aws / aws-sam-cli

CLI tool to build, test, debug, and deploy Serverless applications using AWS SAM
https://aws.amazon.com/serverless/sam/
Apache License 2.0

How to add tags with sam deploy #7050

Closed ajithkumar999 closed 3 months ago

ajithkumar999 commented 3 months ago

Hello, we are using SAM to deploy our CloudFormation template. We are passing --tags along with the sam deploy command to add tags for all the resources present in the template in one go. I noticed a few tags were missing at the API Gateway resource level. I want to reassign the tags through sam deploy only. I added a new tag in the sam deploy command, but it added only that particular tag; it didn't add the old tags.

My sam deploy command:

```bash
sam deploy \
  --template-file template.yml \
  --stack-name $ENV_NAME-$APP_NAME \
  --capabilities CAPABILITY_NAMED_IAM \
  --region $AWS_REGION \
  --role-arn $CFN_ROLE_ARN \
  --parameter-overrides Env=$ENV_NAME BuildArtifactName=$GO_PIPELINE_LABEL Application=$APP_NAME LogLevel=$log_level \
  --s3-bucket <bucket_name> \
  --s3-prefix $APP_NAME \
  --no-fail-on-empty-changeset \
  --tags \
  env=$ENV_NAME \
  dept=abc \
  squad=abc \
  product=abc \
  audience=abc \
  client_code=abc \
  sensitive_data=true \
  Application=$APP_NAME \
  team=abc  # added newly
```

But only a few tags were present currently. I want to re-add all these tags back to the resource.

hawflau commented 3 months ago

Hi @ajithkumar999 thanks for raising the issue.

Did you include all your existing tags and new tags in the --tags flag? In my experiment, when I only added new tags and didn't keep any existing tags under --tags, the deployed result was that the existing tags got removed. If I keep existing tags under --tags and add new tags, the deployed resource contains both existing tags and new tags.

As an aside, I'd suggest you use samconfig to keep your tags. You can define tags as a list instead of a concatenated string and also be able to keep your existing tags in the config file.

Example:

```toml
[default.deploy.parameters]
capabilities = "CAPABILITY_IAM"
confirm_changeset = true
resolve_s3 = true
tags = [
    "aaa=ddd",
    "bbb=ccc",
]
```

ajithkumar999 commented 3 months ago

Hi @hawflau, thanks for looking into this issue. Here my concern is that somehow my old tags were missing from the resources, and I want to add them back again to the resources. If I add a new tag in the --tags param, it only adds the new tag to the resource; it's not adding the old tags. Please check the below image: only 3 tags were present for the resource, but my sam deploy command has 9 tags in it, including the team tag which I added newly. How can I add my old tags to the resource?

Screenshot 2024-05-13 at 11 51 49 AM

Thanks

mndeveci commented 3 months ago

@ajithkumar999

I've tried to reproduce the issue you mentioned. I've created a stack with a=1 and b=2 tags. And then I've added c=3 and d=4 tags. After the second deployment I can see all the tags which I've added there. Can you provide more details of your issue?

ajithkumar999 commented 3 months ago

Hello @mndeveci, thanks for looking into this. Let's say the stack has Lambda and API Gateway resources with these tags: a=1, b=2, c=3 and d=4. I've manually deleted the tags c=3 and d=4 in the API Gateway resource, and Lambda has all the required tags. If I try to re-deploy the stack with the same tags using SAM, it's not adding them back. If I've modified the tag in the sam deploy command, like d=5, then it will add it back, but the Lambda tags will also get affected. How can I add the deleted tags back to the resources without affecting the other resources in the stack with the sam deploy command?

lucashuy commented 3 months ago

Hi, just want to reiterate to make sure I'm not getting anything wrong: if I had deployed tags a=1, b=2, and I go and delete a=1 from a resource in my stack, I want SAM CLI to be able to deploy the same tags again if I run the exact same sam deploy command with the same tag argument?

This currently isn't possible since the difference in tags is compared in CloudFormation, not the underlying deployed resources. Since the tags were never modified in the CloudFormation stack, CloudFormation reports that there is nothing to do. The behaviour you see when you update a tag (e.g. d=5 in your comment) will update the rest of the resources as expected, as the tag comparison is made against the stack, which will have a different d tag.

You could utilize the AWS CLI or the AWS SDK in the language of your choice to update tags for individual resources, but getting CloudFormation to "reapply" tags won't be possible.
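The SDK route mentioned above, as an added example that is not part of the original comment or of the SAM CLI project: it compares the tags stored on the stack with the tags actually present on each resource and re-applies only what is missing or changed. It assumes boto3, the Resource Groups Tagging API, and that tagged resources carry the `aws:cloudformation:stack-name` tag; the ARNs in the sample data are constructed.

```python
"""Find stack tags that were removed or changed by hand on deployed resources."""


def tag_drift(stack_tags, resources):
    """Return {arn: {key: value}} of stack tags to re-apply per resource.

    stack_tags: {key: value} as recorded on the CloudFormation stack.
    resources:  {arn: {key: value}} as currently present on each resource.
    """
    drift = {}
    for arn, actual in resources.items():
        missing = {k: v for k, v in stack_tags.items() if actual.get(k) != v}
        if missing:
            drift[arn] = missing
    return drift


def fetch(stack_name, session):
    """Read stack tags and live resource tags; session is a boto3.Session."""
    stack = session.client("cloudformation").describe_stacks(
        StackName=stack_name)["Stacks"][0]
    stack_tags = {t["Key"]: t["Value"] for t in stack.get("Tags", [])}
    pages = session.client("resourcegroupstaggingapi").get_paginator(
        "get_resources").paginate(TagFilters=[
            {"Key": "aws:cloudformation:stack-name", "Values": [stack_name]}])
    resources = {m["ResourceARN"]: {t["Key"]: t["Value"] for t in m["Tags"]}
                 for page in pages for m in page["ResourceTagMappingList"]}
    return stack_tags, resources


def repair(drift, session):
    """Re-apply only the drifted tags; returns the API's failure map."""
    client = session.client("resourcegroupstaggingapi")
    failed = {}
    for arn, tags in drift.items():
        resp = client.tag_resources(ResourceARNList=[arn], Tags=tags)
        failed.update(resp.get("FailedResourcesMap", {}))
    return failed


# Constructed sample mirroring the thread: b=2 was deleted by hand from the Lambda.
SAMPLE_STACK_TAGS = {"a": "1", "b": "2", "c": "3"}
SAMPLE_RESOURCES = {
    "arn:aws:lambda:us-east-1:111122223333:function:demo": {"a": "1", "c": "3"},
    "arn:aws:apigateway:us-east-1::/restapis/abc123": {"a": "1", "b": "2", "c": "3"},
}

if __name__ == "__main__":
    # Live use: repair(tag_drift(*fetch("my-stack", s)), s) with s = boto3.Session()
    print(tag_drift(SAMPLE_STACK_TAGS, SAMPLE_RESOURCES))
```

Running `tag_drift` alone on a schedule gives a read-only report, which is useful when tags such as `sensitive_data` feed access or cost policies and a silent removal should be noticed.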

lucashuy commented 3 months ago

Closing issue as CloudFormation doesn't actually check tags in the underlying resources when updating. Feel free to create a new issue for anything else you might discover.

ajithkumar999 commented 3 months ago

Hi @lucashuy, can you please reopen this issue

> if I had deployed tags a=1, b=2, and I go and delete a=1 from a resource in my stack, I want SAM CLI to be able to deploy the same tags again if I run the exact same sam deploy command with the same tag argument?

Sorry, I should have been more specific in my previous reply. Here’s the exact scenario of what I am facing. (Note: deployment is through sam deploy, and tags are managed through the --tags flag.)

Day 1: Deploy stack with tags a=1, b=2. Expectation: all supported resources in the stack have a=1 and b=2 tags. Result: as expected.

Day 2: Manually delete b=2 from one of the resources in the stack, say a lambda function. Expectations: all resources continue to have a=1 and b=2 tags. The lambda function for which we deleted tags only has a=1 tag. Result: as expected.

Day 3: Add c=3 alongside a=1 and b=2 in the --tags flag for sam deploy. Expectations: all supported resources in the stack have a=1, b=2, and c=3 tags, including the lambda function for which we earlier deleted the tag. Result: all resources have a=1, b=2, and c=3 tags. The lambda function only has the a=1 and c=3 tags, and b=2 is missing. Because the tag argument is now modified, and there's a diff, it should update the tags.

lucashuy commented 3 months ago

This would still be CloudFormation-specific behaviour that you'd unfortunately come across. CloudFormation won't reapply any tags since it won't do any comparisons against the underlying resources in a stack.

While it's true that Lambda does not have b=2, CloudFormation doesn't care since the stack resource still has b=2.

ajithkumar999 commented 3 months ago

Hi @lucashuy,

So just to confirm, CloudFormation only requests new tag additions for underlying resources. That is, since c=3 was added, the stack resource now has a diff and will assign just c=3 to the stack and all resources, and not send the complete list of tags (a=1, b=2 and c=3) to all resources?

ajithkumar999 commented 2 months ago

Hello @lucashuy is there any update on this? https://github.com/aws/aws-sam-cli/issues/7050#issuecomment-2136638436

lucashuy commented 2 months ago

Hi, sorry about the delay and back and forth. It looks like the behaviour is that if anything is to change on the stack's tags, all the tags are going to be applied to each of the resources in the stack. So in the previous example that you've noted with the new c=3, all the tags are going to be reapplied to each resource.

Checking with a sample app shows that all tags are reapplied on any difference, whether that be a new tag or updated tag.