Plan Noise & Custom Rules
Terraform plans often contain recurring changes that aren't real problems — attribute ordering, computed defaults, provider quirks. DriftWise detects these patterns automatically and lets you suppress or fix them. For endpoint shapes, see the policy tag of the API reference (plan-noise, custom-rules, disabled-rules all live there).
Built-in rules
DriftWise ships with a library of known noise patterns. Examples:
| Rule | Provider | What it catches |
|---|---|---|
| aws-tags-all | AWS | tags_all attribute always showing as changed |
| aws-iam-policy-json | AWS | IAM policy JSON re-ordered on every plan |
| aws-sg-self-ref | AWS | Security group inline ingress/egress conflicts |
Built-in rules are enabled by default. You can disable any built-in rule per-org without modifying the shipping catalog — the disable creates an exception row scoped to your org. Re-enabling deletes that row; re-disabling later creates a fresh one.
Disabling a built-in rule requires owner or admin role and a user identity for the audit trail (for API keys, the key's owning user is recorded).
The full catalog is available at GET /builtin-rules and can be
filtered by provider (aws, gcp, azure).
Viewing noise patterns
DriftWise tracks recurring plan changes across your analyses. The
GET /orgs/:id/plan-noise endpoint returns patterns that exceed your
recurrence threshold within the detection window, bundled with the
effective settings that drove the aggregation. The frontend dashboard
renders both together.
Detection sensitivity
Two settings control what counts as noise:
| Setting | Description |
|---|---|
| recurrence_threshold | Minimum occurrences before a pattern is flagged (min: 1) |
| window_days | Time window for counting recurrences (min: 1) |
Settings are org-wide and changed via PUT /plan-noise/settings
(owner/admin only). Changes take effect on the next list call — no
re-aggregation job fires.
Suppressing noise
When you identify a pattern as noise, suppress it via POST /plan-noise/suppress. Suppressions are bulk — pass equal-length
fingerprints and resource_addresses arrays; each index pair
produces one suppression.
| Field | Type | Required | Description |
|---|---|---|---|
| fingerprints | string[] | yes | Pattern fingerprints to suppress (max 100) |
| resource_addresses | string[] | yes | Terraform resource addresses (max 100) |
| reason | string | yes | Why this is being suppressed |
| duration | string | yes | 7d, 30d, 90d, or forever |
| is_false_positive | bool | no | Flag as a false positive for tracking |
Suppressions are org-wide — they hide drift from every member,
so creation requires owner/admin role plus a user identity for the
audit trail. The list endpoint accepts ?include_expired=true to
include suppressions past their expiry (useful for audit). Deletion
restores visibility.
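The following is an added example of client-side validation for a bulk suppression body; it is not DriftWise's own client code. It assumes only the field names and limits in the table above (equal-length arrays, max 100, the four duration values); the fingerprint values are constructed placeholders.

```python
"""Build and validate a POST /plan-noise/suppress body before sending it."""
import json

# Constraints taken from the suppression field table.
ALLOWED_DURATIONS = {"7d", "30d", "90d", "forever"}
MAX_ITEMS = 100


def build_suppress_payload(fingerprints, resource_addresses, reason, duration,
                           is_false_positive=None):
    """Return the JSON body for a bulk suppression, or raise ValueError.

    Enforces the documented rules: both arrays required and equal length,
    at most 100 entries, reason and duration required, duration in the set.
    """
    if not fingerprints or not resource_addresses:
        raise ValueError("fingerprints and resource_addresses are required")
    if len(fingerprints) != len(resource_addresses):
        raise ValueError("fingerprints and resource_addresses must be equal length")
    if len(fingerprints) > MAX_ITEMS:
        raise ValueError(f"at most {MAX_ITEMS} suppressions per request")
    if not reason or not reason.strip():
        raise ValueError("reason is required for the audit trail")
    if duration not in ALLOWED_DURATIONS:
        raise ValueError(f"duration must be one of {sorted(ALLOWED_DURATIONS)}")
    body = {
        "fingerprints": list(fingerprints),
        "resource_addresses": list(resource_addresses),
        "reason": reason.strip(),
        "duration": duration,
    }
    if is_false_positive is not None:  # optional field, omitted when unset
        body["is_false_positive"] = bool(is_false_positive)
    return body


def suppression_pairs(body):
    """Each index pair in the body produces one suppression row."""
    return list(zip(body["fingerprints"], body["resource_addresses"]))


if __name__ == "__main__":
    # Constructed sample: two placeholder fingerprints for tags_all churn.
    body = build_suppress_payload(
        fingerprints=["fp-placeholder-0001", "fp-placeholder-0002"],
        resource_addresses=["aws_s3_bucket.logs", "aws_instance.web"],
        reason="tags_all churn from provider default_tags (see aws-tags-all)",
        duration="30d",
        is_false_positive=True,
    )
    print(json.dumps(body, indent=2))
    print(suppression_pairs(body))
```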
Generating fixes
DriftWise can generate AI-powered fix recommendations for noisy
patterns via POST /plan-noise/{fingerprint}/fix. The endpoint returns
tiered fix options (quick patch, structural refactor, long-term rework)
with explicit pros/cons and a trace ID for later retrieval.
Fix generation is gated by the same platform-LLM quota chain as AnalyzePlan: a persisted BYOK key bypasses it; otherwise the weekly and hourly reserve applies, and the reserve is released on a transient LLM failure. Because fix generation shares the platform-LLM quota with the analyze endpoint, hitting the weekly quota on analyze means fix generation returns the same 402 plan_weekly_quota_exhausted response. Configure BYOK to bypass both platform gates.
Custom rules
Create your own rules to detect org-specific noise or risk patterns. Creating a custom rule requires owner or admin role plus a user identity (recorded in the audit trail). Updates, toggles, and deletes require owner/admin only.
rule_type partitions the rule:
- Noise rules suppress recurring patterns specific to your infrastructure (e.g. "EKS auto-upgrades minor versions, causing plan noise"). Noise severity levels: harmless, warning, caution.
- Risk rules flag specific resource patterns as risky (e.g. "any S3 bucket without an explicit public-access block").
Config is validated per-type at save time — invalid configs return
400 with the specific validation failure. rule_type is immutable
after creation; to change a rule's type, delete it and create a new
one.
Rules can be toggled on/off via PATCH enabled: false without
losing their config, or hard-deleted via DELETE.
Endpoint reference
All plan-noise, custom-rules, and disabled-rules endpoints are
documented under the policy tag of the API
reference. The global
built-in rules catalog (GET /builtin-rules) lives under the same
tag despite being outside /orgs/:id/.