
Drift Detection for AWS::IAM::ManagedPolicy resource reported as IN_SYNC when there is drift

Open · satanupa opened this issue 1 year ago · 1 comment

Name of the resource

AWS::IAM::ManagedPolicy

Resource Name

No response

Issue Description

Drift detection on a stack with AWS::IAM::ManagedPolicy resource reports back as "IN_SYNC" even when there is drift between the actual resource and template specification for the PolicyDocument property.

Expected:

    {
      "Path": "/",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "rds:CreateDBInstance",
              "rds:CreateDBClusterParameterGroup"
            ],
            "Resource": "arn:aws:rds:region:account-no:db:test*",
            "Effect": "Allow",
            "Sid": "Statement1"
          }
        ]
      },
      "Description": "Policy for creating a test database"
    }

Actual:

    {
      "Path": "/",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "rds:CreateDBInstance"
            ],
            "Resource": "arn:aws:rds:region:account-no:db:test*",
            "Effect": "Allow",
            "Sid": "Statement1"
          }
        ]
      },
      "Description": "Policy for creating a test database"
    }

Expected Behavior

If there is a difference in the policy document JSON between the actual resource and the template specification, the resource should report as modified when performing drift detection.

Observed Behavior

Resource reports as "IN_SYNC" even when there is drift between the actual resource and template specification for the PolicyDocument property.

Test Cases

  1. Create a CloudFormation stack to provision a ManagedPolicy resource:

     Resources:
      CreateTestDBPolicy:
       Type: 'AWS::IAM::ManagedPolicy'
       Properties:
         Description: Policy for creating a test database
         Path: /
         PolicyDocument:
           Version: "2012-10-17"
           Statement:
             - Sid: 'Statement1'
               Effect: Allow
               Action:
                - 'rds:CreateDBInstance'
                - 'rds:CreateDBClusterParameterGroup'
               Resource: !Join
                 - ''
                 - - 'arn:aws:rds:'
                   - !Ref 'AWS::Region'
                   - ':'
                   - !Ref 'AWS::AccountId'
                   - ':db:test*'

  2. Once the stack is created, manually modify the managed policy physical resource; you can change any part(s) of the policy, e.g. remove 'rds:CreateDBClusterParameterGroup' from the policy document.
  3. Trigger drift detection on the stack; the resource will report as "IN_SYNC". Check the drift details and we can observe a difference in the Actual and Expected properties.

Other Details

No response

satanupa · Nov 27 '23 23:11
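Because the stack-level drift status cannot be trusted for this property, a team that depends on the PolicyDocument of an AWS::IAM::ManagedPolicy has to compare the template's document against the live one itself. The following Python is an added example, not code from the issue or from the cloudformation-coverage-roadmap project: it canonicalizes two IAM policy documents (string-or-list fields such as Action and Resource become sorted lists, a single Statement object becomes a one-element list), matches statements by Sid (or by position when a Sid is absent) and reports field-level differences. The EXPECTED_DOC and ACTUAL_DOC values are constructed from the Expected/Actual output in the issue, keeping its "region" and "account-no" placeholders; the function names and the MODIFIED/IN_SYNC result strings are this example's own choice. It runs offline on those embedded documents.

```python
"""Out-of-band drift check for an IAM managed policy's PolicyDocument.

Added example (not from the issue or the project): compares the document a
CloudFormation template declares with the document read back from the live
managed policy and lists every difference, so PolicyDocument drift is caught
even when stack drift detection reports IN_SYNC.
"""
import json
from typing import Any, Dict, List, Union

# IAM statement fields that may be either a single string or a list of strings.
_LIST_FIELDS = ("Action", "NotAction", "Resource", "NotResource")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or a list in several places; always work with a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def normalize_statement(stmt: Dict[str, Any]) -> Dict[str, Any]:
    """Canonicalize one statement: sort string-or-list fields, keep the rest as-is."""
    norm: Dict[str, Any] = {}
    for key, val in stmt.items():
        norm[key] = sorted(_as_list(val)) if key in _LIST_FIELDS else val
    return norm


def normalize_policy(doc: Union[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Accept a JSON string or an already-parsed dict; return a canonical form."""
    parsed = json.loads(doc) if isinstance(doc, str) else doc
    return {
        "Version": parsed.get("Version"),
        "Statement": [normalize_statement(s) for s in _as_list(parsed.get("Statement"))],
    }


def _keyed(statements: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    # Match statements by Sid when present, otherwise by their position.
    return {s.get("Sid") or f"#{i}": s for i, s in enumerate(statements)}


def diff_policy_documents(expected: Union[str, Dict[str, Any]],
                          actual: Union[str, Dict[str, Any]]) -> List[str]:
    """Return human-readable drift findings; an empty list means the documents agree."""
    exp, act = normalize_policy(expected), normalize_policy(actual)
    findings: List[str] = []
    if exp["Version"] != act["Version"]:
        findings.append(f"Version: expected {exp['Version']!r}, actual {act['Version']!r}")
    exp_by, act_by = _keyed(exp["Statement"]), _keyed(act["Statement"])
    for sid in sorted(set(exp_by) | set(act_by)):
        if sid not in act_by:
            findings.append(f"{sid}: statement missing from live policy")
            continue
        if sid not in exp_by:
            findings.append(f"{sid}: statement present in live policy but not in template")
            continue
        e, a = exp_by[sid], act_by[sid]
        for field in sorted(set(e) | set(a)):
            ev, av = e.get(field), a.get(field)
            if ev == av:
                continue
            if field in _LIST_FIELDS:
                # Both sides are sorted lists of strings here; report element-level changes.
                removed = sorted(set(ev or []) - set(av or []))
                added = sorted(set(av or []) - set(ev or []))
                if removed:
                    findings.append(f"{sid}.{field}: removed {removed}")
                if added:
                    findings.append(f"{sid}.{field}: added {added}")
            else:
                findings.append(f"{sid}.{field}: expected {ev!r}, actual {av!r}")
    return findings


def drift_status(expected: Union[str, Dict[str, Any]],
                 actual: Union[str, Dict[str, Any]]) -> str:
    """Status label this example uses: IN_SYNC when no findings, otherwise MODIFIED."""
    return "IN_SYNC" if not diff_policy_documents(expected, actual) else "MODIFIED"


# Constructed from the issue's Expected/Actual output (placeholders kept verbatim).
EXPECTED_DOC = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1", "Effect": "Allow",
        "Action": ["rds:CreateDBInstance", "rds:CreateDBClusterParameterGroup"],
        "Resource": "arn:aws:rds:region:account-no:db:test*",
    }],
}
ACTUAL_DOC = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1", "Effect": "Allow",
        "Action": ["rds:CreateDBInstance"],
        "Resource": "arn:aws:rds:region:account-no:db:test*",
    }],
}

if __name__ == "__main__":
    for finding in diff_policy_documents(EXPECTED_DOC, ACTUAL_DOC):
        print(finding)
    print(drift_status(EXPECTED_DOC, ACTUAL_DOC))
```

In practice the live document would come from the policy's default version (the IAM GetPolicyVersion API returns it; some SDKs hand it back URL-encoded, so decode before passing it in) and the expected one from the deployed stack template with intrinsic functions such as !Join already resolved; `normalize_policy` accepts either a JSON string or a parsed dict so both sources can be fed in directly. The canonicalization matters because IAM stores `"Action": "x"` and `"Action": ["x"]` identically, and a naive string comparison would report spurious drift.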