[Bug]: Add additional configuration parameters to resource:aws_cloudformation_stack_set_instance

[hhughes0]

Terraform Core Version

v1.2.9

AWS Provider Version

v4.31.0

Affected Resource(s)

aws_cloudformation_stack_set_instance

Expected Behavior

When creating an aws_cloudformation_stack_set_instance resource, I expect to be able to specify the AccountId parameter, whilst using the permission_model = "SERVICE_MANAGED".

Actual Behavior

When trying to deploy an aws_cloudformation_stack_set_instance resource, you are able to specify organizational_unit_ids as part of the deployment_targets configuration. However, you are not able to provide additional configuration items such as:

• AccountFilterType
• Or a combination of Organisational unit AND Account Id

The above are supported via cloudformation as per: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudformation/create-stack-instances.html

When specifying only AccountId and using the SERVICE_MANAGED permission model, the terraform apply fails. The error message is also misleading as it is possible to target account ids AND use a SERVICE_MANAGED permission model. However the syntax for doing this requires the configuration items listed above.

Relevant Error/Panic Output Snippet

Error: error waiting for CloudFormation StackSet Instance () creation: error creating CloudFormation StackSet (iam-roles) Instance: ValidationError: StackSets with SERVICE_MANAGED permission model can only have OrganizationalUnit as target

### Terraform Configuration Files

resource "aws_cloudformation_stack_set" "iam-roles" {
  name                    = "iam-roles"
  capabilities = [
    "CAPABILITY_NAMED_IAM"
  ]
  permission_model = "SERVICE_MANAGED"
  
  auto_deployment {
    enabled = true
    retain_stacks_on_account_removal = false
  }
  
  operation_preferences {
    failure_tolerance_count = 1
  }
  
  template_url = var.TemplateUrl
}

resource "aws_cloudformation_stack_set_instance" "iam-roles-instance" {
  account_id     = var.AccountId
  region         = var.Region
  stack_set_name = var.StackSetName
  parameter_overrides = {
    "MonitoringId" = var.Monitoringid
  }
}

### Steps to Reproduce

terraform init
terraform plan
terraform apply

### Debug Output

_No response_

### Panic Output

_No response_

### Important Factoids

_No response_

### References

_No response_

### Would you like to implement a fix?

_No response_

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[soumyadipDe]

Following

[ewbankkit]

Closed via #37898.

[github-actions]

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.