AWS Cloudformation and manual changes
I can't seem to find any documentation about what happens when you manually mess with Cloudformation's objects.
I see it tags its objects, but does it recover if, say, someone deletes a routing rule?
EDIT: Just got two contradicting answers. I'd like to request some documentation / evidence, since I have to decide what directions I'm giving my colleagues about modifying these resources.
Solution 1:
CloudFormation only creates or modifies AWS resources during deployment, update, or deletion of a stack. It does not continually 'check and enforce' individual stack resources' configuration states - drift can definitely occur.
As an example, if I deploy a CF Stack and then later manually modify an Inbound Rule on one of its Security Groups, this modification will persist until I run an explicit CF Update or redeploy the stack.
Here are some helpful snippets / links:
Q: Can I manage individual AWS resources that are part of an AWS CloudFormation stack?
Yes. AWS CloudFormation does not get in the way; you retain full control of all elements of your infrastructure. You can continue using all your existing AWS and third-party tools to manage your AWS resources.
AWS CloudFormation Stacks Updates: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html
Prevent Updates to Stack Resources: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html
Please note the last link is only referring to protecting resources during a CloudFormation Update action, not ad-hoc changes made via the Management Console or API to individual resources.
Solution 2:
If you mess with resources that Cloudformation deploys, the resources wont be recovered/restored/put into compliance, if you really need to enforce integrity you will need to redeploy the stack.