aws-cloudformation / aws-cloudformation-resource-providers-cloudformation

The CloudFormation Resource Provider Package For AWS CloudFormation
https://aws.amazon.com/cloudformation/
Apache License 2.0

Extend StackSet to support CallAs property #56

Closed gergo-dryrun closed 3 years ago

gergo-dryrun commented 3 years ago

Hello,

Since the Delegate administrator feature for CloudFormation StackSets has been added, it would be great to extend the StackSet resource to support the CallAs property so as to be able to create SERVICE_MANAGED StackSets from a delegated admin account.

Without the CallAs field present, the resource creation fails with:

You must be the master or delegated admin account of an organization before operating a SERVICE_MANAGED stack set (Service: CloudFormation, Status Code: 400, Request ID: b9771de4-b4df-4851-9eeb-<#####>, Extended Request ID: null)

When trying to set it to CallAs: DELEGATED_ADMIN, the resource creation fails (as expected) with:

Properties validation failed for resource DemoServiceManagedStackSets with message: #: #: only 1 subschema matches out of 2 #: extraneous key [CallAs] is not permitted

I'm not a Java developer, but my initial idea was to try and follow along the lines of the PermissionModel attribute and extend the aws-cloudformation-stackset.json schema definition and ResourceModelBuilder.java.

However, looking at the CloudFormation StackSet relevant APIs which accept CallAs as an optional parameter, it seems to be all of them, and I'm not sure if those changes would be enough, or how best to extend support for this field.

Thoughts?

Cheers, Gergo

gergo-dryrun commented 3 years ago

Seems to have been added in https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-cloudformation/pull/61, closing this issue.