How do I modify my CloudFormation template tags so that they match my resource tags?

Resolution

Check the affected stacks for drift

Complete the following steps:

1. Open the AWS Health Dashboard to get your affected resource's data.
2. Detect drift on your CloudFormation stack, and review the drift results.
   Note: For more information about drift detection, see Resource type support and Detect drift on individual stack resources.
3. If your resource's drift status is MODIFIED, then select the resource and choose View drift details to review the differences.

Match resource tags for resources that support drift detection

For resources that support drift detection, you can match template tags with your resource tags in the following scenarios:

• A resource's drift status is MODIFIED and the resource supports drift detection.
• Resources have tag changes with the REMOVE difference-type status code.
• A resource has a tag change that isn't labeled REMOVE, and each tag key in Actual is within Expected.

Important: The following steps temporarily remove stack-level tags from other resources. If your services rely on stack-level tags, then modify the tags on the resource.

To match your resources tags, complete the following steps:

1. Save a copy of your original CloudFormation template.
2. In the copied CloudFormation template, delete resource-level tags that have the REMOVE label.
3. Update the stack with the new template, and then delete stack-level tags that have the REMOVE label.
   Important: Make sure that you reapply the tags that failed.
4. Change back to the original template, and then redeploy the template with the stack-level tags added.

Modify the tags on the resource

You can modify the tags on a resource in the following scenarios:

• A resource has a tag change that's labeled REMOVE. The resource's tag change shows that the tag keys in the Expected state aren't in the Actual state.
• A resource has a tag change that isn't labeled REMOVE. The tag keys are in both the Expected and Actual states but with different values.

Based on the drift detection details, take the following actions on the resource:

• Add each tag key and value that's listed under Expected and missing from Actual.
• Remove each tag key that's listed under Actual and missing under Expected.
• For each tag key that's listed under Expected and Actual and has a different value, update the tags to Expected.

To modify the tags on the resource, complete the following steps:

1. Open the CloudFormation console.
2. In the navigation pane, choose Stacks, and then select your stack.
3. Choose Resources, and then choose the Physical ID link of the affected resource.
4. In the resource's Tags section, manually add, remove, or update each tag. The tags must match the state that's listed under Expected in the drift details.
5. Choose Save.

To verify that the stack and resources match, it's a best practice to perform the drift detection operations again.

Match the resource tags for resources that don't support drift detection

Note: The following update reapplies the tags that failed to apply when you didn't have sufficient permissions.

If your resources don't support drift detection, then compare a copy of your CloudFormation template with your deployed resources.

If there are no tags in your resource but there are tags in the CloudFormation template, then complete the following steps:

1. Remove all tags from the CloudFormation template.
2. Apply the copied CloudFormation template to update the stack. Then, remove stack-level tags.
3. Change back to the original CloudFormation template, and then redeploy the template with all the stack-level tags added back.

If the tags in the resource don't match the tags in the stack, then complete the following steps:

1. Remove the stack-level tags to update the stack.
2. In the CloudFormation template, modify the tags so that they match the tags in the resource.
3. Update the stack with the new CloudFormation template. Make sure that you add back the stack-level tags.