I deployed a CloudFormation StackSet to an organizational unit (OU) expecting all member accounts to receive the stack. Some accounts got it, but others didn’t. New accounts added to the OU weren’t receiving the stack either. I realized the StackSet wasn’t configured for auto-deployment, and some accounts were in nested OUs that the deployment targets didn’t include. In this post, I’ll walk through exactly what causes this and how to fix it.
The Problem
CloudFormation StackSet targeting an OU shows incomplete deployment:
StackSet deployment missing accounts in the OU
Stack instances in OUTDATED status for some accounts
New accounts added to OU aren't getting the stack
Some accounts show FAILED status with no clear reason
Typical issues:
| Issue | Description |
|---|---|
| Partial deployment | Only some accounts in the OU have stacks |
| Auto-deployment disabled | New accounts aren't automatically receiving stacks |
| Accounts outside the targeted OU subtree | Accounts sit in an OU (possibly a nested one) that is not under any targeted OU ID |
| Self-managed StackSet | Account list doesn't include all target accounts, or a target account lacks the execution role |
| OUTDATED instances | Accounts have a stack instance, but it shows OUTDATED rather than CURRENT because the last operation failed or was stopped for that instance |
Why Does This Happen?
- Auto-deployment not enabled. Service-managed StackSets do not deploy to accounts that join a targeted OU later unless `AutoDeployment.Enabled=true` is set on the stack set; it is off by default.
- Deployment targets don't cover the accounts. When a service-managed StackSet targets an OU, it deploys to every account in that OU and in all of its nested child OUs, so nesting alone does not exclude an account. Accounts are missed when they live outside the targeted subtree (a sibling OU, an OU created after the stack set, or an OU the account was later moved into), or when an account filter (`AccountFilterType=INTERSECTION` or `DIFFERENCE` with an `Accounts` list in `--deployment-targets`) narrows the target set.
- Self-managed StackSets. Self-managed StackSets don't support OU targeting at all; you must list each account ID explicitly, and every target account must contain the `AWSCloudFormationStackSetExecutionRole` trusting the administrator account's `AWSCloudFormationStackSetAdministrationRole`. Accounts not in the list, or without the role, never get a stack.
- Operation failed or was stopped for some instances. A stack set operation runs account by account; instances whose deployment failed, or that were cancelled once the failure tolerance was exceeded, are left OUTDATED. The per-account reason is recorded in the operation results, not on the stack set itself, which is why these failures look silent.
- Suspended accounts. StackSets skips suspended accounts rather than failing on them (detailed status `SKIPPED_SUSPENDED_ACCOUNT`), so they show up as gaps in coverage.
- New accounts added after StackSet creation. If auto-deployment is disabled, new accounts must be targeted by running `create-stack-instances` again.
The Fix
Option 1: Enable Auto-Deployment for Service-Managed StackSets
For service-managed StackSets, enable auto-deployment so new accounts automatically receive stacks:
# Update StackSet to enable auto-deployment (service-managed only).
# update-stack-set needs a template source: --use-previous-template keeps the current one.
# Add --capabilities CAPABILITY_NAMED_IAM if the template creates IAM resources,
# --parameters ParameterKey=...,UsePreviousValue=true for each stack set parameter
# so they are not reset to defaults, and --call-as DELEGATED_ADMIN when running
# from a delegated administrator account.
aws cloudformation update-stack-set \
  --stack-set-name my-stackset \
  --use-previous-template \
  --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false
# Verify auto-deployment is enabled and which OUs are targeted
aws cloudformation describe-stack-set \
  --stack-set-name my-stackset \
  --query "StackSet.[PermissionModel,AutoDeployment,OrganizationalUnitIds]" \
  --output table
This ensures:
- Accounts that join a targeted OU (new accounts, or accounts moved in) automatically receive the stack
- Accounts that leave a targeted OU have their stack deleted (`RetainStacksOnAccountRemoval=false`); set it to `true` if the stack must survive an OU move
Option 2: Confirm the Missing Accounts Are Under a Targeted OU
A service-managed StackSet that targets an OU already covers every nested child OU, so first check which OUs the stack set targets and where the missing accounts actually live (the Organizations calls need management-account or delegated-administrator credentials):
# Which OUs does the stack set target?
aws cloudformation describe-stack-set \
  --stack-set-name my-stackset \
  --query "StackSet.OrganizationalUnitIds"
# Which OU does a missing account sit in?
aws organizations list-parents --child-id 123456789012
# List the child OUs of an OU to see how the tree is structured
aws organizations list-organizational-units-for-parent --parent-id ou-xxxx-yyyy
If the account's OU is not under any targeted OU, add that OU (or its parent) to the targets:
# Create stack instances for the OU subtrees that were not targeted
aws cloudformation create-stack-instances \
  --stack-set-name my-stackset \
  --deployment-targets OrganizationalUnitIds=ou-xxxx-yyyy,ou-aaaa-bbbb \
  --regions us-east-1 us-west-2
# Or target the organization root to cover every account in every OU
aws cloudformation create-stack-instances \
  --stack-set-name my-stackset \
  --deployment-targets OrganizationalUnitIds=r-xxxx \
  --regions us-east-1
Option 3: Check Coverage and Identify Missing Accounts
List all stack instances to find accounts whose stack is not CURRENT. Note that accounts with no stack instance at all do not appear in this list, so you still have to compare it against the accounts that actually live under the OU:
# List all stack instances and their status
aws cloudformation list-stack-instances \
  --stack-set-name my-stackset \
  --query "Summaries[].[Account,Region,Status,StackInstanceStatus.DetailedStatus,StatusReason]" \
  --output table
# Find instances NOT in CURRENT status
aws cloudformation list-stack-instances \
  --stack-set-name my-stackset \
  --query "Summaries[?Status!='CURRENT'].[Account,Region,Status,StackInstanceStatus.DetailedStatus]" \
  --output table
# Get the failure reason for one instance. (Drift detection answers a different
# question, whether resources were changed out of band, and does not explain a failed deployment.)
aws cloudformation describe-stack-instance \
  --stack-set-name my-stackset \
  --stack-instance-account 123456789012 \
  --stack-instance-region us-east-1 \
  --query "StackInstance.[Status,StackInstanceStatus.DetailedStatus,StatusReason]"
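The coverage check above only lists accounts that already have a stack instance. The script below is an added example for this post, not code from the original article or from AWS: it walks the OU subtree the way a service-managed StackSet does (the OU plus every nested child OU), then diffs the ACTIVE accounts it finds against the stack instances reported for one region, so accounts with no instance at all, OUTDATED instances, and stray instances in accounts that have left the OU all surface in one report. The pure functions consume the JSON shapes returned by `aws organizations list-organizational-units-for-parent`, `aws organizations list-accounts-for-parent` and `aws cloudformation list-stack-instances`; the OU tree, account IDs and instance list below are constructed sample data, and `live_report` assumes boto3 is installed and credentials for the management (or delegated-administrator) account are available.

```python
"""Reconcile StackSet coverage against the accounts that actually live under an OU.

Added example (not from the original post). Walks an OU subtree the way a
service-managed StackSet does when you target that OU (the OU itself plus every
nested child OU), then diffs the ACTIVE accounts found against the stack
instances reported for one region. Accounts with no instance at all never appear
in list-stack-instances, which is why this diff is needed. The pure functions take
the JSON shapes returned by the Organizations and CloudFormation list calls named
in the comments. All sample data below is constructed.
"""
import json
from collections import deque
from typing import Callable, Dict, Iterable


def walk_ou_accounts(ou_id: str,
                     list_child_ous: Callable[[str], Iterable[dict]],
                     list_accounts: Callable[[str], Iterable[dict]]) -> Dict[str, str]:
    """Return {account_id: ou_id} for every ACTIVE account under ou_id, nested OUs included.

    SUSPENDED accounts are excluded because StackSets skips them
    (detailed status SKIPPED_SUSPENDED_ACCOUNT) instead of deploying to them.
    """
    found: Dict[str, str] = {}
    queue = deque([ou_id])
    while queue:
        ou = queue.popleft()
        for acct in list_accounts(ou):
            if acct.get("Status") == "ACTIVE":
                found[acct["Id"]] = ou
        queue.extend(child["Id"] for child in list_child_ous(ou))
    return found


def coverage_report(expected: Dict[str, str], instances: Iterable[dict], region: str) -> dict:
    """Diff the expected account set against ListStackInstances Summaries[] for one region."""
    by_account = {s["Account"]: s for s in instances if s["Region"] == region}
    return {
        # under the OU but no stack instance at all: needs create-stack-instances
        "missing": sorted(a for a in expected if a not in by_account),
        # instance exists but is not CURRENT: re-run the current template on these
        "not_current": sorted(
            (a, s["Status"], (s.get("StackInstanceStatus") or {}).get("DetailedStatus"),
             s.get("StatusReason"))
            for a, s in by_account.items() if s["Status"] != "CURRENT"),
        # instance in an account that is no longer under the OU (moved out, stack retained)
        "stray": sorted(a for a in by_account if a not in expected),
    }


# --- constructed sample data; the OU and account IDs are not real ---
OU_TREE = {  # parent OU -> child OUs, shape of list-organizational-units-for-parent
    "ou-r000-workloads": [{"Id": "ou-r000-prod", "Name": "Prod"}, {"Id": "ou-r000-dev", "Name": "Dev"}],
    "ou-r000-prod": [{"Id": "ou-r000-prodeu", "Name": "ProdEU"}],
}
OU_ACCOUNTS = {  # OU -> direct member accounts, shape of list-accounts-for-parent
    "ou-r000-workloads": [{"Id": "111111111111", "Status": "ACTIVE"}],
    "ou-r000-prod": [{"Id": "222222222222", "Status": "ACTIVE"}],
    "ou-r000-prodeu": [{"Id": "333333333333", "Status": "ACTIVE"},
                       {"Id": "444444444444", "Status": "SUSPENDED"}],
    "ou-r000-dev": [{"Id": "555555555555", "Status": "ACTIVE"}],
}
STACK_INSTANCES = [  # shape of list-stack-instances Summaries[]
    {"Account": "111111111111", "Region": "us-east-1", "Status": "CURRENT"},
    {"Account": "222222222222", "Region": "us-east-1", "Status": "OUTDATED",
     "StackInstanceStatus": {"DetailedStatus": "FAILED"},
     "StatusReason": "constructed sample: last operation failed in this account"},
    {"Account": "333333333333", "Region": "eu-west-1", "Status": "CURRENT"},
    {"Account": "999999999999", "Region": "us-east-1", "Status": "CURRENT"},
]


def sample_report(region: str = "us-east-1") -> dict:
    """Run the diff over the constructed data above."""
    expected = walk_ou_accounts("ou-r000-workloads",
                                lambda ou: OU_TREE.get(ou, []),
                                lambda ou: OU_ACCOUNTS.get(ou, []))
    return coverage_report(expected, STACK_INSTANCES, region)


def live_report(stack_set_name: str, ou_id: str, region: str, call_as: str = "SELF") -> dict:
    """Same diff against live AWS (assumes boto3 and management or delegated-admin credentials)."""
    import boto3  # imported here so the offline sample runs without boto3 installed
    orgs = boto3.client("organizations")
    cfn = boto3.client("cloudformation")

    def child_ous(parent):
        for page in orgs.get_paginator("list_organizational_units_for_parent").paginate(ParentId=parent):
            yield from page["OrganizationalUnits"]

    def accounts(parent):
        for page in orgs.get_paginator("list_accounts_for_parent").paginate(ParentId=parent):
            yield from page["Accounts"]

    instances = []
    for page in cfn.get_paginator("list_stack_instances").paginate(
            StackSetName=stack_set_name, StackInstanceRegion=region, CallAs=call_as):
        instances.extend(page["Summaries"])
    return coverage_report(walk_ou_accounts(ou_id, child_ous, accounts), instances, region)


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

On the constructed data the us-east-1 report lists 333333333333 and 555555555555 as missing (they live in nested OUs but have no instance in that region), 222222222222 as OUTDATED with its recorded reason, and 999999999999 as a stray instance outside the OU. Feed `missing` to `create-stack-instances` and `not_current` to a scoped `update-stack-set --use-previous-template`; `stray` is what `RetainStacksOnAccountRemoval=true` leaves behind after an OU move.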
Option 4: Deploy to Explicitly Missing Accounts
If you find accounts missing the stack, deploy to them directly. `--accounts` only works with self-managed StackSets; a service-managed StackSet rejects it, so scope the deployment with an account filter on a targeted OU instead:
# Self-managed: deploy to specific missing accounts
aws cloudformation create-stack-instances \
  --stack-set-name my-stackset \
  --accounts 123456789012 210987654321 \
  --regions us-east-1 us-west-2
# Service-managed: same thing, limited to the listed accounts within the targeted OU
aws cloudformation create-stack-instances \
  --stack-set-name my-stackset \
  --deployment-targets '{"OrganizationalUnitIds":["ou-xxxx-yyyy"],"Accounts":["123456789012","210987654321"],"AccountFilterType":"INTERSECTION"}' \
  --regions us-east-1 us-west-2
# Re-run the current template on OUTDATED instances only. With no template or parameter
# change, update-stack-set touches just the accounts and Regions you name and leaves the
# other instances' status alone (self-managed shown; service-managed uses --deployment-targets).
# Pass --parameters ParameterKey=...,UsePreviousValue=true for each stack set parameter.
aws cloudformation update-stack-set \
  --stack-set-name my-stackset \
  --use-previous-template \
  --accounts 123456789012 \
  --regions us-east-1
Option 5: For Self-Managed StackSets, Use Account Numbers
Self-managed StackSets don't support OU targeting. You must list accounts explicitly, and every target account needs the `AWSCloudFormationStackSetExecutionRole` (trusting `AWSCloudFormationStackSetAdministrationRole` in the administrator account) or the deployment to that account fails:
# Create self-managed StackSet (no OU support)
aws cloudformation create-stack-set \
  --stack-set-name my-stackset \
  --permission-model SELF_MANAGED \
  --template-body file://template.yaml
# Create stack instances for specific accounts
aws cloudformation create-stack-instances \
  --stack-set-name my-stackset \
  --accounts 111111111111 222222222222 333333333333 \
  --regions us-east-1
# Create instances for all accounts listed in a file, one ID per line.
# Pass them in a single call: a stack set runs one operation at a time, so a
# per-account loop fails with OperationInProgressException after the first account.
# The operation preferences deploy accounts in parallel but stop on the first failure.
aws cloudformation create-stack-instances \
  --stack-set-name my-stackset \
  --accounts $(tr '\n' ' ' < account-list.txt) \
  --regions us-east-1 \
  --operation-preferences MaxConcurrentPercentage=100,FailureTolerancePercentage=0,ConcurrencyMode=SOFT_FAILURE_TOLERANCE
Option 6: Debug Deployment Failures
If some accounts show FAILED results, diagnose from the operation, which is where the per-account reasons are recorded:
# Find the most recent operation IDs
aws cloudformation list-stack-set-operations \
  --stack-set-name my-stackset \
  --query "Summaries[].[OperationId,Action,Status,CreationTimestamp]" \
  --output table
# Get StackSet operation details
aws cloudformation describe-stack-set-operation \
  --stack-set-name my-stackset \
  --operation-id 1234abcd-5678-efgh-ijkl-9876mnopqrst \
  --query "StackSetOperation.[OperationId,Status,StatusReason,CreationTimestamp]"
# Per-account results and reasons for that operation (this is where the "silent" failures show up)
aws cloudformation list-stack-set-operation-results \
  --stack-set-name my-stackset \
  --operation-id 1234abcd-5678-efgh-ijkl-9876mnopqrst \
  --query "Summaries[?Status!='SUCCEEDED'].[Account,Region,Status,StatusReason]" \
  --output table
# Check the individual stack in the member account. The stack is named StackSet-<stackset-name>-<id>,
# and this call must run with credentials for that account, in that Region.
aws cloudformation describe-stacks \
  --region us-east-1 \
  --stack-name arn:aws:cloudformation:us-east-1:ACCOUNT:stack/StackSet-my-stackset-xyz/UUID \
  --query "Stacks[0].[StackStatus,StackStatusReason]"
# Resource-level errors behind a failed stack
aws cloudformation describe-stack-events \
  --region us-east-1 \
  --stack-name arn:aws:cloudformation:us-east-1:ACCOUNT:stack/StackSet-my-stackset-xyz/UUID \
  --query "StackEvents[?ResourceStatus=='CREATE_FAILED' || ResourceStatus=='UPDATE_FAILED'].[LogicalResourceId,ResourceStatusReason]"
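Reading operation results by hand is fine for a handful of accounts; at organization scale you want to group the failures and rebuild the retry from them. The script below is an added example for this post (not code from the original article or from AWS): it takes the JSON shapes returned by `aws cloudformation list-stack-set-operations` and `aws cloudformation list-stack-set-operation-results`, picks the newest operation, groups its FAILED and CANCELLED results by the StatusReason the service recorded, and emits one `update-stack-set --use-previous-template` command per Region limited to the accounts that failed there, using `--accounts` for SELF_MANAGED and an INTERSECTION account filter over the stack set's targeted OUs for SERVICE_MANAGED. The operation history, status reasons, account and OU IDs are constructed; `my-stackset` and `ou-r000-workloads` are placeholders.

```python
"""Triage the newest StackSet operation and build a scoped retry.

Added example (not from the original post). Reads the JSON shapes returned by
list-stack-set-operations and list-stack-set-operation-results, picks the most
recent operation, groups its FAILED and CANCELLED results by recorded
StatusReason, and emits one update-stack-set argv per Region that re-runs only
the affected accounts. All sample data below is constructed.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# CANCELLED covers instances skipped once the failure tolerance was exceeded
RETRY_STATUSES = {"FAILED", "CANCELLED"}


def latest_operation(operations: Iterable[dict]) -> dict:
    """Newest operation by CreationTimestamp (ISO-8601 strings sort chronologically)."""
    return max(operations, key=lambda op: op["CreationTimestamp"])


def failed_results(results: Iterable[dict]) -> Dict[str, List[Tuple[str, str]]]:
    """Group the (account, region) pairs that need a retry by the StatusReason recorded."""
    grouped: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for r in results:
        if r["Status"] in RETRY_STATUSES:
            grouped[r.get("StatusReason", "")].append((r["Account"], r["Region"]))
    return dict(grouped)


def retry_commands(stack_set_name: str, permission_model: str,
                   pairs: Iterable[Tuple[str, str]], ou_ids: Iterable[str] = ()) -> List[List[str]]:
    """One update-stack-set argv per Region, limited to the accounts that failed there.

    Run them one at a time: a stack set accepts a single in-flight operation.
    If the stack set has parameters, also pass --parameters with UsePreviousValue=true
    for each so they are not reset to template defaults.
    """
    by_region: Dict[str, set] = defaultdict(set)
    for account, region in pairs:
        by_region[region].add(account)
    commands = []
    for region in sorted(by_region):
        accounts = sorted(by_region[region])
        argv = ["aws", "cloudformation", "update-stack-set", "--stack-set-name", stack_set_name,
                "--use-previous-template", "--regions", region]
        if permission_model == "SELF_MANAGED":
            argv += ["--accounts", *accounts]
        elif permission_model == "SERVICE_MANAGED":
            # service-managed stack sets reject --accounts; intersect the targeted OUs
            # with the failed accounts instead
            targets = {"OrganizationalUnitIds": list(ou_ids), "Accounts": accounts,
                       "AccountFilterType": "INTERSECTION"}
            argv += ["--deployment-targets", json.dumps(targets)]
        else:
            raise ValueError(f"unknown permission model {permission_model!r}")
        commands.append(argv)
    return commands


# --- constructed sample data; operation, account and OU IDs are not real ---
OPERATIONS = [  # shape of list-stack-set-operations Summaries[]
    {"OperationId": "op-0001", "Action": "CREATE", "Status": "SUCCEEDED",
     "CreationTimestamp": "2024-03-01T10:00:00Z"},
    {"OperationId": "op-0002", "Action": "UPDATE", "Status": "FAILED",
     "CreationTimestamp": "2024-03-02T09:30:00Z"},
]
RESULTS = {  # shape of list-stack-set-operation-results Summaries[], per operation
    "op-0002": [
        {"Account": "111111111111", "Region": "us-east-1", "Status": "SUCCEEDED"},
        {"Account": "222222222222", "Region": "us-east-1", "Status": "FAILED",
         "StatusReason": "constructed: execution role missing in account"},
        {"Account": "333333333333", "Region": "us-east-1", "Status": "CANCELLED",
         "StatusReason": "constructed: failure tolerance exceeded"},
        {"Account": "333333333333", "Region": "eu-west-1", "Status": "FAILED",
         "StatusReason": "constructed: execution role missing in account"},
    ],
}


def sample_triage(permission_model: str = "SELF_MANAGED") -> dict:
    """Triage the constructed operation history and build its retry commands."""
    op = latest_operation(OPERATIONS)
    grouped = failed_results(RESULTS.get(op["OperationId"], []))
    pairs = [p for group in grouped.values() for p in group]
    return {"operation": op["OperationId"], "by_reason": grouped,
            "commands": retry_commands("my-stackset", permission_model, pairs, ["ou-r000-workloads"])}


if __name__ == "__main__":
    print(json.dumps(sample_triage(), indent=2))
```

Grouping by reason matters before retrying: a reason that repeats across accounts (a missing execution role, a missing SCP permission) is a fix in those accounts, not something a retry will cure, while CANCELLED results are only collateral from the failure tolerance and retry cleanly once the real failure is fixed.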
How to Run This
- Verify the StackSet type:
  `aws cloudformation describe-stack-set --stack-set-name my-stackset --query "StackSet.PermissionModel"`
- For service-managed: enable auto-deployment:
  `aws cloudformation update-stack-set --stack-set-name my-stackset --use-previous-template --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false`
- Find where the missing accounts live and how the OU tree is laid out:
  `aws organizations list-parents --child-id 123456789012`
  `aws organizations list-organizational-units-for-parent --parent-id r-xxxx`
- Deploy to the OUs that were not targeted (nested OUs under a targeted OU are already covered):
  `aws cloudformation create-stack-instances --stack-set-name my-stackset --deployment-targets OrganizationalUnitIds=ou1,ou2,ou3 --regions us-east-1`
- Verify coverage:
  `aws cloudformation list-stack-instances --stack-set-name my-stackset --query "Summaries[?Status!='CURRENT']"`
Is This Safe?
Mostly, with two settings to choose deliberately. `RetainStacksOnAccountRemoval=false` does not retain anything: when an account leaves a targeted OU (or is closed), CloudFormation deletes the stack instance and the resources it created, so a security baseline (logging, Config rules, GuardDuty) disappears the moment someone moves the account; set it to `true` if the stack must outlive an OU move and clean up explicitly. Targeting the organization root with auto-deployment enabled means every future account, sandboxes included, gets the stack, which is usually what you want for guardrails and rarely what you want for workload resources. Re-running `update-stack-set` without a template or parameter change is a no-op update on instances that are already CURRENT.
Key Takeaway
StackSet deployments miss accounts when auto-deployment is disabled, the accounts live in an OU outside the targeted subtree, the last operation failed or was cancelled for some instances, or a self-managed StackSet doesn't explicitly list them (or they lack the execution role). Enable auto-deployment for service-managed StackSets, target the OU that actually contains the accounts (nested OUs beneath it are included automatically), read the per-account operation results for failures, and verify coverage by comparing the accounts under the OU against stack instance status.
Have questions or ran into a different CloudFormation issue? Connect with me on LinkedIn or X.