Using CloudFormation Drift Detection

Hands-On Lab

Craig Arcuri

AWS Training Architect II in Content

Length

01:00:00

Difficulty

Intermediate

This lab instructs the student on CloudFormation drift detection. CloudFormation stack drift occurs when resources in a stack have been changed outside of CloudFormation and no longer match the template that created them. This can become a major problem, and drift detection can be used to identify it. After the problem is identified, the lab covers the stack update steps that can be taken to bring the CloudFormation stack back in sync with the original template.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Introduction

This lab instructs the student on CloudFormation drift detection. CloudFormation stack drift occurs when resources in a stack have been changed outside of CloudFormation and no longer match the template that created them. This can become a major problem, and drift detection can be used to identify it. After the problem is identified, the lab covers the stack update steps that can be taken to bring the CloudFormation stack back in sync with the original template. In most cases, changes to a stack's resources should be made through a stack update rather than directly on the resources, and a stack update can be performed at any time.

Solution

Log in to the AWS environment using the cloud_user credentials provided.

Once inside the AWS account, make sure you are in the us-east-1 (N. Virginia) region.

There are two CloudFormation templates for this lab:

  • ec24drift.json will be used to create the original stack
  • afterdriftupdate.json will be used to update the stack after drift detection

Download these files at the GitHub repository.

Create CloudFormation Stack

Create a Key Pair and Get Details for Later in the Lab

  1. Navigate to EC2 > Key Pairs.
  2. Click Create Key Pair.
  3. Give it a key pair name of "driftlab", and click Create.
  4. Navigate to VPC.
  5. Copy the VPC ID and paste it into a text file, since we'll need it in a few minutes.
  6. Click Subnets in the left-hand menu.
  7. Select one of the listed subnets, and copy its subnet ID. Paste it into a text file, since we'll also need it later.

Create CloudFormation Stack

  1. In a new browser tab, navigate to CloudFormation.
  2. Click Create stack.
  3. Select Upload a template file.
  4. Click Choose file, and select the ec24drift.json file.
  5. Click View in Designer.
  6. Click the checkbox at the top to validate it, and then click the cloud icon with the up arrow to create the stack.
  7. Click Next.
  8. On the stack details page, set the following values:
    • Stack name: driftlab
    • InstanceType: t2.micro
    • KeyName: driftlab
    • MySubnet: Paste in the subnet ID you copied earlier
    • myVPC: Paste in the VPC ID you copied earlier
  9. Click Next.
  10. On the stack options page, set the Key as "name" and Value as "driftlab".
  11. Click Next.
  12. Click Create stack.
  13. Once its creation is complete, click the refresh icon next to where it says New events available.

Terminate an EC2 Instance to Introduce Stack Drift

  1. In the other browser tab, navigate to EC2 > Instances.
  2. Select Instance3.
  3. Click Actions > Networking > Change Security Groups.
  4. In the dialog that pops up, deselect the currently selected security group and select the default security group instead.
  5. Click Assign Security Groups.
  6. Select Instance1.
  7. Click Actions > Instance State > Terminate.
  8. In the dialog, click Yes, Terminate.
  9. Click Security Groups in the left-hand menu.
  10. Select the security group created in our stack (it will have a custom name, not default).
  11. Click the Inbound tab, and click Edit.
  12. Click Add Rule, and set the Type to HTTP.
  13. Click Add Rule again, and set the Type to HTTPS.
  14. Click Save.
  15. In a new browser tab, navigate to S3.
  16. Click to open the bucket created by the template we used (it will have driftlab in the name).
  17. Click the Properties tab.
  18. Click the Static website hosting card.
  19. Select Disable website hosting, and click Save.
  20. Back in the CloudFormation console, click Stack actions > Detect drift.
  21. Once drift detection is initiated, click Stack actions > View drift results.
  22. Select the first EC2 instance, and click View drift details. Here, you'll see the resource's expected properties from the template compared with its actual properties as they are now.
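The drift result the console shows in step 22 can also be pulled and triaged from a script. The added example below is not part of the lab or its templates: it summarizes a DescribeStackResourceDrifts response and calls out security group ingress rules that were added outside CloudFormation. The response is a constructed sample that mirrors the changes made above; the logical ids, security group ids and property paths are assumptions.

```python
import json

# Constructed sample in the shape of the DescribeStackResourceDrifts response (assumption:
# fetched with `aws cloudformation describe-stack-resource-drifts --stack-name driftlab`).
# Ids and values are made up to mirror the out-of-band changes made by hand above.
SAMPLE_DRIFTS = {"StackResourceDrifts": [
    {"LogicalResourceId": "EC2Instance1", "ResourceType": "AWS::EC2::Instance",
     "StackResourceDriftStatus": "DELETED", "PropertyDifferences": []},
    {"LogicalResourceId": "EC2Instance3", "ResourceType": "AWS::EC2::Instance",
     "StackResourceDriftStatus": "MODIFIED", "PropertyDifferences": [
         {"PropertyPath": "/SecurityGroupIds/0", "DifferenceType": "NOT_EQUAL",
          "ExpectedValue": "sg-0aaaaaaaaaaaaaaaa", "ActualValue": "sg-0bbbbbbbbbbbbbbbb"}]},
    {"LogicalResourceId": "InstanceSecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup",
     "StackResourceDriftStatus": "MODIFIED", "PropertyDifferences": [
         {"PropertyPath": "/SecurityGroupIngress/1", "DifferenceType": "ADD", "ExpectedValue": "",
          "ActualValue": '{"IpProtocol":"tcp","FromPort":80,"ToPort":80,"CidrIp":"0.0.0.0/0"}'},
         {"PropertyPath": "/SecurityGroupIngress/2", "DifferenceType": "ADD", "ExpectedValue": "",
          "ActualValue": '{"IpProtocol":"tcp","FromPort":443,"ToPort":443,"CidrIp":"0.0.0.0/0"}'}]},
    {"LogicalResourceId": "S3Bucket", "ResourceType": "AWS::S3::Bucket",
     "StackResourceDriftStatus": "MODIFIED", "PropertyDifferences": [
         {"PropertyPath": "/WebsiteConfiguration", "DifferenceType": "REMOVE",
          "ExpectedValue": '{"IndexDocument":"index.html"}', "ActualValue": ""}]},
    {"LogicalResourceId": "EC2Instance2", "ResourceType": "AWS::EC2::Instance",
     "StackResourceDriftStatus": "IN_SYNC", "PropertyDifferences": []},
]}

def summarize_drifts(response):
    """One entry per resource that is not IN_SYNC: its status plus (property path, change kind)."""
    return [{"id": r["LogicalResourceId"], "type": r["ResourceType"],
             "status": r["StackResourceDriftStatus"],
             "diffs": [(d["PropertyPath"], d["DifferenceType"]) for d in r.get("PropertyDifferences", [])]}
            for r in response["StackResourceDrifts"] if r["StackResourceDriftStatus"] != "IN_SYNC"]

def ingress_added_out_of_band(response):
    """(resource, from_port, to_port, cidr) for ingress rules ADDed outside CloudFormation."""
    found = []
    for r in response["StackResourceDrifts"]:
        for d in r.get("PropertyDifferences", []):
            if d["DifferenceType"] == "ADD" and d["PropertyPath"].startswith("/SecurityGroupIngress/"):
                rule = json.loads(d["ActualValue"])  # complex property values come back JSON-encoded
                found.append((r["LogicalResourceId"], rule.get("FromPort"), rule.get("ToPort"),
                              rule.get("CidrIp", rule.get("CidrIpv6", "?"))))
    return found

if __name__ == "__main__":
    for e in summarize_drifts(SAMPLE_DRIFTS):
        print(f'{e["id"]:22} {e["status"]:9} {e["diffs"]}')
    for res, lo, hi, cidr in ingress_added_out_of_band(SAMPLE_DRIFTS):
        print(f"review: {res} now allows tcp {lo}-{hi} from {cidr}, which the template does not define")
```

Against a live stack, replace SAMPLE_DRIFTS with the parsed output of `aws cloudformation describe-stack-resource-drifts --stack-name driftlab`, run after `aws cloudformation detect-stack-drift` has completed.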

Eliminate Drift from Stack

  1. In a code editor of your choice, open the afterdriftupdate.json file you downloaded at the beginning of the lab. This is the template we'll use to update the stack.
  2. In the drift console, click to view each resource that's out of compliance, and compare its Actual properties with the corresponding resource definition in the JSON file.

Eliminate Drift on Individual Resource

  1. In the EC2 browser tab, select Instance3 and click Actions > Networking > Change Security Groups.
  2. Deselect the default security group, and select the security group whose name begins with driftlab-.
  3. Click Assign Security Groups.
  4. In the drift console, select EC2Instance3, and click Detect drift for resource. It should show the resource is now back in compliance.

Update Stack to Eliminate Drift

  1. Head back to our stack, and click Update.
  2. Click Replace current template.
  3. Click Upload a template file, select the afterdriftupdate.json file, and click Next.
  4. Leave the parameters on the stack details page as-is, and click Next.
  5. Leave the stack options as-is, and click Next.
  6. Click Update stack.
  7. Click Stack actions > Detect drift.
  8. Click Stack actions > View drift results. All should be in compliance.

Conclusion

Congratulations on successfully completing this hands-on lab!