Open pplu opened 3 years ago
@pplu I don't think this resource supports CloudFormation stack-level tags with the prefix `aws::`.
@ammokhov: I'm opening this as an issue because I was expecting the KMS CloudFormation provider to tag the KMS keys it creates with the `aws:cloudformation` tags, which help identify what stack created which KMS key.
For example, the stack tags are propagated to S3 buckets and EC2 instances.
I just discovered today that the same is not true of KMS keys.
I don't see the resource provider code for those resources in the Github organization.
Do any of the published resource providers have an example of how to implement this?
You mean aws prefixed tags or stack level tags? Stack level tags are usually attached to the stack and are provisioned to each individual resource that belongs to the stack (if it supports tags) unless your execution role is missing correct permissions.
I'm adding here (again) the details for this issue of #33:
To find the right CloudFormation Stack, where an AWS resource is defined/maintained, **aws:cloudformation:*** built-in tags are needed. This is an important function in day-to-day business.
Resources with type `AWS::KMS::Key`, which are managed as CloudFormation Stacks, should automatically receive the `aws:cloudformation:*` built-in tags / automatic default CFN AutoTags.
Once support for CloudFormation Drift-Detection is added via https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1671, please handle those automatic tags correctly (hence, `aws:cloudformation:*` tags are not a drift).
When you have an `AWS::KMS::Key` resource in your stack, it does not get the built-in tags assigned:
- `aws:cloudformation:stack-name`
- `aws:cloudformation:logical-id`
- `aws:cloudformation:stack-id`
Example Templates: Deploy this Stack in one Region:
```yaml
Resources:
  EncryptionKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: TestKeyForTags
      EnableKeyRotation: true
      MultiRegion: true
      Enabled: true
      Tags:
        - Key: "Stack Name Not Default Tag"
          Value: !Ref AWS::StackName
      KeyPolicy:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
            Action:
              - 'kms:*'
            Resource: '*'
```
You will see on both Resources that aside from CloudFormation defined Tags, no other Tags are placed onto the Resources.
No tags `aws:cloudformation:*` are added to the resource (just the tags defined via Template-Resource-Level or via Stack-Level).
Hi,
KMS keys don't get tagged with cloudformation default tags:
This was reported here: https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/193, but was closed, when it seems that it is not so.
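An audit for the gap described in this thread, as an added example that is not code from the issue or from AWS: it lists KMS keys that lack the three `aws:cloudformation:*` tags and recovers the owning stack through a CloudFormation reverse lookup on the physical resource ID. It assumes the key ID is the physical ID of an `AWS::KMS::Key` resource; the function names and the sample IDs are constructed for illustration.

```python
# Added example: audit KMS keys for the aws:cloudformation:* tags named in this thread.
BUILTIN_TAGS = tuple("aws:cloudformation:" + s for s in ("stack-name", "logical-id", "stack-id"))
# Constructed sample data (placeholder IDs), shaped like the API responses.
SAMPLE_KEY_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_KEY_TAGS = [{"TagKey": "Stack Name Not Default Tag", "TagValue": "kms-test"}]
SAMPLE_STACK_RESOURCES = [{
    "StackName": "kms-test",
    "StackId": "arn:aws:cloudformation:us-east-1:111122223333:stack/kms-test/EXAMPLE",
    "LogicalResourceId": "EncryptionKey",
    "PhysicalResourceId": SAMPLE_KEY_ID,
    "ResourceType": "AWS::KMS::Key",
}]

def missing_builtin_tags(kms_tags):
    """Return the built-in tag names absent from a KMS list_resource_tags 'Tags' list."""
    present = {t["TagKey"] for t in kms_tags}
    return [name for name in BUILTIN_TAGS if name not in present]

def owning_stack(stack_resources, key_id):
    """Pick the stack entry for key_id out of a describe_stack_resources result."""
    for res in stack_resources:
        if res["ResourceType"] == "AWS::KMS::Key" and res["PhysicalResourceId"] == key_id:
            return {k: res[k] for k in ("StackName", "LogicalResourceId", "StackId")}
    return None

def audit_region(region):
    """Live audit (needs boto3 and read access to KMS and CloudFormation)."""
    import boto3
    from botocore.exceptions import ClientError
    kms = boto3.client("kms", region_name=region)
    cfn = boto3.client("cloudformation", region_name=region)
    findings = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            key_id = key["KeyId"]
            try:
                tags = kms.list_resource_tags(KeyId=key_id)["Tags"]
            except ClientError:
                continue  # tag listing denied for this key; skip it
            missing = missing_builtin_tags(tags)
            if not missing:
                continue
            try:  # reverse lookup: which stack, if any, owns this physical ID
                found = cfn.describe_stack_resources(PhysicalResourceId=key_id)
                stack = owning_stack(found["StackResources"], key_id)
            except ClientError:
                stack = None  # no stack manages this key
            findings.append({"KeyId": key_id, "Missing": missing, "Stack": stack})
    return findings
```

Keys whose `Stack` is `None` in the findings are not managed by any stack in that region; the rest are stack-managed keys that can only be traced back through the lookup, not through their tags.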