
Feature request: add support for sam drift

Open softprops opened this issue 2 years ago • 3 comments

Describe your idea/feature/enhancement

Provide a clear description. Ex. I wish SAM CLI would [...]

I wish sam could make it easy to see and understand drift in provisioned resources through a new sam drift command.

Proposal

Add details of how to add this to the product.

Though not ideal, sometimes engineers may change resources provisioned by sam in aws consoles. In these cases you only have one option to detect this, cf. This breaks the “flow” sam cli provides as you have to drop down a level to tools with a lesser quality dx.

sam deploy is a good example of a dx enhancement over cloudformation deploy. I can see an easily surmised display of my stack state. I would like the same for detecting and understanding drift state.

Things to consider:

  1. Will this require any updates to the SAM Spec

no

Additional Details

softprops avatar Oct 15 '23 03:10 softprops

Hi there,

I think CFN recently introduced some APIs that we can use for this feature request: detect_stack_drift and describe_stack_drift_detection_status.

Do you think running this before sam deploy (possibly via an additional flag) and printing results would be sufficient or do you recommend something else there?

mndeveci avatar Oct 18 '23 00:10 mndeveci

As an opt in feature that would be nice. It adds time to deploys so I wouldn’t make it a default

I would find it valuable as a standalone command. In our ci/cd workflows we typically run a no-execute version of deploy when a pr is opened to give engineers a heads up of what will happen when the pr is merged.

We’ve found that for some deployments, if enough time has passed, changes to underlying resources may have crept in through the aws console and we’d love to learn about those before a change is automatically deployed on merge.

I would love to give engineers a heads up as soon as a pr is opened on a sam app that they may be bumping into some underlying drift, giving them time to decide how to resolve that well before merging a change which executes the deploy. Today we typically learn about that drift much too late.

softprops avatar Oct 28 '23 13:10 softprops
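The workflow discussed above (the CloudFormation drift APIs mndeveci names, run as a standalone pre-deploy check in CI, as softprops asks for) as an added example; this is not SAM CLI code or anything from the issue's participants. It assumes boto3's CloudFormation client for a real stack, and the `FakeCloudFormation` class, the stack name and the drifted schedule resource are constructed stand-ins so the script runs offline.

```python
import time

def wait_for_drift_detection(cfn, detection_id, poll_seconds=2.0):
    """Poll DescribeStackDriftDetectionStatus until the run leaves DETECTION_IN_PROGRESS."""
    while True:
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            return status
        time.sleep(poll_seconds)

def drifted_resources(cfn, stack_name):
    """Run DetectStackDrift and return (logical_id, type, status, [changed paths]) per drifted resource."""
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    status = wait_for_drift_detection(cfn, detection_id)
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
    found, token = [], None
    while True:  # DescribeStackResourceDrifts pages results via NextToken
        kwargs = {"StackName": stack_name, "StackResourceDriftStatusFilters": ["MODIFIED", "DELETED"]}
        if token:
            kwargs["NextToken"] = token
        page = cfn.describe_stack_resource_drifts(**kwargs)
        for d in page["StackResourceDrifts"]:
            found.append((d["LogicalResourceId"], d["ResourceType"], d["StackResourceDriftStatus"],
                          [p["PropertyPath"] for p in d.get("PropertyDifferences", [])]))
        token = page.get("NextToken")
        if not token:
            return found

class FakeCloudFormation:
    """Constructed stand-in for a boto3 CloudFormation client: canned responses, runs offline."""
    def detect_stack_drift(self, StackName):
        return {"StackDriftDetectionId": "constructed-detection-id"}
    def describe_stack_drift_detection_status(self, StackDriftDetectionId):
        return {"DetectionStatus": "DETECTION_COMPLETE", "StackDriftStatus": "DRIFTED"}
    def describe_stack_resource_drifts(self, **kwargs):  # a console-edited cron expression
        return {"StackResourceDrifts": [{
            "LogicalResourceId": "NightlyReportSchedule", "ResourceType": "AWS::Scheduler::Schedule",
            "StackResourceDriftStatus": "MODIFIED",
            "PropertyDifferences": [{"PropertyPath": "/ScheduleExpression", "DifferenceType": "NOT_EQUAL"}]}]}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real stack: needs boto3 and AWS credentials in the environment
        import boto3
        cfn, stack = boto3.client("cloudformation"), sys.argv[1]
    else:
        cfn, stack = FakeCloudFormation(), "constructed-stack"
    drift = drifted_resources(cfn, stack)
    for logical_id, rtype, status, paths in drift:
        print(f"{status}: {logical_id} ({rtype}) {' '.join(paths)}")
    sys.exit(1 if drift else 0)  # non-zero exit fails the CI job before sam deploy runs
```

Run it with a stack name to check a real stack (the IAM principal needs cloudformation:DetectStackDrift, DescribeStackDriftDetectionStatus and DescribeStackResourceDrifts); with no argument it exercises the constructed client.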

I'm interested in this drift detection feature too. I do some work for a company with EventBridge schedulers in a SAM template, and occasionally someone will manually adjust the CRON expressions through the AWS Console user interface, during peak seasons when they need to run more often. I was surprised to realize that running sam deploy with the original SAM template does not override the manual adjustments or even warn about them.

Of course, I agree that in a perfect world no one would manually change any resource managed by CloudFormation. But it's much more convenient when even a non-coder manager can click a few buttons instead of touching source code or waiting for (and paying for) a coder to handle it.

jean-webdev avatar Sep 26 '25 09:09 jean-webdev