aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

Detecting drift from the command line #24494

Open j4zzcat opened 1 year ago

j4zzcat commented 1 year ago

Describe the bug

Some of the stack names listed with cdk list cannot be fed into aws cloudformation <command> --stack-name <stack-name>.

Expected Behavior

The cloudformation module of the AWS CLI should accept the stack names listed in cdk list, or the other way around.

Current Behavior

Some of the stack names listed with cdk list cannot be fed into aws cloudformation <command> --stack-name <stack-name>.

Reproduction Steps

First, get a list of stacks:

$ cdk list
building... [omitted for clarity]

playground1
playground1-safetynet
playground1/es-hist-cluster1
playground1/es-rt-cluster1

Now, detect the drift:

$ aws cloudformation detect-stack-drift --stack-name "playground1/es-rt-cluster1"

An error occurred (ValidationError) when calling the DetectStackDrift operation: 
1 validation error detected: Value 'playground1/es-rt-cluster1' at 'stackName' failed to satisfy constraint: 
Member must satisfy regular expression pattern: [a-zA-Z][-a-zA-Z0-9]*|arn:[-a-zA-Z0-9:/._+]*

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.67.0 (build b6f7f39)

Framework Version

No response

Node.js Version

v19.6.1

OS

macOS 13.1

Language

Java

Language Version

No response

Other information

No response

pahud commented 1 year ago

This seems to be a nested stack from the parent stack playground1.

According to the doc

When detecting drift on a stack, CloudFormation does not detect drift on any nested stacks that belong to that stack. Instead, you can initiate a drift detection operation directly on the nested stack.

I believe you should be able to detect-stack-drift on that nested stack?

j4zzcat commented 1 year ago

The problem is that aws cloudformation detect-stack-drift --stack-name "playground1/es-rt-cluster1" doesn't recognize the stack playground1/es-rt-cluster1 (as listed in cdk list) as a valid name.

Indeed, looking in the AWS console, I can see that the nested stack names are different from the ones cdk list produces. For example, playground1/es-rt-cluster1 in CDK is actually playground1esrtcluster1D0DED288 in aws cloudformation, hence the problem.

So, in summary, nested stack names in CDK are not recognized by the lower layer of CloudFormation.
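A small Python helper, added here and not part of this thread or of the CDK project, that checks a stack reference against the regex quoted in the ValidationError above and resolves a cdk list nested-stack path to the nested stack's ARN (which that regex does accept) from the parent stack's aws cloudformation list-stack-resources output. The match between the CDK path and the logical ID is a heuristic assumed from the example in this thread, not a CDK API, and the list-stack-resources sample is constructed.

```python
import re

# Constraint quoted in the ValidationError above: a plain stack name or a stack ARN.
STACK_NAME_RE = re.compile(r"^(?:[a-zA-Z][-a-zA-Z0-9]*|arn:[-a-zA-Z0-9:/._+]*)$")

def is_valid_stack_name(name):
    """True if CloudFormation will accept `name` as --stack-name."""
    return STACK_NAME_RE.match(name) is not None

def path_matches_logical_id(cdk_path, logical_id):
    """Heuristic (an assumption, not a CDK API): the logical ID seen in the
    console is the CDK path with separators removed plus an 8-hex-char
    suffix, e.g. playground1/es-rt-cluster1 -> playground1esrtcluster1D0DED288."""
    prefix = re.sub(r"[^A-Za-z0-9]", "", cdk_path)
    return re.fullmatch(re.escape(prefix) + r"[0-9A-F]{8}", logical_id) is not None

def resolve_nested_stack(cdk_path, parent_resources):
    """Map a `cdk list` nested-stack path to the nested stack's ARN.

    parent_resources is the parsed JSON of
    `aws cloudformation list-stack-resources --stack-name <parent>`; nested
    stacks appear there as AWS::CloudFormation::Stack resources whose
    PhysicalResourceId is the nested stack's ARN."""
    for res in parent_resources.get("StackResourceSummaries", []):
        if res.get("ResourceType") != "AWS::CloudFormation::Stack":
            continue
        if path_matches_logical_id(cdk_path, res["LogicalResourceId"]):
            return res["PhysicalResourceId"]
    return None

def drift_command(stack_ref):
    """argv for detect-stack-drift; fails fast, before any API call, when the
    reference would be rejected by the regex constraint."""
    if not is_valid_stack_name(stack_ref):
        raise ValueError(f"{stack_ref!r} is not a valid CloudFormation stack name or ARN")
    return ["aws", "cloudformation", "detect-stack-drift", "--stack-name", stack_ref]

# Constructed sample of list-stack-resources output for the parent stack playground1.
SAMPLE_PARENT_RESOURCES = {"StackResourceSummaries": [
    {"LogicalResourceId": "Bucket83908E77", "ResourceType": "AWS::S3::Bucket",
     "PhysicalResourceId": "playground1-bucket83908e77-example"},
    {"LogicalResourceId": "playground1esrtcluster1D0DED288",
     "ResourceType": "AWS::CloudFormation::Stack",
     "PhysicalResourceId": "arn:aws:cloudformation:us-east-1:123456789012:"
                           "stack/playground1-esrtcluster1-EXAMPLE/0000"},
]}

if __name__ == "__main__":
    arn = resolve_nested_stack("playground1/es-rt-cluster1", SAMPLE_PARENT_RESOURCES)
    print(drift_command(arn))
```

Running the printed argv is left to the reader; the helper itself never calls AWS.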

pahud commented 1 year ago

Thank you for your feedback. Yes this makes sense.

sc-juho commented 5 months ago

Honestly it feels like the CDK team is stuck on having to use CloudFormation, which has fundamental issues with drift detection. Perhaps it would make more sense to refactor CDK so that it would not use CloudFormation, but instead do direct API calls to AWS the same way Terraform works?

I've seen https://aws.amazon.com/blogs/devops/implementing-automatic-drift-detection-in-cdk-pipelines-using-amazon-eventbridge/ and https://github.com/cdklabs/cdk-drift-monitor and they both look way too difficult and complex to use when compared to how well terraform plan works. For example it would be insanity to try to build the EventBridge based solution to all of our 500+ AWS accounts.
I've seen https://aws.amazon.com/blogs/devops/implementing-automatic-drift-detection-in-cdk-pipelines-using-amazon-eventbridge/ and https://github.com/cdklabs/cdk-drift-monitor and they both look way too difficult and complex to use when compared how well terraform plan works. For example it would be insanity to try to build the EventBridge based solution to all of our 500+ AWS accounts.