Stack: Tag propagation #33945

Open
1 task
YuriGal opened this issue Mar 27, 2025 · 3 comments · May be fixed by #31443
Labels
bug This issue is a bug. effort/medium Medium work item – several days of effort p1 package/tools Related to AWS CDK Tools or CLI

Comments

YuriGal commented Mar 27, 2025

Describe the bug

When tags are applied at the stack level, they propagate to all children, which is fine, but in some cases some children must be excluded. E.g. some resources may not be taggable in GovCloud, and an attempt to tag them will throw an exception. Or adding tags will force the resource to be deleted and re-created, which is not desirable.

Using the prop excludeResourceTypes while adding tags, or includeResourceTypes while removing them, has no effect when applied at the stack level. Neither does addPropertyDeletionOverride('Tags') at the resource level. By "no effect" I mean tags are removed from the resource in the synthesized template, but will still appear on the deployed resource.

Is there any way to skip some resources from being tagged when tags are applied at the stack level?

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.178.1

Expected Behavior

Specified resource should not be tagged when tags are applied at stack level.

Current Behavior

All stack's resources are tagged when tags are applied at stack level.

Reproduction Steps

Try something like

Tags.of(stack).add('key', 'value', {
  excludeResourceTypes: ['AWS::S3::Bucket']
});

on a stack that has buckets. Tag will be applied anyway.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.178.1 (build ae342cb)

Framework Version

No response

Node.js Version

v20.12.2

OS

MacOS Sonoma 14.7.3

Language

TypeScript

Language Version

No response

Other information

No response

@YuriGal YuriGal added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 27, 2025
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Mar 27, 2025
@pahud pahud self-assigned this Mar 27, 2025
Contributor

pahud commented Mar 27, 2025

PoC

From my test using the following code, Tags.of(stack) would enable the CFN stack-level tagging, which implicitly propagates to all child resources regardless of excludeResourceTypes.

import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as sqs from 'aws-cdk-lib/aws-sqs';
import { Construct } from 'constructs';
import { Tags } from 'aws-cdk-lib';

export class TagTestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Create an S3 bucket
    const bucket = new s3.Bucket(this, 'TestBucket', {
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      autoDeleteObjects: true,
    });

    // Create an SQS queue
    const queue = new sqs.Queue(this, 'TestQueue');

    // Add a tag to the stack with S3 bucket exclusion
    Tags.of(this).add('key', 'value', {
      excludeResourceTypes: ['AWS::S3::Bucket']
    });
  }
}

Affected Source Code

In aws-cdk-cli/packages/aws-cdk/lib/cli/cdk-toolkit.ts

// Inside the deployStack function within the CdkToolkit class:

let tags = options.tags; // Tags from --tags CLI argument
if (!tags || tags.length === 0) {
  // If no CLI tags, fallback to tags from the stack artifact
  tags = tagsForStack(stack); // tagsForStack reads stack.tags (populated by Tags.of(stack))
}

// ... later in the function ...

// Pass the collected 'tags' to the deployment engine
const r = await this.props.deployments.deployStack({
  stack,
  // ... other parameters ...
  tags, // <-- These become stack-level tags in CloudFormation
  // ... other parameters ...
});

This code explicitly shows that if no tags are provided via the --tags CLI option, the CDK CLI uses tagsForStack(stack) to get tags associated with the stack artifact (which includes those added via Tags.of(stack)). These tags are then passed to the deployment engine and applied as stack-level tags to CloudFormation. This triggers CloudFormation's automatic tag propagation, overriding any excludeResourceTypes defined in the CDK code, thus explaining the behavior observed in this issue.

Reflection

I think we need to clarify:

  1. In CDK, which behaviors would enable the CFN stack-level tagging and invoke the CloudFormation SDK call from CDK CLI on cdk deploy.
  2. From the investigation and test above, Tags.of(stack) would enable stack-level tagging as well. Is this expected? If yes, we should specify this explicitly in Tags document.
  3. When stack-level tagging is enabled, does excludeResourceTypes still work? From my test above, it doesn't work anymore. Should CDK throw an error?

@pahud pahud added p1 and removed needs-triage This issue or PR still needs to be triaged. labels Mar 27, 2025
@pahud pahud removed their assignment Mar 27, 2025
@pahud pahud added the effort/medium Medium work item – several days of effort label Mar 27, 2025
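
An added example, not part of the issue thread or the CDK code base: a simplified model of the behaviour described in the comment above, usable as a check on a synthesized template. It reports resources of an excluded type that have no tag in the template but would still receive it through stack-level propagation. The function names, the sample template and the assumption that the excluded types are taggable are all hypothetical.

```typescript
// Added example: simplified model, not CDK or CloudFormation code.
type TagMap = { [key: string]: string };
interface CfnResource { Type: string; Properties?: { [name: string]: unknown } }
interface CfnTemplate { Resources: { [logicalId: string]: CfnResource } }
interface Violation { logicalId: string; type: string; tagKeys: string[] }

// Mirrors the fallback quoted from cdk-toolkit.ts: --tags wins, otherwise
// the tags recorded on the stack artifact (populated by Tags.of(stack)).
function resolveStackTags(cliTags: TagMap | undefined, artifactTags: TagMap): TagMap {
  return cliTags && Object.keys(cliTags).length > 0 ? cliTags : artifactTags;
}

// Template tags are either a [{ Key, Value }] list or a { key: value } map.
function templateTagKeys(res: CfnResource): string[] {
  const tags = res.Properties ? res.Properties['Tags'] : undefined;
  if (Array.isArray(tags)) {
    return tags.filter(t => t && typeof t.Key === 'string').map(t => t.Key as string);
  }
  return tags && typeof tags === 'object' ? Object.keys(tags as object) : [];
}

// Resources of an excluded type whose template carries no such tag, but which
// stack-level tags would still reach at deploy time (assumes the type is taggable).
function exclusionViolations(
  template: CfnTemplate, stackTags: TagMap, excludedTypes: string[],
): Violation[] {
  const out: Violation[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (excludedTypes.indexOf(res.Type) === -1) continue;
    const present = templateTagKeys(res);
    const tagKeys = Object.keys(stackTags).filter(k => present.indexOf(k) === -1);
    if (tagKeys.length > 0) out.push({ logicalId, type: res.Type, tagKeys });
  }
  return out;
}

// Constructed sample shaped like the PoC stack; not real synth output.
const sampleTemplate: CfnTemplate = {
  Resources: {
    TestBucket: { Type: 'AWS::S3::Bucket' }, // excluded, so no Tags in the template
    TestQueue: { Type: 'AWS::SQS::Queue', Properties: { Tags: [{ Key: 'key', Value: 'value' }] } },
  },
};
const sampleStackTags = resolveStackTags(undefined, { key: 'value' });
const sampleViolations = exclusionViolations(sampleTemplate, sampleStackTags, ['AWS::S3::Bucket']);
console.log(JSON.stringify(sampleViolations));
```
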
Author

YuriGal commented Mar 28, 2025

Thank you for the detailed clarification, this really helps. So, automatic tag propagation happens because the CDK tool passes tags to CloudFormation, and CloudFormation propagates them to all of the stack's resources.

Is there a way to override this behavior in the tool? If there is we can use CDK aspects to granularly apply tags to actual resources in the template - this would give us a greater degree of control.

Contributor

pahud commented Mar 28, 2025

> Is there a way to override this behavior in the tool? If there is we can use CDK aspects to granularly apply tags to actual resources in the template - this would give us a greater degree of control.

Yes, the team is aware of this issue and should propose a workaround as well as a solution. I've requested input for this issue from the team and marked this issue as p1. Thank you for bringing this to our attention.
