CloudFormation Stack Status Showing drifted after we trigger an update to it

0

Hello, I need your help to find out the potential reason why my CloudFormation stack shows as drifted if I try to trigger an update on the CloudFormation template. Basically I have a CloudFormation template which is configuring a few AWS services like a Lambda function, API Gateway, DynamoDB and a Cognito user pool client. So what I am trying to do is create a new user pool client and add that client to the API Gateway as a trigger to the Lambda function, but with this update my CloudFormation stack starts showing drifted?

As per my understanding, after the update the CloudFormation template and resources should be aligned and it should not show drifted status?

Can someone help to fix and identify the issue over here?

Thanks

Template after update -

    "Authorizer": {
        "Type": "AWS::ApiGatewayV2::Authorizer",
        "Properties": {
            "ApiId": { "Ref": "HttpApi" },
            "Name": { "Fn::Sub": "ABC-${StackName}" },
            "AuthorizerType": "JWT",
            "IdentitySource": ["$request.header.Authorization"],
            "AuthorizerUri": { "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaFunction.Arn}/invocations" },
            "JwtConfiguration": {
                "Audience": [
                    { "Ref": "CognitoUserPoolClient8adb06df1504462ba54116be1d33f30a" },
                    { "Ref": "CognitoUserPoolClient7977a5a1837c41c9866d5ed814d14670" }
                ],
                "Issuer": { "Fn::Sub": "https://cognito-idp.${AWS::Region}.amazonaws.com/${CognitoUserPool}" }
            }
        }
    },

[Screenshots: CloudFormation stack drift status; resource drift details]

Regards, Shubhanshu

  • Hi, can someone help me on this?

asked 2 months ago · 183 views
1 Answer
0

Updating the template will compare the deployed version with the new template and update what has changed between template versions. It won't automatically correct drifted configurations back to what is defined in the template. There are basically 2 ways to correct the drift. The first is to modify the drifted resources back to what is defined in the template. This doesn't require a stack update; you can simply rerun drift detection again after modifying the resources. The second way is to modify the template to match the drifted configuration. This won't change the drifted resources (as they already match the template), but it can cause some other resources to be updated/replaced if they depend on the drifted ones. I would recommend using the first method, as it would get you back to the original configuration before the drift, and then it would be more predictable to continue updating the stack.

Here are the instructions on how to find what has actually drifted: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/detect-drift-stack.html

EXPERT
Kallu
answered 2 months ago
  • Hello Kallu, actually the state of the deployed version of CloudFormation and the current CloudFormation template is the same. Still it shows us drifted. That's our concern. Could you please help us here?

    Thanks

  • If you rerun the drift detection for the stack and check where the drift is reported using the instructions from the above URL, it should point you to what the resource(s) and attributes are.

  • Hello, we ran it a couple of times; although the resource status and the template status are aligned, it still shows drifted. I will explain our use case. Basically we were creating a user pool client and using that user pool client as an authorizer to one of the API Gateways which we have created. Then on update we are trying to add one more client and add that client as an authorizer to that API. As we added the new client in the template body, which added a new authorizer to the API Gateway, after that it starts showing drifted. Sharing the template body and a screenshot from the AWS account in the question itself. Please check.

  • Ok, we are getting closer... if you now check the radio button next to "Authorizer" and then click the "View drift details" button, it should show you what parameters have drifted.

  • Hello Kallu, I have checked it by clicking "View drift details" and the difference I found is for AuthorizerUri, but in the updated template the AuthorizerUri is also there, and it is also there in the gateway. Not sure why it is showing as deleted.

    Attached the screenshot in the question. Could you please check? Thanks
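An added example, not code from the thread or from AWS, that triages the drift discussed above offline. It lints a template for the pattern in the question (an AWS::ApiGatewayV2::Authorizer with AuthorizerType JWT that also declares AuthorizerUri; the AWS documentation lists AuthorizerUri as supported only for REQUEST authorizers, which matches the property being reported as deleted) and condenses a DescribeStackResourceDrifts response into a short list. The template fragment, the client logical IDs and the drift payload are constructed samples shaped like the ones in the question.

```python
import json

# Constructed template fragment shaped like the question's Authorizer (not the poster's full template).
TEMPLATE = json.loads(r'''{
  "Resources": {
    "Authorizer": {
      "Type": "AWS::ApiGatewayV2::Authorizer",
      "Properties": {
        "ApiId": {"Ref": "HttpApi"},
        "AuthorizerType": "JWT",
        "IdentitySource": ["$request.header.Authorization"],
        "AuthorizerUri": {"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaFunction.Arn}/invocations"},
        "JwtConfiguration": {"Audience": [{"Ref": "ClientA"}, {"Ref": "ClientB"}],
                             "Issuer": {"Fn::Sub": "https://cognito-idp.${AWS::Region}.amazonaws.com/${CognitoUserPool}"}}
      }
    }
  }
}''')

# Constructed sample of the StackResourceDrifts list returned by
# cloudformation:DescribeStackResourceDrifts (field names as boto3 returns them).
DRIFTS = [{
    "LogicalResourceId": "Authorizer",
    "ResourceType": "AWS::ApiGatewayV2::Authorizer",
    "StackResourceDriftStatus": "MODIFIED",
    "PropertyDifferences": [{
        "PropertyPath": "/AuthorizerUri",
        "ExpectedValue": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/<lambda-arn-placeholder>/invocations",
        "DifferenceType": "REMOVE",
    }],
}]

def lint_authorizers(template):
    """Logical IDs of AWS::ApiGatewayV2::Authorizer resources that declare AuthorizerUri
    with AuthorizerType JWT. AuthorizerUri is only supported on REQUEST authorizers, so
    the live resource does not carry it and drift detection reports the property as REMOVE."""
    flagged = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if (res.get("Type") == "AWS::ApiGatewayV2::Authorizer"
                and props.get("AuthorizerType") == "JWT" and "AuthorizerUri" in props):
            flagged.append(logical_id)
    return flagged

def summarize_drift(drifts):
    """(logical_id, property_path, difference_type) for each reported property
    difference on resources whose drift status is not IN_SYNC."""
    return [(d["LogicalResourceId"], p["PropertyPath"], p["DifferenceType"])
            for d in drifts if d.get("StackResourceDriftStatus") != "IN_SYNC"
            for p in d.get("PropertyDifferences", [])]
```

Removing AuthorizerUri from the JWT authorizer makes the lint pass and, after a stack update and a fresh drift detection run, removes the one difference this sample reports.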
