aws-samples / aws-security-reference-architecture-examples

Example solutions demonstrating how to implement patterns within the AWS Security Reference Architecture guide using CloudFormation (including Customizations for AWS Control Tower) and Terraform.

[Guidance] Stack_set deployment to OUs not deploying #164

Closed sbrown-tecracer closed 3 months ago

sbrown-tecracer commented 1 year ago

Stack_set deployment to OUs using the CustomControlTower-sra-account-alternate-contacts-main-ssm not deploying

Deploying stack_set to OUs under a CfCT environment gives the following error:

Error: ResourceLogicalId:rAccountAlternateContactsConfigurationIAMRoleStackSet, ResourceType:AWS::CloudFormation::StackSet, ResourceStatusReason:Resource handler returned message: "You must be the management account or delegated admin account of an organization before operating a SERVICE_MANAGED stack set (Service: CloudFormation, Status Code: 400, Request ID: 2933e127-b71d-4937-b63a-29ff1e3e1c39)" (RequestToken: e8857ad8-3d1b-d8d9-6c96-9fcf734eb13f, HandlerErrorCode: InvalidRequest).

Could someone point me to the required Role? Assuming this needs updating?

Environment

CfCT 2.6.0 / SRA 1.3 / Solution AlternateContacts 1.1

liamschn commented 1 year ago

Hi @sbrown-tecracer, are you by chance specifying organizational_units as the deployment_targets in your manifest file instead of accounts? If so, that is probably the source of your issue. You must specify the management account under accounts to deploy SRA solutions via CfCT (it will not deploy any other way).

    ...
    deployment_targets:
      accounts:
        - REPLACE_ME_ORG_MANAGEMENT_ACCOUNT_NAME

(You can use the management account name or account ID here.)
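For readers hitting the same error, here is the misconfigured manifest fragment beside the working one, as an added illustration that is not part of the original thread or the SRA repository. The resource name is derived from the stack name in the issue; the home region, template file path and OU name are assumed.

```yaml
# Added example, not from the thread or the SRA repository.
# CfCT manifest (version 2021-03-15). The SRA "main-ssm" template itself
# creates AWS::CloudFormation::StackSet resources with the SERVICE_MANAGED
# permission model. CloudFormation only accepts that from the organization
# management account (or a delegated admin), which is exactly what the
# "You must be the management account or delegated admin account ..."
# error in the issue reports. The CfCT deployment target must therefore be
# the management account, not an OU of member accounts.
region: us-east-1          # assumed home region
version: 2021-03-15

resources:
  # --- FAILS: CfCT deploys the template into every member account of the
  # OU, and the nested SERVICE_MANAGED StackSet is rejected in each of them.
  #- name: sra-account-alternate-contacts-main-ssm
  #  resource_file: templates/sra-account-alternate-contacts-main-ssm.yaml  # assumed path
  #  deploy_method: stack_set
  #  deployment_targets:
  #    organizational_units:
  #      - Security                                # assumed OU name
  #  regions:
  #    - us-east-1

  # --- WORKS: deploy once into the management account; the template's own
  # StackSets then fan out to the accounts/OUs its parameters configure.
  - name: sra-account-alternate-contacts-main-ssm
    resource_file: templates/sra-account-alternate-contacts-main-ssm.yaml  # assumed path
    deploy_method: stack_set
    deployment_targets:
      accounts:
        - REPLACE_ME_ORG_MANAGEMENT_ACCOUNT_NAME   # account name or 12-digit ID
    regions:
      - us-east-1
```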

sbrown-tecracer commented 1 year ago

Hi @liamschn, perfect, thank you.

As this is a "big bang" approach, omitting accounts / OUs to be deployed would need to be defined in the StackSets themselves?

liamschn commented 3 months ago

Closing; to recap, deploy via CfCT using the management account in the deployment target. OUs are a feature request we are considering (and of course how to do this).