inayathulla/cloudrift

Cloudrift

Pre-apply infrastructure governance for Terraform

Validate infrastructure changes against policies and live AWS state — before you apply

Featured in TLDR Sec


Cloudrift is an open-source infrastructure governance tool that validates your Terraform plans against live AWS state and security policies — catching misconfigurations before terraform apply, not after.

┌─────────────────────────────────────────────────────────────┐
│                  CLOUDRIFT UNIQUE POSITION                  │
│                                                             │
│   Terraform Plan  ──┐                                       │
│                     ├──▶  Policy Engine  ──▶  ALLOW/BLOCK  │
│   Live AWS State  ──┘        (OPA)                          │
│                                                             │
│   Competitors check EITHER plan OR live state               │
│   Cloudrift checks BOTH — catches drift AND policy violations│
└─────────────────────────────────────────────────────────────┘

Why Cloudrift?

Feature Cloudrift Terraform Cloud Checkov driftctl
Pre-apply validation
Live state comparison
Policy engine (OPA) Sentinel ($$$)
SARIF output
Open source
Self-hosted

Key differentiator: Cloudrift compares your Terraform plan against live AWS state — catching drift that would be silently overwritten by terraform apply.

Features

  • Drift Detection — Compare Terraform plans against live AWS infrastructure
  • Policy Engine — 7 built-in OPA security policies + custom policy support
  • Multiple Output Formats — Console, JSON, SARIF for CI/CD integration
  • Multi-Service Support — S3 buckets and EC2 instances
  • CI/CD Ready — GitHub Actions, GitLab CI, Jenkins integration
  • GitHub Security Integration — SARIF output for Security tab

Installation

Via Go

go install github.com/inayathulla/cloudrift@latest

Via Docker

docker pull inayathulla/cloudrift

Build from Source

git clone https://github.com/inayathulla/cloudrift.git
cd cloudrift
go build -o cloudrift .

Quick Start

1. Generate a Terraform plan

cd your-terraform-project
terraform init
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > plan.json

2. Create a configuration file

Create cloudrift.yml:

aws_profile: default
region: us-east-1
plan_path: ./plan.json

3. Run Cloudrift

# Scan S3 buckets
cloudrift scan --service=s3

# Scan EC2 instances
cloudrift scan --service=ec2

# Output as JSON
cloudrift scan --service=s3 --format=json

# Fail CI/CD on policy violations
cloudrift scan --service=s3 --fail-on-violation

Usage

cloudrift scan [flags]

Flags

| Flag | Short | Default | Description |
|---|---|---|---|
| --config | -c | cloudrift.yml | Path to configuration file |
| --service | -s | s3 | AWS service to scan (s3, ec2) |
| --format | -f | console | Output format (console, json, sarif) |
| --output | -o | stdout | Write output to file |
| --policy-dir | -p | - | Directory with custom OPA policies |
| --fail-on-violation | - | false | Exit non-zero on violations |
| --skip-policies | - | false | Skip policy evaluation |
| --no-emoji | - | false | Use ASCII instead of emojis |

Supported Resources

| Resource | Service | Attributes Checked |
|---|---|---|
| S3 Buckets | --service=s3 | ACL, tags, versioning, encryption, logging, public access block, lifecycle rules |
| EC2 Instances | --service=ec2 | Instance type, AMI, subnet, security groups, tags, EBS optimization, monitoring |

For detailed usage instructions, see docs/USAGE.md.

Output Formats

Console (default)

cloudrift scan --service=s3
🚀 Starting Cloudrift scan...
🔐 Connected as: arn:aws:iam::123456789012:root [us-east-1]
✔️  Evaluated 7 policies in 23ms
⚠️  Found 2 policy violations

⚠️  Drift detected!
🪣 my-bucket
  🔐 Encryption mismatch:
    • expected → "AES256"
    • actual   → ""

JSON

cloudrift scan --service=s3 --format=json
{
  "service": "S3",
  "account_id": "123456789012",
  "drift_count": 1,
  "drifts": [
    {
      "resource_name": "my-bucket",
      "diffs": {
        "encryption_algorithm": ["AES256", ""]
      }
    }
  ]
}

SARIF (GitHub Security)

cloudrift scan --service=s3 --format=sarif --output=results.sarif

Upload to GitHub Code Scanning for Security tab integration.
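As an added example (not the project's own sarif.go), the Go snippet below shows what a minimal SARIF 2.1.0 document for Cloudrift findings has to contain so that GitHub Code Scanning accepts it: one rule per policy ID, one result per violation with a file location, and the Cloudrift severities from the policy table folded into the three SARIF levels. The Violation struct, the severity-to-level mapping and the sample findings are this example's own assumptions.

```go
package main

import "encoding/json"

// Violation is one policy finding; IDs and severities follow the built-in policy table, the struct is this example's own.
type Violation struct {
	PolicyID, Severity, Msg, Resource, File string
}

// SampleViolations is constructed sample data, not real scan output.
var SampleViolations = []Violation{
	{"S3-007", "critical", "No public ACLs allowed", "my-bucket", "main.tf"},
	{"S3-001", "high", "S3 buckets must have encryption enabled", "my-bucket", "main.tf"},
	{"TAG-002", "low", "Owner tag recommended", "my-bucket", "main.tf"},
}

// sarifLevel maps Cloudrift severities onto the SARIF result levels GitHub understands (assumed mapping).
func sarifLevel(sev string) string {
	switch sev {
	case "critical", "high":
		return "error"
	case "medium":
		return "warning"
	}
	return "note"
}

// ToSARIF builds a SARIF 2.1.0 log: one rule per distinct policy ID, one result per violation with a location.
func ToSARIF(vs []Violation) ([]byte, error) {
	rules, results := []map[string]any{}, []map[string]any{}
	seen := map[string]bool{}
	for _, v := range vs {
		if !seen[v.PolicyID] {
			seen[v.PolicyID] = true
			rules = append(rules, map[string]any{"id": v.PolicyID,
				"shortDescription": map[string]any{"text": v.Msg}})
		}
		results = append(results, map[string]any{
			"ruleId": v.PolicyID, "level": sarifLevel(v.Severity),
			"message": map[string]any{"text": v.Resource + ": " + v.Msg},
			"locations": []map[string]any{{"physicalLocation": map[string]any{
				"artifactLocation": map[string]any{"uri": v.File}}}},
		})
	}
	log := map[string]any{
		"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
		"version": "2.1.0",
		"runs": []map[string]any{{"tool": map[string]any{"driver": map[string]any{
			"name": "cloudrift", "rules": rules}}, "results": results}},
	}
	return json.MarshalIndent(log, "", "  ")
}
```

Results without a physicalLocation are not shown in the Security tab, which is why every result carries the Terraform file path even though the finding itself comes from live state.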

Policy Engine

Cloudrift includes 7 built-in OPA security policies:

| Policy | Severity | Description |
|---|---|---|
| S3-001 | high | S3 buckets must have encryption enabled |
| S3-003 to S3-006 | high | S3 public access block settings |
| S3-007, S3-008 | critical | No public ACLs allowed |
| TAG-001 | medium | Environment tag required |
| TAG-002 to TAG-004 | low | Owner, Project, Name tags recommended |

Custom Policies

Create custom OPA policies:

# my-policies/custom.rego
package cloudrift.custom

deny[result] {
    input.resource.type == "aws_s3_bucket"
    not input.resource.planned.tags.CostCenter

    result := {
        "policy_id": "CUSTOM-001",
        "msg": "S3 bucket must have CostCenter tag",
        "severity": "medium"
    }
}

cloudrift scan --service=s3 --policy-dir=./my-policies
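To make the `input` document that the custom policy reads concrete, here is an added Go example (not code from the Cloudrift repository) that turns the `resource_changes` array of a `terraform show -json` plan into one policy input per resource and evaluates the CUSTOM-001 rule above in Go. The plan fragment is constructed sample data, and the `input.resource.type` / `input.resource.planned` nesting is inferred from the Rego, not taken from the project's parser.

```go
package main

import "encoding/json"

// Constructed fragment of `terraform show -json tfplan.binary` output (sample data, not from the project); only the fields used here.
const samplePlan = `{"resource_changes":[
 {"address":"aws_s3_bucket.logs","type":"aws_s3_bucket",
  "change":{"actions":["create"],"after":{"bucket":"logs","tags":{"Environment":"prod"}}}},
 {"address":"aws_s3_bucket.data","type":"aws_s3_bucket",
  "change":{"actions":["update"],"after":{"bucket":"data","tags":{"Environment":"prod","CostCenter":"fin"}}}}]}`

// PolicyInput is the document the custom policy reads (input.resource.type, input.resource.planned); nesting inferred from the Rego.
type PolicyInput struct {
	Resource struct {
		Type    string         `json:"type"`
		Planned map[string]any `json:"planned"`
	} `json:"resource"`
}

// PlanToInputs builds one policy input per resource change, using change.after as the planned attribute set.
func PlanToInputs(raw []byte) ([]PolicyInput, error) {
	var plan struct {
		ResourceChanges []struct {
			Type   string `json:"type"`
			Change struct {
				After map[string]any `json:"after"`
			} `json:"change"`
		} `json:"resource_changes"`
	}
	if err := json.Unmarshal(raw, &plan); err != nil {
		return nil, err
	}
	var out []PolicyInput
	for _, rc := range plan.ResourceChanges {
		var in PolicyInput
		in.Resource.Type, in.Resource.Planned = rc.Type, rc.Change.After
		out = append(out, in)
	}
	return out, nil
}

// ViolatesCustom001 re-expresses the CUSTOM-001 Rego rule in Go: an aws_s3_bucket whose planned tags lack CostCenter.
func ViolatesCustom001(in PolicyInput) bool {
	if in.Resource.Type != "aws_s3_bucket" {
		return false
	}
	tags, _ := in.Resource.Planned["tags"].(map[string]any) // nil map when tags are absent, so the lookup below fails closed
	_, ok := tags["CostCenter"]
	return !ok
}
```

Note that a bucket with no `tags` block at all is flagged too, matching the Rego `not` on an undefined path.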

CI/CD Integration

GitHub Actions

name: Drift Detection
on: [pull_request]

jobs:
  drift-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      - name: Terraform Plan
        run: |
          terraform init
          terraform plan -out=tfplan.binary
          terraform show -json tfplan.binary > plan.json

      - name: Install Cloudrift
        run: go install github.com/inayathulla/cloudrift@latest

      - name: Run Drift Scan
        run: cloudrift scan --service=s3 --format=sarif --output=results.sarif --fail-on-violation
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: results.sarif

GitLab CI

drift-scan:
  image: golang:1.21
  # Assumes the terraform binary, AWS credentials and a cloudrift.yml are
  # available to the job; the plain golang image does not ship terraform.
  script:
    - go install github.com/inayathulla/cloudrift@latest
    - terraform init && terraform plan -out=tfplan.binary
    - terraform show -json tfplan.binary > plan.json
    - cloudrift scan --service=s3 --format=json --fail-on-violation

Desktop Dashboard

Cloudrift UI is a native desktop application (Flutter) that provides a visual security dashboard for Cloudrift. It invokes the CLI, parses JSON output, and displays results with real-time charts, drift diff viewers, and compliance scoring.

# Clone and run
git clone https://github.com/inayathulla/cloudrift-ui.git
cd cloudrift-ui
flutter pub get && flutter run -d macos

Features include: KPI dashboard, three-column drift diff viewer, policy browser with remediation, animated compliance ring, scan history with trend charts, and a dark cybersecurity theme.

See the Cloudrift UI README for full documentation.

Configuration

| Field | Description | Required |
|---|---|---|
| aws_profile | AWS credentials profile name | Yes |
| region | AWS region to scan | Yes |
| plan_path | Path to Terraform plan JSON | Yes |

Example Configurations

S3 Scanning:

# config/cloudrift.yml
aws_profile: default
region: us-east-1
plan_path: ./examples/plan.json

EC2 Scanning:

# config/cloudrift-ec2.yml
aws_profile: default
region: us-east-1
plan_path: ./examples/ec2-plan.json

Project Structure

cloudrift/
├── cmd/                          # CLI commands
│   ├── root.go
│   └── scan.go
├── internal/
│   ├── aws/                      # AWS API integrations
│   │   ├── config.go             # AWS SDK configuration
│   │   ├── s3.go                 # S3 API client
│   │   └── ec2.go                # EC2 API client
│   ├── detector/                 # Drift detection logic
│   │   ├── interface.go          # Detector interface
│   │   ├── s3.go                 # S3 drift detector
│   │   ├── ec2.go                # EC2 drift detector
│   │   ├── s3_printer.go         # S3 console output
│   │   └── ec2_printer.go        # EC2 console output
│   ├── output/                   # Output formatters
│   │   ├── json.go               # JSON formatter
│   │   ├── sarif.go              # SARIF formatter
│   │   └── console.go            # Console formatter
│   ├── policy/                   # OPA policy engine
│   │   ├── engine.go             # Policy evaluation
│   │   ├── loader.go             # Policy loading
│   │   └── policies/             # Built-in policies
│   │       ├── security/
│   │       ├── tagging/
│   │       └── cost/
│   ├── models/                   # Data structures
│   └── parser/                   # Terraform plan parser
├── config/                       # Example configurations
├── examples/                     # Example Terraform plans
├── docs/                         # Documentation
│   └── USAGE.md                  # Detailed usage guide
└── tests/                        # Unit tests

Roadmap

Completed ✅

  • S3 drift detection
  • EC2 drift detection
  • JSON output format
  • SARIF output format
  • OPA policy engine
  • Built-in security policies
  • Custom policy support
  • --fail-on-violation flag
  • Desktop dashboard (Cloudrift UI)

In Progress 🚧

  • IAM drift detection
  • Security Groups detection
  • RDS drift detection

Planned 📋

  • Compliance packs (CIS, SOC2, HIPAA)
  • Multi-account scanning
  • Slack/PagerDuty alerts

Contributing

Contributions are welcome!

# Clone
git clone https://github.com/inayathulla/cloudrift.git
cd cloudrift

# Build
go build -o cloudrift .

# Test
go test ./...

# Run
./cloudrift scan --service=s3 --config=config/cloudrift.yml

Related Projects

| Project | Description |
|---|---|
| Cloudrift UI | Native desktop security dashboard (Flutter) that visualizes Cloudrift scan results with drift diff viewers, policy browsers, compliance scoring, and trend charts. |

License

Apache License 2.0


Built for DevOps teams who believe in shift-left infrastructure governance