Build fails if OU has no accounts - please reopen #42
Comments
@budgreen619 Thanks for sharing your use case with us. If any of the OUs have at least 1 valid account ID other than the Org master account, the pipeline should succeed (workaround). The reason we raise this exception is to avoid the pipeline failing after the stack set API fails, since there will be no valid account IDs in the API call. Note: Version 1.2 only supports self-managed stack sets. Would it be acceptable to execute the pipeline successfully if there are no accounts in the OU, and the stack set state machine will not be executed?
@groverlalit Thanks very much for the response. Yes, for my use case it would be perfectly fine to skip any CloudFormation resources in manifest.yaml which have OUs without any accounts in them, and not execute the state machine for that specific resource. This would also cover the scenario where a customer might be retiring accounts or moving accounts around, which could result in a situation where there could be empty OUs and thus break the whole pipeline. My customer will always use CodePipeline as the first location to view the status of CFCT; if the pipeline fails, then they would start drilling down into CodeBuild history, Step Functions, and CloudFormation for further details.
@budgreen619 Thanks for the confirmation. We have added this to our backlog and will review before the next release. Appreciate the feedback.
We are also experiencing this issue. Since Control Tower does not allow for nested OUs, we have to create a new OU for each customer, and in order to apply guardrails in a timely fashion they need to be applied to the empty OU before the account is placed in there. At any rate, having an empty OU is a common use case. Please fix.
v2.0.0 now supports adding the OU name that does not contain any accounts in the manifest.yaml for the stack set resource.
Filing another report for previously closed issue, Build fails if OU has no accounts #37.
I have the identical issue as described in #37, but I think you are missing a valid use case. We are performing a greenfield deployment for a customer, and they want to define all of their newly created OUs within the CFCT manifest file even though they are empty; this way, as new accounts are provisioned via Account Factory, they will automatically receive the customizations.
With the current issue around empty OUs the customer will be forced to deploy a first account into an OU which will not receive the customizations, then edit the manifest file to add the OU. This hurts the usefulness of allowing users to deploy their own accounts via Service Catalog because they still need to involve an Administrator to edit the manifest if this is a new or empty OU.
Any workarounds for this use case?