CloudFormation Drift - krdheeraj51/aws-labs GitHub Wiki
Overview:
CloudFormation drift detection helps you identify whether the actual configuration of your stack resources differs from the expected configuration defined in your CloudFormation template. This is useful for ensuring that your infrastructure remains consistent and compliant with your desired state.
Key Points:
Drift Detection:
- Drift detection can be performed on an entire stack or on individual resources within a stack.
- When you initiate drift detection, CloudFormation compares the current state of your resources with the expected state defined in the template.
Drift Status:
- IN_SYNC: The resource's actual configuration matches the expected configuration.
- MODIFIED: The resource's actual configuration differs from the expected configuration.
- DELETED: The resource has been deleted outside of CloudFormation.
- NOT_CHECKED: Drift detection has not been performed on the resource.
Detecting Drift:
- You can detect drift using the AWS Management Console, AWS CLI, or AWS SDKs.
- In the console, select the stack and choose "Detect drift" from the stack actions menu.
- For individual resources, use the detect-stack-resource-drift command in the AWS CLI.
Resolving Drift:
- To resolve drift, either update the stack so the resource is brought back to the configuration the template defines, or update the template so it reflects the resource's actual configuration.
- In some cases, you may need to use the resource import feature to update the resource without replacing it.
Example of Detecting Drift:
Using AWS CLI:
aws cloudformation detect-stack-drift --stack-name my-stack
Using AWS Management Console:
- Open the CloudFormation console.
- Select the stack you want to check.
- Choose "Stack actions" and then "Detect drift."
- Review the drift detection results.
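The detect-stack-drift call above only starts detection and returns a detection id; the result has to be polled for and the per-resource drifts fetched separately. The following script is an added example, not part of the wiki or of AWS tooling: it assumes a stack named "my-stack", boto3 and AWS credentials for the live run, and ships a constructed sample response so the summary logic can be exercised offline.

```python
import time

DRIFTED = {"MODIFIED", "DELETED"}


def summarize_drifts(resource_drifts):
    """Count resources per drift status; list changed paths of drifted ones (PropertyDifferences exists only for MODIFIED)."""
    counts, drifted = {}, []
    for d in resource_drifts:
        status = d.get("StackResourceDriftStatus", "NOT_CHECKED")
        counts[status] = counts.get(status, 0) + 1
        if status in DRIFTED:
            paths = [p["PropertyPath"] for p in d.get("PropertyDifferences", [])]
            drifted.append((d["LogicalResourceId"], status, paths))
    return {"counts": counts, "drifted": drifted}


def detect_drift(cfn, stack_name, poll_seconds=5, timeout_seconds=600):
    """Start detection, poll until it completes, then page through the per-resource results."""
    det_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    deadline = time.monotonic() + timeout_seconds
    while True:
        state = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=det_id)
        if state["DetectionStatus"] == "DETECTION_COMPLETE":
            break
        if state["DetectionStatus"] == "DETECTION_FAILED":
            raise RuntimeError(state.get("DetectionStatusReason", "drift detection failed"))
        if time.monotonic() > deadline:
            raise TimeoutError(f"drift detection for {stack_name} did not finish")
        time.sleep(poll_seconds)
    drifts, token = [], None
    while True:  # describe-stack-resource-drifts is paginated via NextToken
        kwargs = {"StackName": stack_name, **({"NextToken": token} if token else {})}
        page = cfn.describe_stack_resource_drifts(**kwargs)
        drifts.extend(page["StackResourceDrifts"])
        token = page.get("NextToken")
        if not token:
            return summarize_drifts(drifts)


SAMPLE_DRIFTS = [  # constructed sample, not real API output: a hand-widened ingress rule and a deleted bucket
    {"LogicalResourceId": "WebSecurityGroup", "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [{"PropertyPath": "/SecurityGroupIngress/0/CidrIp", "DifferenceType": "NOT_EQUAL",
                              "ExpectedValue": "10.0.0.0/8", "ActualValue": "0.0.0.0/0"}]},
    {"LogicalResourceId": "AuditBucket", "StackResourceDriftStatus": "DELETED"},
    {"LogicalResourceId": "AppRole", "StackResourceDriftStatus": "IN_SYNC"},
]

if __name__ == "__main__":  # live run against a real stack: needs boto3 and AWS credentials
    import boto3
    result = detect_drift(boto3.client("cloudformation"), "my-stack")
    print(result)
    raise SystemExit(1 if result["drifted"] else 0)  # non-zero exit lets a pipeline gate on drift
```

Running `summarize_drifts(SAMPLE_DRIFTS)` offline shows the shape of the output: the security group is reported with the changed CidrIp path and the bucket as DELETED with no property list, while the IN_SYNC role is only counted.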
Example of Resolving Drift:
Using Resource Import:
- Add a DeletionPolicy attribute set to Retain to the resource.
- Remove the resource from the template and update the stack.
- Describe the resource's actual state in the template and import the resource back into the stack.