> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nuon.co/llms.txt
> Use this file to discover all available pages before exploring further.

# 021 - Drift Detection for Components and Sandboxes

> Detect infrastructure drift automatically on your installations

*Oct 13, 2025*

<div className="badge badge--primary">v0.19.662</div>

## Drift Detection

Drift detection allows you to automatically identify discrepancies between your defined infrastructure and what's
actually running. You can now configure periodic drift detection checks for components and sandboxes through a simple
cron schedule.

## Features

### Drift Detection for Sandboxes

You can now define a cron schedule in your `sandbox.toml` that periodically checks for drift by performing a "terraform
plan":

```toml theme={null}
terraform_version = "1.11.3"
drift_schedule = "0 * * * *"  # Runs every hour at minute 0
```

### Drift Detection for Components

Similarly, drift detection can be configured at the component level for Terraform, Helm, and Kubernetes Manifest
components.

Example for a Helm component:

```toml theme={null}
name = "helm_chart"
type = "helm_chart"
chart_name = "nuon"
namespace = "{{.nuon.install.id}}-test"
storage_driver = "configmap"
drift_schedule = "0 * * * *"  # Runs every hour at minute 0
```

> **Note:** Changes to drift\_schedule require rebuilding the sandbox or component to take effect.

### Drift Visibility

The install components page now clearly highlights components that have drifted from their defined state and provides
direct links to the relevant workflows to review the differences.

<img src="https://mintcdn.com/nuoninc/TTMsp1_UzqUpi7R7/updates/assets/021/drift-install-components-page.png?fit=max&auto=format&n=TTMsp1_UzqUpi7R7&q=85&s=281f478dd1cb34a216842ae75f85c921" alt="Dashboard to view drifted component" width="2428" height="752" data-path="updates/assets/021/drift-install-components-page.png" />

Install workflows page also marks the workflows that are drift scans.

<img src="https://mintcdn.com/nuoninc/TTMsp1_UzqUpi7R7/updates/assets/021/install-workflows.png?fit=max&auto=format&n=TTMsp1_UzqUpi7R7&q=85&s=b7d8ea6c203da9770afe5bb3d0fb5063" alt="Install workflows flagging drift scans" width="2426" height="1592" data-path="updates/assets/021/install-workflows.png" />

## Limitations

**Current Workflow Constraint:** At present, only one workflow can run per install at a time. This means:

* If a drift detection workflow is running when you attempt to manually deploy a component or reprovision a sandbox,
  your workflow will be queued until the drift workflow completes.
* We're actively working to remove this limitation in an upcoming release.

### Deny plans and continue workflow

We can now deny plan and continue with the workflow with rest of the component. Deny button comes with additional option
to deny and skip steps.

<img src="https://mintcdn.com/nuoninc/W1BzCWTTB874cWIb/updates/assets/021-approval-deny-continue-01.png?fit=max&auto=format&n=W1BzCWTTB874cWIb&q=85&s=01dab17b6ad850ebd31f33bed5660608" alt="Denied and continued plan" width="1844" height="703" data-path="updates/assets/021-approval-deny-continue-01.png" />

### Actions TUI

Actions and Action Runs for installs can now be viewed via the cli.

```bash theme={null}
NUON_PREVIEW=true nuon installs actions
```

<img src="https://mintcdn.com/nuoninc/TTMsp1_UzqUpi7R7/updates/assets/021/install-workflows.png?fit=max&auto=format&n=TTMsp1_UzqUpi7R7&q=85&s=b7d8ea6c203da9770afe5bb3d0fb5063" alt="Actions TUI" width="2426" height="1592" data-path="updates/assets/021/install-workflows.png" />

### Nuon Runner Cloudformation Stack

The stack has been updated to remove a policy in order to reduce permissions available to the Runner ASG instances. It
is recommended to update the stack to version `v0.1.8`.

## Bug Fixes and Improvements

* Improvements to generate steps to improve resilience in Temporal.
* Fix to disable server side apply on helm client for components.
* Fix where some Nuon plans can not be generated if outputs are not ready yet.
* Fix where some app configs from older cli versions (pre 0.19.620) would not correctly build.
* Fix where some build runners could run out of memory and not recover.
