AWS::EC2::VPC - False-positive drift on EnableDnsHostnames and EnableDnsSupport when using Git Sync
Opened this issue · 11 comments
Name of the resource
AWS::EC2::VPC
Resource Name
No response
Issue Description
EDIT (2024-09-28): The issue only occurs if Git Sync is used.
AWS is detecting a drift on a newly created VPC with EnableDnsHostnames and EnableDnsSupport set to true.
The "Actual" output is missing both values.
Expected Behavior
No drift should be detected.
Observed Behavior
Here is the drift report:
This is inconsistent with what is displayed in the VPC details:
Test Cases
EDIT (2024-09-28): The following template only reproduces the issue if the deployment is done with Git Sync.
Here is an extract of the provided template:
AWSTemplateFormatVersion: '2010-09-09'
Description: stack template
Parameters:
VpcCidrBlock:
Type: String
Resources:
VPC:
Properties:
CidrBlock: !Ref 'VpcCidrBlock'
EnableDnsHostnames: true
EnableDnsSupport: true
Type: AWS::EC2::VPCOther Details
No response
My local test does not replicate this issue. Can you provide a region or stackid?
Yes, the region is eu-west-3 and here is the stack id:
arn:aws:cloudformation:eu-west-3:432287323027:stack/DevelopmentStack/9f88fb50-7c05-11ef-8392-0e9fe9bec705
if you try with the extracted sample template, do you still see the same issue? If so, can you share the stack id?
Max quota for VPC per region reached on our account.
I am asking for a quota increase in order to test.
The request is still pending.
I have just deployed a new stack with the following id:
arn:aws:cloudformation:eu-west-3:432287323027:stack/issue-2138/2b504a60-7d07-11ef-8cec-0eae10b2d427
The template is:
AWSTemplateFormatVersion: '2010-09-09'
Description: stack template
Resources:
VPC:
Properties:
CidrBlock: '172.50.0.0/16'
EnableDnsHostnames: true
EnableDnsSupport: true
Type: AWS::EC2::VPCNo drift is detected in this case so this means other resources probably need to be deployed to reproduce the issue.
If you need anymore testing, do not hesitate to ask.
EDIT: The full template reproducing the issue is quite large but I can provide it if needed.
We also have a smaller stack reproducing the issue:
arn:aws:cloudformation:eu-west-3:432287323027:stack/HubStack/9afb6ed0-7c03-11ef-8098-0ac092c2d633
Apart from the VPC, this stack also deploys private subnets with route tables and also some VPC endpoints.
Here is the template
AWSTemplateFormatVersion: '2010-09-09'
Outputs:
EcrApiVpcEndpointRegionDnsEntry:
Export:
Name: ServicesHubEcrApiVpcEndpointRegionDnsEntry
Value: !Select
- 0
- !GetAtt 'EcrApiVpcEndpoint.DnsEntries'
EcrDkrVpcEndpointRegionDnsEntry:
Export:
Name: ServicesHubEcrDkrVpcEndpointRegionDnsEntry
Value: !Select
- 0
- !GetAtt 'EcrDkrVpcEndpoint.DnsEntries'
EcsAgentVpcEndpointRegionDnsEntry:
Export:
Name: ServicesHubEcsAgentVpcEndpointRegionDnsEntry
Value: !Select
- 0
- !GetAtt 'EcsAgentVpcEndpoint.DnsEntries'
EcsTelemetryVpcEndpointRegionDnsEntry:
Export:
Name: ServicesHubEcsTelemetryVpcEndpointRegionDnsEntry
Value: !Select
- 0
- !GetAtt 'EcsTelemetryVpcEndpoint.DnsEntries'
EcsVpcEndpointRegionDnsEntry:
Export:
Name: ServicesHubEcsVpcEndpointRegionDnsEntry
