KMS Keys are not getting the stacks default tags #33

Open
pplu opened this issue Mar 17, 2021 · 5 comments
Comments


pplu commented Mar 17, 2021

Hi,

KMS keys don't get tagged with cloudformation default tags:

aws:cloudformation:logical-id
aws:cloudformation:stack-name
aws:cloudformation:stack-id

This was reported here: aws-cloudformation/cloudformation-coverage-roadmap#193, but was closed, when it seems that it is not so.

Contributor

ammokhov commented Apr 2, 2021

@pplu I don't think this resource supports CloudFormation stack-level tags with the prefix aws::.

Author

pplu commented Apr 3, 2021

@ammokhov: I'm opening this as an issue because I was expecting the KMS CloudFormation provider to tag the KMS keys it creates with the aws:cloudformation tags, which help identify what stack created which KMS key.

@iainelder

iainelder commented Jul 7, 2021

For example, the stack tags are propagated to S3 buckets and EC2 instances.

I just discovered today that the same is not true of KMS keys.

I don't see the resource provider code for those resources in the GitHub organization.

Do any of the published resource providers have an example of how to implement this?

@ammokhov
Contributor

Do any of the published resource providers have an example of how to implement this?

You mean aws-prefixed tags or stack-level tags? Stack-level tags are usually attached to the stack and are provisioned to each individual resource that belongs to the stack (if it supports tags), unless your execution role is missing the correct permissions.

@rgoltz

rgoltz commented Jun 26, 2024

I'm adding here (again) the details for this issue, #33:

Issue Description

To find the right CloudFormation Stack where an AWS resource is defined/maintained, the aws:cloudformation:* built-in tags are needed. This is an important function in day-to-day business.

Expected Behavior

Resources of type AWS::KMS::Key, which are managed in CloudFormation Stacks, should automatically receive the aws:cloudformation:* built-in tags / automatic default CFN AutoTags.

Once support for CloudFormation Drift Detection is added via aws-cloudformation/cloudformation-coverage-roadmap#1671, please handle those automatic tags correctly (i.e., aws:cloudformation:* tags are not a drift).

Observed Behavior

When you have an AWS::KMS::Key resource in your stack, it does not get the built-in tags assigned:

  • aws:cloudformation:stack-name
  • aws:cloudformation:logical-id
  • aws:cloudformation:stack-id

Test Cases

Example Template: Deploy this Stack in one Region:

Resources:
  EncryptionKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: TestKeyForTags
      EnableKeyRotation: true
      MultiRegion: true
      Enabled: true
      Tags:
        # explicit, user-defined tag; the aws:cloudformation:* tags are expected to be added automatically
        - Key: "Stack Name Not Default Tag"
          Value: !Ref AWS::StackName
      KeyPolicy:
        # quoted so the YAML parser keeps the policy version as a string, not a date
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
            Action:
              - 'kms:*'
            Resource: '*'

You will see on both Resources that, aside from the CloudFormation-defined Tags, no other Tags are placed onto the Resources.
No aws:cloudformation:* tags are added to the resource (just the tags defined via Template-Resource-Level or via Stack-Level).

Links
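As an added example (not code from this issue, the KMS resource provider, or CloudFormation itself), a small Python audit that classifies KMS keys by whether their tags trace them back to a stack: via the built-in aws:cloudformation:* tags described above, via an explicit template-level fallback prefix (assumed name "cfn:", since user-defined tag keys cannot start with the reserved "aws:" prefix), or not at all. The key records are constructed inline, in the shape returned by kms.list_resource_tags.

```python
"""Audit KMS key tag lists for CloudFormation stack attribution (added example)."""

# Built-in tags CloudFormation adds to resources that support them
# (per this issue, AWS::KMS::Key does not receive them).
BUILTIN_KEYS = (
    "aws:cloudformation:stack-name",
    "aws:cloudformation:stack-id",
    "aws:cloudformation:logical-id",
)
# User-defined tag keys may not begin with the reserved "aws:" prefix, so a
# template-level workaround has to use its own prefix (assumed name).
FALLBACK_PREFIX = "cfn:"
FALLBACK_SUFFIXES = ("stack-name", "stack-id", "logical-id")


def workaround_tags(stack_name, stack_id, logical_id):
    """Tags a template can set explicitly (e.g. Value: !Ref AWS::StackName) to mimic the built-ins."""
    values = (stack_name, stack_id, logical_id)
    return [{"TagKey": FALLBACK_PREFIX + s, "TagValue": v} for s, v in zip(FALLBACK_SUFFIXES, values)]


def attribution(tags):
    """Classify one key's tag list as 'builtin', 'fallback' or 'none', with the stack name if known."""
    by_key = {t["TagKey"]: t["TagValue"] for t in tags}
    if all(k in by_key for k in BUILTIN_KEYS):
        return "builtin", by_key["aws:cloudformation:stack-name"]
    fallback = {k[len(FALLBACK_PREFIX):]: v for k, v in by_key.items() if k.startswith(FALLBACK_PREFIX)}
    if all(s in fallback for s in FALLBACK_SUFFIXES):
        return "fallback", fallback["stack-name"]
    return "none", None


def unattributed_keys(keys):
    """Return the KeyIds of keys whose tags do not identify an owning stack."""
    return [k["KeyId"] for k in keys if attribution(k["Tags"])[0] == "none"]


# Constructed sample data: one key per attribution class.
STACK_ID = "arn:aws:cloudformation:eu-west-1:123456789012:stack/my-stack/00000000-0000-0000-0000-000000000000"
SAMPLE_KEYS = [
    {"KeyId": "key-builtin", "Tags": [{"TagKey": k, "TagValue": v} for k, v in
                                      zip(BUILTIN_KEYS, ("my-stack", STACK_ID, "EncryptionKey"))]},
    {"KeyId": "key-fallback", "Tags": workaround_tags("my-stack", STACK_ID, "EncryptionKey")},
    {"KeyId": "key-none", "Tags": [{"TagKey": "Stack Name Not Default Tag", "TagValue": "my-stack"}]},
]

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(key["KeyId"], attribution(key["Tags"]))
    print("unattributed:", unattributed_keys(SAMPLE_KEYS))
```

Against live data, the same functions apply to each key's tag list from kms.list_resource_tags (paginated with the key's KeyId) after kms.list_keys.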

4 participants