
Support the SERVICE_MANAGED permission model for CloudFormation StackSets #12422

Closed
srikanthchelluri opened this issue Mar 17, 2020 · 6 comments · Fixed by #12423
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/cloudformation Issues and PRs that pertain to the cloudformation service.
Comments

@srikanthchelluri (Contributor)

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently, only the SELF_MANAGED permission model is supported by the aws_cloudformation_stack_set resource (it is the default). However, the SERVICE_MANAGED permission model is helpful when using StackSets to manage resources across an AWS Organization since it allows StackSet instances to target organizational units. But before changing the aws_cloudformation_stack_set_instance resource, the aws_cloudformation_stack_set resource needs to be updated to support the SERVICE_MANAGED permission model and configure AutoDeployment parameters.

New or Affected Resource(s)

  • aws_cloudformation_stack_set

Potential Terraform Configuration

resource "aws_cloudformation_stack_set" "accept_guardduty" {
  provider = aws.us-east-1

  name             = "AcceptGuardDuty"
  description      = "Creates an AWS::GuardDuty::Detector resource and optionally an AWS::GuardDuty::Master resource in a set of accounts and regions."
  permission_model = "SERVICE_MANAGED"
  template_body    = local.stack_set_accept_guardduty_template_body

  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }

  parameters = {
    MasterId = local.infosec_aws_account_id
  }
}

References

@gespinoza22

Any word on when someone will get assigned to this?

@piersf

piersf commented Oct 30, 2020

@gespinoza22 CloudFormation released support for this last month, if you also happen to use CloudFormation.

@chrisjaimon2012

Any updates on this?

@rclark

rclark commented Mar 2, 2021

I found a workaround that helps while there's no direct terraform support: Use terraform to create a cloudformation stack in the organization's management account (terraform docs). This stack defines an AWS::CloudFormation::StackSet with the SERVICE_MANAGED permissions model (cloudformation docs).

This launches the stack set indirectly via terraform apply, using only credentials in the management account, without the need for concern over how #12423 would need additional modification of the aws_cloudformation_stack_set_instance terraform resource.
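The workaround described in the comment above, written out as an added example (not rclark's code and not part of the provider): a Terraform aws_cloudformation_stack whose template contains only an AWS::CloudFormation::StackSet with the SERVICE_MANAGED model, so CloudFormation, not Terraform, fans the member template out to the target OU. It assumes the aws provider is configured with management-account credentials, and the variable names, OU id and member template body are placeholders.

```hcl
# Placeholders supplied by the caller; neither value appears in the issue.
variable "target_ou_id" {
  description = "Organizational unit the stack set deploys into (placeholder)"
  type        = string
}

variable "guardduty_template_body" {
  description = "Member template body, e.g. one defining AWS::GuardDuty::Detector (placeholder)"
  type        = string
}

resource "aws_cloudformation_stack" "guardduty_stack_set" {
  name = "guardduty-stackset"

  # The outer stack lives only in the management account. Its single
  # resource is the stack set; CloudFormation creates the instances in
  # the OU, so no cross-account credentials are needed in Terraform.
  template_body = jsonencode({
    AWSTemplateFormatVersion = "2010-09-09"
    Resources = {
      GuardDutyStackSet = {
        Type = "AWS::CloudFormation::StackSet"
        Properties = {
          StackSetName    = "AcceptGuardDuty"
          PermissionModel = "SERVICE_MANAGED"

          # Mirrors the auto_deployment block proposed in the issue.
          AutoDeployment = {
            Enabled                      = true
            RetainStacksOnAccountRemoval = false
          }

          # Required only if the member template creates named IAM resources.
          Capabilities = ["CAPABILITY_NAMED_IAM"]
          TemplateBody = var.guardduty_template_body

          # SERVICE_MANAGED targets OUs rather than explicit account lists.
          StackInstancesGroup = [{
            DeploymentTargets = { OrganizationalUnitIds = [var.target_ou_id] }
            Regions           = ["us-east-1"]
          }]
        }
      }
    }
  })
}
```

Service-managed stack sets only work once trusted access for CloudFormation StackSets is enabled in AWS Organizations; check that before the first apply, since the stack will otherwise fail to create the stack set.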

@bflad bflad self-assigned this Mar 31, 2021
@github-actions github-actions bot added this to the v3.35.0 milestone Mar 31, 2021
@ghost

ghost commented Apr 1, 2021

This has been released in version 3.35.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented May 1, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators May 1, 2021