Create stack set instances using a single operation on the stack set

[abelmokadem]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently there is a resource_aws_cloudformation_stack_set_instance resource. The problem with this resource is that it can only create a stack set instance in one account at a time. The next problem is that stack set can only handle one operation at a time. This means that if you need to create 5 stack set instances using the same stack set, that you will have to disable parallelism for your entire terraform project. Or add dependencies between the stack set instances. Both are not desirable, we have over 30 accounts.

The AWS API, however, supports multiple account ids when creating stack set instances. I'm a bit confused as to why this was implemented with a single account id and not multiple account ids.

New or Affected Resource(s)

Allow the use of multiple account ids with the resource_aws_cloudformation_stack_set_instance resource or create a new resource resource_aws_cloudformation_stack_set_instances.

• resource_aws_cloudformation_stack_set_instance

Potential Terraform Configuration

resource "aws_cloudformation_stack_set_instance" "backupplan_setup_stack" {
  account_ids     = ["123141241", "123124214", "35235234"]
  stack_set_name = var.aws_backupplan_setup_stack_set_name
  region         = "eu-west-1"
}

References

• Retry Cloudformation StackSet Create when the service is busy #10969

[john-bakker]

An additional idea would be to support Organizational Units as well, as this is being supported in the AWS api as well.

[jonshern]

I would be good with just the organization unit support

[arundeepkurni]

There is way, you can use "for_each" for multiple accounts

resource "aws_cloudformation_stack_set_instance" "config_instance"{
for_each = local.aws_accounts
account_id = each.value
region = "us-east-1"
stack_set_name = aws_cloudformation_stack_set.config.name
}

[justinretzolk]

Hi @abelmokadem 👋 Thank you for taking the time to file this issue! It looks like this functionality was added in the v3.62.0 release of the provider, specifically with this pull request.

Can you confirm whether this does indeed resolve the issue you were previously running into?

[iamgeef]

Suppporting multiple regions should also be included - through console and API I can add a stack instance to multiple regions, seems that the [cloudformation_stack_set_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) resource only supports a single region.

[Entr04y]

The PR doesn't appear to address the use case of deploying stack sets to multiple accounts that are not neatly grouped under an OU. OU boundaries don't always align with stack deployment needs, so it would be good to be able to specify a simple list of account ID's to deploy the stack to. The for each solution runs the stack instances serially and therefore takes a very long time to complete ( a test run with a single role across eight AWS accounts took over 13 minutes to deploy )

[Fennerr]

To follow up on @Entr04y's comment on how OU boundaries not always aligning with stack deployment needs - I would like to define a locals variable like this

locals {
  all_accounts = data.aws_organizations_organization.current_org.accounts
  excluded_accounts = ["excluded_account_id_1", "excluded_account_id_2"]
  included_accounts = [for account in local.all_accounts : account.id if !contains(local.excluded_accounts, account.id)]
}

And then deploy into the included_accounts like so:

resource "aws_cloudformation_stack_set_instance" "stack_set_instance" {
  deployment_targets {
      account_ids = local.included_accounts
    }

  region         = var.region
  stack_set_name = aws_cloudformation_stack_set.organization_stack_set.name
}

Is there any update on this?