aws-cdk/pipelines does not seem to apply tags to 'internal' resources shouldn't it?

[roskelleycj]

Question:

Should aws-cdk/pipelines create all resources (that can be tagged) w/ Tags from the Stack?

Details:

I work in an organization that requires all resources comply to a very specific tagging specification. No tags, no deployment. Using the following during application construction allows for such compliance:

    Tags tags = Tags.of(stack);
    tagsMap.forEach(tags::add);

Where the tagsMap has the require tags by the organization and the stack contains all of the objects to be deployed with the stack.

The approach has generally worked quite well, however, we are evaluating aws-cdk/pipelines (or aws-cdk-lib.pipelines) and those top level resources like CodePipeline add the Tags from the Stack to the CodePipeline and the IAM Role resources that are created. However, ShellStep creates 'internal' resources such as CodeBuild Project and IAM Role and these do not have any Tags from the Stack. Nor does there appear to be any means to acquire those internal resources to apply tags to them.

Question repeated: Shouldn't these 'internal' resources have the Tags from the Stack applied to them during synth?

Or is this a bug in aws-cdk-lib.pipelines? I do recall reading that aws-cdk-lib.pipelines is opinionated, but I would hope that Tags would be an opinion most CDK constructs apply. 😞