
CloudFormation StackSet fails when no accounts are in target OU #23349

Closed
davidbailey opened this issue Feb 24, 2022 · 7 comments · Fixed by #24523
bug Addresses a defect in current functionality. service/cloudformation Issues and PRs that pertain to the cloudformation service.

@davidbailey

Terraform CLI and Terraform AWS Provider Version

terraform -v
Terraform v1.0.11
on darwin_amd64

Your version of Terraform is out of date! The latest version
is 1.1.6. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

aws_cloudformation_stack_set_instance

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance

Terraform Configuration Files

resource "aws_cloudformation_stack_set_instance" "test" {
  deployment_targets {
    organizational_unit_ids = ["ou-abc123"]
  }

  region         = "us-west-2"
  stack_set_name = aws_cloudformation_stack_set.test.name
}


Debug Output

│ Error: unexpected format for ID (Test,,us-west-2), expected STACKSETNAME,ACCOUNDID,REGION

Expected Behavior

StackSet should be created.

Actual Behavior

StackSet is not created. Terraform State becomes corrupted.

Steps to Reproduce

  1. terraform apply

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/cloudformation Issues and PRs that pertain to the cloudformation service. labels Feb 24, 2022
@justinretzolk justinretzolk added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Feb 25, 2022
@par-texx

This is an issue on Terraform v1.1.7 and provider 4.5.0 as well.

Terraform v1.1.7
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.5.0
+ provider registry.terraform.io/hashicorp/vault v3.3.1

│ Error: unexpected format for ID (VaultStackSet,,us-west-2), expected STACKSETNAME,ACCOUNDID,REGION
│
│   with aws_cloudformation_stack_set_instance.vault_stack_set_instance["us-west-2"],
│   on main.tf line 82, in resource "aws_cloudformation_stack_set_instance" "vault_stack_set_instance":
│   82: resource "aws_cloudformation_stack_set_instance" "vault_stack_set_instance" {

@sbutler

sbutler commented Apr 28, 2022

I believe I'm seeing this same issue but I get a different error message. I'm also trying to deploy a bunch of stack set instances and the only ones that are failing are ones with no accounts in the OU:

Terraform v1.1.8
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.11.0

...

│ Error: error reading CloudFormation StackSet Instance (example,,us-west-1): ValidationError: 2 validation errors detected: Value '' at 'stackInstanceAccount' failed to satisfy constraint: Member must have length greater than or equal to 12; Value '' at 'stackInstanceAccount' failed to satisfy constraint: Member must satisfy regular expression pattern: ^[0-9]{12}$
│ 	status code: 400, request id: (removed)
│ 
│   with aws_cloudformation_stack_set_instance.main["example:us-west-1"],
│   on stacksets.tf line 58, in resource "aws_cloudformation_stack_set_instance" "main":
│   58: resource "aws_cloudformation_stack_set_instance" "main" {

@sbutler

sbutler commented Apr 29, 2022

After digging into it, I think my issue relates to this part of the code:

// Determine correct account ID for the Instance if created with deployment targets;
// we only expect the accountID to be the organization root ID or organizational unit (OU) IDs
// separated by a slash after creation.
if regexp.MustCompile(`(ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}|r-[a-z0-9]{4,32})`).MatchString(accountID) {
	orgIDs := strings.Split(accountID, "/")
	accountID, err = FindStackInstanceAccountIdByOrgIDs(conn, stackSetName, region, callAs, orgIDs)
	if err != nil {
		return fmt.Errorf("error finding CloudFormation StackSet Instance (%s) Account: %w", d.Id(), err)
	}
	d.SetId(StackSetInstanceCreateResourceID(stackSetName, accountID, region))
}

There are a lot of odd things going on in there. I understand that the deployment_targets stack instances aren't a traditional AWS resource you look up, so there's some pivot to an account to get additional attributes (like StackId). However...

  • Now the resource ID is tied to a particular account in one of the deployment OUs, whereas it started out as containing the deployment targets. What if the account it's tied to gets moved to another OU? I imagine it creates unnecessary plan/apply churn.
  • This fails badly when there are no accounts in the OU, as we've seen. To fix this I had to not only move accounts into the OU, but also terraform state rm and then terraform import (to fix the missing AccountID element in the resource ID).

I feel like the correct thing is to not look up accounts at all when deployment_targets are used and to leave attributes like stack_id and account_id empty.
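To make the failure mode concrete, here is an added example (not the provider's code, and not the fix in #24523) of parsing the STACKSETNAME,ACCOUNTID,REGION resource ID so that an OU/root target is kept distinct from a 12-digit account ID and the empty middle element seen in the reports is reported as an error rather than forwarded to the API. The type and function names and the OU ID in main are constructed for illustration; the OU/root pattern is the provider's regex above, anchored.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The middle slot of the ID holds either a 12-digit account ID or, when
// deployment_targets is used, a root ID / slash-separated OU IDs (provider regex above, anchored).
var (
	accountRE   = regexp.MustCompile(`^[0-9]{12}$`)
	orgTargetRE = regexp.MustCompile(`^(ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}|r-[a-z0-9]{4,32})(/(ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}|r-[a-z0-9]{4,32}))*$`)
)

// StackSetInstanceID (hypothetical type) is the parsed form of "STACKSETNAME,ACCOUNTID,REGION";
// exactly one of AccountID and OrgIDs is set.
type StackSetInstanceID struct {
	StackSetName string
	AccountID    string
	OrgIDs       []string
	Region       string
}

// ParseStackSetInstanceID (hypothetical) classifies the middle element instead of forwarding
// it to the API as an account, so an OU with no members never becomes an empty account ID.
func ParseStackSetInstanceID(id string) (StackSetInstanceID, error) {
	parts := strings.Split(id, ",")
	if len(parts) != 3 || parts[0] == "" || parts[2] == "" {
		return StackSetInstanceID{}, fmt.Errorf("unexpected format for ID (%s), expected STACKSETNAME,ACCOUNTID,REGION", id)
	}
	out := StackSetInstanceID{StackSetName: parts[0], Region: parts[2]}
	switch target := parts[1]; {
	case target == "":
		// "Test,,us-west-2" from the report: the target was lost, so the state entry is unusable
		return StackSetInstanceID{}, fmt.Errorf("ID (%s): account/target element is empty", id)
	case accountRE.MatchString(target):
		out.AccountID = target
	case orgTargetRE.MatchString(target):
		out.OrgIDs = strings.Split(target, "/")
	default:
		return StackSetInstanceID{}, fmt.Errorf("ID (%s): unrecognized target %q", id, target)
	}
	return out, nil
}

func main() {
	parsed, err := ParseStackSetInstanceID("Test,ou-abc123-deadbeef,us-west-2") // constructed OU ID
	fmt.Printf("%+v err=%v\n", parsed, err)
}
```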

@skurtEnd

skurtEnd commented Jun 12, 2023

Produced the same issue with a different scenario:

  • StackSet and StackSet instances created successfully although the terraform failed due to a different issue
  • Deleted the StackSet instances and the StackSet manually (because of the failure in the previous step)
  • Ran terraform again and got:
    - error finding CloudFormation StackSet Instance () Account: couldn't find resource

Because the StackSet and StackSet instances are already in the TF state, terraform is expecting the StackSet to exist so that it can remove the StackSet instance and re-create it, but it's already hitting that error in the destroy step.

Expected behaviour:
Terraform to remove the StackSet and StackSet instance resource from state when the StackSet doesn't exist

@vishal0511

Hi,

Any update on this request?

@jar-b jar-b self-assigned this Jul 19, 2023
@github-actions github-actions bot added this to the v5.9.0 milestone Jul 20, 2023
@github-actions

This functionality has been released in v5.9.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 20, 2023