
Service Managed StackSets Not Working

Open ifunky opened this issue 3 years ago • 7 comments

Hi,

I have a delegated admin account (security) and when I'm trying to create stacksets via aws_cloudformation_stack_set I receive the following error:

Error: error creating CloudFormation StackSet (Sec-Hub-SHARR-Members-Role): ValidationError: You must be the master or delegated admin account of an organization before operating a SERVICE_MANAGED stack set status code: 400,

Example Code

resource "aws_cloudformation_stack_set" "sec_hub_sharr_members_role" {
  name = "Sec-Hub-SHARR-Members-Role"

  permission_model = "SERVICE_MANAGED"
  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }

  template_url = "https://solutions-reference.s3.amazonaws.com/aws-security-hub-automated-response-and-remediation/latest/aws-sharr-member-roles.template"
}

If I create the exact same stack via the console it works.

Any ideas please?

Thanks

Dan

ifunky, Feb 01 '22 12:02

Hey @ifunky 👋 Thank you for taking the time to raise this. If you feel this is a bug, can you update the issue description with the additional information requested in the bug template? Alternatively, if you don't feel that this is a bug, and is instead something that you just have a question on, the AWS Provider Discuss forum may also be a good place to ask.

justinretzolk, Feb 01 '22 19:02

You will need this:

  • https://github.com/hashicorp/terraform-provider-aws/pull/22440
  • https://github.com/hashicorp/terraform-provider-aws/releases/tag/v4.1.0

albertorm95, Feb 18 '22 15:02

Hey @ifunky 👋 Given the comment above, can you test this again with version 4.1.0 of the provider?

justinretzolk, Mar 01 '22 18:03

Hi @justinretzolk, I use aws v4.25.0 and still have the issue.

Kind regards
Michael

michael-ullrich-1010, Aug 31 '22 08:08

Hello,

Sorry for the delay @justinretzolk !

I'm using the latest as of today (v4.31.0) and still receive the same error.

Thanks

Dan

ifunky, Sep 16 '22 09:09

Hi @ifunky, this setting worked for me:

  permission_model = "SERVICE_MANAGED"
  call_as          = "DELEGATED_ADMIN"
  auto_deployment {
    enabled = true
  }

Regards Michael

michael-ullrich-1010, Sep 20 '22 08:09

Hey @ifunky, no worries! After upgrading, did you add the new call_as argument set to DELEGATED_ADMIN, as was mentioned above?

justinretzolk, Sep 21 '22 19:09

Good Afternoon,

Thanks @michael-ullrich-1010 and @justinretzolk the stacks are running now from the delegated admin account :-)

Cheers

Dan

ifunky, Sep 27 '22 14:09

Hi @justinretzolk,

Actually I thought the delegated functionality was working but it's not, if you take the example below it runs from my management account but not from my delegated security account:

resource "aws_cloudformation_stack_set" "enable_guardduty" {
  name = "Enable-Guardduty"

  permission_model = "SERVICE_MANAGED"
  call_as          = "DELEGATED_ADMIN"  # SELF

  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }

  capabilities = ["CAPABILITY_NAMED_IAM"]

  parameters = {
    MasterId = "123456789012"
  }

  template_url = "https://cloudformation-stackset-sample-templates-us-east-1.s3.us-east-1.amazonaws.com/EnableAWSGuardDuty.yml"
}

resource "aws_cloudformation_stack_set_instance" "enable_guardduty" {
  deployment_targets {
    organizational_unit_ids = ["r-sk85"]
  }

  region         = var.region
  stack_set_name = aws_cloudformation_stack_set.enable_guardduty.name
}

ERROR

  Error: error waiting for CloudFormation StackSet Instance () creation: error creating CloudFormation StackSet (Enable-Guardduty) Instance: StackSetNotFoundException: StackSet Enable-Guardduty not found
    status code: 404, request id: b36b194f-ac7f-4721-be01-7ed541f52ffc

    with aws_cloudformation_stack_set_instance.enable_guardduty,
    on cf_stackset_enable_guardduty.tf line 24, in resource "aws_cloudformation_stack_set_instance" "enable_guardduty":
    24: resource "aws_cloudformation_stack_set_instance" "enable_guardduty" {

Thanks

Dan

ifunky, Oct 03 '22 10:10

@ifunky Try adding the call_as = "DELEGATED_ADMIN" parameter to the aws_cloudformation_stack_set_instance.enable_guardduty resource as well. For me this helped.

aleksk24, Dec 12 '22 14:12
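Putting the thread's two fixes together (a provider at or above v4.1.0, and call_as = "DELEGATED_ADMIN" on both the stack set and the stack set instance), the configuration below is an added example for this issue, not code posted by any participant or shipped by the provider. The provider block, the region value and the template/parameter values are assumptions carried over from the posted snippets; the organisation root ID r-sk85 and the StackSet name are the ones used above. The point it demonstrates is that call_as is a per-resource argument: the instance resource performs its own DescribeStackSet call, so if it is left at the default SELF while running from the delegated admin account, the StackSet created with DELEGATED_ADMIN is not visible to it and the create fails with StackSetNotFoundException, exactly as in the error quoted above.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      # call_as was introduced in v4.1.0 (hashicorp/terraform-provider-aws PR 22440);
      # older providers silently call the API as SELF and hit the ValidationError above.
      version = ">= 4.1.0"
    }
  }
}

# Assumption: these credentials belong to the account that has been registered as the
# delegated administrator for CloudFormation StackSets in the organisation.
provider "aws" {
  region = "us-east-1" # assumed; the original used var.region
}

resource "aws_cloudformation_stack_set" "enable_guardduty" {
  name = "Enable-Guardduty"

  permission_model = "SERVICE_MANAGED"
  call_as          = "DELEGATED_ADMIN" # SELF (the default) only works from the management account

  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }

  # The sample template creates named IAM roles in every target account.
  capabilities = ["CAPABILITY_NAMED_IAM"]

  parameters = {
    MasterId = "123456789012" # assumed placeholder, as in the original post
  }

  template_url = "https://cloudformation-stackset-sample-templates-us-east-1.s3.us-east-1.amazonaws.com/EnableAWSGuardDuty.yml"
}

resource "aws_cloudformation_stack_set_instance" "enable_guardduty" {
  stack_set_name = aws_cloudformation_stack_set.enable_guardduty.name

  # Must match the stack set: the instance resource looks the StackSet up with its own
  # call_as, and a SELF lookup from the delegated admin account returns StackSetNotFoundException.
  call_as = "DELEGATED_ADMIN"

  deployment_targets {
    # Targeting the organisation root deploys the stack into every account in the org.
    organizational_unit_ids = ["r-sk85"]
  }

  region = "us-east-1" # assumed; the original used var.region
}
```

Two things worth checking before applying this from a security account: `terraform providers` should report an aws provider at 4.1.0 or later, and the account must actually be registered as the StackSets delegated administrator, since the ValidationError in the first post is raised by the CloudFormation API regardless of how Terraform is configured. Because the target is the root OU and the template needs CAPABILITY_NAMED_IAM, a successful apply creates IAM roles in every member account, so review the template before the first run.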

Hi! I ran into the same problem. Tried with call_as = "DELEGATED_ADMIN" and it didn't help. When deployed manually the same template works perfectly in the account that is the delegated admin. Unfortunately, we had to deploy from the root account which solved the problem, but is not a desired solution. I hope there is going to be a solution to this soon :)

popsicleslayer, Jul 14 '23 09:07