My understanding is that a CloudFormation stack is drifted if a resource under it is changed and its actual state is deviated from what is defined in the template. A drift must never happen if the resource is changed through an update of the existing stack using a new template.
I found a drift in the API Gateway Authorizer of a stack when it is only changed through a template update. Is this a potential bug in either CloudFormation or API Gateway Authorizer?
Steps to reproduce:
- Create a new CloudFormation stack using the following template. It will create an API Gateway Authorizer (my-http-api-authorizer) and a Congnito user pool client (my-client-1) among other things.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "My stack",
"Resources": {
"LambdaExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "HelloLambdaRole",
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
}
},
"LambdaFunction": {
"Type": "AWS::Lambda::Function",
"Properties": {
"FunctionName": "my-lambda-function",
"Runtime": "python3.12",
"Handler": "index.my_handler",
"Code": {
"ZipFile": "def my_handler(event, context):\n message = \"Hello Lambda World!\"\n return message\n"
},
"Role": {
"Fn::GetAtt": "LambdaExecutionRole.Arn"
}
}
},
"LambdaIntegration": {
"Type": "AWS::ApiGatewayV2::Integration",
"Properties": {
"ApiId": {
"Ref": "HttpApi"
},
"IntegrationType": "AWS_PROXY",
"IntegrationUri": {
"Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${LambdaFunction}"
},
"PayloadFormatVersion": "2.0"
}
},
"LambdaIntegrationPermission": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"FunctionName": {
"Ref": "LambdaFunction"
},
"Action": "lambda:InvokeFunction",
"Principal": "apigateway.amazonaws.com",
"SourceArn": {
"Fn::Sub": "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${HttpApi}/*"
}
}
},
"CognitoUserPool": {
"Type": "AWS::Cognito::UserPool",
"Properties": {
"UserPoolName": "userpool",
"AdminCreateUserConfig": {
"AllowAdminCreateUserOnly": true
}
}
},
"CognitoUserPoolClient1": {
"Type": "AWS::Cognito::UserPoolClient",
"DependsOn": "CognitoResourceServer",
"Properties": {
"ClientName": "my-client-1",
"UserPoolId": {
"Ref": "CognitoUserPool"
},
"GenerateSecret": true,
"AllowedOAuthFlows": ["client_credentials"],
"AllowedOAuthFlowsUserPoolClient": true,
"AllowedOAuthScopes": ["my_res_server/read"]
}
},
"CognitoResourceServer": {
"Type": "AWS::Cognito::UserPoolResourceServer",
"Properties": {
"Identifier": "my_res_server",
"Name": "MY-RESOURCE-SERVER",
"UserPoolId": {
"Ref": "CognitoUserPool"
},
"Scopes": [
{
"ScopeName": "read",
"ScopeDescription": "read access"
}
]
}
},
"CognitoUserPoolDomain": {
"Type": "AWS::Cognito::UserPoolDomain",
"Properties": {
"Domain": "my-userpool-domain",
"UserPoolId": {
"Ref": "CognitoUserPool"
}
}
},
"HttpApi": {
"Type": "AWS::ApiGatewayV2::Api",
"Properties": {
"Name": "my-http-api",
"ProtocolType": "HTTP"
}
},
"Authorizer": {
"Type": "AWS::ApiGatewayV2::Authorizer",
"Properties": {
"ApiId": {
"Ref": "HttpApi"
},
"Name": "my-http-api-authorizer",
"AuthorizerType": "JWT",
"IdentitySource": ["$request.header.Authorization"],
"AuthorizerUri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaFunction.Arn}/invocations"
},
"JwtConfiguration": {
"Audience": [{ "Ref": "CognitoUserPoolClient1" }],
"Issuer": {
"Fn::Sub": "https://cognito-idp.${AWS::Region}.amazonaws.com/${CognitoUserPool}"
}
}
}
},
"HttpApiRoute": {
"Type": "AWS::ApiGatewayV2::Route",
"Properties": {
"ApiId": {
"Ref": "HttpApi"
},
"RouteKey": "POST /{proxy+}",
"AuthorizationType": "JWT",
"AuthorizerId": {
"Ref": "Authorizer"
},
"Target": {
"Fn::Join": [
"/",
[
"integrations",
{
"Ref": "LambdaIntegration"
}
]
]
}
}
},
"HttpApiStage": {
"Type": "AWS::ApiGatewayV2::Stage",
"Properties": {
"ApiId": {
"Ref": "HttpApi"
},
"StageName": "prod",
"AutoDeploy": true
}
}
},
"Outputs": {
"CognitoUserPoolId": {
"Value": {
"Ref": "CognitoUserPool"
}
},
"CognitoUserPoolDomain": {
"Value": {
"Ref": "CognitoUserPoolDomain"
}
},
"TokenEndpoint": {
"Value": {
"Fn::Sub": "https://${CognitoUserPoolDomain}.auth.${AWS::Region}.amazoncognito.com/oauth2/token"
}
},
"HttpApiEndpoint": {
"Value": {
"Fn::Sub": "https://${HttpApi}.execute-api.${AWS::Region}.${AWS::URLSuffix}/prod"
}
}
}
}
- Update the same stack by choosing 'Replace existing template'. Here the delta is addition of one more Cognito user pool client (my-client-2) and addition of this new Audience to the API Gateway Authorizer (my-http-api-authorizer).
