### Terraform Version

```shell
Terraform version: 1.10.4
provider registry.terraform.io/hashicorp/aws v5.83.1
```

### Terraform Configuration Files

There are two small files in this issue:

- main.tf
- stackset.yml

This is the first one, `main.tf`:

```hcl
# main.tf

# EDITABLE PARAMETERS
locals {
  name         = "test-intersection-stack-set"
  root_ou_id   = ""
  accounts_ids = [
    "",
    ""
  ]
  region = ""
}

# DON'T DO ANY EDIT BELOW THIS LINE
resource "aws_cloudformation_stack_set" "terraform_state_stackset" {
  name             = local.name
  template_body    = file("./stackset.yml")
  permission_model = "SERVICE_MANAGED"
  capabilities     = ["CAPABILITY_NAMED_IAM"]

  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }
}

resource "aws_cloudformation_stack_set_instance" "terraform_state_stackset_instance" {
  deployment_targets {
    organizational_unit_ids = [local.root_ou_id]
    account_filter_type     = "INTERSECTION"
    accounts                = local.accounts_ids
  }

  region         = local.region
  stack_set_name = aws_cloudformation_stack_set.terraform_state_stackset.name
}
```

and this is the second one, `stackset.yml`:

```yaml
Resources:
  TerraformInitBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${AWS::AccountId}-${AWS::Region}-stackset-test
```

### Debug Output

I can't post the output for internal policy.

### Expected Behavior

Suppose I've deployed the stack set, and this has deployed a stack set instance into ACCOUNT A (i.e. inside account A there's the bucket defined in the CloudFormation template). Now suppose I want to add a second target for this stack set (i.e. account B), and consider that the CloudFormation template is exactly the same. I expect that the stack set operation ignores ACCOUNT A and only deploys the S3 bucket into the new target.

### Actual Behavior

Alas, the actual behaviour is different. The instance in Account A is attempting to be deleted, and so is the S3 bucket; but since the bucket contains a file (see the Steps to Reproduce section), it can't be destroyed, and here is where everything falls apart.

> Error: waiting for CloudFormation StackSet Instance (test-intersection-stack-set,,) delete: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: Account (), Region (), FAILED: ResourceLogicalId:TerraformInitBucket, ResourceType:AWS::S3::Bucket, ResourceStatusReason:Resource handler returned message: "The bucket you tried to delete is not empty (Service: S3, Status Code: 409, Request ID: 56E...NGK, Extended Request ID: kdmOclPVRZdHa...kCEc=)" (RequestToken: bc2c5XXXX757f1f9, HandlerErrorCode: GeneralServiceException).

### Steps to Reproduce

To reproduce this behaviour you need:

- the id of an organizational unit (OU);
- a management account in which to deploy the stack set;
- two accounts, part of the above organization, in which you want to target the stack set instances.

Once you have this information, you have to proceed in three stages.

### Stage 1

Deploy the stack set and its first instance. To do this, you have to fill in these local parameters in your main.tf:

```hcl
root_ou_id   = ""
accounts_ids = [
  "",
  # ""
]
region = ""
```

It is important to notice that we are only targeting ACCOUNT A (ACCOUNT B, as you can see, is commented out). At this point, you can run:

```shell
terraform init
terraform plan -out=tfplan
terraform apply tfplan
```

### Stage 2

Go into ACCOUNT A, search for the newly created bucket and upload a random file into it.

### Stage 3

Uncomment ACCOUNT B in your locals, so your main.tf will look like this:

```hcl
root_ou_id   = ""
accounts_ids = [
  "",
  ""
]
region = ""
```

then

```shell
terraform plan -out=tfplan
terraform apply tfplan
```

and the error should appear.

### Additional Context

I have tried the same steps using the CloudFormation console and this problem never arose, so I thought it could be a bug somewhere.

### References

_No response_

### Generative AI / LLM assisted development?

_No response_
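A pre-apply guard against exactly this failure mode, added here as an example and not part of the issue, the reporter's configuration or the AWS provider: it reads the JSON that `terraform show -json tfplan` produces and refuses any plan in which a stack set or stack set instance is scheduled for deletion or replacement, because deleting an instance deletes every stack (and so every S3 bucket) it manages. The embedded plan is constructed to mirror the resource addresses in the reporter's main.tf; the account IDs are placeholders and the `action_reason` value is an assumption about what Terraform would emit for this change. Terraform's real plan JSON encodes a replacement as the action list `["delete", "create"]` (or `["create", "delete"]`), which is what the check keys on.

```python
"""Pre-apply guard: refuse a Terraform plan that would delete or replace a
CloudFormation StackSet or StackSet instance.

Usage:  terraform plan -out=tfplan
        terraform show -json tfplan > plan.json
        python stackset_guard.py plan.json      # exit 1 if a deletion is planned
Run with no argument to evaluate the constructed SAMPLE_PLAN below.
"""
import json
import sys

# Resource types whose deletion tears down stacks in member accounts.
GUARDED_TYPES = {
    "aws_cloudformation_stack_set",
    "aws_cloudformation_stack_set_instance",
}


def destructive_changes(plan, guarded_types=GUARDED_TYPES):
    """Return [(address, actions, reason)] for guarded resources whose planned
    actions include "delete". A plain update is ["update"]; a replacement is
    ["delete", "create"] or ["create", "delete"]; both of the latter match."""
    hits = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in guarded_types:
            continue
        actions = rc.get("change", {}).get("actions", [])
        if "delete" in actions:
            hits.append((rc["address"], actions, rc.get("action_reason", "unknown")))
    return hits


def check_plan_text(plan_json_text):
    """Parse `terraform show -json` output and return the destructive hits."""
    return destructive_changes(json.loads(plan_json_text))


# Constructed sample: what Stage 3 of the issue would look like if the
# deployment_targets change forces replacement of the instance. The account
# IDs are placeholders, not real accounts.
SAMPLE_PLAN = r'''{
  "format_version": "1.2",
  "resource_changes": [
    {
      "address": "aws_cloudformation_stack_set.terraform_state_stackset",
      "type": "aws_cloudformation_stack_set",
      "change": {"actions": ["no-op"]}
    },
    {
      "address": "aws_cloudformation_stack_set_instance.terraform_state_stackset_instance",
      "type": "aws_cloudformation_stack_set_instance",
      "action_reason": "replace_because_cannot_update",
      "change": {
        "actions": ["delete", "create"],
        "before": {"deployment_targets": [{"account_filter_type": "INTERSECTION",
                                           "accounts": ["111111111111"]}]},
        "after":  {"deployment_targets": [{"account_filter_type": "INTERSECTION",
                                           "accounts": ["111111111111", "222222222222"]}]}
      }
    }
  ]
}'''


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN
    hits = check_plan_text(text)
    for address, actions, reason in hits:
        print(f"BLOCKED {address}: actions={actions} reason={reason}")
    if hits:
        print("Refusing to apply: the plan deletes stack set resources, which "
              "deletes the stacks (and buckets) they manage in member accounts.")
        return 1
    print("OK: no destructive change to stack set resources")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The guard matters beyond the reporter's case: the bucket in Account A survived only because it held an object. Had it been empty, the delete would have succeeded and the apply would have torn the bucket down and recreated it with no error at all. Wiring this check into the pipeline between `plan` and `apply`, or putting `lifecycle { prevent_destroy = true }` on the instance resource and `DeletionPolicy: Retain` on the bucket in the template, turns a silent teardown into a blocked plan.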