Value: !Select
- 0
- !GetAtt 'EcsVpcEndpoint.DnsEntries'
LogsVpcEndpointRegionDnsEntry:
Export:
Name: ServicesHubLogsVpcEndpointRegionDnsEntry
Value: !Select
- 0
- !GetAtt 'LogsVpcEndpoint.DnsEntries'
PrivateSubnet0CidrBlock:
Export:
Name: ServicesHubPrivateSubnet0CidrBlock
Value: !GetAtt 'PrivateSubnet0.CidrBlock'
PrivateSubnet0RouteTableId:
Export:
Name: ServicesHubPrivateSubnet0RouteTableId
Value: !Ref 'PrivateSubnet0RouteTable'
PrivateSubnet1CidrBlock:
Export:
Name: ServicesHubPrivateSubnet1CidrBlock
Value: !GetAtt 'PrivateSubnet1.CidrBlock'
PrivateSubnet1RouteTableId:
Export:
Name: ServicesHubPrivateSubnet1RouteTableId
Value: !Ref 'PrivateSubnet1RouteTable'
PrivateSubnet2CidrBlock:
Export:
Name: ServicesHubPrivateSubnet2CidrBlock
Value: !GetAtt 'PrivateSubnet2.CidrBlock'
PrivateSubnet2RouteTableId:
Export:
Name: ServicesHubPrivateSubnet2RouteTableId
Value: !Ref 'PrivateSubnet2RouteTable'
SqsVpcEndpointRegionDnsEntry:
Export:
Name: ServicesHubSqsVpcEndpointRegionDnsEntry
Value: !Select
- 0
- !GetAtt 'SqsVpcEndpoint.DnsEntries'
VpcId:
Export:
Name: ServicesHubVpcId
Value: !GetAtt 'VPC.VpcId'
Parameters:
PrivateSubnet0CidrBlock:
Type: String
PrivateSubnet1CidrBlock:
Type: String
PrivateSubnet2CidrBlock:
Type: String
VpcCidrBlock:
Type: String
Resources:
EcrApiVpcEndpoint:
Properties:
SecurityGroupIds:
- !Ref 'VpcEndpointsSecurityGroup'
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.api'
SubnetIds:
- !Ref 'PrivateSubnet0'
- !Ref 'PrivateSubnet1'
- !Ref 'PrivateSubnet2'
VpcEndpointType: Interface
VpcId: !Ref 'VPC'
Type: AWS::EC2::VPCEndpoint
EcrDkrVpcEndpoint:
Properties:
SecurityGroupIds:
- !Ref 'VpcEndpointsSecurityGroup'
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.dkr'
SubnetIds:
- !Ref 'PrivateSubnet0'
- !Ref 'PrivateSubnet1'
- !Ref 'PrivateSubnet2'
VpcEndpointType: Interface
VpcId: !Ref 'VPC'
Type: AWS::EC2::VPCEndpoint
EcsAgentVpcEndpoint:
Properties:
SecurityGroupIds:
- !Ref 'VpcEndpointsSecurityGroup'
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecs-agent'
SubnetIds:
- !Ref 'PrivateSubnet0'
- !Ref 'PrivateSubnet1'
- !Ref 'PrivateSubnet2'
VpcEndpointType: Interface
VpcId: !Ref 'VPC'
Type: AWS::EC2::VPCEndpoint
EcsTelemetryVpcEndpoint:
Properties:
SecurityGroupIds:
- !Ref 'VpcEndpointsSecurityGroup'
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecs-telemetry'
SubnetIds:
- !Ref 'PrivateSubnet0'
- !Ref 'PrivateSubnet1'
- !Ref 'PrivateSubnet2'
VpcEndpointType: Interface
VpcId: !Ref 'VPC'
Type: AWS::EC2::VPCEndpoint
EcsVpcEndpoint:
Properties:
SecurityGroupIds:
- !Ref 'VpcEndpointsSecurityGroup'
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecs'
SubnetIds:
- !Ref 'PrivateSubnet0'
- !Ref 'PrivateSubnet1'
- !Ref 'PrivateSubnet2'
VpcEndpointType: Interface
VpcId: !Ref 'VPC'
Type: AWS::EC2::VPCEndpoint
LogsVpcEndpoint:
Properties:
SecurityGroupIds:
- !Ref 'VpcEndpointsSecurityGroup'
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs'
SubnetIds:
- !Ref 'PrivateSubnet0'
- !Ref 'PrivateSubnet1'
- !Ref 'PrivateSubnet2'
VpcEndpointType: Interface
VpcId: !Ref 'VPC'
Type: AWS::EC2::VPCEndpoint
PrivateSubnet0:
Properties:
AvailabilityZone: !Select
- 0
- !GetAZs
