AWS::SSM::Parameter - Drift Detection doesn't work for Tags (+ UX issue for aws:cloudformation:* in Console)
Name of the resource
AWS::SSM::Parameter
Resource Name
No response
Issue Description
The resource AWS::SSM::Parameter is listed as supported by CloudFormation Drift Detection. Drift Detection is a great feature for detecting out-of-band changes (e.g. changes made via the Console for a hotfix).
Expected Behavior
Drift Detection is able to detect and report changes to the Tags of an AWS::SSM::Parameter.
Within the drift details ("View drift results"), we expect the Tags to appear under both "Expected" and "Actual".
Observed Behavior
Drift Detection does not check the Tags of AWS::SSM::Parameter at all: tags that are changed or added outside of the CFN stack are not reported.
Test Cases
step 1:
Create a stack using the following example template:
```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: CFN Drift detection bug - AWS::SSM::Parameter - Tags - AWS-case
Resources:
  BasicParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /robert/github/example/1
      Type: String
      Value: PleaseFixTheDriftDetection
      Tier: Standard
      Description: Example for SSM Parameter with Tags deployed via CFN.
      Tags:
        Environment: DEV
```
step 2:
Once the stack has been created successfully:
- Check the newly created SSM Parameter for the defined tags. The tags have been added as expected.
- Run Drift Detection. The result: the stack is in state IN_SYNC.
step 3:
Change the existing tag and/or add a new tag to the SSM Parameter via the Console.
(In this example the value of the tag "Environment" was changed from DEV to PRD. Furthermore, a new tag TestTagViaConsole was added.)
step 4:
Run Drift Detection again. It is not able to report the out-of-band change: the stack is still reported as IN_SYNC 🤨. This is not correct.
Other Details
Furthermore, there is a general UX problem in the AWS Console. The tags aws:cloudformation:stack-name, aws:cloudformation:logical-id and aws:cloudformation:stack-id are (useful) CloudFormation built-in, service-managed tags. The Console nevertheless flags them with the error "Cannot start with aws:". Once you click "Save tags" in the Console, the tags are saved, but there is no "saved successfully" confirmation; nothing visibly happens. That is bad as well.
This happens for all SSM Parameter resources deployed as part of a CloudFormation stack 😟
An additional (strange) aspect: the following only applies if you are using stack-level tags.
Here is an example as a follow-up of the example above:
- Create a stack with an AWS::SSM::Parameter and add a stack-level tag (as CDK does), then check the tags of the parameter in the Systems Manager Parameter Store Console:
- Go ahead and change the value of the SSM Parameter:
- Now, I run Drift Detection again: it reports the Value and the new tags under "Expected" (only) …
So, if you have a [NOT_EQUAL] drift on another property of AWS::SSM::Parameter, such as Value (defined as "-" in the template but changed to "1" outside of CFN), and you combine this with stack-level tags (here: TagOnStackLevel), you can see those stack-level tags under "Expected". The tags added within the template (here: Environment) are not shown at all.
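Until Drift Detection covers Tags, the check has to be done out of band. The following is an added example (not CloudFormation's or AWS's code) that reproduces steps 2 to 4 of the test case above, plus the stack-level-tag variant, offline: it takes the template's resource-level Tags and optional stack-level tags as the expected state, drops the service-managed aws:cloudformation:* tags from the actual state, and reports the difference using the field names of `describe-stack-resource-drifts`. The tag lists are constructed to mirror the issue (the stack-level tag value, stack name and stack ARN are placeholders, since the issue does not give them); in practice the "actual" input is the output of `aws ssm list-tags-for-resource --resource-type Parameter --resource-id /robert/github/example/1`. Treating the resource-level value as winning on a key collision with a stack-level tag is an assumption.

```python
"""Compensating tag-drift check for AWS::SSM::Parameter (added example).

Compares the tags a template declares (resource-level Tags plus optional
stack-level tags) with the tags actually on the parameter and reports
differences in the shape of `describe-stack-resource-drifts`. All inputs are
constructed samples mirroring the test case in the issue.
"""
import json

# Tags CloudFormation stamps on every resource it creates. They are not part
# of the template and must be excluded from the comparison.
SERVICE_TAG_PREFIX = "aws:"

# Resource-level Tags from the template (a key -> value map for this resource).
TEMPLATE_TAGS = {"Environment": "DEV"}

# Stack-level tag as CDK or `create-stack --tags` would add. The value is
# assumed; the issue only names the key.
STACK_TAGS = {"TagOnStackLevel": "example"}


def list_tags_response(*pairs):
    """Build a constructed `list-tags-for-resource` response from (key, value) pairs."""
    return {"TagList": [{"Key": k, "Value": v} for k, v in pairs]}


# Constructed: tags right after stack creation (step 2). Stack name and ARN
# are placeholders.
AFTER_CREATE = list_tags_response(
    ("Environment", "DEV"),
    ("aws:cloudformation:stack-name", "ssm-drift-example"),
    ("aws:cloudformation:logical-id", "BasicParameter"),
    ("aws:cloudformation:stack-id",
     "arn:aws:cloudformation:REGION:ACCOUNT:stack/ssm-drift-example/STACK-UUID"),
)

# Constructed: after the Console edit in step 3 (Environment -> PRD, new tag).
AFTER_CONSOLE_EDIT = list_tags_response(
    ("Environment", "PRD"),
    ("TestTagViaConsole", "yes"),
    ("aws:cloudformation:stack-name", "ssm-drift-example"),
    ("aws:cloudformation:logical-id", "BasicParameter"),
    ("aws:cloudformation:stack-id",
     "arn:aws:cloudformation:REGION:ACCOUNT:stack/ssm-drift-example/STACK-UUID"),
)


def expected_tags(template_tags, stack_tags=None):
    """Tags CloudFormation should enforce on the resource.

    Stack-level tags are propagated to the resource; on a key collision the
    resource-level value is taken here (assumption about precedence).
    """
    return {**(stack_tags or {}), **template_tags}


def actual_user_tags(response):
    """Flatten the TagList and drop the service-managed aws:* tags."""
    return {
        t["Key"]: t["Value"]
        for t in response["TagList"]
        if not t["Key"].startswith(SERVICE_TAG_PREFIX)
    }


def detect_tag_drift(expected, response):
    """Return a drift record for the Tags property.

    Field names follow the StackResourceDrift / PropertyDifference shape of
    `describe-stack-resource-drifts`; DifferenceType is ADD, REMOVE or NOT_EQUAL.
    """
    actual = actual_user_tags(response)
    differences = []
    for key in sorted(set(expected) | set(actual)):
        exp, act = expected.get(key), actual.get(key)
        if exp == act:
            continue
        if exp is None:
            kind = "ADD"        # tag added outside the stack
        elif act is None:
            kind = "REMOVE"     # declared tag missing on the resource
        else:
            kind = "NOT_EQUAL"  # value changed outside the stack
        differences.append({
            "PropertyPath": f"/Tags/{key}",
            "DifferenceType": kind,
            "ExpectedValue": exp,
            "ActualValue": act,
        })
    return {
        "StackResourceDriftStatus": "MODIFIED" if differences else "IN_SYNC",
        "ExpectedProperties": {"Tags": expected},
        "ActualProperties": {"Tags": actual},
        "PropertyDifferences": differences,
    }


if __name__ == "__main__":
    for label, response in (("after create", AFTER_CREATE),
                            ("after console edit", AFTER_CONSOLE_EDIT)):
        report = detect_tag_drift(expected_tags(TEMPLATE_TAGS), response)
        print(label, json.dumps(report, indent=2))
```

Run as-is it prints IN_SYNC for the state after creation and MODIFIED for the state after the Console edit, with `/Tags/Environment` as NOT_EQUAL (DEV vs PRD) and `/Tags/TestTagViaConsole` as ADD. Passing `STACK_TAGS` to `expected_tags` makes a missing stack-level tag show up as REMOVE, which is the case the stack-level-tag follow-up above describes only partially.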