search

aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International
1.11k stars 57 forks source link

AWS::EC2::SecurityGroup - Tagging-OnCreate #714

Open mderoquefeuil opened 3 years ago

mderoquefeuil commented 3 years ago

Scope of request

AWS::EC2::SecurityGroup - when I have an IAM deny statement to create a security group without a specifig tag (aws:RequestTags), I can create resource via API, but not via CloudFormation.

Expected behavior

When I create a security group with an IAM policy to enforce tagging, I should be able to create the resource through API or CloudFormation the same way. So far :

Suggest specific test cases

Prerequisites

IAM deny policy should be as follow : 

- Effect: "Deny"
  Action: 
    - "ec2:CreateSecurityGroup"
  Resource: 
    - "arn:aws:ec2:*:*:security-group/*"
  Condition: 
    "StringNotLike":
    "aws:RequestTag/project":
      - "?*"

User should use the Administrator Policy.

Test case success

CFN Template should be just creating a SG with the tag "project" set to any value with 1 or more character. When running, the template should be successful.

Test case failure

CFN Template should be just creating a SG with no tag "project" set. When running, the template should be failing because of a lack of rights.

Category

Networking & Content : Security Group

Cushdrive commented 3 years ago

I looked at Cloudtrail and, at least in my case, CloudFormation is creating the resource and then tagging it in a separate operation. It's messing up my whole template because DependsOn doesn't wait for the tags to be created.

MrSakhs commented 2 years ago

Is there any update on this?

diogomelodantas commented 2 years ago

Any update? I'm having the same problema here, but using CDK.

BDeus commented 2 years ago

Same here, do not deploy tag at creation is really painfull when play with iam tag restriction