Terraform-provider-aws: Support StackSet instances for StackSets that use the SERVICE_MANAGED permission model

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

If/when the aws_cloudformation_stack_set resource supports SERVICE_MANAGED permissions (tracked by #12422), the aws_cloudformation_stack_set_instance should support targeting organizational units so that it can be used to provision resources across an AWS Organization.

Currently, the resource identifies itself so that it is particular to the 3-tuple of a StackSet, account, and region. This means one instance of the resource can't be used to manage StackSet instances across multiple regions or organizations dynamically (and I'm not sure if it really should). But in any case, this design makes it incompatible when targeting organizational units (which is required when referring to a StackSet that is using a SERVICE_MANAGED permission model).

New or Affected Resource(s)

• aws_cloudformation_stack_set_instance

Potential Terraform Configuration

resource "aws_cloudformation_stack_set_instance" "organization_accept-guardduty" {
  provider = aws.us-east-1

  organizational_unit_ids = [aws_organizations_organization.this.roots.0.id]
  regions                 = ["us-east-1", "us-east-2"]
  stack_set_name          = aws_cloudformation_stack_set.accept_guardduty.name
}

References