
[Bug]: aws_cloudformation_stack_set_instance operation error when targeting OU #40675

Open
nomeelnoj opened this issue Dec 22, 2024 · 1 comment
Labels
bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. service/cloudformation Issues and PRs that pertain to the cloudformation service.

Comments

@nomeelnoj

Terraform Core Version

1.9.8

AWS Provider Version

5.82.2

Affected Resource(s)

  • aws_cloudformation_stack_set_instance

Expected Behavior

When updating parameters in the resource with deployment_targets set to an OU rather than an account, the update should succeed.

Actual Behavior

If deployment_targets is set only to an OU and not an account, there is a validation error as the provider is sending the OU ID through as an account ID.

Relevant Error/Panic Output Snippet

```text
aws_cloudformation_stack_set_instance.default: Modifying... [id=TestStackSet,ou-1abc-abcdefg1,us-east-1]
╷
│ Error: updating CloudFormation StackSet Instance (TestStackSet,ou-1abc-abcdefg1,us-east-1): operation error CloudFormation: UpdateStackInstances, https response error StatusCode: 400, RequestID: fa70f28e-........, api error ValidationError: 1 validation error detected: Value '[ou-1abc-abcdefg1]' at 'accounts' failed to satisfy constraint: Member must satisfy constraint: [Member must have length less than or equal to 12, Member must have length greater than or equal to 12, Member must satisfy regular expression pattern: ^[0-9]{12}$]
│
│   with aws_cloudformation_stack_set_instance.default,
│   on cf.tf line 63, in resource "aws_cloudformation_stack_set_instance" "default":
│   63: resource "aws_cloudformation_stack_set_instance" "default" {
│
╵
```

Terraform Configuration Files

```hcl
resource "aws_cloudformation_stack_set" "default" {
  name        = "TestStackSet"
  description = "Testing"

  permission_model = "SERVICE_MANAGED"

  capabilities = [
    "CAPABILITY_NAMED_IAM"
  ]

  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }

  managed_execution {
    active = true
  }

  tags = {
    Name = "TestStackSet"
  }

  lifecycle {
    ignore_changes = [
      administration_role_arn
    ]
  }

  template_body = jsonencode(
    {
      AWSTemplateFormatVersion = "2010-09-09"
      Description              = "Testing"
      Resources = {
        Role = {
          Type = "AWS::IAM::Role"
          Properties = {
            RoleName = "TestRole"
            AssumeRolePolicyDocument = jsonencode(
              {
                Statement = [
                  {
                    Sid    = "Foobar"
                    Action = "sts:AssumeRole"
                    Effect = "Allow"
                    Principal = {
                      Service = "ec2.amazonaws.com"
                    }
                  }
                ]
              }
            )
          }
        }
      }
    }
  )
}

# Targets an OU only (no account IDs); region comes from a local defined elsewhere in the configuration.
resource "aws_cloudformation_stack_set_instance" "default" {
  deployment_targets {
    organizational_unit_ids = [
      "ou-1abc-abcdefg1"
    ]
  }

  operation_preferences {
    failure_tolerance_percentage = 100
    max_concurrent_percentage    = 100
    concurrency_mode             = "SOFT_FAILURE_TOLERANCE"
    region_concurrency_type      = "PARALLEL"
  }

  region         = local.region
  stack_set_name = aws_cloudformation_stack_set.default.name
}
```

Steps to Reproduce

  1. Create a state with the above code, commenting out the operation_preferences section of the stack_set_instance
  2. Make sure to target an OU, NOT an account!
  3. Run terraform apply to create the stack set and stack set instance
  4. Uncomment the operation_preferences (or make any other change to the stack_set_instance)
  5. Run terraform apply
  6. See error message in account validation

Debug Output

No response

Panic Output

No response

Important Factoids

This appears to be an issue with the resourceStackSetInstanceUpdate function in the code, as the only option is to pass in Accounts: https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/cloudformation/stack_set_instance.go#L418-L424

The value getting passed into accounts is being pulled from the resource ID, but if you target an OU or two, the resource ID does not have an account in it.

Based on the golang spec, it appears that simply changing from Accounts to DeploymentTargets should suffice.

Part of me wonders if there is a larger issue with how the resource ID is being created and used to figure out the targets, as it assumes that there will only ever be 1 value passed into the input, but if more than one account or OU is provided, the object includes them separated by `/`, and the input validation does not split them back into a list.

References

No response

Would you like to implement a fix?

Yes
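To make the two problems the report describes concrete (an OU ID being sent in the `accounts` field, and a `/`-joined multi-target ID never being split back into a list), here is a stand-alone Go illustration. It is an added example, not code from the terraform-provider-aws repository: `parseStackSetInstanceID` and `validateAccountsField` are hypothetical helpers, `StackSetTargets` is a constructed stand-in for the SDK's accounts-versus-deployment-targets choice, and the ID layout `<stack set name>,<target>[/<target>...],<region>` is assumed from the ID shown in the error output above. The account-ID regex is the one quoted in the API's validation message; the OU-ID regex is the documented AWS Organizations format.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// StackSetTargets is a constructed stand-in for the two ways an
// UpdateStackInstances call can address its targets: explicit account IDs,
// or organizational unit IDs under DeploymentTargets. A request should
// populate exactly one of the two.
type StackSetTargets struct {
	Accounts              []string
	OrganizationalUnitIDs []string
}

var (
	// Constraint quoted verbatim in the API's ValidationError for 'accounts'.
	accountIDPattern = regexp.MustCompile(`^[0-9]{12}$`)
	// Documented AWS Organizations OU ID format (assumed here, not from the issue).
	ouIDPattern = regexp.MustCompile(`^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$`)
)

// parseStackSetInstanceID splits a resource ID of the assumed form
// "<stack set name>,<target>[/<target>...],<region>" and classifies every
// target as an account ID or an OU ID, so the caller can choose the right
// request field instead of blindly forwarding the middle segment as Accounts.
func parseStackSetInstanceID(id string) (name string, targets StackSetTargets, region string, err error) {
	parts := strings.Split(id, ",")
	if len(parts) != 3 {
		return "", StackSetTargets{}, "", fmt.Errorf("unexpected ID %q: want <name>,<targets>,<region>", id)
	}
	name, region = parts[0], parts[2]

	// Multiple targets are joined with "/" in the ID; split them back out.
	for _, t := range strings.Split(parts[1], "/") {
		switch {
		case accountIDPattern.MatchString(t):
			targets.Accounts = append(targets.Accounts, t)
		case ouIDPattern.MatchString(t):
			targets.OrganizationalUnitIDs = append(targets.OrganizationalUnitIDs, t)
		default:
			return "", StackSetTargets{}, "", fmt.Errorf("target %q is neither a 12-digit account ID nor an OU ID", t)
		}
	}
	if len(targets.Accounts) > 0 && len(targets.OrganizationalUnitIDs) > 0 {
		return "", StackSetTargets{}, "", fmt.Errorf("ID %q mixes account IDs and OU IDs", id)
	}
	return name, targets, region, nil
}

// validateAccountsField reproduces the client-side equivalent of the API
// constraint from the error output: every member of 'accounts' must be
// exactly twelve digits. Sending an OU ID here fails before any request is made.
func validateAccountsField(accounts []string) error {
	for _, a := range accounts {
		if !accountIDPattern.MatchString(a) {
			return fmt.Errorf("value %q at 'accounts' failed to satisfy constraint ^[0-9]{12}$", a)
		}
	}
	return nil
}

func main() {
	// Constructed sample IDs: the one from the issue, and a two-account variant.
	for _, id := range []string{
		"TestStackSet,ou-1abc-abcdefg1,us-east-1",
		"TestStackSet,123456789012/210987654321,us-east-1",
	} {
		name, targets, region, err := parseStackSetInstanceID(id)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s in %s: accounts=%v ous=%v\n", name, region, targets.Accounts, targets.OrganizationalUnitIDs)
		// Forwarding the raw targets as Accounts only works for the account case.
		if err := validateAccountsField(append(targets.Accounts, targets.OrganizationalUnitIDs...)); err != nil {
			fmt.Println("  would be rejected as Accounts:", err)
		}
	}
}
```

The point of the split is that the caller can route OU IDs to `DeploymentTargets` and account IDs to `Accounts`, and that a `/`-joined ID yields a list rather than a single unparseable string; the validation helper shows why the original OU-only ID is rejected when it reaches the `accounts` field.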

@nomeelnoj nomeelnoj added the bug Addresses a defect in current functionality. label Dec 22, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/cloudformation Issues and PRs that pertain to the cloudformation service. needs-triage Waiting for first response or review from a maintainer. labels Dec 22, 2024