Skip to content

fireflycons/aws-nested-changeset-bug

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits

LICENSE

LICENSE

 
 

README.md

README.md

 
 

root-stack.yaml

root-stack.yaml

 
 

security-group.yaml

security-group.yaml

 
 

vpc.yaml

vpc.yaml

 
 

Repository files navigation

Nested Changeset Bug

Around the time of re:Invent 2020, AWS introduced a new feature to generate changesets across a group of nested stacks. This was of particular interest to me as at the time I was working at an organisation that has a lot of nested stacks.

However, when I first tried it out, I came across a nasty bug which I duly reported via the organsiation's enterprise support plan. This repo contains the CloudFormation submitted to AWS support that reproduces this bug. The bug was acknowledged and a fix estimate given for March 2021.

Update: July 2021. This bug is still not fixed. Come on guys!

If you would like to see for yourself whether or not the bug is fixed, give this a go!

Steps to Reproduce

  1. Package and deploy the stack, setting the DeployRule parameter to 0
  2. From the CloudFormation Console, select Create Changeset against the root stack, using current template
  3. Set the DeployRule parameter value to 1
  4. Ensure "Change sets for nested stacks" is selected
  5. Create the changeset

Now examine the changesets created across the nested stacks. You will observe the following

  1. The root stack shows that SecurityGroupStack will be changed
  2. Click through to the SecurityGroupStack changeset
  3. Observe that the security group will be REPLACED (should not be)
  4. Check the JSON changes. Observe that the change reason is parameter VpcId
  5. Now go to the VPC nested stack and note that changeset is failed due to "The submitted information didn't contain changes."

If we now go ahead and execute this changeset, then the correct update happens. The new rule is added and the security group is NOT replaced.

Imagine my surprise when I tried this on a stack with a dozen nested stacks, each with many resources depending on the VpcId from a VPC stack that was unchanged. I saw 100+ resources across these stacks that were all claiming that they needed REPLACEMENT due to a perceived change in VpcId

Reproduction using PSCloudFormation

If you have my PSCloudFormation (v4.1.6.6 or higher), it is super-simple to deploy this stack

New-PSCFNStack -StackName nested-changeset-bug -TemplateLocation .\root-stack.yaml -DeployRule 0
New-PSCFNChangeSet -StackName nested-changeset-bug -UsePreviousTemplate -IncludeNestedStacks -ShowInBrowser -DeployRule 1

About

Reproduction of bug in AWS Nested Changeset feature

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published