AWS::CloudFormation::StackSet does not support AccountFilterType of UNION

Question

AWS::CloudFormation::StackSet does not support AccountFilterType of UNION

Opened this issue 2 years ago · 2 comments

When defining an AWS::CloudFormation::StackSet resource with a PermissionModel of SERVICE_MANAGED and the following StackInstancesGroup:

        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref OrganizationRoot
          Regions:
            - us-east-1

everything works as expected - stack instances are created in every account within the specified OU. Now if I want to include other accounts, as described here, I update that to the following lines:

        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref OrganizationRoot
            AccountFilterType: UNION
            Accounts:
              - !Ref AWS::AccountId
          Regions:
            - us-east-1

But that throws an error that UNION is not a valid AccountFilterType, even though there's documentation (and raw API calls) supporting otherwise

Answer 1 · 2024-01-16T20:20:49.000Z

We seem to be getting a very similar error to this with SERVICE_MANAGED - we set accountFilterType in cdk to UNION, when it deploys with any value with the Cloudformation where we include both Accounts and OrganizationUnits, we get the error :

Resource handler returned message: "Invalid request provided: AccountFilterType should be specified when both OrganizationalUnitIds and Accounts are provided" even though it exists in our template or should default to Union - AccountFilterType with UNION does not seem to be working properly

Answer 2 · 2024-05-23T19:56:19.000Z

I am getting this on one org, but not another. Really strange.