💾 Archived View for cfdocs.wetterberg.nu › stacksets-drift.gemini captured on 2021-12-04 at 18:04:22. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-12-03)

-=-=-=-=-=-=-

Detecting unmanaged configuration changes in stack sets

Search

Even as you manage your stacks and the resources they contain through CloudFormation, users can change those resources outside of CloudFormation. Users can edit resources directly by using the underlying service that created the resource. By performing drift detection on a stack set, you can determine if any of the stack instances belonging to that stack set differ, or have *drifted*, from their expected configuration.

How CloudFormation performs drift detection on a stack set

When CloudFormation performs drift detection on a stack set, it performs drift detection on the stack associated with each stack instance in the stack set. To do this, CloudFormation compares the current state of each resource in the stack with the expected state of that resource, as defined in the stack's template and and any specified input parameters. If the current state of a resource varies from its expected state, that resource is considered to have drifted. If one or more resources in a stack have drifted, then the stack itself is considered to have drifted, and the stack instances that the stack is associated with is considered to have drifted as well. If one or more stack instances in a stack set have drifted, the stack set itself is considered to have drifted.

Drift detection identifies unmanaged changes; that is, changes made to stacks outside of CloudFormation. Changes made through CloudFormation to a stack directly, rather than at the stack-set level, are not considered drift. For example, suppose you have a stack that is associated with a stack instance of a stack set. If you use CloudFormation to update that stack to use a different template, that is not considered drift, even though that stack now has a different template than any other stacks belonging to the stack set. This is because the stack still matches its expected template and parameter configuration in CloudFormation.

For detailed information on how CloudFormation performs drift detection on a stack, see Detecting unmanaged configuration changes to stacks and resources.

Detecting unmanaged configuration changes to stacks and resources

Because CloudFormation performs drift detection on each stack individually, it takes any overridden parameter values into account when determining whether a stack has drifted. For more information on overriding template parameters in stack instances, see Override parameters on stack instances.

Override parameters on stack instances

If you perform drift detection directly on a stack that is associated with a stack instance, those drift results are not available from the *StackSets* console page.

directly on a stack

https://console.aws.amazon.com/cloudformation

https://console.aws.amazon.com/cloudformation

{P Image}

To detect drift on an entire stack using the AWS CLI, use the following `aws cloudformation` commands:

describe-stack-resource-drifts

Stopping drift detection on a stack set

Because drift detection on a stack set can be a long-running operation, there may be instances when you want to stop a drift detection operation that is currently running on a stack set.

https://console.aws.amazon.com/cloudformation