1
00:00:00,400 --> 00:00:01,970
So we've seen that CloudFormation

2
00:00:01,970 --> 00:00:04,430
is great to create infrastructure.

3
00:00:04,430 --> 00:00:07,340
But we are not protected by CloudFormation

4
00:00:07,340 --> 00:00:09,770
against manual changes in the configuration

5
00:00:09,770 --> 00:00:11,610
of what we create with CloudFormation.

6
00:00:11,610 --> 00:00:14,550
So to make it clear, someone that is not you

7
00:00:14,550 --> 00:00:16,150
could go into the console

8
00:00:16,150 --> 00:00:18,360
and change the configuration of some resources

9
00:00:18,360 --> 00:00:20,930
that were indeed created with CloudFormation.

10
00:00:20,930 --> 00:00:22,390
So this is called a drift.

11
00:00:22,390 --> 00:00:24,070
And to detect the drift,

12
00:00:24,070 --> 00:00:26,990
we can use the feature called CloudFormation drift.

13
00:00:26,990 --> 00:00:28,620
So not all resources are supported,

14
00:00:28,620 --> 00:00:30,550
but you can go to this URL to check it out.

15
00:00:30,550 --> 00:00:31,760
But I found that the coverage

16
00:00:31,760 --> 00:00:33,240
is already pretty, pretty good.

17
00:00:33,240 --> 00:00:35,220
So let's go in the hands-on to get a demo

18
00:00:35,220 --> 00:00:38,100
of how CloudFormation drift works.

19
00:00:38,100 --> 00:00:40,840
So let's go ahead and practice drift by creating a stack.

20
00:00:40,840 --> 00:00:43,770
The template is ready, I'm going to upload it

21
00:00:43,770 --> 00:00:47,623
and we'll choose 3-drift-security-group.yaml.
22
00:00:48,630 --> 00:00:51,440
We can view this template in the designer

23
00:00:51,440 --> 00:00:52,910
just to have a look,

24
00:00:52,910 --> 00:00:55,090
and if you look at the template itself,

25
00:00:55,090 --> 00:00:56,550
which is not very handy here,

26
00:00:56,550 --> 00:00:59,700
we have two security groups, one and two,

27
00:00:59,700 --> 00:01:02,250
and if we look at them, there's an SSHSecurityGroup

28
00:01:03,240 --> 00:01:05,360
and an HTTPSecurityGroup,

29
00:01:05,360 --> 00:01:07,900
as well as a VPC parameter

30
00:01:07,900 --> 00:01:10,430
to link it to the security groups.

31
00:01:10,430 --> 00:01:12,400
And so what we want to do is to ensure

32
00:01:12,400 --> 00:01:14,750
that the configuration of the security groups

33
00:01:14,750 --> 00:01:16,480
has not changed over time.

34
00:01:16,480 --> 00:01:19,660
So let's go ahead and first create the template.

35
00:01:19,660 --> 00:01:22,400
So I've clicked on the cloud upload button,

36
00:01:22,400 --> 00:01:25,200
which is going to make me click on next,

37
00:01:25,200 --> 00:01:26,900
and then I'll call it DemoDriftSG.

38
00:01:28,390 --> 00:01:30,080
We need to specify a VPCid,

39
00:01:30,080 --> 00:01:34,210
so I will use the drop-down and specify my default one.

40
00:01:34,210 --> 00:01:35,600
Click on next,

41
00:01:35,600 --> 00:01:38,630
scroll down and click on create stack.

42
00:01:38,630 --> 00:01:40,980
So the effect of this is that this is going to create

43
00:01:40,980 --> 00:01:42,910
two security groups for me,

44
00:01:42,910 --> 00:01:45,770
and as you can expect, I'm going to manually change

45
00:01:45,770 --> 00:01:47,140
the security group configuration.

46
00:01:47,140 --> 00:01:48,970
So they should be very quick,

47
00:01:48,970 --> 00:01:51,470
the security groups are in create in progress,

48
00:01:51,470 --> 00:01:53,390
and they're now both completed.
49
00:01:53,390 --> 00:01:55,100
So if I go to Resources,

50
00:01:55,100 --> 00:01:58,090
I have a link to both my security groups.

51
00:01:58,090 --> 00:02:02,380
So if I go to my HTTPSecurityGroup, under inbound rules,

52
00:02:02,380 --> 00:02:03,840
I can edit it.

53
00:02:03,840 --> 00:02:06,790
And for example, I can change this rule to say

54
00:02:06,790 --> 00:02:10,350
that I want a different CidrIp and I can add a description.

