[Bug]: Deployment options of stack sets are not respected

[JulianAWS]

Terraform Core Version

1.4.5 on darwin_arm64

AWS Provider Version

4.58.0

Affected Resource(s)

• aws_cloudformation_stack_set
• aws_cloudformation_stack_set_instance

Expected Behavior

The deployment options of the stack set are as stated in the state file / terraform code

Actual Behavior

The deployment options of the stack set remain at default after terraform apply

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_cloudformation_stack_set" "default_iam_roles" {
    administration_role_arn = "arn:aws:iam::**********:role/aws-service-role/stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgAdmin"
    arn                     = "arn:aws:cloudformation:us-east-1:*********:stackset/default-iam-roles:*********************"
    call_as                 = "SELF"
    capabilities            = [
        "CAPABILITY_IAM",
        "CAPABILITY_NAMED_IAM",
    ]
    execution_role_name     = "stacksets-exec-*********************"
    id                      = "default-iam-roles"
    name                    = "default-iam-roles"
    parameters              = {
        "pIdpUrl" = "*********************"
    }
    permission_model        = "SERVICE_MANAGED"
    stack_set_id            = "default-iam-roles:*********************"
    tags                    = {}
    template_body           = <<-EOT
       ....
    EOT

    auto_deployment {
        enabled                          = true
        retain_stacks_on_account_removal = false
    }

    operation_preferences {
        failure_tolerance_count      = 0
        failure_tolerance_percentage = 10
        max_concurrent_count         = 0
        max_concurrent_percentage    = 100
        region_order                 = []
    }
}

resource "aws_cloudformation_stack_set_instance" "default_iam_roles" {
    account_id             = "*********************"
    call_as                = "SELF"
    id                     = "default-iam-roles,*********************,<aws-region>"
    organizational_unit_id = "*********************"
    region                 = "<aws-region>"
    retain_stack           = false
    stack_id               = "arn:aws:cloudformation:<aws-region>:*********************:stack/StackSet-default-iam-roles--*********************"
    stack_set_name         = "default-iam-roles"

    deployment_targets {
        organizational_unit_ids = [
            "*********************",
        ]
    }

    operation_preferences {
        failure_tolerance_count      = 0
        failure_tolerance_percentage = 10
        max_concurrent_count         = 0
        max_concurrent_percentage    = 100
        region_concurrency_type      = "PARALLEL"
    }
}

Steps to Reproduce

terraform init terraform apply

Debug Output

Apply complete! Resources: 0 added, 2 changed, 0 destroyed.

Panic Output

No response

Important Factoids

No response

References

• 25210

• 27764

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[evantlueck]

My answer here may give some insight. I also ran into this issue: https://github.com/hashicorp/terraform-provider-aws/issues/33170#issuecomment-1780259530

[ohookins]

Not sure if it's the same issue I'm seeing, but I'm finding that service-managed stacksets continually attempt to remove the administration_role_arn parameter on the stack set. But of course, this is unnecessary if it's a service-managed stackset (as opposed to self managed).

  # module.xxxx[0].aws_cloudformation_stack_set.xxxx[0] will be updated in-place
  ~ resource "aws_cloudformation_stack_set" "xxxx" {
      - administration_role_arn = "arn:aws:iam::000000000000:role/aws-service-role/stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgAdmin" -> null
        id                      = "xxxx"
        name                    = "xxxx"
      ~ parameters              = {
          ~ "Region"               = (sensitive value)
            # (6 unchanged elements hidden)
        }
        tags                    = {}
        # (10 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

[michalz-rely]

@ohookins it's not, you can simply ignore that changes with lifecycle lifecycle { ignore_changes = [ administration_role_arn ] }

[CorinneVerheyde]

I encounter the same issue as @ohookins . @michalz-rely : why is this necessary to add a lifecycle / ignore_change on this administration_role_arn ? This will inideed fix the loop issue, but why is this happening ? Is there any other issue opened on this topic ?