search

aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International
1.11k stars 56 forks source link

AWS::EC2::VPC - False-positive drift on EnableDnsHostnames and EnableDnsSupport when using Git Sync #2138

Open gautaz opened 2 months ago

gautaz commented 2 months ago

Name of the resource

AWS::EC2::VPC

Resource Name

No response

Issue Description

EDIT (2024-09-28): The issue only occurs if Git Sync is used.

AWS is detecting a drift on a newly created VPC with EnableDnsHostnames and EnableDnsSupport set to true. The "Actual" output is missing both values.

Expected Behavior

No drift should be detected.

Observed Behavior

Here is the drift report:

image

This is inconsistent with what is displayed in the VPC details:

image

Test Cases

EDIT (2024-09-28): The following template only reproduces the issue if the deployment is done with Git Sync.

Here is an extract of the provided template:

AWSTemplateFormatVersion: '2010-09-09'
Description: stack template
Parameters:
  VpcCidrBlock:
    Type: String
Resources:
  VPC:
    Properties:
      CidrBlock: !Ref 'VpcCidrBlock'
      EnableDnsHostnames: true
      EnableDnsSupport: true
    Type: AWS::EC2::VPC

Other Details

No response

wangcaro3793 commented 2 months ago

My local test does not replicate this issue. Can you provide a region or stackid?

gautaz commented 2 months ago

Yes, the region is eu-west-3 and here is the stack id: arn:aws:cloudformation:eu-west-3:432287323027:stack/DevelopmentStack/9f88fb50-7c05-11ef-8392-0e9fe9bec705

wangcaro3793 commented 2 months ago

if you try with the extracted sample template, do you still see the same issue? If so, can you share the stack id?

gautaz commented 2 months ago

Max quota for VPC per region reached on our account. I am asking for a quota increase in order to test. The request is still pending.

gautaz commented 2 months ago

I have just deployed a new stack with the following id: arn:aws:cloudformation:eu-west-3:432287323027:stack/issue-2138/2b504a60-7d07-11ef-8cec-0eae10b2d427

The template is:

AWSTemplateFormatVersion: '2010-09-09'
Description: stack template
Resources:
  VPC:
    Properties:
      CidrBlock: '172.50.0.0/16'
      EnableDnsHostnames: true
      EnableDnsSupport: true
    Type: AWS::EC2::VPC

No drift is detected in this case so this means other resources probably need to be deployed to reproduce the issue.

If you need anymore testing, do not hesitate to ask.

EDIT: The full template reproducing the issue is quite large but I can provide it if needed.

gautaz commented 2 months ago

We also have a smaller stack reproducing the issue: arn:aws:cloudformation:eu-west-3:432287323027:stack/HubStack/9afb6ed0-7c03-11ef-8098-0ac092c2d633

Apart from the VPC, this stack also deploys private subnets with route tables and also some VPC endpoints.

