Introduction

Infrastructure as code is an excellent approach with many advantages, such as automating the deployment process and making the solution easier to maintain. Many tools support it nowadays, and the choice of a particular tool depends on requirements and personal preference. We can build AWS cloud infrastructure using native tools such as AWS CloudFormation or AWS CDK, or third-party tools such as Ansible, Terraform, or Pulumi.

In addition to the advantages, there are some things to be careful about when maintaining infrastructure this way. One of them is drift, i.e., manual changes made to infrastructure that was previously built using IaC. Regardless of the tool used, we are exposed to a scenario in which the infrastructure is defined and deployed as code and then modified by a programmer or administrator directly in the AWS Management Console or through AWS CLI calls. In this case the infrastructure code is not updated, and we may encounter unexpected problems during the next modification. It is worth protecting yourself against such situations and detecting them as early as possible.

Try Drift Detector out!

Automatically control your AWS account state!

Try now

How to detect the drift?

In the AWS cloud, CloudFormation groups individual resources into so-called stacks. We can check a specific stack for consistency between its deployed resources and the state defined in its template. We can do this using the AWS Management Console:

Detect drift AWS Console

If the checked stack has drifted, the drift detection results look like this:

Drift details in the AWS Management Console

We can also perform a similar operation using the AWS CLI:

$ aws cloudformation detect-stack-drift --stack-name ServerlessApiStack
{
    "StackDriftDetectionId": "324d20f0-817e-11eb-bbcc-0ad9a0231ad1"
}

$ aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-id 324d20f0-817e-11eb-bbcc-0ad9a0231ad1
{
    "StackId": "arn:aws:cloudformation:eu-west-1:<AccountId>:stack/ServerlessApiStack/965b0990-811f-11eb-ae0d-0a8c9dea2e67",
    "StackDriftDetectionId": "324d20f0-817e-11eb-bbcc-0ad9a0231ad1",
    "StackDriftStatus": "DRIFTED",
    "DetectionStatus": "DETECTION_COMPLETE",
    "DriftedStackResourceCount": 1,
    "Timestamp": "2021-03-10T08:54:17.471000+00:00"
}
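The same two calls driven from Python with boto3, extended to every stack in the account and to the per-resource listing (describe-stack-resource-drifts) that the CLI output above does not show. This is an added example, not Drift Detector's code; the sample API responses and the resource name ApiFunctionRole are constructed, and the key caveat it encodes is that StackDriftStatus is only meaningful after the detection run has reached DETECTION_COMPLETE, so the status call must be polled.

```python
import time
# Constructed sample, shaped like the describe-stack-drift-detection-status output above.
SAMPLE_STATUS = {
    "StackId": "arn:aws:cloudformation:eu-west-1:<AccountId>:stack/ServerlessApiStack/965b0990-811f-11eb-ae0d-0a8c9dea2e67",
    "StackDriftDetectionId": "324d20f0-817e-11eb-bbcc-0ad9a0231ad1",
    "StackDriftStatus": "DRIFTED", "DetectionStatus": "DETECTION_COMPLETE",
}
# Constructed sample of one describe-stack-resource-drifts entry (hypothetical resource ApiFunctionRole).
SAMPLE_DRIFTS = [{
    "LogicalResourceId": "ApiFunctionRole", "ResourceType": "AWS::IAM::Role",
    "StackResourceDriftStatus": "MODIFIED",
    "PropertyDifferences": [{"PropertyPath": "/ManagedPolicyArns/1", "DifferenceType": "ADD",
                             "ExpectedValue": None, "ActualValue": "arn:aws:iam::aws:policy/AdministratorAccess"}],
}]

def detection_finished(status):
    """StackDriftStatus is only meaningful once the detection run itself has ended."""
    return status["DetectionStatus"] in ("DETECTION_COMPLETE", "DETECTION_FAILED")

def stack_name(stack_id):
    # ARN form: arn:aws:cloudformation:<region>:<account>:stack/<name>/<uuid>
    return stack_id.split(":stack/")[1].split("/")[0]

def summarize(status, drifts):
    """Compact per-stack record: name, drift status, each drifted resource with its property changes."""
    return {"stack": stack_name(status["StackId"]), "status": status["StackDriftStatus"],
            "drifted_resources": [{"id": d["LogicalResourceId"], "type": d["ResourceType"],
                                   "drift": d["StackResourceDriftStatus"],
                                   "changes": [f'{p["DifferenceType"]} {p["PropertyPath"]} -> {p["ActualValue"]}'
                                               for p in d.get("PropertyDifferences", [])]}
                                  for d in drifts]}

def scan_stack(cfn, name, poll_seconds=5):
    """detect-stack-drift, poll describe-stack-drift-detection-status to completion, then list drifted resources."""
    det_id = cfn.detect_stack_drift(StackName=name)["StackDriftDetectionId"]
    while not detection_finished(status := cfn.describe_stack_drift_detection_status(StackDriftDetectionId=det_id)):
        time.sleep(poll_seconds)
    drifts = cfn.describe_stack_resource_drifts(
        StackName=name, StackResourceDriftStatusFilters=["MODIFIED", "DELETED"])["StackResourceDrifts"]
    return summarize(status, drifts)

def scan_account(region):
    """Whole-account sweep; returns only stacks that are not IN_SYNC (the 'hide IN_SYNC stacks' view)."""
    import boto3  # lazy import so the pure helpers above run without boto3 installed
    cfn = boto3.client("cloudformation", region_name=region)
    # detect_stack_drift rejects stacks that are mid-operation or deleted, so list only settled ones.
    settled = ["CREATE_COMPLETE", "UPDATE_COMPLETE", "UPDATE_ROLLBACK_COMPLETE", "IMPORT_COMPLETE"]
    reports = [scan_stack(cfn, s["StackName"])
               for page in cfn.get_paginator("list_stacks").paginate(StackStatusFilter=settled)
               for s in page["StackSummaries"]]
    return [r for r in reports if r["status"] != "IN_SYNC"]
```

The constructed drift record shows the kind of change that makes drift a security concern rather than a cosmetic one: a managed policy added to a role outside of the template.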

However, neither approach continuously monitors the entire account for this type of anomaly. Drift Detector solves this problem.

How does it work?

Drift Detector periodically checks for drift and notifies Slack when it finds any. To deploy this solution in your AWS account, install Drift Detector from the Serverless Application Repository:

Deploy Drift Detector using SAR

Or from the Drift Detector website:

Deploy Drift Detector using Landing Page

Both options allow you to configure the tool according to your preferences. Drift Detector checks the entire account for drift on the defined schedule. If it finds any, appropriately formatted messages appear in the chosen Slack channel. It is possible to display all resources included in a stack affected by drift.


Besides that, we can display only the drifted resources in a specific stack.


It is also possible to display only the stacks affected by drift, omitting stacks in the IN_SYNC status.

Summary

Drift Detector introduces continuous monitoring of the resources in an AWS account for the drift anomaly. It is worth introducing this type of process to gain better control over the state of your environment.
