cdk-toolkit: cdk diff failed to create a ChangeSet due to missing tagging #33316

Closed
1 task
yukinakanaka opened this issue Feb 6, 2025 · 3 comments · Fixed by #33340
Assignees
Labels
bug This issue is a bug. effort/medium Medium work item – several days of effort p1 package/tools Related to AWS CDK Tools or CLI

Comments

@yukinakanaka

Describe the bug

Since #28336 was merged, cdk diff now creates a ChangeSet to provide more accurate diffs, rather than simply comparing templates.

However, cdk diff is unable to create a ChangeSet if the IAM Role is not permitted to create a ChangeSet without tags.

Example

cdk diff stack-foo -v

[17:41:12] Attempting to create ChangeSet with name cdk-diff-change-set for stack stack-foo
[17:41:13] User: arn:aws:sts::AWS_ACCOUNT_ID:assumed-role/DeployRole is not authorized to perform: cloudformation:CreateChangeSet on resource: arn:aws:cloudformation:us-east-1:AWS_ACCOUNT_ID:stack/stack-foo/xxxx with an explicit deny in an identity-based policy

Could not create a change set, will base the diff on template differences (run again with -v to see the reason)

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

cdk diff can create a ChangeSet and show the diff.

Current Behavior

cdk diff cannot create a ChangeSet, and it shows diffs based on template differences.

Reproduction Steps

  • Add a deny statement to the DeployRole.

    {
      Sid: `DenyCfnActionsWithoutFooTag`,
      Effect: 'Deny',
      Action: [
        'cloudformation:CreateChangeSet',
        'cloudformation:CreateStack',
        'cloudformation:UpdateStack'
      ],
      Resource: '*',
      Condition: {
        'ForAllValues:StringNotEquals': {
          'aws:TagKeys': 'Foo'
        }
      }
    }

  • Add a tag to a stack.

    const stack = new Stack(app, 'MyStack', {
      tags: {
        'Foo': 'tag-value',
      },
    });

  • Run cdk diff.

    cdk diff stack-foo -v

Possible Solution

Add the Tags option here.

const changeSet = await options.cfn.createChangeSet({
  StackName: options.stack.stackName,
  ChangeSetName: options.changeSetName,
  ChangeSetType: options.resourcesToImport ? 'IMPORT' : options.exists ? 'UPDATE' : 'CREATE',
  Description: `CDK Changeset for diff ${options.uuid}`,
  ClientToken: `diff${options.uuid}`,
  TemplateURL: options.bodyParameter.TemplateURL,
  TemplateBody: options.bodyParameter.TemplateBody,
  Parameters: stackParams.apiParameters,
  ResourcesToImport: options.resourcesToImport,
  RoleARN: options.role,
  Capabilities: ['CAPABILITY_IAM', 'CAPABILITY_NAMED_IAM', 'CAPABILITY_AUTO_EXPAND'],
});

Additional Information/Context

cdk deploy stack-foo --no-execute can create a ChangeSet because it uses the Tags option.

const changeSet = await this.cfn.createChangeSet({
  StackName: this.stackName,
  ChangeSetName: changeSetName,
  ChangeSetType: this.options.resourcesToImport ? 'IMPORT' : this.update ? 'UPDATE' : 'CREATE',
  ResourcesToImport: this.options.resourcesToImport,
  Description: `CDK Changeset for execution ${this.uuid}`,
  ClientToken: `create${this.uuid}`,
  ImportExistingResources: importExistingResources,
  ...this.commonPrepareOptions(),
});

private commonPrepareOptions(): Partial<Pick<UpdateStackCommandInput, CommonPrepareOptions>> {
  return {
    Capabilities: ['CAPABILITY_IAM', 'CAPABILITY_NAMED_IAM', 'CAPABILITY_AUTO_EXPAND'],
    NotificationARNs: this.options.notificationArns,
    Parameters: this.stackParams.apiParameters,
    RoleARN: this.options.roleArn,
    TemplateBody: this.bodyParameter.TemplateBody,
    TemplateURL: this.bodyParameter.TemplateURL,
    Tags: this.options.tags,
  };
}

CDK CLI Version

cdk version 2.177.0 (build b396961)

Framework Version

No response

Node.js Version

v22.3.0

OS

MacOS

Language

TypeScript

Language Version

TypeScript(~5.6.3)

Other information

No response
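Added example (not code from the CDK CLI or from the reporter): it builds the diff ChangeSet input with the Tags option the report asks for, and simulates the deny statement's ForAllValues:StringNotEquals check on aws:TagKeys so the two outcomes above (untagged request denied, Foo-tagged request allowed) can be reproduced offline. The input shape is a reduced stand-in for the SDK's CreateChangeSet input, and buildDiffChangeSetInput is a hypothetical helper, not the toolkit's own function.

```typescript
// Reduced stand-in for the SDK's CreateChangeSetCommandInput (assumption: only
// the fields relevant to this report are modelled).
interface CfnTag { Key: string; Value: string }

interface ChangeSetInput {
  StackName: string;
  ChangeSetName: string;
  ChangeSetType: 'CREATE' | 'UPDATE' | 'IMPORT';
  Tags?: CfnTag[];
}

// Stack tags as CDK keeps them (plain key/value object) -> CloudFormation's Tag list.
function toCfnTags(tags: Record<string, string> | undefined): CfnTag[] | undefined {
  if (!tags) return undefined;
  return Object.entries(tags).map(([Key, Value]) => ({ Key, Value }));
}

// Hypothetical helper mirroring the diff path, with the Tags option added.
function buildDiffChangeSetInput(opts: {
  stackName: string;
  exists: boolean;
  tags?: Record<string, string>;
}): ChangeSetInput {
  return {
    StackName: opts.stackName,
    ChangeSetName: 'cdk-diff-change-set',
    ChangeSetType: opts.exists ? 'UPDATE' : 'CREATE',
    Tags: toCfnTags(opts.tags), // the missing piece in the current diff path
  };
}

// Simulates the report's deny statement: ForAllValues:StringNotEquals on
// aws:TagKeys. IAM evaluates ForAllValues as true when every request value
// misses all policy values, and also when the key is absent from the request,
// which is why an untagged CreateChangeSet call hits the explicit deny.
function denyApplies(input: ChangeSetInput, policyTagKeys: string[]): boolean {
  const requestKeys = (input.Tags ?? []).map((t) => t.Key);
  return requestKeys.every((k) => !policyTagKeys.includes(k));
}
```

Passing the stack's tags through to the diff request makes the request carry the key the condition looks for, matching what the deploy path already does.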

@yukinakanaka yukinakanaka added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 6, 2025
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Feb 6, 2025
@yukinakanaka yukinakanaka changed the title cdk-toolkit: cdk diff failed to create a ChangeSet due to missing tagging. cdk-toolkit: cdk diff failed to create a ChangeSet due to missing tagging Feb 6, 2025
@pahud pahud self-assigned this Feb 6, 2025
@pahud
Contributor

pahud commented Feb 6, 2025

Thank you for your detailed feedback. I'm making this a p1 and we'll look into it immediately.

@pahud pahud added p1 effort/medium Medium work item – several days of effort labels Feb 6, 2025
@pahud pahud removed their assignment Feb 6, 2025
@pahud pahud removed the needs-triage This issue or PR still needs to be triaged. label Feb 6, 2025
@mergify mergify bot closed this as completed in #33340 Feb 7, 2025
@mergify mergify bot closed this as completed in f1d9a7d Feb 7, 2025

github-actions bot commented Feb 7, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.


@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 7, 2025