aws-solutions / aws-control-tower-customizations

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html
Apache License 2.0

CfCT Deletes StackSets when using individual accounts in the manifest file #101

Open bigjimmynz opened 2 years ago

bigjimmynz commented 2 years ago

Describe the bug
If an AWS account is enrolled in Control Tower but does not have an entry in the AWSControlTowerBP-Baseline-CONFIG stackset (enrolled with existing Config resources), and you try to use the Account ID in the manifest file, it won't deploy a stack instance. And if one exists it will remove it.

To Reproduce
1. Have an existing AWS Account in an Org but not enrolled in Control Tower.
2. Make a support request to whitelist the Account so we can keep existing AWS Config resources.
3. Enroll the account in Control Tower.
4. Try and deploy a customization using the Account ID.

Expected behavior
When creating resources in the manifest file using a specified individual account list, the accounts that don't appear in the StackSet AWSControlTowerBP-BASELINE-CONFIG get removed from the list.

Please complete the following information about the solution:

To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "(SO0089) - customizations-for-aws-control-tower Solution. Version: v1.0.0". You can also find the version from releases

Screenshots
If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).

Additional context
Control Tower provides a new way of enrolling accounts when they already have AWS Config resources. This involves creating a support request to "whitelist" accounts so they can be enrolled successfully.

This seems to cause the result that the Account ID of the enrolled account does not get added to the Control Tower StackSet "AWSControlTowerBP-BASELINE-CONFIG". CfCT seems to use this StackSet as validation for the Account list.

When creating resources in the manifest file using a specified individual account list, the accounts that don't appear in the above StackSet get removed from the list. If the stackset has an instance relating to that account, it gets deleted.

The stackset may already exist, as we (ProServe) have migration patterns moving from the AWS Landing Zone, or other scenarios where we may migrate stacks between Landing Zone and Customizations StackSets.

Also with that new Config "whitelist" process this may create issues for other customers.
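A pre-flight check that surfaces the behaviour described in this issue before a pipeline run, written as an added example here (it is not part of CfCT or this issue). It compares the account IDs listed under each manifest resource against the accounts that actually have an instance in the AWSControlTowerBP-BASELINE-CONFIG StackSet, so accounts that CfCT would silently drop (and whose existing customization stack instances would be deleted) are reported up front. The manifest layout assumed is the CfCT v2 shape (`resources[].deployment_targets.accounts`); the sample manifest and baseline account set are constructed inline so the logic runs offline, and `fetch_baseline_accounts` shows how the live set would be gathered with boto3's CloudFormation `list_stack_instances` call.

```python
"""Pre-flight check: which manifest accounts lack a baseline CONFIG instance.

Added example, not CfCT code. Assumes the CfCT v2 manifest layout
(resources[].deployment_targets.accounts); sample data is constructed.
"""
from typing import Dict, List, Set

# StackSet the issue reports CfCT using to validate account lists.
BASELINE_STACKSET = "AWSControlTowerBP-BASELINE-CONFIG"

# Constructed sample manifest (account IDs are placeholders).
SAMPLE_MANIFEST = {
    "region": "us-east-1",
    "version": "2021-03-15",
    "resources": [
        {
            "name": "security-baseline",
            "resource_file": "templates/security-baseline.template",
            "deploy_method": "stack_set",
            "deployment_targets": {"accounts": ["111111111111", "222222222222"]},
        },
        {
            "name": "sandbox-guardrails",
            "resource_file": "templates/sandbox.template",
            "deploy_method": "stack_set",
            "deployment_targets": {"organizational_units": ["Sandbox"]},
        },
    ],
}

# Constructed: accounts that do have an instance in the baseline StackSet.
# 222222222222 is the "whitelisted" account enrolled with existing Config.
SAMPLE_BASELINE_ACCOUNTS = {"111111111111", "333333333333"}


def manifest_accounts(manifest: Dict) -> Dict[str, Set[str]]:
    """Map each resource name to the account IDs it targets directly.

    OU-only resources map to an empty set; they are not affected by the
    per-account validation described in the issue.
    """
    targets: Dict[str, Set[str]] = {}
    for resource in manifest.get("resources", []):
        accounts = resource.get("deployment_targets", {}).get("accounts") or []
        targets[resource["name"]] = {str(a) for a in accounts}
    return targets


def accounts_missing_from_baseline(
    manifest: Dict, baseline_accounts: Set[str]
) -> Dict[str, List[str]]:
    """Return {resource_name: [account_ids]} for accounts CfCT would drop.

    Only resources with at least one missing account are included.
    """
    missing: Dict[str, List[str]] = {}
    for name, accounts in manifest_accounts(manifest).items():
        dropped = sorted(accounts - baseline_accounts)
        if dropped:
            missing[name] = dropped
    return missing


def fetch_baseline_accounts(cloudformation_client) -> Set[str]:
    """Collect account IDs with an instance in the baseline StackSet.

    Uses CloudFormation ListStackInstances with manual NextToken paging.
    Pass a boto3 CloudFormation client created in the management account;
    not called by the offline sample run below.
    """
    accounts: Set[str] = set()
    kwargs = {"StackSetName": BASELINE_STACKSET}
    while True:
        page = cloudformation_client.list_stack_instances(**kwargs)
        accounts.update(s["Account"] for s in page.get("Summaries", []))
        token = page.get("NextToken")
        if not token:
            return accounts
        kwargs["NextToken"] = token


def report(missing: Dict[str, List[str]]) -> List[str]:
    """Render one warning line per affected resource."""
    lines = []
    for name, accounts in missing.items():
        lines.append(
            f"WARNING: resource '{name}' targets account(s) {', '.join(accounts)} "
            f"with no instance in {BASELINE_STACKSET}; CfCT would skip them "
            f"and delete any existing stack instances for them."
        )
    return lines


if __name__ == "__main__":
    for line in report(accounts_missing_from_baseline(SAMPLE_MANIFEST, SAMPLE_BASELINE_ACCOUNTS)):
        print(line)
```

Run it against a real manifest by loading the YAML into a dict and replacing `SAMPLE_BASELINE_ACCOUNTS` with the result of `fetch_baseline_accounts(boto3.client("cloudformation"))`; a non-empty result is the signal to enroll the account into the baseline StackSet (or move the resource to OU targeting) before letting the pipeline run.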

snebhu3 commented 2 years ago

@bigjimmynz thank you for highlighting the issue. We have created a backlog to address this.