Here is the template ```yaml AWSTemplateFormatVersion: '2010-09-09' Outputs: EcrApiVpcEndpointRegionDnsEntry: Export: Name: ServicesHubEcrApiVpcEndpointRegionDnsEntry Value: !Select - 0 - !GetAtt 'EcrApiVpcEndpoint.DnsEntries' EcrDkrVpcEndpointRegionDnsEntry: Export: Name: ServicesHubEcrDkrVpcEndpointRegionDnsEntry Value: !Select - 0 - !GetAtt 'EcrDkrVpcEndpoint.DnsEntries' EcsAgentVpcEndpointRegionDnsEntry: Export: Name: ServicesHubEcsAgentVpcEndpointRegionDnsEntry Value: !Select - 0 - !GetAtt 'EcsAgentVpcEndpoint.DnsEntries' EcsTelemetryVpcEndpointRegionDnsEntry: Export: Name: ServicesHubEcsTelemetryVpcEndpointRegionDnsEntry Value: !Select - 0 - !GetAtt 'EcsTelemetryVpcEndpoint.DnsEntries' EcsVpcEndpointRegionDnsEntry: Export: Name: ServicesHubEcsVpcEndpointRegionDnsEntry Value: !Select - 0 - !GetAtt 'EcsVpcEndpoint.DnsEntries' LogsVpcEndpointRegionDnsEntry: Export: Name: ServicesHubLogsVpcEndpointRegionDnsEntry Value: !Select - 0 - !GetAtt 'LogsVpcEndpoint.DnsEntries' PrivateSubnet0CidrBlock: Export: Name: ServicesHubPrivateSubnet0CidrBlock Value: !GetAtt 'PrivateSubnet0.CidrBlock' PrivateSubnet0RouteTableId: Export: Name: ServicesHubPrivateSubnet0RouteTableId Value: !Ref 'PrivateSubnet0RouteTable' PrivateSubnet1CidrBlock: Export: Name: ServicesHubPrivateSubnet1CidrBlock Value: !GetAtt 'PrivateSubnet1.CidrBlock' PrivateSubnet1RouteTableId: Export: Name: ServicesHubPrivateSubnet1RouteTableId Value: !Ref 'PrivateSubnet1RouteTable' PrivateSubnet2CidrBlock: Export: Name: ServicesHubPrivateSubnet2CidrBlock Value: !GetAtt 'PrivateSubnet2.CidrBlock' PrivateSubnet2RouteTableId: Export: Name: ServicesHubPrivateSubnet2RouteTableId Value: !Ref 'PrivateSubnet2RouteTable' SqsVpcEndpointRegionDnsEntry: Export: Name: ServicesHubSqsVpcEndpointRegionDnsEntry Value: !Select - 0 - !GetAtt 'SqsVpcEndpoint.DnsEntries' VpcId: Export: Name: ServicesHubVpcId Value: !GetAtt 'VPC.VpcId' Parameters: PrivateSubnet0CidrBlock: Type: String PrivateSubnet1CidrBlock: Type: String PrivateSubnet2CidrBlock: Type: String VpcCidrBlock: Type: String Resources: EcrApiVpcEndpoint: Properties: SecurityGroupIds: - !Ref 'VpcEndpointsSecurityGroup' ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.api' SubnetIds: - !Ref 'PrivateSubnet0' - !Ref 'PrivateSubnet1' - !Ref 'PrivateSubnet2' VpcEndpointType: Interface VpcId: !Ref 'VPC' Type: AWS::EC2::VPCEndpoint EcrDkrVpcEndpoint: Properties: SecurityGroupIds: - !Ref 'VpcEndpointsSecurityGroup' ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.dkr' SubnetIds: - !Ref 'PrivateSubnet0' - !Ref 'PrivateSubnet1' - !Ref 'PrivateSubnet2' VpcEndpointType: Interface VpcId: !Ref 'VPC' Type: AWS::EC2::VPCEndpoint EcsAgentVpcEndpoint: Properties: SecurityGroupIds: - !Ref 'VpcEndpointsSecurityGroup' ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecs-agent' SubnetIds: - !Ref 'PrivateSubnet0' - !Ref 'PrivateSubnet1' - !Ref 'PrivateSubnet2' VpcEndpointType: Interface VpcId: !Ref 'VPC' Type: AWS::EC2::VPCEndpoint EcsTelemetryVpcEndpoint: Properties: SecurityGroupIds: - !Ref 'VpcEndpointsSecurityGroup' ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecs-telemetry' SubnetIds: - !Ref 'PrivateSubnet0' - !Ref 'PrivateSubnet1' - !Ref 'PrivateSubnet2' VpcEndpointType: Interface VpcId: !Ref 'VPC' Type: AWS::EC2::VPCEndpoint EcsVpcEndpoint: Properties: SecurityGroupIds: - !Ref 'VpcEndpointsSecurityGroup' ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecs' SubnetIds: - !Ref 'PrivateSubnet0' - !Ref 'PrivateSubnet1' - !Ref 'PrivateSubnet2' VpcEndpointType: Interface VpcId: !Ref 'VPC' Type: AWS::EC2::VPCEndpoint LogsVpcEndpoint: Properties: SecurityGroupIds: - !Ref 'VpcEndpointsSecurityGroup' ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs' SubnetIds: - !Ref 'PrivateSubnet0' - !Ref 'PrivateSubnet1' - !Ref 'PrivateSubnet2' VpcEndpointType: Interface VpcId: !Ref 'VPC' Type: AWS::EC2::VPCEndpoint PrivateSubnet0: Properties: AvailabilityZone: !Select - 0 - !GetAZs Ref: AWS::Region CidrBlock: !Ref 'PrivateSubnet0CidrBlock' VpcId: !Ref 'VPC' Type: AWS::EC2::Subnet PrivateSubnet0RouteTable: Properties: VpcId: !Ref 'VPC' Type: AWS::EC2::RouteTable PrivateSubnet0RouteTableAssociation: Properties: RouteTableId: !Ref 'PrivateSubnet0RouteTable' SubnetId: !Ref 'PrivateSubnet0' Type: AWS::EC2::SubnetRouteTableAssociation PrivateSubnet1: Properties: AvailabilityZone: !Select - 1 - !GetAZs Ref: AWS::Region CidrBlock: !Ref 'PrivateSubnet1CidrBlock' VpcId: !Ref 'VPC' Type: AWS::EC2::Subnet PrivateSubnet1RouteTable: Properties: VpcId: !Ref 'VPC' Type: AWS::EC2::RouteTable PrivateSubnet1RouteTableAssociation: Properties: RouteTableId: !Ref 'PrivateSubnet1RouteTable' SubnetId: !Ref 'PrivateSubnet1' Type: AWS::EC2::SubnetRouteTableAssociation PrivateSubnet2: Properties: AvailabilityZone: !Select - 2 - !GetAZs Ref: AWS::Region CidrBlock: !Ref 'PrivateSubnet2CidrBlock' VpcId: !Ref 'VPC' Type: AWS::EC2::Subnet PrivateSubnet2RouteTable: Properties: VpcId: !Ref 'VPC' Type: AWS::EC2::RouteTable PrivateSubnet2RouteTableAssociation: Properties: RouteTableId: !Ref 'PrivateSubnet2RouteTable' SubnetId: !Ref 'PrivateSubnet2' Type: AWS::EC2::SubnetRouteTableAssociation SqsVpcEndpoint: Properties: SecurityGroupIds: - !Ref 'VpcEndpointsSecurityGroup' ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sqs' SubnetIds: - !Ref 'PrivateSubnet0' - !Ref 'PrivateSubnet1' - !Ref 'PrivateSubnet2' VpcEndpointType: Interface VpcId: !Ref 'VPC' Type: AWS::EC2::VPCEndpoint VPC: Properties: CidrBlock: !Ref 'VpcCidrBlock' EnableDnsHostnames: true EnableDnsSupport: true Type: AWS::EC2::VPC VpcEndpointsSecurityGroup: Properties: GroupDescription: VPC Endpoints firewall rules SecurityGroupIngress: - CidrIp: '0.0.0.0/0' Description: HTTPS access to AWS APIs FromPort: 443 IpProtocol: tcp ToPort: 443 VpcId: !Ref 'VPC' Type: AWS::EC2::SecurityGroup ```

