How can I check if a resource was created by CloudFormation?

Question

I have inherited an AWS account with a lot of resources. Some of them were created manually, other by CloudFormation.

How can I check if a resource (in my case Security Group) was created by CloudFormation and belongs to a stack?

For some security groups aws ec2 describe-security-groups --group-ids real_id results in:

...
"Tags": [
            {
                "Value": "REAL_NAME",
                "Key": "aws:cloudformation:logical-id"
            },
            {
                "Value": "arn:aws:cloudformation:<REAL_ID>",
                "Key": "aws:cloudformation:stack-id"
            },
]
...

Other security groups don't have any tags.

Is it the only indicator? I mean, someone could easily remove tags form an SG created by CloudFormation.

Answer 1

As per the official documentation, in addition to any tags you define, AWS CloudFormation automatically creates the following stack-level tags with the prefix aws::

aws:cloudformation:logical-id

aws:cloudformation:stack-id

aws:cloudformation:stack-name

All stack-level tags, including automatically created tags, are propagated to resources that AWS CloudFormation supports. Currently, tags are not propagated to Amazon EBS volumes that are created from block device mappings.

--

This should be a good place to start with but since CF doesn't enforce the stack state so if someone deleted something manually then you would never know.

If I were you, I would export everything (supported) via Cloudformer and re-design the whole setup my way.

Another way:

You can pass PhysicalResourceId of a resource to describe_stack_resources and get the stack information if it belongs to a CF stack. This is an example:

cf = boto3.client('cloudformation') cf.describe_stack_resources(PhysicalResourceId="i-0xxxxxxxxxxxxxxxx")

https://boto3.readthedocs.io/en/latest/reference/services/cloudformation.html#CloudFormation.Client.describe_stack_resources