Managing infrastructure drift doesn't always start with your code. Changes are often made directly to cloud resources, whether through urgent security hotfixes, manual fixes, or automated optimization and security tools. To ensure your Infrastructure as Code stays fully aligned, env0 now suggests a pull request based on those cloud-side changes, allowing you to easily review, merge, and sync your environments.
This enhancement expands drift remediation to cover the full lifecycle: detecting drift, analyzing its source, and giving you the flexibility to either align the cloud with your code or update your code to reflect changes made directly in the cloud, all handled manually or automatically based on your policies.
Configuration Drift vs. Cloud Drift
Configuration drift happens when your Infrastructure as Code no longer matches what is running in the cloud. Cloud drift is a common cause of configuration drift and refers to changes made directly to cloud resources outside the normal IaC workflow. In practice, teams deal with both. The important part is having drift detection and configuration drift management that can reconcile either direction.
Why It Matters
Infrastructure environments are dynamic by nature. While the best practice is to make all changes through Infrastructure as Code, reality doesn't always follow the ideal. Urgent fixes, security updates, or automated tools often introduce changes directly in the cloud.
To keep your environments consistent and reliable, env0 now expands drift remediation beyond just redeploying your code. When changes are made directly in the cloud, whether manually or by automated systems, you can choose to update your code to reflect them. This can be done automatically or with manual review, giving you the flexibility to decide how to manage each situation.
Handling Out of Band Changes
Out of band changes are updates made outside your Infrastructure as Code workflow, for example clicking in the cloud console, applying a hotfix during an incident, or changes introduced by external automation. These changes are often valid in the moment, but they create configuration drift over time. Configuration drift management is about keeping your desired state and actual state aligned, without losing visibility into what changed and why.
How It Works
Before diving into remediation, it helps to clearly separate automated drift detection from drift remediation. Drift detection identifies differences between your IaC and the live environment. Drift remediation is the action you take after drift is found. env0 now supports both directions of remediation, so you can choose the outcome that fits the context.
When env0 detects drift between your Infrastructure as Code and the live cloud environment, it analyzes the difference and uses AI to generate code changes that reflect the current state of your infrastructure while preserving your existing structure and conventions.
You can choose how to reconcile the drift:
- Redeploy your code: Apply your current codebase to bring the infrastructure back to its intended state.
- Update your code: env0 rewrites only the relevant blocks, whether standalone resources or modules, and generates the necessary changes as a pull request in your connected version control system. You can review and merge the PR manually or configure it to be applied automatically based on policy.
What Happens When You Choose Update Your Code
When you choose to update your code, env0 analyzes the detected drift and generates updated Terraform code that reflects the live cloud state. Only the affected resources or module blocks are modified, preserving your existing structure and conventions. The changes are committed to a new branch and opened as a pull request in your connected version control system.
This closes the loop for configuration drift management by keeping the repository aligned with cloud side changes.
env0 generates a pull request that summarizes the infrastructure differences that triggered the update.

When you inspect the diff, you’ll see exactly which lines were changed to bring your code in line with the live environment.

This flexibility enables you to choose whether to enforce the state defined in your code or adapt it to reflect what’s currently running, depending on the context of the change.
Automated Drift Detection and Remediation
Automated drift detection is only useful if remediation is predictable. env0 lets you choose what happens when drift is found, and you can apply policies so remediation behavior matches the environment type. For example, you may prefer strict enforcement in production and more flexibility in development environments.
You can also configure env0 to take action automatically based on your policies. The following options are available for automated drift remediation:
- Disabled – No automatic action is taken when drift is detected. You'll receive a notification, but resolution is manual.
- Sync Cloud to match Code – env0 automatically applies the changes from your IaC code to the cloud, resolving drift by deploying the current configuration.
- Sync Code to match Cloud – env0 automatically opens a pull request to update your codebase to reflect the cloud state, syncing from the infrastructure back to the repository.
- Smart Remediation – The direction of remediation follows where the change originated:
  - When a change is detected in the cloud (e.g., a manual update or external automation), env0 generates the necessary code changes and opens a pull request to update the code.
  - When a change is detected in the codebase (e.g., a merge to main that hasn't been applied), env0 automatically runs a deployment to apply it to the cloud.
env0 links all actions and pull requests to the affected environment, giving you full visibility and control over every change.
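To make the two-direction model and the policy options above concrete, here is an added toy implementation (not env0's code, which uses AI to rewrite the real Terraform files): it diffs a Terraform-style JSON config against a live read-back, picks an action from the policy and the change's origin, and, for the "open a pull request" path, rewrites only the drifted attributes and builds a PR-style summary. The security group sample, the policy names and the `remediate` function are all constructed for this example.

```python
import copy
# Constructed sample (not env0 data). Desired state is a Terraform-style JSON config
# {"resource": {type: {name: attrs}}}; live state is a flat {(type, name): attrs} map.
# The code allows ports 22 and 443, but a security tool closed port 22 in the cloud.
DESIRED = {"resource": {"aws_security_group": {"web": {
    "name": "web-sg", "ingress_ports": [22, 443], "description": "web tier"}}}}
LIVE = {("aws_security_group", "web"): {
    "name": "web-sg", "ingress_ports": [443], "description": "web tier"}}

def detect_drift(desired, live):
    """Return {(type, name): {attr: (code_value, cloud_value)}} for drifted attrs only."""
    drift = {}
    for rtype, instances in desired["resource"].items():
        for name, attrs in instances.items():
            actual = live.get((rtype, name), {})  # a deleted resource drifts to None
            changed = {k: (v, actual.get(k)) for k, v in attrs.items() if actual.get(k) != v}
            if changed:
                drift[(rtype, name)] = changed
    return drift

def choose_action(policy, origin):
    """Map the remediation policy and change origin ('cloud' or 'code') to an action."""
    fixed = {"disabled": "notify",             # reported only, resolution stays manual
             "sync_cloud_to_code": "deploy",   # re-apply the declared state to the cloud
             "sync_code_to_cloud": "open_pr"}  # rewrite the code to match the cloud
    if policy == "smart":                      # direction follows where the change came from
        return "open_pr" if origin == "cloud" else "deploy"
    if policy not in fixed:
        raise ValueError(f"unknown policy {policy!r}")
    return fixed[policy]

def update_code(desired, drift):
    """Rewrite only the drifted attributes; every other block keeps its structure."""
    updated = copy.deepcopy(desired)
    for (rtype, name), changed in drift.items():
        for attr, (_code, cloud) in changed.items():
            updated["resource"][rtype][name][attr] = cloud
    return updated

def remediate(desired, live, policy, origin):
    """Detect drift, pick an action, and attach the code patch plus a PR-style summary."""
    drift = detect_drift(desired, live)
    if not drift:
        return {"action": "none"}
    result = {"action": choose_action(policy, origin),
              "summary": [f"{t}.{n}: {a} {c!r} -> {cl!r}" for (t, n), ch in drift.items()
                          for a, (c, cl) in ch.items()]}
    if result["action"] == "open_pr":
        result["updated_config"] = update_code(desired, drift)
    return result
```

Running `remediate(DESIRED, LIVE, "smart", "cloud")` yields an `open_pr` action whose updated config differs from the original only in `ingress_ports`, mirroring the "rewrite only the relevant blocks" behaviour described above.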

For more information about connecting your VCS, managing drift settings, and configuring automatic remediation, see Automatic Drift Remediation.
Automated drift detection runs continuously across your cloud environments, identifying configuration drift early and helping prevent unmanaged cloud configuration changes before they create larger operational risks.
Together, drift detection and drift remediation form the foundation of effective cloud governance. Strong configuration drift management ensures teams maintain visibility into cloud configuration changes, resource management decisions, and infrastructure lifecycle consistency across environments.
Choosing the Right Drift Remediation Strategy
Not all drift should be treated the same way. Some drift is clearly unwanted and should be remediated by redeploying the declared state. Other drift is intentional and legitimate, and the right outcome is to update the repository so Infrastructure as Code reflects what is actually running. Effective configuration drift management requires consistent decision making based on risk, environment type, cloud governance standards, and compliance requirements.
A simple rule that works well in practice:
In production, default to syncing cloud to match code unless there is a documented exception. In non-production environments, default to updating code when the drift is a legitimate operational change.
Real World Example
Imagine a security tool automatically updates a firewall rule in production to block a newly discovered vulnerability. Automated drift detection identifies the configuration drift within the affected cloud resources. Instead of overwriting the fix by redeploying the previous configuration, env0 can generate a pull request that updates the Infrastructure as Code to reflect the new rule. The team reviews the change, confirms it is valid, and merges it. The repository and the cloud environment are aligned again without losing the security update.
Wrapping Up
Being able to update your code based on changes made directly in the cloud gives you a new level of control and flexibility. Whether you're responding to critical security updates, operational fixes, or changes introduced automatically by optimization and security tools, env0 ensures your cloud environment and your Infrastructure as Code remain fully aligned.
This capability helps teams move faster, reduce risk, and simplify the way they manage infrastructure changes.
Ready to see how env0 can help you manage drift end-to-end and keep your code and cloud in sync? Schedule a demo today.
FAQs
What is the difference between configuration drift and cloud drift?
Configuration drift refers to the mismatch between what is defined in your Infrastructure-as-Code and what is actually running in the cloud. It represents the gap between the intended state and the real state of your infrastructure.
Cloud drift is one of the most common causes of configuration drift. It happens when changes are made directly to cloud resources outside the IaC workflow, such as through the console, CLI, or automated tools.
In practice, teams deal with both simultaneously. Effective drift management requires the ability to detect and reconcile changes in either direction, ensuring that code and infrastructure remain aligned at all times.
How does env0 handle drift remediation differently from traditional approaches?
Traditional drift remediation typically focuses on enforcing the declared state by redeploying Infrastructure-as-Code to overwrite any changes in the cloud. While this works for unwanted drift, it can create problems when changes are intentional or necessary.
env0 introduces a bi-directional remediation model. Teams can either sync the cloud to match the code or update the code to reflect the current state of the cloud. This flexibility allows teams to handle real-world scenarios where not all changes originate from code.
By generating pull requests for cloud-side changes, env0 ensures that the repository remains the source of truth while preserving legitimate updates made outside the IaC workflow.
When should teams choose to update code instead of redeploying infrastructure?
The decision depends on the context and intent behind the change. If the drift is caused by unauthorized or risky modifications, the safest approach is to redeploy the code and restore the intended state.
However, if the change is intentional, such as a security hotfix, operational adjustment, or automated optimization, updating the code is often the better option. This ensures that the Infrastructure-as-Code reflects the current reality of the environment.
A common strategy is to enforce strict alignment in production by default, while allowing more flexibility in non-production environments. This approach balances control with adaptability.
How do automated drift detection and remediation work together?
Drift detection identifies differences between the IaC and the live cloud environment, providing visibility into what has changed. Remediation is the action taken after detection to resolve those differences.
env0 integrates both processes into a continuous workflow. Drift is detected automatically, analyzed with context, and then handled based on predefined policies. This can include automatic redeployment, pull request generation, or manual review.
By linking detection and remediation, env0 ensures that drift is not just identified but actively managed, reducing the risk of inconsistencies and improving overall infrastructure reliability.
What are the benefits of using pull requests for drift remediation?
Using pull requests for drift remediation brings infrastructure changes back into the standard development workflow. Instead of making direct updates in the cloud or manually editing code, teams can review and approve changes through version control.
This approach improves transparency by clearly showing what has changed and why. It also maintains auditability, as every update is tracked, reviewed, and documented within the repository.
By integrating remediation into Git workflows, env0 ensures that infrastructure changes remain consistent, controlled, and aligned with team practices, while reducing manual effort and the risk of errors.
