aws-backup: BackupSelection uses ListOfTags (OR logic), missing support for StringLike/StringNotEquals/StringNotLike

[emfrab]

This issue description was created using Claude code

🐛 aws-backup: BackupSelection uses ListOfTags instead of Conditions, breaking AND logic and limiting tag operations

Labels: bug, needs-triage

---

Describe the bug

BackupSelection generates ListOfTags in CloudFormation instead of the newer Conditions property. This has two consequences:

• Wrong logic: ListOfTags uses OR across conditions; Conditions uses AND. Multiple fromTag() calls silently back up more resources than intended.
• Limited operations: TagOperation only exposes STRING_EQUALS and a non-functional DUMMY = 'dummy' placeholder. Conditions supports StringLike, StringNotEquals, and StringNotLike — none of which are accessible.

Expected Behavior

"BackupSelection": {
  "Conditions": {
    "StringEquals": [
      { "ConditionKey": "aws:ResourceTag/Environment", "ConditionValue": "prod" },
      { "ConditionKey": "aws:ResourceTag/Backup", "ConditionValue": "enabled" }
    ]
  }
}

Current Behavior

"BackupSelection": {
  "ListOfTags": [
    { "ConditionKey": "aws:ResourceTag/Environment", "ConditionType": "STRINGEQUALS", "ConditionValue": "prod" },
    { "ConditionKey": "aws:ResourceTag/Backup", "ConditionType": "STRINGEQUALS", "ConditionValue": "enabled" }
  ]
}

Reproduction Steps

new BackupSelection(stack, 'Selection', {
  backupPlan: plan,
  resources: [
    BackupResource.fromTag('aws:ResourceTag/Environment', 'prod'),
    BackupResource.fromTag('aws:ResourceTag/Backup', 'enabled'),
  ],
});

cdk synth produces ListOfTags (OR). Both conditions must be met — AND is required.

Possible Solution

• In selection.ts: replace listOfTags with conditions, grouping by operation type into StringEquals/StringLike/StringNotEquals/StringNotLike.
• In resource.ts: replace DUMMY = 'dummy' with the three missing TagOperation members.
• Note: conditions is typed any in CfnBackupSelection.BackupSelectionResourceTypeProperty, so keys must be constructed in PascalCase explicitly (no camelCase→PascalCase transform is applied).

This is a behavior change (OR → AND) but is the correct semantic for tag-based selection and matches what the AWS console produces.

Environment

aws-cdk-lib	2.250.0
CDK CLI	2.1112.0 (build 48e9b5d)
Node.js	v24.11.1
OS	macOS
Language	TypeScript

[related-issues-bot-for-aws]

Hi @emfrab,

Thanks for reporting! While a member of the CDK team reviews this, we've identified this as a potential duplicate.

Potential Duplicate Issues

• (aws-backup): BackupResource with TagCondition is not intuitive #18911: Both issues report the same root cause: aws-backup's BackupSelection generates CloudFormation using the ListOfTags property instead of the Conditions property, resulting in OR logic when AND logic is needed for multiple tag conditions. Both issues request switching to the Conditions property in the generated CloudFormation output. The current issue's additional concern about missing StringLike/StringNotEquals/StringNotLike operations is a direct consequence of using ListOfTags, which only supports StringEquals — the shared fix of switching to Conditions would resolve both the logic semantics and the missing operations. Same module (aws-backup), same construct (BackupSelection), same underlying CloudFormation property issue.

This message was generated automatically to help connect related conversations and improve discoverability.

Please react with 👍 or 👎 to let us know if this response was helpful!

Thank you for helping improve CDK! 🙌