Include Organizational unit IDs in cloudformation describe-stack-set #8248

Closed
2 tasks
jduchon-sonarsource opened this issue Oct 18, 2023 · 3 comments
Labels: cloudformation, feature-request (A feature should be added or improved.), service-api (This issue is due to a problem in a service API, not the SDK implementation.)


jduchon-sonarsource commented Oct 18, 2023

Describe the feature

The output of the describe-stack-set could include a list of OU IDs used as deployment targets.

Use Case

I'm trying to automate the deletion of temporary (dev) stack set instances and stack sets deployed with SERVICE_MANAGED permissions in an AWS Organizations.

My initial approach was to specify --deployment-targets with Accounts:${account_ids} like this

```bash
# Collect the account ID of every stack instance in the stack set
account_ids=$(aws cloudformation list-stack-instances --stack-set-name "$stackset_name" --query "Summaries[*].Account" --output text --region "${aws_region}")
account_ids=$(echo $account_ids | tr ' ' ',') # Transform to a comma-delimited list

echo "The delete-stack-instances call executed for the stackset $stackset_name"
# Fails for SERVICE_MANAGED stack sets: Accounts is not accepted as the deployment target
aws cloudformation delete-stack-instances --stack-set-name "$stackset_name" --deployment-targets Accounts="${account_ids}" --regions "${aws_region}" --no-retain-stacks --region "${aws_region}"
```

but this throws the following error:

An error occurred (ValidationError) when calling the DeleteStackInstances operation: StackSets with SERVICE_MANAGED permission model can only have OrganizationalUnit as target

From the error message, I understood that the only way to delete stack instances deployed with SERVICE_MANAGED model is to specify OU IDs. With the --deployment-targets OrganizationalUnitIds=${ou_ids}, one must use the exact OU IDs used as deployment targets (instead of e.g., simply specifying the root OU ID).

It would be very helpful to get the list of OUs used as deployment targets in the output of the describe-stack-set command.

Proposed Solution

```bash
target_ou_ids=$(aws cloudformation list-stack-instances --stack-set-name $stackset_name --query "Summaries[*].TargetOrganizationalUnitIds" --output text --region ${aws_region})
```

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CLI version used

aws-cli/2.13.5

Environment details (OS name and version, etc.)

Ubuntu 20, Python 3.11

jduchon-sonarsource added the feature-request and needs-triage labels Oct 18, 2023
tim-finnigan self-assigned this Oct 19, 2023

tim-finnigan (Contributor) commented

Hi @jduchon-virtuability thanks for reaching out. The describe-stack-set command corresponds to the CloudFormation DescribeStackSet (and DeploymentTargets) APIs. Therefore requests to update the API behavior should go to the CloudFormation team. (If you have a support plan we recommend submitting requests like this one through AWS Support, otherwise we can forward them on your behalf.)

I saw OrganizationalUnitIds referenced here in the command documentation:

[image]

Could you elaborate more on your use case and how it is not supported with the current behavior?

tim-finnigan added the cloudformation and service-api labels and removed the needs-triage label Oct 19, 2023

jduchon-sonarsource (Author) commented

Hello @tim-finnigan, thanks for the prompt answer. I don't know how I overlooked the OrganizationalUnitIds in the describe-stack-set documentation page. That's exactly what I need. I assumed it's not available and that's why I opened the issue. I'm closing the issue. Thanks again.
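
The approach this thread settles on, as an added example (not code from the issue or from the AWS CLI project): read `StackSet.OrganizationalUnitIds` from `describe-stack-set`, validate each ID, and pass the result to `delete-stack-instances`. The function names are hypothetical, and the ID patterns assumed are the ones AWS Organizations documents for OU and root IDs.

```bash
#!/bin/sh
# Added example: delete the instances of a SERVICE_MANAGED stack set using the
# OU IDs that describe-stack-set reports. Function names are hypothetical.

# Print the stack set's deployment-target OU IDs, one per line.
stackset_ou_ids() {  # args: stackset_name region
  aws cloudformation describe-stack-set --stack-set-name "$1" --region "$2" \
    --query "StackSet.OrganizationalUnitIds" --output text | tr -s '[:space:]' '\n'
}

# Succeed only for a well-formed OU ID (ou-xxxx-yyyyyyyy) or root ID (r-xxxx).
# Anything else (including "None", which text output prints for a missing
# field, e.g. on a SELF_MANAGED stack set) is rejected before the delete call.
valid_ou_id() {
  printf '%s\n' "$1" |
    grep -Eq '^(ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}|r-[0-9a-z]{4,32})$'
}

# Validate every ID on stdin and join them into the shorthand
# OrganizationalUnitIds=id1,id2 form that --deployment-targets accepts.
build_ou_target() {
  local id joined=""
  while IFS= read -r id; do
    [ -z "$id" ] && continue
    valid_ou_id "$id" || { echo "unexpected OU ID: $id" >&2; return 1; }
    joined="${joined:+$joined,}$id"
  done
  [ -n "$joined" ] || { echo "no OU IDs found" >&2; return 1; }
  printf 'OrganizationalUnitIds=%s\n' "$joined"
}

# Delete all stack instances of the stack set in one region.
delete_stackset_instances() {  # args: stackset_name region
  local name="$1" region="$2" target
  target=$(stackset_ou_ids "$name" "$region" | build_ou_target) || return 1
  aws cloudformation delete-stack-instances --stack-set-name "$name" \
    --deployment-targets "$target" --regions "$region" \
    --no-retain-stacks --region "$region"
}

# Usage: delete_stackset_instances "$stackset_name" "$aws_region"
```
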
