search

aws-cloudformation / aws-cloudformation-resource-providers-kms

AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
https://aws.amazon.com/kms/
Apache License 2.0
14 stars 12 forks source link

KMS Keys are not getting the stacks default tags #33

Open pplu opened 3 years ago

pplu commented 3 years ago

Hi,

KMS keys don't get tagged with cloudformation default tags:

aws:cloudformation:logical-id
aws:cloudformation:stack-name
aws:cloudformation:stack-id

This was reported here: https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/193, but was closed, when it seems that it is not so.

ammokhov commented 3 years ago

@pplu I dont think this resource support CloudFormation stack-level tags with the prefix aws::.

pplu commented 3 years ago

@ammokhov : I'm opening this as an issue because I was expecting the KMS cloudformation provider to tag the KMS keys it creates with the aws:clouformation tags, that help identify what stack created which KMS key.

iainelder commented 2 years ago

For example, the stack tags are propagated to S3 buckets and EC2 instances.

I just discovered today that the same is not true of KMS keys.

I don't see the resource provider code for those resources in the Github organization.

Do any of the published resource providers have an example of how to implement this?

ammokhov commented 2 years ago

Do any of the published resource providers have an example of how to implement this?

you mean aws prefixed tags or stack level tags? stack level tags are usually attached to stack and are provisioned to each individual resource that belongs to the stack (if supports tags) unless your execution role is missing correct permissions.

rgoltz commented 6 days ago

I'm adding here (again) the details for this issue of #33:

Issue Description

To find the right CloudFormation Stack, where a AWS resource is defined/maintained, **aws:cloudformation:*** built-in tags are needed. This is an important function in day-to-day business.

Expected Behavior

Resources with type AWS::KMS::Key, which are managed as CloudFormations Stacks, should automatically receive the aws:cloudformation:* built-in tags / automatic default CFN AutoTags.

Once support CloudFormation Drift-Detection will be added via https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1671, please handled by those automatic tags correctly (hence, aws:cloudformation:* tags are not a drift)

Observed Behavior

When you have an AWS::KMS::Key resource in your stack, it does not get the built-in tags assigned:

Test Cases

Example Templates: Deploy this Stack in one Region:

 Resources:
   EncryptionKey:
     Type: 'AWS::KMS::Key'
     Properties:
       Description: TestKeyForTags
       EnableKeyRotation: true
       MultiRegion: true
       Enabled: true
       Tags:
         - Key: "Stack Name Not Default Tag"
           Value: !Ref AWS::StackName
       KeyPolicy:
         Version: 2012-10-17
         Statement:
           - Effect: Allow
             Principal:
               AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
             Action:
               - 'kms:*'
             Resource: '*'

You will see on both Resources that aside from CloudFormation defined Tags, no other Tags are placed onto the Resources. No tags aws:cloudformation:* are added to the resource (just the tags defined via Template-Resource-Level or via Stack-Level).

Links