aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

(AWS::EC2::LaunchTemplate) "Smart" drift detection #2001

Open FarrOut opened 2 months ago

FarrOut commented 2 months ago

Name of the resource

AWS::EC2::LaunchTemplate

Resource name

No response

Description

CloudFormation drift detection is reporting AWS::EC2::LaunchTemplate as IN_SYNC, despite it having been modified directly by out-of-band changes.

For the full discussion and my replication, kindly refer to the associated issue (AWS::EC2::LaunchTemplate) Implement Drift Detection #1682

Snippet of CloudFormation template

{
  "LaunchTemplate04EC5460": {
    "Type": "AWS::EC2::LaunchTemplate",
    "Properties": {
      "LaunchTemplateData": {
        "ImageId": {
          "Ref": "SsmParameterValueawsserviceamiamazonlinuxlatestamznamihvmx8664gp2C96584B6F00A464EAD1953AFF4B05118Parameter"
        },
        "InstanceType": "t2.micro",
        "TagSpecifications": [
          {
            "ResourceType": "instance",
            "Tags": [
              {
                "Key": "Name",
                "Value": "Ec2Stack/LaunchTemplateNestedStack/LaunchTemplate"
              }
            ]
          },
          {
            "ResourceType": "volume",
            "Tags": [
              {
                "Key": "Name",
                "Value": "Ec2Stack/LaunchTemplateNestedStack/LaunchTemplate"
              }
            ]
          }
        ],
        "UserData": {
          "Fn::Base64": "#!/bin/bash"
        }
      },
      "TagSpecifications": [
        {
          "ResourceType": "launch-template",
          "Tags": [
            {
              "Key": "Name",
              "Value": "Ec2Stack/LaunchTemplateNestedStack/LaunchTemplate"
            }
          ]
        }
      ]
    },
    "UpdateReplacePolicy": "Delete",
    "DeletionPolicy": "Delete"
  }
}

Above is a snippet of the CloudFormation template deployed during testing. A describe call returns the following properties...

{
    "LaunchTemplates": [
        {
            "LaunchTemplateId": "lt-01ef0cd996b75a977",
            "LaunchTemplateName": "LaunchTemplate04EC5460_mUsgVJDQsAoD",
            "CreateTime": "2024-03-21T11:36:30+00:00",
            "CreatedBy": "arn:aws:sts::000000000000:assumed-role/cdk-hnb659fds-cfn-exec-role-000000000000-eu-central-1/AWSCloudFormation",
            "DefaultVersionNumber": 1,
            "LatestVersionNumber": 2,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "Ec2Stack/LaunchTemplateNestedStack/LaunchTemplate"
                }
            ]
        }
    ]
}

Since launch templates are immutable, the only property returned in the describe call that indicates any changes have been made is LatestVersionNumber.

According to the current discussion on the GitHub ticket, since LatestVersionNumber is a readOnly property in the resource schema, CloudFormation does not include this property in drift detection.

Excerpt of schema

readOnlyProperties:
  - /properties/DefaultVersionNumber
  - /properties/LaunchTemplateId
  - /properties/LatestVersionNumber
writeOnlyProperties:
  - /properties/LaunchTemplateData
  - /properties/VersionDescription
  - /properties/TagSpecifications
createOnlyProperties:
  - /properties/LaunchTemplateName

Although technically correct, I feel the comment is also very valid. A customer should not need to go to such lengths to learn why modified resources are not reporting as drifted, despite the official docs explicitly stating it is supported.

I feel this is a good opportunity to improve the general experience for all. When detecting drift on a Launch Template, from the customer's perspective CloudFormation should be "smart" enough to see the LatestVersionNumber has changed, and to then drill deeper into the various properties to compare with those of the previous version.

Different perspectives are appreciated and welcomed, and I'll be happy to provide any further clarity and context if needed.

Other Details

No response
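The check the issue asks CloudFormation to perform, written as an added example that is not part of the issue or the roadmap repository: treat a LatestVersionNumber ahead of the stack-managed DefaultVersionNumber as the drift signal, then diff the two versions' LaunchTemplateData leaf by leaf. The describe output is the one quoted above; the version data is constructed in the shape of describe-launch-template-versions, assuming version 1 came from the stack and version 2 was added out of band.

```python
from typing import Any

# Constructed sample mirroring the describe-launch-templates output quoted in the issue.
DESCRIBE_OUTPUT = {"LaunchTemplates": [{
    "LaunchTemplateId": "lt-01ef0cd996b75a977",
    "LaunchTemplateName": "LaunchTemplate04EC5460_mUsgVJDQsAoD",
    "DefaultVersionNumber": 1,
    "LatestVersionNumber": 2,
}]}

# Constructed sample in the shape of describe-launch-template-versions; assumption:
# version 1 was created by the stack and version 2 was added out of band.
VERSIONS = [
    {"VersionNumber": 1, "LaunchTemplateData": {"ImageId": "ami-EXAMPLE",
        "InstanceType": "t2.micro", "UserData": "IyEvYmluL2Jhc2g="}},
    {"VersionNumber": 2, "LaunchTemplateData": {"ImageId": "ami-EXAMPLE",
        "InstanceType": "t3.large", "UserData": "IyEvYmluL2Jhc2g="}},
]

def version_drifted(template: dict[str, Any]) -> bool:
    """The only hint in the describe output: a version newer than the default one."""
    return template["LatestVersionNumber"] != template["DefaultVersionNumber"]

def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Turn nested LaunchTemplateData into {'/path/to/leaf': value} for comparison."""
    if isinstance(obj, dict):
        return {k: v for key, val in obj.items() for k, v in flatten(val, f"{prefix}/{key}").items()}
    if isinstance(obj, list):
        return {k: v for i, val in enumerate(obj) for k, v in flatten(val, f"{prefix}/{i}").items()}
    return {prefix: obj}

def diff_versions(versions: list[dict], base: int, latest: int) -> list[tuple[str, Any, Any]]:
    """Return (path, old, new) for every leaf that differs between two version numbers."""
    by_num = {v["VersionNumber"]: flatten(v["LaunchTemplateData"]) for v in versions}
    old, new = by_num[base], by_num[latest]
    return sorted((p, old.get(p), new.get(p)) for p in old.keys() | new.keys() if old.get(p) != new.get(p))

def find_drift(describe_output: dict, versions: list[dict]) -> dict[str, list]:
    """Map each drifted launch template name to the property changes drift detection misses."""
    report = {}
    for lt in describe_output["LaunchTemplates"]:
        if version_drifted(lt):
            report[lt["LaunchTemplateName"]] = diff_versions(
                versions, lt["DefaultVersionNumber"], lt["LatestVersionNumber"])
    return report

if __name__ == "__main__":
    print(find_drift(DESCRIBE_OUTPUT, VERSIONS))
```

Against real accounts the two constants would be replaced by the results of the describe-launch-templates and describe-launch-template-versions calls; the comparison logic is unchanged.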