The bug that made my Terraform drift detector cry wolf (and the one-line fix)
terraform plan tells you what Terraform changed. It says nothing about the RDS parameter someone tweaked in the console at 2am, or the security group rule added by hand during an incident. To catch that kind of drift, you have to compare your tfstate against what AWS actually returns from the API — yourself. I built exactly that, and the first version was useless. Not because the diff was wrong, but because it screamed about drift on every single resource, every single time. Here's the bug, a...