aws-solutions / aws-control-tower-customizations

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html
Apache License 2.0

defining duplicate stackset reference in manifest.yaml isnt detected #26

Open adamcousins opened 4 years ago

adamcousins commented 4 years ago

When defining a stackset resource in the manifest.yaml file, I have the following in manifest.yaml:

```yaml
  - name: baseline-vpc
    template_file: templates/network/vpc.yaml
    parameter_file: parameters/network/oregon/vpc.json
    deploy_method: stack_set
    deploy_to_ou:
      - NonProduction
      - Production
    deploy_to_account:
      - 'xxxxxxxxx'
    regions:
      - us-west-2
```
which works as expected and deployed correctly.

After defining an additional stackset resource in manifest.yaml:

```yaml
  - name: baseline-vpc
    template_file: templates/network/vpc.yaml
    parameter_file: parameters/network/oregon/vpc.json
    deploy_method: stack_set
    deploy_to_ou:
      - NonProduction
      - Production
    deploy_to_account:
      - 'xxxxxxxxx'
    regions:
      - us-west-2

  - name: baseline-vpc
    template_file: templates/network/vpc.yaml
    parameter_file: parameters/network/sydney/vpc.json
    deploy_method: stack_set
    deploy_to_ou:
      - NonProduction
      - Production
    deploy_to_account:
      - 'xxxxxxxxx'
    regions:
      - ap-southeast-2
```
the behaviour I experienced was a creation event in the ap-southeast-2 region for my additional stack instances, but then a subsequent Delete event for the region us-west-2, which was defined earlier by the same name as the new addition.

Can the manifest file be checked for duplicate resources or merge duplicate resources to be combined?

In my situation VPC resources were deleted in us-west-2 until a resource dependency was found and the stack instance threw a failure, halting the remaining stack instances from being processed.
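A pre-flight check along the lines the reporter asks for, as an added example that is not part of the aws-control-tower-customizations project: it flags stack set names that appear more than once, lists the stack instances that would be deleted rather than created if the later definition replaces the earlier one (an assumption modelled on the behaviour described above, where ap-southeast-2 was created and us-west-2 deleted), and merges same-name entries only when they differ in targets and regions alone. Entries whose `template_file` or `parameter_file` differ are refused, because a single stack set carries a single parameter set, so a union of the two manifests above cannot be expressed without a rename. The sample manifest is constructed to mirror the issue's YAML, with placeholder account IDs; loading a real manifest.yaml (for example with PyYAML's `safe_load`) and passing its list of resource entries is left to the caller.

```python
"""Pre-flight check for a CfCT-style manifest: detect duplicate stack set names,
show which stack instances a last-definition-wins deployer would drop, and merge
duplicates that differ only in targets and regions.

Added example, not code from the aws-control-tower-customizations project.
Assumption: when two resources share a name, the later one replaces the earlier
one (consistent with the create-in-ap-southeast-2 / delete-in-us-west-2 report).
"""
from collections import defaultdict

# Constructed sample mirroring the reporter's second manifest; account IDs are placeholders.
MANIFEST_RESOURCES = [
    {
        "name": "baseline-vpc",
        "template_file": "templates/network/vpc.yaml",
        "parameter_file": "parameters/network/oregon/vpc.json",
        "deploy_method": "stack_set",
        "deploy_to_ou": ["NonProduction", "Production"],
        "deploy_to_account": ["111111111111"],
        "regions": ["us-west-2"],
    },
    {
        "name": "baseline-vpc",
        "template_file": "templates/network/vpc.yaml",
        "parameter_file": "parameters/network/sydney/vpc.json",
        "deploy_method": "stack_set",
        "deploy_to_ou": ["NonProduction", "Production"],
        "deploy_to_account": ["111111111111"],
        "regions": ["ap-southeast-2"],
    },
    {
        "name": "baseline-iam",
        "template_file": "templates/iam/roles.yaml",
        "parameter_file": "parameters/iam/roles.json",
        "deploy_method": "stack_set",
        "deploy_to_ou": ["Core"],
        "regions": ["us-east-1"],
    },
]


def find_duplicate_names(resources):
    """Return {name: [indices]} for every stack_set name defined more than once."""
    seen = defaultdict(list)
    for idx, res in enumerate(resources):
        if res.get("deploy_method") == "stack_set":
            seen[res["name"]].append(idx)
    return {name: idxs for name, idxs in seen.items() if len(idxs) > 1}


def instances(res):
    """Expand one resource into the set of (name, target, region) stack instances it declares."""
    targets = list(res.get("deploy_to_ou", [])) + list(res.get("deploy_to_account", []))
    return {(res["name"], t, r) for t in targets for r in res.get("regions", [])}


def last_wins(resources):
    """Model a deployer that keeps only the last definition of each name (assumption)."""
    effective = {}
    for res in resources:
        effective[res["name"]] = res
    return effective


def instances_lost_to_duplicates(resources):
    """Instances declared somewhere in the manifest but absent from the winning definitions;
    a last-wins deployer would delete these instead of creating them."""
    declared = set().union(*(instances(r) for r in resources))
    kept = set().union(*(instances(r) for r in last_wins(resources).values()))
    return declared - kept


def merge_duplicates(resources):
    """Combine same-name stack sets whose only differences are targets and regions.
    Raises ValueError if template_file, parameter_file or deploy_method differ, since one
    stack set has one parameter set and the two cannot be unioned without a rename."""
    merged, order = {}, []
    for res in resources:
        name = res["name"]
        if name not in merged:
            merged[name] = {k: (list(v) if isinstance(v, list) else v) for k, v in res.items()}
            order.append(name)
            continue
        base = merged[name]
        for key in ("template_file", "parameter_file", "deploy_method"):
            if base.get(key) != res.get(key):
                raise ValueError(f"{name}: duplicate definitions disagree on {key} "
                                 f"({base.get(key)!r} vs {res.get(key)!r}); rename one of them")
        for key in ("deploy_to_ou", "deploy_to_account", "regions"):
            for item in res.get(key, []):
                if item not in base.setdefault(key, []):
                    base[key].append(item)
    return [merged[n] for n in order]


def check_manifest(resources):
    """Return human-readable findings; an empty list means no duplicate names were found."""
    findings = []
    for name, idxs in find_duplicate_names(resources).items():
        findings.append(f"stack set '{name}' defined {len(idxs)} times (resource indices {idxs})")
    for name, target, region in sorted(instances_lost_to_duplicates(resources)):
        findings.append(f"instance {name} in {target}/{region} would be deleted, not created")
    return findings


if __name__ == "__main__":
    for line in check_manifest(MANIFEST_RESOURCES):
        print(line)
```

Run `check_manifest` against the parsed resource list before the pipeline consumes it and fail the build on any finding; `merge_duplicates` is only safe to apply automatically when it does not raise, which for the two VPC entries above it will, because the Oregon and Sydney parameter files differ.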

groverlalit commented 4 years ago

@adamcousins Thanks for bringing this up. Detecting duplicate stack set names in the manifest seems to be a valid feature request. We have added this to our backlog.

mcripps9 commented 3 years ago

We have this need too. We normally use us-east-1 and us-east-2, but have a new workload that has to run in eu-west-1. As I see it, we are forced to deploy all of our baseline stacks to all three regions in all accounts, even though we only really need eu-west-1 in the Core OU plus the specific workload accounts.

It seems like we might be able to define new stack sets using the same template but different stack set names to get around this, but that seems overly complicated, and will likely make the whole pipeline take longer to execute.

cacack commented 3 years ago

I just got bit by this today -- and on the same baseline IAM stackset copy pasta. Luckily we're not into production yet, but had this been, it would have totally knocked out our accounts...

cacack commented 3 years ago

I would phrase this as a serious bug...