pantheon-ai/cfn-template-compare
Compares deployed CloudFormation templates with locally synthesized CDK templates to detect drift, validate changes, and ensure consistency before deployment. Use when the user wants to compare CDK output with a deployed stack, check for infrastructure drift, run a pre-deployment validation, audit IAM or security changes, investigate a failing deployment, or perform a 'cdk diff'-style review. Triggered by phrases like 'compare templates', 'check for drift', 'cfn drift', 'stack comparison', 'infrastructure drift detection', 'safe to deploy', or 'what changed in my CDK stack'.
95
93%
Does it follow best practices?
Impact
100%
1.08xAverage score across 5 eval scenarios
Passed
No known issues
Evaluation results
100%
12%Compare Deployed Stack with Local CDK Changes
Complete template comparison workflow
aws get-template command
100%
100%
Output to JSON file
100%
100%
make synth command
100%
100%
Copy synthesized template
100%
100%
Structure comparison
60%
100%
Resource count check
60%
100%
Added/removed resources
70%
100%
Timestamped artifacts
100%
100%
Report template structure
100%
100%
Resource counts in summary
87%
100%
Status indicator
100%
100%
100%
11%Pre-flight Checks for Template Comparison
Prerequisites validation and error handling
AWS credential check
100%
100%
Profile flag usage
100%
100%
Stack existence check
100%
100%
StackStatus query
100%
100%
CDK synth validation
66%
100%
JSON validation
60%
100%
Error messages present
100%
100%
Credential error fix
100%
100%
Stack not found fix
100%
100%
Synth failure fix
71%
100%
100%
1%Detailed Security and IAM Analysis
Hierarchical comparison and security analysis
Structure comparison first
100%
100%
Resource count check
100%
100%
Added/removed check
100%
100%
Process substitution
100%
100%
Sorted resource lists
100%
100%
CDK Nag extraction
100%
100%
IAM resource filter
93%
100%
Hierarchical order explained
100%
100%
CDK Nag interpretation
100%
100%
IAM policy analysis
100%
100%
100%
12%Categorize Template Differences by Risk Level
Risk categorization and deployment decision
Risk categories defined
100%
100%
GitRef as expected
100%
100%
Alarm threshold as medium
0%
100%
IAM policy as high risk
100%
100%
CDK Nag suppression as critical
100%
100%
Resource changes assessed
100%
100%
Deployment decision present
100%
100%
Decision matches risk
100%
100%
Required actions listed
100%
100%
100%
3%Handle Very Large Template Comparison
Large template handling optimization
Problem threshold identified
100%
100%
Hierarchical approach recommended
100%
100%
Structure comparison first
100%
100%
Resource count comparison
100%
100%
Added/removed resources
100%
100%
Avoid line diff
100%
100%
Summarized output
100%
100%
Decision criteria clear
100%
100%
Security focused subset
62%
100%
- Evaluated
- Agent
- Claude Code
- Model
- Claude Sonnet 4.6