
core: Order difference in Tags property is highlighted in cdk deploy --method=prepare-change-set #26350

Open
wongni opened this issue Jul 13, 2023 · 2 comments
Labels
@aws-cdk/aws-elasticloadbalancing Related to Amazon Elastic Load Balancing bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments


wongni commented Jul 13, 2023

Describe the bug

I am converting an existing CFN stack into CDK. The original stack template has a Tags property in a resource.

      "Tags":
      - "Key": "Name"
        "Value":
          "Fn::Sub": "${AWS::StackName} preview ALB"
      - "Key": "alb-fips-enabled"
        "Value": "fips"

I wrote CDK code like this to match the keys/values and their order.

            tags: [
                {
                    key: "Name",
                    value: cdk.Fn.sub("${AWS::StackName} ELB SecurityGroup"),
                },
                {
                    key: "alb-fips-enabled",
                    value: "fips",
                },
            ],

I ran the cdk deploy --method=prepare-change-set command to check that my code does not modify any resources in the existing stack. However, I got this diff entry in the change set.

[
  {
    "resourceChange": {
      "logicalResourceId": "ELBSecurityGroup",
      "action": "Modify",
      "physicalResourceId": "sg-08ca30bb0788c6ad5",
      "resourceType": "AWS::EC2::SecurityGroup",
      "replacement": "False",
      "moduleInfo": null,
      "details": [
        {
          "target": {
            "name": null,
            "requiresRecreation": "Never",
            "attribute": "Tags"
          },
          "causingEntity": null,
          "evaluation": "Static",
          "changeSource": "DirectModification"
        }
      ],
      "changeSetId": null,
      "scope": [
        "Tags"
      ]
    },
    "hookInvocationCount": null,
    "type": "Resource"
  }
]

I checked the generated template from the CDK code.

      Tags:
        - Key: alb-fips-enabled
          Value: fips
        - Key: Name
          Value:
            Fn::Sub: ${AWS::StackName} ELB SecurityGroup

The keys and values are the same but the order is different from the order in the code. I guess CDK synth automatically sorts the keys alphabetically.

Expected Behavior

Either of these options:

  1. cdk synth keeps the order of the key/value pairs when generating the Tags property.
  2. Or cdk deploy --method=prepare-change-set and cdk diff do not highlight the order difference in the Tags property.

Current Behavior

The change set created by the cdk deploy --method=prepare-change-set command shows the resource with the same tags as a Modify resource.

cdk diff also shows this

Resources
[~] AWS::EC2::SecurityGroup ELBSecurityGroup ELBSecurityGroup 
 └─ [~] Tags
     └─ @@ -1,12 +1,12 @@
        [ ] [
        [ ]   {
        [+]     "Key": "alb-fips-enabled",
        [+]     "Value": "fips"
        [+]   },
        [+]   {
        [ ]     "Key": "Name",
        [ ]     "Value": {
        [ ]       "Fn::Sub": "${AWS::StackName} ELB SecurityGroup"
        [ ]     }
        [-]   },
        [-]   {
        [-]     "Key": "alb-fips-enabled",
        [-]     "Value": "fips"
        [ ]   }
        [ ] ]

Reproduction Steps

  1. Create a CFN stack in the console with the following template.
"AWSTemplateFormatVersion": "2010-09-09"

"Resources":
  "ELBSecurityGroup":
    "Metadata":
      "Comment": ""
    "Properties":
      "GroupDescription": "Allow inbound port HTTP, outbound to Invoke fleet"
      "SecurityGroupEgress":
      - "CidrIp": "0.0.0.0/0"
        "FromPort": !!int "0"
        "IpProtocol": "tcp"
        "ToPort": !!int "65535"
      - "CidrIp": "0.0.0.0/0"
        "IpProtocol": "41"
      "Tags":
      - "Key": "Name"
        "Value":
          "Fn::Sub": "${AWS::StackName} ELB SecurityGroup"
      - "Key": "alb-fips-enabled"
        "Value": "fips"
      "VpcId": "vpc-[REDACTED]"
    "Type": "AWS::EC2::SecurityGroup"
  2. Run the cdk deploy --method=prepare-change-set command with the following CDK code.
import { DeploymentStackProps, DeploymentStack } from "@amzn/pipelines";
import * as cdk from "aws-cdk-lib";
import * as ec2 from "aws-cdk-lib/aws-ec2";

export interface NoctStackProps extends DeploymentStackProps {
    /**
     * @default 443
     */
    readonly lbExternalPort?: number;
    /**
     * @default "true"
     */
    readonly createExternalLb?: string;
}

export class NoctStack extends DeploymentStack {
    public constructor(scope: cdk.App, id: string, props: NoctStackProps) {
        super(scope, id, props);

        // Resources
        const elbSecurityGroup = new ec2.CfnSecurityGroup(this, "ELBSecurityGroup", {
            groupDescription: "Allow inbound port HTTP, outbound to Invoke fleet",
            securityGroupEgress: [
                {
                    cidrIp: "0.0.0.0/0",
                    fromPort: 0,
                    ipProtocol: "tcp",
                    toPort: 65535,
                },
                {
                    cidrIp: "0.0.0.0/0",
                    ipProtocol: "41",
                },
            ],
            tags: [
                {
                    key: "Name",
                    value: cdk.Fn.sub("${AWS::StackName} ELB SecurityGroup"),
                },
                {
                    key: "alb-fips-enabled",
                    value: "fips",
                },
            ],
            vpcId: "vpc-[REDACTED]",
        });
        elbSecurityGroup.cfnOptions.metadata = {
            Comment: "",
        };
    }
}
  3. Check the created change set in the CFN console.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.85.0 and 2.87.0

Framework Version

No response

Node.js Version

v18.16.0

OS

Linux and MacOS (M1)

Language

TypeScript

Language Version

TypeScript (5.1.3)

Other information

No response

pahud commented Jul 13, 2023

Yes, the new template will be sorted according to this:

for (const key of unionOf(Object.keys(currentTemplate), Object.keys(newTemplate)).sort()) {

Sorting the old template probably is an option but I don't think we should do that.

I am not sure if we can improve this in this function.

rmjwilbur commented Jul 8, 2024

I'm encountering this using cdk diff with Tags on lambda functions. It's definitely annoying noise. Changing the order of the tags in my CfnFunctionProps has no effect.

For me, the order of the tags is not important and I don't want to see it flagged as a difference. Does anyone know of a workaround for this?

Edit: I'm in the process of migrating to CDK, so my pain relates to comparing with the existing stacks. I sorted the tags and redeployed one using my old deployment method. Now cdk diff isn't reporting any differences on Tags for that stack.
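
A check for the situation discussed in this thread, as an added example that is not part of the issue or of the CDK code base: it compares the Tags lists of a deployed and a synthesized template by content, so a reordering-only entry can be told apart from a real tag change before a change set on a resource such as a security group is approved. The function names and the sample templates are constructed for illustration, and it assumes Tags in the Key/Value list form shown in the issue.

```typescript
// Added example (not CDK code): decide whether a Tags difference between a
// deployed and a synthesized template is reordering only or a real change.
type Tag = { Key: string; Value: unknown };
type Resource = { Type: string; Properties?: { Tags?: Tag[] } };
type Template = { Resources: Record<string, Resource> };
type TagVerdict = "identical" | "order-only" | "changed";

// Serialize with object keys sorted, so intrinsics such as {"Fn::Sub": ...}
// compare by content and not by key insertion order.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const fields = Object.keys(obj).sort().map((k) => JSON.stringify(k) + ":" + canonical(obj[k]));
    return "{" + fields.join(",") + "}";
  }
  return JSON.stringify(value);
}

function compareTags(deployed: Tag[] = [], synthesized: Tag[] = []): TagVerdict {
  const before = deployed.map(canonical);
  const after = synthesized.map(canonical);
  if (before.join("\n") === after.join("\n")) return "identical";
  // Same tags in a different order compare equal once both lists are sorted.
  const same = [...before].sort().join("\n") === [...after].sort().join("\n");
  return same ? "order-only" : "changed";
}

// Verdict for every resource present in both templates whose Tags differ.
function tagDrift(deployed: Template, synthesized: Template): Record<string, TagVerdict> {
  const report: Record<string, TagVerdict> = {};
  for (const [id, after] of Object.entries(synthesized.Resources)) {
    const before = deployed.Resources[id];
    if (!before) continue; // resource is new, so there is no old order to compare
    const verdict = compareTags(before.Properties?.Tags, after.Properties?.Tags);
    if (verdict !== "identical") report[id] = verdict;
  }
  return report;
}

// Constructed samples using the tag keys from this issue.
const nameTag: Tag = { Key: "Name", Value: { "Fn::Sub": "${AWS::StackName} ELB SecurityGroup" } };
const fipsTag: Tag = { Key: "alb-fips-enabled", Value: "fips" };
const sampleTemplate = (tags: Tag[]): Template => ({
  Resources: { ELBSecurityGroup: { Type: "AWS::EC2::SecurityGroup", Properties: { Tags: tags } } },
});
console.log(tagDrift(sampleTemplate([nameTag, fipsTag]), sampleTemplate([fipsTag, nameTag])));
```

A verdict of "changed" means the Tags entry reflects a real edit to a key or value and should be reviewed like any other modification.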
