AkitoAndo
Issue # (if applicable)

Closes #35137.

Reason for this change

A regression was introduced in v2.205.0 where CloudFormation ChangeSets stopped receiving tags when
the @aws-cdk/core:explicitStackTags feature flag is enabled. This breaks deployments in
environments with SCP (Service Control Policy) policies that require specific tags to be present on
ChangeSets for compliance and governance purposes.

Description of changes

Root Cause:
The explicitStackTags feature flag automatically adds aws:cdk:stack to the excludeResourceTypes
array when using Tags.of(stack).add(), which prevents tags from being applied to the stack itself.
While this correctly prevents duplicate tagging of resources, it also prevents ChangeSets from
receiving the necessary tags.

Solution:

  1. Added new applyToChangeSets property to TagProps interface (default: true)

    • Allows explicit control over whether tags should be applied to ChangeSets
    • Maintains backward compatibility by defaulting to true
  2. Enhanced Tags.of(stack).add() method to handle ChangeSet tagging

    • When explicitStackTags is enabled and applyToChangeSets is true (default), tags are
      applied directly to the stack using addStackTag()
    • This ensures ChangeSets receive the required tags while still preventing resource duplication
    • Users can set applyToChangeSets: false to disable this behavior if needed
  3. Added comprehensive unit tests to verify the fix works correctly in all scenarios

Design Decisions:

  • Opt-out approach: applyToChangeSets defaults to true to maintain existing behavior and fix
    the regression automatically
  • Minimal API surface: Only one new optional property added to existing interface
  • Backward compatibility: Existing code continues to work without changes
  • Explicit control: Advanced users can disable ChangeSet tagging if needed

Alternatives considered and rejected:

  • Modifying the feature flag behavior: Would break the intended separation of stack vs resource
    tags
  • Automatic detection of SCP policies: Too complex and environment-dependent
  • Always including aws:cdk:stack in includeResourceTypes: Would re-introduce the duplicate
    tagging problem

Describe any new or updated permissions being added

No new IAM permissions are required. This change only affects how existing tags are applied to
CloudFormation ChangeSets.

Description of how you validated changes

Unit Tests Added:

  • Verified tags are applied to ChangeSets when explicitStackTags is enabled
  • Tested applyToChangeSets: false explicitly disables ChangeSet tagging
  • Confirmed legacy behavior is maintained when explicitStackTags is disabled
  • Verified direct stack tagging with addStackTag() continues to work
  • Tested mixed tagging approaches work together correctly
  • Added test for token handling in tags with appropriate warnings

Manual Testing:

  • Tested with CDK apps using the explicitStackTags feature flag
  • Verified ChangeSets receive proper tags in the CloudFormation console
  • Confirmed resources don't receive duplicate tags from both template and stack propagation

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the
Apache-2.0 license
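
Added example, not part of the pull request and not CDK code: a minimal model of why a ChangeSet request that carries no tags is rejected under the kind of SCP described above. It assumes the SCP enforces tags with aws:RequestTag conditions on cloudformation:CreateChangeSet; the policy, tag keys and requests are constructed samples, and tag keys are matched exactly as a simplification.

```typescript
// Added example, not CDK code: a minimal model of how SCP Deny statements with
// aws:RequestTag conditions evaluate a CreateChangeSet request.
type Tags = { [key: string]: string };
interface DenyStatement {
  Effect: "Deny";
  Action: string[];
  // Only the two operators typically used for tag enforcement are modelled.
  Condition: {
    Null?: { [conditionKey: string]: "true" | "false" };
    StringNotEquals?: { [conditionKey: string]: string[] };
  };
}

const PREFIX = "aws:RequestTag/";

// Constructed policy: CostCenter must be present, Environment must be approved.
const sampleScp: DenyStatement[] = [
  { Effect: "Deny", Action: ["cloudformation:CreateChangeSet"],
    Condition: { Null: { "aws:RequestTag/CostCenter": "true" } } },
  { Effect: "Deny", Action: ["cloudformation:CreateChangeSet"],
    Condition: { StringNotEquals: { "aws:RequestTag/Environment": ["prod", "staging"] } } },
];

// Returns the indexes of the Deny statements that match the request.
// Keys inside one operator are ANDed, and so are the operators of a statement.
function denyingStatements(action: string, requestTags: Tags, scp: DenyStatement[]): number[] {
  const hits: number[] = [];
  scp.forEach((st, i) => {
    if (st.Action.indexOf(action) === -1) return;
    const nullCond = st.Condition.Null || {};
    const neCond = st.Condition.StringNotEquals || {};
    const nullMatches = Object.keys(nullCond).every((k) => {
      const absent = requestTags[k.slice(PREFIX.length)] === undefined;
      return absent === (nullCond[k] === "true");
    });
    // A negated operator also matches when the tag is absent from the request.
    const neMatches = Object.keys(neCond).every((k) => {
      const value = requestTags[k.slice(PREFIX.length)];
      return value === undefined || neCond[k].indexOf(value) === -1;
    });
    if (nullMatches && neMatches) hits.push(i);
  });
  return hits;
}

// Constructed requests: the regression case (no tags reach the ChangeSet) and a tagged one.
const untagged = denyingStatements("cloudformation:CreateChangeSet", {}, sampleScp);
const tagged = denyingStatements("cloudformation:CreateChangeSet",
  { CostCenter: "cc-1234", Environment: "prod" }, sampleScp);
console.log({ untagged, tagged });
```

An empty result means no Deny statement matched; the untagged request matches both statements because the Null check sees a missing key and StringNotEquals also matches an absent tag.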

@AkitoAndo AkitoAndo requested a review from a team as a code owner August 12, 2025 02:40
@github-actions github-actions bot added the beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK label Aug 12, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team August 12, 2025 02:40
@github-actions github-actions bot added bug This issue is a bug. p2 labels Aug 12, 2025
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

(This review is outdated)

@AkitoAndo AkitoAndo force-pushed the fix/changeset-tagging-regression branch from 51ef95b to c5741d2 Compare August 12, 2025 02:50
…tStackTags flag

When the @aws-cdk/core:explicitStackTags feature flag was introduced in v2.205.0,
it inadvertently caused CloudFormation ChangeSets to not receive stack tags,
breaking deployments with SCP policies requiring tags on ChangeSets.

This fix adds a new property 'applyToChangeSets' to TagProps (default: true) that
ensures tags are still applied to the stack for ChangeSet purposes, while maintaining
the correct behavior of not duplicating tags on resources.

Fixes regression introduced in v2.205.0 where ChangeSets lost their tags.
@AkitoAndo AkitoAndo force-pushed the fix/changeset-tagging-regression branch from c5741d2 to fc7663b Compare August 12, 2025 03:24
@aws-cdk-automation aws-cdk-automation dismissed their stale review August 12, 2025 03:25

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

Successfully merging this pull request may close these issues.

v2.205.0: unable to create changeset that requires tags