Terraform drift occurs when the actual state of infrastructure diverges from what is defined in Terraform configuration files. A common scenario illustrates this: an emergency fix made in the AWS console—like opening an SSH port—doesn't get reflected in the Terraform code, resulting in security risks and compliance issues. Companies running multi-cloud environments face this problem frequently, often due to manual changes or overlapping automation tools. The financial implications can be staggering, with single resource drift costing thousands annually, especially when scaled across numerous resources. For instance, a shift from an m5.large to an m5.4xlarge database instance doesn't seem significant at first glance. However, this change can lead to an extra $6,300 in costs over a year. A detailed breakdown of resource drift illustrates how quickly expenses can pile up, with one example showing a monthly cost impact of over $1,375 from just four resource types. To combat this, Terraform provides tools for drift detection, such as the `terraform plan` command with the `-detailed-exitcode` flag. Integrating this into CI/CD pipelines allows teams to receive automated alerts when drift is detected. Continuous monitoring is essential. Relying solely on pre-deployment checks isn't enough since drift can occur anytime. Teams can implement cron-based scanning for ongoing drift detection, scanning critical infrastructure every 15 minutes and adjusting security-related drift immediately. When drift is identified, teams can choose to reconcile the infrastructure with the code or align the code with the current infrastructure, depending on whether the changes are considered legitimate operational improvements. This dual approach ensures that teams can maintain their infrastructure as code principles while addressing real-world changes effectively.