By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

CloudFormation detect drift for IAM:Role does not detect manual change

0

I've created blank IAM:Role to check if drift detection works:

Resources:
  BlankRole:
    Type: AWS::IAM::Role
    Properties:
        RoleName: !Sub '${EnvType}-dp-blank-role'
        Description: "Blank role to check if drift would be detected"
        MaxSessionDuration: 3600
        Path: "/"
        AssumeRolePolicyDocument:
          Version: '2012-10-17'               
          Statement:
            - Effect: Allow
              Principal: {'Service': ['glue.amazonaws.com']}
              Action: ['sts:AssumeRole']

After stack was created I've made two manual changes adding in Permissions two policies: AWS managed - AWSGlueServiceRole Customer managed created automatically with one of the services

After that I've waited a minute and I've triggered drift detection. I was doing in for Resource detection, Stact detection (both in Console) and I tried this as well through CLI. Nothing works and CloudFormation does not see differences.

Topics
Management & Governance
Tags
AWS CloudFormation
Language
English
Meras
asked 7 months ago218 views
1 Answer
0
Accepted Answer

Hello.

The following document shows that "AWS::IAM::Role" does not support drift detection.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-supported-resources.html

profile picture
EXPERT
Riku_Kobayashi
answered 7 months ago
profile pictureAWS
EXPERT
Didier_Durand
reviewed 7 months ago
  • Meras
    7 months ago

    If I will make change in component which exists in original Role template (i.e. ManagedPolicies - add new one) then some times Drift is shown. This fools me that it's actually works.

    I don't see why CloudFormation is considered as good tool If I cannot control consistency between planned resources and current resources.

  • Didier_Durand EXPERT
    7 months ago

    Agreed with Riku: not all features in all services support drift detection by CFN. You have to check the list that he points to to define which ones in your config are supported.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content