mrinaudo-aws
commented
1 year ago Hi @mgravlin!
Thank you for evaluating the resource-tags example hook, and for your feedback!
I think this could be done by adding another validation strategy, that combines resource-level and stack-level tags, and then only evaluates tag keys and tag values as a whole.
When I designed the resource-tags example hook, I only encompassed the two validation permutations you see today, i.e., resource-level tags (that I have set as the default strategy), and stack-level tags. For the latter, a consideration to make - not related to the implementation of this hook - is that stack-level tag propagation can vary by resource [1].
As per this example hook's behavior, that was your initial question, I think your request makes sense - let me look into the hook's code as time permits - changes I would think of making for this example hook will not, of course, change resource-specific propagation behaviors of stack-level tags [1], but only the way this example hook works.
Thank you again!
[1] "Propagation of stack-level tags to resources, including automatically created tags, can vary by resource. For example, tags aren't propagated to Amazon EBS volumes that are created from block device mappings." https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html
mgravlin
I tested hooks/python-hooks/resource-tags and noticed the ValidationStrategy is either resource or stack. I want to fail cfn deployments if missing required tags, but in an environment where tags may be at the resource or stack level, it will always fail. Is this a limitation with cfn hooks or is there a way hooks/python-hooks/resource-tags can be updated to fail any cfn deployment missing required tags regardless if the tag exists at the stack or resource level?