55
00:02:10,350 --> 00:02:12,710
So Foobar, and then this one,

56
00:02:12,710 --> 00:02:15,790
maybe I want to add HTTPS as well

57
00:02:15,790 --> 00:02:18,800
in this Security Group from anywhere.

58
00:02:18,800 --> 00:02:20,323
Okay, click on save rule.

59
00:02:21,750 --> 00:02:24,980
And in terms of the other Security Group,

60
00:02:24,980 --> 00:02:27,900
which is right here, this one, I can go

61
00:02:27,900 --> 00:02:30,620
into inbound rules and I can edit them

62
00:02:30,620 --> 00:02:34,120
and just delete this rule overall and click on save.

63
00:02:34,120 --> 00:02:35,551
So obviously the configuration

64
00:02:35,551 --> 00:02:37,970
of our security groups has changed,

65
00:02:37,970 --> 00:02:40,590
and so therefore I'm going to have to detect the drift,

66
00:02:40,590 --> 00:02:41,950
but right now CloudFormation

67
00:02:41,950 --> 00:02:43,990
is not aware that anything has changed.

68
00:02:43,990 --> 00:02:46,640
So to make it aware, we can click on stack actions

69
00:02:46,640 --> 00:02:49,260
and then click on detect drift.

70
00:02:49,260 --> 00:02:52,510
And this is going to start a drift detection mechanism,

71
00:02:52,510 --> 00:02:55,230
and then under stack actions, view drift results.

72
00:02:55,230 --> 00:02:57,580
We can look at the results and as you can see,

73
00:02:57,580 --> 00:02:58,760
it's already finished.

74
00:02:58,760 --> 00:03:01,140
The drift status is drifted.
75
00:03:01,140 --> 00:03:04,350
And so there are two modified Security Groups,

76
00:03:04,350 --> 00:03:07,040
and we can click on one for example

77
00:03:07,040 --> 00:03:09,670
and click on view drift details.

78
00:03:09,670 --> 00:03:13,590
So it is saying that the CidrIp is not equal

79
00:03:13,590 --> 00:03:14,870
and there's been one rule added.

80
00:03:14,870 --> 00:03:16,080
So there are two differences,

81
00:03:16,080 --> 00:03:20,280
and it shows us what the expected configuration is

82
00:03:20,280 --> 00:03:22,540
and what the actual configuration is.

83
00:03:22,540 --> 00:03:24,640
So as we can see here, well, they're not equal,

84
00:03:24,640 --> 00:03:27,260
and so we can go ahead and either update our templates

85
00:03:27,260 --> 00:03:28,770
to match the actual configuration,

86
00:03:28,770 --> 00:03:30,260
because maybe this is something we want to include

87
00:03:30,260 --> 00:03:31,250
in our templates,

88
00:03:31,250 --> 00:03:34,540
or we want to revert our stack

89
00:03:34,540 --> 00:03:37,219
by making sure that this is applied instead.

90
00:03:37,219 --> 00:03:39,270
And we could go, for example, into CloudTrail

91
00:03:39,270 --> 00:03:42,680
to understand who has changed our security group and when,

92
00:03:42,680 --> 00:03:44,830
to really understand the root cause of this.

93
00:03:44,830 --> 00:03:46,430
And so for the SSHSecurityGroup,

94
00:03:46,430 --> 00:03:49,980
again I can click on view drift details, and it's modified,

95
00:03:49,980 --> 00:03:51,570
and we can see here there's a change.

96
00:03:51,570 --> 00:03:52,880
This rule has been removed,

97
00:03:52,880 --> 00:03:55,890
and so the expected is this and the actual is that.
98
00:03:55,890 --> 00:03:59,550
So it's really, really cool to see the drift,

99
00:03:59,550 --> 00:04:00,950
because it's really helpful to know

100
00:04:00,950 --> 00:04:02,210
if your CloudFormation templates

101
00:04:02,210 --> 00:04:03,630
have drifted once in a while.

102
00:04:03,630 --> 00:04:06,250
So I would recommend you run the drifts quite often

103
00:04:06,250 --> 00:04:08,510
if you can. You can also access the drift menu

104
00:04:08,510 --> 00:04:10,330
from the left-hand side on the drifts,

105
00:04:10,330 --> 00:04:14,190
and this will take you to the drift menu, but that's it.

106
00:04:14,190 --> 00:04:17,110
And when you're done, just delete this template

107
00:04:17,110 --> 00:04:18,280
and you're good to go.

108
00:04:18,280 --> 00:04:20,030
I will see you in the next lecture.