aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

(AWS::EC2::SecurityGroup) Option to toggle ServiceCatalog's AutoTags from being included in drift detection #1218

Open greg5123334 opened 2 years ago

greg5123334 commented 2 years ago

Name of the resource

AWS::EC2::SecurityGroup

Resource name

No response

Description

Service Catalog automatically adds service-managed tags to provisioned resources, called [AutoTags](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/autotags.html). These tags are distinguishable by their aws:-* prefix and cannot be deleted.

There has been an edge case whereby CloudFormation now detects these AutoTags as drift on the resource (in this case AWS::EC2::SecurityGroup). In this particular use case, adding the AutoTags to the templates to bring the stack in sync with the provisioned resources is not an option, and as the AutoTags are service-managed and therefore cannot be deleted, there seems to be no way to resolve the drift on the stacks.

It would be nice if CloudFormation would detect tags with the reserved aws-* prefix as Service Catalog AutoTags and ignore them during drift detection. Might as well make this toggleable while we're at it.

Please let me know if I can elaborate or clarify.

Other Details

No response
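Until a native toggle exists, the workaround for the situation described in the issue is to post-process the drift report yourself: discard differences that are only an added tag with the reserved `aws:` prefix, and keep reporting everything else. The script below is an added example written for this page, not code from the issue, from CloudFormation or from Service Catalog. It consumes the record shape returned by `aws cloudformation describe-stack-resource-drifts` (`StackResourceDrifts[].PropertyDifferences`, with `PropertyPath`, `DifferenceType` and JSON-encoded `ActualValue`/`ActualProperties`); whether an added tag surfaces as `/Tags` or `/Tags/<i>` is an assumption, so both forms are handled. The sample drift record, its ARNs and the `AppSecurityGroup` resource are constructed for the example.

```python
"""Filter Service Catalog AutoTags out of a CloudFormation drift record.

Added example for this issue; not code from CloudFormation or Service Catalog.
Record shape follows `describe-stack-resource-drifts`; the PropertyPath forms
"/Tags" and "/Tags/<i>" for an added tag are assumptions, so both are handled.
All sample data below is constructed.
"""
import json

# Tag keys with this prefix are reserved for AWS services; ordinary principals
# can neither create nor delete them, which is why they can never be reconciled
# from the template side.
AUTOTAG_PREFIX = "aws:"


def _loads(value, default):
    """Parse a JSON-encoded drift value, returning `default` when absent or malformed."""
    if value is None:
        return default
    try:
        return json.loads(value)
    except (TypeError, json.JSONDecodeError):
        return default


def _added_tag_keys(diff, actual_props):
    """Tag keys introduced by an ADD difference under /Tags, or None if the
    difference is not such an ADD (modified or removed tags are never ignored)."""
    if diff.get("DifferenceType") != "ADD":
        return None
    parts = diff.get("PropertyPath", "").split("/")   # "/Tags/2" -> ["", "Tags", "2"]
    if len(parts) < 2 or parts[1] != "Tags":
        return None
    actual_tags = actual_props.get("Tags", [])
    if len(parts) == 2:                                # whole Tags list only on the live resource
        tags = _loads(diff.get("ActualValue"), actual_tags)
        return [t.get("Key") for t in tags if isinstance(t, dict)]
    if parts[2].isdigit():                             # a single tag element was added
        tag = _loads(diff.get("ActualValue"), None)
        if not isinstance(tag, dict):                  # fall back to ActualProperties by index
            idx = int(parts[2])
            tag = actual_tags[idx] if idx < len(actual_tags) else {}
        return [tag.get("Key")]
    return None


def is_autotag_difference(diff, actual_props):
    """True only for an ADD under /Tags whose every key carries the aws: prefix."""
    keys = _added_tag_keys(diff, actual_props)
    if not keys:
        return False
    return all(isinstance(k, str) and k.startswith(AUTOTAG_PREFIX) for k in keys)


def residual_drift(record):
    """PropertyDifferences that remain after discarding Service Catalog AutoTags."""
    actual = _loads(record.get("ActualProperties"), {})
    return [d for d in record.get("PropertyDifferences", [])
            if not is_autotag_difference(d, actual)]


def effective_status(record):
    """MODIFIED only if something other than AutoTags drifted; otherwise IN_SYNC."""
    status = record.get("StackResourceDriftStatus")
    if status != "MODIFIED":
        return status        # DELETED / NOT_CHECKED / IN_SYNC pass through unchanged
    return "MODIFIED" if residual_drift(record) else "IN_SYNC"


# --- constructed sample: one StackResourceDrifts[] entry for a security group ---
_TEMPLATE_TAGS = [{"Key": "Owner", "Value": "platform"}]
_LIVE_TAGS = _TEMPLATE_TAGS + [
    {"Key": "aws:servicecatalog:productArn",
     "Value": "arn:aws:catalog:us-east-1:123456789012:product/prod-example"},
    {"Key": "aws:servicecatalog:provisionedProductArn",
     "Value": "arn:aws:servicecatalog:us-east-1:123456789012:stack/sg-demo/pp-example"},
]
_INGRESS_ADDED = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}

SAMPLE_DRIFT = {
    "LogicalResourceId": "AppSecurityGroup",
    "ResourceType": "AWS::EC2::SecurityGroup",
    "StackResourceDriftStatus": "MODIFIED",
    "ExpectedProperties": json.dumps({"GroupDescription": "app", "Tags": _TEMPLATE_TAGS,
                                      "SecurityGroupIngress": []}),
    "ActualProperties": json.dumps({"GroupDescription": "app", "Tags": _LIVE_TAGS,
                                    "SecurityGroupIngress": [_INGRESS_ADDED]}),
    "PropertyDifferences": [
        {"PropertyPath": "/Tags/1", "DifferenceType": "ADD", "ActualValue": json.dumps(_LIVE_TAGS[1])},
        {"PropertyPath": "/Tags/2", "DifferenceType": "ADD", "ActualValue": json.dumps(_LIVE_TAGS[2])},
        {"PropertyPath": "/SecurityGroupIngress/0", "DifferenceType": "ADD",
         "ActualValue": json.dumps(_INGRESS_ADDED)},
    ],
}
# Same resource, but the only drift is the two AutoTags.
AUTOTAGS_ONLY_DRIFT = dict(SAMPLE_DRIFT, PropertyDifferences=SAMPLE_DRIFT["PropertyDifferences"][:2])

if __name__ == "__main__":
    for rec in (SAMPLE_DRIFT, AUTOTAGS_ONLY_DRIFT):
        print(rec["LogicalResourceId"], rec["StackResourceDriftStatus"], "->", effective_status(rec))
        for d in residual_drift(rec):
            print("  real drift:", d["PropertyPath"], d["DifferenceType"])
```

In practice you would feed it the `StackResourceDrifts` array from `aws cloudformation describe-stack-resource-drifts --stack-name <stack> --output json` after a `detect-stack-drift` run. The filter is deliberately narrow: only ADD differences whose tag keys all start with `aws:` are dropped, and a modified, removed or non-reserved tag is still reported. Because the `aws:` prefix is reserved for AWS services, a principal cannot plant a tag that would be hidden by this rule, and the constructed record shows that a world-open SSH ingress rule still surfaces as real drift on the same resource.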

kanitkah commented 2 years ago

This issue should be fixed. Please retry this scenario and let us know if this is still an issue.