Skip to main content
A baseline is a captured snapshot of a resource’s complete configuration at a specific point in time. It’s the reference that drift detection compares against. Without a baseline, InfraAudit has nothing to compare the current state to — so drift detection produces no findings until at least one baseline exists per resource.

What a baseline contains

A baseline stores the full JSON configuration of a resource as returned by the cloud provider API. For an EC2 instance, this includes instance type, AMI ID, security group associations, IAM instance profile, tags, network interfaces, and more. The configuration is stored as-is from the API response — no transformation or filtering is applied (except for attributes on the global exclusion list, which are always omitted).

When baselines are created

Baselines are created in four ways:
  1. Initial sync — when you first connect a provider, InfraAudit automatically captures a baseline for every discovered resource.
  2. Manual capture — you can capture a new baseline at any time via the UI, CLI, or API.
  3. Post-resolve — when you resolve a drift finding, InfraAudit can optionally capture a new baseline from the current live state to accept the change.
  4. Scheduled capture — if configured, InfraAudit can capture new baselines on a schedule. This is useful for resources that change intentionally over time — you track drift from “last known good” rather than the original setup.

Multiple baselines per resource

A single resource can have many baselines over its lifetime. The most recent baseline is the default target for drift comparison. You can compare against an older baseline by specifying it explicitly: 
infraudit drift detect --resource <resource-id> --baseline <baseline-id>

Managing baselines

# List all baselines for a resource
infraudit baseline list --resource <resource-id>

# View the full contents of a specific baseline
infraudit baseline get <baseline-id>

# Compare two baselines directly
infraudit baseline diff <baseline-id-1> <baseline-id-2>

# Delete a baseline
infraudit baseline delete <baseline-id>

Promoting a baseline after a planned change

After you intentionally change a resource’s configuration (for example, as part of a deployment), promote the current live state to a new baseline so drift detection doesn’t keep flagging the intended change: 
infraudit baseline create --resource <resource-id>
This:
  1. Captures the current live configuration as a new baseline.
  2. Sets it as the active baseline for future comparisons.
  3. Resolves any existing drift findings for the resource, since the “drift” is now the accepted expected state.

Deleting baselines

Deleting a baseline removes the snapshot from the history. It does not delete the resource, delete drift findings, or affect other baselines. You cannot delete the only baseline for a resource if drift detection is enabled for it. 
infraudit baseline delete <baseline-id>

Storage and retention

Baselines are stored as JSONB in PostgreSQL. A single baseline for a resource with a complex configuration (such as a Cloud SQL instance) can be 10–50 KB. For 1,000 resources with weekly baseline captures over a year, expect approximately 2 GB of baseline data. To manage storage growth, set a retention policy that automatically removes baselines older than a given number of days: 
BASELINE_RETENTION_DAYS=90
The retention policy never deletes the most recent baseline for any resource, so drift detection always has a reference point regardless of how the policy is configured.