aws-ssm: update Parameter Store Tags without overwriting the values #25949

Closed
adam-nielsen opened this issue Jun 13, 2023 · 4 comments
Labels
@aws-cdk/aws-ssm Related to AWS Systems Manager effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@adam-nielsen

Describe the bug

If you change tags for a Parameter Store entry via CDK, the current value gets overwritten with the original value. This causes any passwords etc. that have been entered into Parameter Store entries to be lost.

If you perform the same tag change via the AWS CLI or AWS Console, the value is left unchanged and no data is lost.

Expected Behavior

The Parameter Store value should be left unchanged when it is not being modified in the CDK stack.

Current Behavior

The Parameter Store value is changed back to whatever is specified in the CDK template. It is not possible to omit it from the CDK template as it is mandatory.

Reproduction Steps

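import { Tags } from 'aws-cdk-lib';
import * as ssm from 'aws-cdk-lib/aws-ssm';

// Inside a Stack or Construct constructor; `scope` is the construct being tagged.
const param = new ssm.StringParameter(this, `ssm`, {
	parameterName: `/example`,
	stringValue: 'TODO', // placeholder, replaced by hand after the first deployment
	tier: ssm.ParameterTier.STANDARD,
});
Tags.of(scope).add('SampleTag', 'SampleValue');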

Deploy that, and a Parameter Store value will be created called /example with the value TODO.

Go into the AWS Console and change the value from TODO to something else, as you would normally do once you are given a password etc. for the system to use.

Then change the CDK template, to modify SampleValue to SampleValue2. This should update the tag, without changing the actual Parameter Store entry.

Observe that after deploying the updated stack, the value has returned to TODO, causing the value you entered earlier to be lost.

Possible Solution

Since the AWS Console can modify tags without disrupting the current value, CDK should use the same method to deploy updates to tags without changing the current value of the Parameter Store entry.

Additional Information/Context

No response

CDK CLI Version

2.83.0 (build 0fd7f2b)

Framework Version

No response

Node.js Version

Any

OS

Linux

Language

Typescript

Language Version

Any

Other information

No response

@adam-nielsen adam-nielsen added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 13, 2023
@github-actions github-actions bot added the @aws-cdk/aws-ssm Related to AWS Systems Manager label Jun 13, 2023
@pahud
Contributor

pahud commented Jun 13, 2023

This is because when you update the Tags property of the secret, CloudFormation triggers a resource update for you, and it will fix the drift if you previously modified its value from the CLI or console after the initial deployment. When you modify Tags in the AWS console, it literally updates the Tags value through the SDK and other properties will be untouched.

I think it's an expected behavior of how CloudFormation works. If we really need to update Tags with everything else untouched, we probably need to implement a custom resource or something like hotswap that just updates the Tags and bypasses the CloudFormation deployment.

@pahud pahud added feature-request A feature should be added or improved. p2 effort/medium Medium work item – several days of effort and removed bug This issue is a bug. labels Jun 13, 2023
@pahud pahud changed the title aws-ssm: Parameter Store values overwritten when tags changed aws-ssm: update Parameter Store Tags without overwriting the values Jun 13, 2023
@pahud pahud removed the needs-triage This issue or PR still needs to be triaged. label Jun 13, 2023
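
Added example, not part of the issue thread or the CDK code base: a pre-deploy check in TypeScript that compares the deployed template with the newly synthesized one and lists `AWS::SSM::Parameter` resources whose update, as described in the comment above, would write the template's value over a value changed outside CloudFormation. `findValueResets`, the sample templates and the `liveValues` map are constructed for illustration; a real run would fill them from the deployed stack's template, the synthesized template and the parameters' current values.

```typescript
// Added example: only the template fields this check reads.
interface CfnResource { Type: string; Properties?: Record<string, unknown>; }
interface CfnTemplate { Resources: Record<string, CfnResource>; }
interface Finding { logicalId: string; name: string; changedProps: string[]; }

// Key-order-independent serialisation, so a reordered Tags map is not a change.
function canonical(v: unknown): string {
  if (Array.isArray(v)) return `[${v.map(canonical).join(',')}]`;
  if (v !== null && typeof v === 'object') {
    const o = v as Record<string, unknown>;
    return `{${Object.keys(o).sort().map(k => `${JSON.stringify(k)}:${canonical(o[k])}`).join(',')}}`;
  }
  return String(JSON.stringify(v));
}

// SSM parameters that the next deployment updates (any property differs) while the
// live value no longer matches the template's Value: these get reset on deploy.
function findValueResets(deployed: CfnTemplate, next: CfnTemplate,
                         liveValues: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(next.Resources)) {
    const res = next.Resources[logicalId];
    const before = deployed.Resources[logicalId];
    if (res.Type !== 'AWS::SSM::Parameter' || !before) continue; // new resources have nothing to lose
    const now = res.Properties ?? {};
    const old = before.Properties ?? {};
    const changedProps = Object.keys({ ...old, ...now })
      .filter(k => canonical(now[k]) !== canonical(old[k])).sort();
    if (changedProps.length === 0) continue; // no update, so the live value is left alone
    const name = String(now['Name']);
    const live = liveValues[name];
    // Report names only, never the live value, so the result is safe to log in CI.
    if (live !== undefined && live !== String(now['Value'])) findings.push({ logicalId, name, changedProps });
  }
  return findings;
}

// Constructed sample mirroring the reproduction steps: only the tag value changes.
const mk = (tag: string): CfnTemplate => ({ Resources: {
  ssmParam: { Type: 'AWS::SSM::Parameter', Properties: {
    Name: '/example', Type: 'String', Value: 'TODO', Tier: 'Standard', Tags: { SampleTag: tag } } },
  untouched: { Type: 'AWS::SSM::Parameter', Properties: { Name: '/other', Type: 'String', Value: 'TODO' } },
} });
const liveValues = { '/example': 'constructed-live-value', '/other': 'constructed-live-value-2' };
const resets = findValueResets(mk('SampleValue'), mk('SampleValue2'), liveValues);
console.log(resets); // [{ logicalId: 'ssmParam', name: '/example', changedProps: ['Tags'] }]
```

The `untouched` parameter also drifted from its template value but is not reported, because none of its properties changed and so no update is issued for it.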
@peterwoodworth
Contributor

Yeah this is just how deploying CloudFormation templates works - they are deterministic, so if you specify your StringParameter to be this way, then it will be this way after deployment.

@pahud I don't think we'll offer a way to work around this, since you probably shouldn't be planning to introduce drift in your app.

@adam-nielsen if you have further concerns, please open a discussion

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@adam-nielsen
Author

Discussion opened: #26033
