Allow CodePipeline to deploy SERVICE_MANAGED StackSets in non-root accounts via Delegated Administrator #796

Open
farrantch opened this issue Mar 1, 2021 · 19 comments
Labels
enhancement New feature or request

Comments

@farrantch

farrantch commented Mar 1, 2021

Allow CodePipeline to deploy SERVICE_MANAGED StackSets in non-root accounts via Delegated Administrator

Scope of request

CloudFormation recently added support to deploy StackSets via Delegated Administrator. However, when deploying via CodePipeline, the following error is given (despite having already delegated access):

An API call to CloudFormation.CreateStackSet returned a ValidationError error: You must be the master or delegated admin account of an organization before operating a SERVICE_MANAGED stack set

This prevents us from managing our organization's StackSets from a non-root account.

Expected behavior

CodePipeline is successfully able to deploy a SERVICE_MANAGED StackSet from a non-root account.

Helpful Links

CodePipeline StackSet deployment documentation: https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-StackSets.html#action-reference-StackSet

CloudFormation Delegated Administrator announcement: https://aws.amazon.com/blogs/mt/cloudformation-stacksets-delegated-administration/

Categories

Management - CloudFormation StackSets
Developer Tools - CodePipeline

@farrantch farrantch changed the title Allow CodePipeline to deploy SERVICE_MANAGED StackSets in non-root account via Delegated Administrator Allow CodePipeline to deploy SERVICE_MANAGED StackSets in non-root accounts via Delegated Administrator Mar 1, 2021
@jfoy

jfoy commented Apr 13, 2021

Maybe related to #799

@PCIS-Paul

Has anyone verified if #799 being implemented has also enabled this functionality?

@cdsnaps

cdsnaps commented Jun 9, 2021

This one needs to be re-opened, as #799 did not address the issue.

@laurentleonard

Our organization is more than interested in this functionality. We are managing more than 500 accounts and we have to deploy different resources in different OUs. And we do not want to automate that work directly in the organization account.

@dannyburke1

dannyburke1 commented Jun 17, 2021

I got around this with:

    stackSetName: `cdkCodeBuildTest`,
    permissionModel: 'SERVICE_MANAGED',
    callAs: 'DELEGATED_ADMIN',

Also bumping the permissions of the execution role running this stack in.

@PCIS-Paul

@dannyburke1 are you saying the CallAs configuration parameter is accepted in the CodePipeline CloudFormation StackSet deploy action type? It is not in the docs.
Or are you referring to the CallAs attribute added to the StackSet CloudFormation resource, which was the resolution of #799?

@dannyburke1

@PCIS-Paul it's the CDK CloudFormation StackSet resource. I don't think you can use the action type in CDK yet.

@afllanos

Hi, at our company we are interested in this issue. Please provide support in CodePipeline for StackSet execution in delegated administration accounts.

@brianterry brianterry added the enhancement New feature or request label Jun 21, 2021
@bpal410

bpal410 commented Nov 16, 2021

Very interested in status of this. Would like to set up pipelines to push StackSets to OUs without developing in root/org account.

@akshay0808

Any updates on this issue? Showstopper for us

@niklas-palm

Is this being worked on at the moment?

@cmaxwellau

cmaxwellau commented Oct 30, 2022

BUMP! Any update @brianterry? My workaround is to wrap the StackSet definition in a CloudFormation template and then use the CloudFormation deploy action instead.
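The wrapper-template workaround described in the comment above, combined with the `CallAs: DELEGATED_ADMIN` setting quoted earlier in the thread, sketched as an added example (not code posted by any participant or by AWS). The stack set name, the parameters, the OU placeholder and the inner bucket template are assumptions made for illustration.

```yaml
# Added example, not from the thread. Deploy this as an ordinary stack (for
# instance with CodePipeline's CloudFormation deploy action) in the account
# registered as delegated administrator for CloudFormation StackSets.
AWSTemplateFormatVersion: '2010-09-09'
Description: Wrapper stack that owns a SERVICE_MANAGED StackSet (constructed example)

Parameters:
  TargetOuId:
    Type: String
    Description: Organizational unit to deploy into (placeholder, e.g. ou-xxxx-xxxxxxxx)
  TargetRegion:
    Type: String
    Default: us-east-1

Resources:
  BaselineStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: example-baseline        # hypothetical name
      Description: Baseline resources for member accounts
      PermissionModel: SERVICE_MANAGED
      CallAs: DELEGATED_ADMIN               # the setting quoted earlier in the thread
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
      OperationPreferences:
        FailureToleranceCount: 0            # stop on the first failed account
        MaxConcurrentCount: 1
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref TargetOuId
          Regions:
            - !Ref TargetRegion
      # Inner template rolled out to every account in the target OU (constructed).
      TemplateBody: |
        AWSTemplateFormatVersion: '2010-09-09'
        Resources:
          LogBucket:
            Type: AWS::S3::Bucket
            Properties:
              PublicAccessBlockConfiguration:
                BlockPublicAcls: true
                BlockPublicPolicy: true
                IgnorePublicAcls: true
                RestrictPublicBuckets: true
```

The role that creates this wrapper stack needs permission for the StackSet operations themselves, which lines up with the execution-role change mentioned in the earlier comment.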

@ronan-cunningham

PLEASE, PLEASE, PLEASE fix this issue.

@nojokebucko

It's frustrating that this issue is still not fixed. It's been two years.

@bsnyder74

I am experiencing this issue as well. Requiring customers to deploy stack sets via Code Pipeline from the management account is poor form, and does not follow a well-architected solution in my opinion. As the last person mentioned, this is still an issue and it has now been almost 2.5 years. I even opened a new support case today to discuss this issue.
At this point, can we get any commitment that this critical item will be prioritized and resolved soon?

@ronan-cunningham

Still no update on this?

@mdgm88

mdgm88 commented Apr 29, 2024

Any update on this? Needing to get the pipeline to deploy a CF stack which then deploys the StackSets shouldn't be necessary, and it's bad practice to deploy more than necessary directly in the organisation account.

@niklodeb

Anyone working on this? It's essentially unusable without this feature. There is no way we're deploying anything using the management account. Also, please change the label. This is not an enhancement, it's a missing feature.

@ronan-cunningham

?
