Understanding CloudFormation Stack Drift
— aws, cloudformation — 4 min read
AWS CloudFormation is a powerful infrastructure-as-code (IaC) service that allows developers to define and manage AWS resources using templates. With CloudFormation, you can create, update, and delete AWS resources in a controlled and automated way.
However, as with any complex system, there is a risk of things going wrong. One such issue is CloudFormation stack drift, which refers to the differences between the expected and actual state of resources in a stack. In this article, we will explore what stack drift is, what causes it, what impact it has, how to detect it, how to correct it, and how to prevent it.
What Is CloudFormation Stack Drift?
Stack drift is a situation where the actual state of resources in a CloudFormation stack is different from the expected state defined in the stack's template. Stack drift can occur when manual changes are made to resources outside of CloudFormation, such as modifying resource properties or deleting resources. This can happen due to a variety of reasons, such as human error or the need for quick fixes to address production issues.
Causes of Stack Drift
There are several causes of stack drift. Here are some common reasons why it occurs:
- Manual updates: Stack drift can occur when manual updates are made to resources in the stack outside of CloudFormation. These changes can be made using the AWS Management Console, CLI, SDKs, or APIs.
- Resource replacement: Stack drift can occur when a resource is replaced or recreated outside of CloudFormation. This can happen if a resource is deleted or destroyed, and a new one is created in its place, which can result in a new resource ID.
- Third-party integration: Stack drift can occur when third-party integrations modify resources in the stack.
Impact of Stack Drift
Stack drift can cause issues with resource consistency and make it difficult to manage and update stacks. For example, if a resource is manually deleted or modified, CloudFormation may not be able to update or delete it correctly. This can cause the stack update to fail, resulting in an inconsistent state of resources.
Detecting Stack Drift
CloudFormation can detect stack drift by comparing the current state of resources in a stack to their expected state as defined in the CloudFormation template.
You can detect stack drift by using the AWS Management Console, CLI, or API. When you initiate a stack drift detection operation, CloudFormation compares the actual state of the stack's resources to the expected state defined in the stack's template. If there is any difference between the two states, CloudFormation detects that the stack has drifted.
CloudFormation provides a drift detection report that shows which resources have drifted, the nature of the drift, and the time of the last drift detection. The drift detection report can be accessed via the AWS Management Console, CLI, or API. The report lists all resources that have drifted, including their current state and the expected state as defined in the stack's template.
Please refer to the drift detection documentation for more details.
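As an added example (not code from the original article), the following Python script runs the detection operation described above with boto3 and then summarises the drift report. The summariser works offline on a response shaped like the output of describe_stack_resource_drifts, so it is exercised here on a constructed sample; only run_drift_detection() needs boto3, AWS credentials and the relevant cloudformation:Describe*/DetectStackDrift permissions. The stack name, resource names and property values in the sample are assumptions, not values from the article.

```python
"""Run CloudFormation drift detection and summarise the drift report.

Added example, not from the original article. run_drift_detection() assumes
boto3 is installed and AWS credentials are configured; summarise_drifts() and
high_risk_drifts() work offline on a describe_stack_resource_drifts response.
"""
import time
from typing import Dict, List

# Per-resource drift statuses CloudFormation reports. Only these two mean the
# live resource no longer matches the template.
DRIFTED_STATUSES = ("MODIFIED", "DELETED")

# Resource types whose drift is worth paging someone about (assumed watch list).
HIGH_RISK_TYPE_PREFIXES = ("AWS::EC2::SecurityGroup", "AWS::IAM::", "AWS::KMS::",
                           "AWS::S3::BucketPolicy")

# Constructed sample shaped like the StackResourceDrifts list returned by
# describe_stack_resource_drifts; none of these values come from a real account.
SAMPLE_DRIFTS = [
    {"LogicalResourceId": "WebSecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup",
     "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [
         {"PropertyPath": "/SecurityGroupIngress/0/CidrIp", "DifferenceType": "NOT_EQUAL",
          "ExpectedValue": "10.0.0.0/16", "ActualValue": "0.0.0.0/0"}]},
    {"LogicalResourceId": "AuditLogBucket", "ResourceType": "AWS::S3::Bucket",
     "StackResourceDriftStatus": "DELETED"},
    {"LogicalResourceId": "AppRole", "ResourceType": "AWS::IAM::Role",
     "StackResourceDriftStatus": "IN_SYNC"},
]


def summarise_drifts(drifts: List[dict]) -> Dict[str, List[str]]:
    """Group resources by drift status; MODIFIED entries get one line per property difference."""
    summary: Dict[str, List[str]] = {"MODIFIED": [], "DELETED": [], "IN_SYNC": [], "NOT_CHECKED": []}
    for d in drifts:
        status = d["StackResourceDriftStatus"]
        label = f'{d["LogicalResourceId"]} ({d["ResourceType"]})'
        if status == "MODIFIED":
            for diff in d.get("PropertyDifferences", []):
                summary["MODIFIED"].append(
                    f'{label}: {diff["PropertyPath"]} {diff["DifferenceType"]} '
                    f'expected={diff.get("ExpectedValue")!r} actual={diff.get("ActualValue")!r}')
        else:
            summary.setdefault(status, []).append(label)
    return summary


def high_risk_drifts(drifts: List[dict]) -> List[str]:
    """Logical IDs to escalate: any DELETED resource, or a MODIFIED resource of a watched type."""
    flagged = []
    for d in drifts:
        status = d["StackResourceDriftStatus"]
        watched = d["ResourceType"].startswith(HIGH_RISK_TYPE_PREFIXES)
        if status == "DELETED" or (status == "MODIFIED" and watched):
            flagged.append(d["LogicalResourceId"])
    return flagged


def run_drift_detection(stack_name: str, poll_seconds: float = 5.0) -> List[dict]:
    """Start drift detection, wait for it to finish, and return the drifted resources.

    Needs cloudformation:DetectStackDrift, DescribeStackDriftDetectionStatus
    and DescribeStackResourceDrifts on the stack.
    """
    import boto3  # imported lazily so the offline helpers above do not need it

    cfn = boto3.client("cloudformation")
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    while True:
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            break
        time.sleep(poll_seconds)
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))

    # Fetch only the resources that actually drifted, following NextToken pagination.
    drifts: List[dict] = []
    kwargs = {"StackName": stack_name,
              "StackResourceDriftStatusFilters": list(DRIFTED_STATUSES)}
    while True:
        page = cfn.describe_stack_resource_drifts(**kwargs)
        drifts.extend(page["StackResourceDrifts"])
        if "NextToken" not in page:
            return drifts
        kwargs["NextToken"] = page["NextToken"]


if __name__ == "__main__":
    # Offline demo on the constructed sample; replace with
    # run_drift_detection("my-stack") against a real stack.
    for status, lines in summarise_drifts(SAMPLE_DRIFTS).items():
        for line in lines:
            print(f"[{status}] {line}")
    print("escalate:", high_risk_drifts(SAMPLE_DRIFTS))
```

The split between the status poll and the drifted-resource listing mirrors the API: detect_stack_drift only returns a detection ID, and the report itself lives in describe_stack_resource_drifts, which is paginated and can be filtered to MODIFIED and DELETED so IN_SYNC resources are not pulled at all. Filtering the report by resource type before alerting is what turns the raw drift list into an actionable signal, for example a widened security-group CIDR or a deleted log bucket.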
Correcting Stack Drift
To correct stack drift, users can either update the CloudFormation stack to bring it back into compliance with the template, or update the template to reflect the current state of resources.
The first approach involves updating the stack to ensure that all resources are consistent with the template. The second approach involves updating the template to reflect any changes made outside of CloudFormation.
Both approaches have their pros and cons, and the choice of approach will depend on the specific circumstances of the stack and the resources in question.
You can also design a process that remediates stack drift automatically, driven by the results of the drift detection report.
Preventing Stack Drift
To prevent stack drift, it's best to avoid making manual changes to resources in a stack that is managed by CloudFormation. Instead, use CloudFormation to manage updates to the stack and its resources.
If manual changes are necessary, be sure to update the CloudFormation template to reflect those changes, so that the template accurately represents the desired state of the stack.
Final Thoughts
Stack drift can be a significant issue when using CloudFormation to manage infrastructure as code. However, by understanding the causes of stack drift, detecting the drift, and taking steps to correct and prevent drift, users can mitigate the risks associated with stack drift and ensure the stability and consistency of their CloudFormation stacks.