CloudFormation limitations

[errordeveloper]

This issue is for tracking well-known limitation of CloudFormation that has affected eksctl in some way.

Long-standing:

• cannot tag IAM resources (ref ServiceRole and NodeInstanceRole missing tags #750)
• cannot tag EIP resources (ref ENI tagging #751)
• cannot change main VPC route table (ref Private/public subnet association with VPC routing tables #605)
• cannot tag EBS root volumes (ref tag node root volumes properly #1030)

Present:

• EKS logging (Add config file options to enable EKS control plane logging to CloudWatch #704) (using API)
• EKS endpoints (Support Private/Public Endpoints #649)
• EKS upgrade bugs (see [EKS] Cloudformation support for cluster upgrades aws/containers-roadmap#115 (comment))

Past:

• EKS cluster version updates

[whereisaaron]

There’s an excellent roadmap project AWS is sharing to track the lagging support between AWS API changes and CF support.
https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap

[whereisaaron]

• VPC main route table: no issue raised on CF coverage roadmap?

• IAM tags: AWS::IAM::Role (add tagging support) aws-cloudformation/cloudformation-coverage-roadmap#19

• EBS root volume tags: AWS::EC2::instance (specify TagSpecification in EBS BlockDeviceMapping) aws-cloudformation/cloudformation-coverage-roadmap#133

• EIP tags: AWS::EC2::EIP - support tagging aws-cloudformation/cloudformation-coverage-roadmap#84

• EKS tags: AWS::EKS::Cluster Tags aws-cloudformation/cloudformation-coverage-roadmap#200

• EKS logs: AWS::EKS::Cluster ClusterLogging aws-cloudformation/cloudformation-coverage-roadmap#208

• EKS endpoints: AWS::EKS::Cluster - ResourcesVpcConfig-endpointPrivateAccess aws-cloudformation/cloudformation-coverage-roadmap#118

• EKS upgrade bugs: [EKS] [bug]: CloudFormation Version upgrades can deadlock your stack aws/containers-roadmap#497

[whereisaaron]

It looks like IAM roles can now be tagged, is that all we need? https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-tags

Type: AWS::IAM::Role
Properties: 
  AssumeRolePolicyDocument: Json
  Description: String
  ManagedPolicyArns: 
    - String
  MaxSessionDuration: Integer
  Path: String
  PermissionsBoundary: String
  Policies: 
    - Policy
  RoleName: String
  Tags: 
    - Tag

[errordeveloper]

@whereisaaron yes, that would help, do they propagate stack tags also or only when explicitly set?

[whereisaaron]

@errordeveloper stack tag should propagate I think, if the docs are correct, but I have not tested.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html
"All stack-level tags, including automatically created tags, are propagated to resources that AWS CloudFormation supports. Currently, tags are not propagated to Amazon EBS volumes that are created from block device mappings."

[jimsmith]

Hello,

Having deployed CF template using the IAM Roles 'tags' https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-tags

I have found that the !Ref is not being honored.

This below works when it's hardcoded

Tags:
        - 
          Key: "keyname1"
          Value: "value1"
        - 
          Key: "keyname2"
          Value: "value2"

This below is not working and the same Parameter works for EC2 and Lambda resources.

Tags:
        - Key: Application
          Value: !Ref 'Application'
        - Key: Application
          Value: !Ref 'Application'

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[github-actions]

This issue was closed because it has been stalled for 5 days with no activity.

[duckie]

It appears that CloudFormaton cannot tag EKS control planes either. It is overlooked because worked around as a post creation task. Still, it is definitely a limitation.

aws/containers-roadmap#506