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "My stack",
"Resources": {
"LambdaExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "HelloLambdaRole",
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
}
},
"LambdaFunction": {
"Type": "AWS::Lambda::Function",
"Properties": {
"FunctionName": "my-lambda-function",
"Runtime": "python3.12",
"Handler": "index.my_handler",
"Code": {
"ZipFile": "def my_handler(event, context):\n message = \"Hello Lambda World!\"\n return message\n"
},
"Role": {
"Fn::GetAtt": "LambdaExecutionRole.Arn"
}
}
},
"LambdaIntegration": {
"Type": "AWS::ApiGatewayV2::Integration",
"Properties": {
"ApiId": {
"Ref": "HttpApi"
},
"IntegrationType": "AWS_PROXY",
"IntegrationUri": {
"Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${LambdaFunction}"
},
"PayloadFormatVersion": "2.0"
}
},
"LambdaIntegrationPermission": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"FunctionName": {
"Ref": "LambdaFunction"
},
"Action": "lambda:InvokeFunction",
"Principal": "apigateway.amazonaws.com",
"SourceArn": {
"Fn::Sub": "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${HttpApi}/*"
}
}
},
"CognitoUserPool": {
"Type": "AWS::Cognito::UserPool",
"Properties": {
"UserPoolName": "userpool",
"AdminCreateUserConfig": {
"AllowAdminCreateUserOnly": true
}
}
},
"CognitoUserPoolClient1": {
"Type": "AWS::Cognito::UserPoolClient",
"DependsOn": "CognitoResourceServer",
"Properties": {
"ClientName": "my-client-1",
"UserPoolId": {
"Ref": "CognitoUserPool"
},
"GenerateSecret": true,
"AllowedOAuthFlows": ["client_credentials"],
"AllowedOAuthFlowsUserPoolClient": true,
"AllowedOAuthScopes": ["my_res_server/read"]
}
},
"CognitoUserPoolClient2": {
"Type": "AWS::Cognito::UserPoolClient",
"DependsOn": "CognitoResourceServer",
"Properties": {
"ClientName": "my-client-2",
"UserPoolId": {
"Ref": "CognitoUserPool"
},
"GenerateSecret": true,
"AllowedOAuthFlows": ["client_credentials"],
"AllowedOAuthFlowsUserPoolClient": true,
"AllowedOAuthScopes": ["my_res_server/read"]
}
},
"CognitoResourceServer": {
"Type": "AWS::Cognito::UserPoolResourceServer",
"Properties": {
"Identifier": "my_res_server",
"Name": "MY-RESOURCE-SERVER",
"UserPoolId": {
"Ref": "CognitoUserPool"
},
"Scopes": [
{
"ScopeName": "read",
"ScopeDescription": "read access"
}
]
}
},
"CognitoUserPoolDomain": {
"Type": "AWS::Cognito::UserPoolDomain",
"Properties": {
"Domain": "my-userpool-domain",
"UserPoolId": {
"Ref": "CognitoUserPool"
}
}
},
"HttpApi": {
"Type": "AWS::ApiGatewayV2::Api",
"Properties": {
"Name": "my-http-api",
"ProtocolType": "HTTP"
}
},
"Authorizer": {
"Type": "AWS::ApiGatewayV2::Authorizer",
"Properties": {
"ApiId": {
"Ref": "HttpApi"
},
"Name": "my-http-api-authorizer",
"AuthorizerType": "JWT",
"IdentitySource": ["$request.header.Authorization"],
"AuthorizerUri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaFunction.Arn}/invocations"
},
"JwtConfiguration": {
"Audience": [
{ "Ref": "CognitoUserPoolClient1" },
{ "Ref": "CognitoUserPoolClient2" }
],
"Issuer": {
"Fn::Sub": "https://cognito-idp.${AWS::Region}.amazonaws.com/${CognitoUserPool}"
}
}
}
},
"HttpApiRoute": {
"Type": "AWS::ApiGatewayV2::Route",
"Properties": {
"ApiId": {
"Ref": "HttpApi"
},
"RouteKey": "POST /{proxy+}",
"AuthorizationType": "JWT",
"AuthorizerId": {
"Ref": "Authorizer"
},
"Target": {
"Fn::Join": [
"/",
[
"integrations",
{
"Ref": "LambdaIntegration"
}
]
]
}
}
},
"HttpApiStage": {
"Type": "AWS::ApiGatewayV2::Stage",
"Properties": {
"ApiId": {
"Ref": "HttpApi"
},
"StageName": "prod",
"AutoDeploy": true
}
}
},
"Outputs": {
"CognitoUserPoolId": {
"Value": {
"Ref": "CognitoUserPool"
}
},
"CognitoUserPoolDomain": {
"Value": {
"Ref": "CognitoUserPoolDomain"
}
},
"TokenEndpoint": {
"Value": {
"Fn::Sub": "https://${CognitoUserPoolDomain}.auth.${AWS::Region}.amazoncognito.com/oauth2/token"
}
},
"HttpApiEndpoint": {
"Value": {
"Fn::Sub": "https://${HttpApi}.execute-api.${AWS::Region}.${AWS::URLSuffix}/prod"
}
}
}
}
- Once the update is completed, check the drift status and notice that the stack is drifted, the Authorizer drift status is MODIFIED. Select 'View drift details' of the Authorizer, it will display like the following image.
The property "AuthorizerUri" is Expected but missing from the Actual box.
Is this a bug or am I doing something wrong?
Thanks,
Malem
Thank you @shibata for the answer. This solves the problem. But as the current value is "-" and the AuthorizerUri would have been ignored at the first run, I still wonder why the drift is not detected right after the stack creation, at this point both the Actual box and the Expected box contain the AuthorizerUri. CloudFormation only detects the drift after the stack update. I would expect that the drift be detected right after the stack creation. Do you agree?