
pantheon-ai/cfn-template-compare

Compares deployed CloudFormation templates with locally synthesized CDK templates to detect drift, validate changes, and ensure consistency before deployment. Use when the user wants to compare CDK output with a deployed stack, check for infrastructure drift, run a pre-deployment validation, audit IAM or security changes, investigate a failing deployment, or perform a 'cdk diff'-style review. Triggered by phrases like 'compare templates', 'check for drift', 'cfn drift', 'stack comparison', 'infrastructure drift detection', 'safe to deploy', or 'what changed in my CDK stack'.

Evaluation: 100% (validation for skill structure: does it follow best practices?)

Agent success when using this tile: 1.09x


File: `references/markdown-report-example.md`

# Example CloudFormation Comparison Report

This is an example of the markdown report generated by the `compare-cfn-templates.sh` script.

## Sample Report Output


# CloudFormation Template Comparison Report

  • Generated: 2026-02-18 15:30:45 UTC
  • Deployed Stack: lct-monitoring-st
  • Region: eu-west-1
  • Profile: ppl-sw-st
  • Local Branch: feat-CC-990-clean-subscription-fix
  • PPLAWS Reference: thoroc


## Executive Summary

| Metric | Deployed | Local | Status |
|---|---|---|---|
| Total Resources | 55 | 55 | ✅ |
| Common Resources | 48 | 48 | ✅ |
| Added Resources | 0 | 7 | ⚠️ |
| Removed Resources | 7 | 0 | ⚠️ |

## Template Structure

Template structure matches - both templates have identical top-level keys

## Added Resources

The following 7 resource(s) exist in the local template but not in the deployed template:

  • lctmonitoringstthorocBeehiveAccessSecurityGroupfrom1... (AWS::EC2::SecurityGroupIngress)
  • lctmonitoringstthorocBeehiveAccessSecurityGroupfrom2... (AWS::EC2::SecurityGroupIngress)
  • lctmonitoringstthorocTicketBaseAnalyticsDailyRuleAllowEventRule... (AWS::Lambda::Permission)
  • lctmonitoringstthorocMonitoringMetadataDBFreeStorageSpace15Alarm (AWS::CloudWatch::Alarm)
  • lctmonitoringstthorocMonitoringMetadataDBFreeStorageSpace25Alarm (AWS::CloudWatch::Alarm)
  • lctmonitoringstthorocMonitoringMetadataDBFreeStorageSpace30Alarm (AWS::CloudWatch::Alarm)
  • lctmonitoringstthorocTaskSummaryAnalyticsDailyRuleAllowEventRule... (AWS::Lambda::Permission)

## Removed Resources

The following 7 resource(s) exist in the deployed template but not in the local template:

  • lctmonitoringstBeehiveAccessSecurityGroupfrom1... (AWS::EC2::SecurityGroupIngress)
  • lctmonitoringstBeehiveAccessSecurityGroupfrom2... (AWS::EC2::SecurityGroupIngress)
  • lctmonitoringstTicketBaseAnalyticsDailyRuleAllowEventRule... (AWS::Lambda::Permission)
  • lctmonitoringstMonitoringMetadataDBFreeStorageSpace15Alarm (AWS::CloudWatch::Alarm)
  • lctmonitoringstMonitoringMetadataDBFreeStorageSpace25Alarm (AWS::CloudWatch::Alarm)
  • lctmonitoringstMonitoringMetadataDBFreeStorageSpace30Alarm (AWS::CloudWatch::Alarm)
  • lctmonitoringstTaskSummaryAnalyticsDailyRuleAllowEventRule... (AWS::Lambda::Permission)

## Security Analysis

### CDK Nag Suppressions

| Environment | Resources with Suppressions |
|---|---|
| Deployed | 54 |
| Local | 54 |

CDK Nag suppressions are consistent

## Resource Type Breakdown

### Deployed Stack Resource Types

  • AWS::Lambda::Function: 12 resource(s)
  • AWS::IAM::Role: 8 resource(s)
  • AWS::RDS::DBInstance: 2 resource(s)
  • AWS::CloudWatch::Alarm: 8 resource(s)
  • AWS::EC2::SecurityGroup: 3 resource(s)
  • AWS::Lambda::Permission: 6 resource(s)
  • AWS::Events::Rule: 4 resource(s)

### Local Template Resource Types

  • AWS::Lambda::Function: 12 resource(s)
  • AWS::IAM::Role: 8 resource(s)
  • AWS::RDS::DBInstance: 2 resource(s)
  • AWS::CloudWatch::Alarm: 8 resource(s)
  • AWS::EC2::SecurityGroup: 3 resource(s)
  • AWS::Lambda::Permission: 6 resource(s)
  • AWS::Events::Rule: 4 resource(s)

## Deployment Recommendation

⚠️ REVIEW REQUIRED

Templates have differences that require careful review before deployment.

**Required Actions:**

  1. Review all added and removed resources
  2. Verify changes are intentional
  3. Assess impact on running services
  4. Get stakeholder approval for significant changes
  5. Update documentation if needed
  6. Re-run comparison after addressing issues

**Impact Assessment:**

  • Resource Changes: 7 added, 7 removed
  • Security Impact: None
  • Risk Level: MEDIUM (resources will be added)

## Artifacts

The following files are available in the run directory for detailed analysis:

  • deployed.json - Complete CloudFormation template from deployed stack
  • local.json - Complete CloudFormation template from local synthesis
  • deployed-resources.txt - List of deployed resource logical IDs
  • local-resources.txt - List of local resource logical IDs
  • deployed-keys.txt - Deployed template top-level keys
  • local-keys.txt - Local template top-level keys

## Commands for Further Analysis

```bash
# Compare specific resources
jq '.Resources["<ResourceLogicalId>"]' deployed.json
jq '.Resources["<ResourceLogicalId>"]' local.json

# Find resources by type
jq -r '.Resources | to_entries[] | select(.value.Type == "AWS::Lambda::Function") | .key' local.json

# Compare IAM policies
jq '.Resources | to_entries[] | select(.value.Type == "AWS::IAM::Role")' deployed.json > deployed-iam.json
jq '.Resources | to_entries[] | select(.value.Type == "AWS::IAM::Role")' local.json > local-iam.json
diff deployed-iam.json local-iam.json
```

Report Generated by: cfn-template-compare skill
Timestamp: 2026-02-18T15:30:45Z
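The sample report above is produced by the skill's bash/jq script. The following is an added example, not the skill's own code, that re-implements in Python the checks behind the report's Executive Summary, Template Structure, CDK Nag and Resource Type sections, and adds one thing the report does not do: it pairs each added resource with a removed resource that has an identical body, so that logical-ID renames (the 7-added/7-removed pattern the sample shows after the PPLAWS reference change) are reported as renames rather than as two unrelated changes. The two templates are constructed stand-ins for `deployed.json` and `local.json`; the `Metadata.cdk_nag.rules_to_suppress` layout is the one cdk-nag writes, assumed here rather than taken from the page.

```python
"""Added example for this page: Python re-implementation of the report's
summary checks plus a logical-ID rename detector.  Not the skill's
compare-cfn-templates.sh; the templates below are constructed samples."""
import json
from collections import Counter

# Constructed sample: what the deployed stack currently looks like.
DEPLOYED = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "lctmonitoringstFn": {
      "Type": "AWS::Lambda::Function",
      "Properties": {"Runtime": "python3.12", "Handler": "index.handler"},
      "Metadata": {"cdk_nag": {"rules_to_suppress": [{"id": "AwsSolutions-L1", "reason": "runtime pinned on purpose"}]}}
    },
    "lctmonitoringstDBFreeStorageSpace15Alarm": {
      "Type": "AWS::CloudWatch::Alarm", "Properties": {"Threshold": 15}
    },
    "lctmonitoringstSGfrom1": {
      "Type": "AWS::EC2::SecurityGroupIngress", "Properties": {"FromPort": 443, "ToPort": 443}
    }
  },
  "Outputs": {}
}""")

# Constructed sample: local synth after a PPLAWS reference ("thoroc") was added,
# which changes the CDK construct path and therefore two logical IDs.
LOCAL = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "lctmonitoringstFn": {
      "Type": "AWS::Lambda::Function",
      "Properties": {"Runtime": "python3.12", "Handler": "index.handler"},
      "Metadata": {"cdk_nag": {"rules_to_suppress": [{"id": "AwsSolutions-L1", "reason": "runtime pinned on purpose"}]}}
    },
    "lctmonitoringstthorocDBFreeStorageSpace15Alarm": {
      "Type": "AWS::CloudWatch::Alarm", "Properties": {"Threshold": 15}
    },
    "lctmonitoringstthorocSGfrom1": {
      "Type": "AWS::EC2::SecurityGroupIngress", "Properties": {"FromPort": 443, "ToPort": 443}
    }
  },
  "Outputs": {}
}""")


def resource_sets(deployed, local):
    """Executive Summary numbers: totals, common, added (local only), removed (deployed only)."""
    d, l = set(deployed.get("Resources", {})), set(local.get("Resources", {}))
    return {"deployed_total": len(d), "local_total": len(l),
            "common": sorted(d & l), "added": sorted(l - d), "removed": sorted(d - l)}


def structure_matches(deployed, local):
    """Template Structure check: both templates have the same top-level keys."""
    return set(deployed) == set(local)


def nag_suppressed_resources(template):
    """Resources carrying cdk-nag suppressions.  cdk-nag stores them under
    Metadata.cdk_nag.rules_to_suppress (assumed layout, not taken from the page)."""
    return sum(1 for r in template.get("Resources", {}).values()
               if r.get("Metadata", {}).get("cdk_nag", {}).get("rules_to_suppress"))


def type_breakdown(template):
    """Resource Type Breakdown: number of resources per CloudFormation type."""
    return Counter(r.get("Type", "<unknown>") for r in template.get("Resources", {}).values())


def canonical(resource):
    """Type plus Properties with sorted keys.  Metadata is deliberately ignored:
    aws:cdk:path and nag notes change with the construct path, Properties do not."""
    return json.dumps({"Type": resource.get("Type"), "Properties": resource.get("Properties", {})},
                      sort_keys=True)


def detect_renames(deployed, local):
    """Pair every added resource with a removed one whose body is identical;
    such a pair is a logical-ID rename, not a functional change."""
    sets = resource_sets(deployed, local)
    by_body = {}
    for lid in sets["removed"]:
        by_body.setdefault(canonical(deployed["Resources"][lid]), []).append(lid)
    renames = []
    for lid in sets["added"]:
        candidates = by_body.get(canonical(local["Resources"][lid]))
        if candidates:
            renames.append((candidates.pop(0), lid))
    return renames


if __name__ == "__main__":
    s = resource_sets(DEPLOYED, LOCAL)
    print(f"Total {s['deployed_total']}/{s['local_total']}, common {len(s['common'])}, "
          f"added {len(s['added'])}, removed {len(s['removed'])}")
    print("Structure matches:", structure_matches(DEPLOYED, LOCAL))
    print("Nag suppressions:", nag_suppressed_resources(DEPLOYED), nag_suppressed_resources(LOCAL))
    print("Type breakdown equal:", type_breakdown(DEPLOYED) == type_breakdown(LOCAL))
    for old, new in detect_renames(DEPLOYED, LOCAL):
        print(f"rename: {old} -> {new}")
```

A detected rename still deserves attention in review: CloudFormation identifies a resource by its logical ID, so a renamed resource is deleted and re-created rather than updated in place. For the ingress rules, permissions and alarms in the sample that is harmless; for a stateful type such as an RDS instance or a table it would be a data-loss event and should be treated as a HIGH finding, not a cosmetic one.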


## Use Cases for Reports

### 1. Deployment Review Meetings

Share the markdown report with stakeholders before deployments to review changes and assess risks.

Example workflow:

  • Generate report before scheduled deployment
  • Share with tech lead and product owner
  • Review differences in team meeting
  • Approve or reject deployment based on findings

### 2. Change Management Tickets

Attach the report to change management tickets for approval workflows.

Example:

```text
JIRA Ticket: INFRA-1234
Subject: Deploy LCT Monitoring Stack Updates
Attachment: 2026-02-18-153045_deployed-main_local-feat-CC-990_ref-thoroc/comparison-report.md

Change Summary:
- 7 resources will be renamed due to PPLAWS_REFERENCE change
- No functional changes
- Security suppressions remain consistent
```

### 3. Audit Trail

Preserve reports as part of compliance and audit documentation showing infrastructure changes over time.

Example structure:

```text
audit-artifacts/
  2026-Q1/
    2026-02-18-153045_deployed-main_local-feat-CC-990_ref-thoroc/
    2026-02-15-091230_deployed-main_local-main_ref-st/
  2026-Q2/
    ...
```

### 4. Troubleshooting

Compare historical reports to identify when specific changes were introduced that may have caused issues.

Example: "When did the CloudWatch alarm threshold change from 80% to 90%?"

  • Review historical comparison reports
  • Find report showing threshold change
  • Correlate with deployment date and incident timeline

### 5. Multi-Environment Comparison

Generate reports for the ST, AT, and PR environments to ensure consistency across the deployment pipeline.

Example workflow:

```bash
# Compare ST environment
bash compare-cfn-templates.sh lct-monitoring-st eu-west-1 ppl-sw-st

# Compare AT environment
bash compare-cfn-templates.sh lct-monitoring-at eu-west-1 ppl-sw-at

# Compare PR environment
bash compare-cfn-templates.sh lct-monitoring-pr eu-west-1 ppl-sw-pr

# Review all reports to ensure consistency
ls -l cfn-compare-results/
```

## Report Interpretation Guide

### Executive Summary Table

| Icon | Meaning |
|---|---|
| ✅ | No differences, safe |
| ⚠️ | Differences detected, review needed |

### Deployment Recommendations

✅ SAFE TO DEPLOY:

  • No functional differences detected
  • Only environmental variations (tags, naming)
  • Proceed with deployment

⚠️ REVIEW REQUIRED:

  • Resource additions or removals detected
  • Security configuration changes
  • Requires stakeholder review before proceeding

### Risk Levels

  • LOW: Cosmetic changes, display names, tags
  • MEDIUM: Resource additions, alarm threshold changes
  • HIGH: Resource removals, IAM policy changes, encryption settings
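The recommendation rules and the risk ladder above are stated in prose; the following added example (not the skill's own code) turns them into a classifier that walks a deployed/local pair resource by resource and produces the verdict the report prints. Removals, IAM policy changes and encryption-setting changes are HIGH, additions and alarm-threshold changes MEDIUM, tag or description changes LOW, and only LOW (or no) findings yield SAFE TO DEPLOY. The property and type lists that drive the classification are this example's own assumptions, and the two templates are constructed samples in which a role's inline policy is widened from `s3:GetObject` on one bucket to `s3:*` on `*`, an alarm threshold moves from 80 to 90, a tag changes, and one permission is added.

```python
"""Added example for this page: the Risk Levels ladder applied to a
deployed/local template pair.  Not the skill's code; the classification
tables and both templates are constructed for the example."""
import json

# Assumed classification tables (this example's, not the skill's configuration).
COSMETIC_PROPS = {"Tags", "Description", "AlarmDescription"}
ENCRYPTION_PROPS = {"StorageEncrypted", "KmsKeyId", "KmsMasterKeyId", "BucketEncryption",
                    "SSESpecification", "Encrypted"}
IAM_TYPES = {"AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy",
             "AWS::IAM::User", "AWS::IAM::Group"}
POLICY_PROPS = {"Policies", "PolicyDocument", "AssumeRolePolicyDocument", "ManagedPolicyArns"}
SEVERITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed sample: deployed stack.
DEPLOYED = json.loads("""{
  "Resources": {
    "ReaderRole": {"Type": "AWS::IAM::Role", "Properties": {
      "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
      "Policies": [{"PolicyName": "read", "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}}]}},
    "FreeStorageAlarm": {"Type": "AWS::CloudWatch::Alarm", "Properties": {"Threshold": 80, "AlarmDescription": "storage"}},
    "Worker": {"Type": "AWS::Lambda::Function", "Properties": {"Runtime": "python3.12", "Tags": [{"Key": "team", "Value": "lct"}]}}
  }
}""")

# Constructed sample: local synth with a widened policy, a new threshold, a tag edit and one addition.
LOCAL = json.loads("""{
  "Resources": {
    "ReaderRole": {"Type": "AWS::IAM::Role", "Properties": {
      "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
      "Policies": [{"PolicyName": "read", "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]}},
    "FreeStorageAlarm": {"Type": "AWS::CloudWatch::Alarm", "Properties": {"Threshold": 90, "AlarmDescription": "storage"}},
    "Worker": {"Type": "AWS::Lambda::Function", "Properties": {"Runtime": "python3.12", "Tags": [{"Key": "team", "Value": "lct-monitoring"}]}},
    "WorkerInvokePermission": {"Type": "AWS::Lambda::Permission", "Properties": {"Action": "lambda:InvokeFunction", "FunctionName": {"Ref": "Worker"}, "Principal": "events.amazonaws.com"}}
  }
}""")


def changed_props(before, after):
    """Names of Properties whose value differs between two resource bodies."""
    b, a = before.get("Properties", {}), after.get("Properties", {})
    return sorted(k for k in set(b) | set(a) if b.get(k) != a.get(k))


def classify(deployed, local):
    """Return (level, logical_id, reason) for every difference found."""
    dres, lres = deployed.get("Resources", {}), local.get("Resources", {})
    findings = [("HIGH", lid, "resource removed") for lid in sorted(set(dres) - set(lres))]
    findings += [("MEDIUM", lid, "resource added") for lid in sorted(set(lres) - set(dres))]
    for lid in sorted(set(dres) & set(lres)):
        before, after = dres[lid], lres[lid]
        if before.get("Type") != after.get("Type"):
            findings.append(("HIGH", lid, f"type changed {before.get('Type')} -> {after.get('Type')}"))
            continue
        props = changed_props(before, after)
        if not props:
            continue
        rtype = before.get("Type", "")
        if rtype in IAM_TYPES or POLICY_PROPS & set(props):
            level, why = "HIGH", "IAM policy change"
        elif ENCRYPTION_PROPS & set(props):
            level, why = "HIGH", "encryption setting change"
        elif rtype == "AWS::CloudWatch::Alarm" and "Threshold" in props:
            level, why = "MEDIUM", "alarm threshold change"
        elif set(props) <= COSMETIC_PROPS:
            level, why = "LOW", "cosmetic change"
        else:
            level, why = "MEDIUM", "property change"  # unrecognised: a human decides
        findings.append((level, lid, f"{why}: {', '.join(props)}"))
    return findings


def recommendation(findings):
    """Report verdict: only LOW findings (or none at all) are SAFE TO DEPLOY."""
    worst = max((f[0] for f in findings), key=SEVERITY.__getitem__, default="LOW")
    return ("✅ SAFE TO DEPLOY" if worst == "LOW" else "⚠️ REVIEW REQUIRED", worst)


if __name__ == "__main__":
    found = classify(DEPLOYED, LOCAL)
    for level, lid, reason in found:
        print(f"{level:6} {lid}: {reason}")
    verdict, risk = recommendation(found)
    print(f"{verdict} (Risk Level: {risk})")
```

The unrecognised-property branch defaults to MEDIUM on purpose: a classifier that only knows a handful of property names should escalate what it cannot name rather than wave it through as cosmetic. Resource-level `DeletionPolicy` or `UpdateReplacePolicy` changes live outside `Properties` and are not examined here; a production version would compare those attributes as well.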

## Customizing Report Generation

### Environment Variables

Control report generation behavior with environment variables:

```bash
# Disable artifact preservation (cleanup after comparison)
PRESERVE_ARTIFACTS=false bash compare-cfn-templates.sh lct-monitoring-st eu-west-1 ppl-sw-st

# Keep artifacts (default behavior)
PRESERVE_ARTIFACTS=true bash compare-cfn-templates.sh lct-monitoring-st eu-west-1 ppl-sw-st
```

### Cleaning Old Reports

Manage disk space by removing old comparison reports:

```bash
# Keep only the last 10 comparison runs (run directory names contain no
# whitespace, so parsing ls output is safe here)
cd cfn-compare-results
ls -t | tail -n +11 | xargs rm -rf

# Remove run directories older than 30 days. -mindepth 1 -maxdepth 1 limits the
# match to the run directories themselves; without it, cfn-compare-results
# itself and every subdirectory inside a run would also match and be removed
find cfn-compare-results -mindepth 1 -maxdepth 1 -type d -mtime +30 -exec rm -rf {} +

# Remove all comparison artifacts
rm -rf cfn-compare-results/
```

## Install with Tessl CLI

```bash
npx tessl i pantheon-ai/cfn-template-compare
```
