[Bug]: Stackset module not respecting failure_tolerance_count/failure_tolerance_percentage

[soumyadipDe]

Terraform Core Version

v1.2.4

AWS Provider Version

v4.39.0

Affected Resource(s)

aws_cloudformation_stack_set

Expected Behavior

failure_tolerance_count or failure_tolerance_percentage should be configured in Stackset resources once given as part of operation_preferences.

Actual Behavior

failure_tolerance_count or failure_tolerance_percentage is showing 0 in AWS console and stack instances getting cancelled if a region is failed.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

data "local_file" "aws-config-stackset" {
  filename = "aws-config-stackset.yaml"
}
locals {
  aws_regions = [
    "eu-north-1",
    "ap-south-1",
    "eu-west-3",
    "eu-west-2",
    "eu-west-1",
    "ap-northeast-3",
    "ap-northeast-2",
    "ap-northeast-1",
    "sa-east-1",
    "ca-central-1",
    "ap-southeast-1",
    "ap-southeast-2",
    "eu-central-1",
    #"us-east-1",
    "us-east-2",
    "us-west-1",
    #"us-west-2"
  ]
}
resource "aws_cloudformation_stack_set" "ENABLE-AWS-CONFIG-MULTI-ACCOUNT-MULTI-REGION" {
  name             = "ENABLE-AWS-CONFIG-MULTI-ACCOUNT-MULTI-REGION"
  capabilities     = ["CAPABILITY_IAM"]
  permission_model = "SERVICE_MANAGED"

  operation_preferences {
    region_concurrency_type = "PARALLEL"
    max_concurrent_count = 100
    failure_tolerance_count = 999
  }
  parameters = {
    Frequency                  = "6hours"
    AllSupported               = "true"
    DeliveryChannelName        = "<Generated>"
    IncludeGlobalResourceTypes = "true"
    NotificationEmail          = "<None>"
    ResourceTypes              = "<All>"
    "TopicArn"                 = "<New Topic>"
  }

  template_body = data.local_file.aws-config-stackset.content

  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }

  timeouts {}
}

resource "aws_cloudformation_stack_set_instance" "ENABLE-AWS-CONFIG-MULTI-ACCOUNT-MULTI-REGION-INSTANCE" {
  stack_set_name = aws_cloudformation_stack_set.ENABLE-AWS-CONFIG-MULTI-ACCOUNT-MULTI-REGION.name
  deployment_targets {
    organizational_unit_ids = [
       "ou-something"
    ]
  }
  for_each = toset(local.aws_regions)
  region       = each.value
}

Steps to Reproduce

Deploying the stackset. It would not respect the failure tolerance value.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No response

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[JorisBoelen-TomTom]

I was experiencing some issues with this as well, but after some investigation I noticed that the operation_preferences argument can be set on both the aws_cloudformation_stack_set_instance and aws_cloudformation_stack_set resource types.

On the aws_cloudformation_stack_set_instance it applies to any modifications to the deployment targets (OUs, accounts, regions) On the aws_cloudformation_stack_set it applies to any modifications to the stack (template, parameters, tags)

When applied to both resources types it works for me as expected. Perhaps this is not a bug but just a confusing implementation?

[aries1980]

@JorisBoelen-TomTom : to me it is doesn't apply it on the stack set level either. It is like the whole operation_preferences gets ignored. See my comment on: https://github.com/hashicorp/terraform-provider-aws/issues/30806#issuecomment-1535460672

[podon]

I believe this is an issue with the AWS UI. After manually adjusting the tolerance count in the UI to 100, repeating the process shows a default of 1 again.