
AWS::RDS::DBCluster resources don’t receive the aws:cloudformation built-in tags

Open bogdanb opened this issue 2 years ago • 2 comments

Name of the resource

AWS::RDS::DBCluster

Issue Description

When you have an AWS::RDS::DBCluster resource in your stack, it does not get assigned the built-in tags: aws:cloudformation:stack-name, aws:cloudformation:logical-id and aws:cloudformation:stack-id

Note that AWS::RDS::DBInstance resources do get these tags.

Expected Behavior

All stack resources should automatically receive the aws:cloudformation:* built-in tags.

Observed Behavior

No tags are added automatically to AWS::RDS::DBCluster resources.

Test Cases

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DatabaseCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora-mysql
      EngineMode: provisioned
      MasterUsername: admin
      MasterUserPassword: password

bogdanb avatar May 03 '22 12:05 bogdanb

This issue seems to be affecting AWS::ElastiCache::ReplicationGroup as well.

tommydongaws avatar Jul 02 '22 22:07 tommydongaws

@tommydongaws also occurs with AWS::Elasticsearch::Domain and AWS::OpenSearchService::Domain

londonc avatar Jul 07 '22 15:07 londonc

@bogdanb RDS DBInstance and RDS DBCluster should have achieved a complete parity on the tagging functionality by now.

The only reasonable explanation why this could be happening is tag create soft-failing. AWS RDS DBInstance and DBCluster resource handlers will attempt to create a new resource with system and stack-level tags. If this attempt fails with a permission denied error, the corresponding handler will repeat this attempt with no tags at all.

Could you please check if the IAM role in use permits tagging (see https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-rds/blob/master/aws-rds-dbcluster/resource-role.yaml#L36 for the full list of permissions that are required)? Would you please try to create a new stack with a DBCluster and share the results? I'm quite sure it must be there if the permissions are in place.

osdrv avatar Oct 24 '22 14:10 osdrv
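An added example, not part of the thread or of the RDS resource provider's code: because the soft-fail described above produces an untagged cluster rather than a stack error, an audit has to look at both the cluster tags and the role's policy. The function names and sample data are hypothetical; the records are shaped like `DBClusters` entries from `describe_db_clusters`, and `rds:AddTagsToResource` is assumed to be the tagging action to check.

```python
from fnmatch import fnmatchcase

# Built-in tag keys named in the issue description.
BUILTIN_TAGS = {
    "aws:cloudformation:stack-name",
    "aws:cloudformation:logical-id",
    "aws:cloudformation:stack-id",
}

def missing_builtin_tags(cluster):
    """Return the built-in tag keys absent from one DBCluster record."""
    present = {t["Key"] for t in cluster.get("TagList", [])}
    return sorted(BUILTIN_TAGS - present)

def policy_allows(policy, action):
    """Simplified IAM check: an explicit Deny wins, otherwise any Allow.
    Assumption: Resource, Condition and NotAction are ignored."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    allowed = False
    for st in statements:
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatchcase(action.lower(), a.lower()) for a in actions):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def audit(clusters, policy):
    """Return ({cluster id: missing keys}, whether the role may tag)."""
    gaps = {}
    for c in clusters:
        missing = missing_builtin_tags(c)
        if missing:
            gaps[c["DBClusterIdentifier"]] = missing
    return gaps, policy_allows(policy, "rds:AddTagsToResource")

# Constructed sample data: one untagged cluster, one tagged, and a role
# policy that can create clusters but has no tagging permission.
CLUSTERS = [
    {"DBClusterIdentifier": "old-cluster", "TagList": []},
    {"DBClusterIdentifier": "new-cluster",
     "TagList": [{"Key": k, "Value": "placeholder"} for k in BUILTIN_TAGS]},
]
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["rds:CreateDBCluster", "rds:Describe*"],
     "Resource": "*"}]}
```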

@osdrv Hello! I confirm a cluster newly created today in the eu-west-1 region does have the tags, at least, thank you!

It didn’t when I created the issue. I have a cluster with Created time Mon May 30 2022 22:01:31 GMT+0200 which does not have the tags.

Is there any way to get the tags added on existing resources, without just re-creating them? I assume if the stack goes through any change that requires resource replacement, the replacements will get the tags, at least, right?

@tommydongaws @londonc You might want to add separate issues about your other resource types (if they haven’t been fixed in the meantime), this one was specifically about AWS::RDS::DBCluster, so I’m closing it now.

bogdanb avatar Oct 26 '22 12:10 bogdanb

@bogdanb many thanks for checking! Much appreciated!

Re stack-level tags: could you please try to perform a minimal update? If this won't help, then it's down to a re-create, I'm afraid.

osdrv avatar Oct 31 '22 15:10 osdrv

@osdrv My pleasure, thanks for fixing the bug and keeping us updated!

I don’t have access anymore to any stack where I could perform a minimal update. The only one still without the tags is our production stack, which can only be updated automatically, during new release deployments.

That said, we had to do a restore-from-snapshot on our staging stack just now, which replaces the cluster, and I can at least confirm that the restored cluster also got the tags.

bogdanb avatar Nov 01 '22 13:11 bogdanb