Skip to content
Rime Docs

Drift Detection

Drift occurs when the actual state of your infrastructure diverges from the desired state configured in Rime. This typically happens when someone makes a change directly in Snowflake or AWS, bypassing Rime’s change management workflow. Rime detects drift automatically and gives you options to resolve it.

What drift looks like

Rime tracks two states for every managed resource:

  • Desired state — what you configured through the Rime UI (or through a config repo)
  • Actual state — what currently exists in your Snowflake account and AWS environment, tracked via Terraform state

When these two states match, the resource is in sync. When they diverge, Rime reports drift. Drift can take several forms:

Drift typeExample
Configuration changedSomeone altered a warehouse size from Medium to Large directly in Snowflake
Resource deletedSomeone dropped a schema directly in Snowflake that Rime still expects to exist
Resource addedSomeone created a new role directly in Snowflake that Rime does not manage
Permissions changedSomeone ran a GRANT or REVOKE statement outside Rime

Rime detects the first three types. Resources created outside Rime (the “resource added” case) are not tracked unless you import them into Rime’s management.

Scheduled reconciliation

Rime runs a reconciliation check on a regular schedule to compare actual state against desired state. During reconciliation:

  1. Rime refreshes the Terraform state by querying your Snowflake account and AWS environment for the current configuration of every managed resource
  2. It compares each resource’s actual state against the desired state stored in Rime
  3. Any discrepancies are flagged as drift

Reconciliation schedule

By default, reconciliation runs every 6 hours. You can adjust the schedule in Project Settings > Drift Detection:

SettingDescriptionDefault
Reconciliation intervalHow often Rime checks for drift6 hours
Enable scheduled checksWhether automatic reconciliation is activeEnabled

You can also trigger a reconciliation manually at any time from Infrastructure > Drift by selecting Check Now.

What reconciliation does not do

Reconciliation is read-only. It detects drift but does not fix it. You decide how to resolve each discrepancy. Rime never modifies your infrastructure during a drift check.

Drift alerts

When reconciliation detects drift, Rime creates a drift alert. Drift alerts appear in two places:

  • Infrastructure > Drift — a dedicated page listing all current drift events
  • Monitoring > Alerts — drift alerts are included in the unified alert dashboard alongside pipeline failures, volume anomalies, and other alert types

Configuring drift notifications

Navigate to Monitoring > Alert Rules and create or edit a rule with the Infrastructure Drift alert type. Configure:

  • Severity — how urgent drift should be rated (info, warning, critical). Most teams use warning for non-production projects and critical for production
  • Notification channels — where to send drift alerts (email, Slack, PagerDuty, webhooks). Available channels depend on your licensing tier
  • Escalation policy — optionally escalate if drift is not resolved within a time window

Drift alerts include the resource type, resource name, what changed, and the current vs expected values.

Viewing drift details

The Infrastructure > Drift page lists all resources currently in drift. Each entry shows:

  • Resource type and name — which resource has drifted
  • Drift type — configuration changed or resource deleted
  • Detected at — when the drift was first detected
  • Details — a side-by-side comparison of the desired value and the actual value for each drifted attribute

For configuration changes, the details view shows each attribute that differs. For example, if a warehouse was resized outside Rime:

AttributeDesiredActual
SizeSMALLLARGE
Auto-suspend300600

This makes it clear exactly what changed and helps you decide how to resolve it.

Resolving drift

When drift is detected, you have two options:

Reapply desired state

Select Reapply on a drifted resource to generate a plan that restores the resource to the configuration you defined in Rime. This goes through the normal plan/apply workflow — you review the change preview before anything is applied.

Use this when the change was unintentional or unauthorised. For example, if someone accidentally changed a warehouse size in the Snowflake console, reapplying restores it to the size you configured in Rime.

Accept actual state

Select Accept to update Rime’s desired state to match what currently exists. This tells Rime that the external change was intentional and should become the new baseline.

Use this when the change was made deliberately and should persist. For example, if a DBA increased a warehouse size during an incident to handle a spike in query volume, and you want to keep the larger size going forward.

After accepting, Rime updates the desired state and clears the drift alert. The resource is back in sync.

Bulk resolution

If reconciliation finds drift across multiple resources (common after a manual Snowflake session), you can select multiple resources and choose Reapply All or Accept All. Bulk reapply generates a single plan covering all selected resources.

Common drift scenarios

Manual Snowflake changes

The most frequent source of drift. A team member logs into the Snowflake console and modifies a warehouse, creates a schema, or adjusts grants. This is especially common during incidents when someone needs to make a quick fix.

Prevention: establish a team policy that all infrastructure changes go through Rime. For production environments, consider restricting direct Snowflake access to read-only roles for most users.

External Terraform runs

If your organisation also runs Terraform outside Rime against the same Snowflake account, those runs will modify resources that Rime manages. Rime’s next reconciliation will detect the changes as drift.

Prevention: avoid managing the same resources with both Rime and external Terraform. If you need to manage some resources outside Rime, exclude them from Rime’s management. Rime only tracks resources that you created or imported through its UI.

Snowflake automatic changes

Snowflake occasionally modifies resource metadata during upgrades or maintenance. These changes are usually cosmetic (default values being normalised, for example) and do not affect functionality.

Resolution: review the drift details. If the change is cosmetic, accept the actual state. If Snowflake changed something meaningful, evaluate whether the new value is acceptable.

Credential rotation

If AWS IAM credentials are rotated outside Rime, the IAM role or policy may be recreated with a different ARN. This breaks the Snowflake storage integration that references the old ARN.

Prevention: rotate credentials through Rime so that all dependent resources are updated in the same apply operation. If credentials were rotated externally, reapply the affected resources to update the references.

Environment promotion mistakes

Applying a staging configuration to production (or vice versa) causes drift in the unintended environment. This typically happens when someone applies changes in the wrong Rime project.

Prevention: use separate Rime projects for each environment with distinct names and visual indicators. Review the project name in the plan preview before applying.

Drift detection and governance

Drift events are recorded in Rime’s audit log. Each drift detection and resolution is logged with the timestamp, the resource affected, the type of drift, and who resolved it (and how). This supports compliance requirements that mandate tracking all infrastructure changes, including those made outside the standard workflow.

For organisations subject to regulatory requirements, configure drift alerts with short escalation windows to ensure that unplanned changes are reviewed promptly.