aws_signer: Adding tags to stack containing signing profile causes errors on deployment #30013

Closed
cjhelloletsgo opened this issue Apr 30, 2024 · 5 comments
Labels
@aws-cdk/aws-signer bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@cjhelloletsgo

Describe the bug

Deploying a stack with a signing profile, then adding a tag to the stack, will cause the deployment to fail with an internal error.

Expected Behavior

The stack to deploy and tag the resource

Current Behavior

EthicsStack: deploying... [1/1]
EthicsStack: creating CloudFormation changeset...
10:59:26 AM | UPDATE_FAILED | AWS::Signer::SigningProfile | SigningProfile39EF76F3
Resource handler returned message: "null" (RequestToken: 1f53d8b0-de7b-c9a4-85ab-1d9754840f0f, HandlerErrorCode: InternalFailure)

❌ EthicsStack failed: Error: The stack named EthicsStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "null" (RequestToken: 1f53d8b0-de7b-c9a4-85ab-1d9754840f0f, HandlerErrorCode: InternalFailure)
at FullCloudFormationDeployment.monitorDeployment (/home/colton/.nvm/versions/node/v20.12.2/lib/node_modules/aws-cdk/lib/index.js:433:10568)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Object.deployStack2 [as deployStack] (/home/colton/.nvm/versions/node/v20.12.2/lib/node_modules/aws-cdk/lib/index.js:436:199619)
at async /home/colton/.nvm/versions/node/v20.12.2/lib/node_modules/aws-cdk/lib/index.js:436:181341

❌ Deployment failed: Error: The stack named EthicsStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "null" (RequestToken: 1f53d8b0-de7b-c9a4-85ab-1d9754840f0f, HandlerErrorCode: InternalFailure)
at FullCloudFormationDeployment.monitorDeployment (/home/colton/.nvm/versions/node/v20.12.2/lib/node_modules/aws-cdk/lib/index.js:433:10568)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Object.deployStack2 [as deployStack] (/home/colton/.nvm/versions/node/v20.12.2/lib/node_modules/aws-cdk/lib/index.js:436:199619)
at async /home/colton/.nvm/versions/node/v20.12.2/lib/node_modules/aws-cdk/lib/index.js:436:181341

The stack named EthicsStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "null" (RequestToken: 1f53d8b0-de7b-c9a4-85ab-1d9754840f0f, HandlerErrorCode: InternalFailure)

Reproduction Steps

Deploy a stack which contains a signing profile, then add a tag to the stack. The stack will fail to deploy with the above error.

from aws_cdk import (
    Stack,
)
from aws_cdk import aws_lambda as lambda_
from aws_cdk import (
    aws_signer as signer,
)
from constructs import Construct


class EthicsStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        signing_profile = signer.SigningProfile(
            self,
            "Signing Profile",
            platform=signer.Platform.AWS_LAMBDA_SHA384_ECDSA,
        )

        code_signing_config = lambda_.CodeSigningConfig(
            self,
            "Code Signing Config",
            signing_profiles=[
                signing_profile,
            ],
            description=f"CDK Signing Config for {Stack.of(self).stack_name}",
            untrusted_artifact_on_deployment=lambda_.UntrustedArtifactOnDeployment.WARN,
        )


Possible Solution

Handle adding tag on update to resource

Additional Information/Context

No response

CDK CLI Version

2.139.1

Framework Version

No response

Node.js Version

v20.12.2

OS

Ubuntu 24.04

Language

Python

Language Version

Python 3.12

Other information

No response
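
An added example, not part of the original report or of the CDK project: a pre-deployment check that compares the deployed template with the newly synthesized one and lists the signing profiles whose tags would change, which is the update that fails in the report above. The function names, the sample templates, the bucket and the `project` tag are constructed for illustration; only the logical ID is taken from the log in the report.

```python
import json

SIGNING_PROFILE = "AWS::Signer::SigningProfile"


def _tags(resource):
    """Return a resource's Tags property as a {key: value} dict."""
    tags = resource.get("Properties", {}).get("Tags", [])
    return {t["Key"]: t["Value"] for t in tags}


def signing_profile_tag_changes(deployed, synthesized):
    """Map logical ID -> tag diff for signing profiles an update would retag."""
    old_resources = deployed.get("Resources", {})
    findings = {}
    for logical_id, new in synthesized.get("Resources", {}).items():
        old = old_resources.get(logical_id)
        # Only an in-place update of an existing signing profile is relevant;
        # a profile that is new in this deployment is created with its tags.
        if old is None:
            continue
        if old.get("Type") != SIGNING_PROFILE or new.get("Type") != SIGNING_PROFILE:
            continue
        before, after = _tags(old), _tags(new)
        if before == after:
            continue
        shared = before.keys() & after.keys()
        findings[logical_id] = {
            "added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "changed": sorted(k for k in shared if before[k] != after[k]),
        }
    return findings


# Constructed sample templates (not real synth output).
DEPLOYED = json.loads("""
{"Resources": {
  "SigningProfile39EF76F3": {
    "Type": "AWS::Signer::SigningProfile",
    "Properties": {"PlatformId": "AWSLambda-SHA384-ECDSA"}},
  "Bucket": {"Type": "AWS::S3::Bucket"}}}
""")
SYNTHESIZED = json.loads(json.dumps(DEPLOYED))  # deep copy, then tag everything
for res in SYNTHESIZED["Resources"].values():
    res.setdefault("Properties", {})["Tags"] = [{"Key": "project", "Value": "ethics"}]

if __name__ == "__main__":
    print(json.dumps(signing_profile_tag_changes(DEPLOYED, SYNTHESIZED), indent=2))
```
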
@cjhelloletsgo cjhelloletsgo added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 30, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Apr 30, 2024
@khushail khushail self-assigned this Apr 30, 2024
@khushail
Contributor

@cjhelloletsgo, thanks for reporting this. I am able to repro the error.

I also tried adding tags to an existing bucket, to check if this is an issue with tags propagation, but it worked fine and tags were added successfully.

Marking this issue as appropriate for further action.

@khushail khushail added effort/small Small work item – less than a day of effort p2 and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Apr 30, 2024
@khushail khushail removed their assignment Apr 30, 2024
@cjhelloletsgo
Author

It is 100% able to be reproduced. Here is a link to a GitHub repo I set up: https://github.com/cjhelloletsgo/cdk_signing_profile_issue

Just clone and deploy the stack. After it is deployed look in app.py and I put a comment where you need to uncomment and perform a second deployment. It will fail with this error:

@cjhelloletsgo
Author

I just realized I lack reading comprehension and you wrote you could reproduce rather than couldn't. So my last comment can be ignored. My bad.

@cjhelloletsgo
Author

This error seems to be resolved with newer CDK version 2.157.0 (build 7315a59)

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 10, 2024