Skip to content

iann0036/cfn-remediate-drift

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

index.py

index.py

 
 

requirements.txt

requirements.txt

 
 

test.yaml

test.yaml

 
 

Repository files navigation

CloudFormation Remediate Drift

Update 2022: Check out https://github.com/WeAreCloudar/cfn-drift-remediation for a new, better way to achieve this

The following script will programmatically perform the following steps:

  • Check for drifted resources
  • Using CloudFormation outputs, extract any references to resources that have drifted and replace the references with the dereferenced values temporarily
  • Remove any supported drifted resources from the stack, whilst retaining the resource
  • Import the resources with their current state back into the stack
  • Perform an update on the stack back to its original template, effectively remediating the resources

❗ This script is not thoroughly tested and you should attempt to use this on a non-critical resource before real-world usage as some resources refuse to re-import for a variety of reasons. I am not responsible for your data loss.

Usage

python3 index.py MyStackName

or to specify a region

python3 index.py MyStackName us-east-1

Supported Resources

The following resources are supported for import operations (other resources will be ignored, even if drift is detected):

  • AWS::ACMPCA::Certificate
  • AWS::ACMPCA::CertificateAuthority
  • AWS::ACMPCA::CertificateAuthorityActivation
  • AWS::AccessAnalyzer::Analyzer
  • AWS::ApiGateway::Authorizer
  • AWS::ApiGateway::Deployment
  • AWS::ApiGateway::Method
  • AWS::ApiGateway::Model
  • AWS::ApiGateway::RequestValidator
  • AWS::ApiGateway::Resource
  • AWS::ApiGateway::RestApi
  • AWS::ApiGateway::Stage
  • AWS::Athena::DataCatalog
  • AWS::Athena::NamedQuery
  • AWS::Athena::WorkGroup
  • AWS::AutoScaling::AutoScalingGroup
  • AWS::AutoScaling::LaunchConfiguration
  • AWS::AutoScaling::LifecycleHook
  • AWS::AutoScaling::ScalingPolicy
  • AWS::AutoScaling::ScheduledAction
  • AWS::CE::CostCategory
  • AWS::Cassandra::Keyspace
  • AWS::Cassandra::Table
  • AWS::Chatbot::SlackChannelConfiguration
  • AWS::CloudFormation::Stack
  • AWS::CloudTrail::Trail
  • AWS::CloudWatch::Alarm
  • AWS::CloudWatch::CompositeAlarm
  • AWS::CodeGuruProfiler::ProfilingGroup
  • AWS::CodeStarConnections::Connection
  • AWS::Config::ConformancePack
  • AWS::Config::OrganizationConformancePack
  • AWS::Detective::Graph
  • AWS::Detective::MemberInvitation
  • AWS::DynamoDB::Table
  • AWS::EC2::EIP
  • AWS::EC2::FlowLog
  • AWS::EC2::GatewayRouteTableAssociation
  • AWS::EC2::Instance
  • AWS::EC2::InternetGateway
  • AWS::EC2::LocalGatewayRoute
  • AWS::EC2::LocalGatewayRouteTableVPCAssociation
  • AWS::EC2::NatGateway
  • AWS::EC2::NetworkAcl
  • AWS::EC2::NetworkInterface
  • AWS::EC2::PrefixList
  • AWS::EC2::RouteTable
  • AWS::EC2::SecurityGroup
  • AWS::EC2::Subnet
  • AWS::EC2::VPC
  • AWS::EC2::Volume
  • AWS::ECS::CapacityProvider
  • AWS::ECS::Cluster
  • AWS::ECS::PrimaryTaskSet
  • AWS::ECS::Service
  • AWS::ECS::TaskDefinition
  • AWS::ECS::TaskSet
  • AWS::EFS::AccessPoint
  • AWS::EFS::FileSystem
  • AWS::ElasticLoadBalancing::LoadBalancer
  • AWS::ElasticLoadBalancingV2::Listener
  • AWS::ElasticLoadBalancingV2::ListenerRule
  • AWS::ElasticLoadBalancingV2::LoadBalancer
  • AWS::EventSchemas::RegistryPolicy
  • AWS::Events::Rule
  • AWS::FMS::NotificationChannel
  • AWS::FMS::Policy
  • AWS::GlobalAccelerator::Accelerator
  • AWS::GlobalAccelerator::EndpointGroup
  • AWS::GlobalAccelerator::Listener
  • AWS::ImageBuilder::Component
  • AWS::ImageBuilder::DistributionConfiguration
  • AWS::ImageBuilder::Image
  • AWS::ImageBuilder::ImagePipeline
  • AWS::ImageBuilder::ImageRecipe
  • AWS::ImageBuilder::InfrastructureConfiguration
  • AWS::IoT::ProvisioningTemplate
  • AWS::IoT::Thing
  • AWS::KinesisFirehose::DeliveryStream
  • AWS::Lambda::Alias
  • AWS::Lambda::Function
  • AWS::Lambda::Version
  • AWS::Logs::LogGroup
  • AWS::Logs::MetricFilter
  • AWS::Logs::SubscriptionFilter
  • AWS::Macie::CustomDataIdentifier
  • AWS::Macie::FindingsFilter
  • AWS::Macie::Session
  • AWS::NetworkManager::CustomerGatewayAssociation
  • AWS::NetworkManager::Device
  • AWS::NetworkManager::GlobalNetwork
  • AWS::NetworkManager::Link
  • AWS::NetworkManager::LinkAssociation
  • AWS::NetworkManager::Site
  • AWS::NetworkManager::TransitGatewayRegistration
  • AWS::QLDB::Stream
  • AWS::RDS::DBCluster
  • AWS::RDS::DBInstance
  • AWS::RDS::DBProxy
  • AWS::RDS::DBProxyTargetGroup
  • AWS::ResourceGroups::Group
  • AWS::Route53::HostedZone
  • AWS::S3::AccessPoint
  • AWS::S3::Bucket
  • AWS::SES::ConfigurationSet
  • AWS::SNS::Topic
  • AWS::SQS::Queue
  • AWS::SSM::Association
  • AWS::ServiceCatalog::CloudFormationProvisionedProduct
  • AWS::Synthetics::Canary
  • AWS::WAFv2::IPSet
  • AWS::WAFv2::RegexPatternSet
  • AWS::WAFv2::RuleGroup
  • AWS::WAFv2::WebACL
  • AWS::WAFv2::WebACLAssociation
  • AWS::IAM::Group
  • AWS::IAM::InstanceProfile
  • AWS::IAM::Role
  • AWS::IAM::User
  • AWS::IAM::ManagedPolicy

Known Issues

  • Templates with a high amount of drifted resources may cause an error regarding too many outputs
  • Drifted resources referenced within a Fn::Sub string may cause the process to fail

About

Automated CloudFormation drift remediation using Import functionality

Topics

aws cloudformation drift-detection

Resources

Readme

License

MIT license
Activity

Stars

25 stars

Watchers

3 watching

Forks

2 forks
Report repository

Sponsor this project

 
Learn more about GitHub Sponsors

Languages