

# Update CloudFormation stacks using change sets
<a name="using-cfn-updating-stacks-changesets"></a>

When you need to update a stack, understanding how your changes will affect running resources before you implement them can help you update stacks with confidence. Change sets allow you to preview how proposed changes to a stack might impact your running resources, including the impact on resource properties and attributes, and whether your changes will delete or replace any critical resources. CloudFormation makes the changes to your stack only when you decide to execute the change set, allowing you to decide whether to proceed with your proposed changes or explore other changes by creating another change set. You can create and manage change sets using the CloudFormation console, AWS CLI, or CloudFormation API.

**Topics**
+ [Create a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-create.md)
+ [View a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-view.md)
+ [Using drift-aware change sets](drift-aware-change-sets.md)
+ [Execute a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-execute.md)
+ [Delete a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-delete.md)
+ [Example change sets for CloudFormation stacks](using-cfn-updating-stacks-changesets-samples.md)
+ [Change sets for nested stacks](change-sets-for-nested-stacks.md)

**Important**  
Change sets don't indicate whether CloudFormation will successfully update a stack. For example, a change set doesn't check if you will surpass an account quota, if you're updating a resource that doesn't support updates, or if you have insufficient permissions to modify a resource, all of which can cause a stack update to fail. If an update fails, CloudFormation attempts to roll back your resources to their original state.

**Change Set Overview**  
The following diagram summarizes how you use change sets to update a stack:

![\[Diagram showing four steps to update a stack using CloudFormation change sets.\]](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/update-stack-changesets-diagram.png)


1. Create a change set by submitting changes for the stack that you want to update. You can submit a modified stack template or modified input parameter values. CloudFormation compares your stack with the changes that you submitted to generate the change set; it doesn't make changes to your stack at this point.

1. View the change set to see which stack settings and resources will change. For example, you can see which resources CloudFormation will add, modify, or delete. Additionally, you can see a before-and-after comparison of the resource properties and attributes, such as tags, that CloudFormation will modify.

1. Optional: If you want to consider other changes before you decide which changes to make, create additional change sets. Creating multiple change sets helps you understand and evaluate how different changes will affect your resources and properties. You can create as many change sets as you need.

1. Execute the change set that contains the changes that you want to apply to your stack. CloudFormation updates your stack with those changes.
**Note**  
After you execute a change set, CloudFormation removes all change sets that are associated with the stack because they aren't applicable to the updated stack.

You can also delete change sets to prevent executing a change set that shouldn't be applied.

# Create a change set for a CloudFormation stack
<a name="using-cfn-updating-stacks-changesets-create"></a>

To create a change set for a running stack, submit the changes that you want to make by providing a modified template, new input parameter values, or both. CloudFormation generates a change set by comparing your stack with the changes you submitted.

You can either modify a template before creating the change set or during change set creation.

------
#### [ Create a change set (console) ]

**To create a change set**

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. On the navigation bar at the top of the screen, choose your AWS Region.

1. On the **Stacks** page, choose the running stack you want to create a change set for.

1. In the stack details pane, choose **Stack actions**, and then choose **Create a change set**.

1. On the **Create change set for *stack-name*** page, do one of the following to modify input parameter values, specify the location of an updated template, or modify the template:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-changesets-create.html)

1. On the **Specify stack details** page, specify a name for the change set and optionally specify a description of the change set to identify its purpose in the **Overview** section. If your template contains parameters, on the **Specify stack details** page, enter or modify applicable input parameter values, and then choose **Next**.

   If you're reusing the stack's template, CloudFormation populates each parameter with the current value in the stack, with the exception of parameters declared with the `NoEcho` attribute. To use existing values for those parameters, select **Use existing value**.

   For more information about using `NoEcho` to mask sensitive information, and using dynamic parameters to manage secrets, see the [Do not embed credentials in your templates](security-best-practices.md#creds) best practice.

1. On the **Configure stack options** page, update the stack's tags, IAM service role, stack policy, rollback configuration, Amazon SNS notification topic (if applicable), or change sets.
**Note**  
Change sets for nested stacks are **Enabled** by default, which will create change sets for all nested stacks specified in your template. To create a change set for the current stack only, choose **Disabled**. For more information about change sets for nested stacks, see [Change sets for nested stacks](change-sets-for-nested-stacks.md).

1. If the template includes IAM resources, for **Capabilities**, choose **I acknowledge that CloudFormation might create IAM resources**. IAM resources can modify permissions in your AWS account; review these resources to ensure that you're permitting only the actions that you intend. For more information, see [Acknowledging IAM resources in CloudFormation templates](control-access-with-iam.md#using-iam-capabilities).

1. Choose **Next** to continue.

1. On the **Review *stack-name*** page, review the changes for this change set.

1. Choose **Submit**.

   You're redirected to the **Changes** tab of the change set's details page. While CloudFormation generates the change set, the status of the change set is `CREATE_PENDING`. After it has created the change set, CloudFormation sets the status to `CREATE_COMPLETE`. In the **Changes** section, CloudFormation lists all of the changes that it will make to your stack. For more information, see [View a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-view.md).

   Choose **View details** in the **Property-level changes** column to view changes made at the property-level.

   If CloudFormation fails to create the change set (reports `FAILED` status), fix the error displayed in the **Status** field, and then recreate the change set.

1. After confirming the changes look correct, choose **Execute change set**.

------
#### [ Create a change set for nested stacks (console) ]

**To create a change set for nested stacks**

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. On the navigation bar at the top of the screen, choose your AWS Region.

1. On the **Stacks** page, select the running stack you want to create a change set for.

1. In the stack details pane, choose **Stack actions**, and then choose **Create a change set**.

1. On the **Create change set for *stack-name*** page, do one of the following to modify input parameter values, specify the location of an updated template, or modify the template:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-changesets-create.html)

1. On the **Specify stack details** page, specify a name for the change set and optionally specify a description of the change set to identify its purpose in the **Overview** section. If your template contains parameters, on the **Specify stack details** page, enter or modify applicable input parameter values, and then choose **Next**.

   If you're reusing the stack's template, CloudFormation populates each parameter with the current value in the stack, with the exception of parameters declared with the `NoEcho` attribute. To use existing values for those parameters, select **Use existing value**.

   For more information about using `NoEcho` to mask sensitive information, as well as using dynamic parameters to manage secrets, see the [Do not embed credentials in your templates](security-best-practices.md#creds) best practice.

1. On the **Configure stack options** page, update the stack's tags, IAM service role, stack policy, rollback configuration, Amazon SNS notification topic (if applicable), or change sets. For more information, see [Configure stack options](cfn-console-create-stack.md#configure-stack-options).
**Note**  
Change sets for nested stacks are **Enabled** by default, which will create change sets for all nested stacks specified in your template. For more information about change sets for nested stacks, see [Change sets for nested stacks](change-sets-for-nested-stacks.md).

1. If the template includes IAM resources, for **Capabilities**, choose **I acknowledge that CloudFormation might create IAM resources**. IAM resources can modify permissions in your AWS account; review these resources to ensure that you're permitting only the actions that you intend. For more information, see [Acknowledging IAM resources in CloudFormation templates](control-access-with-iam.md#using-iam-capabilities).

1. Choose **Next** to continue.

1. On the **Review *stack-name*** page, review the changes for this change set.

1. Choose **Submit**.
**Note**  
CloudFormation property-level change sets do not resolve cross-stack references when you create change sets for nested stacks. Change sets can mark resources in a child stack for conditional replacement if they reference the output of a parent stack and the parent stack has been modified.

   You're redirected to the **Changes** tab of the change set's details page. While CloudFormation generates the change set, the status of the change set is `CREATE_PENDING`. After it has created the change set, CloudFormation sets the status to `CREATE_COMPLETE`. In the **Changes** section, CloudFormation lists all of the changes that it will make to your stack. For more information, see [View a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-view.md).

   If CloudFormation fails to create the change set (reports `FAILED` status), fix the error displayed in the **Status** field, and then recreate the change set.

1. After confirming the changes look correct, choose **Execute change set**.

------

**To create a change set (AWS CLI)**
+ Use the [`create-change-set`](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-change-set.html) command.

  You submit your changes as command options. You can specify new parameter values, a modified template, or both. For example, the following command creates a change set named `SampleChangeSet` for the `MyStack` stack. The change set uses the current stack's template, but with a different value for the `Purpose` parameter:

  ```
  aws cloudformation create-change-set --stack-name MyStack \
      --change-set-name SampleChangeSet --use-previous-template \
      --parameters \
        ParameterKey="InstanceType",UsePreviousValue=true ParameterKey="KeyPairName",UsePreviousValue=true ParameterKey="Purpose",ParameterValue="production"
  ```

# View a change set for a CloudFormation stack
<a name="using-cfn-updating-stacks-changesets-view"></a>

After you create a change set, you can view the proposed changes before executing them. You can use the CloudFormation console, AWS CLI, or CloudFormation API to view change sets. The CloudFormation console provides a summary of the changes and a detailed list of changes in JSON format. The AWS CLI and AWS CloudFormation API return a detailed list of changes in JSON format.

------
#### [ View a change set (console) ]

**To view a change set**

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. On the navigation bar at the top of the screen, choose your AWS Region.

1. On the **Stacks** page, choose the name of the stack that contains the change set that you want to view.

1. In the navigation pane, choose **Change Sets** to view a list of the stack's change sets.

1. Choose the name of the change set that you want to view.

   The CloudFormation console directs you to the change set's details page, where you can see the time the change set was created, its status, the input used to generate the change set, and a summary of the changes.

   In the **Changes** section, each row represents a resource that CloudFormation will add, modify, or remove.
   + **Add** – CloudFormation creates a resource when you add a resource to the stack's template.
   + **Modify** – CloudFormation modifies a resource when you change the properties of a resource in the stack's template.
   + **Remove** – CloudFormation deletes a resource when you delete a resource from the stack's template.
**Note**  
A modification can cause the resource to be interrupted or replaced (recreated). For more information about resource update behaviors, see [Understand update behaviors of stack resources](using-cfn-updating-stacks-update-behaviors.md).

   To focus on specific changes, use the filter view. For example, filter for a specific resource type, such as `AWS::EC2::Instance`. To filter for a specific resource, specify its logical or physical ID, such as `myWebServer` or `i-123abcd4`.

1. In the **Changes** section, choose **View details** in the **Property-level changes** column to view property value changes made to your resource.

1. The CloudFormation console directs you to the property-level changes page for a resource, where you can see the template configuration of the resource before executing a change set and what the template configuration will look like after executing the change set.

   The **Property-level changes** section table shows the **Path**, **Change type**, **Before value**, and **After value** for impacted properties. In the table, choose the checkbox for each change you want to highlight in the **Before** and **After** views of your template to see what changes will be made at the property-level.
   + **Add** – Added properties are highlighted green.
   + **Modify** – Modified properties are highlighted blue.
   + **Remove** – Removed properties are highlighted red.

------
#### [ View a change set for nested stack (console) ]

**To view a change set for nested stacks (console)**

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. On the navigation bar at the top of the screen, choose your AWS Region.

1. On the **Stacks** page, choose the name of the stack that contains the change set that you want to view.

1. In the navigation pane, choose **Change sets** to view a list of the stack's change sets.

1. Choose the name of the change set that you want to view.

   The CloudFormation console directs you to the change set's details page, where you can see the time the change set was created, its status, the input used to generate the change set, and a summary of the changes.

   In the **Changes** section, each row represents a resource that CloudFormation will add, modify, or remove, or a resource whose change action is dynamic.
   + **Add** – CloudFormation creates a resource when you add a resource to the stack's template.
   + **Modify** – CloudFormation modifies a resource when you change the properties of a resource in the stack's template.
   + **Remove** – CloudFormation deletes a resource when you delete a resource from the stack's template.
   + **Dynamic** – CloudFormation can't determine the exact resource change action from the nested stack's template.
**Note**  
A modification can cause the resource to be interrupted or replaced (recreated). For more information about resource update behaviors, see [Understand update behaviors of stack resources](using-cfn-updating-stacks-update-behaviors.md).

   To focus on specific changes, use the filter view. For example, filter for a specific resource type, such as **AWS::CloudFormation::Stack**. To filter for a specific resource, specify its logical or physical ID, such as **DeadLetterQueue** or **NestedStack**.

1. In the **Changes** section, choose **View nested change set** of the nested change set you want to view.

   The CloudFormation console directs you to the nested change set's details page. You can choose **Go to root change set** to view the root change set, or you can choose **View parent change set** to view the parent change set. For more information, see [Change sets for nested stacks](change-sets-for-nested-stacks.md).
**Note**  
CloudFormation property-level change sets do not resolve cross-stack references when you create change sets for nested stacks. Change sets can mark resources in a child stack for conditional replacement if they reference the output of a parent stack and the parent stack has been modified.

------

**To view a change set (AWS CLI)**

1. To get the ID of the change set, run the [`list-change-sets`](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/list-change-sets.html) command.

   Specify the name of the stack that has the change set that you want to view, as shown in the following example:

   ```
   aws cloudformation list-change-sets --stack-name MyStack
   ```

   CloudFormation returns a list of change sets, similar to the following:

   ```
   {
       "Summaries": [
           {
               "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/MyStack/1a2345b6-0000-00a0-a123-00abc0abc000",
               "Status": "CREATE_COMPLETE",
               "ChangeSetName": "SampleChangeSet",
               "CreationTime": "2020-11-18T20:44:05.889Z",
               "StackName": "MyStack",
               "ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/SampleChangeSet/1a2345b6-0000-00a0-a123-00abc0abc000"
           },
           {
               "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/MyStack/1a2345b6-0000-00a0-a123-00abc0abc000",
               "Status": "CREATE_COMPLETE",
               "ChangeSetName": "SampleChangeSet-conditional",
               "CreationTime": "2020-11-18T21:15:56.398Z",
               "StackName": "MyStack",
               "ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/SampleChangeSet-conditional/1a2345b6-0000-00a0-a123-00abc0abc000"
           },
           {
               "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/MyStack/1a2345b6-0000-00a0-a123-00abc0abc000",
               "Status": "CREATE_COMPLETE",
               "ChangeSetName": "SampleChangeSet-replacement",
               "CreationTime": "2020-11-18T21:03:37.706Z",
               "StackName": "MyStack",
               "ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/SampleChangeSet-replacement/1a2345b6-0000-00a0-a123-00abc0abc000"
           }
       ]
   }
   ```

1. Run the [`describe-change-set`](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/describe-change-set.html) command, specifying the ID of the change set that you want to view. For example:

   ```
   aws cloudformation describe-change-set \
     --change-set-name arn:aws:cloudformation:us-east-1:123456789012:changeSet/SampleChangeSet/1a2345b6-0000-00a0-a123-00abc0abc000
   ```

   CloudFormation returns information about the specified change set.

   ```
   {
       "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/MyStack/1a2345b6-0000-00a0-a123-00abc0abc000",
       "Status": "CREATE_COMPLETE",
       "ChangeSetName": "SampleChangeSet-direct",
       "Parameters": [
           {
               "ParameterValue": "testing",
               "ParameterKey": "Purpose"
           },
           {
               "ParameterValue": "ellioty-useast1",
               "ParameterKey": "KeyPairName"
           },
           {
               "ParameterValue": "t2.micro",
               "ParameterKey": "InstanceType"
           }
       ],
       "Changes": [
           {
               "ResourceChange": {
                   "ResourceType": "AWS::EC2::Instance",
                   "PhysicalResourceId": "i-1abc23d4",
                   "Details": [
                       {
                           "ChangeSource": "DirectModification",
                           "Evaluation": "Static",
                           "Target": {
                               "Attribute": "Tags",
                               "RequiresRecreation": "Never"
                           }
                       }
                   ],
                   "Action": "Modify",
                   "Scope": [
                       "Tags"
                   ],
                   "LogicalResourceId": "MyEC2Instance",
                   "Replacement": "False"
               },
               "Type": "Resource"
           }
       ],
       "CreationTime": "2020-11-18T23:35:25.813Z",
       "Capabilities": [],
       "StackName": "MyStack",
       "NotificationARNs": [],
       "ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/SampleChangeSet-direct/9edde307-960d-4e6e-ad66-b09ea2f20255"
   }
   ```

   Use `--include-property-values` with **describe-change-set** to list the property-level changes.

   The `Changes` key lists changes to resources. If you were to execute this change set, CloudFormation would update the tags of the `i-1abc23d4` EC2 instance. For a description of each field, see the [Change](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_Change.html) data type in the *AWS CloudFormation API Reference*.

   For additional examples of change sets, see [Example change sets for CloudFormation stacks](using-cfn-updating-stacks-changesets-samples.md).

**To view property-level changes in a change set (AWS CLI)**
+ The following command lists the property-level changes in a change set for an `AWS::EC2::NetworkInterface` resource. The change set removes the `Ipv4Prefixes` property, modifies the `Description` of the resource, and adds a `Tag`:

  ```
  aws cloudformation describe-change-set --include-property-values \
    --change-set-name arn:aws:cloudformation:us-east-1:123456789012:changeSet/ExampleChangeSet/9f7b541b-126b-44f7-998e-932174557841
  ```

  The following is example output.

  ```
  {
      "ChangeSetName": "ExampleChangeSet",
      "ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/ExampleChangeSet/9f7b541b-126b-44f7-998e-932174557841",
      "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/ExampleStack/ab664180-f686-11ee-9e29-12cd92393671",
      "StackName": "ExampleStack",
      "Description": null,
      "Parameters": null,
      "CreationTime": "2024-04-09T18:04:59.935000+00:00",
      "ExecutionStatus": "AVAILABLE",
      "Status": "CREATE_COMPLETE",
      "StatusReason": null,
      "NotificationARNs": [],
      "RollbackConfiguration": {
          "RollbackTriggers": []
      },
      "Capabilities": [],
      "Tags": null,
      "ParentChangeSetId": null,
      "IncludeNestedStacks": true,
      "RootChangeSetId": null,
      "OnStackFailure": null,
      "Changes": [
          {
              "Type": "Resource",
              "ResourceChange": {
                  "Action": "Modify",
                  "LogicalResourceId": "EC2NetworkInterface00eni067fd35b649a05b7100Tpyls",
                  "PhysicalResourceId": "eni-067fd35b649a05b71",
                  "ResourceType": "AWS::EC2::NetworkInterface",
                  "Replacement": "False",
                  "Scope": [
                      "Properties",
                      "Tags"
                  ],
                  "Details": [
                      {
                          "Target": {
                              "Attribute": "Properties",
                              "Name": "Ipv4Prefixes",
                              "RequiresRecreation": "Never",
                              "Path": "/Properties/Ipv4Prefixes",
                              "BeforeValue": "[]",
                              "AttributeChangeType": "Remove"
                          },
                          "Evaluation": "Static",
                          "ChangeSource": "DirectModification"
                      },
                      {
                          "Target": {
                              "Attribute": "Properties",
                              "Name": "Description",
                              "RequiresRecreation": "Never",
                              "Path": "/Properties/Description",
                              "BeforeValue": "",
                              "AfterValue": "Description",
                              "AttributeChangeType": "Modify"
                          },
                          "Evaluation": "Static",
                          "ChangeSource": "DirectModification"
                      },
                      {
                          "Target": {
                              "Attribute": "Tags",
                              "RequiresRecreation": "Never",
                              "Path": "/Properties/Tags/0",
                              "AfterValue": "{\"Key\":\"Test\",\"Value\":\"Test\"}",
                              "AttributeChangeType": "Add"
                          },
                          "Evaluation": "Static",
                          "ChangeSource": "DirectModification"
                      }
                  ],
                  "BeforeContext": "{\"Properties\":{\"Description\":\"\",\"PrivateIpAddress\":\"172.31.76.2\",\"PrivateIpAddresses\":[{\"PrivateIpAddress\":\"172.31.76.2\",\"Primary\":\"true\"}],\"SecondaryPrivateIpAddressCount\":\"0\",\"Ipv6PrefixCount\":\"0\",\"Ipv4Prefixes\":[],\"Ipv4PrefixCount\":\"0\",\"GroupSet\":[\"sg-05a45689b1059e82d\"],\"Ipv6Prefixes\":[],\"SubnetId\":\"subnet-455e8969\",\"SourceDestCheck\":\"true\",\"InterfaceType\":\"interface\",\"Tags\":[]},\"UpdateReplacePolicy\":\"Retain\",\"DeletionPolicy\":\"Retain\"}",
                  "AfterContext": "{\"Properties\":{\"Description\":\"Description\",\"PrivateIpAddress\":\"172.31.76.2\",\"PrivateIpAddresses\":[{\"PrivateIpAddress\":\"172.31.76.2\",\"Primary\":\"true\"}],\"SecondaryPrivateIpAddressCount\":\"0\",\"Ipv6PrefixCount\":\"0\",\"Ipv4PrefixCount\":\"0\",\"GroupSet\":[\"sg-05a45689b1059e82d\"],\"Ipv6Prefixes\":[],\"SubnetId\":\"subnet-455e8969\",\"SourceDestCheck\":\"true\",\"InterfaceType\":\"interface\",\"Tags\":[{\"Value\":\"Test\",\"Key\":\"Test\"}]},\"UpdateReplacePolicy\":\"Retain\",\"DeletionPolicy\":\"Retain\"}"
              }
          }
      ]
  }
  ```
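
The review step can be automated as a gate over `describe-change-set` output before anyone is allowed to execute the change set. The following Python is an added example, not part of the AWS documentation or tooling: the function names, the severity labels, and the list of sensitive resource types are assumptions, and the sample change set extends the page's `MyEC2Instance` entry with constructed resources.

```python
import json

# Resource type prefixes treated as security-sensitive. This list is an
# assumption for the example; adjust it to your own environment.
SENSITIVE_PREFIXES = ("AWS::IAM::", "AWS::KMS::", "AWS::EC2::SecurityGroup")
SEVERITY_ORDER = {"PASS": 0, "REVIEW": 1, "BLOCK": 2}


def review_change_set(doc):
    """Return (severity, logical_id, reason) findings for describe-change-set output."""
    status = doc.get("Status")
    if status != "CREATE_COMPLETE":
        return [("BLOCK", "-", f"change set status is {status}, not CREATE_COMPLETE")]

    findings = []
    for change in doc.get("Changes", []):
        if change.get("Type") != "Resource":
            continue
        rc = change.get("ResourceChange", {})
        lid = rc.get("LogicalResourceId", "?")
        rtype = rc.get("ResourceType", "?")
        action = rc.get("Action")
        replacement = rc.get("Replacement")
        details = rc.get("Details", [])

        if action == "Remove":
            findings.append(("BLOCK", lid, f"{rtype} will be deleted"))
        elif action == "Dynamic":
            findings.append(("REVIEW", lid, "action cannot be determined from the nested stack template"))
        if replacement == "True":
            findings.append(("BLOCK", lid, f"{rtype} will be replaced (recreated)"))
        elif replacement == "Conditional":
            findings.append(("REVIEW", lid, f"{rtype} may be replaced, decided at execution"))
        if any(d.get("Evaluation") == "Dynamic" for d in details):
            findings.append(("REVIEW", lid, "at least one change is evaluated dynamically"))
        if rtype.startswith(SENSITIVE_PREFIXES):
            # Path is only present with --include-property-values; fall back to Attribute.
            targets = [d.get("Target", {}) for d in details]
            paths = sorted({t.get("Path") or t.get("Attribute", "?") for t in targets})
            what = ", ".join(paths) if paths else "no property detail"
            findings.append(("REVIEW", lid, f"{action} on sensitive type {rtype}: {what}"))
    return findings


def verdict(findings):
    """Highest severity across all findings, or PASS when there are none."""
    return max((f[0] for f in findings), key=SEVERITY_ORDER.get, default="PASS")


# Constructed sample: the first change mirrors the page's tag-only update,
# the other three are invented for this example.
SAMPLE = json.loads("""
{
  "Status": "CREATE_COMPLETE",
  "ChangeSetName": "SampleChangeSet",
  "Changes": [
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "MyEC2Instance",
      "ResourceType": "AWS::EC2::Instance", "Replacement": "False",
      "Details": [{"Evaluation": "Static", "ChangeSource": "DirectModification",
                   "Target": {"Attribute": "Tags", "RequiresRecreation": "Never"}}]}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "AppRole",
      "ResourceType": "AWS::IAM::Role", "Replacement": "False",
      "Details": [{"Evaluation": "Static", "ChangeSource": "DirectModification",
                   "Target": {"Attribute": "Properties", "Name": "Policies",
                              "Path": "/Properties/Policies/0",
                              "RequiresRecreation": "Never"}}]}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "WebServer",
      "ResourceType": "AWS::EC2::Instance", "Replacement": "Conditional",
      "Details": [{"Evaluation": "Dynamic", "ChangeSource": "ResourceReference",
                   "Target": {"Attribute": "Properties", "Name": "SubnetId",
                              "RequiresRecreation": "Always"}}]}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Remove", "LogicalResourceId": "OrdersTable",
      "ResourceType": "AWS::DynamoDB::Table", "Details": []}}
  ]
}
""")

if __name__ == "__main__":
    results = review_change_set(SAMPLE)
    for severity, logical_id, reason in results:
        print(f"{severity:<6} {logical_id:<14} {reason}")
    print("verdict:", verdict(results))
```

To run it against a real change set, save the JSON that `aws cloudformation describe-change-set --include-property-values` returns and pass the parsed document to `review_change_set`. A `PASS` verdict only means that none of these rules matched; as noted earlier on this page, a change set doesn't indicate whether the update will succeed.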

# Using drift-aware change sets
<a name="drift-aware-change-sets"></a>

Drift-aware change sets are enhanced CloudFormation change sets that allow you to identify and manage stack drift in a safe manner. Stacks drift from their expected template configuration when stack resources are changed outside CloudFormation, using the AWS Management Console, AWS CLI, or SDK of underlying services. Drift-aware change sets compare templates with the actual state of your stack resources and bring drifted resources in line with their template definitions. When the template definition of a resource is updated to match its actual state, drift-aware change sets reset the drift status of the resource without modifying the resource.

The benefits of using drift-aware change sets include:
+ **Preview overwrites of drift** – Detect whether a deployment will revert critical out-of-band changes made during incident response.
+ **Systematic drift reconciliation** – Safely align drifted resources with compliant template definitions, either by overwriting drifted properties with template values or updating the template to match actual resource state.
+ **Enhanced rollback capabilities** – If a deployment fails, restore resources to their actual pre-deployment state, not the previous template state.
+ **Complete visibility** – See exactly how your deployment will affect actual resource configurations before making changes.

Traditional change sets provide a comparison of your new template with the previous template for a stack, but do not account for stack drift. Drift-aware change sets solve this problem by providing a three-way comparison between:
+ **Actual state** – The live configuration of your resources. CloudFormation will read the configuration of resources in your account at the time of change set creation via underlying service APIs.
+ **Previous deployment state** – The configuration defined in the template from your last CloudFormation deployment.
+ **Desired state** – The configuration defined in your new template.

Drift-aware change sets will update the actual state of all stack resources to match the desired state, even if a resource was not explicitly changed in the template.

## Considerations
<a name="drift-aware-change-sets-considerations"></a>
+ **Resource type support** – Drift-aware change sets support a comparison of the desired state with the actual state for hundreds of resource types. For unsupported resource types, drift-aware change sets fall back to comparing the previous deployment state with the desired state. See the Supported Resource Types section for details.
+ **Write-only properties** – For properties containing sensitive data (passwords, secrets), drift-aware change sets compare against previous deployment values rather than actual values.
+ **AWS-managed properties** – Drift-aware change sets preserve out-of-band changes made by AWS services to managed properties, such as the desired capacity of an Auto Scaling group. See the AWS-managed properties section for details.
+ **External tag keys** – Drift-aware change sets do not remove or modify tag keys that were not specified in the template, preventing conflicts with attribute-based access control (ABAC) systems.
+ **Replacement of drifted resources** – Drift-aware change sets do not support drift reconciliation for immutable properties.
+ **Cross-stack attachments** – Some resource types, such as `AWS::IAM::Policy`, can influence the actual state of other resource types, such as `AWS::IAM::Role`. Drift-aware change sets handle attachment of resources within a stack. If a resource is modified via attachment of a secondary resource from a different stack, drift-aware change sets will detect the modification as drift and can revert the attachment. Popular attachable resources include `AWS::IAM::Policy`, `AWS::IAM::ManagedPolicy`, `AWS::EC2::SecurityGroupIngress`, and `AWS::EC2::SecurityGroupEgress`.

## AWS-managed properties
<a name="aws-managed-properties"></a>

You can configure specific resource properties for active AWS management. For example, you can allow Amazon Relational Database Service (Amazon RDS) to automatically upgrade the minor engine version of an Amazon RDS table. These changes can show up as stack drift in CloudFormation. Drift-aware change sets recognize that drift is expected for AWS-managed properties and leave their actual value untouched if you have not modified the property in your template. Top examples of AWS-managed properties are:
+ Enabling the `AutoMinorVersionUpgrade` property of an Amazon RDS table to allow automatic updates of engine version.
+ Using the `AWS::ApplicationAutoScaling::ScalableTarget` resource to enable auto-scaling for properties such as the read/write capacity units of an Amazon DynamoDB table and the desired count of an Amazon Elastic Container Service cluster.
+ Using the `AWS::AutoScaling::ScalingPolicy` for Auto Scaling groups.

Drift-aware change sets clarify the properties which were identified as AWS-managed. See the AWS CLI section for details.

## Using drift-aware change sets (console)
<a name="drift-aware-change-sets-console"></a>

You can create and manage drift-aware change sets through the CloudFormation console using the same workflow as traditional change sets, with additional options for deployment modes.

### Creating drift-aware change sets
<a name="drift-aware-change-sets-console-create"></a>

**To create a drift-aware change set (console)**

1. Sign in to the AWS Management Console and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. On the **Stacks** page, select the stack that you want to update.

1. Choose **Stack actions**, and then choose **Create change set for current stack**.

1. On the **Create change set** page, for **Change set type**, choose **Drift aware change set**.

1. Choose **Create change set**.

1. On the change set details page, review the three-way comparison showing actual, previous deployment, and desired state for each affected resource.

1. If you're satisfied with the changes, choose **Execute change set**.

### Reviewing drift-aware change sets
<a name="drift-aware-change-sets-console-review"></a>

When you view a drift-aware change set in the console, you'll see enhanced information compared to traditional change sets:
+ **Stack drift status** – Indicates whether the stack has drifted from its last deployment.
+ **Property comparison** – Shows a JSON diff between the actual and desired state of an affected resource.
+ **Drift indicators** – Clearly marks properties within the JSON diff that have drifted. Click on **View drift** to see the previous deployment value for a property.
+ **Value source indicators** – Shows whether before values for a property come from actual state or previous deployment state.

## Using drift-aware change sets (AWS CLI)
<a name="drift-aware-change-sets-cli"></a>

You can create and manage drift-aware change sets using the AWS CLI by adding the `--deployment-mode REVERT_DRIFT` parameter to the **create-change-set** command.

### Creating drift-aware change sets
<a name="drift-aware-change-sets-cli-create"></a>

**To create a drift-aware change set**  
Use the [create-change-set](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-change-set.html) command with the `--deployment-mode REVERT_DRIFT` parameter to create a drift-aware change set.

```
aws cloudformation create-change-set \
  --stack-name my-stack \
  --change-set-name my-drift-aware-changeset \
  --template-body file://updated-template.yaml \
  --deployment-mode REVERT_DRIFT \
  --capabilities CAPABILITY_IAM
```

### Reviewing drift-aware change sets
<a name="drift-aware-change-sets-cli-review"></a>

**To review the details of a drift-aware change set**  
Use the [describe-change-set](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/describe-change-set.html) command to review the details of a drift-aware change set:

```
aws cloudformation describe-change-set \
  --change-set-name my-drift-aware-changeset \
  --stack-name my-stack
```

The response includes enhanced information for drift-aware change sets:
+ `StackDriftStatus` – Shows whether the stack has drifted (`DRIFTED`, `IN_SYNC`, `NOT_CHECKED`, or `UNKNOWN`).
+ `ResourceDriftStatus` – Shows the drift status for each resource (`DELETED`, `MODIFIED`, `IN_SYNC`, or `NOT_CHECKED`).
+ `BeforeValueFrom` – Indicates whether the before value for a property comes from `ACTUAL_STATE` or `PREVIOUS_DEPLOYMENT_STATE`.
+ `Drift` – Contains the drift details for a property including `PreviousValue`, `ActualValue`, and `DriftDetectionTimestamp`.
+ `ResourceDriftIgnoredProperties` – Contains the properties of a resource for which the change set will not revert drift and the reasons for ignoring drift.

For more information, see [DescribeChangeSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DescribeChangeSet.html) in the *AWS CloudFormation API Reference*.
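The following review script is an added example, not part of the CloudFormation tooling. It reads a `describe-change-set` response and lists drifted properties that the change set touches, properties whose drift is left alone, and properties that were compared against the previous deployment state instead of the actual state. The nesting of the drift fields, the `Path` and `Reason` keys, and all sample values are assumptions; check them against real output before relying on the script.

```python
import json
import sys

# Constructed sample, not real CLI output. Field names are the ones listed above;
# their nesting (status and ignored list on ResourceChange, BeforeValueFrom and
# Drift on each Target), the Path/Reason keys and every value are assumptions.
DRIFT_SAMPLE = {
    "StackDriftStatus": "DRIFTED",
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "LogicalResourceId": "AppSecurityGroup",
            "ResourceType": "AWS::EC2::SecurityGroup",
            "Action": "Modify",
            "ResourceDriftStatus": "MODIFIED",
            "Details": [{"Target": {
                "Attribute": "Properties",
                "Name": "SecurityGroupIngress",
                "BeforeValueFrom": "ACTUAL_STATE",
                "Drift": {
                    "PreviousValue": "tcp/443 from 10.0.0.0/16",
                    "ActualValue": "tcp/443 from 10.0.0.0/16; tcp/22 from 0.0.0.0/0",
                    "DriftDetectionTimestamp": "2025-01-01T00:00:00Z"}}}]}},
        {"Type": "Resource", "ResourceChange": {
            "LogicalResourceId": "AppDatabase",
            "ResourceType": "AWS::RDS::DBInstance",
            "Action": "Modify",
            "ResourceDriftStatus": "IN_SYNC",
            "ResourceDriftIgnoredProperties": [
                {"Path": "/Properties/EngineVersion", "Reason": "CONSTRUCTED_PLACEHOLDER"}],
            "Details": [{"Target": {
                "Attribute": "Properties",
                "Name": "MasterUserPassword",
                "BeforeValueFrom": "PREVIOUS_DEPLOYMENT_STATE"}}]}},
    ],
}


def collect(node, key):
    """Yield every dict under node that has `key`, at any depth, in document order."""
    if isinstance(node, dict):
        if key in node:
            yield node
        for value in node.values():
            yield from collect(value, key)
    elif isinstance(node, list):
        for item in node:
            yield from collect(item, key)


def review_drift(response):
    """Sort the drift information of a change set into reviewable buckets."""
    report = {"stack_status": response.get("StackDriftStatus"),
              "deleted": [], "drifted": [], "preserved": [], "blind": []}
    for change in response.get("Changes", []):
        rc = change.get("ResourceChange") or {}
        rid = rc.get("LogicalResourceId")
        if rc.get("ResourceDriftStatus") == "DELETED":
            report["deleted"].append(rid)
        # Properties whose drift the change set will not revert.
        for ignored in rc.get("ResourceDriftIgnoredProperties", []):
            report["preserved"].append((rid, ignored.get("Path"), ignored.get("Reason")))
        for target in collect(rc, "BeforeValueFrom"):
            prop = target.get("Name") or target.get("Attribute")
            drift = target.get("Drift")
            if target["BeforeValueFrom"] == "PREVIOUS_DEPLOYMENT_STATE":
                # Unsupported resource type or write-only property: the actual
                # value was never read, so out-of-band edits are invisible here.
                report["blind"].append((rid, prop))
            elif isinstance(drift, dict):
                report["drifted"].append(
                    (rid, prop, drift.get("PreviousValue"), drift.get("ActualValue")))
    return report


def gate(report):
    """Reasons a person should read the change set before it is executed."""
    reasons = []
    if report["stack_status"] not in ("DRIFTED", "IN_SYNC"):
        reasons.append("stack drift status is %s" % report["stack_status"])
    for rid in report["deleted"]:
        reasons.append("%s has drift status DELETED" % rid)
    for rid, prop, previous, actual in report["drifted"]:
        reasons.append("%s.%s drifted from %r to %r and is part of this change set"
                       % (rid, prop, previous, actual))
    for rid, prop in report["blind"]:
        reasons.append("%s.%s was compared against the previous deployment state"
                       % (rid, prop))
    return reasons


if __name__ == "__main__":
    # Usage: python review_drift.py response.json  (no argument: built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            data = json.load(handle)
    else:
        data = DRIFT_SAMPLE
    print("\n".join(gate(review_drift(data))) or "no drift findings")
```
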

### Executing drift-aware change sets
<a name="drift-aware-change-sets-cli-execute"></a>

**To execute a drift-aware change set**  
After reviewing the change set, use the [execute-change-set](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/execute-change-set.html) command to apply the changes:

```
aws cloudformation execute-change-set \
  --change-set-name my-drift-aware-changeset \
  --stack-name my-stack
```

If the deployment fails, CloudFormation will roll back resources to their actual pre-deployment state and preserve out-of-band changes made since the last deployment.

## Supported resource types
<a name="drift-aware-change-sets-supported-resources"></a>

Drift-aware change sets support a three-way comparison of actual state, previous deployment state, and desired state for all [resource types](resource-import-supported-resources.md) that support drift detection, except the following resource types:
+ `AWS::SageMaker::MlflowTrackingServer`
+ `AWS::Route53Resolver::FirewallRuleGroup`
+ `AWS::MediaLive::Multiplexprogram`
+ `AWS::VpcLattice::ResourceConfiguration`
+ `AWS::S3::StorageLensGroup`
+ `AWS::Bedrock::AgentAlias`
+ `AWS::MSK::Cluster`
+ `AWS::RDS::DBProxy`
+ `AWS::Redshift::ClusterParameterGroup`
+ `AWS::QBusiness::Index`
+ `AWS::NetworkManager::CoreNetwork`
+ `AWS::IAM::OIDCProvider`
+ `AWS::Organizations::ResourcePolicy`
+ `AWS::SNS::TopicInlinePolicy`
+ `AWS::Route53::KeySigningKey`
+ `AWS::DataZone::PolicyGrant`
+ `AWS::Transfer::Certificate`
+ `AWS::SageMaker::ImageVersion`
+ `AWS::Neptune::DBParameterGroup`
+ `AWS::ODB::CloudVmCluster`
+ `AWS::RolesAnywhere::TrustAnchor`
+ `AWS::Detective::Graph`
+ `AWS::Maester::DocumentType`
+ `AWS::SageMaker::ModelPackageGroup`
+ `AWS::S3Express::BucketPolicy`
+ `AWS::Panorama::PackageVersion`
+ `AWS::S3Tables::TableBucketPolicy`

Drift-aware change sets fall back to a comparison of previous deployment state and desired state for resources that do not support the three-way comparison.

# Execute a change set for a CloudFormation stack
<a name="using-cfn-updating-stacks-changesets-execute"></a>

To make the changes described in a change set to your stack, execute the change set.

**Important**  
After you execute a change set, CloudFormation deletes any additional change sets that are associated with the stack because they're no longer valid for the updated stack. If an update fails, you need to create a new change set.

**Stack Policies and Executing a Change Set**  
If you execute a change set on a stack that has a stack policy associated with it, CloudFormation enforces the policy when it updates the stack. You can't specify a temporary stack policy that overrides the existing policy when you execute a change set. To update a protected resource, you must update the stack policy or use the direct update method. For more information, see [Update stacks directly](using-cfn-updating-stacks-direct.md).

------
#### [ Execute a change set (console) ]

**To execute a change set**

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. On the navigation bar at the top of the screen, choose your AWS Region.

1. On the **Stacks** page, choose the name of the stack that you want to update.

1. In the navigation pane, choose **Change sets** to view a list of the stack's change sets.

1. Choose the name of the change set that you want to execute.

1. On the change set's details page, choose **Execute change set**.

   CloudFormation immediately starts updating the stack. The CloudFormation console directs you to the **Events** tab, where you can monitor the progress of the stack update. For more information, see [Monitor stack progress](monitor-stack-progress.md).

------
#### [ Execute a change set for nested stacks (console) ]

**To execute a change set for nested stacks**

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. On the navigation bar at the top of the screen, choose your AWS Region.

1. On the **Stacks** page, choose the name of the stack that you want to update. You must choose the stack name associated with the root change set.

1. In the navigation pane, choose **Change sets** to view a list of the stack's change sets.

1. Choose the name of the root change set that you want to execute.

1. On the change set's details page, choose **Execute change set**.
**Note**  
CloudFormation executes the changes described in your root change set and nested change sets, if **Enabled** for change sets for nested stacks was selected during the [Create a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-create.md) process.

   CloudFormation immediately starts updating the stack. The CloudFormation console directs you to the **Events** tab, where you can monitor the progress of the stack update. For more information, see [Monitor stack progress](monitor-stack-progress.md).

------

**To execute a change set (AWS CLI)**
+ Run the [execute-change-set](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/execute-change-set.html) command.

  Specify the change set ID of the change set that you want to execute, as shown in the following example:

  ```
  aws cloudformation execute-change-set \
      --change-set-name \
        arn:aws:cloudformation:us-east-1:123456789012:changeSet/SampleChangeSet/1a2345b6-0000-00a0-a123-00abc0abc000
  ```

  The command in the example executes a change set with the ID `arn:aws:cloudformation:us-east-1:123456789012:changeSet/SampleChangeSet/1a2345b6-0000-00a0-a123-00abc0abc000`.

  After you run the command, CloudFormation starts updating the stack. To view the stack's progress, use the [describe-stacks](service_code_examples.md#describe-stacks-sdk) command.

# Delete a change set for a CloudFormation stack
<a name="using-cfn-updating-stacks-changesets-delete"></a>

Deleting a change set removes it from the list of change sets for the stack. Deleting a change set prevents you or another user from accidentally executing a change set that shouldn't be applied. Unless you delete them, CloudFormation retains all change sets until you update the stack.

------
#### [ Delete a change set ]

**To delete a change set (console)**

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. On the navigation bar at the top of the screen, choose your AWS Region.

1. On the **Stacks** page, select the name of the stack that contains the change set that you want to delete.

1. In the navigation pane, choose **Change sets** to view a list of the stack's change sets.

1. Select the name of the change set that you want to delete.

1. On the change set's details page, choose **Delete change set**.

   CloudFormation immediately starts to delete the change set from the stack's list of change sets, and you're redirected to the **Stacks** page.

------
#### [ Delete a change set for nested stacks (console) ]

**To delete a change set for nested stacks**

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. On the navigation bar at the top of the screen, choose your AWS Region.

1. On the **Stacks** page, select the stack name associated with the root change set.

1. In the navigation pane, choose **Change sets** to view a list of the stack's change sets.

1. Select the name of the change set that you want to delete. 

1. On the change set's details page, choose **Delete**. By choosing **Delete change set**, you will delete the whole hierarchy of nested change sets.
**Note**  
The delete operation for change sets for nested stacks is asynchronous and will show a `DELETE_PENDING` status, followed by a `DELETE_IN_PROGRESS` status. Upon completion of the delete change set operation, the change sets will be removed from the list. Nested stacks in the `REVIEW_IN_PROGRESS` status will also be deleted if they were created during the change set creation.

   CloudFormation immediately starts to delete the change set from the stack's list of change sets.
**Note**  
If you have nested stacks that are stuck in an in-progress operation, see Troubleshooting Errors in [Nested stacks rollback failure](troubleshooting.md#troubleshooting-errors-nested-stacks-are-stuck).

------

**To delete a change set (AWS CLI)**
+ Run the [delete-change-set](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/delete-change-set.html) command, specifying the ID of the change set that you want to delete, as shown in the following example:

  ```
  aws cloudformation delete-change-set \
      --change-set-name \
        arn:aws:cloudformation:us-east-1:123456789012:changeSet/SampleChangeSet/1a2345b6-0000-00a0-a123-00abc0abc000
  ```

# Example change sets for CloudFormation stacks
<a name="using-cfn-updating-stacks-changesets-samples"></a>

This section provides examples of the change sets that CloudFormation would create for common stack changes. They show how to edit a template directly; modify a single input parameter; plan for resource recreation (replacements), which prevents you from losing data that wasn't backed up or interrupting applications that are running in your stack; and add and remove resources. To illustrate how change sets work, we'll walk through the changes that were submitted and discuss the resulting change set. Because each example builds on and assumes that you understand the previous example, we recommend that you read them in order. For a description of each field in a change set, see the [Change](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_Change.html) data type in the *AWS CloudFormation API Reference*.

You can use the [console](using-cfn-updating-stacks-changesets-view.md), AWS CLI, or CloudFormation [DescribeChangeSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DescribeChangeSet.html) API operation to view change set details.

We generated each of the following change sets from a stack with the following [sample template](https://s3.amazonaws.com/cloudformation-examples/user-guide/changesets/ec2-instance.txt):

```
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "A sample EC2 instance template for testing change sets.",
  "Parameters" : {
    "Purpose" : {
      "Type" : "String",
      "Default" : "testing",
      "AllowedValues" : ["testing", "production"],
      "Description" : "The purpose of this instance."
    },
    "KeyPairName" : {
      "Type": "AWS::EC2::KeyPair::KeyName",
      "Description" : "Name of an existing EC2 KeyPair to enable SSH access to the instance"
    },
    "InstanceType" : {
      "Type" : "String",
      "Default" : "t2.micro",
      "AllowedValues" : ["t2.micro", "t2.small", "t2.medium"],
      "Description" : "The EC2 instance type."
    }
  },
  "Resources" : {
    "MyEC2Instance" : {
      "Type" : "AWS::EC2::Instance",
      "Properties" : {
        "KeyName" : { "Ref" : "KeyPairName" },
        "InstanceType" : { "Ref" : "InstanceType" },
        "ImageId" : "ami-8fcee4e5",
        "Tags" : [
          {
            "Key" : "Purpose",
            "Value" : { "Ref" : "Purpose" }
          }
        ]
      }
    }
  }
}
```

## Directly editing a template
<a name="using-cfn-updating-stacks-changesets-samples-directly-editing-a-template"></a>

When you directly modify resources in the stack's template to generate a change set, CloudFormation classifies the change as a direct modification, as opposed to changes initiated by an updated parameter value. The following change set, which added a new tag to the `i-1abc23d4` instance, is an example of a direct modification. All other input values, such as the parameter values and capabilities, are unchanged, so we'll focus on the `Changes` structure.

```
{
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/MyStack/1a2345b6-0000-00a0-a123-00abc0abc000",
    "Status": "CREATE_COMPLETE",
    "ChangeSetName": "SampleChangeSet-direct",
    "Parameters": [
        {
            "ParameterValue": "testing",
            "ParameterKey": "Purpose"
        },
        {
            "ParameterValue": "MyKeyName",
            "ParameterKey": "KeyPairName"
        },
        {
            "ParameterValue": "t2.micro",
            "ParameterKey": "InstanceType"
        }
    ],
    "Changes": [
        {
            "ResourceChange": {
                "ResourceType": "AWS::EC2::Instance",
                "PhysicalResourceId": "i-1abc23d4",
                "Details": [
                    {
                        "ChangeSource": "DirectModification",
                        "Evaluation": "Static",
                        "Target": {
                            "Attribute": "Tags",
                            "RequiresRecreation": "Never"
                        }
                    }
                ],
                "Action": "Modify",
                "Scope": [
                    "Tags"
                ],
                "LogicalResourceId": "MyEC2Instance",
                "Replacement": "False"
            },
            "Type": "Resource"
        }
    ],
    "CreationTime": "2020-11-18T23:35:25.813Z",
    "Capabilities": [],
    "StackName": "MyStack",
    "NotificationARNs": [],
    "ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/SampleChangeSet-direct/1a2345b6-0000-00a0-a123-00abc0abc000"
}
```

In the `Changes` structure, there's only one `ResourceChange` structure. This structure describes information such as the type of resource CloudFormation will change, the action CloudFormation will take, the ID of the resource, the scope of the change, and whether the change requires a replacement (where CloudFormation creates a new resource and then deletes the old one). In the example, the change set indicates that CloudFormation will modify the `Tags` attribute of the `i-1abc23d4` EC2 instance, and doesn't require the instance to be replaced.

In the `Details` structure, CloudFormation labels this change as a direct modification that will never require the instance to be recreated (replaced). You can confidently execute this change, knowing that CloudFormation won't replace the instance.

CloudFormation shows this change as a `Static` evaluation. A static evaluation means that CloudFormation can determine the tag's value before executing the change set. In some cases, CloudFormation can determine a value only after you execute a change set. CloudFormation labels those changes as `Dynamic` evaluations. For example, if you reference an updated resource that's conditionally replaced, CloudFormation can't determine whether the reference to the updated resource will change.

## Modifying an input parameter value
<a name="using-cfn-updating-stacks-changesets-samples-modifying-a-single-input-parameter-value"></a>

When you modify an input parameter value, CloudFormation generates two changes for each resource that uses the updated parameter value. In this example, we want to highlight what those changes look like and which information you should focus on. The following example was generated by changing the value of the `Purpose` input parameter only.

The `Purpose` parameter specifies a tag key value for the EC2 instance. In the example, the parameter value was changed from `testing` to `production`. The new value is shown in the `Parameters` structure.

```
{
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/MyStack/1a2345b6-0000-00a0-a123-00abc0abc000",
    "Status": "CREATE_COMPLETE",
    "ChangeSetName": "SampleChangeSet",
    "Parameters": [
        {
            "ParameterValue": "production",
            "ParameterKey": "Purpose"
        },
        {
            "ParameterValue": "MyKeyName",
            "ParameterKey": "KeyPairName"
        },
        {
            "ParameterValue": "t2.micro",
            "ParameterKey": "InstanceType"
        }
    ],
    "Changes": [
        {
            "ResourceChange": {
                "ResourceType": "AWS::EC2::Instance",
                "PhysicalResourceId": "i-1abc23d4",
                "Details": [
                    {
                        "ChangeSource": "DirectModification",
                        "Evaluation": "Dynamic",
                        "Target": {
                            "Attribute": "Tags",
                            "RequiresRecreation": "Never"
                        }
                    },
                    {
                        "CausingEntity": "Purpose",
                        "ChangeSource": "ParameterReference",
                        "Evaluation": "Static",
                        "Target": {
                            "Attribute": "Tags",
                            "RequiresRecreation": "Never"
                        }
                    }
                ],
                "Action": "Modify",
                "Scope": [
                    "Tags"
                ],
                "LogicalResourceId": "MyEC2Instance",
                "Replacement": "False"
            },
            "Type": "Resource"
        }
    ],
    "CreationTime": "2020-11-18T23:59:18.447Z",
    "Capabilities": [],
    "StackName": "MyStack",
    "NotificationARNs": [],
    "ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/SampleChangeSet/1a2345b6-0000-00a0-a123-00abc0abc000"
}
```

The `Changes` structure functions similarly to the way it does in the [Directly editing a template](#using-cfn-updating-stacks-changesets-samples-directly-editing-a-template) example. There's only one `ResourceChange` structure; it describes a change to the `Tags` attribute of the `i-1abc23d4` EC2 instance.

However, in the `Details` structure, the change set shows two changes for the `Tags` attribute, even though only a single parameter value was changed. Resources that reference a changed parameter value (using the `Ref` intrinsic function) always result in two changes: one with a `Dynamic` evaluation and another with a `Static` evaluation. You can see these types of changes by viewing the following fields:
+ For the `Static` evaluation change, view the `ChangeSource` field. In this example, the `ChangeSource` field equals `ParameterReference`, meaning that this change is a result of an updated parameter reference value. The change set must contain a similar `Dynamic` evaluation change.
+ You can find the matching `Dynamic` evaluation change by comparing the `Target` structure for both changes, which will contain the same information. In this example, the `Target` structures for both changes contain the same values for the `Attribute` and `RequiresRecreation` fields.

For these types of changes, focus on the static evaluation, which gives you the most detailed information about the change. In this example, the static evaluation shows that the change is the result of a change in a parameter reference value (`ParameterReference`). The exact parameter that was changed is indicated by the `CausingEntity` field (the `Purpose` parameter).

## Determining the value of the replacement field
<a name="using-cfn-updating-stacks-changesets-samples-determining-the-value-of-the-replacement-field"></a>

The `Replacement` field in a `ResourceChange` structure indicates whether CloudFormation will recreate the resource. Planning for resource recreation (replacements) prevents you from losing data that wasn't backed up or interrupting applications that are running in your stack.

The value in the `Replacement` field depends on whether a change requires a replacement, indicated by the `RequiresRecreation` field in a change's `Target` structure. For example, if the `RequiresRecreation` field is `Never`, the `Replacement` field is `False`. However, if there are multiple changes on a single resource and each change has a different value for the `RequiresRecreation` field, CloudFormation updates the resource using the most intrusive behavior. In other words, if only one of the many changes requires a replacement, CloudFormation must replace the resource and, therefore, sets the `Replacement` field to `True`.

The following change set was generated by changing the values for every parameter (`Purpose`, `InstanceType`, and `KeyPairName`), which are all used by the EC2 instance. With these changes, CloudFormation will be required to replace the instance because the `Replacement` field is equal to `True`.

```
{
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/MyStack/1a2345b6-0000-00a0-a123-00abc0abc000",
    "Status": "CREATE_COMPLETE",
    "ChangeSetName": "SampleChangeSet-multiple",
    "Parameters": [
        {
            "ParameterValue": "production",
            "ParameterKey": "Purpose"
        },
        {
            "ParameterValue": "MyNewKeyName",
            "ParameterKey": "KeyPairName"
        },
        {
            "ParameterValue": "t2.small",
            "ParameterKey": "InstanceType"
        }
    ],
    "Changes": [
        {
            "ResourceChange": {
                "ResourceType": "AWS::EC2::Instance",
                "PhysicalResourceId": "i-7bef86f8",
                "Details": [
                    {
                        "ChangeSource": "DirectModification",
                        "Evaluation": "Dynamic",
                        "Target": {
                            "Attribute": "Properties",
                            "Name": "KeyName",
                            "RequiresRecreation": "Always"
                        }
                    },
                    {
                        "ChangeSource": "DirectModification",
                        "Evaluation": "Dynamic",
                        "Target": {
                            "Attribute": "Properties",
                            "Name": "InstanceType",
                            "RequiresRecreation": "Conditionally"
                        }
                    },
                    {
                        "ChangeSource": "DirectModification",
                        "Evaluation": "Dynamic",
                        "Target": {
                            "Attribute": "Tags",
                            "RequiresRecreation": "Never"
                        }
                    },
                    {
                        "CausingEntity": "KeyPairName",
                        "ChangeSource": "ParameterReference",
                        "Evaluation": "Static",
                        "Target": {
                            "Attribute": "Properties",
                            "Name": "KeyName",
                            "RequiresRecreation": "Always"
                        }
                    },
                    {
                        "CausingEntity": "InstanceType",
                        "ChangeSource": "ParameterReference",
                        "Evaluation": "Static",
                        "Target": {
                            "Attribute": "Properties",
                            "Name": "InstanceType",
                            "RequiresRecreation": "Conditionally"
                        }
                    },
                    {
                        "CausingEntity": "Purpose",
                        "ChangeSource": "ParameterReference",
                        "Evaluation": "Static",
                        "Target": {
                            "Attribute": "Tags",
                            "RequiresRecreation": "Never"
                        }
                    }
                ],
                "Action": "Modify",
                "Scope": [
                    "Tags",
                    "Properties"
                ],
                "LogicalResourceId": "MyEC2Instance",
                "Replacement": "True"
            },
            "Type": "Resource"
        }
    ],
    "CreationTime": "2020-11-18T00:39:35.974Z",
    "Capabilities": [],
    "StackName": "MyStack",
    "NotificationARNs": [],
    "ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/SampleChangeSet-multiple/1a2345b6-0000-00a0-a123-00abc0abc000"
}
```

Identify the change that requires the resource to be replaced by viewing each change (the static evaluations in the `Details` structure). In this example, each change has a different value for the `RequiresRecreation` field, but the change to the `KeyName` property has the most intrusive update behavior, always requiring a recreation. CloudFormation will replace the instance because the key name was changed.

If the key name were unchanged, the change to the `InstanceType` property would have the most intrusive update behavior (`Conditionally`), so the `Replacement` field would be `Conditionally`. To find the conditions in which CloudFormation replaces the instance, view the update behavior for the `InstanceType` property of the [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource type.
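The following pre-execution check is an added example, not part of the CloudFormation tooling. It applies the rule described above to a saved `describe-change-set` response: it finds the most intrusive `RequiresRecreation` value per resource, names the static evaluation that causes it, and marks removals and replacements as destructive. The sample inputs are constructed from the `SampleChangeSet-multiple` and `SampleChangeSet-addremove` responses on this page, trimmed to the fields the check reads; the function names are hypothetical.

```python
import json
import sys

# RequiresRecreation values from the samples, least to most intrusive.
SEVERITY = {"Never": 0, "Conditionally": 1, "Always": 2}


def detail(source, evaluation, attribute, recreation, name=None, cause=None):
    """Build one Details entry in the shape the sample responses use."""
    target = {"Attribute": attribute, "RequiresRecreation": recreation}
    if name:
        target["Name"] = name
    entry = {"ChangeSource": source, "Evaluation": evaluation, "Target": target}
    if cause:
        entry["CausingEntity"] = cause
    return entry


# Constructed from SampleChangeSet-multiple (all three parameters changed).
SAMPLE_MULTIPLE = {"ChangeSetName": "SampleChangeSet-multiple", "Changes": [
    {"Type": "Resource", "ResourceChange": {
        "LogicalResourceId": "MyEC2Instance", "ResourceType": "AWS::EC2::Instance",
        "Action": "Modify", "Replacement": "True", "Details": [
            detail("DirectModification", "Dynamic", "Properties", "Always", "KeyName"),
            detail("DirectModification", "Dynamic", "Properties", "Conditionally", "InstanceType"),
            detail("DirectModification", "Dynamic", "Tags", "Never"),
            detail("ParameterReference", "Static", "Properties", "Always", "KeyName", "KeyPairName"),
            detail("ParameterReference", "Static", "Properties", "Conditionally", "InstanceType", "InstanceType"),
            detail("ParameterReference", "Static", "Tags", "Never", cause="Purpose"),
        ]}}]}

# Constructed from SampleChangeSet-addremove (one Add and the Remove entry).
SAMPLE_ADDREMOVE = {"ChangeSetName": "SampleChangeSet-addremove", "Changes": [
    {"Type": "Resource", "ResourceChange": {
        "LogicalResourceId": "AutoScalingGroup", "Action": "Add",
        "ResourceType": "AWS::AutoScaling::AutoScalingGroup", "Scope": [], "Details": []}},
    {"Type": "Resource", "ResourceChange": {
        "LogicalResourceId": "MyEC2Instance", "Action": "Remove",
        "ResourceType": "AWS::EC2::Instance", "Scope": [], "Details": []}}]}


def most_intrusive(details):
    """Highest RequiresRecreation among a resource's Details entries."""
    worst = "Never"
    for entry in details:
        value = entry.get("Target", {}).get("RequiresRecreation", "Never")
        if value not in SEVERITY:
            return "Always"  # fail closed on a value this script does not know
        if SEVERITY[value] > SEVERITY[worst]:
            worst = value
    return worst


def culprits(details, level):
    """Static evaluations at `level`, as (CausingEntity, property or attribute)."""
    found = []
    for entry in details:
        target = entry.get("Target", {})
        if entry.get("Evaluation") == "Static" and target.get("RequiresRecreation") == level:
            found.append((entry.get("CausingEntity"),
                          target.get("Name") or target.get("Attribute")))
    return found


def review(change_set):
    """One finding per resource change, flagging removals and replacements."""
    findings = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange")
        if rc is None:
            continue
        details = rc.get("Details", [])
        worst = most_intrusive(details)
        findings.append({
            "resource": rc.get("LogicalResourceId"),
            "action": rc.get("Action"),
            "worst": worst,
            "culprits": culprits(details, worst) if worst != "Never" else [],
            # Replacement is absent for Add and Remove; worst is a cross-check.
            "destructive": (rc.get("Action") == "Remove"
                            or rc.get("Replacement", "False") != "False"
                            or worst != "Never"),
        })
    return findings


def safe_to_execute(change_set):
    """True only when no resource is removed, replaced or possibly replaced."""
    return not any(f["destructive"] for f in review(change_set))


if __name__ == "__main__":
    # Usage: python review_changes.py response.json  (no argument: built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            data = json.load(handle)
    else:
        data = SAMPLE_MULTIPLE
    for finding in review(data):
        print(finding)
```
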

## Adding and removing resources
<a name="using-cfn-updating-stacks-changesets-samples-adding-and-removing-resources"></a>

The following example was generated by submitting a modified template that removes the EC2 instance and adds an Auto Scaling group and launch configuration.

```
{
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/MyStack/1a2345b6-0000-00a0-a123-00abc0abc000",
    "Status": "CREATE_COMPLETE",
    "ChangeSetName": "SampleChangeSet-addremove",
    "Parameters": [
        {
            "ParameterValue": "testing",
            "ParameterKey": "Purpose"
        },
        {
            "ParameterValue": "MyKeyName",
            "ParameterKey": "KeyPairName"
        },
        {
            "ParameterValue": "t2.micro",
            "ParameterKey": "InstanceType"
        }
    ],
    "Changes": [
        {
            "ResourceChange": {
                "Action": "Add",
                "ResourceType": "AWS::AutoScaling::AutoScalingGroup",
                "Scope": [],
                "Details": [],
                "LogicalResourceId": "AutoScalingGroup"
            },
            "Type": "Resource"
        },
        {
            "ResourceChange": {
                "Action": "Add",
                "ResourceType": "AWS::AutoScaling::LaunchConfiguration",
                "Scope": [],
                "Details": [],
                "LogicalResourceId": "LaunchConfig"
            },
            "Type": "Resource"
        },
        {
            "ResourceChange": {
                "ResourceType": "AWS::EC2::Instance",
                "PhysicalResourceId": "i-1abc23d4",
                "Details": [],
                "Action": "Remove",
                "Scope": [],
                "LogicalResourceId": "MyEC2Instance"
            },
            "Type": "Resource"
        }
    ],
    "CreationTime": "2020-11-18T01:44:08.444Z",
    "Capabilities": [],
    "StackName": "MyStack",
    "NotificationARNs": [],
    "ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/SampleChangeSet-addremove/1a2345b6-0000-00a0-a123-00abc0abc000"
}
```

In the `Changes` structure, there are three `ResourceChange` structures, one for each resource. For each resource, the `Action` field indicates whether CloudFormation adds or removes the resource. The `Scope` and `Details` fields are empty because they apply only to modified resources.

For new resources, CloudFormation can't determine the value of some fields until you execute the change set. For example, CloudFormation doesn't provide the physical IDs of the Auto Scaling group and launch configuration because they don't exist yet. CloudFormation creates the new resources when you execute the change set.

## Viewing property-level changes
<a name="using-cfn-updating-stacks-changesets-samples-property-level-change-set"></a>

The following example shows property-level changes to the `Tags` property of an Amazon EC2 instance. The tag's `Key` and `Value` will both change to `Test`.

```
{
    "ChangeSetName": "SampleChangeSet",
    "ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/SampleChangeSet/38d91d27-798d-4736-9bf1-fb7c46207807",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/SampleEc2Template/68edcdc0-f6b6-11ee-966c-126d572cdd11",
    "StackName": "SampleEc2Template",
    "Description": "A sample EC2 instance template for testing change sets.",
    "Parameters": [
        {
            "ParameterKey": "KeyPairName",
            "ParameterValue": "BatchTest"
        },
        {
            "ParameterKey": "Purpose",
            "ParameterValue": "testing"
        },
        {
            "ParameterKey": "InstanceType",
            "ParameterValue": "t2.micro"
        }
    ],
    "CreationTime": "2024-04-09T21:29:10.759000+00:00",
    "ExecutionStatus": "AVAILABLE",
    "Status": "CREATE_COMPLETE",
    "StatusReason": null,
    "NotificationARNs": [],
    "RollbackConfiguration": {
        ...
    },
    "Changes": [
        {
            "Type": "Resource",
            "ResourceChange": {
                "Action": "Modify",
                "LogicalResourceId": "MyEC2Instance",
                "PhysicalResourceId": "i-0cc7856a36315e62b",
                "ResourceType": "AWS::EC2::Instance",
                "Replacement": "False",
                "Scope": [
                    "Tags"
                ],
                "Details": [
                    {
                        "Target": {
                            "Attribute": "Tags",
                            "RequiresRecreation": "Never",
                            "Path": "/Properties/Tags/0/Value",
                            "BeforeValue": "testing",
                            "AfterValue": "Test",
                            "AttributeChangeType": "Modify"
                        },
                        "Evaluation": "Static",
                        "ChangeSource": "DirectModification"
                    },
                    {
                        "Target": {
                            "Attribute": "Tags",
                            "RequiresRecreation": "Never",
                            "Path": "/Properties/Tags/0/Key",
                            "BeforeValue": "Purpose",
                            "AfterValue": "Test",
                            "AttributeChangeType": "Modify"
                        },
                        "Evaluation": "Static",
                        "ChangeSource": "DirectModification"
                    }
                ],
                "BeforeContext": "{\"Properties\":{\"KeyName\":\"BatchTest\",\"ImageId\":\"ami-8fcee4e5\",\"InstanceType\":\"t2.micro\",\"Tags\":[{\"Value\":\"testing\",\"Key\":\"Purpose\"}]}}",
                "AfterContext": "{\"Properties\":{\"KeyName\":\"BatchTest\",\"ImageId\":\"ami-8fcee4e5\",\"InstanceType\":\"t2.micro\",\"Tags\":[{\"Value\":\"Test\",\"Key\":\"Test\"}]}}"
            }
        }
    ]
}
```

The `Details` structure shows the values for `Key` and `Value` before the change set is executed, and what they will be after the change set is executed.
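The following added example (not part of the AWS documentation) shows one way to turn the fields described in the two preceding sections into a pre-execution review: it lists every change, with before and after values where the change set provides them, and separates out changes that remove or may replace a running resource. The sample input is constructed from the shapes shown above, and the `TaggedInstance` logical ID and the `review` function name are assumptions.

```python
import json

# Constructed sample: trimmed describe-change-set output using the field shapes above.
SAMPLE = json.loads("""
{
  "Changes": [
    {"Type": "Resource", "ResourceChange": {
      "Action": "Add", "LogicalResourceId": "AutoScalingGroup",
      "ResourceType": "AWS::AutoScaling::AutoScalingGroup",
      "Scope": [], "Details": []}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Remove", "LogicalResourceId": "MyEC2Instance",
      "PhysicalResourceId": "i-1abc23d4", "ResourceType": "AWS::EC2::Instance",
      "Scope": [], "Details": []}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "TaggedInstance",
      "ResourceType": "AWS::EC2::Instance", "Replacement": "False",
      "Scope": ["Tags"],
      "Details": [{
        "Target": {"Attribute": "Tags", "RequiresRecreation": "Never",
                   "Path": "/Properties/Tags/0/Value",
                   "BeforeValue": "testing", "AfterValue": "Test"},
        "Evaluation": "Static", "ChangeSource": "DirectModification"}]}}
  ]
}
""")


def review(change_set):
    """Return (findings, blocking): one line per change or property change, plus
    the changes that remove or may replace a running resource."""
    findings, blocking = [], []
    for change in change_set.get("Changes", []):
        if change.get("Type") != "Resource":
            continue
        rc = change["ResourceChange"]
        label = f'{rc["Action"]} {rc["ResourceType"]} {rc["LogicalResourceId"]}'
        # Replacement is reported for modified resources only; any value other
        # than "False" means the physical resource may be recreated.
        if rc["Action"] == "Remove" or rc.get("Replacement", "False") != "False":
            blocking.append(label)
        details = rc.get("Details") or []
        if not details:  # Add and Remove carry empty Scope and Details
            findings.append(label)
        for detail in details:
            target = detail["Target"]
            where = target.get("Path") or target.get("Name") or target["Attribute"]
            values = ""
            if "BeforeValue" in target or "AfterValue" in target:
                values = f': {target.get("BeforeValue")!r} -> {target.get("AfterValue")!r}'
            findings.append(f'{label} {where}{values} '
                            f'(recreation: {target.get("RequiresRecreation")}, '
                            f'{detail.get("Evaluation")})')
    return findings, blocking
```

In a pipeline, a non-empty `blocking` list is the point at which to require explicit approval before the change set is executed.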

# Change sets for nested stacks
<a name="change-sets-for-nested-stacks"></a>

With *change sets for nested stacks* you can preview the changes to your application and infrastructure resources across the entire nested stack hierarchy and proceed with updates when you've confirmed that all the changes are as intended.

See the following sections for more details about change sets for nested stacks:

**Topics**
+ [Overview of change sets and nested stacks](#overview-of-change-sets-and-nested-stacks)
+ [Working with change sets for nested stacks (console)](#change-sets-for-nested-stacks-console)
+ [Working with change sets for nested stacks (AWS CLI)](#change-sets-for-nested-stacks-cli)

## Overview of change sets and nested stacks
<a name="overview-of-change-sets-and-nested-stacks"></a>

Change sets for nested stacks combines the following features to expand the scope of previewing changes to the entire stack hierarchy:
+ A *change set* is a CloudFormation capability that offers a preview of how proposed changes to a stack will impact existing or newly created resources. Upon creating a change set, CloudFormation provides a list of proposed changes by comparing your stack with the changes to the resources you submitted. For more information about change sets, see [Update CloudFormation stacks using change sets](using-cfn-updating-stacks-changesets.md).
+ A *nested stack* is a stack created as part of another stack. For example, you might have networking and security related resources in one nested stack and application resources in another. Partitioning application models this way helps with code maintainability and reuse. For more information about nested stacks, see [Split a template into reusable pieces using nested stacks](using-cfn-nested-stacks.md).

## Working with change sets for nested stacks (console)
<a name="change-sets-for-nested-stacks-console"></a>
+ **Create a change set** – Creates a change set by submitting changes from any level of the stack hierarchy. You can submit a modified stack template or modified input parameter values and CloudFormation compares your nested stack with the changes that you submitted to generate a change set. Change sets for nested stacks is enabled by default in the CloudFormation console. For more information, see [Create a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-create.md).  
![\[Create a change set for nested stacks is Enabled by default.\]](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/change-sets-for-nested-sets-enabled-default.png)
**Note**  
A root change set is the change set associated with the stack from which the whole hierarchy of change sets is created. You must execute or delete change sets for nested stacks from the root change set. For more information, see [Performing stack operations on nested stacks](using-cfn-nested-stacks.md#perform-stack-operations-on-nested-stacks).
+ **View the change set** – Visualize changes to resources inside nested stacks before executing them. You can view the proposed changes in the **Changes** section of your change set by navigating through the current stack and its nested change sets. For more information, see [View a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-view.md).
+ **Execute the change set** – Execute the changes described in the change set that pertain to the current stack and its descendants. The execute operation must be made from the root change set. For more information, see [Execute a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-execute.md).
+ **Delete the change set** – Removes the change sets from the current stack. Deleting a change set helps to prevent you or another user from accidentally initiating a change set that shouldn't be applied. The delete operation must be executed from the root change set. For more information, see [Delete a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-delete.md).

## Working with change sets for nested stacks (AWS CLI)
<a name="change-sets-for-nested-stacks-cli"></a>

### create-change-set
<a name="working-with-change-sets-for-nested-stacks-cli"></a>
+ [create-change-set](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-change-set.html) – Change sets for nested stacks isn't enabled by default for the AWS CLI. To create a change set for the entire stack hierarchy, specify the `--include-nested-stacks` option. For more information, see [Create a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-create.md).

The following AWS CLI example creates a change set for the specified root stack.

```
aws cloudformation create-change-set \
    --stack-name my-root-stack \
    --change-set-name my-root-stack-change-set \
    --template-body file://template.yaml \
    --capabilities CAPABILITY_IAM \
    --include-nested-stacks
```

The following is example output.

```
{
    "Id":"arn:aws:cloudformation:us-west-2:123456789012:changeSet/my-root-stack-change-set/4eca1a01-e285-xmpl-8026-9a1967bfb4b0",
    "StackId": "arn:aws:cloudformation:us-west-2:123456789012:Stack/my-root-stack/d0a825a0-e4cd-xmpl-b9fb-061c69e99204"
}
```

### describe-change-set
<a name="working-with-change-set-describe-cli"></a>
+ [describe-change-set](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/describe-change-set.html) – Returns a list of changes that CloudFormation will make if you execute the change set. If the change set specified contains child change sets that belong to nested stacks, then `ChangeSetId` will return information about that change set. For more information, see [View a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-view.md).

The following AWS CLI example describes the change set for the specified root stack.

```
aws cloudformation describe-change-set \
    --change-set-name my-root-stack-change-set \
    --stack-name my-root-stack
```

The following is example output.

```
{
    "Changes": [
        {
            "Type": "Resource",
            "ResourceChange": {
                "Action": "Modify",
                "LogicalResourceId": "ChildStack",
                "PhysicalResourceId": "arn:aws:cloudformation:us-west-2:123456789012:stack/my-nested-stack/d0a825a0-e4cd-xmpl-b9fb-061c69e99205",
                "ResourceType": "AWS::CloudFormation::Stack",
                "Replacement": "False",
                "ChangeSetId": "arn:aws:cloudformation:us-west-2:123456789012:changeSet/my-nested-stack-change-set/4eca1a01-e285-xmpl-8026-9a1967bfb4b0",
                "Scope": [
                    "Properties"
                ],
                "Details": [
                    {
                        "Target": {
                            "Attribute": "Properties",
                            "RequiresRecreation": "Never"
                        },
                        "Evaluation": "Dynamic",
                        "ChangeSource": "Automatic"
                    }
                ]
            }
        }
    ],
    "ChangeSetName": "my-root-stack-change-set",
    "ChangeSetId": "arn:aws:cloudformation:us-west-2:123456789012:changeSet/my-root-stack-change-set/4eca1a01-e285-xmpl-8026-9a1967bfb4b0",
    "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/my-root-stack/d0a825a0-e4cd-xmpl-b9fb-061c69e99204",
    "StackName": "my-root-stack",
    "IncludeNestedStacks": true,
    "ParentChangeSetId": null,
    "RootChangeSetId": null,
    "Description": null,
    "Parameters": null,
    "CreationTime": "2020-11-18T05:20:56.651Z",
    "ExecutionStatus": "AVAILABLE",
    "Status": "CREATE_COMPLETE",
    "StatusReason": null,
    "NotificationARNs": [
        
    ],
    "RollbackConfiguration": {
        
    },
    "Capabilities": [
        "CAPABILITY_IAM"
    ],
    "Tags": null
}
```

The following AWS CLI example describes the change set for the specified nested stack.

```
aws cloudformation describe-change-set \
    --change-set-name my-nested-stack-change-set \
    --stack-name my-nested-stack
```

The following is example output.

```
{
    "Changes": [
        {
            "Type": "Resource",
            "ResourceChange": {
                "Action": "Modify",
                "LogicalResourceId": "function",
                "PhysicalResourceId": "my-function",
                "ResourceType": "AWS::Lambda::Function",
                "Replacement": "False",
                "ChangeSetId": null,
                "Scope": [
                    "Properties"
                ],
                "Details": [
                    {
                        "Target": {
                            "Attribute": "Properties",
                            "Name": "Timeout",
                            "RequiresRecreation": "Never"
                        },
                        "Evaluation": "Static",
                        "ChangeSource": "DirectModification"
                    }
                ]
            }
        }
    ],
    "ChangeSetName": "my-nested-stack-change-set",
    "ChangeSetId": "arn:aws:cloudformation:us-west-2:123456789012:changeSet/my-nested-stack-change-set/4eca1a01-e285-xmpl-8026-9a1967bfb4b0",
    "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/my-nested-stack/d0a825a0-e4cd-xmpl-b9fb-061c69e99205",
    "ParentChangeSetId": "arn:aws:cloudformation:us-west-2:123456789012:changeSet/my-root-stack-change-set/4eca1a01-e285-xmpl-8026-9a1967bfb4b0",
    "RootChangeSetId": "arn:aws:cloudformation:us-west-2:123456789012:changeSet/my-root-stack-change-set/4eca1a01-e285-xmpl-8026-9a1967bfb4b0",
    "IncludeNestedStacks": true,
    "StackName": "my-nested-stack",
    "Description": null,
    "Parameters": null,
    "CreationTime": "2020-11-18T05:20:56.651Z",
    "ExecutionStatus": "UNAVAILABLE",
    "Status": "CREATE_COMPLETE",
    "StatusReason": "Executable from root change set",
    "NotificationARNs": [
        
    ],
    "RollbackConfiguration": {
        
    },
    "Capabilities": [
        "CAPABILITY_IAM"
    ],
    "Tags": null
}
```
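The following added example (not part of the AWS documentation) follows the `ChangeSetId` links shown in the two outputs above to collect every resource change across the hierarchy, and resolves any change set in it to the root change set that must be used for execution. The responses are constructed and trimmed, the short `cs/...` IDs stand in for change set ARNs, and `fetch` is a hypothetical callable that returns the `describe-change-set` output for a given ID.

```python
# Constructed describe-change-set responses, trimmed from the shapes shown above
# and keyed by shortened, made-up change set IDs.
RESPONSES = {
    "cs/root": {
        "StackName": "my-root-stack", "ChangeSetId": "cs/root",
        "ParentChangeSetId": None, "RootChangeSetId": None,
        "ExecutionStatus": "AVAILABLE",
        "Changes": [{"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "ChildStack",
            "ResourceType": "AWS::CloudFormation::Stack",
            "Replacement": "False", "ChangeSetId": "cs/nested"}}],
    },
    "cs/nested": {
        "StackName": "my-nested-stack", "ChangeSetId": "cs/nested",
        "ParentChangeSetId": "cs/root", "RootChangeSetId": "cs/root",
        "ExecutionStatus": "UNAVAILABLE",
        "Changes": [{"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "function",
            "ResourceType": "AWS::Lambda::Function",
            "Replacement": "False", "ChangeSetId": None}}],
    },
}


def walk(change_set_id, fetch, path=(), seen=None):
    """Yield (stack path, ResourceChange) for each change in the hierarchy,
    descending into child change sets through their ChangeSetId links."""
    seen = set() if seen is None else seen
    if change_set_id in seen:  # guard against a malformed, cyclic response
        raise ValueError(f"change set {change_set_id} visited twice")
    seen.add(change_set_id)
    cs = fetch(change_set_id)
    here = path + (cs["StackName"],)
    for change in cs.get("Changes", []):
        rc = change["ResourceChange"]
        child = rc.get("ChangeSetId")
        if rc["ResourceType"] == "AWS::CloudFormation::Stack" and child:
            yield from walk(child, fetch, here, seen)
        else:
            # A stack resource with no child ChangeSetId is yielded as-is, so an
            # unexpanded nested stack stays visible to the reviewer.
            yield "/".join(here), rc


def executable_root(change_set_id, fetch):
    """Return the ID of the root change set for any change set in the
    hierarchy, and refuse if the root is not currently executable."""
    cs = fetch(change_set_id)
    root_id = cs.get("RootChangeSetId") or cs["ChangeSetId"]
    root = fetch(root_id)
    if root.get("ExecutionStatus") != "AVAILABLE":
        raise RuntimeError(f"root change set is {root.get('ExecutionStatus')}")
    return root_id
```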

### execute-change-set
<a name="working-with-change-set-execute-cli"></a>
+ [execute-change-set](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/execute-change-set.html) – Creates or updates a stack using the input information that was provided when the specified change set was created. To create a change set for the entire stack hierarchy, you must specify the `--include-nested-stacks` option during the **create-change-set** operation. For more information, see [Execute a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-execute.md).
**Note**  
**execute-change-set** must be executed from the root change set and will apply the change set on the whole hierarchy of stacks.

The following AWS CLI example executes a change set for the specified root stack.

```
aws cloudformation execute-change-set \
    --stack-name my-root-stack \
    --change-set-name my-root-stack-change-set
```

### delete-change-set
<a name="working-with-change-set-delete-cli"></a>
+ [delete-change-set](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/delete-change-set.html) – Deletes the specified change set. Deleting change sets ensures that no one uses the wrong change set. Deleting change sets is asynchronous for change sets created with the `--include-nested-stacks` option. For more information, see [Delete a change set for a CloudFormation stack](using-cfn-updating-stacks-changesets-delete.md).
**Note**  
**delete-change-set** must be executed from the root change set and will delete the whole hierarchy of change sets. Nested stacks in the `REVIEW_IN_PROGRESS` status will also be deleted if they were created during the **create-change-set** operation.

The following AWS CLI example deletes the change set for the specified root stack.

```
aws cloudformation delete-change-set \
    --stack-name my-root-stack \
    --change-set-name my-root-stack-change-set
```