Resource Orchestration Service: Overview

Last Updated: Feb 01, 2024

When you change resource configurations outside Resource Orchestration Service (ROS), you can use the drift detection feature to identify the changes in your stacks. Then, you can take corrective measures to re-synchronize resources with their definitions in the stack template. This ensures that the actual configurations of resources are consistent with the template configurations.

Sample scenarios

Detect drift on a stack

If you want to check whether the actual configurations and the defined template configurations of a stack or stack resources are the same, you can use the drift detection feature to detect drift on the stack.

For more information, see Detect drift on a stack.

Detect drift on a resource

If you want to check whether the actual configurations of a specific resource in a stack are inconsistent with its template configurations, you can use the drift detection feature to detect drift on the resource.

For more information, see Detect drift on a resource.

Detect drift on a stack group

For more information, see Detect drift on a stack group.

Limits

  • When ROS detects drift on a stack, ROS cannot detect drift on a nested stack of the stack. You can directly detect drift on the nested stack.

  • In some cases, ROS may fail to return accurate drift results. You can familiarize yourself with the cases to properly interpret drift detection results.

    • Specific objects in arrays of a resource property are reported as drift even though they are default values that the underlying service responsible for the resource provides for the property.

    • ROS may fail to compare specific resource properties that you specify in your stack templates with the properties of the generated stack resources. As a result, the properties are not included in the drift detection results. The properties are classified into the following categories:

      • Properties whose values ROS cannot map back to the initial resource property values in the stack template.

      • Properties whose values are not returned by the service responsible for the resource.

      • Properties whose values are designed to never be returned by the service responsible for the resource. The property values may contain confidential information that must not be exposed, such as passwords or sensitive data.

      • Properties that are not supported by ROS.

Considerations

You can call the GetResourceType operation to query whether the properties of a resource support drift detection. In this example, the properties of the ALIYUN::ESS::ScalingRule resource are queried. In the return values, the SupportDriftDetection parameter of the resource indicates whether the resource supports drift detection. A value of true indicates that the resource supports drift detection. In this case, each property of the resource is returned together with the SupportDriftDetection property to show whether the property supports drift detection.

{
    ...
    "ResourceType": "ALIYUN::ESS::ScalingRule",
    "Properties": {
        "ScalingRuleName": {
            ...
            "SupportDriftDetection": true
        },
        ...
    },
    "SupportDriftDetection": true
}
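The following is an added example, not code from ROS or its documentation. It uses the per-property SupportDriftDetection flags from GetResourceType responses to list which properties of a stack template fall outside drift detection results, so that a clean drift report is not read as covering them. The responses and the template are constructed samples; "HypotheticalSecret" and "EXAMPLE::Hypothetical::Type" are made-up names, and the nested stack type is assumed to be ALIYUN::ROS::Stack.

```python
# Constructed GetResourceType responses, reduced to the fields shown above.
# "HypotheticalSecret" and "EXAMPLE::Hypothetical::Type" are made-up names.
RESOURCE_TYPES = {
    "ALIYUN::ESS::ScalingRule": {
        "ResourceType": "ALIYUN::ESS::ScalingRule",
        "Properties": {
            "ScalingRuleName": {"SupportDriftDetection": True},
            "HypotheticalSecret": {"SupportDriftDetection": False},
        },
        "SupportDriftDetection": True,
    },
    "EXAMPLE::Hypothetical::Type": {
        "ResourceType": "EXAMPLE::Hypothetical::Type",
        "Properties": {"Name": {}},
        "SupportDriftDetection": False,
    },
}

# Constructed stack template (ROS template layout: Resources -> Type/Properties).
TEMPLATE = {
    "ROSTemplateFormatVersion": "2015-09-01",
    "Resources": {
        "RuleA": {"Type": "ALIYUN::ESS::ScalingRule",
                  "Properties": {"ScalingRuleName": "scale-out"}},
        "RuleB": {"Type": "ALIYUN::ESS::ScalingRule",
                  "Properties": {"ScalingRuleName": "scale-in", "HypotheticalSecret": "x"}},
        "Child": {"Type": "ALIYUN::ROS::Stack", "Properties": {}},
        "Other": {"Type": "EXAMPLE::Hypothetical::Type", "Properties": {"Name": "n"}},
    },
}

NESTED_STACK = "ALIYUN::ROS::Stack"  # assumed nested stack type; not covered by parent-stack detection


def drift_blind_spots(template, resource_types):
    """Map logical ID -> template properties that drift detection will not compare.
    ["*"] means the whole resource is outside the result (unknown types fail closed)."""
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        info = resource_types.get(res.get("Type"))
        if res.get("Type") == NESTED_STACK or not info or not info.get("SupportDriftDetection"):
            report[logical_id] = ["*"]
            continue
        flags = info.get("Properties", {})
        missed = sorted(p for p in res.get("Properties", {})
                        if not flags.get(p, {}).get("SupportDriftDetection"))
        if missed:
            report[logical_id] = missed
    return report
```

Resources that are fully covered, such as RuleA in the sample, are left out of the report; everything listed needs a separate check, for example direct detection on the nested stack.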

Functions and features

Drift detection object: Resource

  Description: ROS compares the expected resource property values that you define in the template with the actual property values. A resource is considered to have drifted if an actual property value of the resource differs from the expected property value.

  Permission required for drift detection:

  • Read permissions on the resource.

  • ros:DetectStackResourceDrift permission.

Drift detection object: Stack

  Description: A stack is considered to have drifted if a resource in the stack has drifted.

  Note: ROS generates details of each resource in the stack that has drifted.

  Permission required for drift detection:

  • Read permissions on each resource in the stack. For example, if a stack contains the ALIYUN::VPC::EIP resource, you must have the vpc:DescribeEipAddresses permission to detect drift on the resource.

  • ros:DetectStackDrift permission.

Drift detection object: Stack group

  Description: ROS determines the overall drift status of a stack group based on the drift status of the stack instances that belong to the stack group. A stack group is considered to have drifted if the associated stacks of its stack instances have drifted.

  Permission required for drift detection:

  • Read permissions on each resource in the stacks that belong to the stack group.

  • ros:DetectStackGroupDrift permission.

Resources and stacks that support drift detection

Drift detection object: Resource

  Description: For more information, see Resource types that support drift detection and resource import.

Drift detection object: Stack

  Description: Stacks in one of the following states support drift detection:

  • CREATE_COMPLETE

  • UPDATE_COMPLETE

  • ROLLBACK_COMPLETE

  • ROLLBACK_FAILED

  • CHECK_COMPLETE
