/tutorials/terraform_drift_detection).
  • Cleanup. Orphaned images (authorized-iac-change.png, unauthorized-iac-change.png) are removed. No dangling references remain.
  • All internal links are root-relative and point to files that exist. No relative links.
  • American spelling — all previous British spelling findings (recognise, unauthorised, licence, unrecognised) are resolved.

Remaining findings

All minor — nothing blocking.

Category File Finding
Suggestion detecting_non_terraform_changes.mdx:6-11 Shared intro block is nearly identical across both pages. Could be a snippets/ fragment if maintenance surface matters, but fine as-is for standalone readability.
Suggestion config/redirects.json:6-9 The /tutorials/terraform_drift_detection redirect lands on the "non-Terraform changes" page. Readers who bookmarked the old single-page tutorial might expect to also see statefile-provenance content. The cross-link in the intro mitigates this.
Note The old page was a runnable hands-on tutorial (clone repo, create flow, run commands). The new pages are architectural/operational guides referencing kosli-dev/tf. This is a deliberate content shift — worth confirming that the hands-on tutorial content isn't needed elsewhere (e.g., a quickstart or getting-started flow).

Verdict

Solid restructuring. The two pages are well-written, cross-linked, and correctly wired into nav and redirects. Previous review feedback has been incorporated. No critical or blocking issues remain.

Comment thread tutorials/terraform_drift_detection.mdx Outdated
Comment thread tutorials/terraform_drift_detection.mdx Outdated
Comment thread tutorials/terraform_drift_detection.mdx Outdated
Comment thread tutorials/terraform_drift_detection.mdx Outdated
Comment thread tutorials/terraform_drift_detection.mdx Outdated
Comment thread tutorials/terraform_drift_detection.mdx Outdated
@mintlify

mintlify Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
kosli 🟢 Ready View Preview Jul 1, 2026, 2:52 PM

Comment thread tutorials/terraform_drift_detection_diy.mdx Outdated
Comment thread tutorials/terraform_drift_detection_kosli.mdx Outdated
Comment thread tutorials/terraform_drift_detection_kosli.mdx Outdated
Comment thread tutorials/terraform_drift_detection_kosli.mdx Outdated
Comment thread tutorials/terraform_drift_detection_kosli.mdx Outdated
Comment thread tutorials/terraform_drift_detection_kosli.mdx Outdated
Comment thread tutorials/detecting_unexpected_statefile_changes.mdx
gsavage added 3 commits July 3, 2026 14:34
Makes the caller workflow snippet a complete, copy-pasteable file, matching
the sibling example in detecting_non_terraform_changes.mdx.
The latest implementation avoids the race entirely, so the caveat no longer
applies.
authorized-iac-change.png and unauthorized-iac-change.png were only used in
the outdated drift detection page deleted earlier on this branch.
Comment thread tutorials/detecting_non_terraform_changes.mdx
Comment thread tutorials/detecting_non_terraform_changes.mdx
@@ -0,0 +1,134 @@
---
title: Detecting unexpected statefile changes
description: Detect Terraform applies that bypass CI by attesting statefile provenance into a Kosli Environment — the class of drift a scheduled plan can never see.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: Same as the sibling page — an icon field in frontmatter (e.g. icon: "file-shield") would add visual polish in the nav.

Comment on lines +6 to +11
<Tooltip tip="Drift occurs when infrastructure diverges from the desired state defined in your version-controlled Terraform config.">Terraform drift</Tooltip> comes in two distinct types, and each is invisible to a detector built for the other:

1. **Unexpected statefile changes** — someone runs `terraform apply` outside your pipeline, so the statefile and the world still agree and a plan comes back empty. See [Detecting unexpected statefile changes](/tutorials/detecting_unexpected_statefile_changes).
2. **Non-Terraform changes** — someone edits the world directly via the cloud console, API, or CLI: a hotfix in the console, a partial apply failure, an out-of-band automation. Reality no longer matches the statefile, so a `terraform plan` catches it. This page covers detecting this type.

Both pages implement Kosli's [Drift Detection](https://sdlc.kosli.com/controls/runtime/drift_detection/) control (SDLC-CTRL-0018), a detective control that mitigates configuration drift risk under our secure SDLC framework.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: The intro block (lines 6–11) is nearly identical across both new pages. Fine for standalone reading, but if maintenance surface is a concern, a snippets/ fragment could DRY it up. Minor — the cross-referencing is well done either way.

Comment thread config/redirects.json
Comment on lines +6 to +9
{
"source": "/tutorials/terraform_drift_detection",
"destination": "/tutorials/detecting_non_terraform_changes"
},

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Improvement: The redirect from the intermediate URL (/tutorials/terraform_drift_detection) lands on the "non-Terraform changes" page. A reader who bookmarked the old single-page tutorial might expect to see the statefile-provenance content too. Consider whether a short landing page or a redirect to a parent group would be friendlier — or at minimum, the target page's intro already cross-links to the sibling, which mitigates this. Noting for awareness.

@gsavage gsavage merged commit bb969d0 into main Jul 3, 2026
6 checks passed
@gsavage gsavage deleted the mintlify/9dc5c128 branch July 3, 2026 13:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants