cloudformation-coverage-roadmap
(AWS::EC2::VPCEndpoint) Drift detection not supported contrary to documentation
Name of the resource
AWS::EC2::VPCEndpoint
Resource Name
No response
Issue Description
The AWS::EC2::VPCEndpoint resource type is not included in drift detection, despite being listed as supported in the official documentation.
Expected Behavior
AWS::EC2::VPCEndpoint to be included in drift detection.
Observed Behavior
It is not.
Test Cases
Reproduction
- Initial deployment
CDK code
from aws_cdk import aws_ec2 as ec2

# `vpc` is the ec2.Vpc created earlier in the stack; the endpoint ends up in VpcEndpointStack
vpc.add_interface_endpoint('InterfaceEndpoint',
    service=ec2.InterfaceVpcEndpointAwsService('ssm'),
    open=False,
)
aws ec2 describe-vpc-endpoints
{
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-0100b1c676c09bdbe",
            "VpcEndpointType": "Interface",
            "VpcId": "vpc-xxxxxxxxxxxxxxx",
            "ServiceName": "com.amazonaws.eu-central-1.ssm",
            "State": "available",
            "PolicyDocument": "{\n \"Statement\": [\n {\n \"Action\": \"*\", \n \"Effect\": \"Allow\", \n \"Principal\": \"*\", \n \"Resource\": \"*\"\n }\n ]\n}",
            "RouteTableIds": [],
            "SubnetIds": [
                "subnet-aaaaaaaaaaaaaaaaa",
                "subnet-bbbbbbbbbbbbbbb",
                "subnet-ccccccccccccccccccc"
            ],
            "Groups": [
                {
                    "GroupId": "sg-xxxxxxxxx",
                    "GroupName": "MyVpcInterfaceEndpointSecurityGroup7105AD38-ur1RjwgKTkLq"
                }
            ],
            "IpAddressType": "ipv4",
            "DnsOptions": {
                "DnsRecordIpType": "ipv4"
            },
            "PrivateDnsEnabled": true,
            "RequesterManaged": false,
            "NetworkInterfaceIds": [
                "eni-0714aabc5f68f7634",
                "eni-020f86237d4ed16da",
                "eni-0a3f125dc2450d04c"
            ],
            "DnsEntries": [
                {
                    "DnsName": "vpce-0100b1c676c09bdbe-xxxxxxx-eu-central-1b.ssm.eu-central-1.vpce.amazonaws.com",
                    "HostedZoneId": "XXXXXXXXXXXXX"
                },
                {
                    "DnsName": "ssm.eu-central-1.amazonaws.com",
                    "HostedZoneId": "XXXXXXXXXXXXX"
                }
            ],
            "CreationTimestamp": "2024-03-06T09:26:16.094000+00:00",
            "Tags": [],
            "OwnerId": "000000000000"
        }
    ]
}
- Detect drift
aws cloudformation detect-stack-drift --stack-name VpcEndpointStack
aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-id a427ffd0-db9c-11ee-934e-0abde06aa525
{
    "StackId": "arn:aws:cloudformation:eu-central-1:000000000000:stack/VpcEndpointStack/df262df0-db97-11ee-b4b5-02100ff45b07",
    "StackDriftDetectionId": "a427ffd0-db9c-11ee-934e-0abde06aa525",
    "StackDriftStatus": "IN_SYNC",
    "DetectionStatus": "DETECTION_COMPLETE",
    "DriftedStackResourceCount": 0,
    "Timestamp": "2024-03-06T09:33:51.053000+00:00"
}
- Make out-of-band change
aws ec2 modify-vpc-endpoint --vpc-endpoint-id vpce-0100b1c676c09bdbe --remove-subnet-ids subnet-ccccccccccccccccccc --reset-policy
{
    "Return": true
}
- Detect drift again
aws cloudformation detect-stack-drift --stack-name VpcEndpointStack
aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-id 0073aa40-db9e-11ee-bc1c-0212336a28af
{
    "StackId": "arn:aws:cloudformation:eu-central-1:000000000000:stack/VpcEndpointStack/df262df0-db97-11ee-b4b5-02100ff45b07",
    "StackDriftDetectionId": "0073aa40-db9e-11ee-bc1c-0212336a28af",
    "StackDriftStatus": "IN_SYNC",
    "DetectionStatus": "DETECTION_COMPLETE",
    "DriftedStackResourceCount": 0,
    "Timestamp": "2024-03-06T09:43:35.396000+00:00"
}
- Make a drastic out-of-band change
aws ec2 delete-vpc-endpoints --vpc-endpoint-ids vpce-0100b1c676c09bdbe
{
    "Unsuccessful": []
}
aws ec2 describe-vpc-endpoints
{
    "VpcEndpoints": []
}
- Detect drift again
aws cloudformation detect-stack-drift --stack-name VpcEndpointStack
aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-id f168ff90-db9e-11ee-bcb5-0a1a054149df
{
    "StackId": "arn:aws:cloudformation:eu-central-1:000000000000:stack/VpcEndpointStack/df262df0-db97-11ee-b4b5-02100ff45b07",
    "StackDriftDetectionId": "f168ff90-db9e-11ee-bcb5-0a1a054149df",
    "StackDriftStatus": "IN_SYNC",
    "DetectionStatus": "DETECTION_COMPLETE",
    "DriftedStackResourceCount": 0,
    "Timestamp": "2024-03-06T09:50:19.657000+00:00"
}
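Since the stack reports IN_SYNC after every out-of-band change above, a compensating check is the only way to notice that an endpoint lost a subnet, had its policy replaced, or was deleted. The following is an added example, not code from this issue, from CloudFormation or from CDK: a Python script that diffs the endpoint state a stack declared against the same data `aws ec2 describe-vpc-endpoints` returns, and flags the subnet removal and the deletion from the reproduction (policies are compared after canonicalising the JSON, so formatting alone is not drift). The `EXPECTED` table, the `sample_endpoint` entries and the `fetch_observed` helper are assumptions constructed to mirror the output shown above; in practice the expected values would be derived from the CDK app or template.

```python
import json
from typing import Any, Dict, List

# Expected state as declared by the stack. Constructed to mirror the issue's
# deployment (assumption); derive from the template in real use.
EXPECTED: Dict[str, Dict[str, Any]] = {
    "vpce-0100b1c676c09bdbe": {
        "ServiceName": "com.amazonaws.eu-central-1.ssm",
        "SubnetIds": ["subnet-aaaaaaaaaaaaaaaaa", "subnet-bbbbbbbbbbbbbbb",
                      "subnet-ccccccccccccccccccc"],
        "PrivateDnsEnabled": True,
        # Default endpoint policy, as printed in the describe output above.
        "PolicyDocument": {"Statement": [
            {"Action": "*", "Effect": "Allow", "Principal": "*", "Resource": "*"}]},
    }
}


def normalize_policy(policy: Any) -> str:
    """Canonicalise a policy (JSON string or dict): whitespace/key order are not drift."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def compare_endpoints(expected: Dict[str, Dict[str, Any]],
                      observed_endpoints: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Diff declared endpoint state against describe-vpc-endpoints entries.
    Returns {endpoint_id: [findings]}; an empty list means in sync."""
    observed = {e["VpcEndpointId"]: e for e in observed_endpoints}
    report: Dict[str, List[str]] = {}
    for vpce_id, want in expected.items():
        got = observed.get(vpce_id)
        if got is None:  # the delete-vpc-endpoints case
            report[vpce_id] = ["DELETED: endpoint no longer exists"]
            continue
        findings: List[str] = []
        if got.get("State") != "available":
            findings.append(f"STATE: {got.get('State')}")
        if got.get("ServiceName") != want["ServiceName"]:
            findings.append(f"SERVICE_CHANGED: {got.get('ServiceName')}")
        want_subnets, got_subnets = set(want["SubnetIds"]), set(got.get("SubnetIds", []))
        findings += [f"SUBNET_REMOVED: {s}" for s in sorted(want_subnets - got_subnets)]
        findings += [f"SUBNET_ADDED: {s}" for s in sorted(got_subnets - want_subnets)]
        if bool(got.get("PrivateDnsEnabled")) != want["PrivateDnsEnabled"]:
            findings.append(f"PRIVATE_DNS_CHANGED: {got.get('PrivateDnsEnabled')}")
        if normalize_policy(got.get("PolicyDocument", "{}")) != normalize_policy(want["PolicyDocument"]):
            findings.append("POLICY_CHANGED: endpoint policy differs from the declared policy")
        report[vpce_id] = findings
    return report


def fetch_observed(region: str) -> List[Dict[str, Any]]:
    """Live variant (hypothetical helper): same data the CLI call returns.
    Needs boto3 and credentials; imported lazily so the samples below run offline."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    endpoints: List[Dict[str, Any]] = []
    for page in ec2.get_paginator("describe_vpc_endpoints").paginate():
        endpoints.extend(page["VpcEndpoints"])
    return endpoints


# Policy string exactly as the CLI embeds it in the JSON output.
POLICY_ON_PAGE = ('{\n "Statement": [\n {\n "Action": "*", \n "Effect": "Allow", \n'
                  ' "Principal": "*", \n "Resource": "*"\n }\n ]\n}')


def sample_endpoint(subnet_ids: List[str]) -> Dict[str, Any]:
    """Constructed describe-vpc-endpoints entry mirroring the issue's output."""
    return {"VpcEndpointId": "vpce-0100b1c676c09bdbe", "VpcEndpointType": "Interface",
            "ServiceName": "com.amazonaws.eu-central-1.ssm", "State": "available",
            "PolicyDocument": POLICY_ON_PAGE, "SubnetIds": subnet_ids,
            "PrivateDnsEnabled": True}


# The three observed states from the reproduction steps (constructed).
IN_SYNC_SAMPLE = [sample_endpoint(EXPECTED["vpce-0100b1c676c09bdbe"]["SubnetIds"])]
AFTER_SUBNET_REMOVED = [sample_endpoint(["subnet-aaaaaaaaaaaaaaaaa", "subnet-bbbbbbbbbbbbbbb"])]
AFTER_DELETE: List[Dict[str, Any]] = []

if __name__ == "__main__":
    for label, sample in [("initial", IN_SYNC_SAMPLE),
                          ("after modify-vpc-endpoint", AFTER_SUBNET_REMOVED),
                          ("after delete-vpc-endpoints", AFTER_DELETE)]:
        print(label, json.dumps(compare_endpoints(EXPECTED, sample), indent=2))
```

Run as-is it reports no findings for the initial state, `SUBNET_REMOVED: subnet-ccccccccccccccccccc` after the `modify-vpc-endpoint` step, and `DELETED` after the `delete-vpc-endpoints` step, which is exactly what the stack's drift detection missed. Note that `--reset-policy` in the reproduction restores the default full-access policy, which is also what the initial describe output shows, so the policy comparison alone would not have flagged that step; it would flag any policy that differs from the one the stack declares.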
Other Details
No response