Resource Orchestration Service (ROS) provides the drift detection feature to identify the configuration changes in your stacks that are beyond the control of ROS. You can then take corrective measures to re-synchronize resources with their template definitions. For example, you can update the affected resources or use the template correction function to correct the template. Drift correction helps you ensure that changes in resources can be identified and the relevant actions can be taken.

You can make direct changes to the resources in a stack without updating the template in ROS. For example, you can use the ECS console to update an ECS instance that is created as part of an ROS resource stack. Changes made directly to the resources in a stack can cause issues when you want to update or delete the stack. You can use the drift detection feature to identify the configuration changes of resources in a stack that are made beyond the management scope of ROS.

The drift detection feature enables you to detect whether the actual configuration of a stack differs or has drifted from its expected configuration. You can use ROS to detect drift on an entire stack or on individual resources within the stack. For example, you can detect whether a property or resource of the stack is deleted.

  • A resource is considered to have drifted if one of its actual property values differs from the expected property value.
  • A stack is considered to have drifted if one or more of its resources have drifted.

To determine whether a resource has drifted, ROS compares the expected resource property values defined in the template with the actual values of the resource properties.

Note: A resource is considered to have drifted if one or more of its property values have been deleted or modified. ROS generates details on each resource in the stack that has drifted.

Precautions

ROS only detects drift on resources that support drift detection. Resources that do not support drift detection are assigned the NOT_CHECKED state. For more information, see Resources that support drift detection.

You can detect drift on stacks in one of the following states:
  • CREATE_COMPLETE
  • UPDATE_COMPLETE
  • ROLLBACK_COMPLETE
  • ROLLBACK_FAILED
  • CHECK_COMPLETE

When detecting drift on a stack, ROS does not detect drift on any nested stacks that belong to this stack. To detect drift on nested stacks, you must initiate a drift detection operation on the nested stacks.

ROS determines drift only for property values that are explicitly set, either in the template or by specifying template parameters. Drift detection does not cover the default values of resource properties. If you want to track the drift of a resource property, you must explicitly set the property value even if the value is the same as the default value.

To detect drift on stacks, you must have the following permissions:

  • Read permission on resources that support drift detection in the stack. For example, if the stack contains an ALIYUN::VPC::EIP resource, you must have the vpc:DescribeEipAddresses permission to detect drift on the stack.
  • To detect drift on stacks, you must have the ros:DetectStackDrift permission.
  • To detect drift on resources, you must have the ros:DetectStackResourceDrift permission.

In some cases, ROS may not be able to return accurate drift detection results. We recommend that you familiarize yourself with these cases to avoid incorrectly interpreting drift detection results.

  • In some cases, objects contained in property arrays are reported as drift even though they are default values that the underlying service responsible for the resource supplies for the properties.
  • You can specify certain resource properties in your template. If ROS cannot compare these properties with the actual properties in the stack resources, these properties are not included in drift detection results. The types of such properties are as follows:
    • Properties that ROS cannot map back to their actual resource properties in the template.
    • Property values that the service responsible for the resource does not return.
    • Property values that are designed to never be returned by the service responsible for the resource. These property values may contain confidential information such as passwords or other sensitive data that must not be exposed.
    • Resource properties that are not supported by ROS.

    You can query whether the resource properties support drift detection. For more information, see GetResourceType. For example, you can query the return values of the ALIYUN::ESS::ScalingRule resource. In the return values, the last SupportDriftDetection field indicates whether the resource supports drift detection. If the value of this field is true, the resource supports drift detection and each property contains a SupportDriftDetection field that indicates whether the property supports drift detection.

    {
        ...
        "ResourceType": "ALIYUN::ESS::ScalingRule",
        "Properties": {
            "ScalingRuleName": {
                ...
                "SupportDriftDetection": true
            },
            ...
        },
        "SupportDriftDetection": true
    }
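A coverage check that combines the two points above (only explicitly set values are tracked, and each property carries its own SupportDriftDetection flag), as an added example that is not ROS code or part of the original page. The response and the template fragment are constructed samples shaped like the excerpt above; every property name except ScalingRuleName and all flag values are illustrative assumptions.

```python
# Constructed sample shaped like the GetResourceType excerpt on this page.
# Property names other than ScalingRuleName, and all flag values, are illustrative.
RESOURCE_TYPE = {
    "ResourceType": "ALIYUN::ESS::ScalingRule",
    "Properties": {
        "ScalingRuleName": {"SupportDriftDetection": True},
        "ExampleTrackedProp": {"SupportDriftDetection": True},
        "ExampleSecretProp": {"SupportDriftDetection": False},
        "ExampleLegacyProp": {},  # flag absent: treated as unsupported
    },
    "SupportDriftDetection": True,
}

# Constructed template fragment: only explicitly set properties appear here.
TEMPLATE_PROPERTIES = {
    "ScalingRuleName": "scale-out",
    "ExampleSecretProp": "constructed-value",
}


def drift_coverage(resource_type, template_props):
    """Classify each property by whether drift detection can track it."""
    report = {"tracked": [], "set_but_unsupported": [],
              "unset_default_untracked": [], "unknown_property": []}
    schema = resource_type.get("Properties", {})
    # If the resource-level flag is not true, no property of it is tracked.
    resource_ok = resource_type.get("SupportDriftDetection") is True
    for name in sorted(set(schema) | set(template_props)):
        if name not in schema:
            report["unknown_property"].append(name)
            continue
        prop_ok = resource_ok and schema[name].get("SupportDriftDetection") is True
        if name in template_props:
            report["tracked" if prop_ok else "set_but_unsupported"].append(name)
        elif prop_ok:
            # Supported, but left at its default, so drift is not tracked.
            report["unset_default_untracked"].append(name)
    return report


if __name__ == "__main__":
    result = drift_coverage(RESOURCE_TYPE, TEMPLATE_PROPERTIES)
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Properties listed under set_but_unsupported or unset_default_untracked can change outside ROS without appearing in a drift result, so they need a separate control.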

Drift detection status codes

The following section describes the status types of drift detection:

  • Drift detection operation status: describes the current status of the drift detection operation.
  • Drift status of stack groups, stack instances, or stacks.
    • Stack group drift status: describes the drift status of a stack group based on the drift status of the stack instances that belong to the group.
    • Stack instance drift status: describes the drift status of a stack instance based on the drift status of the stack associated with the instance.
    • Stack drift status: describes the drift status of a stack based on the drift status of its resources.
  • Resource drift status: describes the drift status of an individual resource.

The following table describes the status codes assigned by ROS to stack drift detection operations.

| Drift detection operation status | Description |
| --- | --- |
| DETECTION_COMPLETE | The stack drift detection operation has been successfully completed for all resources in the stack that support drift detection. |
| DETECTION_FAILED | The stack drift detection operation has failed for at least one resource in the stack. |
| DETECTION_IN_PROGRESS | The stack drift detection operation is in progress. |

The following table describes the drift status codes assigned by ROS to stacks.

| Drift status | Description |
| --- | --- |
| DRIFTED | For a stack: The stack differs or has drifted from its expected configuration. A stack is considered to have drifted if one or more of its resources have drifted. For a stack instance: The stack instance is considered to have drifted if the stack associated with it has drifted. For a stack group: The stack group is considered to have drifted if one or more of its stack instances have drifted. |
| NOT_CHECKED | ROS has not detected whether the stack, stack instance, or stack group differs from its expected configuration. |
| IN_SYNC | The current configuration of each resource that supports drift detection matches its expected configuration. Note: Stacks, stack instances, or stack groups are also assigned the IN_SYNC state when they have no resources that support drift detection. |

The following table describes the drift status codes assigned by ROS to stack resources.

| Resource drift status | Description |
| --- | --- |
| DELETED | The resource differs from its expected configuration because the resource has been deleted. |
| MODIFIED | The resource differs from its expected configuration. |
| NOT_CHECKED | ROS has not detected whether the resource differs from its expected configuration. |
| IN_SYNC | The current configuration of the resource matches its expected configuration. |

The following table describes the different types of status codes assigned by ROS to resource properties that differ from their expected configuration.

| Property difference type | Description |
| --- | --- |
| ADD | A value has been added to a resource property that is of the array or list data type. |
| REMOVE | The property has been removed from the current resource configuration. |
| NOT_EQUAL | The current property value differs from the expected value as defined in the template. |

References

The following table describes the topics related to drift detection.

| Topic | Description |
| --- | --- |
| Detect drift on a stack | You can perform drift detection on a stack to determine whether the stack has drifted from its expected configuration. The operation returns the details about the drift status of the resources in the stack that support drift detection. |
| Detect drift on a resource | You can perform drift detection on individual resources in a stack to determine whether the resources have drifted from the expected configuration. |
| Resources that support drift detection | ROS detects drift only on resources that support drift detection. |
| Detect drift on a stack group | You can detect whether any stack instances in a stack group differ from their expected configurations or have drifted. |
| Correct drift on a stack | Stack drift correction helps ensure the consistency between resource configurations and their template definitions. Changes can be synchronized between stack configurations and template definitions. |