fix(stack): stack tags are separate from other tags (under feature flag) #31443
Conversation
Stacks are considered taggable, and so `Tags.of(this).add('key',
'value')` used to add tags to Stacks in scope. Usually this happens if
`this` is an instance of `Stack`, which it commonly is in user code.
Since `Tags.of(...)` walks the construct tree, it will add tags to the
stack *and* to all the resources in the stack. Then, come deploy time,
CloudFormation will also try and apply all the stack tags to the
resources again. This is silly and unnecessary.
In #28017, someone tries to use a CloudFormation intrisinc in a tag
applied using `Tags.of(this)`; that will work for resources as the tags
are rendered into the template, but it will not work for the stack
tags as those are passed via an API call, and intrinsics don't work
there.
IN THIS CHANGE
The *correct* solution to tagging all resources with an intrinsic
would be to tag each of them individually, as tagging a Stack
with an intrinsic is not possible. That's a poor user experience.
Resolve both the silly duplicate work as well as the "tagging with
an intrinsic" use case as follows:
- Stacks no longer participate in the hierarchical `Tags.of(...)`
tagging.
- Instead, only tags explicitly applied at the stack level (using
the `tags` constructor property) are renderd as stack tags.
This requires a user to make a conscious decision between resource-level
and stack-level tagging: either apply tags to the stack, which will
apply it to all resources; or apply tags to (groups of) resources inside
the template.
github-actions
bot
added
bug
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
rix0rrr
changed the title
rix0rrr
added
the
pr-linter/exempt-integ-test
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
I think this makes a lot of sense and it's the right think to address the fundamental flaw. My concern is the implementation is using a feature flag and otherwise sticks to the very cool but also super vague We could instead take this as an opportunity to deprecate the current aspect (and maybe add a warning/error to catch the unsupported use case) and implement the new feature as |
I considered this and was a bit worried about it. Under the new behavior, I suppose we could deprecate |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
aws-cdk-automation
added
the
pr/needs-maintainer-review
|
There's two other options:
I agree; it seems the only time you don't want it is when that tag contains a Token, so dropping the unresolved tokens would be nice; is that too much behavior hidden from users though? I don't think the |
I think silently ignoring what the user asks for is not great behavior.
Exactly 😉 |
|
As I thought, this would be harder to close. So I split off the most important bit to another PR: #31457 |
aws-cdk-automation
removed
the
pr/needs-maintainer-review
Stacks are considered taggable, and so
Tags.of(this).add('key', 'value')used to add tags to Stacks in scope. Usually this happens ifthisis an instance ofStack, which it commonly is in user code.Since
Tags.of(...)walks the construct tree, it will add tags to the stack and to all the resources in the stack. Then, come deploy time, CloudFormation will also try and apply all the stack tags to the resources again. This is silly and unnecessary.In #28017, someone tries to use a CloudFormation intrisinc in a tag applied using
Tags.of(this); that will work for resources as the tags are rendered into the template, but it will not work for the stack tags as those are passed via an API call, and intrinsics don't work there.In this change
The correct solution to tagging all resources with an intrinsic would be to tag each of them individually, as tagging a Stack with an intrinsic is not possible. That's a poor user experience.
Resolve both the silly duplicate work as well as the "tagging with an intrinsic" use case as follows:
Tags.of(...)tagging.tagsconstructor property) are rendered as stack tags.This requires a user to make a conscious decision between resource-level and stack-level tagging: either apply tags to the stack, which will apply it to all resources; or apply tags to (groups of) resources inside the template.
Another benefit is that for tags applied at the stack level, this will resolve the following issue: #15947, as resources "becoming" taggable all of a sudden will not affect the template anymore.
This change is under a feature flag,
@aws-cdk/core:explicitStackTags.Interested in thoughts
The duality of Stack tags vs resource tags, and the fact that we effectively try and tag all resources twice, has been a thorn in my side for a while. I took this issue as a chance to address that long-standing design flaw.
I can be convinced that it's too messy to explain, and not worth fixing (we haven't had complaints about this explicitly broken behavior in over 5 years), and we should just error out on the unresolvable tag and that's it.
Closes #28017.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license