Name of the resource
AWS::CloudFormation::StackSet
Resource name
No response
Description
When using AWS CloudFormation StackSets with service-managed permissions and automatic deployment enabled, moving accounts between organizational units (OUs) triggers both DELETE operations in the source OU and CREATE operations in the destination OU. In some edge cases (for example, moving the same account quickly from the destination OU back to the source OU), these operations run concurrently, and the CREATE operations fail when the same-named IAM roles or other resources are deployed by multiple StackSets: CREATE reports "already exists" errors because the DELETE operations triggered by leaving the previous OU have not completed yet.
Other Details
Current Workaround:
Users have to use a time-consuming two-step process. They first move accounts to a temporary "staging" OU and wait for all the DELETE operations to finish. Only then can they move these accounts to their actual target OU to trigger the CREATE operations. This workaround is especially frustrating when moving multiple accounts at once, as it adds unnecessary steps and management overhead to what should be a straightforward process.
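The staged move described above, as an added example that is not part of the original issue report: a boto3 script that moves the account into the staging OU, polls each auto-deploying StackSet until it has no operation in flight and no stack instance left for that account, and only then moves the account on to the target OU. The account id, OU ids and StackSet names are placeholders, and CallAs is assumed to be "SELF" (management account) or "DELEGATED_ADMIN" depending on where it runs.

```python
"""Staged OU move for an account covered by auto-deploying StackSets.

Added example, not part of the original issue report. Assumes the caller
runs in the management account (CallAs="SELF") or as a delegated admin
(CallAs="DELEGATED_ADMIN"), and that the staging OU is not a deployment
target of any StackSet, so leaving the source OU only triggers DELETEs.
"""
import time

try:
    import boto3  # only required by the live helpers at the bottom
except ImportError:  # keeps the pure checks importable without the SDK
    boto3 = None

# StackSet operation statuses that mean work is still in flight.
IN_FLIGHT = {"QUEUED", "RUNNING", "STOPPING"}


def pending_operations(op_summaries):
    """Operation IDs from ListStackSetOperations summaries that have not finished."""
    return [op["OperationId"] for op in op_summaries
            if op.get("Status") in IN_FLIGHT]


def instances_for_account(instance_summaries, account_id):
    """Stack instance summaries (ListStackInstances) still owned by the account."""
    return [s for s in instance_summaries if s.get("Account") == account_id]


def deletes_settled(op_summaries, instance_summaries, account_id):
    """True once no operation is running and the account has no instance left.

    Both conditions matter: right after the OU move the DELETE may not have
    been queued yet (instance present, nothing running), and while it runs
    the instance is still listed (instance present, operation running).
    """
    return (not pending_operations(op_summaries)
            and not instances_for_account(instance_summaries, account_id))


def _summaries(cfn, method, **kwargs):
    """Collect every page of Summaries for a paginated CloudFormation call."""
    pages = cfn.get_paginator(method).paginate(**kwargs)
    return [s for page in pages for s in page.get("Summaries", [])]


def wait_for_deletes(cfn, stack_set_names, account_id, call_as="SELF",
                     timeout=1800, interval=30):
    """Block until every listed StackSet has removed its instance for the account."""
    deadline = time.monotonic() + timeout
    while True:
        unsettled = []
        for name in stack_set_names:
            ops = _summaries(cfn, "list_stack_set_operations",
                             StackSetName=name, CallAs=call_as)
            inst = _summaries(cfn, "list_stack_instances", StackSetName=name,
                              StackInstanceAccount=account_id, CallAs=call_as)
            if not deletes_settled(ops, inst, account_id):
                unsettled.append(name)
        if not unsettled:
            return
        if time.monotonic() > deadline:
            raise TimeoutError(f"DELETE still pending in StackSets: {unsettled}")
        time.sleep(interval)


def move_account_staged(orgs, cfn, account_id, source_ou, staging_ou, target_ou,
                        stack_set_names, call_as="SELF"):
    """The two-step move: source -> staging, wait for DELETEs, staging -> target."""
    orgs.move_account(AccountId=account_id, SourceParentId=source_ou,
                      DestinationParentId=staging_ou)
    wait_for_deletes(cfn, stack_set_names, account_id, call_as)
    orgs.move_account(AccountId=account_id, SourceParentId=staging_ou,
                      DestinationParentId=target_ou)


if __name__ == "__main__":
    # Constructed sample API responses showing the three states the poller sees.
    acct = "111111111111"  # placeholder account id
    running = [{"OperationId": "op-1", "Status": "RUNNING", "Action": "DELETE"}]
    inst = [{"Account": acct, "Region": "us-east-1", "Status": "CURRENT"}]
    print(deletes_settled([], inst, acct))       # False: DELETE not queued yet
    print(deletes_settled(running, inst, acct))  # False: DELETE in progress
    print(deletes_settled([], [], acct))         # True: safe to move on
    # Live use (needs credentials; OU ids and StackSet name are placeholders):
    # move_account_staged(boto3.client("organizations"),
    #                     boto3.client("cloudformation"), acct,
    #                     "ou-src-placeholder", "ou-stg-placeholder",
    #                     "ou-dst-placeholder", ["shared-iam-roles"])
```

Pass every StackSet that auto-deploys into the source OU, not only the one that failed: the "already exists" collision comes from a DELETE in one StackSet racing a CREATE in another, so the wait has to cover all of them before the second move.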