Just announced at re:Invent 2017 by Anil Kumar during the “Deep Dive on AWS CloudFormation” talk: Drift Detection capabilities will be added to CloudFormation next year. (Discussion starts at 12m0s)
So, what is Drift Detection? Try as you might, having all of your “infrastructure as code” doesn’t prevent manual changes to your CFN stacks after deployment. Such changes are called “out-of-band” because they did not change due to CloudFormation. These changes can come from several places:
- Manual changes via the AWS console.
- API calls that modify existing AWS objects (i.e. changing the Provisioned Read/Writes to a Dynamo DB, changing the parameters to an auto-scaling group, etc)
- Deleting objects entirely.
While these out-of-band changes may indeed be due to legitimate needs, they don’t get reflected back into the source CFN templates without some human effort, and often they don’t get done at all. So, Drift Detection would at least let you discover when this has happened.
Anil showed what it might look like, both from the CLI / API perspective and from the AWS Console webapp.
aws cloudformation command will sprout a couple new subcommands that are specific to this feature.
The output of the existing
aws cloudformation describe-stack* CLI commands will have additional JSON elements to enumerate the status of each stack as being
The AWS Console for Cloudformation will display this information as well, and include a graphical / colorized diff capability that will clearly highlight the property names that have been added, modified and deleted. This screen shows both the expected value and the current value.
This post will be updated as more information becomes available.