fix(bootstrap): KMS keys cannot be tagged (#21975)

adrianmace · web-flow · commit 0e552dbb63a9 · 2023-01-11T11:01:13.000Z
This change allows IAM users and roles within the account to update and replace the tags on the provided KMS key. If the bootstrap command is run and custom tags are specified, these are added to the KMS key. If the command is run additional times with different tags, the key policy needs to allow the replacing / updating of these tags so that it succeeds. Fixes #21281 **Note for reviewer:** Due to performance limitations of my current device, I have been unable to test these changes. I welcome edits by maintainers as necessary. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -123,6 +123,8 @@ Resources:
               - kms:ScheduleKeyDeletion
               - kms:CancelKeyDeletion
               - kms:GenerateDataKey
+              - kms:TagResource
+              - kms:UntagResource
             Effect: Allow
             Principal:
               AWS:
diff --git a/packages/aws-cdk/test/integ/cli/bootstrapping.integtest.ts b/packages/aws-cdk/test/integ/cli/bootstrapping.integtest.ts
@@ -255,6 +255,29 @@ integTest('add tags, left alone on re-bootstrap', withDefaultFixture(async (fixt
   ]);
 }));
 
+integTest('can add tags then update tags during re-bootstrap', withDefaultFixture(async (fixture) => {
+  const bootstrapStackName = fixture.bootstrapStackName;
+
+  await fixture.cdkBootstrapModern({
+    verbose: true,
+    toolkitStackName: bootstrapStackName,
+    tags: 'Foo=Bar',
+    cfnExecutionPolicy: 'arn:aws:iam::aws:policy/AdministratorAccess',
+  });
+  await fixture.cdkBootstrapModern({
+    verbose: true,
+    toolkitStackName: bootstrapStackName,
+    tags: 'Foo=BarBaz',
+    cfnExecutionPolicy: 'arn:aws:iam::aws:policy/AdministratorAccess',
+    force: true,
+  });
+
+  const response = await fixture.aws.cloudFormation('describeStacks', { StackName: bootstrapStackName });
+  expect(response.Stacks?.[0].Tags).toEqual([
+    { Key: 'Foo', Value: 'BarBaz' },
+  ]);
+}));
+
 integTest('can deploy modern-synthesized stack even if bootstrap stack name is unknown', withDefaultFixture(async (fixture) => {
   const bootstrapStackName = fixture.bootstrapStackName;
 
