12

I can't seem to find any documentation about what happens when you manually mess with Cloudformation's objects.
I see it tags its objects, but does it recover if, say, someone deletes a routing rule?

EDIT: Just got two contradicting answers. I'd like to request some documentation / evidence, since I have to decide what directions I'm giving my colleagues about modifying these resources.

Nitz

3 Answers

10

CloudFormation only creates or modifies AWS resources during deployment, update, or deletion of a stack. It does not continually 'check and enforce' individual stack resources' configuration states - drift can definitely occur.

As an example, if I deploy a CF Stack and then later manually modify an Inbound Rule on one of its Security Groups, this modification will persist until I run an explicit CF Update or redeploy the stack.

Here are some helpful snippets / links:

Q: Can I manage individual AWS resources that are part of an AWS CloudFormation stack?

Yes. AWS CloudFormation does not get in the way; you retain full control of all elements of your infrastructure. You can continue using all your existing AWS and third-party tools to manage your AWS resources.

AWS CloudFormation Stacks Updates: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html

Prevent Updates to Stack Resources: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html

Please note the last link is only referring to protecting resources during a CloudFormation Update action, not ad-hoc changes made via the Management Console or API to individual resources.

Adam
  • 1
    Do you have actual experience with doing so, or is this just speculation? The documentation quote doesn't say anything about Cloudformation modifying/avoiding modifying your customizations. – Nitz Jun 18 '15 at 07:36
  • 5
    Yes, I have deployed many CF stacks and have never witnessed CF enforcing configuration. I have shot myself in the foot before by accidentally modifying several SGs that were a part of a CF stack and had to redeploy it. You were right about lacking documentation - this is the best I could find in 10 minutes. – Adam Jun 18 '15 at 15:33
  • 2
    Do you by 'redeploy' mean delete & deploy again, or is there another way? – Dusan Bajic Jun 22 '15 at 14:47
  • @DusanBajic one way to trick CF to "redeploy" some stack is to update the stack with a minor, innocuous change -- maybe adding an Output element? – solr Jul 29 '21 at 22:14
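The answer above is right that CloudFormation does not enforce resource state between updates. The check a practitioner now wants for this situation is the stack drift detection feature AWS added after these answers were written (the DetectStackDrift, DescribeStackDriftDetectionStatus and DescribeStackResourceDrifts APIs), which reports which resources were changed or deleted outside the stack without touching them. The script below is an added example, not code from the original thread or from AWS: `run_drift_detection` wraps those real boto3 calls and needs boto3 plus AWS credentials, while `summarize_drift` is pure and is shown here running over a constructed response (the logical IDs `WebSecurityGroup`, `WebAsg`, `WebVpc` and `AppRoute` are invented sample data).

```python
"""Report out-of-band changes to a CloudFormation stack via drift detection.

Added example. Assumptions: boto3 is installed and credentials are configured
for run_drift_detection(); summarize_drift() is pure and runs offline.
"""
import time

# StackResourceDriftStatus values that mean a resource no longer matches the template
DRIFTED_STATUSES = {"MODIFIED", "DELETED"}

# Constructed sample shaped like the StackResourceDrifts element of a
# DescribeStackResourceDrifts response: an SSH rule added to a security group
# by hand, an Auto Scaling group deleted in the console, one in-sync VPC and
# one resource type the service did not check.
SAMPLE_DRIFTS = [
    {"LogicalResourceId": "WebSecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup",
     "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [
         {"PropertyPath": "/SecurityGroupIngress/1", "DifferenceType": "ADD",
          "ActualValue": '{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"CidrIp":"0.0.0.0/0"}'}]},
    {"LogicalResourceId": "WebAsg", "ResourceType": "AWS::AutoScaling::AutoScalingGroup",
     "StackResourceDriftStatus": "DELETED", "PropertyDifferences": []},
    {"LogicalResourceId": "WebVpc", "ResourceType": "AWS::EC2::VPC",
     "StackResourceDriftStatus": "IN_SYNC", "PropertyDifferences": []},
    {"LogicalResourceId": "AppRoute", "ResourceType": "AWS::EC2::Route",
     "StackResourceDriftStatus": "NOT_CHECKED"},
]


def summarize_drift(resource_drifts):
    """Group drift records by status and spell out each changed property.

    Returns {"drifted": [...], "in_sync": [...], "not_checked": [...]}; each
    drifted entry carries the logical id, type, status and a list of
    human-readable property differences.
    """
    report = {"drifted": [], "in_sync": [], "not_checked": []}
    for drift in resource_drifts:
        logical_id = drift["LogicalResourceId"]
        status = drift["StackResourceDriftStatus"]
        if status in DRIFTED_STATUSES:
            changes = [
                f'{p["PropertyPath"]} ({p["DifferenceType"]}): '
                f'expected {p.get("ExpectedValue")!r}, actual {p.get("ActualValue")!r}'
                for p in drift.get("PropertyDifferences", [])
            ]
            report["drifted"].append({"logical_id": logical_id,
                                      "type": drift["ResourceType"],
                                      "status": status, "changes": changes})
        elif status == "IN_SYNC":
            report["in_sync"].append(logical_id)
        else:  # NOT_CHECKED: unsupported resource type, drift unknown
            report["not_checked"].append(logical_id)
    return report


def run_drift_detection(stack_name, poll_seconds=5):
    """Start a drift detection run on a live stack, wait for it, summarize it."""
    import boto3  # imported here so summarize_drift() stays usable offline
    cfn = boto3.client("cloudformation")
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    while True:
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            break
        time.sleep(poll_seconds)
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
    drifts, token = [], None
    while True:  # manual NextToken pagination
        kwargs = {"StackName": stack_name}
        if token:
            kwargs["NextToken"] = token
        page = cfn.describe_stack_resource_drifts(**kwargs)
        drifts.extend(page["StackResourceDrifts"])
        token = page.get("NextToken")
        if not token:
            break
    return summarize_drift(drifts)


if __name__ == "__main__":
    for entry in summarize_drift(SAMPLE_DRIFTS)["drifted"]:
        print(entry["logical_id"], entry["status"], *entry["changes"], sep="\n  ")
```

Two caveats the report makes visible: a `NOT_CHECKED` status means the resource type is not supported by drift detection, so absence of drift there is unknown rather than confirmed, and detection only reports differences; restoring the template's state still takes a stack update that changes the affected resource's properties.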
4

If you mess with resources that CloudFormation deploys, the resources won't be recovered/restored/put into compliance. If you really need to enforce integrity, you will need to redeploy the stack.

Sirch
0

As far as I'm aware, CloudFormation will essentially enforce a "state of the world" and will correct misconfigured resources.

In your example, a deleted routing rule will be recreated. If someone has modified an ELB healthcheck, it will be reset back to the configuration declared in the template.

Craig Watson
  • 5
    I disagree. It may be the case for some resources but not others. For example, someone deleted a couple of CloudFormation-created Auto Scaling Groups on the console, and now the stack fails to update because it can't find them. – Jeff Strunk Aug 06 '15 at 15:21
  • 1
    @JeffStrunk that would be because CloudFormation will not recreate a resource if there were no changes to the properties of that resource. It does a diff of the template, not the actual resources to determine if it should trigger for those resources. So if you delete a resource and then change a property of that resource in your CloudFormation template, that resource will likely be recreated when the update action fails to find it. – JacksonHaenchen Aug 29 '19 at 15:51
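The last comment above describes the mechanism behind the whole thread: a stack update is planned from a diff of the old and new templates, not from the live resources. The script below is an added example that models that decision, not CloudFormation's own code, and the template contents and logical IDs (`WebSecurityGroup`, `WebAsg`) are constructed. Its one modelling assumption is that a resource is selected for update only when its definition in the proposed template differs from the deployed one; under that assumption, a resource deleted in the console but left unchanged in the template gets no action at all, an Outputs-only edit selects no resource, and changing a property of the deleted resource is what finally selects it.

```python
"""Model of how a stack update picks the resources it will act on.

Added example. This is a simplified model, not CloudFormation's algorithm:
only the deployed and proposed templates are compared, live state is never
read. Template contents are constructed sample data.
"""
import copy

# Constructed sample of the template CloudFormation last deployed
DEPLOYED_TEMPLATE = {
    "Resources": {
        "WebSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
        "WebAsg": {
            "Type": "AWS::AutoScaling::AutoScalingGroup",
            "Properties": {"MinSize": "1", "MaxSize": "3", "AvailabilityZones": ["us-east-1a"]},
        },
    },
    "Outputs": {},
}


def plan_update(deployed, proposed):
    """Classify every logical resource as add / modify / remove / untouched.

    Because only the two templates are compared, an out-of-band deletion is
    invisible here; the model returns the same plan whether or not the
    physical resource still exists.
    """
    old = deployed.get("Resources", {})
    new = proposed.get("Resources", {})
    plan = {"add": [], "modify": [], "remove": [], "untouched": []}
    for logical_id in sorted(set(old) | set(new)):
        if logical_id not in old:
            plan["add"].append(logical_id)
        elif logical_id not in new:
            plan["remove"].append(logical_id)
        elif old[logical_id] != new[logical_id]:
            plan["modify"].append(logical_id)
        else:
            plan["untouched"].append(logical_id)
    return plan


def with_output(template, name, value):
    """Copy of the template with one extra Output and no resource changes."""
    proposed = copy.deepcopy(template)
    proposed.setdefault("Outputs", {})[name] = {"Value": value}
    return proposed


def with_property(template, logical_id, key, value):
    """Copy of the template with one resource property changed."""
    proposed = copy.deepcopy(template)
    proposed["Resources"][logical_id]["Properties"][key] = value
    return proposed


def output_only_update():
    """Scenario 1: WebAsg was deleted in the console; we add only an Output."""
    proposed = with_output(DEPLOYED_TEMPLATE, "AsgName", {"Ref": "WebAsg"})
    return plan_update(DEPLOYED_TEMPLATE, proposed)


def property_change_update():
    """Scenario 2: same deletion, but a WebAsg property is changed as well."""
    proposed = with_property(DEPLOYED_TEMPLATE, "WebAsg", "MaxSize", "4")
    return plan_update(DEPLOYED_TEMPLATE, proposed)


if __name__ == "__main__":
    print("Outputs-only update:", output_only_update())
    print("Property change on deleted resource:", property_change_update())
```

In scenario 1 the plan lists both resources as untouched, so the missing Auto Scaling group is neither recreated nor reported; in scenario 2 `WebAsg` lands in `modify`, which is the point at which a real update goes looking for the physical resource and, as the comment says, either fails or recreates it.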