Deleting Cloudformation Stackset doesn't work because it can't be found #353

Closed
pierskarsenbarg opened this issue Feb 9, 2022 · 4 comments
Labels
customer/feedback Feedback from customers kind/bug Some behavior is incorrect or out of spec resolution/fixed This issue was fixed

@pierskarsenbarg
Member

Hello!

  • Vote on this issue by adding a 👍 reaction
  • To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already)

Issue details

Resource can't be found when running an update or deletion

From support ticket:

I am using the AWS Native Provider (0.11.0) from the CloudFormation delegate administrator account to create a StackSet that uses SERVICE_MANAGED permissions. The initial creation of the StackSet succeeds; however, updates and deletes fail to locate the StackSet that was created.

My strong suspicion is that the call_as is not being sent on the subsequent operations, resulting in the failure to locate the StackSet upon which to operate. When viewing the StackSet resource on the Pulumi App, all the other properties I set are present but not call_as.

Logs:

I0209 09:23:28.553237   49107 provider_plugin.go:1533] provider received rpc error `Unknown`: `operation DELETE failed with "GeneralServiceException": StackSet GitHubActionsOIDC:97076830-f550-4b45-a4fe-474650bd480d not found (Service: CloudFormation, Status Code: 404, Request ID: b94740bb-3507-457f-b900-e0faf0228647, Extended Request ID: null)`

Steps to reproduce

Following code works:

import typing

import pulumi
import pulumi_aws_native as aws

_CFN_TEMPLATE = """
AWSTemplateFormatVersion: 2010-09-09
Description: Stack Set to be applied once per AWS account, not per region

Resources:
  GitHubActionsOIDCProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      ClientIdList:
        - sts.amazonaws.com
      ThumbprintList:
        - a031c46782e6e6c662c2c87c76da9aa62ccabd8e
      Url: https://token.actions.githubusercontent.com
"""

template_body = _CFN_TEMPLATE
stack_set = aws.cloudformation.StackSet(
    "gha",
    aws.cloudformation.StackSetArgs(
        stack_set_name="ghaoidc",
        description="GHA",
        permission_model=aws.cloudformation.StackSetPermissionModel.SERVICE_MANAGED,
        call_as=aws.cloudformation.StackSetCallAs.DELEGATED_ADMIN,
        auto_deployment=aws.cloudformation.StackSetAutoDeploymentArgs(enabled=False),
        stack_instances_group=[
            aws.cloudformation.StackSetStackInstancesArgs(
                deployment_targets=aws.cloudformation.StackSetDeploymentTargetsArgs(
                    organizational_unit_ids=["org-id"]
                ),
                regions=["us-east-1"],
            )
        ],
        template_body=template_body,
    ),
)

Once the resource has been deployed, try to delete it, but it shouldn't work.

Expected: Resource is destroyed
Actual: Error saying that the resource can't be found

@pierskarsenbarg pierskarsenbarg added the kind/bug Some behavior is incorrect or out of spec label Feb 9, 2022
@pierskarsenbarg pierskarsenbarg changed the title from "Deleting Cloudformation Stackset doesn't work because" to "Deleting Cloudformation Stackset doesn't work because it can't be found" Feb 9, 2022
@danielrbradley danielrbradley added the needs-triage Needs attention from the triage team label Feb 21, 2022
@pierskarsenbarg
Member Author

Looking at the logs that have been generated, one of the lines that sticks out is this one:

I0209 09:23:26.556226 49107 rpc.go:74] Marshaling property for RPC[Provider[aws-native, 0x140016ba060].Delete(urn:pulumi:global::aws-controller::rstudio:controller/GitHubActionsOIDC:GitHubActionsOIDC$aws-native:cloudformation:StackSet::gha-oidc-ss,GitHubActionsOIDC:97076830-f550-4b45-a4fe-474650bd480d)]: callAs={}

It looks like the callAs value isn't being set properly before being sent to AWS.

@viveklak viveklak removed the needs-triage Needs attention from the triage team label Feb 28, 2022
@viveklak viveklak self-assigned this Feb 28, 2022
@jspiewak

jspiewak commented Mar 9, 2022

FWIW, this issue also occurs when updating the StackSet, e.g. altering the template body.

@jspiewak

Any update on this issue? If the underlying problem is with AWS Cloud Control, is there a place I can track their progress on addressing this?

@mikhailshilkov mikhailshilkov added the customer/feedback Feedback from customers label Feb 8, 2023
@mjeffryes
Member

I believe this bug is fixed by #1395. The "CallAs" parameter is a "Write-only property" that needs to be resent with all updates, but prior to the above change, this provider was only including modified properties in the PATCH, so write-only properties like CallAs were often not resent, resulting in update failure.

@mjeffryes mjeffryes added the resolution/fixed This issue was fixed label Mar 8, 2024
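
The update failure described in the last comment can be reproduced in miniature. The following is an added example, not code from the provider or from #1395: it builds a JSON Patch (RFC 6902) document from old and new resource inputs, once with only modified properties and once with write-only properties re-sent. The function names, the `WRITE_ONLY` set and the sample inputs are assumptions made for illustration.

```python
import json

# Assumption for this sketch: in a real provider the write-only set would come
# from the resource type's schema. The issue names CallAs as one such property.
WRITE_ONLY = frozenset({"CallAs"})


def build_patch(old, new, write_only=WRITE_ONLY, resend_write_only=True):
    """Return RFC 6902 operations that turn `old` inputs into `new` inputs.

    resend_write_only=False emits only changed properties (the behaviour the
    issue describes before the fix). With True, every write-only property
    present in `new` is sent again even when its value is unchanged.
    Top-level property names are assumed to need no JSON Pointer escaping.
    """
    ops = []
    for key in sorted(set(old) | set(new)):
        path = "/" + key
        if key not in new:
            ops.append({"op": "remove", "path": path})
        elif key not in old:
            ops.append({"op": "add", "path": path, "value": new[key]})
        elif old[key] != new[key]:
            ops.append({"op": "replace", "path": path, "value": new[key]})
        elif resend_write_only and key in write_only:
            # Unchanged locally, but the service cannot read it back, so the
            # request must carry it again. "add" on an existing member replaces it.
            ops.append({"op": "add", "path": path, "value": new[key]})
    return ops


def patched_properties(ops):
    """Names of the top-level properties a patch document touches."""
    return {op["path"].lstrip("/") for op in ops}


# Constructed sample inputs: only the template body changes between deployments.
OLD = {"StackSetName": "ghaoidc", "PermissionModel": "SERVICE_MANAGED",
       "CallAs": "DELEGATED_ADMIN", "TemplateBody": "template v1"}
NEW = dict(OLD, TemplateBody="template v2")

if __name__ == "__main__":
    for resend in (False, True):
        patch = build_patch(OLD, NEW, resend_write_only=resend)
        print("resend_write_only=%s: %s" % (resend, json.dumps(patch)))
```

With `resend_write_only=False` the patch touches only `TemplateBody`, so the request carries no `CallAs`, which matches the symptom reported for updates from the delegated administrator account.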