
Using CloudFormation Drift Detection

Hands-On Lab



Craig Arcuri

AWS Training Architect II in Content

Length

01:00:00

Difficulty

Intermediate



Introduction

This lab instructs the student on CloudFormation drift detection. CloudFormation stack drift occurs when the resources in a stack have drifted from their original creation template. This can become a major problem — and drift detection can be used to identify it. After the problem is identified, the lab covers the stack update steps that can be taken to bring the CloudFormation stack back into sync with the original template. In most cases, a stack update is the right way to change a stack's resources.

Before We Begin

Log in to the AWS environment using the cloud_user credentials provided.

Once inside the AWS account, make sure you are in the us-east-1 (N. Virginia) region.

There are two CloudFormation templates for this lab:

  • ec24drift.json will be used to create the original stack
  • afterdriftupdate.json will be used to update the stack after drift detection

Download these files at the GitHub repository.

Create CloudFormation Stack

Create a Key Pair and Get Details for Later in the Lab

  1. Navigate to EC2 then Key Pairs.
  2. Click Create Key Pair.
  3. Give it a key pair name of driftlab, and click Create.

Create CloudFormation Stack

Before we get started creating the stack, we need to copy some information into a text doc:

  1. Navigate to the VPC page and select Your VPCs.
  2. Copy the VPC ID and paste it into a text file.
  3. Click Subnets in the left-hand menu.
  4. Select one of the listed subnets, and copy its subnet ID. Paste it into a text file, since we'll also need it later.

Now we can create our CloudFormation stack:

  1. In a new browser tab, navigate to CloudFormation.
  2. Click Create stack then With new resources.
  3. Select Template is ready.
  4. Select Upload a template file.
  5. Click Choose file, and select the ec24drift.json file.
  6. Click View in Designer.
  7. Click the checkbox at the top to validate it, and then click the cloud icon with the up arrow to create the stack.
  8. Click Next.
  9. On the stack details page, set the following values:
    • Stack name: driftlab
    • InstanceType: t2.micro
    • KeyName: driftlab
    • MySubnet: Paste in the subnet ID you copied earlier
    • myVPC: Paste in the VPC ID you copied earlier
  10. Click Next.
  11. On the stack options page, give it a "name" tag of "driftlab".
  12. Click Next.
  13. Click Create stack. Give it a few minutes to finish being created.

Terminate an EC2 Instance to Introduce Stack Drift

  1. In the other browser tab, navigate to EC2 then Instances.
  2. Select Instance3.
  3. Click Actions, Networking, then Change Security Groups.
  4. In the dialog that pops up, un-select the current one that's selected and click to select the default security group instead.
  5. Click Assign Security Groups.
  6. Un-select Instance3.
  7. Select Instance1.
  8. Click Actions, Instance State, then Terminate.
  9. In the dialog, click Yes, Terminate.
  10. Click Security Groups in the left-hand menu.
  11. Select the security group created in our stack (it will have driftlab-InstanceSecurityGroup in its name).
  12. Click the Inbound tab, and click Edit.
  13. Click Add Rule, and set the Type to HTTP.
  14. Click Add Rule again, and set the Type to HTTPS.
  15. Click Save.
  16. In a new browser tab, navigate to S3.
  17. Click to open the bucket created by the template we used (it will have driftlab in the name).
  18. Click the Properties tab.
  19. Click the Static website hosting card.
  20. Select Disable website hosting, and click Save.
  21. Back in the CloudFormation console, click Stack actions then Detect drift.
  22. Once drift detection is initiated, click Stack actions then View drift results.
  23. Select the first EC2 instance, and click View drift details. Here, you'll see how the resource was created from the template vs. what it has become.
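The drift results the console shows in the steps above are also available from the AWS CLI (`aws cloudformation detect-stack-drift`, `describe-stack-drift-detection-status` and `describe-stack-resource-drifts`). The following added example (not part of the lab or its GitHub repository) walks a response of that shape, lists which resources are out of sync and therefore need the stack update, and separately flags the one kind of drift a defender should review rather than simply resync: ingress rules added to a stack-managed security group outside CloudFormation, like the HTTP/HTTPS rules introduced above. The response is constructed to mirror this lab's drift; the logical ids `EC2Instance1`, `EC2Instance2` and `S3Bucket` and the `sg-...` values are placeholders, not taken from the lab's templates.

```python
"""Summarise CloudFormation drift results and flag security-relevant drift.

Constructed sample data below; in a real account it would come from
`aws cloudformation describe-stack-resource-drifts --stack-name driftlab`
after `detect-stack-drift` has finished.
"""
import json

# Constructed response, shaped like describe-stack-resource-drifts output.
# Property values are JSON strings, as the real API returns them.
SAMPLE_DRIFTS = {
    "StackResourceDrifts": [
        {"LogicalResourceId": "EC2Instance1", "ResourceType": "AWS::EC2::Instance",
         "StackResourceDriftStatus": "DELETED", "PropertyDifferences": []},
        {"LogicalResourceId": "EC2Instance2", "ResourceType": "AWS::EC2::Instance",
         "StackResourceDriftStatus": "IN_SYNC", "PropertyDifferences": []},
        {"LogicalResourceId": "EC2Instance3", "ResourceType": "AWS::EC2::Instance",
         "StackResourceDriftStatus": "MODIFIED",
         "PropertyDifferences": [
             {"PropertyPath": "/SecurityGroupIds/0",
              "ExpectedValue": "sg-placeholder-driftlab",   # placeholder id
              "ActualValue": "sg-placeholder-default",      # placeholder id
              "DifferenceType": "NOT_EQUAL"}]},
        {"LogicalResourceId": "InstanceSecurityGroup",
         "ResourceType": "AWS::EC2::SecurityGroup",
         "StackResourceDriftStatus": "MODIFIED",
         "PropertyDifferences": [
             {"PropertyPath": "/SecurityGroupIngress/1", "DifferenceType": "ADD",
              "ActualValue": json.dumps({"CidrIp": "0.0.0.0/0", "IpProtocol": "tcp",
                                         "FromPort": 80, "ToPort": 80})},
             {"PropertyPath": "/SecurityGroupIngress/2", "DifferenceType": "ADD",
              "ActualValue": json.dumps({"CidrIp": "0.0.0.0/0", "IpProtocol": "tcp",
                                         "FromPort": 443, "ToPort": 443})}]},
        {"LogicalResourceId": "S3Bucket", "ResourceType": "AWS::S3::Bucket",
         "StackResourceDriftStatus": "MODIFIED",
         "PropertyDifferences": [
             {"PropertyPath": "/WebsiteConfiguration", "DifferenceType": "REMOVE",
              "ExpectedValue": json.dumps({"IndexDocument": "index.html"})}]},
    ]
}


def drift_summary(response):
    """Map each logical resource id to its drift status (IN_SYNC, MODIFIED, DELETED, ...)."""
    return {d["LogicalResourceId"]: d["StackResourceDriftStatus"]
            for d in response["StackResourceDrifts"]}


def resources_needing_attention(response):
    """Logical ids of every resource that is not IN_SYNC: the stack update must cover these."""
    return sorted(rid for rid, status in drift_summary(response).items() if status != "IN_SYNC")


def update_required(response):
    """True when at least one resource has drifted, i.e. the stack should be updated."""
    return bool(resources_needing_attention(response))


def security_group_ingress_added(response):
    """Ingress rules that appeared on a stack-managed security group outside CloudFormation.

    These widen exposure with no template change, so they deserve a review
    (who added them, and why) before the stack is simply brought back in sync.
    Returns (logical id, protocol, from port, to port, cidr) tuples.
    """
    findings = []
    for drift in response["StackResourceDrifts"]:
        if drift["ResourceType"] != "AWS::EC2::SecurityGroup":
            continue
        for diff in drift.get("PropertyDifferences", []):
            if diff["DifferenceType"] == "ADD" and diff["PropertyPath"].startswith("/SecurityGroupIngress"):
                rule = json.loads(diff["ActualValue"])
                findings.append((drift["LogicalResourceId"], rule.get("IpProtocol"),
                                 rule.get("FromPort"), rule.get("ToPort"), rule.get("CidrIp")))
    return findings


def report(response):
    """Human-readable drift report: one status line per resource, then review items."""
    lines = [f"{rid}: {status}" for rid, status in drift_summary(response).items()]
    for sg, proto, low, high, cidr in security_group_ingress_added(response):
        lines.append(f"REVIEW {sg}: ingress {proto} {low}-{high} from {cidr} added outside CloudFormation")
    lines.append("stack update required" if update_required(response) else "stack in sync")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DRIFTS))
```

`DELETED` resources (here the terminated Instance1) are recreated by the stack update in the next sections, while `MODIFIED` ones are reconciled to whatever the new template declares; the ingress check is kept separate because a resync erases the evidence of the out-of-band change.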

Eliminate Drift from Stack

  1. In a code editor of your choice, open the ec24drift.json file (the original template, from which the live resources have now drifted) and the afterdriftupdate.json file, which is the template we'll use to update the stack and remove the drift.
  2. In the drift console, click to view each resource that's out of compliance, and compare its Actual properties with the corresponding definition in the afterdriftupdate.json file. Note that they will look similar, because the updated template declares the resource the way it needs to be to remove the drift.

Manually Eliminate Drift on Individual Resource

  1. In the EC2 browser tab, navigate to Instances.
  2. Select Instance3 and click Actions, Networking, then Change Security Groups.
  3. Un-select the default security group, and select the driftlab-InstanceSecurityGroup security group.
  4. Click Assign Security Groups.
  5. In the drift console, select EC2Instance3, and click Detect drift for resource. Our EC2Instance3 now shows as IN_SYNC.

Note: Fixing a resource by hand like this is not a compliance-style remediation, but as we are not worried about compliance in this lab, we can use it.

Update Stack to Eliminate Drift

Let's update our stack using a new template that will update our stack and remove the drift:

  1. Still in the CloudFormation console, click Stacks in the left-hand menu.
  2. Select our driftlab stack, and click Update.
  3. Select Replace current template.
  4. Select Upload a template file, and click Choose file.
  5. Select the afterdriftupdate.json file, and click Next.
  6. Leave the parameters on the stack details page as-is, and click Next.
  7. Leave the stack options as-is, and click Next.
  8. Click Update stack. Give it a few minutes to finish being updated.
  9. Click Stack actions then Detect drift.
  10. Click Stack actions then View drift results. All should be in compliance.

Conclusion

Congratulations on successfully completing this hands-on lab!