aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::Lambda::Function Drift Detection does not support CodeSigningConfigArn Property #954

Open linyunxiang opened 3 years ago

linyunxiang commented 3 years ago

Name of the resource

AWS::Lambda::Function

Resource Name

No response

Issue Description

If an AWS::Lambda::Function resource has the CodeSigningConfigArn property, Drift Detection would not see the actual CodeSigningConfigArn applied to the function. This gives a false alarm.

Expected Behavior

Drift Detection should be able to detect the actual CodeSigningConfigArn applied to the function.

Observed Behavior

Incorrect Drift Status:

$ aws cloudformation describe-stack-resource-drifts --stack-name lambda
... ...
    "LogicalResourceId": "lambda",
    "PhysicalResourceId": "lambda-lambda-kdA5SUV57nal",
    "ResourceType": "AWS::Lambda::Function",
    "ExpectedProperties": "{\"CodeSigningConfigArn\":\"arn:aws:lambda:us-east-1:XXXXX:code-signing-config:csc-09e35593b36aeefd4\",\"Handler\":\"index.handler\",\"Role\":\"arn:aws:iam::XXXXX:role/lambda-Role-1N9NYQ88CHZB2\",\"Runtime\":\"nodejs12.x\"}",
    "ActualProperties": "{\"Handler\":\"index.handler\",\"Role\":\"arn:aws:iam::XXXXX:role/lambda-Role-1N9NYQ88CHZB2\",\"Runtime\":\"nodejs12.x\"}",
    "PropertyDifferences": [
        {
            "PropertyPath": "/CodeSigningConfigArn",
            "ExpectedValue": "arn:aws:lambda:us-east-1:XXXXX:code-signing-config:csc-09e35593b36aeefd4",
            "ActualValue": "null",
            "DifferenceType": "REMOVE"
        }
    ],
    "StackResourceDriftStatus": "MODIFIED",
... ...

Test Cases

Create an AWS::Lambda::Function resource with CodeSigningConfigArn Property and then try drift detection.

Other Details

No response
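The false REMOVE reported above matters from a defender's point of view because code signing is the control that stops unsigned code from being deployed to the function, so a drift report that cries wolf on exactly that property trains operators to ignore it. The following script is an added example (not from the issue or from the roadmap repository): it takes the drift records that `describe-stack-resource-drifts` returns, reads the real signing config back with the Lambda API call `GetFunctionCodeSigningConfig` (a real API; the caller needs the `lambda:GetFunctionCodeSigningConfig` permission), and drops the `/CodeSigningConfigArn` difference only when the ARN the function actually carries equals the one the template expects. Any lookup failure, a different ARN, or a genuinely removed signing config keeps the difference, so real drift still surfaces. The sample drift record is constructed from the output pasted in the issue, the `boto3_csc_lookup` helper and the `reconcile_drift` function names are this example's own, and the offline demo in `__main__` uses a dictionary in place of the live API.

```python
"""Reconcile CloudFormation drift results for AWS::Lambda::Function resources.

Added example, not code from the issue or from the roadmap repo. It works
around the behaviour the issue describes: drift detection reports
CodeSigningConfigArn as REMOVE because it does not read that property back,
even when the function really has the signing config attached. The check
here reads the real value via lambda:GetFunctionCodeSigningConfig and drops
the difference only when expected and actual agree.
"""
import json
from typing import Callable, Dict, List, Optional

# Constructed sample, modelled on the drift output pasted in the issue
# (account id masked as XXXXX, exactly as in the issue).
CSC_ARN = "arn:aws:lambda:us-east-1:XXXXX:code-signing-config:csc-09e35593b36aeefd4"
SAMPLE_DRIFTS: List[Dict] = [
    {
        "LogicalResourceId": "lambda",
        "PhysicalResourceId": "lambda-lambda-kdA5SUV57nal",
        "ResourceType": "AWS::Lambda::Function",
        "ExpectedProperties": json.dumps({
            "CodeSigningConfigArn": CSC_ARN,
            "Handler": "index.handler",
            "Role": "arn:aws:iam::XXXXX:role/lambda-Role-1N9NYQ88CHZB2",
            "Runtime": "nodejs12.x",
        }),
        "ActualProperties": json.dumps({
            "Handler": "index.handler",
            "Role": "arn:aws:iam::XXXXX:role/lambda-Role-1N9NYQ88CHZB2",
            "Runtime": "nodejs12.x",
        }),
        "PropertyDifferences": [
            {
                "PropertyPath": "/CodeSigningConfigArn",
                "ExpectedValue": CSC_ARN,
                "ActualValue": "null",
                "DifferenceType": "REMOVE",
            }
        ],
        "StackResourceDriftStatus": "MODIFIED",
    }
]

# A lookup maps a function name to the CodeSigningConfigArn it really has,
# or None when the function has no signing config or the lookup fails.
LookupFn = Callable[[str], Optional[str]]


def boto3_csc_lookup(region_name: str) -> LookupFn:
    """Build a lookup backed by the live Lambda API (hypothetical helper name).

    Requires boto3 and the lambda:GetFunctionCodeSigningConfig permission.
    """
    import boto3  # imported lazily so the offline parts run without boto3

    client = boto3.client("lambda", region_name=region_name)

    def lookup(function_name: str) -> Optional[str]:
        try:
            resp = client.get_function_code_signing_config(FunctionName=function_name)
        except client.exceptions.ResourceNotFoundException:
            return None  # fail closed: an unknown state never suppresses drift
        return resp.get("CodeSigningConfigArn") or None

    return lookup


def reconcile_drift(drift: Dict, lookup: LookupFn) -> Dict:
    """Return a copy of one drift record without the false CodeSigningConfigArn REMOVE.

    Only a REMOVE on /CodeSigningConfigArn whose ExpectedValue equals the ARN the
    Lambda API reports is dropped. A real mismatch, a real removal, or a failed
    lookup keeps the difference, so the report still flags genuine drift.
    """
    if drift.get("ResourceType") != "AWS::Lambda::Function":
        return drift
    actual_arn = lookup(drift["PhysicalResourceId"])
    kept = []
    for diff in drift.get("PropertyDifferences", []):
        false_positive = (
            diff["PropertyPath"] == "/CodeSigningConfigArn"
            and diff["DifferenceType"] == "REMOVE"
            and actual_arn is not None
            and diff["ExpectedValue"] == actual_arn
        )
        if not false_positive:
            kept.append(diff)
    fixed = dict(drift, PropertyDifferences=kept)
    fixed["StackResourceDriftStatus"] = "MODIFIED" if kept else "IN_SYNC"
    return fixed


def reconcile_all(drifts: List[Dict], lookup: LookupFn) -> List[Dict]:
    """Reconcile every record from describe-stack-resource-drifts."""
    return [reconcile_drift(d, lookup) for d in drifts]


if __name__ == "__main__":
    # Offline demo: a dict stands in for the Lambda API and reports the same
    # signing config the template expects, so the record becomes IN_SYNC.
    table = {"lambda-lambda-kdA5SUV57nal": CSC_ARN}
    for rec in reconcile_all(SAMPLE_DRIFTS, table.get):
        print(rec["LogicalResourceId"], rec["StackResourceDriftStatus"], rec["PropertyDifferences"])
```

Against a real stack you would feed `reconcile_all` the `StackResourceDrifts` list returned by `describe_stack_resource_drifts` together with `boto3_csc_lookup(region)`; the design keeps the API call behind a plain callable so the reconciliation logic is testable without credentials and so the fail-closed rule (no lookup result means the difference stays) is easy to see.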

Manouchehri commented 1 year ago

Yep, still an issue here.

alkaales commented 1 year ago

Can you provide the CFN template you are using? I just tested this, and the drift result is IN_SYNC.