aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0
11.35k stars 3.77k forks

aws-sso CfnPermissionSet: Stack-level tags applied through stack props do not apply to resource #22450

Open rwmason opened 1 year ago

rwmason commented 1 year ago

Describe the bug

There is currently an issue that I have been able to reproduce multiple times where stack-level tags being applied to the CfnPermissionSet resource will not apply if the stack-level tags are set through the stack props.

Tagging the resource individually through its 'tags' property works as expected.

Adding stack-level tags using Tags.of(ssoStack).add(...) also works.

Adding tags through the stack props does not work as the tags are not applied to the resource. They are being set as stack tags as the tags do show in the CFN console when viewing the stack and they are applied to other resources, just not the permission set resource.

Expected Behavior

When adding tags to the stack in the stack props, they should be propagated to the CfnPermissionSet resource

Current Behavior

The actual behavior is that if the tags are specified in the stack props, they do not get applied to this resource type.

Reproduction Steps

Create a stack in CDK that creates a CfnPermissionSet resource, and add stack-level tags through the stack props. When the stack creates, the stack tags will show in the stack's info page in the CFN console, but will not show on the actual resource in the SSO console.

Sample code:

In my cdk-sso-test/bin/cdk-sso-test.ts file:

import * as cdk from 'aws-cdk-lib';
import { CdkSsoTestStack } from '../lib/cdk-sso-test-stack';

const app = new cdk.App();
const ssoStack = new CdkSsoTestStack(app, 'CdkSsoTestStack', {
    tags: {
        'StackTag1': 'StackTag1'
    }
});

And in my cdk-sso-test/lib/cdk-sso-test-stack.ts file:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as sso from 'aws-cdk-lib/aws-sso'

export class CdkSsoTestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const myInlinePolicy =  {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "iam:Create*",
            "iam:Delete*",
            "iam:Update*",
            "iam:Put*",
            "sts:Assume*"
          ],
          "Resource": "*"
        }
      ]
    }

    // No 'tags' property is set here: the resource relies on stack-level tags only.
    const cfnPermissionSet = new sso.CfnPermissionSet(this, 'Perms', {
      instanceArn: '<redacted>', // SSO instance ARN redacted by the reporter
      description: 'Test cdk permission set',
      sessionDuration: 'PT2H',
      name: 'CdkPermissionSet',
      managedPolicies: ['arn:aws:iam::aws:policy/AdministratorAccess'],
      inlinePolicy: myInlinePolicy,
    });
  }
}

Possible Solution

Currently there is a workaround, which is to use Tags.of(...).add(...) to add the stack-level tags instead.

For example, this works fine and tags are added:

In cdk-sso-test/bin/cdk-sso-test.ts file:

import * as cdk from 'aws-cdk-lib';
import { CdkSsoTestStack } from '../lib/cdk-sso-test-stack';

const app = new cdk.App();
const ssoStack = new CdkSsoTestStack(app, 'CdkSsoTestStack', {});
cdk.Tags.of(ssoStack).add('StackTag1', 'StackTag1');

As for the cause of this, I suspect that it may be related in some way to a similar issue I have opened on the CFN GitHub page here.

Using the CFN console to instead create the stack, stack-level tags are also not applying to the AWS::SSO::PermissionSet resource type.

Additional Information/Context

No response

CDK CLI Version

2.44

Framework Version

No response

Node.js Version

16.17.1

OS

MacOS 12.6

Language

Typescript

Language Version

No response

Other information

No response

peterwoodworth commented 1 year ago

I can reproduce this, thanks for reporting.

I've found you can use the Tags class to add tags to the resource; I recommend using this aspect for now.

Alternatively, in your particular use case you can pass in this.tags.renderedTags to the tags prop in CfnPermissionSet.
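
Added example, not part of the issue thread or the CDK code base: a pre-deploy check over a CloudFormation template that reports every AWS::SSO::PermissionSet whose own Tags property lacks a required tag, so a permission set that depends on stack-level propagation is caught before deployment. The function name and both sample templates are constructed for illustration; the templates are not real `cdk synth` output.

```typescript
// Added example: audit a CloudFormation template for permission sets
// that do not carry the required tags in their own Tags property.
type Tag = { Key: string; Value: string };
type Resource = { Type: string; Properties?: { Tags?: Tag[] } };
type Template = { Resources: Record<string, Resource> };
type Finding = { logicalId: string; missing: string[] };

// Hypothetical helper: returns one finding per non-compliant permission set.
function findUntaggedPermissionSets(
  template: Template,
  required: Record<string, string>,
): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== 'AWS::SSO::PermissionSet') continue;
    // Index the tags declared directly on the resource.
    const present: Record<string, string> = {};
    for (const t of res.Properties?.Tags ?? []) present[t.Key] = t.Value;
    // A tag counts as missing when the key is absent or the value differs.
    const missing = Object.keys(required).filter((k) => present[k] !== required[k]);
    if (missing.length > 0) findings.push({ logicalId, missing });
  }
  return findings;
}

// Constructed sample: permission set with no Tags property of its own.
const withoutResourceTags: Template = {
  Resources: {
    Perms: { Type: 'AWS::SSO::PermissionSet', Properties: {} },
    Bucket: { Type: 'AWS::S3::Bucket' }, // other resource types are ignored
  },
};

// Constructed sample: the tag is present on the resource itself.
const withResourceTags: Template = {
  Resources: {
    Perms: {
      Type: 'AWS::SSO::PermissionSet',
      Properties: { Tags: [{ Key: 'StackTag1', Value: 'StackTag1' }] },
    },
  },
};

const requiredTags: Record<string, string> = { StackTag1: 'StackTag1' };
```

Run the function over each template in the synthesized output directory and fail the pipeline when it returns any findings.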