💾 Archived View for cfdocs.wetterberg.nu › using-cfn-stack-drift.gemini captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content


Detecting unmanaged configuration changes to stacks and resources


Even when you manage your resources through CloudFormation, users can change those resources *outside* of CloudFormation. Users can edit resources directly through the underlying service that created them. For example, you can use the Amazon EC2 console to modify an EC2 instance that was created as part of a CloudFormation stack. Some of these changes are accidental; others are made deliberately in response to time-sensitive operational events. Either way, changes made outside of CloudFormation can complicate later stack update or deletion operations. Drift detection identifies the stack resources whose configuration has been changed outside of CloudFormation management. You can then take corrective action to bring those resources back in sync with their definitions in the stack template, for example by updating the drifted resources directly so that they match their template definition again. Resolving drift helps ensure configuration consistency and successful stack operations.

Detect drift on an entire CloudFormation stack

Detect drift on individual stack resources

Resolve drift with an import operation

What is drift?

Drift detection enables you to detect whether a stack's actual configuration differs, or has *drifted*, from its expected configuration. Use AWS CloudFormation to detect drift on an entire stack, or on individual resources within the stack. A resource is considered to have drifted if any of its actual property values differ from the expected property values. This includes if the property or resource has been deleted. A stack is considered to have drifted if one or more of its resources have drifted.

In order to determine whether a resource has drifted, CloudFormation determines the expected resource property values, as defined in the stack template and any values specified as template parameters. CloudFormation then compares those expected values with the actual values of those resource properties as they currently exist in the stack. A resource is considered to have drifted if one or more of its properties have been deleted, or had their value changed.

AWS CloudFormation generates detailed information on each resource in the stack that has drifted.

CloudFormation detects drift on those AWS resources that support drift detection. Resources that do not support drift detection are assigned a drift status of NOT_CHECKED. For a list of AWS resources that support drift detection, see Resources that support import and drift detection operations.

Resources that support import and drift detection operations

In addition, CloudFormation supports drift detection on private resource types that are *provisionable*; that is, whose provisioning type is either `FULLY_MUTABLE` or `IMMUTABLE`. To perform drift detection on a resource of a private resource type, the default version of the resource type *that you have registered in your account* must be provisionable. For more information on resource provision type, see the `ProvisioningType` parameter of the DescribeType action in the AWS CloudFormation API Reference and of the DescribeType command in the AWS CLI Command Reference. For more information on private resources, see Using the AWS CloudFormation registry.

DescribeType (AWS CloudFormation API Reference)

DescribeType (AWS CLI Command Reference)

Using the AWS CloudFormation registry

You can perform drift detection on stacks with the following statuses: `CREATE_COMPLETE`, `UPDATE_COMPLETE`, `UPDATE_ROLLBACK_COMPLETE`, and `UPDATE_ROLLBACK_FAILED`.

When detecting drift on a stack, CloudFormation does not detect drift on any nested stacks that belong to that stack. Instead, you can initiate a drift detection operation directly on the nested stack.

nested stacks

CloudFormation only determines drift for property values that are explicitly set, either through the stack template or by specifying template parameters. This does not include default values for resource properties. To have CloudFormation track a resource property for purposes of determining drift, explicitly set the property value, even if you are setting it to the default value.
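The rules above (detection is only allowed for a few stack statuses, the operation is asynchronous, and nested stacks must be checked separately) translate into a small amount of client code. The following Python is an added example, not code from the AWS documentation or from the CloudFormation service: it drives drift detection through the boto3 CloudFormation client methods `describe_stacks`, `detect_stack_drift`, `describe_stack_drift_detection_status`, `describe_stack_resource_drifts` and `list_stack_resources`, and repeats the whole procedure for each nested stack. `FakeCloudFormation`, the stack name `app-root`, the nested-stack ARN and the drift records it returns are all constructed so the module runs offline; for real use, pass `boto3.client("cloudformation")` as `cfn` instead.

```python
"""Added example (not AWS code): run drift detection on a stack and its nested stacks."""
import time

# Stack statuses in which CloudFormation permits drift detection.
DETECTABLE_STACK_STATUSES = {
    "CREATE_COMPLETE", "UPDATE_COMPLETE", "UPDATE_ROLLBACK_COMPLETE", "UPDATE_ROLLBACK_FAILED",
}


def run_drift_detection(cfn, stack_name, poll_seconds=5, max_polls=120, sleep=time.sleep):
    """Start a detection operation and poll until it leaves DETECTION_IN_PROGRESS."""
    status = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]["StackStatus"]
    if status not in DETECTABLE_STACK_STATUSES:
        raise RuntimeError(f"{stack_name} is {status}; drift detection is not permitted")
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    for _ in range(max_polls):
        record = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if record["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            return record  # DETECTION_COMPLETE or DETECTION_FAILED
        sleep(poll_seconds)
    raise TimeoutError(f"drift detection {detection_id} did not finish")


def drifted_resources(cfn, stack_name):
    """MODIFIED and DELETED resources. After DETECTION_FAILED this still returns the
    resources whose check completed, so a failed run is never silently empty."""
    page = cfn.describe_stack_resource_drifts(
        StackName=stack_name, StackResourceDriftStatusFilters=["MODIFIED", "DELETED"])
    return page["StackResourceDrifts"]


def nested_stack_ids(cfn, stack_name):
    """Stack ARNs of the AWS::CloudFormation::Stack resources in a stack (all pages)."""
    ids, token = [], None
    while True:
        kwargs = {"StackName": stack_name, **({"NextToken": token} if token else {})}
        page = cfn.list_stack_resources(**kwargs)
        ids += [s["PhysicalResourceId"] for s in page["StackResourceSummaries"]
                if s["ResourceType"] == "AWS::CloudFormation::Stack" and s.get("PhysicalResourceId")]
        token = page.get("NextToken")
        if not token:
            return ids


def audit_stack_tree(cfn, root_stack, sleep=time.sleep):
    """Detect drift on the root stack and, separately, on every nested stack beneath it."""
    report, pending = {}, [root_stack]
    while pending:
        name = pending.pop()
        record = run_drift_detection(cfn, name, sleep=sleep)
        report[name] = {"DetectionStatus": record["DetectionStatus"],
                        "StackDriftStatus": record.get("StackDriftStatus"),
                        "Drifted": drifted_resources(cfn, name)}
        pending.extend(nested_stack_ids(cfn, name))
    return report


# ---- Constructed stand-in for boto3.client("cloudformation") so this runs offline ----
NESTED_STACK_ARN = ("arn:aws:cloudformation:us-east-1:123456789012:stack/"
                    "app-root-AuditStack-1ABC/11111111-2222-3333-4444-555555555555")
_DRIFTS = {  # constructed drift records, in the shape the real API returns
    "app-root": [
        {"LogicalResourceId": "AppSg", "ResourceType": "AWS::EC2::SecurityGroup",
         "StackResourceDriftStatus": "MODIFIED",
         "PropertyDifferences": [{"PropertyPath": "/SecurityGroupIngress/1", "DifferenceType": "ADD",
                                  "ExpectedValue": "null",
                                  "ActualValue": '{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"CidrIp":"0.0.0.0/0"}'}]},
        {"LogicalResourceId": "LogBucket", "ResourceType": "AWS::S3::Bucket",
         "StackResourceDriftStatus": "IN_SYNC", "PropertyDifferences": []}],
    NESTED_STACK_ARN: [
        {"LogicalResourceId": "AuditRole", "ResourceType": "AWS::IAM::Role",
         "StackResourceDriftStatus": "DELETED", "PropertyDifferences": []}],
}


class FakeCloudFormation:
    """Constructed client: root stack 'app-root' with one nested stack whose detection
    fails part-way but still reports the resource it managed to check."""
    def __init__(self, stack_status="UPDATE_COMPLETE"):
        self.stack_status, self.polls, self._ids = stack_status, {}, {}

    def describe_stacks(self, StackName):
        return {"Stacks": [{"StackName": StackName, "StackStatus": self.stack_status}]}

    def detect_stack_drift(self, StackName):
        detection_id = f"detect-{len(self._ids)}"
        self._ids[detection_id], self.polls[StackName] = StackName, 0
        return {"StackDriftDetectionId": detection_id}

    def describe_stack_drift_detection_status(self, StackDriftDetectionId):
        name = self._ids[StackDriftDetectionId]
        self.polls[name] += 1
        if self.polls[name] < 3:  # the first two polls land while the check is still running
            return {"DetectionStatus": "DETECTION_IN_PROGRESS", "StackDriftStatus": "NOT_CHECKED"}
        if name == NESTED_STACK_ARN:
            return {"DetectionStatus": "DETECTION_FAILED", "StackDriftStatus": "DRIFTED",
                    "DetectionStatusReason": "constructed: one resource check failed"}
        return {"DetectionStatus": "DETECTION_COMPLETE", "StackDriftStatus": "DRIFTED",
                "DriftedStackResourceCount": 1}

    def describe_stack_resource_drifts(self, StackName, StackResourceDriftStatusFilters):
        rows = [r for r in _DRIFTS[StackName] if r["StackResourceDriftStatus"] in StackResourceDriftStatusFilters]
        return {"StackResourceDrifts": rows}

    def list_stack_resources(self, StackName, NextToken=None):
        nested = [{"LogicalResourceId": "AuditStack", "ResourceType": "AWS::CloudFormation::Stack",
                   "PhysicalResourceId": NESTED_STACK_ARN, "ResourceStatus": "UPDATE_COMPLETE"}]
        return {"StackResourceSummaries": nested if StackName == "app-root" else []}


if __name__ == "__main__":
    import json
    print(json.dumps(audit_stack_tree(FakeCloudFormation(), "app-root", sleep=lambda s: None), indent=2))
```

The filter `["MODIFIED", "DELETED"]` is deliberate: `DELETED` resources are as much drift as modified ones, and a report that only asks for `MODIFIED` misses a deleted IAM role or log bucket entirely. The status check before `detect_stack_drift` avoids a confusing API error on a stack that is mid-update, and the `sleep` parameter exists only so the polling loop can be exercised without waiting.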

Drift detection status codes

The tables in this section describe the status types used with drift detection.

The following table lists the status codes CloudFormation assigns to stack drift detection operations.

| Drift detection operation status | Description |
| --- | --- |
| `DETECTION_COMPLETE` | The stack drift detection operation has successfully completed for all resources in the stack that support drift detection. |
| `DETECTION_FAILED` | The stack drift detection operation has failed for at least one resource in the stack. Results will be available for resources on which CloudFormation successfully completed drift detection. |
| `DETECTION_IN_PROGRESS` | The stack drift detection operation is currently in progress. |

The following table lists the drift status codes CloudFormation assigns to stacks.

| Drift status | Description |
| --- | --- |
| `DRIFTED` | For stacks: The stack differs, or has *drifted*, from its expected template configuration. A stack is considered to have drifted if one or more of its resources have drifted. For stack instances: A stack instance is considered to have drifted if the stack associated with it has drifted. For stack sets: A stack set is considered to have drifted if one or more stack instances have drifted. |
| `NOT_CHECKED` | CloudFormation has not checked whether the stack, stack set, or stack instance differs from its expected template configuration. |
| `IN_SYNC` | The current configuration of each supported resource matches its expected template configuration. A stack, stack set, or stack instance with no resources that support drift detection will also have a status of `IN_SYNC`. |

The following table lists the drift status codes CloudFormation assigns to stack resources.

| Resource drift status | Description |
| --- | --- |
| `DELETED` | The resource differs from its expected template configuration because the resource has been deleted. |
| `MODIFIED` | The resource differs from its expected template configuration. |
| `NOT_CHECKED` | CloudFormation has not checked whether the resource differs from its expected template configuration. |
| `IN_SYNC` | The resource's current configuration matches its expected template configuration. |

The following table lists the difference-type status codes CloudFormation assigns to resource properties that differ from their expected template configuration.

| Property difference type | Description |
| --- | --- |
| `ADD` | A value has been added to a resource property that is an array or list data type. |
| `REMOVE` | The property has been removed from the current resource configuration. |
| `NOT_EQUAL` | The current property value differs from its expected value as defined in the stack template. |
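The definitions earlier on this page (expected values come from the template plus parameters, only explicitly set properties are compared, a deleted resource is drift, unsupported types are `NOT_CHECKED`) and the status tables above fit together into one small model. The following Python is an added example, not code from the AWS documentation and not how the CloudFormation service is implemented: it computes the same status codes over a constructed template and a constructed snapshot of live resource properties. `DRIFT_SUPPORTED_TYPES` is a hypothetical allow-list standing in for the real list of supported resource types, `resolve_refs` handles only `{"Ref": "<Parameter>"}`, and the list-comparison rule is a simplification (intact template entries plus extras are `ADD`; any other list change is `NOT_EQUAL`).

```python
"""Added example (not AWS code): classify drift using the rules described on this page."""
from typing import Any

# Hypothetical allow-list standing in for the resource types that support drift
# detection; an assumption of this example, not the real AWS list.
DRIFT_SUPPORTED_TYPES = {"AWS::S3::Bucket", "AWS::EC2::SecurityGroup", "AWS::IAM::Role"}


def resolve_refs(value: Any, parameters: dict) -> Any:
    """Substitute {"Ref": "<ParameterName>"} with the parameter's value, recursively."""
    if isinstance(value, dict):
        if set(value) == {"Ref"} and value["Ref"] in parameters:
            return parameters[value["Ref"]]
        return {key: resolve_refs(item, parameters) for key, item in value.items()}
    if isinstance(value, list):
        return [resolve_refs(item, parameters) for item in value]
    return value


def property_differences(expected: dict, actual: dict, path: str = "") -> list:
    """Compare only the properties the template set explicitly. Values the service
    filled in by default never appear in `expected`, so they are never tracked."""
    diffs = []
    for name, exp in expected.items():
        prop_path = f"{path}/{name}"
        if name not in actual:
            diffs.append({"PropertyPath": prop_path, "DifferenceType": "REMOVE",
                          "ExpectedValue": exp, "ActualValue": None})
            continue
        act = actual[name]
        if isinstance(exp, dict) and isinstance(act, dict):
            diffs.extend(property_differences(exp, act, prop_path))
        elif isinstance(exp, list) and isinstance(act, list) and all(item in act for item in exp):
            # Template entries intact, extra entries present: each extra is an ADD.
            diffs += [{"PropertyPath": f"{prop_path}/{i}", "DifferenceType": "ADD",
                       "ExpectedValue": None, "ActualValue": item}
                      for i, item in enumerate(act) if item not in exp]
        elif exp != act:
            diffs.append({"PropertyPath": prop_path, "DifferenceType": "NOT_EQUAL",
                          "ExpectedValue": exp, "ActualValue": act})
    return diffs


def resource_drift(logical_id: str, resource_type: str, expected: dict, actual) -> dict:
    """Resource status: NOT_CHECKED, DELETED (no live resource), MODIFIED or IN_SYNC."""
    result = {"LogicalResourceId": logical_id, "ResourceType": resource_type, "PropertyDifferences": []}
    if resource_type not in DRIFT_SUPPORTED_TYPES:
        result["StackResourceDriftStatus"] = "NOT_CHECKED"
    elif actual is None:
        result["StackResourceDriftStatus"] = "DELETED"
    else:
        result["PropertyDifferences"] = property_differences(expected, actual)
        result["StackResourceDriftStatus"] = "MODIFIED" if result["PropertyDifferences"] else "IN_SYNC"
    return result


def stack_drift(template: dict, parameters: dict, live_resources: dict) -> dict:
    """Stack status: DRIFTED if any checked resource is MODIFIED or DELETED, else IN_SYNC.
    `live_resources` maps logical ID to live properties; a missing key means deleted."""
    params = {name: spec.get("Default") for name, spec in template.get("Parameters", {}).items()}
    params.update(parameters)  # explicit parameter values override template defaults
    resources = []
    for logical_id, res in template["Resources"].items():
        expected = resolve_refs(res.get("Properties", {}), params)
        resources.append(resource_drift(logical_id, res["Type"], expected, live_resources.get(logical_id)))
    drifted = any(r["StackResourceDriftStatus"] in ("MODIFIED", "DELETED") for r in resources)
    return {"StackDriftStatus": "DRIFTED" if drifted else "IN_SYNC", "StackResourceDrifts": resources}


# Constructed template, parameters and live snapshot (not from a real account).
SAMPLE_TEMPLATE = {
    "Parameters": {"BucketName": {"Type": "String"},
                   "AllowedCidr": {"Type": "String", "Default": "10.0.0.0/8"}},
    "Resources": {
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketName": {"Ref": "BucketName"}, "VersioningConfiguration": {"Status": "Enabled"}}},
        "AppSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "app tier",
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                      "CidrIp": {"Ref": "AllowedCidr"}}]}},
        "DeployRole": {"Type": "AWS::IAM::Role", "Properties": {"RoleName": "deploy", "MaxSessionDuration": 3600}},
        "ErrorAlarm": {"Type": "AWS::CloudWatch::Alarm", "Properties": {"AlarmName": "errors"}},
    },
}
SAMPLE_PARAMETERS = {"BucketName": "example-logs"}
SAMPLE_LIVE = {
    # Versioning switched off out of band; BucketEncryption was never set in the
    # template, so it is not compared even though it is present on the live bucket.
    "LogBucket": {"BucketName": "example-logs", "VersioningConfiguration": {"Status": "Suspended"},
                  "BucketEncryption": {"ServerSideEncryptionConfiguration": []}},
    # Someone added a world-reachable SSH rule by hand: reported as ADD at index 1.
    "AppSg": {"GroupDescription": "app tier",
              "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
                                       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]},
    # DeployRole is absent: deleted outside CloudFormation.
    "ErrorAlarm": {"AlarmName": "errors"},  # type not in the allow-list: NOT_CHECKED
}

if __name__ == "__main__":
    import json
    print(json.dumps(stack_drift(SAMPLE_TEMPLATE, SAMPLE_PARAMETERS, SAMPLE_LIVE), indent=2))
```

Two points the sample is built to show: the `BucketEncryption` block on the live bucket produces no difference because the template never set it, which is exactly why the page advises setting security-relevant properties explicitly even when the default is what you want; and the extra `0.0.0.0/0` ingress rule surfaces as a single `ADD` on `/SecurityGroupIngress/1`, which is the kind of difference a detection rule should alert on rather than just count.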

Considerations when detecting drift

In order to successfully perform drift detection on a stack, a user must have the following permissions:

For more information on setting permissions in CloudFormation, see Controlling access with AWS Identity and Access Management.

Controlling access with AWS Identity and Access Management

In certain edge cases, CloudFormation may not always return accurate drift results. Be aware of these cases so that you can interpret your drift detection results correctly.

[See the AWS documentation website for more details]
