https://github.com/iann0036/cfn-remediate-drift

Automated CloudFormation drift remediation using Import functionality

# CloudFormation Remediate Drift

**Update 2022: Check out https://github.com/WeAreCloudar/cfn-drift-remediation for a new, better way to achieve this**

The script programmatically performs the following steps:

* Check the stack for drifted resources
* Using CloudFormation outputs, resolve any references to the drifted resources and temporarily replace those references with their resolved values
* Remove any *supported* drifted resources from the stack, whilst retaining the underlying resource
* Import the resources, with their current state, back into the stack
* Update the stack back to its original template, effectively remediating the resources

> :exclamation: This script is not thoroughly tested and you should attempt to use this on a non-critical resource before real-world usage as some resources refuse to re-import for a variety of reasons. I am not responsible for your data loss.
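The steps above can be modelled without touching AWS, which is a useful way to sanity-check what the process will do to a stack before running it against a real one. The following is an added example written for this page, not the project's own `index.py`: it takes a template and a list of drift results (in the shape `describe_stack_resource_drifts` returns) and produces the sequence of templates and the `ResourcesToImport` specification that the five steps would apply. The helper names, the small `IMPORT_IDENTIFIERS` table, the `TmpDrift` output prefix and the sample stack are all assumptions of this example; in practice the `RESOLVED` values would be read from the stack's outputs after the preparation update has run.

```python
"""Offline model of the five-step remediation plan (added example; assumed helper names)."""
import copy
import json

# Import identifier per resource type for the types used here. These three identifiers are
# the real ones for these types; the project's own supported list is much longer.
IMPORT_IDENTIFIERS = {
    "AWS::S3::Bucket": "BucketName",
    "AWS::SQS::Queue": "QueueUrl",
    "AWS::SNS::Topic": "TopicArn",
}


def drifted_importable(drifts):
    """Step 1: keep only MODIFIED resources of a type that can be imported."""
    return [d for d in drifts if d["StackResourceDriftStatus"] == "MODIFIED"
            and d["ResourceType"] in IMPORT_IDENTIFIERS]


def _getatt(arg):
    # Fn::GetAtt is written as ["Logical", "Attr"] or as the short "Logical.Attr" string
    parts = arg if isinstance(arg, list) else arg.split(".", 1)
    return parts[0], (parts[1] if len(parts) > 1 else None)


def output_name(logical, attr):
    return "TmpDrift" + logical + (attr or "")  # assumed prefix for the temporary outputs


def collect_refs(node, ids, found):
    """Record every Ref / Fn::GetAtt in `node` that points at one of `ids`."""
    if isinstance(node, dict):
        if "Ref" in node and node["Ref"] in ids:
            found.add((node["Ref"], None))
        elif "Fn::GetAtt" in node and _getatt(node["Fn::GetAtt"])[0] in ids:
            found.add(_getatt(node["Fn::GetAtt"]))
        for v in node.values():
            collect_refs(v, ids, found)
    elif isinstance(node, list):
        for v in node:
            collect_refs(v, ids, found)
    return found


def dereference(node, ids, values):
    """Replace references to drifted resources with the literals read back from the outputs."""
    if isinstance(node, dict):
        if "Ref" in node and node["Ref"] in ids:
            return values[output_name(node["Ref"], None)]
        if "Fn::GetAtt" in node and _getatt(node["Fn::GetAtt"])[0] in ids:
            return values[output_name(*_getatt(node["Fn::GetAtt"]))]
        return {k: dereference(v, ids, values) for k, v in node.items()}
    if isinstance(node, list):
        return [dereference(v, ids, values) for v in node]
    return node


def prepare_template(template, ids):
    """Step 2: one temporary output per reference (so live values can be read back) and
    DeletionPolicy Retain on the drifted resources, so removing them keeps the real resource."""
    t = copy.deepcopy(template)
    t.setdefault("Outputs", {})
    for logical, attr in collect_refs(template, ids, set()):
        value = {"Ref": logical} if attr is None else {"Fn::GetAtt": [logical, attr]}
        t["Outputs"][output_name(logical, attr)] = {"Value": value}
    for logical in ids:
        t["Resources"][logical]["DeletionPolicy"] = "Retain"
    return t


def removal_template(template, ids, values):
    """Step 3: drop the drifted resources; everything that pointed at them now holds literals."""
    t = copy.deepcopy(template)
    for logical in ids:
        del t["Resources"][logical]
    return dereference(t, ids, values)


def import_template(removal, drifts):
    """Step 4: add the resources back with their live ActualProperties (import requires Retain)."""
    t = copy.deepcopy(removal)
    for d in drifts:
        t["Resources"][d["LogicalResourceId"]] = {
            "Type": d["ResourceType"], "DeletionPolicy": "Retain",
            "Properties": json.loads(d["ActualProperties"])}
    return t


def import_spec(drifts):
    """ResourcesToImport for the IMPORT change set that accompanies import_template()."""
    return [{"ResourceType": d["ResourceType"], "LogicalResourceId": d["LogicalResourceId"],
             "ResourceIdentifier": {IMPORT_IDENTIFIERS[d["ResourceType"]]: d["PhysicalResourceId"]}}
            for d in drifts]


def plan(template, drifts, resolved):
    """Every artefact in the order it would be applied; step 5 is the original template again."""
    todo = drifted_importable(drifts)
    ids = {d["LogicalResourceId"] for d in todo}
    removal = removal_template(template, ids, resolved)
    return {"ids": sorted(ids), "prepare": prepare_template(template, ids), "removal": removal,
            "import": import_template(removal, todo), "import_spec": import_spec(todo),
            "final": template}


# Constructed sample: a queue subscribed to a topic; the queue's timeout was changed by hand.
TEMPLATE = {
    "Resources": {
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {"VisibilityTimeout": 30}},
        "Topic": {"Type": "AWS::SNS::Topic", "Properties": {}},
        "Sub": {"Type": "AWS::SNS::Subscription", "Properties": {
            "Protocol": "sqs", "TopicArn": {"Ref": "Topic"},
            "Endpoint": {"Fn::GetAtt": ["Queue", "Arn"]}}},
    },
    "Outputs": {"QueueUrl": {"Value": {"Ref": "Queue"}}},
}
DRIFTS = [  # constructed, in the shape describe_stack_resource_drifts returns
    {"LogicalResourceId": "Queue", "ResourceType": "AWS::SQS::Queue",
     "PhysicalResourceId": "https://sqs.us-east-1.amazonaws.com/123456789012/my-queue",
     "StackResourceDriftStatus": "MODIFIED", "ActualProperties": '{"VisibilityTimeout": 120}'},
    {"LogicalResourceId": "Topic", "ResourceType": "AWS::SNS::Topic",
     "PhysicalResourceId": "arn:aws:sns:us-east-1:123456789012:my-topic",
     "StackResourceDriftStatus": "IN_SYNC", "ActualProperties": "{}"},
]
# What the temporary outputs would report once the step-2 update has run (constructed here).
RESOLVED = {"TmpDriftQueue": "https://sqs.us-east-1.amazonaws.com/123456789012/my-queue",
            "TmpDriftQueueArn": "arn:aws:sqs:us-east-1:123456789012:my-queue"}

if __name__ == "__main__":
    print(json.dumps(plan(TEMPLATE, DRIFTS, RESOLVED), indent=2))
```

Running it prints the preparation, removal and import templates for the sample stack: `Sub`'s `Endpoint` becomes the literal queue ARN while its `Ref` to the non-drifted `Topic` is left alone, and the import template carries the live `VisibilityTimeout` of 120 rather than the template's 30. Like the project, this model only rewrites `Ref` and `Fn::GetAtt`; a reference buried inside an `Fn::Sub` string is not dereferenced, which is the same limitation listed under Known Issues.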

## Usage

```
python3 index.py MyStackName
```

or to specify a region

```
python3 index.py MyStackName us-east-1
```

### Supported Resources

The following resources are supported for import operations (other resources will be ignored, even if drift is detected):

* AWS::ACMPCA::Certificate
* AWS::ACMPCA::CertificateAuthority
* AWS::ACMPCA::CertificateAuthorityActivation
* AWS::AccessAnalyzer::Analyzer
* AWS::ApiGateway::Authorizer
* AWS::ApiGateway::Deployment
* AWS::ApiGateway::Method
* AWS::ApiGateway::Model
* AWS::ApiGateway::RequestValidator
* AWS::ApiGateway::Resource
* AWS::ApiGateway::RestApi
* AWS::ApiGateway::Stage
* AWS::Athena::DataCatalog
* AWS::Athena::NamedQuery
* AWS::Athena::WorkGroup
* AWS::AutoScaling::AutoScalingGroup
* AWS::AutoScaling::LaunchConfiguration
* AWS::AutoScaling::LifecycleHook
* AWS::AutoScaling::ScalingPolicy
* AWS::AutoScaling::ScheduledAction
* AWS::CE::CostCategory
* AWS::Cassandra::Keyspace
* AWS::Cassandra::Table
* AWS::Chatbot::SlackChannelConfiguration
* AWS::CloudFormation::Stack
* AWS::CloudTrail::Trail
* AWS::CloudWatch::Alarm
* AWS::CloudWatch::CompositeAlarm
* AWS::CodeGuruProfiler::ProfilingGroup
* AWS::CodeStarConnections::Connection
* AWS::Config::ConformancePack
* AWS::Config::OrganizationConformancePack
* AWS::Detective::Graph
* AWS::Detective::MemberInvitation
* AWS::DynamoDB::Table
* AWS::EC2::EIP
* AWS::EC2::FlowLog
* AWS::EC2::GatewayRouteTableAssociation
* AWS::EC2::Instance
* AWS::EC2::InternetGateway
* AWS::EC2::LocalGatewayRoute
* AWS::EC2::LocalGatewayRouteTableVPCAssociation
* AWS::EC2::NatGateway
* AWS::EC2::NetworkAcl
* AWS::EC2::NetworkInterface
* AWS::EC2::PrefixList
* AWS::EC2::RouteTable
* AWS::EC2::SecurityGroup
* AWS::EC2::Subnet
* AWS::EC2::VPC
* AWS::EC2::Volume
* AWS::ECS::CapacityProvider
* AWS::ECS::Cluster
* AWS::ECS::PrimaryTaskSet
* AWS::ECS::Service
* AWS::ECS::TaskDefinition
* AWS::ECS::TaskSet
* AWS::EFS::AccessPoint
* AWS::EFS::FileSystem
* AWS::ElasticLoadBalancing::LoadBalancer
* AWS::ElasticLoadBalancingV2::Listener
* AWS::ElasticLoadBalancingV2::ListenerRule
* AWS::ElasticLoadBalancingV2::LoadBalancer
* AWS::EventSchemas::RegistryPolicy
* AWS::Events::Rule
* AWS::FMS::NotificationChannel
* AWS::FMS::Policy
* AWS::GlobalAccelerator::Accelerator
* AWS::GlobalAccelerator::EndpointGroup
* AWS::GlobalAccelerator::Listener
* AWS::ImageBuilder::Component
* AWS::ImageBuilder::DistributionConfiguration
* AWS::ImageBuilder::Image
* AWS::ImageBuilder::ImagePipeline
* AWS::ImageBuilder::ImageRecipe
* AWS::ImageBuilder::InfrastructureConfiguration
* AWS::IoT::ProvisioningTemplate
* AWS::IoT::Thing
* AWS::KinesisFirehose::DeliveryStream
* AWS::Lambda::Alias
* AWS::Lambda::Function
* AWS::Lambda::Version
* AWS::Logs::LogGroup
* AWS::Logs::MetricFilter
* AWS::Logs::SubscriptionFilter
* AWS::Macie::CustomDataIdentifier
* AWS::Macie::FindingsFilter
* AWS::Macie::Session
* AWS::NetworkManager::CustomerGatewayAssociation
* AWS::NetworkManager::Device
* AWS::NetworkManager::GlobalNetwork
* AWS::NetworkManager::Link
* AWS::NetworkManager::LinkAssociation
* AWS::NetworkManager::Site
* AWS::NetworkManager::TransitGatewayRegistration
* AWS::QLDB::Stream
* AWS::RDS::DBCluster
* AWS::RDS::DBInstance
* AWS::RDS::DBProxy
* AWS::RDS::DBProxyTargetGroup
* AWS::ResourceGroups::Group
* AWS::Route53::HostedZone
* AWS::S3::AccessPoint
* AWS::S3::Bucket
* AWS::SES::ConfigurationSet
* AWS::SNS::Topic
* AWS::SQS::Queue
* AWS::SSM::Association
* AWS::ServiceCatalog::CloudFormationProvisionedProduct
* AWS::Synthetics::Canary
* AWS::WAFv2::IPSet
* AWS::WAFv2::RegexPatternSet
* AWS::WAFv2::RuleGroup
* AWS::WAFv2::WebACL
* AWS::WAFv2::WebACLAssociation
* AWS::IAM::Group
* AWS::IAM::InstanceProfile
* AWS::IAM::Role
* AWS::IAM::User
* AWS::IAM::ManagedPolicy

### Known Issues

* Stacks with a large number of drifted resources may fail with an error about too many outputs, because the temporary outputs added in the reference-extraction step count against the template's output limit
* Drifted resources referenced from within an `Fn::Sub` string may cause the process to fail, as those references are not dereferenced