
(aws_iam): (Creating a new iam role with tags, but after deployment the tags are in the stack but missing on the resource)

Open RobertoTorino opened this issue 1 year ago • 2 comments

Describe the bug

I create a new IAM role with tags on that resource. If I do a cdk synth the tags are visible in the CloudFormation template in the cdk.out folder. But when I deploy the stack to my AWS account with cdk deploy and I look at the finished CloudFormation template in the console, the tags are indeed in the CloudFormation template but NOT on the resource. So I end up with a drifted stack. I tried 2 methods, both failed. Method 1:

import { Stack, Tags } from 'aws-cdk-lib';

// `construct` (the Application tag value) and the `Environment` enum are defined
// elsewhere in the reporter's project (see the reproduction steps below).
export const addTags = (stack: Stack, environment: Environment) => {
    Tags.of(stack).add('Application', construct, {
        applyToLaunchedInstances: true,
        includeResourceTypes: [],
    });
    Tags.of(stack).add('Stage', environment, {
        applyToLaunchedInstances: true,
        includeResourceTypes: [],
    });
};

And then in my stack I call this const:

export const sopsDevRoleStack = new SopsDevRole(app, 'SopsDevRoleStack', {
    stackName: 'SopsDevRoleStack',
    description: 'Stack for the sops dev role',
    env,
});
addTags(sopsDevRoleStack, Environment.dev);

Method 2:

import * as cdk from 'aws-cdk-lib';
import { Tags } from 'aws-cdk-lib';
import { Environment } from './utilities/variables';

export class SopsDevRole extends cdk.Stack {
    constructor (scope: cdk.App, id: string, props?: cdk.StackProps) {
        super(scope, id, props);

        // Tag aspect applied to the whole stack; an empty includeResourceTypes
        // list means no resource-type filter is applied.
        Tags.of(this).add('Stage', Environment.dev, {
            includeResourceTypes: [],
        });
    }
}

Snippet of my CloudFormation template:
{
 "Description": "Stack for the sops dev role",
 "Resources": {
  "sopsdevroleD8522D2D": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": "arn:aws:iam:::root"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": "sops-dev-role",
    "Tags": [
     {
      "Key": "Stage",
      "Value": "dev"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "SopsDevRoleStack/sops-dev-role/Resource"
   }
  },

Expected Behavior

Resource should be deployed with tags visible on the resource.

Current Behavior

There was not a single error reported. The deployed CloudFormation stack in the console has the tags inside, but they are not set on the resource itself, therefore the CloudFormation stack is in a drifted state.

Reproduction Steps

index.ts

#!/usr/bin/env node
import { App, Stack, Tags } from 'aws-cdk-lib';
import 'source-map-support/register';
import { SopsDevRole } from '../lib/sops-role';

const app = new App();

export const construct = 'renovate';

const addTags = (stack: Stack, environment: Environment) => {
    Tags.of(stack).add('Application', construct, {
        applyToLaunchedInstances: true,
        includeResourceTypes: [],
    });
    Tags.of(stack).add('Stage', environment, {
        applyToLaunchedInstances: true,
        includeResourceTypes: [],
    });
};

export enum Environment {
    dev = 'dev'
}

export const env = {
    account: process.env.CDK_SYNTH_ACCOUNT || process.env.CDK_DEFAULT_ACCOUNT,
    region: process.env.CDK_SYNTH_REGION || process.env.CDK_DEFAULT_REGION,
};

export const sopsDevRoleStack = new SopsDevRole(app, 'SopsDevRoleStack', {
    stackName: 'SopsDevRoleStack',
    description: 'Stack for the sops dev role',
    env,
});
addTags(sopsDevRoleStack, Environment.dev);

sops-role.ts

import * as cdk from 'aws-cdk-lib';
import { aws_iam, Tags } from 'aws-cdk-lib';
import { Effect } from 'aws-cdk-lib/aws-iam';
import { Environment } from './utilities/variables';


export class SopsDevRole extends cdk.Stack {
    constructor (scope: cdk.App, id: string, props?: cdk.StackProps) {
        super(scope, id, props);

        const renovateSopsDevRole = new aws_iam.Role(this, 'sops-dev-role', {
            roleName: 'sops-dev-role',
            assumedBy: new aws_iam.AccountPrincipal(this.account),
        });

        Tags.of(this).add('Stage', Environment.dev, {
            includeResourceTypes: [],
        });

        renovateSopsDevRole.addToPolicy(new aws_iam.PolicyStatement({
            sid: 'SOPSDevActions',
            effect: Effect.ALLOW,
            actions: [
                'kms:Encrypt',
                'kms:Decrypt',
                'kms:ReEncrypt*',
                'kms:GenerateDataKey*',
                'kms:DescribeKey'
            ],
            resources: [
                '*'
            ],
        }));
    }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.128.0 (build d995261)

Framework Version

No response

Node.js Version

v18.19.1

OS

macOS

Language

TypeScript

Language Version

5.3.3

Other information

No response

RobertoTorino avatar Feb 19 '24 01:02 RobertoTorino
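The drift the report describes (tags present in the synthesized template but absent on the live role) is easiest to catch with a check that treats the `cdk.out` template as the source of truth. The following TypeScript is an added example, not code from the issue or from aws-cdk: it takes a template object of the shape shown in the snippet above, gates on required tag keys before deploy, and after deploy compares the declared tags against the tags actually present on each role (which you would fetch with `aws iam list-role-tags`; here a constructed map stands in for that output). The sample template, the extra `untagged-role` resource and the logical ids are constructed for the example.

```typescript
// Added example, not code from the issue or from aws-cdk. It treats the synthesized
// template (cdk.out/<Stack>.template.json) as the source of truth and checks two things:
//   1. before deploy: every AWS::IAM::Role in the template carries the required tag keys;
//   2. after deploy: the tags actually on each role (as returned by `aws iam list-role-tags`,
//      here passed in as a plain map) match what the template declares.

interface CfnTag { Key: string; Value: string; }
interface CfnRoleProps { RoleName?: string; Tags?: CfnTag[]; }
interface CfnResource { Type: string; Properties?: CfnRoleProps; }
interface CfnTemplate { Resources: { [logicalId: string]: CfnResource }; }
type LiveTags = { [roleName: string]: { [key: string]: string } };

interface RoleDrift {
  logicalId: string;
  roleName: string;
  missing: CfnTag[];      // declared in the template, absent or different on the live role
  unexpected: string[];   // present on the live role, not declared in the template
}

// Constructed sample template mirroring the issue's snippet: the tagged sops role,
// plus an untagged role and a non-role resource added to exercise the checks.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    sopsdevroleD8522D2D: {
      Type: 'AWS::IAM::Role',
      Properties: { RoleName: 'sops-dev-role', Tags: [{ Key: 'Stage', Value: 'dev' }] },
    },
    untaggedRoleAB12CD34: {
      Type: 'AWS::IAM::Role',
      Properties: { RoleName: 'untagged-role' },
    },
    someBucket0F1E2D3C: { Type: 'AWS::S3::Bucket' },
  },
};

// [logicalId, resource] pairs for every IAM role in the template.
function iamRoles(template: CfnTemplate): Array<[string, CfnResource]> {
  const roles: Array<[string, CfnResource]> = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type === 'AWS::IAM::Role') roles.push([logicalId, res]);
  }
  return roles;
}

// Pre-deploy gate: logical ids of roles lacking any of the required tag keys.
function rolesMissingRequiredTags(template: CfnTemplate, requiredKeys: string[]): string[] {
  const failing: string[] = [];
  for (const [logicalId, res] of iamRoles(template)) {
    const tags: CfnTag[] = (res.Properties && res.Properties.Tags) || [];
    const present = tags.map(t => t.Key);
    const lacking = requiredKeys.filter(k => present.indexOf(k) < 0);
    if (lacking.length > 0) failing.push(logicalId);
  }
  return failing;
}

// Post-deploy check: compare the template's declared tags with the live tags per role.
function detectTagDrift(template: CfnTemplate, liveTags: LiveTags): RoleDrift[] {
  const drift: RoleDrift[] = [];
  for (const [logicalId, res] of iamRoles(template)) {
    const props: CfnRoleProps = res.Properties || {};
    // Roles without an explicit RoleName get a CloudFormation-generated name;
    // the logical id is used as a stand-in key for those here.
    const roleName = props.RoleName || logicalId;
    const declared: CfnTag[] = props.Tags || [];
    const live: { [key: string]: string } = liveTags[roleName] || {};
    const missing = declared.filter(t => live[t.Key] !== t.Value);
    const declaredKeys = declared.map(t => t.Key);
    const unexpected = Object.keys(live).filter(k => declaredKeys.indexOf(k) < 0);
    if (missing.length > 0 || unexpected.length > 0) {
      drift.push({ logicalId, roleName, missing, unexpected });
    }
  }
  return drift;
}

// Reproduce the situation in the issue: the template declares Stage=dev on the sops
// role, but the live roles (constructed `list-role-tags` result) carry no tags.
function demo(): RoleDrift[] {
  const liveAfterDeploy: LiveTags = { 'sops-dev-role': {}, 'untagged-role': {} };
  return detectTagDrift(SAMPLE_TEMPLATE, liveAfterDeploy);
}

console.log('roles missing required tags:', rolesMissingRequiredTags(SAMPLE_TEMPLATE, ['Stage']));
console.log(JSON.stringify(demo(), null, 2));
```

Run the post-deploy comparison in the pipeline step after `cdk deploy`; a non-empty result is the drift the report describes, surfaced per tag rather than as a stack-level status, and the pre-deploy gate stops a template that never carried the tag from being deployed in the first place.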

This should not happen. I just created a test role like this and applied the tag to it.

import { Stack, StackProps, Tags } from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import { Construct } from 'constructs';

export class DummyStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);

    new iam.Role(this, 'DummyRole', {
      assumedBy: new iam.AccountRootPrincipal(),
    });

    // Tag aspect on the whole stack; ends up in the role's Tags property.
    Tags.of(this).add('foo', 'bar');
  }
}

I can confirm the tag exists in the IAM console:

(screenshot of the IAM console, omitted)

Can you try my snippet above and check if it works for you?

pahud avatar Feb 20 '24 17:02 pahud

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

github-actions[bot] avatar Feb 22 '24 20:02 github-actions[bot]