Open pedrofenix19 opened 1 year ago
Same issue here, some more info. My aws_cloudformation_stack_set got created with permission_model = "SERVICE_MANAGED" and call_as = "DELEGATED_ADMIN".
I believe this creates an issue during the import, which can already be seen with the AWS CLI.

```shell
aws cloudformation list-stack-sets
```
```json
{
    "Summaries": []
}
```

The CLI requires the --call-as flag:

```shell
aws cloudformation list-stack-sets --call-as DELEGATED_ADMIN
```
```json
{
    "Summaries": [
        {
            "StackSetName": "MyStackSet",
            "StackSetId": "MyStackSetId",
            "Description": "description",
            "Status": "ACTIVE",
            "AutoDeployment": {
                "Enabled": false
            },
            "PermissionModel": "SERVICE_MANAGED",
            "DriftStatus": "NOT_CHECKED"
        }
    ]
}
```

I believe Terraform doesn't use the StackSet call_as flag when running the import and thus cannot see the resource at all.

EDIT: I ended up manually manipulating the state file to move the CloudFormation StackSet from one account to another.

Source Account
```shell
terraform state pull > state-pull.json
# use text editor to copy resource JSON for StackSet and StackSet instance
terraform state rm aws_cloudformation_stack_set.my_stack_set
terraform state rm 'aws_cloudformation_stack_set_instance.my_stack_set_instance["ou-xxxx-xxxxxxxx"]'
```

Destination Account
```shell
terraform state pull > state-pull.json
# use text editor to add the resource JSON for StackSet and StackSet instance
terraform state push state-pull.json
```

Note: If you use S3 to store your state files you can copy it locally and reconfigure your terraform to test your state file before pushing it.
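The pull / edit / rm / push workflow above, with the text-editor step done by a script instead of by hand. This is an added example, not the commenter's or the provider's code: the two state documents are constructed samples of the JSON that `terraform state pull` returns, and the resource addresses are the ones used in the comment.

```python
import copy

# Constructed sample of a pulled Terraform state (`terraform state pull > state-pull.json`),
# trimmed to the fields that matter for moving resources between two states.
PROVIDER = 'provider["registry.terraform.io/hashicorp/aws"]'
SOURCE_STATE = {
    "version": 4, "terraform_version": "1.3.0", "serial": 7, "lineage": "src-lineage", "outputs": {},
    "resources": [
        {"mode": "managed", "type": "aws_cloudformation_stack_set", "name": "my_stack_set",
         "provider": PROVIDER, "instances": [{"schema_version": 0, "attributes": {
             "name": "MyStackSet", "permission_model": "SERVICE_MANAGED", "call_as": "DELEGATED_ADMIN"}}]},
        {"mode": "managed", "type": "aws_cloudformation_stack_set_instance", "name": "my_stack_set_instance",
         "provider": PROVIDER, "instances": [{"index_key": "ou-xxxx-xxxxxxxx", "schema_version": 0,
             "attributes": {"stack_set_name": "MyStackSet", "call_as": "DELEGATED_ADMIN"}}]},
        {"mode": "managed", "type": "aws_s3_bucket", "name": "unrelated", "provider": PROVIDER,
         "instances": [{"schema_version": 0, "attributes": {"bucket": "stays-in-source"}}]},
    ],
}
# Constructed sample of the destination account's own pulled state (different lineage).
DEST_STATE = {"version": 4, "terraform_version": "1.3.0", "serial": 3, "lineage": "dst-lineage",
              "outputs": {}, "resources": []}


def address(res):
    """Resource address as used by `terraform state rm`, minus any instance key."""
    return f"{res['type']}.{res['name']}"


def move_resources(src, dst, addresses):
    """Move whole resource entries (all their instances) from src to dst.
    Returns (new_src, new_dst); the inputs are left untouched. Both serials are
    bumped because `terraform state push` rejects a state whose serial equals
    the remote one but whose content differs."""
    src, dst = copy.deepcopy(src), copy.deepcopy(dst)
    wanted = set(addresses)
    moved = [r for r in src["resources"] if address(r) in wanted]
    missing = wanted - {address(r) for r in moved}
    if missing:
        raise KeyError(f"not in source state: {sorted(missing)}")
    clash = wanted & {address(r) for r in dst["resources"]}
    if clash:
        raise ValueError(f"already in destination state: {sorted(clash)}")
    src["resources"] = [r for r in src["resources"] if address(r) not in wanted]
    dst["resources"].extend(moved)
    src["serial"] += 1
    dst["serial"] += 1
    return src, dst
```

Load each pulled file with `json.load`, run `move_resources`, and `json.dump` the two results back before pushing them with `terraform state push` in the respective account.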
I am having the same issue trying to import a service managed stackset, is there a fix for this?
Having this issue as well. @cedricbastin has a great workaround, but would still be nice to not have to muck around in the actual state file for this one.
@Kraygit - I submitted a Terraform support ticket and I received this news today. Hope it brings you happiness. They have fixed this and it will be available in the v5.15.0 AWS provider; they told me it would be released in the next 24 hours.
@framirezcruz - That is great news! The update is much appreciated.
Terraform Core Version
1.3.0
AWS Provider Version
4.53.0
Affected Resource(s)
Hi,
I am trying to import a Cloudformation Stackset which has been created with DELEGATED_ADMIN permissions and, when I am running the terraform import command, I get an Error: Cannot import non-existent remote object.
This is what I've gathered about the issue:
I am trying to import the Stackset from the delegated administrator account in which it was created.
As stated in the AWS Documentation: Stack sets with service-managed permissions are created in the management account, including stack sets created by delegated administrators. This means that the stack itself is not in the delegated administrator account but in the organization management account. Even more, the ARN of the Stackset includes the account id of the organization account (arn:aws:cloudformation:::stackset/)
According to the AWS provider cloudformation_stack_set resource documentation, the id of the resource is the name of the Stackset, and since the terraform init command only accepts the id of the resource to be imported, it cannot find it in the delegated administrator account.
Is there any workaround to import a Stackset created with DELEGATED_ADMIN permissions?
I hope I have made my point clearly; please let me know otherwise.
Thanks
Expected Behavior
The stackset should have been imported
Actual Behavior
It is not being imported since the terraform import command does not find the Stackset just by name. This is due to the fact that StackSets created with SELF_MANAGED permissions are created in the organization management account and not in the delegated administrator account.
Relevant Error/Panic Output Snippet
Terraform Configuration Files
The provider.tf file looks like this:

```hcl
provider "aws" {
  region = "eu-central-1"

  assume_role {
    role_arn     = "arn:aws:iam::${var.account_id}:role/${var.iam_role}"
    session_name = "ar-region_exception_sec_services"
  }
}
```

Configure S3 backend:

```hcl
terraform {
  backend "s3" {
    bucket   = "bucket"
    key      = "app/terraform.tfstate"
    region   = "eu-central-1"
    acl      = "bucket-owner-full-control"
    role_arn = "arn:aws:iam::account_id:role/deployment_role"
  }
}
```
Steps to Reproduce
A preexisting Stackset named created with service-managed permissions on account 111111111111, which is a delegated administrator for Cloudformation. Note that the ARN of this stackset is arn:aws:cloudformation:::stackset/stackset-name.
A main.tf file with this resource:

```hcl
resource "aws_cloudformation_stack_set" "example" {
  name = "stackset-name"
}
```

Then execute:

```shell
terraform import resource.aws_cloudformation_stack_set.example stackset-name
```
Debug Output
No response
Panic Output
```
╷
│ Error: Cannot import non-existent remote object
│
│ While attempting to import an existing object to
│ "aws_cloudformation_stack_set.sec_services_deployment_stackset", the
│ provider detected that no object exists with the given id. Only
│ pre-existing objects can be imported; check that the id is correct and that
│ it is associated with the provider's configured region or endpoint, or use
│ "terraform apply" to create a new remote object for this resource.
╵
```
Important Factoids
No response
References
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html
Would you like to implement a fix?
None