Tags: should error for duplicate tag keys #26253
Comments
Reporting the same issue here.
Related to #15343
Official docs on tagging state that tagging is case sensitive. If a service is not accepting tags that only vary in casing, then that should be a bug with the service.
So... this is actually worse then. I thought it was just a newly exposed edge case around Cfn, but instead it looks like this sounds like it's actually a CDK specific bug. From the above linked doc:
@pahud As far as this being a P2? AWS encourages enterprise customers to use ABAC based resource policies to manage access to resources. It is rare to see ABAC that doesn't focus around tags. This bug has caused 2 weeks of havoc just for us. I'm glad we contained it before it affected prod, but... the blast radius here is "every customer who uses ABAC", which is to say "every enterprise customer". @TheRealAmazonKendra FYI this is what we were talking about earlier today.
Please correct me if I'm not following properly, but I don't think CDK is doing anything wrong here - and instead you encountered a nasty bug with IAM / the CloudFormation implementation of If I perform the exact steps with instead lets say, a Lambda Function, then everything works and deploys exactly as expected. I can deploy both tags at once, or one at a time, and I can remove them in any order and the tags will always reflect what I defined in my CDK stack.
IAM documentation also states that tags are case sensitive. It would seem that the bug, if true, lives in CFN (assuming that IAM's service behavior is correctly documented).
Whaddaya know, my assumption that the service would be correctly documented is wrong:
Created a support case with IAM. Internal reference D88398323.
Yup, it's IAM.
So... where does the "Please note that Tag keys are case insensitive." message come from? Because it runs without erroring when I just tweak the role (this is what blew us up).
@ahammond it errors out if you deploy both tags at once. But it doesn't if you add them one at a time
The behavior by IAM is documented. Not at the top of the page, but somewhere in the middle of the page:
That makes it a CloudFormation issue since the
@rix0rrr this is the only case I know of where tag keys aren't case sensitive. If there are others, it might be worth building some kind of safety net into CDK. IDK how hard that would be (have the Tags code detect and warn when someone publishes two tags which would collide if case was ignored. Possibly limit this to only If there AREN'T others, I'd love to see pressure on the IAM team to conform their behaviour with the Rest of AWS. Because, OMG is this ever nasty.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html#id_tags_rules:
@ahammond - assuming we are not changing the current behaviour of IAM (escalated that to the relevant service team at AWS) and CDK is not validating tags on the client side (see my previous comment), do you believe that surfacing that via CDK (warning message, for example) will be beneficial for AWS customers?
@evgenyka any kind of warning would really help. Cdk is in a great position to protect customers from an otherwise pretty rough experience.
@evgenyka It looks like your previous comment only covers inconsistent behaviour for tag keys in IAM. What about other AWS services? For the rest of this conversation, I'm going to call "case sensitive key values" "normal" since that's what anyone reading the docs is likely to assume. For other services, are there any which aren't "normal"?
Honestly I don't think it's at all realistic to expect us to handle this. That requires somehow tracking and always keeping up to date exactly how each service implements tagging, and somehow applying that knowledge to all CfnResources with tagging. This should be up to CloudFormation and the implementation of CloudFormation resources to get right if the tagging for a resource differs from what the standard should be
Describe the bug
"Please note that Tag keys are case insensitive." We have developers who discovered the inconsistency around tag key case insensitivity the hard way.
Expected Behavior
Cdk should have errored out and refused in cases where tag names are only differentiated by case. Cfn should probably do this, too, but... protecting the user from the stupidity of Cfn is basically why Cdk exists.
Current Behavior
CDK will happily put tags all over the place. Your Cfn run will do different things depending on the resources involved. So you'll go and remove the duplicate tags, and Cdk will happily build the Cfn and then blammo, you don't have a tag. Hope you weren't doing ABAC or anything...
Reproduction Steps
https:/ahammond/repro-tag-collision-cdk
Possible Solution
Error when name collisions are detected.
Additional Information/Context
No response
CDK CLI Version
2.86.0 (build 1130fab)
Framework Version
same
Node.js Version
v16.20.0
OS
MacOS
Language
Typescript
Language Version
4.9.5
Other information
No response
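The safety net discussed in the comments and under "Possible Solution" (flag tag keys that differ only by case before deployment), sketched as an added example that is not CDK code or part of the original issue. `TaggedNode`, `TagCollision` and `findTagKeyCollisions` are hypothetical names, the tree is a simplified stand-in for a construct tree with scope-inherited tags, and the list of case-insensitive resource types is an assumption supplied by the caller.

```typescript
// Added example, not CDK code; all type and function names are hypothetical.
interface TaggedNode {
  path: string;                   // construct path
  cfnType?: string;               // set when the node is a CloudFormation resource
  tags?: Record<string, string>;  // tags applied at this scope
  children?: TaggedNode[];
}

interface TagCollision {
  path: string;
  keys: string[]; // keys that differ only by case
}

// Walk the tree, carrying tags down from each scope to its descendants, and
// report resources of a case-insensitive type whose effective keys collide.
function findTagKeyCollisions(
  node: TaggedNode,
  caseInsensitiveTypes: ReadonlySet<string>,
  inherited: Record<string, string> = {},
): TagCollision[] {
  const effective: Record<string, string> = { ...inherited, ...(node.tags ?? {}) };
  const found: TagCollision[] = [];
  if (node.cfnType !== undefined && caseInsensitiveTypes.has(node.cfnType)) {
    const byFolded = new Map<string, string[]>();
    for (const key of Object.keys(effective)) {
      const folded = key.toLowerCase();
      byFolded.set(folded, [...(byFolded.get(folded) ?? []), key]);
    }
    byFolded.forEach((keys) => {
      if (keys.length > 1) found.push({ path: node.path, keys: [...keys].sort() });
    });
  }
  for (const child of node.children ?? []) {
    found.push(...findTagKeyCollisions(child, caseInsensitiveTypes, effective));
  }
  return found;
}

// Constructed sample: "Team" is set on the app, "team" on two resources.
const sampleApp: TaggedNode = {
  path: "App",
  tags: { Team: "payments" },
  children: [
    { path: "App/Role", cfnType: "AWS::IAM::Role", tags: { team: "platform" } },
    { path: "App/Fn", cfnType: "AWS::Lambda::Function", tags: { team: "platform" } },
  ],
};
// Assumption: only IAM roles are treated as case-insensitive here.
const collisions = findTagKeyCollisions(sampleApp, new Set(["AWS::IAM::Role"]));
```

Only the role is reported, because the Lambda function's type is not in the case-insensitive set; failing synthesis on a non-empty result would stop the colliding keys from ever reaching a deployment that ABAC policies depend on.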