Serviced Managed Stacksets Not Working #22867

ifunky opened this issue Feb 1, 2022 · 11 comments
Labels
bug Addresses a defect in current functionality. service/cloudformation Issues and PRs that pertain to the cloudformation service.

Comments

@ifunky

ifunky commented Feb 1, 2022

Hi,

I have a delegated admin account (security), and when I try to create stack sets via aws_cloudformation_stack_set I receive the following error:

Error: error creating CloudFormation StackSet (Sec-Hub-SHARR-Members-Role): ValidationError: You must be the master or delegated admin account of an organization before operating a SERVICE_MANAGED stack set status code: 400,

Example Code

resource "aws_cloudformation_stack_set" "sec_hub_sharr_members_role" {
  name = "Sec-Hub-SHARR-Members-Role"

  permission_model = "SERVICE_MANAGED"

  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }

  template_url = "https://solutions-reference.s3.amazonaws.com/aws-security-hub-automated-response-and-remediation/latest/aws-sharr-member-roles.template"
}

If I create the exact same stack via the console it works.

Any ideas please?

Thanks

Dan

@justinretzolk
Member

Hey @ifunky 👋 Thank you for taking the time to raise this. If you feel this is a bug, can you update the issue description with the additional information requested in the bug template? Alternatively, if you don't feel that this is a bug, and is instead something that you just have a question on, the AWS Provider Discuss forum may also be a good place to ask.

@albertorm95
Contributor

albertorm95 commented Feb 18, 2022

@justinretzolk
Member

Hey @ifunky 👋 Given the comment above, can you test this again with version 4.1.0 of the provider?

@michael-ullrich-1010

michael-ullrich-1010 commented Aug 31, 2022

Hi @justinretzolk,
I use the aws provider v4.25.0 and still have the issue.
Kind regards
Michael

@ifunky
Author

ifunky commented Sep 16, 2022

Hello,

Sorry for the delay @justinretzolk !

I'm using the latest as of today (v4.31.0) and still receive the same error.

Thanks

Dan

@michael-ullrich-1010

Hi @ifunky,
this setting worked for me:

auto_deployment {
  enabled = true
}
permission_model = "SERVICE_MANAGED"
call_as          = "DELEGATED_ADMIN"

Regards
Michael

@justinretzolk
Member

Hey @ifunky, no worries! After upgrading, did you add the new call_as argument set to DELEGATED_ADMIN, as was mentioned above?

@ifunky
Author

ifunky commented Sep 27, 2022

Good Afternoon,

Thanks @michael-ullrich-1010 and @justinretzolk the stacks are running now from the delegated admin account :-)

Cheers

Dan

@ifunky
Author

ifunky commented Oct 3, 2022

Hi @justinretzolk,

Actually, I thought the delegated functionality was working, but it isn't. The example below runs from my management account but not from my delegated security account:

resource "aws_cloudformation_stack_set" "enable_guardduty" {
  name = "Enable-Guardduty"

  permission_model = "SERVICE_MANAGED"
  call_as          = "DELEGATED_ADMIN" # "SELF" when run from the management account

  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }

  capabilities = ["CAPABILITY_NAMED_IAM"]

  parameters = {
    MasterId = "123456789012"
  }

  template_url = "https://cloudformation-stackset-sample-templates-us-east-1.s3.us-east-1.amazonaws.com/EnableAWSGuardDuty.yml"
}

resource "aws_cloudformation_stack_set_instance" "enable_guardduty" {
  deployment_targets {
    organizational_unit_ids = ["r-sk85"]
  }

  region         = var.region
  stack_set_name = aws_cloudformation_stack_set.enable_guardduty.name
}

ERROR

Error: error waiting for CloudFormation StackSet Instance () creation: error creating CloudFormation StackSet (Enable-Guardduty) Instance: StackSetNotFoundException: StackSet Enable-Guardduty not found
  status code: 404, request id: b36b194f-ac7f-4721-be01-7ed541f52ffc

  with aws_cloudformation_stack_set_instance.enable_guardduty,
  on cf_stackset_enable_guardduty.tf line 24, in resource "aws_cloudformation_stack_set_instance" "enable_guardduty":
  24: resource "aws_cloudformation_stack_set_instance" "enable_guardduty" {

Thanks

Dan

@aleksk24

@ifunky Try adding the call_as = "DELEGATED_ADMIN" argument to the aws_cloudformation_stack_set_instance.enable_guardduty resource as well. For me this helped.
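The complete pattern that the two suggestions above (call_as on the stack set, and again on the stack set instance) add up to, written out as an added example rather than code from the issue or from the provider's own documentation. The two resources make separate CloudFormation API calls, and call_as defaults to SELF on each of them, so an instance without it asks CloudFormation for a stack set owned by the calling account itself rather than one it manages as delegated admin, which is consistent with the StackSetNotFoundException seen above. The provider alias, assumed role ARN, OU id, region and the account id used for MasterId are placeholders I have assumed; the version constraint assumes call_as landed in provider 4.1.0, the release the maintainer pointed at.

```hcl
# Added example (not from the issue): SERVICE_MANAGED stack set created from a
# delegated-administrator account, with call_as set on BOTH resources.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.1.0" # assumption: first release carrying call_as
    }
  }
}

variable "region" {
  type    = string
  default = "eu-west-1" # assumed
}

variable "target_ou_ids" {
  type    = list(string)
  default = ["ou-abcd-11111111"] # assumed OU id; may also be the root id (r-xxxx)
}

# Credentials for the account registered as StackSets delegated administrator.
# Everything here is assumed; in practice this is whatever role your pipeline uses.
provider "aws" {
  alias  = "delegated_admin"
  region = var.region

  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/TerraformDeploy" # assumed
  }
}

resource "aws_cloudformation_stack_set" "enable_guardduty" {
  provider = aws.delegated_admin

  name             = "Enable-Guardduty"
  permission_model = "SERVICE_MANAGED"
  call_as          = "DELEGATED_ADMIN" # default is SELF

  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }

  capabilities = ["CAPABILITY_NAMED_IAM"]

  parameters = {
    MasterId = "123456789012" # placeholder account id, as in the issue
  }

  template_url = "https://cloudformation-stackset-sample-templates-us-east-1.s3.us-east-1.amazonaws.com/EnableAWSGuardDuty.yml"
}

resource "aws_cloudformation_stack_set_instance" "enable_guardduty" {
  provider = aws.delegated_admin

  stack_set_name = aws_cloudformation_stack_set.enable_guardduty.name
  region         = var.region

  # Must match the stack set. Without it the lookup is made as SELF and the
  # delegated-admin-managed stack set is not found (StackSetNotFoundException, 404).
  call_as = "DELEGATED_ADMIN"

  deployment_targets {
    organizational_unit_ids = var.target_ou_ids
  }

  # Fail fast rather than rolling a broken template across the whole OU.
  operation_preferences {
    failure_tolerance_count = 0
    max_concurrent_count    = 5
  }
}
```

Before blaming the provider, confirm from the management account that the account Terraform runs in is actually registered as the StackSets delegated administrator: aws organizations list-delegated-administrators --service-principal member.org.stacksets.cloudformation.amazonaws.com should list it. If it does not, the "You must be the master or delegated admin account" ValidationError is expected regardless of call_as, and registering it (register-delegated-administrator with the same service principal) is the fix, not a Terraform change.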

@popsicleslayer

Hi!
I ran into the same problem.
Tried with call_as = "DELEGATED_ADMIN" and it didn't help. When deployed manually, the same template works perfectly in the account that is the delegated admin. Unfortunately, we had to deploy from the root account, which solved the problem but is not a desired solution. I hope there is going to be a solution to this soon :)
