aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::IAM::Role resources don’t receive the aws:cloudformation built-in tags #1159

Open bogdanb opened 2 years ago

bogdanb commented 2 years ago

Name of the resource

AWS::IAM::Role

Issue Description

When you have an AWS::IAM::Role resource in your stack, it does not get assigned the built-in tags: aws:cloudformation:stack-name, aws:cloudformation:logical-id and aws:cloudformation:stack-id

This happens both for roles specified directly in the template and for roles added by the AWS::Serverless transform.

Expected Behavior

All stack resources should automatically receive the aws:cloudformation:* built-in tags.

Observed Behavior

No tags are added automatically to AWS::IAM::Role resources.

Test Cases

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # Role with no explicit Tags property: the aws:cloudformation:* tags are
  # expected to be applied by CloudFormation, but none appear on the role.
  BasicLambdaFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              Service:
                - lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
        - arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess
        - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess

rgoltz commented 2 years ago

Linking https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1066 (for common tracking)

glb commented 1 year ago

See also #277 from 2019.

reidca commented 1 year ago

This is making writing SCPs to protect resources created by CloudFormation from deletion very difficult.
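Added example, not part of the issue or of the roadmap project: a small template rewriter that gives every AWS::IAM::Role an explicit set of tags equivalent to the three missing built-in ones, plus an audit function that lists roles still lacking them. AWS::IAM::Role does accept a Tags property, and AWS::StackName / AWS::StackId are real pseudo parameters; there is no pseudo parameter for the logical ID, so it is written literally. Tag keys beginning with aws: are reserved by AWS and cannot be set from a template, so the example uses the hypothetical prefix cfn-origin: instead. The template below is a constructed JSON rendering of the role from the issue with one non-role resource added to show it is left alone.

```python
import json
from copy import deepcopy

# Constructed sample template (the role from the issue in JSON form plus an
# unrelated bucket); not taken from any real deployment.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "BasicLambdaFunctionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                         "Principal": {"Service": ["lambda.amazonaws.com"]}}]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        ]
      }
    },
    "SomeBucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")

# Hypothetical prefix: keys starting with "aws:" are reserved by AWS and are
# rejected when set by a template, so the explicit copies use another prefix.
TAG_PREFIX = "cfn-origin:"


def marker_tags(logical_id):
    """Tags mirroring aws:cloudformation:stack-name / stack-id / logical-id.
    Stack name and id come from pseudo parameters; the logical id has no
    pseudo parameter and is written literally."""
    return [
        {"Key": TAG_PREFIX + "stack-name", "Value": {"Ref": "AWS::StackName"}},
        {"Key": TAG_PREFIX + "stack-id", "Value": {"Ref": "AWS::StackId"}},
        {"Key": TAG_PREFIX + "logical-id", "Value": logical_id},
    ]


def tag_iam_roles(template):
    """Return a copy of the template with marker tags on every AWS::IAM::Role.
    Existing tags are kept; a marker key already present is not duplicated."""
    out = deepcopy(template)
    for logical_id, resource in out.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        props = resource.setdefault("Properties", {})
        tags = props.setdefault("Tags", [])
        present = {t["Key"] for t in tags}
        for tag in marker_tags(logical_id):
            if tag["Key"] not in present:
                tags.append(tag)
    return out


def untagged_roles(template):
    """Audit helper: logical ids of roles missing any of the marker tags."""
    missing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        keys = {t["Key"] for t in resource.get("Properties", {}).get("Tags", [])}
        wanted = {t["Key"] for t in marker_tags(logical_id)}
        if not wanted <= keys:
            missing.append(logical_id)
    return missing


if __name__ == "__main__":
    fixed = tag_iam_roles(SAMPLE_TEMPLATE)
    print("roles missing marker tags before:", untagged_roles(SAMPLE_TEMPLATE))
    print("roles missing marker tags after: ", untagged_roles(fixed))
    role_tags = fixed["Resources"]["BasicLambdaFunctionRole"]["Properties"]["Tags"]
    print(json.dumps(role_tags, indent=2))
```

Because the explicit tags are ordinary user tags, a deny rule keyed on them protects the role only as long as nobody can strip the tag first; any policy built on this approach needs to cover the tagging and untagging actions for roles as well as deletion. Roles generated by the AWS::Serverless transform are not in the authored template, so this rewrite does not reach them.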