search

aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International
1.11k stars 56 forks source link

CloudFormation reports incorrect drift for AWS::ECS::TaskDefinition which have EFSVolumeConfiguration #1283

Open MarkCBell opened 2 years ago

MarkCBell commented 2 years ago

Name of the resource

AWS::ECS::TaskDefinition

Resource Name

No response

Issue Description

Stacks that contain an AWS::ECS::TaskDefinition that have a Volume with an EFSVolumeConfiguration are always reported as drifted even when they have deployed correctly.

Expected Behavior

When performing drift detection on an AWS::ECS::TaskDefinition, the deployed resource's EFSVolumeConfiguration should be only be reported as drifted if it does not match the template.

Observed Behavior

When performing drift detection on an AWS::ECS::TaskDefinition, it's "actual" EFSVolumeConfiguration is always reported as null regardless of what has actually been deployed. Therefore, if the template defines an EFSVolumeConfiguration then this results in the stack being incorrectly reported as drifted even if the resource has been successfully deployed matching the template.

Test Cases

Deploy a stack from the following CloudFormation template:

AWSTemplateFormatVersion: "2010-09-09"

Resources:
  EFSFileSystem:
    Type: AWS::EFS::FileSystem

  ECSTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Name: TestContainer
          Image: helloworld
      Memory: 1024
      Volumes:
        - Name: efs_fs
          EFSVolumeConfiguration:
            FilesystemId: !Ref EFSFileSystem

Now run a drift detection and note that the ECSTaskDefinition is listed as "Modified" with the drift details showing that a Volumes.0.EFSVolumeConfiguration property was expected but was not found on the resources (even though it really is present). Note that similar effects are seen for all other EFSVolumeConfiguration volume properties (e.g. TransitEncryption: ENABLED).

Other Details

No response

r-heimann commented 1 year ago

I can confirm this false-positive drift of AWS::ECS::TaskDefinition that have a Volume with an EFSVolumeConfiguration:

Property Change Expected value Current value
Volumes.0.EFSVolumeConfiguration REMOVE {"FilesystemId":"fs-XXXXXXXXXX","TransitEncryption":"ENABLED"} -
greg5123334 commented 1 year ago

Confirmed here too.

        file_system = efs.FileSystem(self, "MyEfsFileSystem",
                                     vpc=vpc,
                                     lifecycle_policy=efs.LifecyclePolicy.AFTER_14_DAYS,
                                     # files are not transitioned to infrequent access (IA) storage by default
                                     performance_mode=efs.PerformanceMode.GENERAL_PURPOSE,  # default
                                     out_of_infrequent_access_policy=efs.OutOfInfrequentAccessPolicy.AFTER_1_ACCESS,
                                     removal_policy=RemovalPolicy.DESTROY,
                                     )
        volume_one = ecs.Volume(
            name='SeaDrive',
            efs_volume_configuration=ecs.EfsVolumeConfiguration(
                file_system_id=file_system.file_system_id, )
        )

        task_def = ecs.FargateTaskDefinition(self, "TaskDef",
                                             memory_limit_mib=512,
                                             cpu=256,
                                             volumes=[volume_one],
                                             )

Expected:

{
  "ContainerDefinitions": [
    {
      "Essential": true,
      "Image": "amazon/amazon-ecs-sample",
      "LogConfiguration": {
        "LogDriver": "awslogs",
        "Options": {
          "awslogs-group": "EcsStack-LogGroupF5B46931-kTlBIimGGd5b",
          "awslogs-region": "eu-central-1",
          "awslogs-stream-prefix": "EventDemo",
          "mode": "non-blocking"
        }
      },
      "Name": "ContainerDef",
      "PortMappings": [
        {
          "ContainerPort": 7600,
          "Protocol": "tcp"
        }
      ]
    }
  ],
  "Cpu": 256,
  "ExecutionRoleArn": "arn:aws:iam::00000000:role/EcsStack-TaskDefExecutionRoleB4775C97-14U5IOXNDS6HA",
  "Family": "EcsStackTaskDefF4279AC8",
  "Memory": 512,
  "NetworkMode": "awsvpc",
  "RequiresCompatibilities": [
    "FARGATE"
  ],
  "TaskRoleArn": "arn:aws:iam::000000000000:role/EcsStack-TaskDefTaskRole1EDB4A67-1FI4C8XLU5O8U",
  "Volumes": [
    {
      "EFSVolumeConfiguration": {
        "FilesystemId": "fs-xxxxxxx"
      },
      "Name": "SeaDrive"
    }
  ]
}

Actual:

{
  "ContainerDefinitions": [
    {
      "Essential": true,
      "Image": "amazon/amazon-ecs-sample",
      "LogConfiguration": {
        "LogDriver": "awslogs",
        "Options": {
          "awslogs-group": "EcsStack-LogGroupF5B46931-kTlBIimGGd5b",
          "awslogs-region": "eu-central-1",
          "awslogs-stream-prefix": "EventDemo",
          "mode": "non-blocking"
        }
      },
      "Name": "ContainerDef",
      "PortMappings": [
        {
          "ContainerPort": 7600,
          "Protocol": "tcp"
        }
      ]
    }
  ],
  "Cpu": 256,
  "ExecutionRoleArn": "arn:aws:iam::00000:role/EcsStack-TaskDefExecutionRoleB4775C97-14U5IOXNDS6HA",
  "Family": "EcsStackTaskDefF4279AC8",
  "Memory": 512,
  "NetworkMode": "awsvpc",
  "RequiresCompatibilities": [
    "FARGATE"
  ],
  "TaskRoleArn": "arn:aws:iam::00000:role/EcsStack-TaskDefTaskRole1EDB4A67-1FI4C8XLU5O8U",
  "Volumes": [
    {
      "Name": "SeaDrive"
    }
  ]
}
r-heimann commented 6 months ago

I believe this issue has been fixed, no false-positive drift here anymore.