aws-control-tower-customizations
aws-control-tower-customizations copied to clipboard
aws-solutions
defining duplicate stackset reference in manifest.yaml isnt detected
When defining a stackset resource in the manifest.yaml file, I have the following: manifest.yaml
- name: baseline-vpc
template_file: templates/network/vpc.yaml
parameter_file: parameters/network/oregon/vpc.json
deploy_method: stack_set
deploy_to_ou:
- NonProduction
- Production
deploy_to_account:
- 'xxxxxxxxx'
regions:
- us-west-2
which works as expected and deployed correctly.
After defining an additional stackset resource manifest.yaml
- name: baseline-vpc
template_file: templates/network/vpc.yaml
parameter_file: parameters/network/oregon/vpc.json
deploy_method: stack_set
deploy_to_ou:
- NonProduction
- Production
deploy_to_account:
- 'xxxxxxxxx'
regions:
- us-west-2
- name: baseline-vpc
template_file: templates/network/vpc.yaml
parameter_file: parameters/network/sydney/vpc.json
deploy_method: stack_set
deploy_to_ou:
- NonProduction
- Production
deploy_to_account:
- 'xxxxxxxxx'
regions:
- ap-southeast-2
the behaviour i experienced was a creation event in the ap-southeast-2 region for my additional stack instances, but then a subsequent Delete event for the region us-west-2 which was defined earlier by the same name as the new addition.
Can the manifest file be checked for duplicate resources or merge duplicate resources to be combined?
In my situation VPC resources were deleted in us-west-2 until a resource dependency was found and the stack instance threw a failure holting the remaining stack instances from being processed.
@adamcousins Thanks for bring this up. Detecting duplicate stack set names in the manifest seems to be a valid feature request. We have added this our backlog.
We have this need too. We normally us us-east-1 and us-east-2, but have a new workload that has to run in eu-west-1. As I see it, we are forced to deploy all of our baseline stacks to all three regions in all accounts, even though we only really need eu-west-1 in the Core OU plus the specific workload accounts.
It seems like we might be able to define new stack sets using the same template but different stack set names to get around this, but that seems overly complicated, and will likely the whole pipeline take longer to execute.
I just got bit by this today -- and on the same baseline IAM stackset copy pasta. Luckily we're not into production yet, but had this been, it would have been totally knocked out our accounts...
