Updating an existing AWS::EC2::EIP with new tags should require no interruption and not force a replacement.
We have been creating EIPs in a separate CloudFormation template so that they are not part of the typical application deployment lifecycle and we avoid the risk of losing the IP addresses. With the recent addition of being able to add tagging to an EIP via CloudFormation, we attempted to introduce tags on these EIP resources. When adding tags to an existing AWS::EC2::EIP, CloudFormation will fail while performing an ec2:disassociateAddress and not update the EIP resource.
Per the documentation for EIP tags, this operation should cause no interruption. With CloudFormation, it seems to always attempt a replacement rather than an update. If I add a tag to an existing EIP that is in use via the console or aws cli, it succeeds with no problem.
In our initial template, we declare the EIP like so:
```yaml
SomeEIP:
  Type: AWS::EC2::EIP
  Properties:
    Domain: vpc
```
We added tags to the EIP resource like this:
```yaml
SomeEIP:
  Type: AWS::EC2::EIP
  Properties:
    Domain: vpc
    Tags:
      - Key: Name
        Value: "Some EIP for App X"
```
When we make this change via CloudFormation via the AWS CLI, we get the following error:
UPDATE_FAILED: API: ec2:disassociateAddress You do not have permission to access the specified resource.
It should be noted that we are performing the deployment with admin privileges. Thus, it seems that merely adding tags is attempting to force a drop and replace of the EIP rather than simply adding the tags to an existing EIP. Again, adding the tag via the console does not exhibit this behavior.
According to the documentation for EIP tags, this operation should cause no interruption. This behavior appears to be forcing a replacement of the EIP.
Compute (EC2, ECS, EKS, Lambda...)
This is actually breaking our deployments after upgrading CDK version, that now adds the "Name" tag to an EIP resource.
How is this not labeled as a bug @luiseduardocolon?
As a temp workaround, adding the following, as offered here, stops the tag from being added:
```typescript
cdk.Tag.remove(this.vpc, "Name", {
  includeResourceTypes: ["AWS::EC2::EIP"]
});
```
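A pre-deployment guard for the replacement behaviour reported in this issue, as an added example that is not code from the issue or from AWS: it inspects the JSON returned by `aws cloudformation describe-change-set` and refuses to proceed when a protected resource type such as `AWS::EC2::EIP` would be removed or replaced. The sample change set, its IDs and the `PROTECTED_TYPES` and `risky_changes` names are constructed for illustration; the field names follow the DescribeChangeSet response.

```python
import json

# Constructed sample shaped like `aws cloudformation describe-change-set` output.
# It mirrors the behaviour reported above; it is not captured output, and the
# physical IDs are placeholders.
SAMPLE_CHANGE_SET = json.loads("""
{
  "Changes": [
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "SomeEIP",
      "PhysicalResourceId": "198.51.100.10", "ResourceType": "AWS::EC2::EIP",
      "Replacement": "True", "Scope": ["Tags"],
      "Details": [{"Target": {"Attribute": "Tags", "RequiresRecreation": "Always"}}]}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "AppBucket",
      "PhysicalResourceId": "example-bucket", "ResourceType": "AWS::S3::Bucket",
      "Replacement": "False", "Scope": ["Tags"],
      "Details": [{"Target": {"Attribute": "Tags", "RequiresRecreation": "Never"}}]}}
  ]
}
""")

PROTECTED_TYPES = {"AWS::EC2::EIP"}  # hypothetical policy: types that must never be swapped out


def risky_changes(change_set, protected=PROTECTED_TYPES):
    """Return (logical_id, reason) for every protected resource that the
    change set would remove or (possibly) replace."""
    findings = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange") or {}
        if rc.get("ResourceType") not in protected:
            continue
        replacement = rc.get("Replacement", "False")
        if rc.get("Action") == "Remove":
            findings.append((rc["LogicalResourceId"], "removed"))
        elif rc.get("Action") == "Modify" and replacement in ("True", "Conditional"):
            # Name the attributes whose change drives the recreation.
            attrs = sorted({d.get("Target", {}).get("Attribute", "?")
                            for d in rc.get("Details", [])
                            if d.get("Target", {}).get("RequiresRecreation") != "Never"})
            findings.append((rc["LogicalResourceId"],
                             f"replacement={replacement} via {','.join(attrs) or 'unknown'}"))
    return findings


if __name__ == "__main__":
    found = risky_changes(SAMPLE_CHANGE_SET)
    for logical_id, reason in found:
        print(f"BLOCK {logical_id}: {reason}")
    raise SystemExit(1 if found else 0)
```

Run it between creating and executing the change set, so a non-zero exit stops the pipeline before the address is disassociated.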