Troy Ready

Announced just earlier this week, AWS CloudFormation has a new feature — drift detection. Traditionally, teams have been able to use templates to define resource configuration, then use the template to launch a CloudFormation stack. In an ideal world, when you need to make a change, you’d update the template. However, more often than not, changes get made directly to the resources, rather than the template, leaving a serious disconnect in your configuration changes. Enter drift detection.

There are a number of great aspects of CloudFormation’s new drift detection feature.

The biggest might be the confidence it enables in stack updates. Every team wants the assurance that updates to production stacks will be applied without collateral damage. Late night hot-fixes applied to an IAM policy can easily be overwritten without warning — the sort of event that damages faith in the principles of Infrastructure as Code. Drift detection eliminates some of that fear.

Compliance reporting is also improved. With drift detection, resource deviations from their approved forms in CloudFormation templates can be detected directly. This expands on existing audit capabilities in tools like AWS Config in an easy-to-use way.
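As an added example (not code from the original post or from AWS), the script below puts the two points above into practice: it triages the records returned by `aws cloudformation describe-stack-resource-drifts` into a compliance-style report and refuses a stack update when a resource was deleted or when an IAM or security-group resource has drifted out of band. The `SENSITIVE_TYPES` set, the helper names and the sample drift records are constructed assumptions, and it presumes `detect-stack-drift` has already completed for the stack.

```python
import json
import subprocess

# Assumption: out-of-band changes to these types block the update outright.
SENSITIVE_TYPES = {"AWS::IAM::Role", "AWS::IAM::Policy", "AWS::EC2::SecurityGroup"}

def fetch_drifts(stack_name):
    """Read drift records via the AWS CLI (needs credentials and a completed detect-stack-drift run)."""
    out = subprocess.check_output(["aws", "cloudformation", "describe-stack-resource-drifts",
                                   "--stack-name", stack_name, "--output", "json"])
    return json.loads(out)["StackResourceDrifts"]

def triage(drifts):
    """Return (blocking, warnings); each entry is (id, type, status, diff strings). IN_SYNC is skipped."""
    blocking, warnings = [], []
    for d in drifts:
        status = d["StackResourceDriftStatus"]
        if status == "IN_SYNC":
            continue
        diffs = [f"{p['PropertyPath']} {p['DifferenceType']}: "
                 f"{p.get('ExpectedValue')} -> {p.get('ActualValue')}"
                 for p in d.get("PropertyDifferences", [])]
        entry = (d["LogicalResourceId"], d["ResourceType"], status, diffs)
        # A deleted resource, or any drift in an IAM/security-group resource, is a hard stop.
        if status == "DELETED" or d["ResourceType"] in SENSITIVE_TYPES:
            blocking.append(entry)
        else:
            warnings.append(entry)
    return blocking, warnings

def safe_to_update(drifts):
    """True only when no blocking drift exists; warnings are reported, not fatal."""
    return not triage(drifts)[0]

# Constructed sample shaped like describe-stack-resource-drifts output (not real data).
SAMPLE_DRIFTS = [
    {"LogicalResourceId": "AppRole", "ResourceType": "AWS::IAM::Role",
     "StackResourceDriftStatus": "MODIFIED", "PropertyDifferences": [
         {"PropertyPath": "/Policies/0/PolicyDocument/Statement/0/Action", "DifferenceType":
          "NOT_EQUAL", "ExpectedValue": "s3:GetObject", "ActualValue": "s3:*"}]},
    {"LogicalResourceId": "LogBucket", "ResourceType": "AWS::S3::Bucket",
     "StackResourceDriftStatus": "IN_SYNC", "PropertyDifferences": []},
    {"LogicalResourceId": "QueueAlarm", "ResourceType": "AWS::CloudWatch::Alarm",
     "StackResourceDriftStatus": "MODIFIED", "PropertyDifferences": [{"PropertyPath":
         "/Threshold", "DifferenceType": "NOT_EQUAL", "ExpectedValue": "100", "ActualValue": "500"}]},
]

if __name__ == "__main__":  # exit non-zero so a CI step can stop the update-stack call
    raise SystemExit(0 if safe_to_update(SAMPLE_DRIFTS) else 1)
```

Swap `SAMPLE_DRIFTS` for `fetch_drifts("my-stack")` to run it against a real stack; the alarm threshold change is only warned about, while the widened IAM action blocks.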

As is the case with all CloudFormation use, any tool is only as good as the resources and properties that it supports. The broad number of services (like EC2 Security Groups and IAM Roles) available at launch are promising, and we look forward to more being added.

