Aws-cdk: [cdk-pipelines] stacks cannot be tagged

Created on 25 Jul 2020 · 7 Comments · Source: aws/aws-cdk

It does not appear that pipeline applies aspects properly. Ideally, it should apply the aspects to itself and stages. Stage appears to apply aspects that are added directly, but does not apply tagging aspects.

Reproduction Steps

See #9256 and #9259 for the initial steps; both of these cases showed higher-level issues.

First I attempted to solve the PermissionsBoundary issue. I used the App.node.applyAspects(...) and received success for the initial pipeline stack. I.e., all roles created in the pipeline stack had the PermissionsBoundary from the aspect applied.

Problem solved, right? Well, then I continued with the tutorial and when I added a 'stage' the issue re-appeared, in that the stack associated with the Stage did not have the PermissionsBoundary aspect applied. So I did the next level, pipeline.node.applyAspects(...), and still no result. So I did the next level, stage.node.applyAspects(...), and successfully the PermissionsBoundary aspect was applied to all IAM Roles in the Stage/Stack.

At this point I noticed that the Tags had been lost. I traced that back to the first update after the create of the Pipeline Stack. So I started the same adventure, only this time I figured that the PermissionsBoundary aspect was a clue and so I did not apply at each level, but started at the two points that I had found to work. I.e., Tags.add(stage, "key", "value") and sure enough it did not work. So I had to go down the next level to the 'stack' itself that the stage was composed of. And success as the tags were resources. However, the tags are missing on the stack itself.

Ideally, if tags are specified at the App they should be applied at each component. And because Tagging is an aspect this leads to the next issue of consistency.

Ideally, if an aspect is specified at the App it should be applied to all components, including the pipeline/stage/stacks/resources.

Error Log

Observed missing aspects.

Environment

  • CLI Version : 1.54.0 (build c01b9b9)
  • Framework Version:
  • Node.js Version: v12.18.3
  • OS : osx 10.15.6
  • Language (Version): all

Other

I have a private git repo with the tutorial on it and each commit I made to discover the issues described above. I can provide that if it would be of interest or help.


This is :bug: Bug Report

@aws-cdk/pipelines bug effort/medium p1

All 7 comments

Unfortunately this works as intended. There are practical reasons why we can not propagate tags across Stage boundaries.

I will agree that this leads to unintuitive behavior. I will have a think on relaxing the restrictions somewhat or signaling the failure better. In the meantime, you need to apply the aspects to every stage individually.

Can you describe your use case a little? What are you trying to achieve?

So I belong to an organization that requires a very specific tagging specification be applied to all AWS deployed resources. And AWS has, for several years, been making tagging a critical aspect of all resources. I.e., roadmap for AWS at large. Obviously you are familiar with tags and their purpose. My organization is using them primarily for cost tracking. The secondary purpose, someday?, will be security, as that appears to be another roadmap item.

So when you use CDK and you specify tags from the command-line one would expect that ALL stacks that are created would receive the tags that are provided. Looking at the architecture it appears that this is an aspect. And generally aspects are intended to be applied across a large number of constructs.

Ideally, the command-line should allow for 'include tags' and 'exclude tags', but alas it does not. Making it very hard to determine what the rule should be about tags that are not present in the request and the tags currently present on the resource. That is rather an unfortunate design flaw.

I'm assuming that since cdk-pipelines is in preview that this kind of item is something that should be addressed. It seems reasonable to me to confer with others in the CDK space to determine if the Tagging aspect is intended to be applied to all children. If not, then the deficiency of the Aspects should be documented in such a way as to clarify any future misunderstandings.

I've run into the issue he mentions where the stack [in the stage] itself is not tagged. I tried adding the tags using applyAspect on the stage and the stack and the stack was still not tagged. I am able to get resources within the stack tagged but not the stack itself. Is there anything I am overlooking?

Ditto re: the stack [in the stage] itself not getting tagged

Had the same issue (in combination with CDK-pipelines + stages).
Additionally, verified it with @udondan that the tags argument on a pure stack (without cdk-pipelines involved) isn't putting tags on the CF resources of the stack itself. Using v1.63.0.

This is also causing issues for me, as in my case the pipeline can't create change sets that don't have tags for the stacks in the stage due to condition restrictions. When using pipeline.addApplicationStage(x) it fails with "not authorized to perform: cloudformation:CreateChangeSet" when deploying the application stage in pipeline.

Are there any workarounds?

Will it be needed to expose the TemplateConfiguration of the changeset action, as described here:
CloudFormation configuration properties, and allow setting the tags with a Template configuration file (perhaps an asset?),
as described here: Template configuration file

I have implemented a workaround for now.

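Added the TemplateConfiguration JSON file to the Synth Output like this:

```
import { AssetStaging } from '@aws-cdk/core';

// Stage the template configuration file so it is copied into the synth output.
const actionConfig = new AssetStaging(this, 'actionConfig', {
  sourcePath: 'lib/configuration.template.json'
});
```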

Create the Pipeline then type it to cfnPipeline:

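```
// CdkPipeline is from '@aws-cdk/pipelines', CfnPipeline from '@aws-cdk/aws-codepipeline'.
// Scope, id and props are placeholders; they were elided in the original comment.
const pipeline = new CdkPipeline(this, 'Pipeline', { /* ... */ });
const cfnPipeline = pipeline.codePipeline.node.defaultChild as CfnPipeline;
```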

Then addPropertyOverride based on the number of stages at the point where the application Stage is added.
Note - Create Change set will always be an Action with an Even Number when used with addApplicationStage and in this case.

```
// Add ApplicationStage stages
const someStage = new SomeStage(this, 'SomeStage', someStageProps);
pipeline.addApplicationStage(someStage);
const someStageNumber = pipeline.codePipeline.stageCount - 2;

// Fix Tags by Override: point the action at the staged template configuration file
cfnPipeline.addPropertyOverride(
  `Stages.${someStageNumber}.Actions.0.Configuration.TemplateConfiguration`,
  `Artifact_Build_Synth::${actionConfig.stagedPath}`
);
```
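The workaround above stages `lib/configuration.template.json` but the thread never shows its contents. The following is an added example, not code from the thread or from the CDK project: it generates that file's content in the CloudFormation template configuration format (a top-level `Tags` map) and refuses to emit it when tags that a tagging policy or an IAM condition on `cloudformation:CreateChangeSet` would demand are missing. The function names, `REQUIRED_TAG_KEYS` and the tag keys and values are hypothetical.

```typescript
// Added example: REQUIRED_TAG_KEYS, validateTags, buildTemplateConfiguration
// and all tag keys/values are hypothetical, not from the CDK or the thread.
type TagMap = Record<string, string>;

// Constructed sample policy: tag keys the organization (or an IAM condition
// on cloudformation:CreateChangeSet) requires on every stack.
const REQUIRED_TAG_KEYS: string[] = ['CostCenter', 'Owner'];

// Returns a list of problems; an empty list means the tag set is usable.
function validateTags(tags: TagMap, required: string[] = REQUIRED_TAG_KEYS): string[] {
  const problems: string[] = [];
  const entries = Object.entries(tags);
  // AWS allows at most 50 user tags per resource.
  if (entries.length > 50) problems.push(`too many tags: ${entries.length} > 50`);
  for (const key of required) {
    if (!Object.prototype.hasOwnProperty.call(tags, key)) {
      problems.push(`missing required tag: ${key}`);
    }
  }
  for (const [key, value] of entries) {
    // Keys are 1-128 characters, values up to 256; "aws:" is reserved.
    if (key.length === 0 || key.length > 128) problems.push(`bad key length: ${key}`);
    if (key.toLowerCase().startsWith('aws:')) problems.push(`reserved prefix: ${key}`);
    if (value.length > 256) problems.push(`value too long for: ${key}`);
  }
  return problems;
}

// Serializes the template configuration file that the pipeline action's
// TemplateConfiguration property points at. Throws rather than producing a
// file that would only fail later, at change set creation in the pipeline.
function buildTemplateConfiguration(tags: TagMap, required?: string[]): string {
  const problems = validateTags(tags, required);
  if (problems.length > 0) {
    throw new Error(`invalid stack tags: ${problems.join('; ')}`);
  }
  // Sort keys so the output is deterministic across synths.
  const sorted: TagMap = {};
  const ordered = Object.entries(tags).sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
  for (const [key, value] of ordered) sorted[key] = value;
  return JSON.stringify({ Tags: sorted }, null, 2);
}
```

Write the returned string to `lib/configuration.template.json` before synth so that the staged asset carries the tags.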