Support StackSet instances for StackSets that use the SERVICE_MANAGED permission model #12425

Closed
srikanthchelluri opened this issue Mar 17, 2020 · 8 comments · Fixed by #21193
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/cloudformation Issues and PRs that pertain to the cloudformation service.

Comments

@srikanthchelluri
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

If/when the aws_cloudformation_stack_set resource supports SERVICE_MANAGED permissions (tracked by #12422), the aws_cloudformation_stack_set_instance should support targeting organizational units so that it can be used to provision resources across an AWS Organization.

Currently, the resource identifies itself so that it is particular to the 3-tuple of a StackSet, account, and region. This means one instance of the resource can't be used to manage StackSet instances across multiple regions or organizations dynamically (and I'm not sure if it really should). But in any case, this design makes it incompatible when targeting organizational units (which is required when referring to a StackSet that is using a SERVICE_MANAGED permission model).

New or Affected Resource(s)

  • aws_cloudformation_stack_set_instance

Potential Terraform Configuration

resource "aws_cloudformation_stack_set_instance" "organization_accept-guardduty" {
  provider = aws.us-east-1

  organizational_unit_ids = [aws_organizations_organization.this.roots.0.id]
  regions                 = ["us-east-1", "us-east-2"]
  stack_set_name          = aws_cloudformation_stack_set.accept_guardduty.name
}

References

@srikanthchelluri srikanthchelluri added the enhancement Requests to existing resources that expand the functionality or scope. label Mar 17, 2020
@ghost ghost added the service/cloudformation Issues and PRs that pertain to the cloudformation service. label Mar 17, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Mar 17, 2020
@sean-kang

This is much needed. We currently frankenstein'd CloudFormation and Terraform due to the lack of this feature. It will be very nice once we have this.

@piersf

piersf commented Aug 27, 2020

Hello there,

Are there any updates on this? It seems that there are several issues opened for the same need, which goes to show that people are really wanting this feature.

Thank you in advance!

@chrisjaimon2012

Awaiting support from Terraform for this. Much needed.

@bflad bflad removed the needs-triage Waiting for first response or review from a maintainer. label Jan 6, 2021
@zachsis

zachsis commented Jan 15, 2021

+1 need this functionality.

@ghost

ghost commented Apr 7, 2021

I think I'm a little confused by how this interacts with the changes from #12423. Those changes don't seem to have actually added support for creating a Service Managed StackSet that deploys to a targeted OU, so while we "now support Service Managed StackSets", I'm not sure that the current setup would actually result in stack instances being deployed? So is this still blocked? Or is this supposed to be the improvement that would have us target which OUs to put instances in?

EDIT: It seems to be the latter, which represents a difference between how you deploy/manage Service Managed StackSets via the API vs. with CloudFormation. I suppose the pattern with the API is to do a CreateStackSet call that sets up the StackSet, but doesn't configure it with any targeted accounts or OUs. In order to actually have any StackInstances created, you need to make a separate CreateStackInstances call, which is what would be handled in this ticket.
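
The two-step pattern described in the comment above (create the StackSet, then create stack instances against organizational units), as an added Terraform example that is not part of the issue or the provider's own code. It assumes the `deployment_targets` block that later releases of the AWS provider expose on `aws_cloudformation_stack_set_instance`; the resource names, template body and region list are illustrative.

```hcl
# Added example. Apply from the Organizations management account (or a
# delegated StackSets administrator); names and template are illustrative.
data "aws_organizations_organization" "this" {}

# Step 1 (CreateStackSet): defines the StackSet but targets nothing yet.
resource "aws_cloudformation_stack_set" "accept_guardduty" {
  name = "accept-guardduty"

  # SERVICE_MANAGED relies on Organizations trusted access and service-linked
  # roles instead of hand-made administration/execution roles per account.
  permission_model = "SERVICE_MANAGED"

  # Controls what happens when accounts join or leave the targeted OUs.
  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }

  template_body = jsonencode({
    Resources = {
      Detector = {
        Type       = "AWS::GuardDuty::Detector"
        Properties = { Enable = true }
      }
    }
  })
}

# Step 2 (CreateStackInstances): one resource per region, each targeting OUs
# rather than a single account. The resource keeps a singular `region`, so
# several regions are expressed with for_each.
resource "aws_cloudformation_stack_set_instance" "accept_guardduty" {
  for_each = toset(["us-east-1", "us-east-2"])

  stack_set_name = aws_cloudformation_stack_set.accept_guardduty.name
  region         = each.value

  deployment_targets {
    # Organization root used here, as in the issue's proposed configuration;
    # narrow to specific OU IDs to limit where the stacks are deployed.
    organizational_unit_ids = [data.aws_organizations_organization.this.roots[0].id]
  }
}
```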

@aldegoeij

Why would one release #12423 if it is unusable because aws_cloudformation_stack_set_instance does not support it yet?!? :(

@oscarwest

We'd love the option to specify AWS Org OUs for CF StackSets as well. As some people have mentioned, this param is only available when updating the StackSet, not on creation:
https://github.com/aws/aws-sdk-go/blob/f3fff59ed604046c720d9054ba6e34f7970f966f/service/cloudformation/api.go#L21165

@github-actions

github-actions bot commented Jun 4, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 4, 2022