Adding a new instance to a stackset trigger destroy and recreation of pre-existent instances

[marianoc84]

Terraform Version

Terraform version: 1.10.4
provider registry.terraform.io/hashicorp/aws v5.83.1

Terraform Configuration Files

There are two small files in this issue:

• main.tf
• stackset.yml

This is the first one main.tf:

# main.tf
# EDITABLE PARAMETERS
locals {
  name = "test-intersection-stack-set"
  root_ou_id = "<ID OF MY ROOT OU>"
  accounts_ids = [
    "<ID OF ACCOUNT A>", 
    "<ID OF ACCOUNT B>" 
]
  region = "<MY REGION>"
}

# DON'T DO ANY EDIT BELOW THIS LINE
resource "aws_cloudformation_stack_set" "terraform_state_stackset" {
  name = local.name

  template_body    = file("./stackset.yml")
  permission_model = "SERVICE_MANAGED"
  capabilities     = ["CAPABILITY_NAMED_IAM"]
  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }
}

resource "aws_cloudformation_stack_set_instance" "terraform_state_stackset_instance" {
  deployment_targets {
    organizational_unit_ids = [local.root_ou_id]
    account_filter_type     = "INTERSECTION"
    accounts                = local.accounts_ids
  }

  region         = local.region
  stack_set_name = aws_cloudformation_stack_set.terraform_state_stackset.name
}

and this is the second one stackset.yml

Resources:
  TerraformInitBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${AWS::AccountId}-${AWS::Region}-stackset-test

Debug Output

I can't post the output for internal policy.

Expected Behavior

Suppose I've deployed the stack set, and this has deployed a stackset's instance into the ACCOUNT A (i.e. inside the account A there's the bucket defined in the CloudFormation template.

Now suppose I want to add a second target for this stackset (i.e. the account B) and consider that CloudFormation template is exactly the same.

I expect that Stackset operation ignores ACCOUNT A and only deploys the S3 bucket into the new target.

Actual Behavior

Alas, the actual behaviour is different. The instance of Account A is attempting to be deleted and so the S3; but since the bucket contains a file (view the Steps to reproduce section), it can't be destroyed and here is where everything falls apart.

Error: waiting for CloudFormation StackSet Instance (test-intersection-stack-set,,) delete: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: Account (), Region (), FAILED: ResourceLogicalId:TerraformInitBucket, ResourceType:AWS::S3::Bucket, ResourceStatusReason:Resource handler returned message: "The bucket you tried to delete is not empty (Service: S3, Status Code: 409, Request ID: 56E...NGK, Extended Request ID: kdmOclPVRZdHa...kCEc=)" (RequestToken: bc2c5XXXX757f1f9, HandlerErrorCode: GeneralServiceException).

Steps to Reproduce

To reproduce this behaviour you need:

• the id of an organizational unit (OU);
• a management account in which to deploy the stackset;
• two accounts, part of the above organization, in which you want to target the stack set instances;

Once you have this information, you have to proceed in three stages.

Stage 1

Deploy the stack set and its first instance. To do this, you have to fill in these local parameters in your main.tf:

  root_ou_id = "<ID OF MY ROOT OU>"
  accounts_ids = [
    "<ID OF ACCOUNT A>", 
    # "<ID OF ACCOUNT B>" 
]
  region = "<MY REGION>"

It is important to notice that we are only targeting ACCOUNT A (ACCOUNT B, as you can see, is commented out).
At this point, you can run:

terraform init
terraform plan -out=tfplan
terraform apply tfplan

Stage 2

Go into ACCOUNT A, search for the newly created bucket and upload a random file in it.

Stage 3

Uncomment ACCOUNT B from your locals, so your main.tf will look like this:

  root_ou_id = "<ID OF MY ROOT OU>"
  accounts_ids = [
    "<ID OF ACCOUNT A>", 
    "<ID OF ACCOUNT B>" 
]
  region = "<MY REGION>"

then

terraform plan -out=tfplan
terraform apply tfplan

and the error should appear.

Additional Context

I have tried the same steps using the Cloudformation console and this problem never arose, so I thought it could be a bug somewhere.

References

No response

Generative AI / LLM assisted development?

No response

[crw]

Hello @marianoc84, this appears to be an issue or question with the AWS provider, not with Terraform itself. You can see existing issues and file a new one in their repository here: https://github.com/terraform-providers/terraform-provider-aws/issues. If you have questions about Terraform or the AWS provider, it's better to use the community forum where there are more people ready to help. The GitHub issues here are monitored only by a few core maintainers. Thanks!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.