resource/aws_cloudformation_stack_set: Add support for SERVICE_MANAGED permission model #12423
Conversation
ghost
added
size/L
srikanthchelluri
force-pushed
the
stacksets-permissions
branch
from
005e193
to
966cf04
Compare
|
Forced pushed a change to remove computed fields that I added since it was preventing updating StackSets that were already created. |
srikanthchelluri
force-pushed
the
stacksets-permissions
branch
from
966cf04
to
2f8d823
Compare
srikanthchelluri
changed the title
|
Currently hashing out issues with computed fields - will remove |
…D permission model
srikanthchelluri
force-pushed
the
stacksets-permissions
branch
from
2f8d823
to
675b02a
Compare
srikanthchelluri
changed the title
|
Fixed the issue - see inline comment on |
|
@bflad Hey Brian - tagging you since you're pretty active in this repo. Any chance I can get a code review on this? Thanks! |
|
@appilon seems to be active too 😬 🙏 I'd like to contribute to aws_cloudformation_stack_set_instance, and this PR is a prereq. |
|
Hello there, Are there any updates on this? It seems that there are several issues opened for the same need which goes to show that people are really wanting this feature. Thank you in advance! |
|
Hi @bflad could you review and/or approve this? Would be super helpful to have! |
|
This and the SSO work going on right now both feel super important as everyone's trying to adopt the AWS tooling to make multi-account less awful. Could this be prioritized @bflad ? |
|
Any news on what's the hold-up on this commit? I just started looking at this myself and came across this now year-old pull request that looks like exactly what I was considering writing. Will want to pair this with a PR for #12425 since service-managed stack set instances will go along with service-managed stack sets. |
|
bump |
|
Also bump @bflad or anyone else This is a real blocker for some POC work were doing |
|
@myoung34 see #12422 (comment) if it works for you |
|
@piersf Thats what were currently doing but its extremely kludgey |
|
@myoung34 what do you find kludgy about it? We're using it to deploy a baseline configuration to every new account as they are added to their respective OU, by using the SERVICE_MANAGED permission model with auto-deployment enabled. The only thing that I've seen missing from CloudFormation StackSets so far is the ability to cherry-pick stack instances to remove from a stack set resource and the fact that you can't configure an SNS Topic in stack instances(like you can for a normal stack resource). The latter can't be solved by Terraform either as the API itself does not support this. |
bflad
added
enhancement
There was a problem hiding this comment.
Hi @srikanthchelluri 👋 Thank you for submitting this. It looks pretty good, with just some minor adjustments due to some newer CI checks we have in place. We also need to adjust the new test to work only in Organizations administrative accounts, but that is outside the scope of what we would typically would expect from a community contribution. To speed up everything here, we will apply these changes on merge now so this can be included in this week's release. Thank you again and apologies for the delayed review.
Output from acceptance testing:
=== CONT TestAccAWSCloudFormationStackSet_PermissionModel_ServiceManaged
resource_aws_cloudformation_stack_set_test.go:465: Step 1/2 error: Error running apply: exit status 1
Error: error creating CloudFormation StackSet: ValidationError: You must be the master or delegated admin account of an organization before operating a SERVICE_MANAGED stack set
status code: 400, request id: 0578577e-948d-4fa3-b856-68e8d90a77f3
on terraform_plugin_test.tf line 2, in resource "aws_cloudformation_stack_set" "test":
2: resource "aws_cloudformation_stack_set" "test" {
--- FAIL: TestAccAWSCloudFormationStackSet_PermissionModel_ServiceManaged (20.32s)
--- PASS: TestAccAWSCloudFormationStackSet_disappears (29.55s)
--- PASS: TestAccAWSCloudFormationStackSet_basic (37.19s)
--- PASS: TestAccAWSCloudFormationStackSet_ExecutionRoleName (52.08s)
--- PASS: TestAccAWSCloudFormationStackSet_Description (52.94s)
--- PASS: TestAccAWSCloudFormationStackSet_TemplateBody (56.51s)
--- PASS: TestAccAWSCloudFormationStackSet_Name (60.38s)
--- PASS: TestAccAWSCloudFormationStackSet_TemplateUrl (76.66s)
--- PASS: TestAccAWSCloudFormationStackSet_Tags (86.81s)
--- PASS: TestAccAWSCloudFormationStackSet_Parameters (88.40s)
--- PASS: TestAccAWSCloudFormationStackSet_AdministrationRoleArn (89.54s)
| ValidateFunc: validation.StringInSlice([]string{ | ||
| cloudformation.PermissionModelsServiceManaged, | ||
| cloudformation.PermissionModelsSelfManaged, | ||
| }, false), |
There was a problem hiding this comment.
Nit: Since this pull request was originally introduced, the AWS SDK Go created functions to retrieve all (modeled) enumeration values. See also: #14601
| ValidateFunc: validation.StringInSlice([]string{ | |
| cloudformation.PermissionModelsServiceManaged, | |
| cloudformation.PermissionModelsSelfManaged, | |
| }, false), | |
| ValidateFunc: validation.StringInSlice(cloudformation.PermissionModels_Values(), false), |
| PreCheck: func() { testAccPreCheck(t); testAccPreCheckAWSCloudFormationStackSet(t) }, | ||
| Providers: testAccProviders, | ||
| CheckDestroy: testAccCheckAWSCloudFormationStackSetDestroy, |
There was a problem hiding this comment.
Newer linter since this pull request was introduced:
| PreCheck: func() { testAccPreCheck(t); testAccPreCheckAWSCloudFormationStackSet(t) }, | |
| Providers: testAccProviders, | |
| CheckDestroy: testAccCheckAWSCloudFormationStackSetDestroy, | |
| PreCheck: func() { testAccPreCheck(t); testAccPreCheckAWSCloudFormationStackSet(t) }, | |
| ErrorCheck: testAccErrorCheck(t, cloudformation.EndpointsID), | |
| Providers: testAccProviders, | |
| CheckDestroy: testAccCheckAWSCloudFormationStackSetDestroy, |
| enabled = true | ||
| retain_stacks_on_account_removal = false |
There was a problem hiding this comment.
Newer linter since this pull request was introduced:
| enabled = true | |
| retain_stacks_on_account_removal = false | |
| enabled = true | |
| retain_stacks_on_account_removal = false |
| * `enabled` - Whether or not auto-deployment is enabled. | ||
| * `retain_stacks_on_account_removal` - Whether or not to retain stacks when the account is removed. |
There was a problem hiding this comment.
Newer linter since this pull request was introduced:
| * `enabled` - Whether or not auto-deployment is enabled. | |
| * `retain_stacks_on_account_removal` - Whether or not to retain stacks when the account is removed. | |
| * `enabled` - (Optional) Whether or not auto-deployment is enabled. | |
| * `retain_stacks_on_account_removal` - (Optional) Whether or not to retain stacks when the account is removed. |
|
thanks for merging and taking care of the minor changes, @bflad! |
|
This has been released in version 3.35.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
ghost
mentioned this pull request
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked as resolved and limited conversation to collaborators
This updates the
aws_cloudformation_stack_setresource to support theSERVICE_MANAGEDpermission model. This is helpful if a consumer intends to use CloudFormation StackSets to manage resources across an AWS Organization.Community Note
Closes #12422.
Release note for CHANGELOG:
Output from acceptance testing: