aws-cloudformation / aws-cloudformation-resource-providers-cloudformation

The CloudFormation Resource Provider Package For AWS CloudFormation
https://aws.amazon.com/cloudformation/
Apache License 2.0

AWS::CloudFormation::StackSet schema restricts tag values #15

Closed wayne-folkes closed 3 years ago

wayne-folkes commented 3 years ago

I am trying to create a stackset with the new StackSet resource, but tags I want to apply to the stackset cause validation errors.

According to the schema, a valid tag and its value must adhere to the following: "^(?!aws:.*)[a-z0-9\s\_\.\/\=\+\-]+$"

This makes it impossible to use intrinsic functions or even Tags with capital letters in its value.

When trying to create a tag with the following Key, Value pair

      -
        Key: "Source"
        Value: !Ref Source

I get the following error

Model validation failed (#: #: only 1 subschema matches out of 2) #/Tags/0/Key: failed validation constraint for keyword [pattern] (#/Tags/0/Key)

Here is a sample of the template I am working with

AWSTemplateFormatVersion: "2010-09-09"
Description: Stackset for SSM Parameters
Parameters:
  MasterAccountId:
    Description: ID of the Organization Master Account
    Type: String
    Default: 123456789012
  OrganizationID:
    Description: AWS OrganizationId
    Type: String
    Default: o-123456789
  OrganizationRootID:
    Description: AWS Organization Root Id
    Type: String
    Default: r-r1234
  GitHubSource:
    Description: Repo where this template is located
    Type: String

Resources:
    SSMStackSet:
      Type: AWS::CloudFormation::StackSet
      Properties:
        Tags:
          -
            Key: Source
            Value: !Ref GitHubSource  # the parameter declared above
        Description: Common SSM Parameters
        AutoDeployment:
          Enabled: True
          RetainStacksOnAccountRemoval: False
        PermissionModel: SERVICE_MANAGED
        Parameters:
          - ParameterKey: MasterAccountId
            ParameterValue: !Ref MasterAccountId
          - ParameterKey: OrgID
            ParameterValue: !Ref OrganizationID
        StackInstancesGroup:
          - DeploymentTargets:
              OrganizationalUnitIds:
                - !Ref OrganizationRootID
            Regions:
              - us-east-1
        StackSetName: common-parameters
        TemplateBody: |
          AWSTemplateFormatVersion: "2010-09-09"
          Parameters:
            MasterAccountId:
              Description: ID of the Organization Master Account
              Type: String
            OrgID:
              Description: ID of the Organization Master Account
              Type: String
          Description: Common SSM Parameters
          Resources:
            MasterAccount:
              Type: "AWS::SSM::Parameter"
              Properties:
                Name: MasterAccountId
                Description: AWS Organization Master AccountId
                Type: String
                Value: !Ref MasterAccountId
            OrganizationID:
              Type: "AWS::SSM::Parameter"
              Properties:
                Name: OrganizationID
                Description: AWS OrganizationId
                Type: String
                Value: !Ref OrgID
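
An added example (not part of the original issue or of the resource provider's code): a pre-deployment check that applies the pattern quoted above to literal tag keys and values and reports failures with the same #/Tags/N/Key style pointers as the error message. The function names and sample tags are constructed; non-string values (intrinsic functions such as Ref) are skipped on the assumption that they cannot be checked before deployment.

```python
import re

# Pattern quoted in the issue for StackSet tag keys and values.
TAG_PATTERN = re.compile(r"^(?!aws:.*)[a-z0-9\s\_\.\/\=\+\-]+$")
# The same character class, applied one character at a time for diagnostics.
ALLOWED_CHAR = re.compile(r"[a-z0-9\s_./=+\-]")


def explain(text):
    """Return None if text satisfies TAG_PATTERN, otherwise a short reason."""
    if TAG_PATTERN.search(text):
        return None
    if text.startswith("aws:"):
        return "reserved 'aws:' prefix"
    bad = sorted({c for c in text if not ALLOWED_CHAR.fullmatch(c)})
    if bad:
        return "characters outside the allowed set: " + "".join(bad)
    return "empty string"


def lint_tags(tags):
    """Check literal Key/Value strings; return (json_pointer, reason) pairs."""
    findings = []
    for i, tag in enumerate(tags):
        for field in ("Key", "Value"):
            item = tag.get(field)
            if not isinstance(item, str):
                # Assumption: a dict here is an intrinsic function whose
                # value is only known at deploy time, so it is skipped.
                continue
            reason = explain(item)
            if reason:
                findings.append((f"#/Tags/{i}/{field}", reason))
    return findings


# Constructed sample tags; the first entry mirrors the tag from the issue.
SAMPLE_TAGS = [
    {"Key": "Source", "Value": {"Ref": "Source"}},
    {"Key": "source", "Value": "github.com/example/repo"},
    {"Key": "aws:owner", "Value": "platform team"},
    {"Key": "team", "Value": "Platform"},
]

if __name__ == "__main__":
    for pointer, reason in lint_tags(SAMPLE_TAGS):
        print(pointer, "->", reason)
```
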

citrusoft commented 3 years ago

I can understand AWS's motivation to prevent Tag-Keys from beginning with "aws", but why no uppercase letters? I suspect the current regex is a "left-over" from AWS internal standards that needs to be relaxed for the general public.

Bottom-line: If you want clients to leverage this valuable contribution then you need to loosen up the tagging regular expressions.

xiwhuang commented 3 years ago

Thanks a lot for your feedback. After internal discussion, we will address this and release the restriction for uppercase letters.

xiwhuang commented 3 years ago

Please track #23

citrusoft commented 3 years ago

Thanks @xiwhuang and @wayne-folkes, the issue has been resolved and deployed to production. Can you please close this issue?