Configure backend credentials and run `terraform init` in your CI job before any plan step.
Execute `terraform plan -refresh-only -detailed-exitcode -input=false -out=tfplan`; exit code 0 means no drift, exit code 1 means error, exit code 2 means drift detected.
In your CI script, capture the exit code with `EXIT_CODE=$?` immediately after the plan command; check `[ $EXIT_CODE -eq 2 ]` to branch on drift. If the CI shell runs with `set -e`, a non-zero exit aborts the job before that capture line is reached, so run the plan as `terraform plan ... || EXIT_CODE=$?` or disable errexit around it.
On drift, fail the pipeline or open an alert; optionally run `terraform show -json tfplan` to emit a structured drift report as a pipeline artifact.
For scheduled drift checks, add a cron-triggered CI job that runs the refresh-only plan and posts results to a Slack webhook or incident channel.
Avoid `terraform apply` in the refresh-only flow; this plan variant only refreshes state and never proposes infrastructure changes, and applying the saved plan would write the drifted values into state and hide the very drift the check is meant to surface.
Known gotchas
Exit code 2 is only meaningful after a successful plan; a provider credential failure also returns non-zero and must be distinguished from drift.
`-refresh-only` does not detect drift for resources whose provider does not support refresh (e.g., some null_resource or external data sources).
Do not confuse `-detailed-exitcode` with `-refresh=false`; running with `-refresh=false` will suppress the very refresh needed to detect drift.
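The steps above and the first gotcha (an error exit must not be mistaken for drift) combined into one CI wrapper, as an added example that is not part of the original page. It assumes the terraform binary path, plan file and report path are passed as arguments so CI can point at a stub while testing the script itself; posting to Slack is left to the pipeline.

```shell
#!/usr/bin/env bash
# Added example: CI wrapper around `terraform plan -refresh-only -detailed-exitcode`.
# Assumptions: $1 = terraform binary (default terraform), $2 = plan file,
# $3 = JSON report path written only when drift is detected.
set -u

# Map a -detailed-exitcode status to a label; anything other than 0/2 is an
# error (bad credentials, backend unreachable, provider failure), NOT drift.
classify_plan_exit() {
  case "$1" in
    0) echo clean ;;
    2) echo drift ;;
    *) echo error ;;
  esac
}

# Run the refresh-only plan and branch on its exit code.
# Returns 0 (clean), 2 (drift, report written) or 1 (plan failed).
run_drift_check() {
  local tf="${1:-terraform}" plan="${2:-tfplan}" report="${3:-drift.json}"
  local status=0
  # `|| status=$?` captures the code even when the CI shell has `set -e`,
  # which would otherwise abort the job before we can branch on it.
  "$tf" plan -refresh-only -detailed-exitcode -input=false -out="$plan" \
    || status=$?
  case "$(classify_plan_exit "$status")" in
    clean)
      echo "drift-check: state matches infrastructure" ;;
    drift)
      # Structured drift report for the pipeline artifact / alert payload.
      "$tf" show -json "$plan" > "$report" || return 1
      echo "drift-check: DRIFT detected, report written to $report" >&2 ;;
    error)
      echo "drift-check: plan failed with exit $status; not drift" >&2
      return 1 ;;
  esac
  return "$status"
}
```

Never pass the saved plan to `terraform apply` from this script; the report is the artifact, the plan file is only an input to `terraform show`.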