Add CallAs: DELEGATED_ADMIN support for AWS StackSets organization deployment

Customer Feedback

Customer reported on a call that they use a delegated admin account for StackSets and our current implementation does not support it:

"We use a delegated admin account for stacksets, the following would need to be added to your stack as an option to support: CallAs: DELEGATED_ADMIN otherwise you will get stack failures"

Customer also noted our implementation is "shell games" - a Stack that calls a StackSet (accurate observation of our architecture).

Current Architecture ("Shell Games")

Our CloudFormation template uses a nested structure:

  1. Outer Stack (what customer deploys)
  2. ChariotStackSet resource inside (conditional on Targets parameter)
  3. Embedded TemplateBody inside StackSet with IAM role definition
  4. Member account stacks created by StackSet

Outer Stack -> ChariotStackSet -> TemplateBody -> Member Account Roles

The Problem

When deploying from a delegated admin account with the SERVICE_MANAGED permission model, AWS requires the CallAs: DELEGATED_ADMIN parameter. Without it, deployment fails with:

Error: "You must be the management account or delegated admin account of an organization before operating a SERVICE_MANAGED stack set."

Files Requiring Changes

1. CloudFormation Template

File: modules/chariot/backend/pkg/handler/handlers/account/cloud/templates/cloudformation.yaml

Add parameter and property - CallAsMode parameter with SELF/DELEGATED_ADMIN values, and CallAs: !Ref CallAsMode in ChariotStackSet properties.

2. Terraform Template

File: modules/chariot/backend/pkg/handler/handlers/account/cloud/templates/aws.tf.tmpl

Add call_as variable and property to BOTH aws_cloudformation_stack_set AND aws_cloudformation_stack_set_instance (common mistake to forget the instance resource).

3. Go Handler

File: modules/chariot/backend/pkg/handler/handlers/account/cloud/cloud.go

Add CallAs field to CloudInitializeRequest and CallAsParameter to TemplateData structs.

4. AWS Methods

File: modules/chariot/backend/pkg/handler/handlers/account/cloud/aws_methods.go

Populate CallAsParameter in PopulateTemplateData method.

5. Tests

File: modules/chariot/backend/pkg/handler/handlers/account/cloud/templates_test.go

Add test cases for delegated admin mode.
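As an added example (not the project's code), the five steps above in Go, the handler's language: the request field defaults to SELF and rejects anything but SELF/DELEGATED_ADMIN, PopulateTemplateData carries it into TemplateData, constructed CloudFormation and Terraform fragments render it, and a small check catches the "forgot the instance resource" mistake. Struct, field and function names (CloudInitializeRequest, TemplateData, PopulateTemplateData, Render, MissingCallAs) and both template fragments are assumptions, not copied from the repository.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Assumed mirrors of the struct additions requested for cloud.go.
type CloudInitializeRequest struct {
	CallAs string `json:"call_as"`
}

type TemplateData struct {
	CallAsParameter string
}

// ResolveCallAs: empty means SELF (backward compatible); any value other than
// SELF or DELEGATED_ADMIN is rejected here instead of as a StackSet failure.
func ResolveCallAs(v string) (string, error) {
	switch strings.ToUpper(strings.TrimSpace(v)) {
	case "", "SELF":
		return "SELF", nil
	case "DELEGATED_ADMIN":
		return "DELEGATED_ADMIN", nil
	}
	return "", fmt.Errorf("call_as must be SELF or DELEGATED_ADMIN, got %q", v)
}

// PopulateTemplateData is the assumed shape of the aws_methods.go step.
func PopulateTemplateData(req CloudInitializeRequest) (TemplateData, error) {
	callAs, err := ResolveCallAs(req.CallAs)
	if err != nil {
		return TemplateData{}, err
	}
	return TemplateData{CallAsParameter: callAs}, nil
}

// Constructed CloudFormation fragment: CallAsMode parameter + CallAs property.
const CfnTemplate = `Parameters:
  CallAsMode:
    Type: String
    Default: {{ .CallAsParameter }}
    AllowedValues: [SELF, DELEGATED_ADMIN]
Resources:
  ChariotStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      CallAs: !Ref CallAsMode
`

// Constructed Terraform fragment: call_as on BOTH stack set and instance.
const TfTemplate = `variable "call_as" {
  default = "{{ .CallAsParameter }}"
}
resource "aws_cloudformation_stack_set" "chariot" {
  permission_model = "SERVICE_MANAGED"
  call_as          = var.call_as
}
resource "aws_cloudformation_stack_set_instance" "chariot" {
  stack_set_name = aws_cloudformation_stack_set.chariot.name
  call_as        = var.call_as
}
`

// Render executes a template fragment with the populated data.
func Render(tmpl string, data TemplateData) (string, error) {
	var buf bytes.Buffer
	err := template.Must(template.New("t").Parse(tmpl)).Execute(&buf, data)
	return buf.String(), err
}

// MissingCallAs scans rendered Terraform for aws_cloudformation_stack_set*
// resource blocks and names each one that lacks a call_as argument.
func MissingCallAs(tf string) []string {
	var missing []string
	current, seen := "", false
	for _, raw := range strings.Split(tf, "\n") {
		line := strings.TrimSpace(raw)
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "resource" {
			current, seen = strings.Trim(f[1], `"`), false
		} else if current != "" && strings.HasPrefix(line, "call_as") {
			seen = true
		} else if current != "" && line == "}" {
			if strings.HasPrefix(current, "aws_cloudformation_stack_set") && !seen {
				missing = append(missing, current)
			}
			current = ""
		}
	}
	return missing
}

func main() {
	data, _ := PopulateTemplateData(CloudInitializeRequest{CallAs: "DELEGATED_ADMIN"})
	out, _ := Render(TfTemplate, data)
	fmt.Println(out, "missing call_as:", MissingCallAs(out))
}
```

MissingCallAs is the kind of assertion the templates_test.go step can carry: render with DELEGATED_ADMIN and require an empty result, so dropping call_as from either resource fails the build rather than the customer's deployment.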

Technical Details

CallAs Values:

  • Management account: SELF (default) - Works without specifying
  • Delegated admin account: DELEGATED_ADMIN - Required, fails without

Prerequisites for Customer:

  1. Enable trusted access: aws organizations enable-aws-service-access --service-principal stacksets.cloudformation.amazonaws.com
  2. Register delegated admin: aws organizations register-delegated-administrator --service-principal=member.org.stacksets.cloudformation.amazonaws.com --account-id="ID"

AWS Documentation:

Terraform Provider: Minimum v5.47.0 (fixes from issues #32536, #23378)

Acceptance Criteria

  • [ ] CloudFormation template accepts CallAsMode parameter
  • [ ] Terraform template accepts call_as variable on both aws_cloudformation_stack_set and aws_cloudformation_stack_set_instance
  • [ ] API accepts call_as field in CloudInitializeRequest
  • [ ] Default value is "SELF" (backward compatible)
  • [ ] Tests cover both SELF and DELEGATED_ADMIN modes
  • [ ] Documentation updated (skill already updated)
  • Skill updated: integrating-with-aws now has references/stacksets-organization-deployment.md
  • New Nov 2025 feature: AutoDeployment.DependsOn for deployment ordering (consider adding)

Status: Planned
Board: Feature
Date: About 1 month ago
Author: Linear