Drift detection
Every time you rundevhelm plan or devhelm deploy, the CLI:
- Loads your YAML configuration
- Fetches the current state of each resource from the API
- Compares the desired state (YAML) against the current state (API)
- Reports differences as create, update, or delete operations
.devhelm/state.json that records which resources this config manages (name → API ID). It scopes --prune to this config’s resources, disambiguates renames (via moved blocks), and lets you adopt existing resources with devhelm import. Inspect it with devhelm state show, or rebuild it from the API with devhelm state pull.
What drift looks like
If someone changes a monitor’s frequency in the dashboard from60 to 30, the next plan shows:
deploy reverts the dashboard change back to what’s defined in YAML.
Special handling
| Resource | Drift comparison |
|---|---|
| Secrets | Compared by SHA-256 hash (values are write-only) |
| Alert channels | Compared by config hash (sensitive fields not read back) |
| Dependencies | Compared by alert sensitivity and component |
| All others | Full field-by-field comparison |
Deploy locking
Only one deploy can run at a time per organization. The lock prevents race conditions when multiple CI jobs or team members deploy concurrently.How locks work
- Before applying changes, the CLI acquires a lock via
POST /api/v1/deploy/lock - The lock includes the deployer identity and a 30-minute TTL
- After the deploy completes (or fails), the lock is released
- If the lock is held by another session, the CLI exits immediately with exit code
11(unless--lock-timeoutis set)
Waiting for a lock
Use--lock-timeout to wait instead of failing immediately:
Skipping the lock
For development or testing, skip locking entirely:Force-unlocking
If a deploy crashes without releasing its lock, force-unlock it:Avoiding conflicts
YAML + dashboard
If your team uses both YAML config and the dashboard:- Resources in YAML are managed by the CLI. Dashboard changes will be overwritten on the next deploy.
- Resources not in YAML are left untouched by default.
--prunedeletes only resources tracked in this config’s.devhelm/state.json;--prune-org-cliwidens that to all CLI-managed resources in the org;--prune-allalso deletes dashboard- and Terraform-managed resources.
YAML + Terraform
Don’t manage the same resource with both tools. Each resource should have a single source of truth:| Resource | Managed by |
|---|---|
| API monitors | devhelm.yml |
| Infrastructure monitors | devhelm_monitor Terraform resource |
Plan as a safety net
Always rundevhelm plan before deploying to catch unexpected changes:
--dry-run --detailed-exitcode to gate merges.
Next steps
Deploy workflow
The validate-plan-deploy lifecycle.
CI/CD patterns
Automate deploys and drift checks in CI.