Detecting unmanaged configuration changes in stack sets - AWS CloudFormation

Detecting unmanaged configuration changes in stack sets

Even as you manage your stacks and the resources they contain through CloudFormation, users can change those resources outside of CloudFormation. Users can edit resources directly by using the underlying service that created the resource. By performing drift detection on a stack set, you can determine if any of the stack instances belonging to that stack set differ, or have drifted, from their expected configuration.

How CloudFormation performs drift detection on a stack set

When CloudFormation performs drift detection on a stack set, it performs drift detection on the stack associated with each stack instance in the stack set. To do this, CloudFormation compares the current state of each resource in the stack with the expected state of that resource, as defined in the stack's template and any specified input parameters. If the current state of a resource varies from its expected state, that resource is considered to have drifted. If one or more resources in a stack have drifted, then the stack itself is considered to have drifted, and the stack instance that the stack is associated with is considered to have drifted as well. If one or more stack instances in a stack set have drifted, the stack set itself is considered to have drifted.

Drift detection identifies unmanaged changes; that is, changes made to stacks outside of CloudFormation. Changes made through CloudFormation to a stack directly, rather than at the stack-set level, aren't considered drift. For example, suppose you have a stack that is associated with a stack instance of a stack set. If you use CloudFormation to update that stack to use a different template, that is not considered drift, even though that stack now has a different template than any other stacks belonging to the stack set. This is because the stack still matches its expected template and parameter configuration in CloudFormation.

For detailed information on how CloudFormation performs drift detection on a stack, see Detecting unmanaged configuration changes to stacks and resources.

Because CloudFormation performs drift detection on each stack individually, it takes any overridden parameter values into account when determining whether a stack has drifted. For more information on overriding template parameters in stack instances, see Override parameters on stack instances.

If you perform drift detection directly on a stack that is associated with a stack instance, those drift results aren't available from the StackSets console page.

To detect drift on a stack set using the AWS Management Console
  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

  2. On the StackSets page, select the stack set on which you want to perform drift detection.

  3. From the Actions menu, select Detect drifts.

    CloudFormation displays an information bar stating that drift detection has been initiated for the selected stack set.

  4. Optional: To monitor the progress of the drift detection operation:

    1. Select the stack set name to display the Stackset details page.

    2. Select the Operations tab, select the drift detection operation, and then select View drift details.

    CloudFormation displays the Operation details dialog box.

  5. Wait until CloudFormation completes the drift detection operation. When the drift detection operation completes, CloudFormation updates Drift status and Last drift check time for your stack set. These fields are listed on the Overview tab of the StackSet details page for the selected stack set.

    The drift detection operation may take some time, depending on the number of stack instances included in the stack set, and the number of resources included in the stack set. You can only run a single drift detection operation on a given stack set at one time. CloudFormation continues the drift detection operation even after you dismiss the information bar.

  6. To review the drift detection results for the stack instances in a stack set, select the Stack instances tab.

    The Stack name column lists the name of the stack associated with each stack instance, and the Drift status column lists the drift status of that stack. A stack is considered to have drifted if one or more of its resources have drifted.

  7. To review the drift detection results for the stack associated with a specific stack instance:

    1. Choose the Operations tab.

    2. Select the drift operation you want to view drift detection results for. A split panel will display the stack instance status and reason for the selected operation. For a drift operation, the status reason column shows the drift status of a stack instance.

    3. Choose the stack instance you want to view drift details for, and choose View resource drifts. In the Resource drift status table on the Resource Drifts page, each stack resource is listed with its drift status and the last time drift detection was initiated on the resource. The logical ID and physical ID of each resource are displayed to help you identify them.

  8. You can sort the resources based on their drift status using the Drift status column.

    To view the details on a modified resource:

    1. With the resource selected, choose View drift details.

      CloudFormation displays the drift detail page for that particular resource. This page lists the resource's differences. It also lists the resource's expected and current property values.

      Note

      If the stack belongs to a different Region and account than the one you're currently signed into, the Detect drift button will be disabled and you will be unable to view the details.

      [Image: The Resource drift status section of the Drift Details page, which contains drift information for each resource in the stack that supports drift detection. Details include drift status and expected and current property values.]

To detect drift on a stack set using the AWS CLI

To detect drift on an entire stack set using the AWS CLI, use the following aws cloudformation commands:

  • detect-stack-set-drift to initiate a drift detection operation on a stack set.

  • describe-stack-set-operation to monitor the status of the stack set drift detection operation.

  • Once the drift detection operation has completed, use the following commands to return drift information you want:

    • Use describe-stack-set to return detailed information about the stack set, including detailed information about the last completed drift operation performed on the stack set. (Information about drift operations that are in progress isn't included.)

    • Use list-stack-instances to return a list of stack instances belonging to the stack set, including the drift status and last drift time checked of each instance.

    • Use describe-stack-instance to return detailed information about a specific stack instance, including its drift status and last drift time checked.

    • Use list-stack-instance-resource-drifts to return detailed information about the drift status of each resource in a stack instance.

    • Use stack-instance-resource-drifts-summary to return summary information about resource drifts for a stack instance.

  1. Use detect-stack-set-drift to detect drift on an entire stack set and its associated stack instances.

    The following example initiates drift detection on the stack set stack-set-drift-example.

    $ aws cloudformation detect-stack-set-drift \
        --stack-set-name stack-set-drift-example
    {
        "OperationId": "c36e44aa-3a83-411a-b503-cb611example"
    }

  2. Because stack set drift detection can be a long-running operation, use describe-stack-set-operation to monitor the status of the drift operation. This command takes the stack set operation ID returned by the detect-stack-set-drift command.

    The following example uses the operation ID from the previous example to return information on the stack set drift detection operation. In this example, the operation is still running. Of the seven stack instances associated with this stack set, one stack instance has already been found to have drifted, two instances are in sync, and drift detection for the remaining four stack instances is still in progress. Because one instance has drifted, the drift status of the stack set itself is already DRIFTED.

    $ aws cloudformation describe-stack-set-operation \
        --stack-set-name stack-set-drift-example \
        --operation-id c36e44aa-3a83-411a-b503-cb611example
    {
        "StackSetOperation": {
            "Status": "RUNNING",
            "AdministrationRoleARN": "arn:aws:iam::123456789012:role/AWSCloudFormationStackSetAdministrationRole",
            "OperationPreferences": {
                "RegionOrder": []
            },
            "ExecutionRoleName": "AWSCloudFormationStackSetExecutionRole",
            "StackSetDriftDetectionDetails": {
                "DriftedStackInstancesCount": 1,
                "TotalStackInstancesCount": 7,
                "LastDriftCheckTimestamp": "2019-12-04T20:34:28.543Z",
                "InSyncStackInstancesCount": 2,
                "InProgressStackInstancesCount": 4,
                "DriftStatus": "DRIFTED",
                "FailedStackInstancesCount": 0
            },
            "Action": "DETECT_DRIFT",
            "CreationTimestamp": "2019-12-04T20:33:13.673Z",
            "StackSetId": "stack-set-drift-example:bd1f4017-d4f9-432e-a73f-8c22example",
            "OperationId": "c36e44aa-3a83-411a-b503-cb611example"
        }
    }

    Running the same command later, after the drift detection operation has completed, returns the following. Two of the seven stack instances associated with this stack set have drifted, so the drift status of the stack set itself is DRIFTED.

    $ aws cloudformation describe-stack-set-operation \
        --stack-set-name stack-set-drift-example \
        --operation-id c36e44aa-3a83-411a-b503-cb611example
    {
        "StackSetOperation": {
            "Status": "SUCCEEDED",
            "AdministrationRoleARN": "arn:aws:iam::123456789012:role/AWSCloudFormationStackSetAdministrationRole",
            "OperationPreferences": {
                "RegionOrder": []
            },
            "ExecutionRoleName": "AWSCloudFormationStackSetExecutionRole",
            "EndTimestamp": "2019-12-04T20:37:32.829Z",
            "StackSetDriftDetectionDetails": {
                "DriftedStackInstancesCount": 2,
                "TotalStackInstancesCount": 7,
                "LastDriftCheckTimestamp": "2019-12-04T20:36:55.612Z",
                "InSyncStackInstancesCount": 5,
                "InProgressStackInstancesCount": 0,
                "DriftStatus": "DRIFTED",
                "FailedStackInstancesCount": 0
            },
            "Action": "DETECT_DRIFT",
            "CreationTimestamp": "2019-12-04T20:33:13.673Z",
            "StackSetId": "stack-set-drift-example:bd1f4017-d4f9-432e-a73f-8c22example",
            "OperationId": "c36e44aa-3a83-411a-b503-cb611example"
        }
    }

  3. When the stack set drift detection operation is complete, use the describe-stack-set, list-stack-instances, describe-stack-instance, and list-stack-instance-resource-drifts commands to review the results.

    The describe-stack-set command includes the same detailed drift information returned by the describe-stack-set-operation command.

    $ aws cloudformation describe-stack-set \
        --stack-set-name stack-set-drift-example
    {
        "StackSet": {
            "Status": "ACTIVE",
            "Description": "Demonstration of drift detection on stack sets.",
            "Parameters": [],
            "Tags": [
                {
                    "Value": "Drift detection",
                    "Key": "Feature"
                }
            ],
            "ExecutionRoleName": "AWSCloudFormationStackSetExecutionRole",
            "Capabilities": [],
            "AdministrationRoleARN": "arn:aws:iam::123456789012:role/AWSCloudFormationStackSetAdministrationRole",
            "StackSetDriftDetectionDetails": {
                "DriftedStackInstancesCount": 2,
                "TotalStackInstancesCount": 7,
                "LastDriftCheckTimestamp": "2019-12-04T20:36:55.612Z",
                "InProgressStackInstancesCount": 0,
                "DriftStatus": "DRIFTED",
                "DriftDetectionStatus": "COMPLETED",
                "InSyncStackInstancesCount": 5,
                "FailedStackInstancesCount": 0
            },
            "StackSetARN": "arn:aws:cloudformation:us-east-1:123456789012:stackset/stack-set-drift-example:bd1f4017-d4f9-432e-a73f-8c22example",
            "TemplateBody": [details omitted],
            "StackSetId": "stack-set-drift-example:bd1f4017-d4f9-432e-a73f-8c22ebexample",
            "StackSetName": "stack-set-drift-example"
        }
    }

    You can use the list-stack-instances command to return summary information about the stack instances associated with a stack set, including the drift status of each stack instance.

    In this example, executing list-stack-instances on the example stack set with the drift status filter set to DRIFTED enables you to identify which two stack instances have a drift status of DRIFTED.

    $ aws cloudformation list-stack-instances \
        --stack-set-name stack-set-drift-example \
        --filters Name=DRIFT_STATUS,Values=DRIFTED
    {
        "Summaries": [
            {
                "StackId": "arn:aws:cloudformation:eu-west-1:123456789012:stack/StackSet-stack-set-drift-example-b0fb6083-60c0-4e39-af15-2f071e0db90c/0e4f0940-16d4-11ea-93d8-0641cexample",
                "Status": "CURRENT",
                "Account": "012345678910",
                "Region": "eu-west-1",
                "LastDriftCheckTimestamp": "2019-12-04T20:37:32.687Z",
                "DriftStatus": "DRIFTED",
                "StackSetId": "stack-set-drift-example:bd1f4017-d4f9-432e-a73f-8c22eexample",
                "LastOperationId": "c36e44aa-3a83-411a-b503-cb611example"
            },
            {
                "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/StackSet-stack-set-drift-example-b7fde68e-e541-44c2-b33d-ef2e2988071a/008e6030-16d4-11ea-8090-12f89example",
                "Status": "CURRENT",
                "Account": "123456789012",
                "Region": "us-east-1",
                "LastDriftCheckTimestamp": "2019-12-04T20:34:28.275Z",
                "DriftStatus": "DRIFTED",
                "StackSetId": "stack-set-drift-example:bd1f4017-d4f9-432e-a73f-8c22eexample",
                "LastOperationId": "c36e44aa-3a83-411a-b503-cb611example"
            },
            [additional stack instances omitted]
        ]
    }

    The describe-stack-instance command also returns this information, but for a single stack instance, as in the example below.

    $ aws cloudformation describe-stack-instance \
        --stack-set-name stack-set-drift-example \
        --stack-instance-account 012345678910 \
        --stack-instance-region us-east-1
    {
        "StackInstance": {
            "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/StackSet-stack-set-drift-example-b7fde68e-e541-44c2-b33d-ef2e2988071a/008e6030-16d4-11ea-8090-12f89example",
            "Status": "CURRENT",
            "Account": "123456789012",
            "Region": "us-east-1",
            "ParameterOverrides": [],
            "DriftStatus": "DRIFTED",
            "LastDriftCheckTimestamp": "2019-12-04T20:34:28.275Z",
            "StackSetId": "stack-set-drift-example:bd1f4017-d4f9-432e-a73f-8c22eexample",
            "LastOperationId": "c36e44aa-3a83-411a-b503-cb611example"
        }
    }

  4. Once you've identified which stack instances have drifted, you can use the information about the stack instances that is returned by the list-stack-instances or describe-stack-instance commands to execute list-stack-instance-resource-drifts. This command returns detailed information about which resources in the stack have drifted for a particular drift operation.

    The following example uses the stack-instance-resource-drift-statuses parameter to request stack drift information for the resources that have been modified or deleted in the previous drift operation example. The request returns information on the one resource that has been modified, including details about two of its properties and their changed values. No resources have been deleted.

    $ aws cloudformation list-stack-instance-resource-drifts \
        --stack-set-name my-stack-set-with-resource-drift \
        --stack-instance-account 123456789012 \
        --stack-instance-region us-east-1 \
        --operation-id c36e44aa-3a83-411a-b503-cb611example \
        --stack-instance-resource-drift-statuses MODIFIED DELETED
    {
        "Summaries": [
            {
                "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-stack-set-with-resource-drift/489e5570-df85-11e7-a7d9-50example",
                "ResourceType": "AWS::SQS::Queue",
                "Timestamp": "2018-03-26T17:23:34.489Z",
                "PhysicalResourceId": "https://sqs.us-east-1.amazonaws.com/123456789012/my-stack-with-resource-drift-Queue-494PBHCO76H4",
                "StackResourceDriftStatus": "MODIFIED",
                "PropertyDifferences": [
                    {
                        "PropertyPath": "/DelaySeconds",
                        "ActualValue": "120",
                        "ExpectedValue": "20",
                        "DifferenceType": "NOT_EQUAL"
                    },
                    {
                        "PropertyPath": "/RedrivePolicy/maxReceiveCount",
                        "ActualValue": "12",
                        "ExpectedValue": "10",
                        "DifferenceType": "NOT_EQUAL"
                    }
                ],
                "LogicalResourceId": "Queue"
            }
        ]
    }
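The four CLI steps above, scripted end to end as an added example (this is not code from the AWS documentation): it calls the same operations through the boto3 method names detect_stack_set_drift, describe_stack_set_operation, list_stack_instances and list_stack_instance_resource_drifts, polls until the operation leaves RUNNING, uses the DRIFT_STATUS filter to fetch only drifted instances, and flattens each MODIFIED or DELETED resource into one row per property difference. Any object exposing those four methods can be passed as client; in practice that is boto3.client("cloudformation"). FakeCloudFormation is a constructed stand-in whose responses are abbreviated from this page's sample output so the script runs offline; its stack IDs are placeholders, and the function names and the row layout are this example's own choices.

```python
import time


def run_drift_detection(client, stack_set_name, poll_seconds=15, max_polls=120):
    """Start drift detection on the stack set and poll until the operation
    reaches a terminal state. Returns StackSetDriftDetectionDetails with the
    OperationId added, since the per-instance resource lookup needs it."""
    op_id = client.detect_stack_set_drift(StackSetName=stack_set_name)["OperationId"]
    for _ in range(max_polls):
        op = client.describe_stack_set_operation(
            StackSetName=stack_set_name, OperationId=op_id)["StackSetOperation"]
        if op["Status"] in ("SUCCEEDED", "FAILED", "STOPPED"):
            details = dict(op["StackSetDriftDetectionDetails"])
            details["OperationId"] = op_id
            details["OperationStatus"] = op["Status"]
            return details
        time.sleep(poll_seconds)  # only one drift operation per stack set runs at a time
    raise TimeoutError(f"drift operation {op_id} still running after {max_polls} polls")


def drifted_instances(client, stack_set_name):
    """Return (account, region, stack_id) for every instance reported DRIFTED,
    following NextToken so large stack sets are fully enumerated."""
    kwargs = {"StackSetName": stack_set_name,
              "Filters": [{"Name": "DRIFT_STATUS", "Values": ["DRIFTED"]}]}
    found = []
    while True:
        page = client.list_stack_instances(**kwargs)
        found.extend((s["Account"], s["Region"], s["StackId"]) for s in page["Summaries"])
        if "NextToken" not in page:
            return found
        kwargs["NextToken"] = page["NextToken"]


def resource_drift_report(client, stack_set_name, account, region, operation_id):
    """Rows of (logical_id, drift_status, property_path, expected, actual) for one
    stack instance. DELETED resources carry no property differences, so they
    produce a single row with the property fields set to None."""
    resp = client.list_stack_instance_resource_drifts(
        StackSetName=stack_set_name, StackInstanceAccount=account,
        StackInstanceRegion=region, OperationId=operation_id,
        StackInstanceResourceDriftStatuses=["MODIFIED", "DELETED"])
    rows = []
    for res in resp["Summaries"]:
        logical, status = res["LogicalResourceId"], res["StackResourceDriftStatus"]
        diffs = res.get("PropertyDifferences", [])
        if not diffs:
            rows.append((logical, status, None, None, None))
        for d in diffs:
            rows.append((logical, status, d["PropertyPath"], d["ExpectedValue"], d["ActualValue"]))
    return rows


def audit_stack_set(client, stack_set_name, poll_seconds=15):
    """Full workflow: detect, wait, list drifted instances, then explain each one."""
    details = run_drift_detection(client, stack_set_name, poll_seconds=poll_seconds)
    report = {"drift_status": details["DriftStatus"],
              "drifted": details["DriftedStackInstancesCount"],
              "total": details["TotalStackInstancesCount"], "instances": {}}
    for account, region, _stack_id in drifted_instances(client, stack_set_name):
        report["instances"][(account, region)] = resource_drift_report(
            client, stack_set_name, account, region, details["OperationId"])
    return report


class FakeCloudFormation:
    """Constructed stand-in for the boto3 CloudFormation client. Responses are
    abbreviated from the sample output on this page; the operation reports
    RUNNING on the first poll and SUCCEEDED afterwards."""
    OP_ID = "c36e44aa-3a83-411a-b503-cb611example"

    def __init__(self):
        self.polls = 0

    def detect_stack_set_drift(self, StackSetName):
        return {"OperationId": self.OP_ID}

    def describe_stack_set_operation(self, StackSetName, OperationId):
        self.polls += 1
        done = self.polls > 1
        return {"StackSetOperation": {
            "Status": "SUCCEEDED" if done else "RUNNING", "Action": "DETECT_DRIFT",
            "OperationId": OperationId,
            "StackSetDriftDetectionDetails": {
                "DriftStatus": "DRIFTED", "TotalStackInstancesCount": 7,
                "DriftedStackInstancesCount": 2 if done else 1,
                "InSyncStackInstancesCount": 5 if done else 2,
                "InProgressStackInstancesCount": 0 if done else 4,
                "FailedStackInstancesCount": 0}}}

    def list_stack_instances(self, StackSetName, Filters, NextToken=None):
        return {"Summaries": [  # stack IDs are placeholders, not real ARNs
            {"Account": "012345678910", "Region": "eu-west-1", "DriftStatus": "DRIFTED",
             "StackId": "placeholder-stack-id-eu-west-1"},
            {"Account": "123456789012", "Region": "us-east-1", "DriftStatus": "DRIFTED",
             "StackId": "placeholder-stack-id-us-east-1"}]}

    def list_stack_instance_resource_drifts(self, **kwargs):
        return {"Summaries": [{
            "LogicalResourceId": "Queue", "ResourceType": "AWS::SQS::Queue",
            "StackResourceDriftStatus": "MODIFIED",
            "PropertyDifferences": [
                {"PropertyPath": "/DelaySeconds", "ExpectedValue": "20",
                 "ActualValue": "120", "DifferenceType": "NOT_EQUAL"},
                {"PropertyPath": "/RedrivePolicy/maxReceiveCount", "ExpectedValue": "10",
                 "ActualValue": "12", "DifferenceType": "NOT_EQUAL"}]}]}


if __name__ == "__main__":
    result = audit_stack_set(FakeCloudFormation(), "stack-set-drift-example", poll_seconds=0)
    print(f"{result['drift_status']}: {result['drifted']} of {result['total']} instances drifted")
    for (account, region), rows in result["instances"].items():
        for logical, status, path, expected, actual in rows:
            print(f"  {account}/{region} {logical} {status} {path}: expected {expected}, actual {actual}")
```

Against the real client, pass poll_seconds of a few seconds and a max_polls large enough for the stack set's size, since the operation's duration grows with the number of instances and resources; the per-property rows are the same expected/actual pairs the console shows on the drift detail page, which makes them straightforward to forward to a ticketing or alerting pipeline.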

Stopping drift detection on a stack set

Because drift detection on a stack set can be a long-running operation, there may be instances when you want to stop a drift detection operation that is currently running on a stack set.

To stop drift detection on a stack set using the AWS Management Console
  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

  2. On the StackSets page, select the name of the stack set.

    CloudFormation displays the StackSets details page for the selected stack set.

  3. On the StackSets details page, select the Operations tab, and then select the drift detection operation.

  4. Select Stop operation.

To stop drift detection on a stack set using the AWS CLI
  • Use the stop-stack-set-operation command. You must supply both the stack set name and the operation ID of the drift detection stack set operation.

    $ aws cloudformation stop-stack-set-operation \
        --stack-set-name stack-set-drift-example \
        --operation-id 624af370-311a-11e8-b6b7-500cexample