How I Built Graft Absorb: Turning Terraform Drift into Code

In the last post , I introduced Graft—a tool for patching Terraform modules without forking them. I mentioned it was middleware for something bigger. This is that something. The Problem Terraform modules should be black boxes. We manage them through input variables, and ideally, we never need to know what's inside. But when drift happens—someone changes a resource in the portal, an external process modifies a tag, a compliance tool enforces a setting— terraform plan exposes the internals. Suddenly you're staring at resource-level changes deep inside a module you didn't write. The typical response is painful: read through the plan output, find every difference, trace each change back to its source, and manually update configuration files to match the actual state. Even worse, if the module doesn't expose the right variables, there's simply no way to update the configuration to eliminate the drift. The common workaround is lifecycle { ignore_changes } . But ignoring changes is not the sa