Wednesday, 25 March 2026

Why I built DriftE: A Privacy-First Approach to exposing Infrastructure Reality


This is now v1.5.0 - with a lot of feedback from users already implemented. We welcome yours too!


As a Cloud Architect/DevOps/SRE for over a decade, I’ve seen the same pattern repeat: a team achieves 100% Terraform coverage, only for "shadow infrastructure" to creep in via manual console hotfixes, emergency troubleshooting, or scripts that never made it into the IaC repository.

The problem? A standard terraform plan is inherently limited to what is already in your state files. It won't tell you about the rogue RDS instance, the extra OpenSearch nodes that got added to the Staging env to "speed it up a bit", or the permissive IAM role created in the console last Friday night.

I built DriftE to solve ALL this, but with a specific architectural constraint: I don't want your cloud credentials.

The "Anti-SaaS" Security Model

Most modern drift detection platforms operate on a "SaaS-first" model that requires you to hand over cross-account roles or IAM users with broad read-only permissions to their backend. For security-conscious enterprise teams, this is often a non-starter.

DriftE uses a local-first hybrid architecture:

  1. Standalone Local Runner: A single, compiled binary that you run within your own infra or local workstation.
  2. Credential Isolation: The runner uses the local AWS profile (just like the AWS CLI). It performs all cloud discovery locally. Your credentials NEVER leave your environment and are never transmitted to our servers.
  3. Metadata-Only Sync: The runner identifies discrepancies, encrypts the deltas and sends only that metadata to our SaaS/backend via HTTPS.
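To make the metadata-only idea concrete, here is an added example (not DriftE's own code; the resource and attribute names and the NEVER_SYNC list are constructed assumptions) of an attribute-level comparison whose output is a delta of identifiers and differing attribute values only, with state-held secrets and volatile fields excluded before anything could be serialised and sent:

```python
from dataclasses import dataclass, field

# Attributes that are volatile or secret-bearing (Terraform state does hold DB passwords).
# They are dropped before comparison, so they can never be serialised into the delta.
NEVER_SYNC = {"master_password", "status", "last_modified"}


@dataclass
class Delta:
    kind: str                                  # "unmanaged", "missing" or "changed"
    rtype: str
    rid: str
    diff: dict = field(default_factory=dict)   # attribute -> (state value, live value)


def compare_attributes(state: dict, live: dict, ignore=NEVER_SYNC) -> list:
    """Diff IaC state against the live inventory, attribute by attribute.

    Both inputs map "type/id" -> {attribute: value}. Only attributes declared in
    state are compared (what a plan tracks); live-only resources are "unmanaged".
    """
    deltas = []
    for key, want in state.items():
        rtype, rid = key.split("/", 1)
        if key not in live:
            deltas.append(Delta("missing", rtype, rid))
            continue
        got = live[key]
        diff = {a: (v, got.get(a)) for a, v in want.items()
                if a not in ignore and got.get(a) != v}
        if diff:
            deltas.append(Delta("changed", rtype, rid, diff))
    for key in live.keys() - state.keys():
        rtype, rid = key.split("/", 1)
        deltas.append(Delta("unmanaged", rtype, rid))
    return sorted(deltas, key=lambda d: (d.rtype, d.rid))


def sample_deltas() -> list:
    """Constructed inventory covering the three cases the post describes."""
    state = {
        "aws_db_instance/app-db": {"instance_class": "db.t3.medium", "publicly_accessible": "false",
                                   "status": "available", "master_password": "hunter2"},
        "aws_opensearch_domain/logs": {"instance_count": "2"},
    }
    live = {  # what a read-only discovery pass would see; the console edits show up here
        "aws_db_instance/app-db": {"instance_class": "db.t3.medium", "publicly_accessible": "true",
                                   "status": "modifying"},
        "aws_opensearch_domain/logs": {"instance_count": "4"},
        "aws_iam_role/friday-hotfix-admin": {"policy": "AdministratorAccess"},
    }
    return compare_attributes(state, live)
```

Calling sample_deltas() yields the drifted RDS flag, the unmanaged IAM role and the OpenSearch node-count change, while the password held in state never appears in the output.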

Why a Standalone Binary?

We intentionally avoided the "heavy agent" or "persistent container" requirement. A standalone binary means:

  • No complex dependencies to manage.
  • Runs on-demand, part of a pipeline/workflow or as a simple cron job.
  • High-performance execution without the overhead of a managed runtime.

Transparency and Access

We are building this for professionals, which means that if the standard/Free tier doesn't meet your needs, the other tiers have transparent pricing, right on the main page. There are no "Contact Sales" buttons to see a price or start a trial (unless you really want to contact sales for a custom Enterprise setup/offer :) - and there's a way to do that too).

  • Free Tier: A fully functional free tier exists for small environments and side projects.
  • Trial: We offer a 14-day Pro trial with no credit card required. We want you to see the value in your own infrastructure before any commitment.

Resources for the Community

I'm looking for feedback on the localized execution model and the attribute-level comparison logic.

I'll be in the comments to discuss the technical specifics of the DuckDB-based comparison engine or the distribution strategy.
