CloudFormation Drift Detection
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we have discussed intrinsic functions in CloudFormation.
In this blog post, we are going to discuss drift detection is cloudformation.
CloudFormation Drift Detection:
Drift detection enables you to detect whether a stack’s actual configuration differs, or has drifted, from its expected configuration. A resource is considered to have drifted if any of its actual property values differ from the expected property values. This includes if the property or resource has been deleted. A stack is considered to have drifted if one or more of its resources have drifted.
In order to determine whether a resource has drifted, CloudFormation determines the expected resource property values, as defined in the stack template and any values specified as template parameters. CloudFormation then compares those expected values with the actual values of those resource properties as they currently exist in the stack. A resource is considered to have drifted if one or more of its properties have been deleted, or had their value changed. AWS CloudFormation generates detailed information on each resource in the stack that has drifted.
Note: CloudFormation detects drift on those resources that support drift detection. Resources that do not support drift detection are assigned a drift status of NOT_CHECKED.
Drift Detection Status Codes:
- DETECTION_COMPLETE: The stack drift detection operation has successfully completed for all resources in the stack that support drift detection.
- DETECTION_FAILED: The stack drift detection operation has failed for at least one resource in the stack. Results will be available for resources on which CloudFormation successfully completed drift detection.
- DETECTION_IN_PROGRESS: The stack drift detection operation is currently in progress.
- DRIFTED: The stack differs, or has drifted, from its expected template configuration. A stack is considered to have drifted if one or more of its resources have drifted.
- NOT_CHECKED: AWS CloudFormation has not checked if the stack differs from its expected template configuration.
- IN_SYNC: The current configuration of each supported resource matches its expected template configuration. A stack with no resources that support drift detection will also have a status of IN_SYNC.
- DELETED: The resource differs from its expected template configuration because the resource has been deleted.
- MODIFIED: The resource differs from its expected template configuration.
- ADD: A value has been added to a resource property that is an array or list data type.
- REMOVE: The property has been removed from the current resource configuration.
- NOT_EQUAL: The current property value differs from its expected value as defined in the stack template.
Next, we are going to create a stack with a vpc and subnet and demonstrate drift detection by changing the resource parameter.
Step 1: Login to AWS console and navigate to ‘CloudFormation’.
Step 2: Create a cloudformation stack using below YAML code.
Resources: myVPC: Type: 'AWS::EC2::VPC' Properties: CidrBlock: 10.0.0.0/16 EnableDnsSupport: 'true' EnableDnsHostnames: 'true' Tags: - Key: "Name" Value: "myVPC" mySUBNET: Type: 'AWS::EC2::Subnet' Properties: VpcId: !Ref myVPC #references myVPC id CidrBlock: 10.0.0.0/24 MapPublicIpOnLaunch: 'true' Tags: - Key: "Name" Value: "mySUBNET"
Note: Make sure your code indentation is correct. You can also use cloudformation_drift_detection_demo.yaml from below GitHub repo.
Next, we are going to change ‘DNS hostnames’ property of myVPC to disabled.
Step 3: Change myVPC DNS hostnames property to false.
Note: Due to the above change the myVPC resource definition in the stack template and actual configuration differs. Hence there is a drift in myVPC configuration.
Step 4: Navigate to ‘Drifts’ and click ‘Detect stack drift’.
Observe: Drift has been detected on myVPC as we have changed ‘DNS hostnames’ property from enabled to disabled.
Step 5: Click ‘View drift details’ to get the details of the drift.
Note: We have performed drift detection over the stack level. It is also possible to detect drift on the individual resource level.
Next, change the vpc ‘DNS hostnames’ configuration back to enabled to make it consistent with stack template configuration.
Step 6: Select ‘myVPC’ resource and click ‘Detect drift for resource’.
Note: Instead of the entire stack, cloudformation will only check resource myVPC for any drift and since we have again made myVPC configuration consistent with stack template, post check drift status will be ‘IN_SYNC’.
Note: Our stack level drift detection is still showing ‘DRIFTED’ status though resources are in SYNC. You can perform a stack level drift detection to make the stack drift ‘IN_SYNC’ as well.
Step 7: Cleanup.
Note: This will also delete the underlying resources for this stack.
Hope you have enjoyed this article. In the next blog post, we will discuss CloudFormation StackSets.
To get more details on CloudFormation, please refer below AWS documentation