DEPRECATION NOTICE: Drift detection of managed resources
Drift detection of managed resources, including snyk iac describe --only-managed and snyk iac describe --drift, has been deprecated. The end-of-life date for drift detection of managed resources is September 30, 2023.
Note: This feature is available in Snyk CLI version v1.876.0 or greater.
snyk iac describe [<OPTIONS>]
The snyk iac describe command detects infrastructure drift and unmanaged resources. It compares the resources in your Terraform state files against the actual resources in your cloud provider and outputs a report.
- Resources in your Terraform state files are managed resources.
- Changes to managed resources not reflected in the Terraform state file are drifts.
- Resources that exist but are not in your Terraform state file are unmanaged resources.
Possible exit codes and their meaning:
- 0: success, no drift found
- 1: drifts or unmanaged resources found
- 2: failure
Use the -d option to output debug logs.
Note: To use the describe command, you must use one of these options:
- --only-unmanaged: Report resources not found in any Terraform states.
- --only-managed: Scan managed resources found in Terraform states for changes.
- --all: Scan both managed and unmanaged resources.
--org=<ORG_ID>: Run the command under a specific organization. Note that you can also use --org=<orgslugname>. The ORG_ID works in both the CLI and the API. The organization slug name works in the CLI, but not in the API.
--from=<STATE>[,<STATE>...]: Specify one or more Terraform state files to be read. Glob patterns are supported.
--to=<PROVIDER+TYPE>: Specify the cloud provider to scan (default: AWS with Terraform). Supported values:
- github+tf (GitHub with Terraform)
- aws+tf (Amazon Web Services with Terraform)
- gcp+tf (Google Cloud Platform with Terraform)
- azure+tf (Azure with Terraform)
--tf-provider-version: Specify a Terraform provider version to use. If none is specified, a default version for the provider is used.
--tf-lockfile: Read the Terraform lock file (.terraform.lock.hcl) from a custom path (default: current directory). If parsing the lock file fails, errors are logged and the scan continues.
Note: When you are using both the
--fetch-tfstate-headers: Use a specific HTTP header or headers for the HTTP backend when fetching Terraform state.
--tfc-token: Specify an API token to authenticate to the Terraform Cloud or Enterprise API.
--tfc-endpoint: Read the current state for a given workspace from Terraform Enterprise by passing the tfc-endpoint value that is specific to your org's Terraform Enterprise installation.
--config-dir: Change the directory path used for iac describe configuration (default: $HOME). This can be useful, for example, if you want to invoke this command in an AWS Lambda function where you can only use the
--service: Specify the services whose resources are inspected for drift or unmanaged resources. This option cannot be used with a .snyk drift ignore rule; the content in .snyk will be ignored.
--filter: Use filter rules. Filter rules allow you to build a JMESPath expression to include or exclude a set of resources from the report. To filter on resource attributes, deep mode must be enabled. Deep mode is enabled by default for --only-managed. To enable deep mode while using --only-unmanaged, use the --deep option.
--deep: Enable deep mode. Deep mode enables you to use the --filter option to include or exclude resources in the report based on their attributes. Deep mode is enabled by default for --only-managed; use --deep if you want to filter on attributes while using --only-unmanaged.
--strict: Enable strict mode. The iac describe command ignores service-linked resources by default (such as service-linked AWS IAM roles, their policies and policy attachments). To include those resources in the report, enable strict mode. Note that this can create noise when used with an AWS account.
--ignore-policy: Ignore all set policies: the current policy in the .snyk file, org-level ignores, and the project policy in the Snyk Web UI.
--policy-path: Manually pass a path to a .snyk policy file.
--quiet: Output only the scan result to stdout.
--json: Output the report as a JSON data structure to stdout.
--html: Output the report as HTML to stdout.
--html-file-output: Output the report as HTML into a file.
$ snyk iac describe --all --from="tfstate://terraform.tfstate"
$ AWS_ACCESS_KEY_ID=XXX AWS_SECRET_ACCESS_KEY=XXX snyk iac describe --all
$ AWS_PROFILE=profile_name snyk iac describe --all
$ snyk iac describe --from="tfstate+s3://my-bucket/path/to/state.tfstate"
$ snyk iac describe --all --from="tfstate://terraform_S3.tfstate,tfstate://terraform_VPC.tfstate"
$ snyk iac describe --all --from="tfstate://path/to/**/*.tfstate"
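The exit codes and the --json output above, worked into a small CI gate. This is an added example written for this page, not Snyk's code: it runs snyk iac describe --all --json over local state files (credentials come from the environment, as in the examples), keeps a scan failure (exit 2) distinct from a genuine finding (exit 1), and condenses the report. The report field names used in summarise() (summary.total_*, unmanaged[], differences[].res and .changelog[].path, missing[]) are an assumption based on the driftctl-style report and should be checked against a real report; the sample report is constructed.

```python
"""Added example, not part of the Snyk documentation: a CI gate around
`snyk iac describe`. It invokes the CLI with --all --json, maps the documented
exit codes (0 clean, 1 drift or unmanaged resources found, 2 failure) to an
outcome, and condenses the JSON report into something a pipeline can act on.

Assumption: the report field names used in summarise() follow a driftctl-style
JSON report as recalled here; verify them against a real report.
"""
import json
import subprocess
import sys

# Exit codes documented for `snyk iac describe`
EXIT_CLEAN, EXIT_DRIFT, EXIT_FAILURE = 0, 1, 2


def interpret_exit(code):
    """Map the command's exit status to a CI outcome.

    Status 2 is kept separate from status 1: a scan failure means there is no
    evidence either way and should fail the job as an error, while 1 is a
    genuine finding that a drift policy decides how to handle.
    """
    return {EXIT_CLEAN: "clean", EXIT_DRIFT: "drift", EXIT_FAILURE: "scan-failed"}.get(code, "unknown")


def summarise(report):
    """Condense a parsed JSON report into counts and the resources to review.

    Field names are an assumption (driftctl-style report); absent keys are
    treated as empty so a partial report still produces a summary.
    """
    summary = report.get("summary", {})
    unmanaged = ["%s:%s" % (r.get("type"), r.get("id")) for r in report.get("unmanaged", [])]
    drifted = []
    for diff in report.get("differences", []):
        res = diff.get("res", {})
        # One entry per changed attribute path, e.g. "acl" or "tags.Env"
        paths = [".".join(str(p) for p in change.get("path", [])) for change in diff.get("changelog", [])]
        drifted.append(("%s:%s" % (res.get("type"), res.get("id")), paths))
    return {
        "managed": summary.get("total_managed", 0),
        "unmanaged": unmanaged,
        "drifted": drifted,
        "missing": summary.get("total_missing", 0),
    }


def run_describe(state_paths, extra_args=()):
    """Run the CLI against one or more local state files; return (outcome, report).

    `report` is None when the scan failed or produced no JSON. Cloud credentials
    are taken from the environment (AWS_PROFILE, AWS_ACCESS_KEY_ID, ...).
    """
    cmd = ["snyk", "iac", "describe", "--all", "--json",
           "--from=" + ",".join("tfstate://" + p for p in state_paths), *extra_args]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    outcome = interpret_exit(proc.returncode)
    report = None
    if outcome in ("clean", "drift") and proc.stdout.strip():
        report = json.loads(proc.stdout)
    return outcome, report


# Constructed sample report (its shape is the assumption described above), so
# the summariser can be exercised without cloud access.
SAMPLE_REPORT = {
    "summary": {"total_resources": 4, "total_changed": 1, "total_unmanaged": 1,
                "total_missing": 1, "total_managed": 2},
    "unmanaged": [{"id": "sg-0abc1234example", "type": "aws_security_group"}],
    "differences": [{
        "res": {"id": "logs-bucket-example", "type": "aws_s3_bucket"},
        "changelog": [{"type": "update", "path": ["acl"], "from": "private", "to": "public-read"}],
    }],
    "missing": [{"id": "role-example", "type": "aws_iam_role"}],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        outcome, report = run_describe(sys.argv[1:])
    else:
        outcome, report = "drift", SAMPLE_REPORT  # offline demonstration
    print("outcome:", outcome)
    if report is not None:
        s = summarise(report)
        print("managed=%d missing=%d" % (s["managed"], s["missing"]))
        for name in s["unmanaged"]:
            print("unmanaged:", name)
        for name, paths in s["drifted"]:
            print("drifted:", name, "changed:", ", ".join(paths))
    # Fail the job on a scan error; let "drift" be a policy decision made elsewhere
    sys.exit(1 if outcome in ("scan-failed", "unknown") else 0)
```

Run it with one or more state file paths (python gate.py terraform.tfstate) to scan for real, or with no arguments to see the summary of the constructed report. Treating exit 2 as a hard job failure, rather than folding it into "drift found", is the point: a pipeline that only checks for non-zero status cannot tell a misconfigured scan from a real finding.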