aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

[AWS::KMS::ReplicaKey] - [BUG] - resource doesn't receive the `aws:cloudformation` built-in tags / default service-managed auto-tags #2076

Open rgoltz opened 6 days ago

rgoltz commented 6 days ago

Name of the resource

AWS::KMS::ReplicaKey

Resource Name

No response

Issue Description

To find the right CloudFormation Stack where an AWS resource is defined/maintained, the **aws:cloudformation:*** built-in tags are needed. This is an important function in day-to-day business.

Expected Behavior

Resources of type AWS::KMS::ReplicaKey which are managed as CloudFormation Stacks should automatically receive the aws:cloudformation:* built-in tags / automatic default CFN AutoTags.

Furthermore, those aws:cloudformation:* built-in tags must be handled correctly by CloudFormation Drift Detection (hence, aws:cloudformation:* tags are not a drift).

Observed Behavior

When you have an AWS::KMS::ReplicaKey resource in your stack, it does not get the built-in tags assigned: aws:cloudformation:stack-name, aws:cloudformation:logical-id and aws:cloudformation:stack-id.

Test Cases

Example Templates: Deploy this Stack in one Region:

```yaml
# Primary stack: a multi-region KMS key. Its KeyArn output is the
# PrimaryKeyArn needed by the replica stack in the second Region.
Resources:
  EncryptionKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: TestKeyForTags
      EnableKeyRotation: true
      MultiRegion: true          # required so the key can be replicated
      Enabled: true
      Tags:
        - Key: "Stack Name Not Default Tag"   # user-defined tag, not a built-in one
          Value: !Ref AWS::StackName
      KeyPolicy:
        Version: '2012-10-17'    # quoted so YAML does not parse it as a date
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
            Action:
              - 'kms:*'
            Resource: '*'
Outputs:
  KeyID:
    Value: !GetAtt
      - EncryptionKey
      - KeyId
  KeyArn:
    Value: !GetAtt EncryptionKey.Arn
```

Deploy this Stack in a Replica Region. Please take note of the IAM Roles and replace them with your own:

```yaml
# Replica stack: pass the KeyArn output of the primary stack as ReplicaKeyArn.
Parameters:
  ReplicaKeyArn:
    Type: String
    Description: This is R E Q U I R E D

Resources:
  myReplicaKey:
    Type: 'AWS::KMS::ReplicaKey'
    Properties:
      PrimaryKeyArn: !Ref ReplicaKeyArn   # ARN of the multi-region primary key
      Tags:
        - Key: "Stack Name"               # user-defined tag, not a built-in one
          Value: !Ref AWS::StackName
      Description: Example replica key
      PendingWindowInDays: 7
      KeyPolicy:
        Version: '2012-10-17'             # quoted so YAML does not parse it as a date
        Id: key-default-1
        Statement:
          # Placeholder account ID and role below; real AWS account IDs are 12 digits.
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::1234567819:root'
            Action: 'kms:*'
            Resource: '*'
          - Sid: Allow administration of the key
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::1234567819:role/role'
            Action:
              - 'kms:Create*'
              - 'kms:Delete*'
              - 'kms:Disable*'
              - 'kms:Describe*'
              - 'kms:Enable*'
              - 'kms:Get*'
              - 'kms:List*'
              - 'kms:Put*'
              - 'kms:Revoke*'
              - 'kms:UpdateAlias'
              - 'kms:ScheduleKeyDeletion'
              - 'kms:CancelKeyDeletion'
            Resource: '*'
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::1234567819:role/role'
            Action:
              - 'kms:DescribeKey'
              - 'kms:Encrypt'
              - 'kms:Decrypt'
              - 'kms:ReEncrypt*'
              - 'kms:GenerateDataKey'
              - 'kms:GenerateDataKeyWithoutPlaintext'
            Resource: '*'
```

You will see on both Resources that, aside from the CloudFormation-defined Tags, no other Tags are placed onto the Resources. No aws:cloudformation:* tags are added to the resource (just the tags defined via Template-Resource-Level or via Stack-Level).

Other Details

We are re-addressing this issue here as a new GitHub issue, since (due to a mistake of the cfn-github-issues-bot last year) the other issues were closed without a fix/implementation. I'm going to reference the old issues here as well: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1528 https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1572
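The check described in the Test Cases above (inspect the replica key's tags for `aws:cloudformation:stack-name`, `aws:cloudformation:stack-id` and `aws:cloudformation:logical-id`), plus the drift expectation that `aws:`-prefixed service-managed tags must not count as drift, as an added example that is not part of the original issue or of CloudFormation itself. It works on the `Tags` list shape returned by KMS `ListResourceTags` (`TagKey`/`TagValue`); the tag sets below are constructed sample data, and the `"Stack Name"` fallback key is the user-defined tag from the replica template above.

```python
"""Check a KMS key's tags for the CloudFormation built-in tags and compute
template-vs-resource tag drift while ignoring service-managed 'aws:' tags.
Sample data is constructed; in practice feed in the 'Tags' field of
`aws kms list-resource-tags --key-id <key-arn>`.
"""
from typing import Dict, List, Optional, Tuple

# The three built-in tags CloudFormation writes on resource types that support them.
BUILTIN_TAGS = (
    "aws:cloudformation:stack-name",
    "aws:cloudformation:stack-id",
    "aws:cloudformation:logical-id",
)

# Constructed: what a fully tagged resource would carry (built-in + user-defined tag).
TAGGED_RESOURCE = [
    {"TagKey": "aws:cloudformation:stack-name", "TagValue": "kms-primary-stack"},
    {"TagKey": "aws:cloudformation:stack-id",
     "TagValue": "arn:aws:cloudformation:eu-west-1:111111111111:stack/kms-primary-stack/0000"},
    {"TagKey": "aws:cloudformation:logical-id", "TagValue": "EncryptionKey"},
    {"TagKey": "Stack Name Not Default Tag", "TagValue": "kms-primary-stack"},
]

# Constructed: the replica key as observed in the issue, only the template-defined tag.
REPLICA_KEY_TAGS = [
    {"TagKey": "Stack Name", "TagValue": "kms-replica-stack"},
]


def kms_tags_to_dict(tags: List[Dict[str, str]]) -> Dict[str, str]:
    """Flatten a ListResourceTags 'Tags' list into a {key: value} mapping."""
    return {t["TagKey"]: t["TagValue"] for t in tags}


def missing_builtin_tags(tags: Dict[str, str]) -> List[str]:
    """Return the built-in CloudFormation tag keys that are absent from the resource."""
    return [key for key in BUILTIN_TAGS if key not in tags]


def owning_stack(tags: Dict[str, str], fallback_key: str = "Stack Name") -> Optional[str]:
    """Find the stack that manages the resource: prefer the service-managed
    tag, otherwise fall back to the user-defined tag the template sets."""
    return tags.get("aws:cloudformation:stack-name") or tags.get(fallback_key)


def tag_drift(template_tags: Dict[str, str],
              actual_tags: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Compare template-declared tags with the tags on the resource.
    Keys starting with 'aws:' are service-managed and are excluded, so their
    presence (or absence) never shows up as drift. Returns {key: (wanted, actual)}."""
    candidate_keys = set(template_tags) | {k for k in actual_tags if not k.startswith("aws:")}
    drift = {}
    for key in sorted(candidate_keys):
        wanted, actual = template_tags.get(key), actual_tags.get(key)
        if wanted != actual:
            drift[key] = (wanted, actual)
    return drift


def report(tags: List[Dict[str, str]], template_tags: Dict[str, str]) -> Dict[str, object]:
    """Summarise one resource: missing built-in tags, owning stack, and real drift."""
    flat = kms_tags_to_dict(tags)
    return {
        "missing_builtin": missing_builtin_tags(flat),
        "owning_stack": owning_stack(flat, fallback_key="Stack Name"),
        "drift": tag_drift(template_tags, flat),
    }


if __name__ == "__main__":
    for name, tags, template in (
        ("tagged resource", TAGGED_RESOURCE, {"Stack Name Not Default Tag": "kms-primary-stack"}),
        ("replica key", REPLICA_KEY_TAGS, {"Stack Name": "kms-replica-stack"}),
    ):
        print(name, report(tags, template))
```

`tag_drift` only flags differences in keys the template owns or keys a human added out of band; the three `aws:cloudformation:*` keys are dropped from the comparison, which is the behaviour the Expected Behavior section asks Drift Detection to have.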