Hope this helps.

gautaz commented 2 months ago

Hello @wangcaro3793,

I have reproduced the issue with a minimal example. The issue occurs only when using Git Sync.

Here are the YAML files I did use on my Git repository:

stack/cfn-issue-2138/deployment.yaml:

template-file-path: 'stack/cfn-issue-2138/template.yaml'

stack/cfn-issue-2138/template.yaml:

AWSTemplateFormatVersion: '2010-09-09'
Description: cfn issue 2138 stack template
Resources:
  VPC:
    Properties:
      CidrBlock: '172.50.0.0/16'
      EnableDnsHostnames: true
      EnableDnsSupport: true
    Type: AWS::EC2::VPC

These have been used to deploy the following stack with Git Sync: arn:aws:cloudformation:eu-west-3:432287323027:stack/CfnIssue2138/bbbefb50-7d61-11ef-9733-0655824fe323

And this stack also reproduces the drift issue on its VPC.

gautaz commented 1 month ago

Hello @wangcaro3793, did you manage to reproduce the issue with Git Sync?

wangcaro3793 commented 1 month ago

hi @gautaz I don't have git sync setup so I'm not sure. But thanks for identifying that this is an issue with Git Sync. I'll have to loop in different support.

gautaz commented 1 month ago

Hello @wangcaro3793,

Do I need to keep the stacks which helped demonstrating the issue or is the issue now reproduced on AWS side? There is no problem in keeping them for a while, I just do not want to keep unused resources lingering without being ever used.

wangcaro3793 commented 1 month ago

no need to keep the stack you can tear it down @gautaz