CloudFormation resources not updated on regular deployment

Question

Our team had an issue where someone manually modified an IAM role for an operational event. We hoped that a CloudFormation stack redeployment would revert the state of the IAM role, however, the manual change was still there.

My working theory is that since the IAM role arn is the same, that CloudFormation does not delete and recreate it. Is that accurate? And if so, how do we ensure all relevant resources are torn down during a deployment?

Answer 1

My working theory is that since the IAM role arn is the same, that CloudFormation does not delete and recreate it. Is that accurate?

CloudFormation (CFN) does not check for any changes made outside of its control. You could remove the role, and CFN would still "think" that the role is there.

If you change a resource created by CFN manually outside of CFN (bad practice), you have so called a stack drift. CFN by itself is not aware of any changes made to resources it creates that occurred outside its control. But, CFN provides special tools which you have to explicitly call to detect the drift:

• Detect drift on an entire CloudFormation stack

Not all resources support drift detection, but AWS::IAM::Role is one which does.

And if so, how do we ensure all relevant resources are torn down during a deployment?

Not sure what do you mean here. But you have to manually fix the drift. You have four choices:

1. Change the role back to its original state,
2. Update template to reflect the external changes,
3. Use import to import the changed role to stack,
4. Delete the entire stack, and create new one from the original template.

The last choice ensures that the modified role is also deleted and recreated in its original form.