Skip to content

fix(core): ensure CloudFormation ChangeSets receive tags with explicitStackTags flag#35212

Closed
AkitoAndo wants to merge 2 commits intoaws:mainfrom
AkitoAndo:fix/changeset-tagging-regression
Closed

fix(core): ensure CloudFormation ChangeSets receive tags with explicitStackTags flag#35212
AkitoAndo wants to merge 2 commits intoaws:mainfrom
AkitoAndo:fix/changeset-tagging-regression

Conversation

@AkitoAndo
Copy link
Copy Markdown

@AkitoAndo AkitoAndo commented Aug 12, 2025

Issue # (if applicable)

Closes #35137.

Reason for this change

A regression was introduced in v2.205.0 where CloudFormation ChangeSets stopped receiving tags when
the @aws-cdk/core:explicitStackTags feature flag is enabled. This breaks deployments in
environments with SCP (Service Control Policy) policies that require specific tags to be present on
ChangeSets for compliance and governance purposes.

Description of changes

Root Cause:
The explicitStackTags feature flag automatically adds aws:cdk:stack to the excludeResourceTypes
array when using Tags.of(stack).add(), which prevents tags from being applied to the stack itself.
While this correctly prevents duplicate tagging of resources, it also prevents ChangeSets from
receiving the necessary tags.

Solution:

  1. Added new applyToChangeSets property to TagProps interface (default: true)

    • Allows explicit control over whether tags should be applied to ChangeSets
    • Maintains backward compatibility by defaulting to true

  2. Enhanced Tags.of(stack).add() method to handle ChangeSet tagging

    • When explicitStackTags is enabled and applyToChangeSets is true (default), tags are
      applied directly to the stack using addStackTag()
    • This ensures ChangeSets receive the required tags while still preventing resource duplication
    • Users can set applyToChangeSets: false to disable this behavior if needed

  3. Added comprehensive unit tests to verify the fix works correctly in all scenarios

Design Decisions:

  • Opt-out approach: applyToChangeSets defaults to true to maintain existing behavior and fix
    the regression automatically
  • Minimal API surface: Only one new optional property added to existing interface
  • Backward compatibility: Existing code continues to work without changes
  • Explicit control: Advanced users can disable ChangeSet tagging if needed

Alternatives considered and rejected:

  • Modifying the feature flag behavior: Would break the intended separation of stack vs resource
    tags
  • Automatic detection of SCP policies: Too complex and environment-dependent
  • Always including aws:cdk:stack in includeResourceTypes: Would re-introduce the duplicate
    tagging problem

Describe any new or updated permissions being added

No new IAM permissions are required. This change only affects how existing tags are applied to
CloudFormation ChangeSets.

Description of how you validated changes

Unit Tests Added:

  • Verified tags are applied to ChangeSets when explicitStackTags is enabled
  • Tested applyToChangeSets: false explicitly disables ChangeSet tagging
  • Confirmed legacy behavior is maintained when explicitStackTags is disabled
  • Verified direct stack tagging with addStackTag() continues to work
  • Tested mixed tagging approaches work together correctly
  • Added test for token handling in tags with appropriate warnings

Manual Testing:

  • Tested with CDK apps using the explicitStackTags feature flag
  • Verified ChangeSets receive proper tags in the CloudFormation console
  • Confirmed resources don't receive duplicate tags from both template and stack propagation

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the
Apache-2.0 license

@AkitoAndo AkitoAndo requested a review from a team as a code owner August 12, 2025 02:40
@github-actions github-actions bot added the beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK label Aug 12, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team August 12, 2025 02:40
@github-actions github-actions bot added bug This issue is a bug. p2 labels Aug 12, 2025
aws-cdk-automation
aws-cdk-automation previously requested changes Aug 12, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(This review is outdated)

@AkitoAndo AkitoAndo force-pushed the fix/changeset-tagging-regression branch from 51ef95b to c5741d2 Compare August 12, 2025 02:50
fix(core): ensure CloudFormation ChangeSets receive tags with explici…
fc7663b 
…tStackTags flag

When the @aws-cdk/core:explicitStackTags feature flag was introduced in v2.205.0,
it inadvertently caused CloudFormation ChangeSets to not receive stack tags,
breaking deployments with SCP policies requiring tags on ChangeSets.

This fix adds a new property 'applyToChangeSets' to TagProps (default: true) that
ensures tags are still applied to the stack for ChangeSet purposes, while maintaining
the correct behavior of not duplicating tags on resources.

Fixes regression introduced in v2.205.0 where ChangeSets lost their tags.
@AkitoAndo AkitoAndo force-pushed the fix/changeset-tagging-regression branch from c5741d2 to fc7663b Compare August 12, 2025 03:24
@aws-cdk-automation aws-cdk-automation dismissed their stale review August 12, 2025 03:25

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@github-actions github-actions bot mentioned this pull request Sep 1, 2025
Closed
rix0rrr
rix0rrr requested changes Nov 11, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@rix0rrr rix0rrr left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, the diagnosis is:

  • When the feature flag is set, we don't apply resource tags to Stacks. Instead, you need to set the Stack tags explicitly.

And the proposed remedy is:

  • We add another flag to apply resource tags to stacks again.
  • But we name it to be about "change sets" instead of about stacks.

Apart from the poor naming of the flag, this is all against the purpose of explicit stack tags.

The point of explicit stack tags, is that if you want to apply a tag to the Stack, you do it explicitly using the tags argument of the Stack properties:

new Stack(this, 'Stack', {
  // Explicitly set the stack tags
  tags: {
    MyTag: 'MyValue',
  }
});

So there isn't really a problem, the old effect can still be achieved.

And if you really want the old behavior where resource tags are implicitly applied to stacks as well, set the feature flag to false (although this would not be my recommended solution).

@rix0rrr rix0rrr closed this Nov 11, 2025
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Nov 11, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 11, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@rix0rrr rix0rrr rix0rrr requested changes

@aws-cdk-automation aws-cdk-automation Awaiting requested review from aws-cdk-automation

Assignees

No one assigned

Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. p2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

v2.205.0: unable to create changeset that requires tags

5 participants

@AkitoAndo @rix0rrr @aws-cdk-automation @Abogical @pahud