Ref: AWS::Region
CidrBlock: !Ref 'PrivateSubnet0CidrBlock'
VpcId: !Ref 'VPC'
Type: AWS::EC2::Subnet
PrivateSubnet0RouteTable:
Properties:
VpcId: !Ref 'VPC'
Type: AWS::EC2::RouteTable
PrivateSubnet0RouteTableAssociation:
Properties:
RouteTableId: !Ref 'PrivateSubnet0RouteTable'
SubnetId: !Ref 'PrivateSubnet0'
Type: AWS::EC2::SubnetRouteTableAssociation
PrivateSubnet1:
Properties:
AvailabilityZone: !Select
- 1
- !GetAZs
Ref: AWS::Region
CidrBlock: !Ref 'PrivateSubnet1CidrBlock'
VpcId: !Ref 'VPC'
Type: AWS::EC2::Subnet
PrivateSubnet1RouteTable:
Properties:
VpcId: !Ref 'VPC'
Type: AWS::EC2::RouteTable
PrivateSubnet1RouteTableAssociation:
Properties:
RouteTableId: !Ref 'PrivateSubnet1RouteTable'
SubnetId: !Ref 'PrivateSubnet1'
Type: AWS::EC2::SubnetRouteTableAssociation
PrivateSubnet2:
Properties:
AvailabilityZone: !Select
- 2
- !GetAZs
Ref: AWS::Region
CidrBlock: !Ref 'PrivateSubnet2CidrBlock'
VpcId: !Ref 'VPC'
Type: AWS::EC2::Subnet
PrivateSubnet2RouteTable:
Properties:
VpcId: !Ref 'VPC'
Type: AWS::EC2::RouteTable
PrivateSubnet2RouteTableAssociation:
Properties:
RouteTableId: !Ref 'PrivateSubnet2RouteTable'
SubnetId: !Ref 'PrivateSubnet2'
Type: AWS::EC2::SubnetRouteTableAssociation
SqsVpcEndpoint:
Properties:
SecurityGroupIds:
- !Ref 'VpcEndpointsSecurityGroup'
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sqs'
SubnetIds:
- !Ref 'PrivateSubnet0'
- !Ref 'PrivateSubnet1'
- !Ref 'PrivateSubnet2'
VpcEndpointType: Interface
VpcId: !Ref 'VPC'
Type: AWS::EC2::VPCEndpoint
VPC:
Properties:
CidrBlock: !Ref 'VpcCidrBlock'
EnableDnsHostnames: true
EnableDnsSupport: true
Type: AWS::EC2::VPC
VpcEndpointsSecurityGroup:
Properties:
GroupDescription: VPC Endpoints firewall rules
SecurityGroupIngress:
- CidrIp: '0.0.0.0/0'
Description: HTTPS access to AWS APIs
FromPort: 443
IpProtocol: tcp
ToPort: 443
VpcId: !Ref 'VPC'
Type: AWS::EC2::SecurityGroupHope this helps.
Hello @wangcaro3793,
I have reproduced the issue with a minimal example.
The issue occurs only when using Git Sync.
Here are the YAML files I did use on my Git repository:
stack/cfn-issue-2138/deployment.yaml:
template-file-path: 'stack/cfn-issue-2138/template.yaml'stack/cfn-issue-2138/template.yaml:
AWSTemplateFormatVersion: '2010-09-09'
Description: cfn issue 2138 stack template
Resources:
VPC:
Properties:
CidrBlock: '172.50.0.0/16'
EnableDnsHostnames: true
EnableDnsSupport: true
Type: AWS::EC2::VPCThese have been used to deploy the following stack with Git Sync:
arn:aws:cloudformation:eu-west-3:432287323027:stack/CfnIssue2138/bbbefb50-7d61-11ef-9733-0655824fe323
And this stack also reproduces the drift issue on its VPC.
Hello @wangcaro3793, did you manage to reproduce the issue with Git Sync?
hi @gautaz I don't have git sync setup so I'm not sure. But thanks for identifying that this is an issue with Git Sync. I'll have to loop in different support.
Hello @wangcaro3793,
Do I need to keep the stacks which helped demonstrating the issue or is the issue now reproduced on AWS side?
There is no problem in keeping them for a while, I just do not want to keep unused resources lingering without being ever used.
no need to keep the stack you can tear it down @gautaz