search

aws-cloudformation / aws-cloudformation-resource-providers-kms

AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
https://aws.amazon.com/kms/
Apache License 2.0
14 stars 12 forks source link

[AWS::KMS::Key] add CFN default `aws:cloudformation:stack-name`, `aws:cloudformation:logical-id` and `aws:cloudformation:stack-id` tags #68

Closed rgoltz closed 1 week ago

rgoltz commented 1 week ago

Issue Description

To find the right CloudFormation Stack, where a AWS resource is defined/maintained, **aws:cloudformation:*** built-in tags are needed. This is an important function in day-to-day business.

Expected Behavior

Resources with type AWS::KMS::Key, which are managed as CloudFormations Stacks, should automatically receive the aws:cloudformation:* built-in tags / automatic default CFN AutoTags.

Once support CloudFormation Drift-Detection will be added via https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1671, please handled by those automatic tags correctly (hence, aws:cloudformation:* tags are not a drift)

Observed Behavior

When you have an AWS::KMS::Key resource in your stack, it does not get the built-in tags assigned:

Test Cases

Example Templates: Deploy this Stack in one Region:

 Resources:
   EncryptionKey:
     Type: 'AWS::KMS::Key'
     Properties:
       Description: TestKeyForTags
       EnableKeyRotation: true
       MultiRegion: true
       Enabled: true
       Tags:
         - Key: "Stack Name Not Default Tag"
           Value: !Ref AWS::StackName
       KeyPolicy:
         Version: 2012-10-17
         Statement:
           - Effect: Allow
             Principal:
               AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
             Action:
               - 'kms:*'
             Resource: '*'

You will see on both Resources that aside from CloudFormation defined Tags, no other Tags are placed onto the Resources. No tags aws:cloudformation:* are added to the resource (just the tags defined via Template-Resource-Level or via Stack-Level).

Links

rgoltz commented 1 week ago

It's already here, since 2021: https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-kms/issues/33