
CloudFormation.Stackset - Plan Requires AdministrationRoleARN while Apply says "not supported" #12125

Closed
crispyblock opened this issue Feb 21, 2020 · 7 comments
Labels: enhancement (Requests to existing resources that expand the functionality or scope.), service/cloudformation (Issues and PRs that pertain to the cloudformation service.)
Milestone: v3.35.0

Comments


crispyblock commented Feb 21, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

12.21

```
Downloading plugin for provider "aws" (hashicorp/aws) 2.49.0...
```

Affected Resource(s)

  • aws_cloudformation_stack_set
    Specifically, the `administration_role_arn` attribute is acting inconsistently.

Terraform Configuration Files

```hcl
resource "aws_cloudformation_stack_set" "tgrc_platform_owner_account_access" {
  administration_role_arn = data.aws_iam_role.AWSCloudFormationStackSetsOrgAdminRole.arn
  name                    = "platform-owner-account-access"
  description             = "AWS CloudFormation IAM Role for Platform Owner Pivot access. It creates a single role granting assume access to the TrustedEntityArn parameter. "
  depends_on              = [aws_organizations_organization.org, ]
  #   permissions_model = SERVICE_MANAGED
  execution_role_name = "stacksets-exec-423b171060aaf4602fdc308b77d46dd8"
  parameters = {
    AuthorizedAssumerRoleArn = var.RoleArn
  }
  capabilities = [
    "CAPABILITY_NAMED_IAM",
  ]
  tags = merge(
    var.common_tags,
    {
      Name           = "Account Bootstrap Automation",
      AppName        = "Platform-Bootstrap",
      AppEnvironment = local.environment
    },
  )
  template_body = data.local_file.account-access-cloudformation-body.content
}
```

Debug Output

Expected Behavior

Apply Succeeds

Actual Behavior

Case Having Attribute - ValidationError during Apply

Case Without Attribute - "Error: Missing required argument" during Plan

Steps to Reproduce

Case Having Attribute

  1. `terraform plan` - Indicates no changes are being made to these attributes...

```
administration_role_arn = "arn:aws:iam::913701052451:role/aws-service-role/stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgAdmin"
arn                     = "arn:aws:cloudformation:us-east-1:xxxxxxxxxxx:stackset/tgrc-platform-owner-account-access:b9b11041-6539-4676-afca-89a46c3bca88"
capabilities            = [
  "CAPABILITY_NAMED_IAM",
]
description             = "AWS CloudFormation IAM Role for Platform Owner Pivot access."
execution_role_name     = "stacksets-exec-423b171060aaf4602fdc308b77d46dd8"
id                      = "tgrc-platform-owner-account-access"
name                    = "tgrc-platform-owner-account-access"
```

  2. `terraform apply` - Throws this validation error

```
Error: error updating CloudFormation Stack Set (tgrc-platform-owner-account-access): ValidationError: AdministrationRoleARN not supported
  status code: 400
```

Case Without Attribute

  1. This time I comment out the attribute from the resource (coded above)

```hcl
resource "aws_cloudformation_stack_set" "tgrc_platform_owner_account_access" {
  # administration_role_arn = data.aws_iam_role.AWSCloudFormationStackSetsOrgAdminRole.arn
  name                    = "platform-owner-account-access"
```
blah, blah

  2. During `terraform plan` I receive this error.

```
Error: Missing required argument

  on cloudformation_stackset.tf line 45, in resource "aws_cloudformation_stack_set" "tgrc_platform_owner_account_access":
  45: resource "aws_cloudformation_stack_set" "tgrc_platform_owner_account_access" {

The argument "administration_role_arn" is required, but no definition was
found.
```

Important Factoids

This is being applied to an organizational master account, thus `permissions_model = SERVICE_MANAGED` is set up.

References

  • #0000
@ghost ghost added the service/cloudformation Issues and PRs that pertain to the cloudformation service. label Feb 21, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Feb 21, 2020
jonshern commented

Looks like it is required. But may need to set to optional.

> --administration-role-arn (string)
>
> The Amazon Resource Number (ARN) of the IAM role to use to update this stack set.
> Specify an IAM role only if you are using customized administrator roles to control which users or groups can manage specific stack sets within the same administrator account. For more information, see Granting Permissions for Stack Set Operations in the AWS CloudFormation User Guide.
> If you specified a customized administrator role when you created the stack set, you must specify a customized administrator role, even if it is the same customized administrator role used with this stack set previously.

The Terraform provider schema indicates it is required.

```go
"administration_role_arn": {
	Type:         schema.TypeString,
	Required:     true,
	ValidateFunc: validateArn,
```
https://github.com/terraform-providers/terraform-provider-aws/blob/ef098db34234c4f533be2a3f5063bf609e960337/aws/resource_aws_cloudformation_stack_set.go#L32


marcelboettcher commented Feb 26, 2020

@jonshern yes, it is not required anymore with the integration into AWS Organizations.

bdwyertech commented

aws/aws-sdk-go@de8dd8e


bdwyertech commented Mar 24, 2020

Related: #12422 #12423 #12425

@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Mar 31, 2021
@bflad bflad self-assigned this Mar 31, 2021
@bflad bflad added this to the v3.35.0 milestone Mar 31, 2021
bflad (Contributor) commented Mar 31, 2021

Support for SERVICE_MANAGED CloudFormation Stack Sets has been merged as part of #12422 and will release with version 3.35.0 of the Terraform AWS Provider later this week. 👍
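As an added illustration (this is not code from the issue, the linked PRs, or the provider project), the following shows how the two permission models differ once `permission_model` became available in provider 3.35.0. The attribute names `permission_model` and `auto_deployment` are taken from my reading of the 3.35.0 resource documentation; the `member.org.stacksets.cloudformation.amazonaws.com` trusted-access principal, the `deployment_targets` block on the instance resource, and all names, variables, OU ids and the template path are assumptions or placeholders.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.35.0" # first release with permission_model / auto_deployment (assumed)
    }
  }
}

# Trusted access for StackSets must be enabled on the organization before a
# SERVICE_MANAGED stack set can be created. Principal name is an assumption.
resource "aws_organizations_organization" "org" {
  feature_set                   = "ALL"
  aws_service_access_principals = ["member.org.stacksets.cloudformation.amazonaws.com"]
}

# SELF_MANAGED (the only model the provider knew when this issue was opened):
# the administrator account owns an explicit administration role and every
# target account must carry an execution role that trusts it, so both
# administration_role_arn and execution_role_name are mandatory here.
resource "aws_cloudformation_stack_set" "self_managed" {
  name                    = "platform-owner-account-access-self-managed" # placeholder
  permission_model        = "SELF_MANAGED"
  administration_role_arn = var.stackset_admin_role_arn                   # placeholder variable
  execution_role_name     = "AWSCloudFormationStackSetExecutionRole"      # must pre-exist in each target account
  capabilities            = ["CAPABILITY_NAMED_IAM"]
  template_body           = file("${path.module}/account-access.yaml")    # placeholder path
  parameters = {
    AuthorizedAssumerRoleArn = var.authorized_assumer_role_arn # placeholder variable
  }
}

# SERVICE_MANAGED: CloudFormation uses its own service-linked role (the
# AWSServiceRoleForCloudFormationStackSetsOrgAdmin role seen in the plan output
# above) and creates the execution role in member accounts itself, so neither
# administration_role_arn nor execution_role_name is set. Setting them is what
# produced "AdministrationRoleARN not supported" in the original report.
resource "aws_cloudformation_stack_set" "service_managed" {
  name             = "platform-owner-account-access" # placeholder
  permission_model = "SERVICE_MANAGED"
  capabilities     = ["CAPABILITY_NAMED_IAM"]
  template_body    = file("${path.module}/account-access.yaml")
  parameters = {
    AuthorizedAssumerRoleArn = var.authorized_assumer_role_arn
  }
  auto_deployment {
    enabled                          = true
    # Tear the bootstrap access role down when an account leaves the targeted OU,
    # so a departed account does not keep a role trusting the platform owner.
    retain_stacks_on_account_removal = false
  }
  depends_on = [aws_organizations_organization.org]
}

# With SERVICE_MANAGED, instances target OUs rather than individual account ids;
# the deployment_targets block is assumed from the 3.35.0 instance resource.
resource "aws_cloudformation_stack_set_instance" "service_managed" {
  stack_set_name = aws_cloudformation_stack_set.service_managed.name
  region         = "us-east-1"
  deployment_targets {
    organizational_unit_ids = ["ou-xxxx-placeholder"] # placeholder OU id
  }
}
```

The practical check after upgrading is that `terraform plan` for the service-managed resource shows no `administration_role_arn` or `execution_role_name` at all; if either still appears, the resource is being evaluated under the SELF_MANAGED default and the apply will fail exactly as reported above.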

@bflad bflad closed this as completed Mar 31, 2021

ghost commented Apr 1, 2021

This has been released in version 3.35.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!


ghost commented May 1, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators May 1, 2021