
Transform: AWS::Serverless-2016-10-31 CreateStackSet Not supported in SERVICE_MANAGED permission model

Open jewelsjacobs opened this issue 4 years ago • 10 comments

Summary

As mentioned in https://aws.amazon.com/about-aws/whats-new/2021/04/deploy-cloudformation-stacks-concurrently-across-multiple-aws-regions-using-aws-cloudformation-stacksets/ I figured I would convert an existing CloudFormation template I'm using in a stackset to use SAM transform Resources.

Current Behavior

sam build --config-env ${DEPLOYMENT_ENV} - successful
sam package --config-env ${DEPLOYMENT_ENV} - successful
sam deploy --config-env ${DEPLOYMENT_ENV} - successful as stack

 aws cloudformation create-stack-set \
  --stack-set-name "${APP}" \
  --template-body file://packaged.yaml \
  --permission-model SERVICE_MANAGED \
  --region us-east-1 \
  --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
  --parameters "ParameterKey=Environment,ParameterValue=${DEPLOYMENT_ENV}" \
  --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=true

Error: An error occurred (ValidationError) when calling the CreateStackSet operation: Transform is not supported in SERVICE_MANAGED permission model

Expected Behavior

CreateStackSet operation performs successfully using AWS::Serverless-2016-10-31 Transform

jewelsjacobs avatar Apr 19 '21 19:04 jewelsjacobs

left https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/207 open due to this. StackSets team said this seems like an unnecessary undersight

PatMyron avatar Apr 20 '21 18:04 PatMyron

Any news on this? Still a real POP (Point Of Pain) 🤕 🤣

jewelsjacobs avatar Jul 29 '21 14:07 jewelsjacobs

I second this.

PeterBengtson avatar Jun 17 '22 20:06 PeterBengtson

Yet another limitation to CloudFormation... I'm hoping for a fix here. Templates will be non-standard and ugly if we need to inline our lambdas in StackSets. :(

gomibushi avatar Feb 24 '23 14:02 gomibushi

Any news on this? :(

dalbirmonga avatar Aug 24 '23 01:08 dalbirmonga

The workaround is to deploy the stack on a test account, then download the processed template without any Transform statement. You can download the processed template like this:

aws cloudformation get-template --stack-name your-stack-name --template-stage Processed --query TemplateBody

galquezar avatar Nov 06 '23 07:11 galquezar
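A pre-flight check for the workaround in the comment above, as an added example that is not part of the original thread or of any AWS tooling: before a downloaded template is passed to create-stack-set, it confirms that no Transform section, Fn::Transform intrinsic or unexpanded AWS::Serverless::* resource type remains. It assumes the processed TemplateBody was saved as JSON; the function name and both sample templates are constructed for illustration.

```python
import json
import sys

def transform_leftovers(template_text):
    """List signs that a JSON template still depends on a transform."""
    template = json.loads(template_text)
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}"
                # Top-level Transform section, or the Fn::Transform intrinsic anywhere.
                if key == "Fn::Transform" or (path == "$" and key == "Transform"):
                    findings.append(f"{child}: transform declaration")
                else:
                    walk(value, child)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(template, "$")
    # SAM resource types only exist before AWS::Serverless-2016-10-31 is applied.
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "") if isinstance(res, dict) else ""
        if rtype.startswith("AWS::Serverless::"):
            findings.append(f"$.Resources.{name}: unexpanded type {rtype}")
    return findings

# Constructed sample inputs (not taken from the issue).
RAW = json.dumps({
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "Handler": {"Type": "AWS::Serverless::Function",
                    "Properties": {"Runtime": "python3.12", "Handler": "app.handler",
                                   "CodeUri": "s3://example-bucket/app.zip"}},
    },
})
PROCESSED = json.dumps({
    "Resources": {
        "Handler": {"Type": "AWS::Lambda::Function",
                    "Properties": {"Runtime": "python3.12", "Handler": "app.handler",
                                   "Code": {"S3Bucket": "example-bucket", "S3Key": "app.zip"},
                                   "Role": {"Fn::GetAtt": ["HandlerRole", "Arn"]}}},
        "HandlerRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    },
})

if __name__ == "__main__":
    problems = transform_leftovers(open(sys.argv[1]).read())
    print("\n".join(problems) or "no transform left in template")
    sys.exit(1 if problems else 0)
```

Run as a pipeline step with the saved template path as the only argument; a non-zero exit status means the template still needs processing.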

I wanted to also add my support for adding transform support to stacksets. We're trying to use the AWS::LanguageExtensions transform to use the enhanced !FindInMap function, as described here. For this transform, the work-around is not as trivial as deploying the stack and downloading the processed template. We'll need to use a host of nested !If functions as an alternative, which makes our template far less readable and cluttered 😭

n-tucker avatar Nov 19 '23 22:11 n-tucker

I'm using this method: https://github.com/aws/serverless-application-model/blob/develop/bin/sam-translate.py

nascit avatar Apr 25 '24 11:04 nascit

This is still a source of frustration - I don't really want to work around the problem as we need to be able to test what is being deployed as part of an automated pipeline.

TobySaundersGDS avatar Jul 30 '24 14:07 TobySaundersGDS

My workaround which is not really a workaround for all issues is to create a deployment bucket that is shared with read access to the org id. This way my functions in all my accounts get created because the source zip is available across the org. It is of course not SAM, but it lets you get your function code out of the CFN YAML.

gomibushi avatar Jul 30 '24 14:07 gomibushi