aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::EC2::TransitGatewayRouteTable Tags changes should not require replacement #1166

Open oliott opened 2 years ago

oliott commented 2 years ago

Name of the resource

AWS::EC2::TransitGatewayRouteTable

Resource name

No response

Description

Adding or changing tags on an AWS::EC2::TransitGatewayRouteTable causes replacement. Using the console and CLI calls works fine. However, CloudFormation does not seem to handle it. This means that changing a tag in a CloudFormation template or CDK code could potentially break entire networks or halt updates.

Expected behavior: Altering Tags definitions for an AWS::EC2::TransitGatewayRouteTable resource should trigger an in-place change, not replacement of the RouteTable.

Other Details

AWS::EC2::TransitGatewayRouteTable and AWS::EC2::TransitGatewayAttachment have the same issue as reported in: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/531
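The practical defence against the behaviour described in this issue is to never execute a change set blind: create it, inspect CloudFormation's own `Replacement` verdict per resource, and refuse to execute if a network-critical resource would be recreated for nothing but a tag change. The guard below is an added example written for this page, not code from the issue, from the CDK, or from AWS. It assumes the JSON shape returned by `aws cloudformation describe-change-set` (`Changes[].ResourceChange` with `Action`, `ResourceType`, `Replacement`, `Scope` and `Details[].Target`), and the set of protected resource types and the embedded sample change set are this example's own constructed assumptions.

```python
"""Pre-deploy guard for CloudFormation change sets.

Reads the JSON from `aws cloudformation describe-change-set` and fails when a
Modify on a protected resource type carries Replacement "True" or
"Conditional", so a tags-only edit cannot recreate a live transit gateway
route table. SAMPLE_CHANGE_SET below is constructed for this example.
"""
import json
import sys

# Types this thread reports as replaced on tag changes. This set is an
# assumption of the example, not an AWS-published list; extend it as needed.
PROTECTED_TYPES = frozenset({
    "AWS::EC2::TransitGatewayRouteTable",
    "AWS::EC2::TransitGatewayAttachment",
})


def _changed_targets(resource_change):
    """Names of the attributes/properties a Modify touches (from Details[].Target)."""
    names = set()
    for detail in resource_change.get("Details", []):
        target = detail.get("Target", {})
        # Property-level changes carry Name; attribute-level changes such as
        # Tags or Metadata carry only Attribute.
        names.add(target.get("Name") or target.get("Attribute", "?"))
    return sorted(names)


def find_replacements(change_set, protected_types=PROTECTED_TYPES):
    """One record per protected resource the change set would replace.

    Replacement is CloudFormation's verdict, not ours. "Conditional" counts
    as a hit so the guard fails closed.
    """
    hits = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange") or {}
        if rc.get("Action") != "Modify":
            continue  # Add/Remove/Import are obvious in any diff review
        if rc.get("ResourceType") not in protected_types:
            continue
        replacement = rc.get("Replacement", "False")
        if replacement not in ("True", "Conditional"):
            continue
        targets = _changed_targets(rc)
        hits.append({
            "logical_id": rc.get("LogicalResourceId"),
            "resource_type": rc["ResourceType"],
            "replacement": replacement,
            "targets": targets,
            # The failure mode from this thread: only tags changed, yet the
            # resource would be recreated.
            "tags_only": targets == ["Tags"],
        })
    return hits


def render(hits):
    """Human-readable report, one line per blocked replacement."""
    lines = []
    for h in hits:
        why = "tags-only change" if h["tags_only"] else "changed: " + ", ".join(h["targets"])
        lines.append(
            f"REPLACEMENT={h['replacement']} {h['logical_id']} ({h['resource_type']}): {why}"
        )
    return "\n".join(lines)


# Constructed sample in the describe-change-set shape: a tags-only edit on the
# route table that CloudFormation marks as a replacement, and a bucket tag edit
# that is updated in place.
SAMPLE_CHANGE_SET = {
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "TgwRouteTable",
            "ResourceType": "AWS::EC2::TransitGatewayRouteTable",
            "Replacement": "True", "Scope": ["Tags"],
            "Details": [{"Target": {"Attribute": "Tags", "RequiresRecreation": "Always"},
                         "Evaluation": "Static", "ChangeSource": "DirectModification"}]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "LogBucket",
            "ResourceType": "AWS::S3::Bucket",
            "Replacement": "False", "Scope": ["Tags"],
            "Details": [{"Target": {"Attribute": "Tags", "RequiresRecreation": "Never"},
                         "Evaluation": "Static", "ChangeSource": "DirectModification"}]}},
    ]
}


def main(argv):
    """Exit 1 if the change set (stdin, or the sample with --sample) is unsafe."""
    change_set = SAMPLE_CHANGE_SET if "--sample" in argv else json.load(sys.stdin)
    hits = find_replacements(change_set)
    if hits:
        print(render(hits))
        print("refusing to execute change set")
        return 1
    print("no protected resources would be replaced")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

In a pipeline this sits between `create-change-set` and `execute-change-set`: `aws cloudformation describe-change-set --stack-name STACK --change-set-name CS | python tgw_guard.py`, and the execute step only runs on exit code 0. Because it reads CloudFormation's own `Replacement` field, it catches the case regardless of whether the template came from raw YAML or from CDK, and it catches it before anything touches the route table, which matters when attachments and associations were made outside CloudFormation.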

bplessis-swi commented 1 year ago

They must be working on this because now a tags update on an AWS::EC2::TransitGatewayRouteTable basically results in "Internal Failure".

bplessis-swi commented 1 year ago

Oh no, it's weirder: "cloudformation deploy" triggers an "Internal Failure", "cloudformation update-stack" triggers a resource replacement ...

reaperharvest commented 6 months ago

We just had an outage because of this unexpected behavior. Yes, the docs clearly display on the CloudFormation resource page that an update to tags would cause a replacement, but who would realistically look at every CloudFormation resource doc when you are just trying to tag your resources for cost tracking purposes? Tagging should absolutely not be causing replacement of resources. Shame on AWS for not even responding/assigning this request. I'll probably open another just to see if we can get traction.

jk2l commented 3 months ago

I also accidentally triggered this error, doing a cost tagging update via CDK, and it caused the update to fail because the transit gateway tag update requires replacement. Oddly, CFN returns a message that doesn't really mean anything. I ran a cdk diff and reviewed it to see only a tag update.

Resource handler returned message: "The request must contain one or more of AddSubnetIds, RemoveSubnetIds, DnsSupport, Ipv6Support, ApplianceModeSupport (Service: Ec2, Status Code: 400, Request ID: 854c24a7-eaec-44b4-b97e-efeb18dfcb3b)" (RequestToken: 3a15b7b5-52e8-834b-cb52-43a8adc9932f, HandlerErrorCode: InvalidRequest)

abatkin commented 3 months ago

@prerna-p I disagree that this is an enhancement and not a bug. At least according to the documentation, the underlying TGW Route Table resource can be re-tagged without disruption. More importantly, many AWS customers will be associating things with the Route Table outside of CloudFormation (due to complications with how CloudFormation works and just because that's the nature of network configuration) which means that modifying tags here is a guarantee that things will break (resulting in a serious outage) for all of those customers. So yes it's a change in behavior, but only because the current behavior guarantees an outage.

(in the meantime, it would have been better if this resource simply rejected tag updates so it could fail-fast)

bplessis-swi commented 3 months ago

@prerna-p I disagree that this is an enhancement and not a bug.

Didn't you mis-read the label change, they removed the enhancement part and indeed flagged this as a bug

abatkin commented 3 months ago

@prerna-p I disagree that this is an enhancement and not a bug.

Didn't you mis-read the label change, they removed the enhancement part and indeed flagged this as a bug

Sorry, you are correct, it is marked as a bug now, my apologies.