DEV Community

Twisted-Code'r

I built an open-source Terraform drift scanner in 2 days, before starting college

I'm 18, based in Kerala, India, and I start college in about 9 months. I wanted to build something real before that happens — not a todo app, not a tutorial project. Something that solves an actual problem developers face.

So I spent a few weeks researching what DevOps and platform engineers actually complain about. One problem kept coming up: infrastructure drift.

You define your infrastructure in Terraform. Someone goes into the AWS console and changes something manually. Now your Terraform state says one thing and AWS says another. Most teams find out during an incident, not before.

Existing tools tell you drift exists. None of them tell you why it matters, who caused it, or what to do about it. That felt like an obvious gap.

So I built SynchroIaC.

What it does

You add one GitHub Action to your repo. It runs on a schedule (daily, say) or on every push. It reads your Terraform state, calls AWS APIs with read-only IAM credentials, diffs the two, and sends the results to a dashboard.

For each drift it detects, you can:

  • Get an AI explanation of what changed and why it matters
  • Generate a fix PR automatically
  • Mark it resolved or keep it open

Risk is classified automatically: low, medium, high, critical. A security group opened to the world is critical. A tag change is low.

Your AWS credentials never leave your GitHub Actions environment. SynchroIaC only receives the diff output.
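The core of the scan step, as an added example that is not SynchroIaC's own code: it parses a constructed Terraform v4 state fragment, compares each resource's attributes with a constructed stand-in for the read-only AWS describe calls, and classifies every difference with illustrative rules (a security group ingress rule open to 0.0.0.0/0 or ::/0 is critical, a tag change is low, an attribute or resource that has vanished from the account is high, anything else medium). The type and function names, the state fragment, the live view and the risk rules are all assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// tfState is the slice of a Terraform v4 state file the diff needs; encoding/json matches the file's lowercase keys case-insensitively.
type tfState struct {
	Resources []struct {
		Type, Name string
		Instances  []struct{ Attributes map[string]any }
	}
}

// Drift is one attribute that differs between state and the live account; records like this, not AWS credentials, are what leave the runner.
type Drift struct {
	Address, Attribute, Risk string // Risk is low, medium, high or critical
	Expected, Actual         any
}

// worldOpen reports whether a decoded ingress rule list has a rule whose cidr_blocks or ipv6_cidr_blocks include 0.0.0.0/0 or ::/0.
func worldOpen(ingress any) bool {
	rules, _ := ingress.([]any)
	for _, r := range rules {
		rule, _ := r.(map[string]any)
		for _, key := range []string{"cidr_blocks", "ipv6_cidr_blocks"} {
			cidrs, _ := rule[key].([]any)
			for _, c := range cidrs {
				if c == "0.0.0.0/0" || c == "::/0" {
					return true
				}
			}
		}
	}
	return false
}

// classify maps a drifted attribute to a risk level. These rules are an
// assumption made for this example, not SynchroIaC's own heuristics.
func classify(resType, attr string, actual any) string {
	switch {
	case resType == "aws_security_group" && attr == "ingress" && worldOpen(actual):
		return "critical"
	case attr == "tags" || attr == "tags_all":
		return "low"
	case actual == nil: // gone from the account (a deleted resource shows up this way)
		return "high"
	default:
		return "medium"
	}
}

// diffState parses the state file and compares every instance's attributes with live, keyed by "type.name",
// which stands in for the read-only AWS describe calls. live must use the Go types json produces (float64,
// []any, map[string]any) so reflect.DeepEqual can compare both sides. Results are keyed by "<address> <attribute>".
func diffState(stateJSON []byte, live map[string]map[string]any) (map[string]Drift, error) {
	var st tfState
	if err := json.Unmarshal(stateJSON, &st); err != nil {
		return nil, fmt.Errorf("parse state: %w", err)
	}
	out := map[string]Drift{}
	for _, r := range st.Resources {
		addr := r.Type + "." + r.Name
		actual := live[addr] // nil map when the resource no longer exists
		for _, inst := range r.Instances {
			for attr, want := range inst.Attributes {
				if got := actual[attr]; !reflect.DeepEqual(want, got) {
					out[addr+" "+attr] = Drift{addr, attr, classify(r.Type, attr, got), want, got}
				}
			}
		}
	}
	return out, nil
}

// sampleState is a constructed v4 state fragment, not from a real account.
const sampleState = `{"version": 4, "resources": [
  {"type": "aws_security_group", "name": "web", "instances": [{"attributes": {"name": "web-sg",
    "tags": {"env": "prod"}, "ingress": [{"from_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}}]},
  {"type": "aws_iam_role", "name": "ci", "instances": [{"attributes": {"name": "ci-role"}}]}]}`

// sampleLive is a constructed stand-in for the describe calls: 443 was opened to the world and a tag added in the console; the IAM role is gone.
func sampleLive() map[string]map[string]any {
	return map[string]map[string]any{"aws_security_group.web": {
		"name": "web-sg", "tags": map[string]any{"env": "prod", "owner": "ops"},
		"ingress": []any{map[string]any{"from_port": 443.0, "protocol": "tcp", "cidr_blocks": []any{"0.0.0.0/0"}}},
	}}
}

func main() {
	drifts, err := diffState([]byte(sampleState), sampleLive())
	if err != nil {
		panic(err)
	}
	for key, d := range drifts {
		fmt.Println(d.Risk, key)
	}
}
```

Run as written it reports three drifts: the security group's ingress (critical), its tags (low), and the IAM role's name (high, because the whole resource is missing). Only the Drift records reach the caller; the AWS client and its credentials would stay inside the runner, which is the property the paragraph above describes. In a real scanner sampleLive would be replaced by Describe* calls made under the read-only credentials, decoded into the same Go types the state parser produces.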

The stack

  • Go scanner binary (runs in customer's GitHub Actions)
  • Next.js API layer on Vercel (the actual product)
  • Supabase for storage
  • OpenRouter free models for AI explanations
  • GitHub API for fix PR generation
  • Paddle for billing
  • Resend for drift alert emails

How long it took

2 days of actual building. The hardest part was testing — making sure the API layer correctly scoped every query by organization so one customer could never see another's data.

Try it in 3 steps

1. Add the workflow to your repo

name: Drift Check
on:
  schedule:
    - cron: "0 9 * * 1-5"   # 09:00 UTC, Monday to Friday
  workflow_dispatch:        # also allow manual runs from the Actions tab

jobs:
  drift:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Jeffrin-dev/SynchroIaC@v0.1.0
        with:
          api-key: ${{ secrets.SYNCHROIAC_API_KEY }}
          project-id: ${{ secrets.SYNCHROIAC_PROJECT_ID }}
          terraform-path: ./terraform   # path to your Terraform directory
          aws-region: us-east-1
        env:
          # read-only AWS credentials; they are used inside this job only
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

2. Add your secrets

  • SYNCHROIAC_API_KEY — from the dashboard settings
  • SYNCHROIAC_PROJECT_ID — from the dashboard projects page
  • AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY — access keys for a read-only IAM user. Give that user only the describe/list permissions the scan needs (AWS's managed ReadOnlyAccess policy is a broad starting point; scope it down once you know which resource types are scanned), and rotate the keys as you would any long-lived secret.

3. Watch the dashboard

Drift shows up at synchroiac-io.vercel.app with risk levels, AI explanations, and fix PRs.

What I want from you

This is v0.1.0. It works. I ran 11 end-to-end tests against the live API before shipping.

But I'm 18 and I haven't worked at a company that uses Terraform at scale. I want to know:

  • Does this solve a real pain point for your team?
  • What AWS resources should I add next — RDS? ECS? Lambda?
  • What would make you actually pay for this?

Brutal feedback welcome.
Repo: github.com/Jeffrin-dev/SynchroIaC

Dashboard: synchroiac-io.vercel.app

Marketplace: GitHub Actions Marketplace — SynchroIaC Drift Scanner
