pedrofenix19 commented 1 year ago

Terraform Core Version

1.3.0

AWS Provider Version

4.53.0

Affected Resource(s)

Hi,

I am trying to import a Cloudformation Stackset which has been created with DELEGATED_ADMIN permissions and, when I am running the terraform import command, I get a Error: Cannot import non-existent remote object.

This is what I've gathered about the issue:

I am trying to import the Stackset from the delegated administrator account in which it was created.

As stated in the AWS Documentation: Stack sets with service-managed permissions are created in the management account, including stack sets created by delegated administrators. This means that the stack itself is not in the delegated administrator account but in the organization management account. Even more, the ARN of the Stackset includes the account id of the organization account (arn:aws:cloudformation:::stackset/)

According to the AWS provider cloudformation_stack_set resource documentation, The id of the resource is the name of the Stackset, and since the terraform init command only accepts the id of the resource to be imported, it cannot find it in the delegated administrator account.

Is there any workaround to import a Stackset created with DELEGATED_ADMIN permissions?

I hope I had made my point clearly, please let me now otherwise.

Thanks

Expected Behavior

The stackset should have been imported

Actual Behavior

It is not being imported since the terraform import command does not find the Stackset just by name. This is due to the fact that StackSets created with SELF_MANAGED permissions are created in the organization management account and not in the delegated administrator account.

Relevant Error/Panic Output Snippet

Error: Cannot import non-existent remote object

Terraform Configuration Files

The provider.tf file looks like this

provider "aws" { region = "eu-central-1"

assume_role { role_arn = "arn:aws:iam::${var.account_id}:role/${var.iam_role}" session_name = "ar-region_exception_sec_services" } }

Configure S3 backend

terraform { backend "s3" { bucket = "bucket" key = "app/terraform.tfstate" region = "eu-central-1" acl = "bucket-owner-full-control" role_arn = "arn:aws:iam::account_id:role/deployment_role" } }

Steps to Reproduce

A preexisting Stackset named created with service-managed permissions on account 111111111111, which is a delegated administrator for Cloudformation. Note that the ARN of this stackset is arn:aws:cloudformation:::stackset/stackset-name.

A main.tf file with this resource resource "aws_cloudformation_stack_set" "example" { name = "stackset-name" }

Then execute: terraform import resource.aws_cloudformation_stack_set.example stackset-name

Debug Output

No response

Panic Output

╷ │ Error: Cannot import non-existent remote object │ │ While attempting to import an existing object to │ "aws_cloudformation_stack_set.sec_services_deployment_stackset", the │ provider detected that no object exists with the given id. Only │ pre-existing objects can be imported; check that the id is correct and that │ it is associated with the provider's configured region or endpoint, or use │ "terraform apply" to create a new remote object for this resource. ╵

Important Factoids

No response

References

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html

Would you like to implement a fix?

None

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
Please see our prioritization guide for information on how we prioritize.
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

If you are interested in working on this issue, please leave a comment.
If this would be your first contribution, please review the contribution guide.

cedricbastin commented 1 year ago

Same issue here, some more info. My aws_cloudformation_stack_set got created with permission_model = "SERVICE_MANAGED" and call_as = "DELEGATED_ADMIN"

I believe this creates an issue during the import, which can already been see with the AWS CLI.

aws cloudformation list-stack-sets
{
  "Summaries": []
}

The CLI requires the --call-as flag

aws cloudformation list-stack-sets --call-as DELEGATED_ADMIN
{
  "Summaries": [
    {
      "StackSetName": "MyStackSet",
      "StackSetId": "MyStackSetId",
      "Description": "description"
      "Status": "ACTIVE",
      "AutoDeployment": {
        "Enabled": false
      },
      "PermissionModel": "SERVICE_MANAGED",
      "DriftStatus": "NOT_CHECKED"
    }
  ]
}

I believe Terraform doesn't use the StackSet call_as flag when running the import and this cannot see the resource at all.

EDIT: I ended up manually manipulating the state file to move the CloudFormation StackSet from one account to another.

Source Account

terraform state pull > state-pull.json
# use text editor to copy resource JSON for StackSet and StackSet instance
terraform state rm aws_cloudformation_stack_set.my_stack_set
terraform state rm aws_cloudformation_stack_set_instance.my_stack_set_instance["ou-xxxx-xxxxxxxx"]

Destination Account

terraform state pull > state-pull.json
# use text editor to add the resource JSON for StackSet and StackSet instance
 terraform state push state-pull.json

Note: If you use S3 to store you state files you can copy it locally and reconfigure your terraform to test your state file before pushing it.

framirezcruz commented 1 year ago

I am having the same issue trying to import a service managed stackset, is there a fix for this?

Kraygit commented 1 year ago

Having this issue as well. @cedricbastin has a great workaround, but would still be nice to not have to muck around in the actual state file for this one.