
[AWS::KMS::Key] - [BUG] - resource doesn't receive the `aws:cloudformation` built-in tags / default service-managed auto-tags

Open rgoltz opened this issue 1 year ago • 0 comments

Name of the resource

AWS::KMS::Key

Resource Name

No response

Issue Description

To find the right CloudFormation Stack where an AWS resource is defined/maintained, the aws:cloudformation:* built-in tags are needed. This is an important function in day-to-day business.

Expected Behavior

Resources with type AWS::KMS::Key, which are managed as CloudFormation Stacks, should automatically receive the aws:cloudformation:* built-in tags / automatic default CFN AutoTags.

Once support for CloudFormation Drift-Detection is added via https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1671, please handle those automatic tags correctly (hence, aws:cloudformation:* tags are not a drift).

Observed Behavior

When you have an AWS::KMS::Key resource in your stack, it does not get the built-in tags assigned: aws:cloudformation:stack-name, aws:cloudformation:logical-id and aws:cloudformation:stack-id

Test Cases

Example Templates: Deploy this Stack in one Region:

```yaml
Resources:
  EncryptionKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: TestKeyForTags
      EnableKeyRotation: true
      MultiRegion: true
      Enabled: true
      Tags:
        - Key: "Stack Name Not Default Tag"
          Value: !Ref AWS::StackName
      KeyPolicy:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
            Action:
              - 'kms:*'
            Resource: '*'
```

You will see on both Resources that aside from CloudFormation defined Tags, no other Tags are placed onto the Resources. No tags aws:cloudformation:* are added to the resource (just the tags defined via Template-Resource-Level or via Stack-Level).

Other Details

We are re-addressing this issue here as a new GitHub issue, since (due to a mistake of the cfn-github-issues-bot last year) the other issues were closed without fix/implementation. I'm going to reference the old issues here as well: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1522 https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1572

rgoltz, Jun 26 '24 17:06
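An added example, not part of the original issue: a small audit that reports which `AWS::KMS::Key` stack resources lack the three built-in tags named above. The function names are hypothetical and the sample stack, account and key ids are constructed placeholders; the dict shapes follow the boto3 responses noted in the comments.

```python
# Added example. Dict shapes follow boto3 responses:
#   cloudformation.describe_stack_resources(...)["StackResources"]
#   kms.list_resource_tags(KeyId=...)["Tags"]  (KMS uses TagKey/TagValue)

def expected_builtin_tags(res):
    """The three tags the issue expects CloudFormation to set on a resource."""
    return {
        "aws:cloudformation:stack-name": res["StackName"],
        "aws:cloudformation:logical-id": res["LogicalResourceId"],
        "aws:cloudformation:stack-id": res["StackId"],
    }

def audit_kms_keys(stack_resources, fetch_tags):
    """Map key id -> built-in tags that are missing or carry another value."""
    findings = {}
    for res in stack_resources:
        if res["ResourceType"] != "AWS::KMS::Key":
            continue  # only the resource type this issue is about
        key_id = res["PhysicalResourceId"]
        actual = {t["TagKey"]: t["TagValue"] for t in fetch_tags(key_id)}
        gaps = {k: v for k, v in expected_builtin_tags(res).items()
                if actual.get(k) != v}
        if gaps:
            findings[key_id] = gaps
    return findings

# Constructed sample data (placeholder account id, stack id and key ids).
STACK = {"StackName": "kms-tag-test",
         "StackId": "arn:aws:cloudformation:eu-central-1:111122223333:stack/kms-tag-test/EXAMPLE"}
RESOURCES = [
    {**STACK, "LogicalResourceId": "EncryptionKey",
     "ResourceType": "AWS::KMS::Key", "PhysicalResourceId": "key-untagged-EXAMPLE"},
    {**STACK, "LogicalResourceId": "OtherKey",
     "ResourceType": "AWS::KMS::Key", "PhysicalResourceId": "key-tagged-EXAMPLE"},
    {**STACK, "LogicalResourceId": "Bucket",
     "ResourceType": "AWS::S3::Bucket", "PhysicalResourceId": "bucket-EXAMPLE"},
]
TAGS = {
    # Matches the observed behaviour: only the template-defined tag is present.
    "key-untagged-EXAMPLE": [{"TagKey": "Stack Name Not Default Tag",
                              "TagValue": "kms-tag-test"}],
    # Hypothetical key that carries all three built-in tags.
    "key-tagged-EXAMPLE": [{"TagKey": k, "TagValue": v}
                           for k, v in expected_builtin_tags(RESOURCES[1]).items()],
}

def run_sample():
    # Live use (assumption): fetch_tags = lambda k: kms.list_resource_tags(KeyId=k)["Tags"]
    return audit_kms_keys(RESOURCES, lambda key_id: TAGS.get(key_id, []))
```

Because the findings carry the expected tag values, the same output can feed a tagging job or an inventory report that maps each key back to its owning stack.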