-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stack set instance remains when an OU is removed in organizational_unit_ids #25253
Comments
I found that upon removal of an OU, the Terraform recognize that there is an OU removal. The state file removes the deleted OU as well. ~ deployment_targets {
~ organizational_unit_ids = [
- "my-ou-id-2",
# (1 unchanged element hidden)
]
} Then I did a query against the AWS cli and found the following:
There is a disconnect between the Terraform state versus what is actually in stack set itself. |
I ran the terraform apply in the debugging mode. It seems Terraform does a stack update AWS api call when the OU that is subject for removal is removed. In order to delete, Terraform needs to call stackset deletion API instead. |
Having this issue as well. I noticed in the state for the stackset_instance resource it shows the AWS account ID of the first stack that was created with the resource stackset_instance. It's not the account of ID of the stackset's account but just the first stack instance. If I remove an OU or even try to destroy the whole stackset it only deletes the 1st stackset instance in the account_id listed "123456789012"
I'm working around this by creating separate instances for each OU. If there are multiple accounts in that particular OU we still end up with the same issue when removing stacks. |
Hitting the same issue. Starting to develop a module to manage our stack sets. Assigning multiple OUs to each "aws_cloudformation_stack_set_instance" and a destroy only removes the first stack in the first account in the first OU. I see the account number in the state. When a destroy is run, I have to then manually log in and remove the stack set instances that are not destroy before I can destroy the stack set itself. main.tf
variables.tf
terraform.auto.tfvars
This will create two stack sets and two stack set instances. The stack does apply to the entire OU, including accounts in all sub-OUs. The first stack set instance has an account ID of the first account the stack set instance encounters in the OU tree. When a destroy is run, only the stack instance that was deployed to that account is removed, any subsequent accounts remain, so the destroy can't remove the stack set resources. Adding or removing OUs from the list per stack_set results in error, an OU that has no accounts results in error, and destroy fails because stack set instances remain post destroy. If I run: This does destroy a resource, but only the in that first account in the OU tree it found. Subsequently running: I'd expect it to destroy the stack set targeted. It seems to want to destroy both stack set resources for some reason, not just the targeted (even though it does warn that it was targeted), and it does. It is really hard to judge the behavior of what will happen after adding or removing OUs, and what will actually get pushed or not. I haven't run through all scenarios yet, but there is definitely something amiss with managing stack sets though. Currently it looks like the only way to manage the stacks is to apply them to specific accounts, but we're working with hundreds, which becomes unfeasible like this. We'll have to develop something externally that pulls accounts from OUs and feeds terraform. |
I'm encountering a similar behavior when attempting to delete the base stackset itself as well - the delete of the stackset doesn't happen because I'm guessing the individuals stacks distributed to our accounts aren't getting cleaned up as expected, resulting in terraform yielding:
|
I had some thought on it and this behavior makes sense. It is like an ASG -- Terraform can create it, create the launch config, and stuff happens, but AWS ultimately manages the state of the machines in there based on the asg/launch config params. This is similar, terraform can create the stack set, and apply the parameters around where the stacks are to be deployed, but AWS ultimately is managing the state of the stacks inside of it. I'm not sure there is a solution that can be done in terraform at all regarding this since the stack set is stack state tracking concept. Our roadmap will be dismantling stack sets and deploying individual stacks to accounts during build, shifting the state responsibility to terraform. All the same functionality, just state managed in terraform like we want! |
Warning This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them. Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed. |
This functionality has been released in v5.58.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Community Note
Terraform CLI and Terraform AWS Provider Version
Affected Resource(s)
Terraform Configuration Files
Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.
Debug Output
Panic Output
Expected Behavior
When removing an OU from a set of OUs using organizational_unit_ids inside the deployment_targets block, the stack set instance of the removed OU should be deleted.
Actual Behavior
When removing an OU from a set of OUs using organizational_unit_ids inside the deployment_targets block, the stack set instance of the removed OU remains.
Important Factoids
References
The text was updated successfully, but these errors were encountered: