Issue Description
The issue is related to incorrect drift detection on the resource AWS::Config::ConfigRule.
Two issues were identified and are described in detail below:
1. When a ConfigRule that uses the "InputParameters" property is created via CloudFormation, the resource is marked as MODIFIED immediately after creation, with no out-of-band changes having been made.
2. The same resource has a second issue related to its "Source", which also causes the resource to be marked as MODIFIED. Clicking "Edit" on the rule and saving it with no changes creates a new source entry as below, which causes the drift to be detected:
Expected Behavior
For the first issue, the resource's describe call, which is used during drift detection, would need to be fixed so that InputParameters is included in the response. Otherwise, CloudFormation would need to find another way to retrieve the actual InputParameters.
As far as the second issue is concerned, from the CloudFormation point of view this appears to be a warranted drift, since an additional source entry is actually present. However, this too should be followed up with the concerned team so that it can be fixed.
Observed Behavior
The resource is shown as MODIFIED, which misleads customers into thinking an out-of-band change was made.
Test Cases
Steps to replicate:
Create a sample config rule with the following template to replicate the 1st issue:
```yaml
Resources:
  PermissionToCallLambdaIAMPolicyBlacklisted:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: functionarn
      Action: lambda:InvokeFunction
      Principal: config.amazonaws.com
  MyRule:
    Type: 'AWS::Config::ConfigRule'
    # The rule must not be created before Config has permission to invoke the Lambda
    DependsOn: PermissionToCallLambdaIAMPolicyBlacklisted
    Properties:
      ConfigRuleName: myconfigrule1
      Description: Checks that an IAM resource do not contain blacklisted policy content.
      Scope:
        ComplianceResourceTypes:
          - 'AWS::IAM::User'
          - 'AWS::IAM::Group'
          - 'AWS::IAM::Role'
      Source:
        Owner: CUSTOM_LAMBDA
        SourceDetails:
          - EventSource: aws.config
            MessageType: ConfigurationItemChangeNotification
        SourceIdentifier: <arn of lambda>
```
-> Detect drift after successful stack creation and confirm the stack is IN_SYNC.
-> Navigate to the Config rule console, click "Edit", change nothing and click "Save".
-> Detect drift once again; the config rule resource is now marked as drifted, showing the added source entry.
For the second issue, the same template can be used, but with the "InputParameters" property included.
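The following triage helper is an added example, not code from this report or from CloudFormation. It compares the ConfigRule properties declared in the template above with the shape of a DescribeConfigRules response (the describe call drift detection relies on) and labels each property so that the two spurious cases described here (InputParameters missing from the describe output; a SourceDetails entry repeated after a console Edit/Save) can be told apart from a genuine out-of-band change. The describe responses are constructed sample data, the Lambda ARN and the InputParameters value are placeholders, and the status labels are this example's own, not CloudFormation's drift status values.

```python
"""Drift-triage helper for AWS::Config::ConfigRule (added example, constructed data)."""
import copy
import json
from typing import Any

# Properties declared for MyRule in the template above. The Lambda ARN and the
# InputParameters value are placeholders, not values taken from the report.
TEMPLATE_PROPERTIES: dict[str, Any] = {
    "ConfigRuleName": "myconfigrule1",
    "Description": "Checks that an IAM resource do not contain blacklisted policy content.",
    "Scope": {"ComplianceResourceTypes": ["AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role"]},
    "Source": {
        "Owner": "CUSTOM_LAMBDA",
        "SourceIdentifier": "arn:aws:lambda:us-east-1:111122223333:function:placeholder",
        "SourceDetails": [
            {"EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification"},
        ],
    },
    "InputParameters": {"maxAccessKeyAge": "90"},
}


def _describe_response(**changes: Any) -> dict[str, Any]:
    """Build a constructed DescribeConfigRules-style entry from the template and
    apply top-level overrides (a value of None removes the key)."""
    rule = copy.deepcopy(TEMPLATE_PROPERTIES)
    rule["InputParameters"] = json.dumps(rule["InputParameters"])  # the API returns a JSON string
    for key, value in changes.items():
        if value is None:
            rule.pop(key, None)
        else:
            rule[key] = value
    return rule


# Constructed sample 1 (first issue): InputParameters absent from the describe output.
LIVE_MISSING_INPUT_PARAMETERS = _describe_response(InputParameters=None)

# Constructed sample 2 (second issue): console Edit + Save repeated the SourceDetails entry.
_dup_source = copy.deepcopy(TEMPLATE_PROPERTIES["Source"])
_dup_source["SourceDetails"].append(copy.deepcopy(_dup_source["SourceDetails"][0]))
LIVE_DUPLICATE_SOURCE_DETAILS = _describe_response(Source=_dup_source)

# Constructed sample 3 (a genuine out-of-band change): the rule now targets another Lambda.
_changed_source = copy.deepcopy(TEMPLATE_PROPERTIES["Source"])
_changed_source["SourceIdentifier"] = "arn:aws:lambda:us-east-1:111122223333:function:other"
LIVE_REAL_CHANGE = _describe_response(Source=_changed_source)


def _normalize_input_parameters(value: Any) -> Any:
    """CloudFormation accepts InputParameters as a JSON object, the API returns a
    JSON string; compare both as parsed objects so encoding alone is not drift."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            return value
    return value


def _canonical_source_details(details: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Order-independent, duplicate-free view of the SourceDetails entries."""
    unique = [d for i, d in enumerate(details) if d not in details[:i]]
    return sorted(unique, key=lambda d: json.dumps(d, sort_keys=True))


def triage_config_rule_drift(template_props: dict[str, Any], live_props: dict[str, Any]) -> dict[str, str]:
    """Label each declared property: IN_SYNC, MODIFIED, NOT_REPORTED_BY_DESCRIBE
    (describe output lacks the key, so no conclusion is possible) or
    EQUIVALENT_SOURCE_DETAILS (same entries, only repeated or reordered)."""
    report: dict[str, str] = {}
    for name, expected in template_props.items():
        if name not in live_props:
            report[name] = "NOT_REPORTED_BY_DESCRIBE"
            continue
        actual = live_props[name]
        if name == "InputParameters":
            same = _normalize_input_parameters(expected) == _normalize_input_parameters(actual)
            report[name] = "IN_SYNC" if same else "MODIFIED"
        elif name == "Source":
            exp_details, act_details = expected.get("SourceDetails", []), actual.get("SourceDetails", [])
            exp_rest = {k: v for k, v in expected.items() if k != "SourceDetails"}
            act_rest = {k: v for k, v in actual.items() if k != "SourceDetails"}
            if exp_rest != act_rest or _canonical_source_details(exp_details) != _canonical_source_details(act_details):
                report[name] = "MODIFIED"
            elif exp_details != act_details:
                report[name] = "EQUIVALENT_SOURCE_DETAILS"
            else:
                report[name] = "IN_SYNC"
        else:
            report[name] = "IN_SYNC" if expected == actual else "MODIFIED"
    return report


def has_real_drift(report: dict[str, str]) -> bool:
    """Only a MODIFIED property is evidence of an actual out-of-band change."""
    return any(status == "MODIFIED" for status in report.values())


if __name__ == "__main__":
    for label, live in [("missing InputParameters", LIVE_MISSING_INPUT_PARAMETERS),
                        ("duplicated SourceDetails", LIVE_DUPLICATE_SOURCE_DETAILS),
                        ("changed Lambda", LIVE_REAL_CHANGE)]:
        result = triage_config_rule_drift(TEMPLATE_PROPERTIES, live)
        print(f"{label}: real drift = {has_real_drift(result)} {result}")
```

Against a live account, `live_props` would come from `boto3.client("config").describe_config_rules(ConfigRuleNames=["myconfigrule1"])["ConfigRules"][0]`. A NOT_REPORTED_BY_DESCRIBE or EQUIVALENT_SOURCE_DETAILS label means the MODIFIED drift status should be confirmed in the Config console before anyone acts on it; only MODIFIED here warrants treating the rule as tampered with.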
Name of the resource: AWS::Config::ConfigRule