

# Detect unmanaged configuration changes to stacks and resources with drift detection
<a name="using-cfn-stack-drift"></a>

Even as you manage your resources through CloudFormation, users can change those resources outside of CloudFormation. Users can edit resources directly by using the underlying service that created the resource. For example, you can use the Amazon EC2 console to update a server instance that was created as part of a CloudFormation stack. Some changes may be accidental, and some may be made intentionally to respond to time-sensitive operational events. Regardless, changes made outside of CloudFormation can complicate stack update or deletion operations. You can use drift detection to identify stack resources to which configuration changes have been made outside of CloudFormation management. You can then take corrective action so that your stack resources are again in sync with their definitions in the stack template, such as updating the drifted resources directly so that they agree with their template definition. Resolving drift helps to ensure configuration consistency and successful stack operations.

**Topics**
+ [What is drift?](#what-is-drift)
+ [Drift detection status codes](#drift-status-codes)
+ [Considerations when detecting drift](#drift-considerations)
+ [Detect drift on an entire CloudFormation stack](detect-drift-stack.md)
+ [Detect drift on individual stack resources](detect-drift-resource.md)
+ [Resolve drift with an import operation](resource-import-resolve-drift.md)

## What is drift?
<a name="what-is-drift"></a>

Drift detection enables you to detect whether a stack's actual configuration differs, or has *drifted*, from its expected configuration. Use CloudFormation to detect drift on an entire stack, or on individual resources within the stack. A resource is considered to have drifted if any of its actual property values differ from the expected property values. This includes if the property or resource has been deleted. A stack is considered to have drifted if one or more of its resources have drifted.

To determine whether a resource has drifted, CloudFormation determines the expected resource property values, as defined in the stack template and any values specified as template parameters. CloudFormation then compares those expected values with the actual values of those resource properties as they currently exist in the stack. A resource is considered to have drifted if one or more of its properties have been deleted, or had their value changed.

CloudFormation generates detailed information on each resource in the stack that has drifted.

CloudFormation detects drift on those AWS resources that support drift detection. Resources that don't support drift detection are assigned a drift status of `NOT_CHECKED`. For a list of AWS resources that support drift detection, see [Resource type support](resource-import-supported-resources.md).

In addition, CloudFormation supports drift detection on private resource types that are *provisionable*; that is, whose provisioning type is either `FULLY_MUTABLE` or `IMMUTABLE`. To perform drift detection on a resource of a private resource type, the default version of the resource type that you have registered in your account must be provisionable. For more information on resource provisioning types, see the `ProvisioningType` parameter of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DescribeType.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DescribeType.html) action in the *AWS CloudFormation API Reference* and of the [https://docs.aws.amazon.com/cli/latest/reference/cloudformation/describe-type.html](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/describe-type.html) command in the *AWS CLI Command Reference*. For more information on private resources, see [Managing extensions with the CloudFormation registry](registry.md).

You can perform drift detection on stacks with the following statuses: `CREATE_COMPLETE`, `UPDATE_COMPLETE`, `UPDATE_ROLLBACK_COMPLETE`, and `UPDATE_ROLLBACK_FAILED`.

When detecting drift on a stack, CloudFormation does not detect drift on any nested stacks that belong to that stack. For more information, see [Split a template into reusable pieces using nested stacks](using-cfn-nested-stacks.md). Instead, you can initiate a drift detection operation directly on the nested stack.

**Note**  
CloudFormation only determines drift for property values that are explicitly set, either through the stack template or by specifying template parameters. This doesn't include default values for resource properties. To have CloudFormation track a resource property for purposes of determining drift, explicitly set the property value, even if you are setting it to the default value. CloudFormation also detects drift on stack-level tags.

## Drift detection status codes
<a name="drift-status-codes"></a>

The tables in this section describe the various status types used with drift detection:
+ **Drift detection operation status** describes the current state of the drift operation.
+ **Drift status** 

  For stack sets, this describes the drift status of the stack set as a whole, based on the drift status of the stack instances that belong to it.

  For stack instances, this describes the drift status of the stack instance, based on the drift status of its associated stack.

  For stacks, this describes the drift status of the stack as a whole, based on the drift status of its resources.
+ **Resource drift status** describes the drift status of an individual resource.

The following table lists the status codes CloudFormation assigns to stack drift detection operations.


| Drift detection operation status | Description | 
| --- | --- | 
|  `DETECTION_COMPLETE`  |  The stack drift detection operation has successfully completed for all resources in the stack that support drift detection.  | 
|  `DETECTION_FAILED`  |  The stack drift detection operation has failed for at least one resource in the stack. Results will be available for resources on which CloudFormation successfully completed drift detection.  | 
|  `DETECTION_IN_PROGRESS`  |  The stack drift detection operation is currently in progress.  | 

The following table lists the drift status codes CloudFormation assigns to stacks.


| Drift status | Description | 
| --- | --- | 
|  `DRIFTED`  |  For stacks: The stack differs, or has *drifted*, from its expected template configuration. A stack is considered to have drifted if one or more of its resources have drifted. For stack instances: A stack instance is considered to have drifted if the stack associated with it has drifted. For stack sets: A stack set is considered to have drifted if one or more stack instances has drifted.  | 
|  `NOT_CHECKED`  |  CloudFormation has not checked if the stack, stack set, or stack instance differs from its expected template configuration.  | 
|  `IN_SYNC`  |  The current configuration of each supported resource matches its expected template configuration. A stack, stack set, or stack instance with no resources that support drift detection will also have a status of `IN_SYNC`.  | 

The following table lists the drift status codes CloudFormation assigns to stack resources.


| Resource drift status | Description | 
| --- | --- | 
|  `DELETED`  |  The resource differs from its expected template configuration because the resource has been deleted.  | 
|  `MODIFIED`  |  The resource differs from its expected template configuration.  | 
|  `NOT_CHECKED`  |  CloudFormation has not checked if the resource differs from its expected template configuration.  | 
|  `IN_SYNC`  |  The resource's current configuration matches its expected template configuration.  | 

The following table lists the difference-type status codes CloudFormation assigns to resource properties that differ from their expected template configuration.


| Property difference types | Description | 
| --- | --- | 
|  `ADD`  |  A value has been added to a resource property that's an array or list data type.   | 
|  `REMOVE`  |  The property has been removed from the current resource configuration.  | 
|  `NOT_EQUAL`  |  The current property value differs from its expected value as defined in the stack template.  | 
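
The following script is an added example (not CloudFormation's own implementation) that models the property comparison behind these status codes: it walks the expected configuration, treats keys that exist only on the live resource as service defaults rather than drift (the note above), reports extra list entries as `ADD`, missing properties as `REMOVE`, and changed scalars as `NOT_EQUAL` with JSON-pointer style `PropertyPath` values, and then derives the resource and stack drift statuses from the tables above. The sample queue configuration is reconstructed from the `describe-stack-resource-drifts` output shown later on this page.

```python
"""Model of the property comparison behind CloudFormation drift results.

Added example, not CloudFormation's own code. Rules follow this page: only
properties explicitly present in the expected (template-derived) document are
compared, nested objects are walked, list entries may be added or removed.
"""
import json
from typing import Any, Optional


def _render(value: Any) -> Optional[str]:
    """CloudFormation reports ExpectedValue/ActualValue as strings."""
    if value is None:
        return None
    return value if isinstance(value, str) else json.dumps(value)


def _difference(path: str, expected: Any, actual: Any, kind: str) -> dict:
    return {"PropertyPath": path, "ExpectedValue": _render(expected),
            "ActualValue": _render(actual), "DifferenceType": kind}


def diff_properties(expected: Any, actual: Any, path: str = "") -> list:
    """Return the PropertyDifferences between expected and actual properties."""
    diffs = []
    if isinstance(expected, dict) and isinstance(actual, dict):
        # Keys present only in `actual` are service defaults, not drift:
        # drift is only tracked for values explicitly set in the template.
        for key, exp_val in expected.items():
            child = f"{path}/{key}"
            if key not in actual:
                diffs.append(_difference(child, exp_val, None, "REMOVE"))
            else:
                diffs.extend(diff_properties(exp_val, actual[key], child))
        return diffs
    if isinstance(expected, list) and isinstance(actual, list):
        for i, exp_item in enumerate(expected):
            child = f"{path}/{i}"
            if i >= len(actual):
                diffs.append(_difference(child, exp_item, None, "REMOVE"))
            else:
                diffs.extend(diff_properties(exp_item, actual[i], child))
        # Extra entries in the live list are reported as ADD.
        for i in range(len(expected), len(actual)):
            diffs.append(_difference(f"{path}/{i}", None, actual[i], "ADD"))
        return diffs
    # Scalars (or a type mismatch) are compared literally, so "1GB" and
    # "1024 MB" count as NOT_EQUAL even though they mean the same size.
    if expected != actual:
        diffs.append(_difference(path or "/", expected, actual, "NOT_EQUAL"))
    return diffs


def resource_drift_status(expected: dict, actual: Optional[dict]) -> str:
    """DELETED if the live resource is gone, MODIFIED if any property differs."""
    if actual is None:
        return "DELETED"
    return "MODIFIED" if diff_properties(expected, actual) else "IN_SYNC"


def stack_drift_status(resource_statuses) -> str:
    """DRIFTED if any resource is MODIFIED or DELETED; NOT_CHECKED resources
    do not count, and a stack with no checked resources is IN_SYNC."""
    if any(s in ("MODIFIED", "DELETED") for s in resource_statuses):
        return "DRIFTED"
    return "IN_SYNC"


# Constructed sample, reconstructed from the SQS queue drift output on this page.
EXPECTED_QUEUE = {
    "ReceiveMessageWaitTimeSeconds": 0, "DelaySeconds": 20,
    "RedrivePolicy": {"deadLetterTargetArn": "arn:aws:sqs:us-east-1:099908667365:"
                      "my-stack-with-resource-drift-DLQ-1BCY7HHD5QIM3",
                      "maxReceiveCount": 10},
    "MessageRetentionPeriod": 345600, "MaximumMessageSize": 262144,
    "VisibilityTimeout": 60,
    "QueueName": "my-stack-with-resource-drift-Queue-494PBHCO76H4",
}
ACTUAL_QUEUE = {**EXPECTED_QUEUE, "DelaySeconds": 120,
                "RedrivePolicy": {**EXPECTED_QUEUE["RedrivePolicy"],
                                  "maxReceiveCount": 12}}

if __name__ == "__main__":
    for d in diff_properties(EXPECTED_QUEUE, ACTUAL_QUEUE):
        print(d)
    print(resource_drift_status(EXPECTED_QUEUE, ACTUAL_QUEUE))
```

Run as-is, it prints the same two `NOT_EQUAL` differences (`/DelaySeconds` and `/RedrivePolicy/maxReceiveCount`) that the CLI output later on this page reports, and a `MODIFIED` resource status.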

## Considerations when detecting drift
<a name="drift-considerations"></a>

In order to successfully perform drift detection on a stack, a user must have the following permissions:
+ Read permission for each resource that supports drift detection included in the stack. For example, if the stack includes an `AWS::EC2::Instance` resource, you must have `ec2:DescribeInstances` permission to perform drift detection on the stack.
+ `cloudformation:DetectStackDrift`
+ `cloudformation:DetectStackResourceDrift`
+ `cloudformation:BatchDescribeTypeConfigurations`

For more information about setting permissions in CloudFormation, see [Control CloudFormation access with AWS Identity and Access Management](control-access-with-iam.md).

In certain edge cases, CloudFormation may not always be able to return accurate drift results. You should be aware of these edge cases in order to properly interpret your drift detection results.
+ In certain cases, objects contained in property arrays will be reported as drift, when in actuality they're default values supplied to the property from the underlying service responsible for the resource.
+ Certain resources have attachment relationships with related resources, such that a resource may actually attach or remove property values for another resource, defined in the same or another template. For example, the `AWS::EC2::SecurityGroupIngress` and `AWS::EC2::SecurityGroupEgress` resources may be used to attach and remove values from `AWS::EC2::SecurityGroup` resources. In these cases, CloudFormation analyses the stack template for attachments before performing the drift comparison. However, CloudFormation can't perform this analysis across stacks, and so may not return accurate drift results where resources that are attached reside in different stacks.

  Resources that support drift detection and allow or require attachments from other resources include:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html)
+ CloudFormation does not perform drift detection on the `KMSKeyId` property of any resources. Because AWS KMS keys can be referenced by multiple aliases, CloudFormation can't guarantee consistently accurate drift results for this property.
+ There are certain resource properties that you can specify in your stack template that, by their very nature, CloudFormation will not be able to compare to the properties in the resulting stack resources. These properties therefore cannot be included in drift detection results. Such properties fall into two broad categories:
  + Property values that CloudFormation cannot map back to their initial resource property value in the stack template.

    For example, CloudFormation cannot map the source code of a Lambda function back to the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-lambda-function-code.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-lambda-function-code.html) property type of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html) resource, and therefore CloudFormation can't include it in drift detection results. 
  + Property values that the service that is responsible for the resource doesn't return.

    There are certain property values that, by design, are never returned by the service to which the resource belongs. These tend to contain confidential information, such as passwords or other sensitive data that shouldn't be exposed. For example, the IAM service will never return the value of the `Password` property of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-iam-user-loginprofile.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-iam-user-loginprofile.html) property type, and therefore CloudFormation can't include it in drift detection results.
  + Objects in an array may actually be service defaults rather than drift introduced by a manual change.
+ If you encounter any false positive, send us your comments using the feedback link in the CloudFormation console, or reach out to us through [AWS re:Post](https://repost.aws/).
+ Some properties can have input values that are equal but not identical. To avoid false positives, you should ensure that your expected configuration matches the actual configuration.
  + For example, the expected configuration of a resource property can be 1024 MB and the actual configuration of the same resource property can be 1GB. 1024 MB and 1GB are equal but not identical.

    When drift detection runs on this resource property, it will signal drifted results.

    To avoid this false positive, change the expected configuration of the resource property to 1024MB and then run drift detection.

# Detect drift on an entire CloudFormation stack
<a name="detect-drift-stack"></a>

Performing a drift detection operation on a stack determines whether the stack has drifted from its expected template configuration, and returns detailed information about the drift status of each resource in the stack that supports drift detection.

**To detect drift on an entire stack using the AWS Management Console**

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. From the list of stacks, select the stack on which you want to perform drift detection. In the stack details pane, choose **Stack actions**, and then choose **Detect drift**.  
![\[The Detect drift for current stack command selected on the Stack actions menu for the selected stack.\]](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/console-stacks-actions-detect-drift-1.png)

   CloudFormation displays an information bar stating that drift detection has been initiated for the selected stack.

1. Wait until CloudFormation completes the drift detection operation. When the drift detection operation completes, CloudFormation updates **Drift status** and **Last drift check time** for your stack. These fields are listed in the **Overview** section of the **Stack info** pane of the stack details page.

   The drift detection operation may take several minutes, depending on the number of resources included in the stack. You can only run a single drift detection operation on a given stack at the same time. CloudFormation continues the drift detection operation even after you dismiss the information bar.

1. Review the drift detection results for the stack and its resources. With your stack selected, from the **Stack actions** menu select **View drift results**.

   CloudFormation lists the overall drift status of the stack, in addition to the last time drift detection was initiated on the stack or any of its individual resources. A stack is considered to have drifted if one or more of its resources have drifted.  
![\[The Drifts page for the selected stack, showing overall stack drift status, drift detection status, and the last time drift detection was initiated on the stack or any of its individual resources.\]](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/console-stacks-drifts-overview-1.png)

   In the **Resource drift status** section, CloudFormation lists each stack resource, its drift status, and the last time drift detection was initiated on the resource. The logical ID and physical ID of each resource is displayed to help you identify them. In addition, for resources with a status of **MODIFIED**, CloudFormation displays resource drift details.

   You can sort the resources based on their drift status using the **Drift status** column.

   1. To view the details of a modified resource:

     1. With the modified resource selected, select **View drift details**.

       CloudFormation displays the drift detail page for that resource. This page lists the resource's expected and current property values, and any differences between the two.

       To highlight a difference, in the **Differences** section select the property name.
       + Added properties are highlighted in green in the **Current** column of the **Details** section.
       + Deleted properties are highlighted in red in the **Expected** column of the **Details** section.
       + Properties whose values have changed are highlighted in yellow in both the **Expected** and **Current** columns.  
![\[The Resource drift status section of the Drift Details page, which contains drift information for each resource in the stack that supports drift detection. Details include drift status and expected and current property values.\]](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/console-stacks-drifts-drift-details-differences-1.png)

**To detect drift on an entire stack using the AWS CLI**
**Important**  
Review the **Last drift check time** for the stack and confirm that it's earlier than the timestamp shown in the resource drift results to prevent the use of stale data.

To detect drift on an entire stack using the AWS CLI, use the following AWS CLI commands:
+ **detect-stack-drift** to initiate a drift detection operation on a stack.
+ **describe-stack-drift-detection-status** to monitor the status of the stack drift detection operation.
+ **describe-stack-resource-drifts** to review the details of the stack drift detection operation.

1. Use the **detect-stack-drift** command to detect drift on an entire stack. Specify the stack name or ARN. You can also specify the logical IDs of any specific resources that you want to use as filters for this drift detection operation.

   ```
   aws cloudformation detect-stack-drift --stack-name my-stack-with-resource-drift
   ```

   Output:

   ```
   {
       "StackDriftDetectionId": "624af370-311a-11e8-b6b7-500cexample"
   }
   ```

1. Because stack drift detection operations can be long-running, use **describe-stack-drift-detection-status** to monitor the status of drift operation. This command takes the stack drift detection ID returned by the **detect-stack-drift** command.

   In the example below, we've taken the stack drift detection ID returned by the **detect-stack-drift** example above and passed it as a parameter to **describe-stack-drift-detection-status**. The command returns operation details that show that the drift detection operation has completed, a single stack resource has drifted, and that the entire stack is considered to have drifted as a result.

   ```
   aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-id 624af370-311a-11e8-b6b7-500cexample
   ```

   Output:

   ```
   {
       "StackId": "arn:aws:cloudformation:us-east-1:099908667365:stack/my-stack-with-resource-drift/489e5570-df85-11e7-a7d9-50example", 
       "StackDriftDetectionId": "624af370-311a-11e8-b6b7-500cexample", 
       "StackDriftStatus": "DRIFTED", 
       "Timestamp": "2018-03-26T17:23:22.279Z", 
       "DetectionStatus": "DETECTION_COMPLETE", 
       "DriftedStackResourceCount": 1
   }
   ```

1. When the stack drift detection operation is complete, use the **describe-stack-resource-drifts** command to review the results, including actual and expected property values for resources that have drifted.

   The example below uses the `--stack-resource-drift-status-filters` option to request stack drift information for those resources that have been modified or deleted. The request returns information on the one resource that has been modified, including details about two of its properties whose values have been changed. No resources have been deleted.

   ```
   aws cloudformation describe-stack-resource-drifts --stack-name my-stack-with-resource-drift --stack-resource-drift-status-filters MODIFIED DELETED
   ```

   Output:

   ```
   {
       "StackResourceDrifts": [
           {
               "StackId": "arn:aws:cloudformation:us-east-1:099908667365:stack/my-stack-with-resource-drift/489e5570-df85-11e7-a7d9-50example", 
               "ActualProperties": "{\"ReceiveMessageWaitTimeSeconds\":0,\"DelaySeconds\":120,\"RedrivePolicy\":{\"deadLetterTargetArn\":\"arn:aws:sqs:us-east-1:099908667365:my-stack-with-resource-drift-DLQ-1BCY7HHD5QIM3\",\"maxReceiveCount\":12},\"MessageRetentionPeriod\":345600,\"MaximumMessageSize\":262144,\"VisibilityTimeout\":60,\"QueueName\":\"my-stack-with-resource-drift-Queue-494PBHCO76H4\"}", 
               "ResourceType": "AWS::SQS::Queue", 
               "Timestamp": "2018-03-26T17:23:34.489Z", 
               "PhysicalResourceId": "https://sqs.us-east-1.amazonaws.com/099908667365/my-stack-with-resource-drift-Queue-494PBHCO76H4", 
               "StackResourceDriftStatus": "MODIFIED", 
               "ExpectedProperties": "{\"ReceiveMessageWaitTimeSeconds\":0,\"DelaySeconds\":20,\"RedrivePolicy\":{\"deadLetterTargetArn\":\"arn:aws:sqs:us-east-1:099908667365:my-stack-with-resource-drift-DLQ-1BCY7HHD5QIM3\",\"maxReceiveCount\":10},\"MessageRetentionPeriod\":345600,\"MaximumMessageSize\":262144,\"VisibilityTimeout\":60,\"QueueName\":\"my-stack-with-resource-drift-Queue-494PBHCO76H4\"}", 
               "PropertyDifferences": [
                   {
                       "PropertyPath": "/DelaySeconds", 
                       "ActualValue": "120", 
                       "ExpectedValue": "20", 
                       "DifferenceType": "NOT_EQUAL"
                   }, 
                   {
                       "PropertyPath": "/RedrivePolicy/maxReceiveCount", 
                       "ActualValue": "12", 
                       "ExpectedValue": "10", 
                       "DifferenceType": "NOT_EQUAL"
                   }
               ], 
               "LogicalResourceId": "Queue"
           }
       ]
   }
   ```
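
The three CLI commands above map directly onto API calls, and in practice you script them: start the detection, poll `describe-stack-drift-detection-status` until it leaves `DETECTION_IN_PROGRESS`, then pull the `MODIFIED` and `DELETED` resources and check, as the **Important** note asks, that each resource drift record is not older than the detection run. The script below is an added example, not AWS code. `cfn` is any object exposing the boto3 CloudFormation client methods `detect_stack_drift`, `describe_stack_drift_detection_status` and `describe_stack_resource_drifts` (pass `boto3.client("cloudformation")` for real use); `FakeCloudFormation` is a constructed stand-in that replays the sample responses shown above so the script runs offline.

```python
"""Run stack drift detection, wait for it, and triage the drifted resources.

Added example, not AWS code. The `cfn` argument is a boto3 CloudFormation
client or anything with the same three methods.
"""
import json
import time
from datetime import datetime, timezone

TERMINAL = ("DETECTION_COMPLETE", "DETECTION_FAILED")


def run_stack_drift_detection(cfn, stack_name, poll_seconds=5.0, max_polls=120):
    """Start detection and poll until the operation is no longer in progress."""
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    for _ in range(max_polls):
        status = cfn.describe_stack_drift_detection_status(
            StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] in TERMINAL:
            return status
        time.sleep(poll_seconds)
    raise TimeoutError(f"drift detection {detection_id} still in progress")


def drifted_resources(cfn, stack_name):
    """Fetch MODIFIED and DELETED resources, following NextToken pagination."""
    kwargs = {"StackName": stack_name,
              "StackResourceDriftStatusFilters": ["MODIFIED", "DELETED"]}
    drifts = []
    while True:
        page = cfn.describe_stack_resource_drifts(**kwargs)
        drifts.extend(page["StackResourceDrifts"])
        if not page.get("NextToken"):
            return drifts
        kwargs["NextToken"] = page["NextToken"]


def triage(drift, detection_timestamp):
    """Summarize one drift record; flag it as stale if it predates this run.

    ExpectedProperties/ActualProperties are JSON text nested inside the JSON
    response (boto3 returns them as str), so they are decoded a second time.
    """
    return {
        "LogicalResourceId": drift["LogicalResourceId"],
        "ResourceType": drift["ResourceType"],
        "Status": drift["StackResourceDriftStatus"],
        "Stale": drift["Timestamp"] < detection_timestamp,
        "Changes": [(d["PropertyPath"], d["ExpectedValue"], d["ActualValue"],
                     d["DifferenceType"]) for d in drift.get("PropertyDifferences", [])],
        "Expected": json.loads(drift.get("ExpectedProperties") or "{}"),
        "Actual": json.loads(drift.get("ActualProperties") or "{}"),
    }


def main(cfn, stack_name, poll_seconds=5.0):
    status = run_stack_drift_detection(cfn, stack_name, poll_seconds)
    report = [triage(d, status["Timestamp"]) for d in drifted_resources(cfn, stack_name)]
    return status, report


# Constructed sample record, trimmed to the two drifted properties from this page.
SAMPLE_DRIFT = {
    "LogicalResourceId": "Queue", "ResourceType": "AWS::SQS::Queue",
    "StackResourceDriftStatus": "MODIFIED",
    "Timestamp": datetime(2018, 3, 26, 17, 23, 34, 489000, tzinfo=timezone.utc),
    "ExpectedProperties": json.dumps({"DelaySeconds": 20, "RedrivePolicy": {"maxReceiveCount": 10}}),
    "ActualProperties": json.dumps({"DelaySeconds": 120, "RedrivePolicy": {"maxReceiveCount": 12}}),
    "PropertyDifferences": [
        {"PropertyPath": "/DelaySeconds", "ExpectedValue": "20",
         "ActualValue": "120", "DifferenceType": "NOT_EQUAL"},
        {"PropertyPath": "/RedrivePolicy/maxReceiveCount", "ExpectedValue": "10",
         "ActualValue": "12", "DifferenceType": "NOT_EQUAL"},
    ],
}


class FakeCloudFormation:
    """Constructed stand-in replaying the responses shown on this page."""
    def __init__(self):
        self.polls = 0

    def detect_stack_drift(self, StackName):
        return {"StackDriftDetectionId": "624af370-311a-11e8-b6b7-500cexample"}

    def describe_stack_drift_detection_status(self, StackDriftDetectionId):
        self.polls += 1
        if self.polls < 3:  # first two polls: still running
            return {"StackDriftDetectionId": StackDriftDetectionId,
                    "DetectionStatus": "DETECTION_IN_PROGRESS"}
        return {"StackDriftDetectionId": StackDriftDetectionId,
                "DetectionStatus": "DETECTION_COMPLETE", "StackDriftStatus": "DRIFTED",
                "DriftedStackResourceCount": 1,
                "Timestamp": datetime(2018, 3, 26, 17, 23, 22, 279000, tzinfo=timezone.utc)}

    def describe_stack_resource_drifts(self, StackName, StackResourceDriftStatusFilters, NextToken=None):
        return {"StackResourceDrifts": [SAMPLE_DRIFT]}


if __name__ == "__main__":
    status, report = main(FakeCloudFormation(), "my-stack-with-resource-drift", poll_seconds=0)
    print(status["StackDriftStatus"], status["DriftedStackResourceCount"])
    for entry in report:
        print(entry)
```

A record is flagged `Stale` when its `Timestamp` is older than the `Timestamp` of the detection run that just completed; such a record was produced by an earlier detection and should not be acted on until the resource has been re-checked.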

# Detect drift on individual stack resources
<a name="detect-drift-resource"></a>

You can detect drift on specific resources within a stack, rather than the entire stack. This is especially useful when you only need to determine if specific resources now match their expected template configurations again.

When performing drift detection on a resource, CloudFormation also updates the overall stack drift status and the **Last drift check time**, if applicable. For example, suppose a stack has a drift status of `IN_SYNC`. You have CloudFormation perform drift detection on one or more resources contained in that stack, and CloudFormation detects that one or more of those resources has drifted. CloudFormation updates the stack drift status to `DRIFTED`. Conversely, suppose you have a stack with a drift status of `DRIFTED` because of a single drifted resource. If you set that resource back to its expected property values, and then detect drift on the resource again, CloudFormation will update both resource drift status and stack drift status to `IN_SYNC` without requiring you to detect drift on the entire stack again.

**To detect drift on an individual resource using the AWS Management Console**

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. From the list of stacks, select the stack that contains the resource. CloudFormation displays the stack details for that stack.

1. In the left navigation pane, under **Stacks**, choose **Stack actions**, and then choose **Detect drift**.

1. Under **Resource drift status**, choose the resource and then select **Detect drift for resource**.

   CloudFormation performs drift detection on the selected resource. If successful, CloudFormation updates the resource's drift status, and the overall stack drift status, if necessary. CloudFormation also updates the timestamp for when drift detection was last performed on the resource, and on the stack as a whole. If the resource has been modified, CloudFormation displays detailed drift information about the expected and current property values of the resource.

1. Review the drift detection results for the resource.

   1. To view the details of a modified resource:

     1. With the modified resource selected, select **View drift details**.

       CloudFormation displays the drift details for that resource, including the resource's expected and current property values, and any differences between the two.

       To highlight a difference, in the **Differences** section select the property name.
       + Added properties are highlighted in green in the **Current** column of the **Details** section.
       + Deleted properties are highlighted in red in the **Expected** column of the **Details** section.
       + Properties whose values have changed are highlighted in yellow in both the **Expected** and **Current** columns.  
![\[The Resource drift status section of the Drift Details page, which contains drift information for each resource in the stack that supports drift detection. Details include drift status and expected and current property values.\]](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/console-stacks-drifts-drift-details-differences-1.png)

**To detect drift on an individual resource using the AWS CLI**

**Important**  
Review the **Last drift check time** for the stack resource and confirm that it's earlier than the timestamp shown in the resource drift results to prevent the use of stale data.

To detect drift on an individual resource using the AWS CLI, use the **detect-stack-resource-drift** command. Specify the logical ID of the resource and the stack in which it's contained.

  The following example runs a drift detection operation on a specific stack resource, `my-drifted-resource`. The response returns information that confirms the resource has been modified, including details about two of its properties whose values have been changed.

  ```
  aws cloudformation detect-stack-resource-drift \
      --stack-name my-stack-with-resource-drift \
      --logical-resource-id my-drifted-resource
  ```

  Output:

  ```
  {
      "StackResourceDrift": {
          "StackId": "arn:aws:cloudformation:us-east-1:099908667365:stack/my-stack-with-resource-drift/489e5570-df85-11e7-a7d9-50example", 
          "ActualProperties": "{\"ReceiveMessageWaitTimeSeconds\":0,\"DelaySeconds\":120,\"RedrivePolicy\":{\"deadLetterTargetArn\":\"arn:aws:sqs:us-east-1:099908667365:my-stack-with-resource-drift-DLQ-1BCY7HHD5QIM3\",\"maxReceiveCount\":12},\"MessageRetentionPeriod\":345600,\"MaximumMessageSize\":262144,\"VisibilityTimeout\":60,\"QueueName\":\"my-stack-with-resource-drift-Queue-494PBHCO76H4\"}", 
          "ResourceType": "AWS::SQS::Queue", 
          "Timestamp": "2018-03-26T18:54:28.462Z", 
          "PhysicalResourceId": "https://sqs.us-east-1.amazonaws.com/099908667365/my-stack-with-resource-drift-Queue-494PBHCO76H4", 
          "StackResourceDriftStatus": "MODIFIED", 
          "ExpectedProperties": "{\"ReceiveMessageWaitTimeSeconds\":0,\"DelaySeconds\":20,\"RedrivePolicy\":{\"deadLetterTargetArn\":\"arn:aws:sqs:us-east-1:099908667365:my-stack-with-resource-drift-DLQ-1BCY7HHD5QIM3\",\"maxReceiveCount\":10},\"MessageRetentionPeriod\":345600,\"MaximumMessageSize\":262144,\"VisibilityTimeout\":60,\"QueueName\":\"my-stack-with-resource-drift-Queue-494PBHCO76H4\"}", 
          "PropertyDifferences": [
              {
                  "PropertyPath": "/DelaySeconds", 
                  "ActualValue": "120", 
                  "ExpectedValue": "20", 
                  "DifferenceType": "NOT_EQUAL"
              }, 
              {
                  "PropertyPath": "/RedrivePolicy/maxReceiveCount", 
                  "ActualValue": "12", 
                  "ExpectedValue": "10", 
                  "DifferenceType": "NOT_EQUAL"
              }
          ], 
          "LogicalResourceId": "my-drifted-resource"
      }
  }
  ```

# Resolve drift with an import operation
<a name="resource-import-resolve-drift"></a>

There may be cases where a resource's configuration has drifted from its intended configuration and you want to accept the new configuration as the intended configuration. In most cases, you would resolve the drift results by updating the resource definition in the stack template with a new configuration and then perform a stack update. However, if the new configuration updates a resource property that requires replacement, then the resource will be recreated during the stack update. If you want to retain the existing resource, you can use the resource import feature to update the resource and resolve the drift results without causing the resource to be replaced.

Resolving drift for a resource through an import operation consists of the following basic steps:
+ [Add a DeletionPolicy attribute, set to Retain, to the resource](#resource-import-resolve-drift-console-step-01-update-stack). This ensures the existing resource is retained rather than deleted when it's removed from the stack.
+ [Remove the resource from the template and run a stack update operation](#resource-import-resolve-drift-console-step-02-remove-drift). This removes the resource from the stack, but doesn't delete it.
+ [Describe the resource’s actual state in the stack template, and then import the existing resource back into the stack](#resource-import-resolve-drift-console-step-03-update-template). This adds the resource back into the stack and resolves the property differences that were causing the drift results.

For more information on resource import, see [Import AWS resources into a CloudFormation stack manually](import-resources-manually.md). For a list of resources that support import, see [Resource type support](resource-import-supported-resources.md).

In this example, we use the following template, named `templateToImport.json`.

------
#### [ Example JSON ]

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Import test",
    "Resources": {
         "ServiceTable":{
           "Type":"AWS::DynamoDB::Table",
           "Properties":{
              "TableName":"Service",
              "AttributeDefinitions":[
                 {
                    "AttributeName":"key",
                    "AttributeType":"S"
                 }
              ],
              "KeySchema":[
                 {
                    "AttributeName":"key",
                    "KeyType":"HASH"
                 }
              ],
              "BillingMode": "PROVISIONED",
              "ProvisionedThroughput":{
                 "ReadCapacityUnits":5,
                 "WriteCapacityUnits":1
              }
           }
        },
        "GamesTable": {
            "Type": "AWS::DynamoDB::Table",
            "Properties": {
                "TableName": "Games",
                "AttributeDefinitions": [
                    {
                        "AttributeName": "key",
                        "AttributeType": "S"
                    }
                ],
                "KeySchema": [
                    {
                        "AttributeName": "key",
                        "KeyType": "HASH"
                    }
                ],
                "BillingMode": "PROVISIONED",
                "ProvisionedThroughput": {
                    "ReadCapacityUnits": 5,
                    "WriteCapacityUnits": 1
                }
            }
        }
    }
}
```

------
#### [ Example YAML ]

```
AWSTemplateFormatVersion: 2010-09-09
Description: Import test
Resources:
  ServiceTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: Service
      AttributeDefinitions:
        - AttributeName: key
          AttributeType: S
      KeySchema:
        - AttributeName: key
          KeyType: HASH
      BillingMode: PROVISIONED
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 1
  GamesTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: Games
      AttributeDefinitions:
        - AttributeName: key
          AttributeType: S
      KeySchema:
        - AttributeName: key
          KeyType: HASH
      BillingMode: PROVISIONED
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 1
```

------

In this example, let's assume a user changed a resource outside of CloudFormation. After running drift detection, we discovered that the `BillingMode` of `GamesTable` has been modified to `PAY_PER_REQUEST`. For more information about drift detection, see [Detect unmanaged configuration changes to stacks and resources with drift detection](using-cfn-stack-drift.md).

![The drift results display the expected and actual results in the console.](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/drift-results-gamestable.png)


Our stack template is now out of date while the resources remain live, but we want to preserve the intended resource configuration. We can do this by resolving drift through an import operation, without interrupting services.

## Resolve drift with an import operation using the CloudFormation console
<a name="resource-import-resolve-drift-console"></a>

### Step 1. Update stack with Retain deletion policy
<a name="resource-import-resolve-drift-console-step-01-update-stack"></a>

**To update a stack using a `DeletionPolicy` attribute with the `Retain` option**

1. Sign in to the AWS Management Console and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. On the **Stacks** page, choose the stack that has drifted.

1. Choose **Update**, and then choose **Replace current template** from the stack details pane.

1. On the **Specify template** page, provide your updated template that contains the `DeletionPolicy` attribute with the `Retain` option using one of the following methods:
   + Choose **Amazon S3 URL**, and then specify the URL for your template in the text box.
   + Choose **Upload a template file**, and then browse for your template.

   Then, choose **Next**.

1. Review the **Specify stack details** page and choose **Next**.

1. Review the **Configure stack options** page and choose **Next**.

1. On the **Review *stack-name*** page, choose **Update stack**.

*Results*: On the **Events** page of your stack, the status is `UPDATE_COMPLETE`.

To resolve drift through an import operation, without interrupting services, specify a `Retain` [DeletionPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-deletionpolicy.html) for the resources you want to remove from your stack. In the following example, we've added a [DeletionPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-deletionpolicy.html) attribute, set to `Retain`, to the `GamesTable` resource.

------
#### [ Example JSON ]

```
    "GamesTable": {
        "Type": "AWS::DynamoDB::Table",
        "DeletionPolicy": "Retain",
        "Properties": {
            "TableName": "Games",
```

------
#### [ Example YAML ]

```
  GamesTable:
    Type: AWS::DynamoDB::Table
    DeletionPolicy: Retain
    Properties:
      TableName: Games
```

------

### Step 2. Remove drifted resources, related parameters, and outputs
<a name="resource-import-resolve-drift-console-step-02-remove-drift"></a>

**To remove drifted resources, related parameters, and outputs**

1. Choose **Update**, and then choose **Replace current template** from the stack details pane.

1. On the **Specify template** page, provide your updated template with its resources, related parameters, and outputs removed from the stack template using one of the following methods:
   + Choose **Amazon S3 URL**, and then specify the URL for your template in the text box.
   + Choose **Upload a template file**, and then browse for your template.

   Then, choose **Next**.

1. Review the **Specify stack details** page and choose **Next**.

1. Review the **Configure stack options** page and choose **Next**.

1. On the **Review *stack-name*** page, choose **Update stack**.

*Results*: The **Logical ID** `GamesTable` has a status of `DELETE_SKIPPED` on the **Events** page of your stack.

Wait until CloudFormation completes the stack update operation. After the stack update operation completes, remove the resource, related parameters, and outputs from the stack template. Then, import the updated template. After completing these actions, the example template now looks like the following.

------
#### [ Example JSON ]

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Import test",
    "Resources": {
         "ServiceTable":{
           "Type":"AWS::DynamoDB::Table",
           "Properties":{
              "TableName":"Service",
              "AttributeDefinitions":[
                 {
                    "AttributeName":"key",
                    "AttributeType":"S"
                 }
              ],
              "KeySchema":[
                 {
                    "AttributeName":"key",
                    "KeyType":"HASH"
                 }
              ],
              "BillingMode": "PROVISIONED",
              "ProvisionedThroughput":{
                 "ReadCapacityUnits":5,
                 "WriteCapacityUnits":1
              }
           }
        }
    }
}
```

------
#### [ Example YAML ]

```
AWSTemplateFormatVersion: 2010-09-09
Description: Import test
Resources:
  ServiceTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: Service
      AttributeDefinitions:
        - AttributeName: key
          AttributeType: S
      KeySchema:
        - AttributeName: key
          KeyType: HASH
      BillingMode: PROVISIONED
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 1
```

------

### Step 3. Update template to match the live state of your resources
<a name="resource-import-resolve-drift-console-step-03-update-template"></a>

**To update the template to match the live state of your resources**

1. To import the updated template, choose **Stack actions** and then choose **Import resources into stack**.  
![The Import resources into stack option in the console.](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/stack-actions-import.png)

1. Review the **Import overview** page for a list of things you're required to provide during this operation, and then choose **Next**.

1. On the **Specify template** page, provide your updated template using one of the following methods:
   + Choose **Amazon S3 URL**, and then specify the URL for your template in the text box.
   + Choose **Upload a template file**, and then browse for your template.

   Then, choose **Next**.

1. On the **Identify resources** page, identify each target resource. For more information, see [Resource identifiers](import-resources-manually.md#resource-import-identifiers-unique-ids).

   1. Under **Identifier property**, choose the type of resource identifier. For example, the `TableName` property identifies the `AWS::DynamoDB::Table` resource.

   1. Under **Identifier value**, enter the actual property value. In the example template, the `TableName` for the `GamesTable` resource is `Games`.

   1. Choose **Next**.

1. Review the **Specify stack details** page, and choose **Next**.

1. On the **Import overview** page, review the resources being imported, and then choose **Import resources**. This imports the `GamesTable` resource (an `AWS::DynamoDB::Table`) back into your stack.

*Results*: In this example, we resolved the resource drift through an import operation, without interrupting services. You can check the progress of an import action in the CloudFormation console on the **Events** tab. Imported resources have an `IMPORT_COMPLETE` status followed by a `CREATE_COMPLETE` status with **Resource import complete** as the status reason.

Wait until CloudFormation completes the stack update operation, then update your template to match the actual, drifted state of your resources. In this example, `BillingMode` is set to `PAY_PER_REQUEST`, and `ReadCapacityUnits` and `WriteCapacityUnits` are set to `0`.

------
#### [ Example JSON ]

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Import test",
    "Resources": {
         "ServiceTable":{
           "Type":"AWS::DynamoDB::Table",
           "Properties":{
              "TableName":"Service",
              "AttributeDefinitions":[
                 {
                    "AttributeName":"key",
                    "AttributeType":"S"
                 }
              ],
              "KeySchema":[
                 {
                    "AttributeName":"key",
                    "KeyType":"HASH"
                 }
              ],
              "BillingMode": "PROVISIONED",
              "ProvisionedThroughput":{
                 "ReadCapacityUnits":5,
                 "WriteCapacityUnits":1
              }
           }
        },
        "GamesTable": {
            "Type": "AWS::DynamoDB::Table",
            "DeletionPolicy": "Retain",
            "Properties": {
                "TableName": "Games",
                "AttributeDefinitions": [
                    {
                        "AttributeName": "key",
                        "AttributeType": "S"
                    }
                ],
                "KeySchema": [
                    {
                        "AttributeName": "key",
                        "KeyType": "HASH"
                    }
                ],
                "BillingMode": "PAY_PER_REQUEST",
                "ProvisionedThroughput": {
                    "ReadCapacityUnits": 0,
                    "WriteCapacityUnits": 0
                }
            }
        }
    }
}
```

------
#### [ Example YAML ]

```
AWSTemplateFormatVersion: 2010-09-09
Description: Import test
Resources:
  ServiceTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: Service
      AttributeDefinitions:
        - AttributeName: key
          AttributeType: S
      KeySchema:
        - AttributeName: key
          KeyType: HASH
      BillingMode: PROVISIONED
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 1
  GamesTable:
    Type: AWS::DynamoDB::Table
    DeletionPolicy: Retain
    Properties:
      TableName: Games
      AttributeDefinitions:
        - AttributeName: key
          AttributeType: S
      KeySchema:
        - AttributeName: key
          KeyType: HASH
      BillingMode: PAY_PER_REQUEST
      ProvisionedThroughput:
        ReadCapacityUnits: 0
        WriteCapacityUnits: 0
```

------
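The three template edits that Steps 1 to 3 walk through, carried out on an in-memory template, as an added example; this is not AWS code. It assumes a drift record shaped like a `DescribeStackResourceDrifts` entry with a `/`-separated `PropertyPath` and string-valued `ActualValue`, and both the template and the drift record are constructed to mirror the `GamesTable` case above.

```python
import copy

# Constructed template, same shape as the GamesTable definition on this page.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "GamesTable": {"Type": "AWS::DynamoDB::Table", "Properties": {
            "TableName": "Games", "BillingMode": "PROVISIONED",
            "ProvisionedThroughput": {"ReadCapacityUnits": 5, "WriteCapacityUnits": 1}}},
    },
}

# Constructed drift record in the shape of a DescribeStackResourceDrifts entry
# (assumed: '/'-separated PropertyPath, values reported as strings).
DRIFT = {
    "LogicalResourceId": "GamesTable",
    "StackResourceDriftStatus": "MODIFIED",
    "PropertyDifferences": [
        {"PropertyPath": "/BillingMode", "ExpectedValue": "PROVISIONED",
         "ActualValue": "PAY_PER_REQUEST", "DifferenceType": "NOT_EQUAL"},
        {"PropertyPath": "/ProvisionedThroughput/ReadCapacityUnits",
         "ExpectedValue": "5", "ActualValue": "0", "DifferenceType": "NOT_EQUAL"},
        {"PropertyPath": "/ProvisionedThroughput/WriteCapacityUnits",
         "ExpectedValue": "1", "ActualValue": "0", "DifferenceType": "NOT_EQUAL"},
    ],
}


def resolve_drift_templates(template, drift):
    """Return the three templates the procedure uploads, in order: (1) drifted
    resource marked DeletionPolicy: Retain, (2) drifted resource removed (the update
    ends in DELETE_SKIPPED, the live table survives), (3) resource re-added with the
    live values applied, ready for 'Import resources into stack'."""
    rid = drift["LogicalResourceId"]
    retain = copy.deepcopy(template)
    retain["Resources"][rid]["DeletionPolicy"] = "Retain"
    removed = copy.deepcopy(retain)
    del removed["Resources"][rid]
    imported = copy.deepcopy(retain)
    props = imported["Resources"][rid]["Properties"]
    for diff in drift["PropertyDifferences"]:
        *parents, leaf = diff["PropertyPath"].strip("/").split("/")
        node = props
        for key in parents:
            node = node.setdefault(key, {})
        if diff["DifferenceType"] == "REMOVE":  # property no longer set on the live resource
            node.pop(leaf, None)
            continue
        old = node.get(leaf)  # keep the template's scalar type for numeric properties
        node[leaf] = int(diff["ActualValue"]) if isinstance(old, int) else diff["ActualValue"]
    return retain, removed, imported
```

The import template (3) must describe the live configuration exactly, which is why the actual values, not the expected ones, are written into it.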