How can I determine what caused a nested Cloudformation stack to be updated when I made no changes to the template?
To be clear: I have a script that uploads my templates to s3, and I always upload them all even if I didn't change them, so in S3 I think the modified date is still changed. But I'm pretty sure this shouldn't trigger an update to the stack? In this case, I had changed a different template and was running an update for that.
Part of the reason I'm learning Cloudformation is to build my infra with some predictability - if I have some components relying on specific ec2 instance IDs, unpredictable replacements will be a hassle to manage because I'll have to go around updating IDs in configurations (for example variables for my Github Actions CD pipeline across multiple repos.)
In this case the unwanted update was for a template that creates these resources:
- AWS::IAM::Role
- AWS::IAM::InstanceProfile
- AWS::EC2::Instance.
What I did change was an AWS::IAM::RolePolicy in a different template for the same parent stack, adding the following actions:
- For my VPC resource: ec2:CreateVpcEndpoint, ec2:DeleteVpcEndpoints
- For an S3 bucket: s3:PutObject
Are there internal updates in AWS that might trigger updates, like a new version of an AMI or something?
Even if the "changed file" resulted in no changes to the resource itself?
What's strange is that there are three other sub-stacks that don't get updated, despite also having files uploaded to S3.