As AWS CDK (Cloud Development Kit) continues to evolve, so does its tooling for keeping infrastructure consistent. A significant addition to the CDK CLI is the cdk drift command, introduced yesterday in version 2.1017.0 (build f227c9b). It provides drift detection, a critical feature for maintaining the integrity of your cloud resources. This blog post aims to demystify drift detection in AWS CDK, contrast it with the cdk diff command, and provide a practical example to illustrate its use.
What is Drift Detection?
Drift detection in AWS CloudFormation identifies discrepancies between the actual state of your stack resources and their expected configurations as defined in your templates. Such drifts often result from manual changes made outside the CDK or CloudFormation workflows, leading to potential inconsistencies, security vulnerabilities, or operational issues. The cdk drift command integrates with CloudFormation's drift detection capabilities, enabling CDK users to detect and address these inconsistencies directly from the CLI.
cdk drift vs. cdk diff: Understanding the Difference
While both cdk drift and cdk diff are tools for comparing infrastructure states, they serve distinct purposes:
cdk diff: Compares your local CDK application's synthesized CloudFormation template with the last deployed stack template. It highlights changes you intend to deploy but does not consider the current state of live resources. It is useful for previewing changes before deployment to avoid surprises.
cdk drift: Compares the last deployed stack template with the actual live configuration of resources in your AWS account. It detects changes made outside of the CDK or CloudFormation, such as manual modifications via the AWS Console or CLI.
In essence, cdk diff is proactive, showing what will change upon deployment, whereas cdk drift is reactive, revealing unauthorized or unintended changes that have already occurred.
Getting Started with cdk drift
To use the cdk drift command, make sure you're using AWS CDK CLI version 2.1017.0 or later:
npm install -g aws-cdk@2.1017.0
npx cdk --version
# Should output something like: 2.1017.0 (build f227c9b)
npx cdk -h # the command list now includes drift
POC: Detecting Drift in an S3 Bucket
- Let's walk through a scenario to understand how cdk drift operates. Define and deploy an S3 bucket using CDK:
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as s3 from 'aws-cdk-lib/aws-s3';

export class CdkdriftStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // The deployed template expects versioning to be enabled on this bucket;
    // that is the property we will later change by hand to produce drift.
    new s3.Bucket(this, 'MyBucket', {
      versioned: true,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
    });
  }
}

const app = new cdk.App();
new CdkdriftStack(app, 'CdkdriftStack');
- Deploy the stack, verify that the bucket was created, and run cdk diff.
- Now make a manual change: after deployment, open the AWS Console and disable versioning on the bucket.
- Run cdk diff again. It shows no difference, because your local CDK code still defines the bucket as versioned, and cdk diff only compares your local template with the last deployed template, which still expects versioning to be enabled. Now run cdk drift.
- This triggers drift detection against the live stack. It reports that the bucket's versioning property has drifted (disabled manually).
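The reporting step of the scenario above can be reproduced in code over the records CloudFormation returns from DescribeStackResourceDrifts, the API that cdk drift drives. This is an added example, not code from the post or from the aws-cdk project; the field names are those of the CloudFormation API, and the two sample records (the bucket's logical ID and the CDKMetadata resource) are constructed.

```typescript
// Added example, not from the original post or the aws-cdk project: a reporter over
// the record shape CloudFormation's DescribeStackResourceDrifts returns, the API that
// `cdk drift` drives. Field names follow that API; the sample records are constructed.
type DriftStatus = 'IN_SYNC' | 'MODIFIED' | 'DELETED' | 'NOT_CHECKED';
interface PropertyDifference {
  PropertyPath: string;
  ExpectedValue?: string;
  ActualValue?: string;
  DifferenceType: 'ADD' | 'REMOVE' | 'NOT_EQUAL';
}
interface StackResourceDrift {
  LogicalResourceId: string;
  ResourceType: string;
  StackResourceDriftStatus: DriftStatus;
  PropertyDifferences?: PropertyDifference[];
}
export interface Finding { logicalId: string; resourceType: string; status: DriftStatus; details: string[] }

// IN_SYNC resources are not findings. NOT_CHECKED means CloudFormation cannot detect
// drift for that type, so it is reported as a blind spot rather than silently dropped.
export function summarizeDrift(drifts: StackResourceDrift[]): Finding[] {
  const findings: Finding[] = [];
  for (const d of drifts) {
    const status = d.StackResourceDriftStatus;
    if (status === 'IN_SYNC') continue;
    const details: string[] = [];
    if (status === 'DELETED') details.push('resource deleted outside CloudFormation');
    if (status === 'NOT_CHECKED') details.push('drift detection not supported for this type');
    for (const p of d.PropertyDifferences ?? []) {
      if (p.DifferenceType === 'NOT_EQUAL') details.push(`${p.PropertyPath}: expected ${p.ExpectedValue}, actual ${p.ActualValue}`);
      else if (p.DifferenceType === 'REMOVE') details.push(`${p.PropertyPath}: removed (expected ${p.ExpectedValue})`);
      else details.push(`${p.PropertyPath}: added out of band (${p.ActualValue})`);
    }
    findings.push({ logicalId: d.LogicalResourceId, resourceType: d.ResourceType, status, details });
  }
  return findings;
}
// True when any resource was modified or deleted, i.e. the live stack no longer
// matches what was deployed and a pipeline gate should fail.
export function hasDrift(findings: Finding[]): boolean {
  return findings.some(f => f.status === 'MODIFIED' || f.status === 'DELETED');
}
// Constructed sample: the post's bucket after versioning was suspended in the console.
export const sampleDrifts: StackResourceDrift[] = [
  { LogicalResourceId: 'MyBucket', ResourceType: 'AWS::S3::Bucket', StackResourceDriftStatus: 'MODIFIED',
    PropertyDifferences: [{ PropertyPath: '/VersioningConfiguration/Status', ExpectedValue: 'Enabled',
      ActualValue: 'Suspended', DifferenceType: 'NOT_EQUAL' }] },
  { LogicalResourceId: 'CDKMetadata', ResourceType: 'AWS::CDK::Metadata', StackResourceDriftStatus: 'NOT_CHECKED' },
];
```

Feeding the real API response (its StackResourceDrifts array) to summarizeDrift gives the same per-resource view that cdk drift prints, and hasDrift is the condition to fail a scheduled check on.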
The introduction of the cdk drift command enhances AWS CDK's capabilities, providing developers with a powerful tool to ensure their infrastructure remains consistent with defined configurations. By understanding and utilizing drift detection, teams can proactively manage their cloud resources, reduce unexpected issues, and maintain compliance with organizational standards.