Skip to content
master
Go to file
Code

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
Jul 14, 2020
Jul 14, 2020
Jul 15, 2020

README.md

CloudFormation Remediate Drift

The following script will programmatically perform the following steps:

  • Check for drifted resources
  • Using CloudFormation outputs, extract any references to resources that have drifted and replace the references with the dereferenced values temporarily
  • Remove any supported drifted resources from the stack, whilst retaining the resource
  • Import the resources with their current state back into the stack
  • Perform an update on the stack back to its original template, effectively remediating the resources

This script is not thoroughly tested and you should attempt to use this on a non-critical resource before real-world usage as some resources refuse to re-import for a variety of reasons. I am not responsible for your data loss.

Usage

python3 index.py MyStackName

or to specify a region

python3 index.py MyStackName us-east-1

Supported Resources

The following resources are supported for import operations (other resources will be ignored, even if drift is detected):

  • AWS::ACMPCA::Certificate
  • AWS::ACMPCA::CertificateAuthority
  • AWS::ACMPCA::CertificateAuthorityActivation
  • AWS::AccessAnalyzer::Analyzer
  • AWS::ApiGateway::Authorizer
  • AWS::ApiGateway::Deployment
  • AWS::ApiGateway::Method
  • AWS::ApiGateway::Model
  • AWS::ApiGateway::RequestValidator
  • AWS::ApiGateway::Resource
  • AWS::ApiGateway::RestApi
  • AWS::ApiGateway::Stage
  • AWS::Athena::DataCatalog
  • AWS::Athena::NamedQuery
  • AWS::Athena::WorkGroup
  • AWS::AutoScaling::AutoScalingGroup
  • AWS::AutoScaling::LaunchConfiguration
  • AWS::AutoScaling::LifecycleHook
  • AWS::AutoScaling::ScalingPolicy
  • AWS::AutoScaling::ScheduledAction
  • AWS::CE::CostCategory
  • AWS::Cassandra::Keyspace
  • AWS::Cassandra::Table
  • AWS::Chatbot::SlackChannelConfiguration
  • AWS::CloudFormation::Stack
  • AWS::CloudTrail::Trail
  • AWS::CloudWatch::Alarm
  • AWS::CloudWatch::CompositeAlarm
  • AWS::CodeGuruProfiler::ProfilingGroup
  • AWS::CodeStarConnections::Connection
  • AWS::Config::ConformancePack
  • AWS::Config::OrganizationConformancePack
  • AWS::Detective::Graph
  • AWS::Detective::MemberInvitation
  • AWS::DynamoDB::Table
  • AWS::EC2::EIP
  • AWS::EC2::FlowLog
  • AWS::EC2::GatewayRouteTableAssociation
  • AWS::EC2::Instance
  • AWS::EC2::InternetGateway
  • AWS::EC2::LocalGatewayRoute
  • AWS::EC2::LocalGatewayRouteTableVPCAssociation
  • AWS::EC2::NatGateway
  • AWS::EC2::NetworkAcl
  • AWS::EC2::NetworkInterface
  • AWS::EC2::PrefixList
  • AWS::EC2::RouteTable
  • AWS::EC2::SecurityGroup
  • AWS::EC2::Subnet
  • AWS::EC2::VPC
  • AWS::EC2::Volume
  • AWS::ECS::CapacityProvider
  • AWS::ECS::Cluster
  • AWS::ECS::PrimaryTaskSet
  • AWS::ECS::Service
  • AWS::ECS::TaskDefinition
  • AWS::ECS::TaskSet
  • AWS::EFS::AccessPoint
  • AWS::EFS::FileSystem
  • AWS::ElasticLoadBalancing::LoadBalancer
  • AWS::ElasticLoadBalancingV2::Listener
  • AWS::ElasticLoadBalancingV2::ListenerRule
  • AWS::ElasticLoadBalancingV2::LoadBalancer
  • AWS::EventSchemas::RegistryPolicy
  • AWS::Events::Rule
  • AWS::FMS::NotificationChannel
  • AWS::FMS::Policy
  • AWS::GlobalAccelerator::Accelerator
  • AWS::GlobalAccelerator::EndpointGroup
  • AWS::GlobalAccelerator::Listener
  • AWS::ImageBuilder::Component
  • AWS::ImageBuilder::DistributionConfiguration
  • AWS::ImageBuilder::Image
  • AWS::ImageBuilder::ImagePipeline
  • AWS::ImageBuilder::ImageRecipe
  • AWS::ImageBuilder::InfrastructureConfiguration
  • AWS::IoT::ProvisioningTemplate
  • AWS::IoT::Thing
  • AWS::KinesisFirehose::DeliveryStream
  • AWS::Lambda::Alias
  • AWS::Lambda::Function
  • AWS::Lambda::Version
  • AWS::Logs::LogGroup
  • AWS::Logs::MetricFilter
  • AWS::Logs::SubscriptionFilter
  • AWS::Macie::CustomDataIdentifier
  • AWS::Macie::FindingsFilter
  • AWS::Macie::Session
  • AWS::NetworkManager::CustomerGatewayAssociation
  • AWS::NetworkManager::Device
  • AWS::NetworkManager::GlobalNetwork
  • AWS::NetworkManager::Link
  • AWS::NetworkManager::LinkAssociation
  • AWS::NetworkManager::Site
  • AWS::NetworkManager::TransitGatewayRegistration
  • AWS::QLDB::Stream
  • AWS::RDS::DBCluster
  • AWS::RDS::DBInstance
  • AWS::RDS::DBProxy
  • AWS::RDS::DBProxyTargetGroup
  • AWS::ResourceGroups::Group
  • AWS::Route53::HostedZone
  • AWS::S3::AccessPoint
  • AWS::S3::Bucket
  • AWS::SES::ConfigurationSet
  • AWS::SNS::Topic
  • AWS::SQS::Queue
  • AWS::SSM::Association
  • AWS::ServiceCatalog::CloudFormationProvisionedProduct
  • AWS::Synthetics::Canary
  • AWS::WAFv2::IPSet
  • AWS::WAFv2::RegexPatternSet
  • AWS::WAFv2::RuleGroup
  • AWS::WAFv2::WebACL
  • AWS::WAFv2::WebACLAssociation
  • AWS::IAM::Group
  • AWS::IAM::InstanceProfile
  • AWS::IAM::Role
  • AWS::IAM::User
  • AWS::IAM::ManagedPolicy

Known Issues

  • Templates with a high amount of drifted resources may cause an error regarding too many outputs
  • Drifted resources referenced within a Fn::Sub string may cause the process to fail

About

Automated CloudFormation drift remediation using Import functionality

Topics

Resources

License

Languages

You can’t perform that action at this time.