I've created a blank IAM::Role to check if drift detection works:
Resources:
  BlankRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${EnvType}-dp-blank-role'
      Description: "Blank role to check if drift would be detected"
      MaxSessionDuration: 3600
      Path: "/"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {'Service': ['glue.amazonaws.com']}
            Action: ['sts:AssumeRole']
After the stack was created I made two manual changes, adding two policies under Permissions:
AWS managed - AWSGlueServiceRole
Customer managed - created automatically with one of the services
After that I waited a minute and triggered drift detection.
I did this for resource detection and stack detection (both in the console), and I tried it through the CLI as well.
Nothing works, and CloudFormation does not see the differences.
If I make a change to a component that exists in the original Role template (i.e. ManagedPolicies: add a new one), then sometimes drift is shown. This fooled me into thinking it actually works.
I don't see why CloudFormation is considered a good tool if I cannot control consistency between planned resources and current resources.
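The behaviour described above follows from how drift detection works: CloudFormation only compares property values that the template explicitly sets, so a role whose template has no ManagedPolicyArns (the CloudFormation name for the attached managed policies) gives it nothing to compare when policies are attached by hand. The script below is an added example, not code from the post or from AWS. It runs the stack's drift detection through boto3 and, separately, diffs the live role against the template's declared properties and lists attachments the template never declared. The stack name, the account id 123456789012, the customer-managed policy name and the sample role snapshot are constructed for the example; the template properties are copied from the post.

```python
"""Supplementary out-of-band change check for a CloudFormation-managed IAM role."""
import time

# Properties copied from the BlankRole template in the post. ManagedPolicyArns is
# deliberately absent, mirroring the original template.
TEMPLATE_ROLE_PROPERTIES = {
    "Description": "Blank role to check if drift would be detected",
    "MaxSessionDuration": 3600,
    "Path": "/",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": ["glue.amazonaws.com"]},
                       "Action": ["sts:AssumeRole"]}],
    },
}

# Constructed sample of what iam.get_role()["Role"] returns after the two manual
# attachments from the post. IAM condenses one-element lists to scalars, and the
# account id and customer-managed policy name are made up for this example.
SAMPLE_LIVE_ROLE = {
    "RoleName": "dev-dp-blank-role",
    "Path": "/",
    "Description": "Blank role to check if drift would be detected",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "glue.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
}
SAMPLE_ATTACHED_ARNS = [
    "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole",
    "arn:aws:iam::123456789012:policy/AWSGlueServiceRole-dp-auto-created",
]


def _normalize(value):
    """Collapse one-element lists so IAM's condensed policy form equals the template's."""
    if isinstance(value, dict):
        return {k: _normalize(v) for k, v in value.items()}
    if isinstance(value, list):
        items = [_normalize(v) for v in value]
        return items[0] if len(items) == 1 else items
    return value


def compare_role(template_props, live_role, live_attached_policy_arns):
    """Diff declared properties, then list attachments the template does not declare.

    Returns {"declared_drift": {prop: {"expected", "actual"}}, "undeclared_attachments": [arn]}.
    """
    report = {"declared_drift": {}, "undeclared_attachments": []}
    for key, expected in template_props.items():
        actual = live_role.get(key)
        if _normalize(actual) != _normalize(expected):
            report["declared_drift"][key] = {"expected": expected, "actual": actual}
    declared_arns = set(template_props.get("ManagedPolicyArns", []))
    report["undeclared_attachments"] = sorted(set(live_attached_policy_arns) - declared_arns)
    return report


def run_drift_detection(stack_name, region=None, poll_seconds=5):
    """Trigger CloudFormation drift detection and wait for it; needs AWS credentials."""
    import boto3  # imported here so the pure functions above work without boto3
    cfn = boto3.client("cloudformation", region_name=region)
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    while True:
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            break
        time.sleep(poll_seconds)
    drifts = cfn.describe_stack_resource_drifts(StackName=stack_name)["StackResourceDrifts"]
    return status.get("StackDriftStatus"), drifts


def live_role_snapshot(role_name, region=None):
    """Fetch the live role and every attached managed policy ARN (paginated)."""
    import boto3
    iam = boto3.client("iam", region_name=region)
    role = iam.get_role(RoleName=role_name)["Role"]
    arns = [p["PolicyArn"]
            for page in iam.get_paginator("list_attached_role_policies").paginate(RoleName=role_name)
            for p in page["AttachedPolicies"]]
    return role, arns


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in run_drift_detection("dev-dp-stack")
    # and live_role_snapshot("dev-dp-blank-role") against a real account.
    report = compare_role(TEMPLATE_ROLE_PROPERTIES, SAMPLE_LIVE_ROLE, SAMPLE_ATTACHED_ARNS)
    print("CloudFormation-visible drift:", report["declared_drift"])
    print("Attachments the template never declared:", report["undeclared_attachments"])
```

On the sample, `declared_drift` is empty, which is exactly what the stack-level drift detection reports, while `undeclared_attachments` carries both manually attached policies. The practical fix on the template side is to declare `ManagedPolicyArns: []` (or the intended list) so the property becomes an explicitly set value that drift detection will compare.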
Agreed with Riku: not all features in all services support drift detection by CFN. You have to check the list he points to in order to find out which ones in your config are supported.