Set operation_preferences and add failure_tolerance var

modules/services/agentless-scanning/organizational.tf

@@ -138,9 +138,9 @@ resource "aws_cloudformation_stack_set_instance" "scanning_role_stackset_instanc
     organizational_unit_ids = local.organizational_unit_ids
   }
   operation_preferences {
-    #    max_concurrent_count    = 10
     max_concurrent_percentage    = 100
-    failure_tolerance_percentage = 100
+    failure_tolerance_percentage = var.failure_tolerance_percentage
+    concurrency_mode             = "SOFT_FAILURE_TOLERANCE"
     // Roles are not regional and hence do not need regional parallelism
   }
 
@@ -222,9 +222,9 @@ resource "aws_cloudformation_stack_set_instance" "mgmt_acc_stackset_instance" {
 
   stack_set_name = aws_cloudformation_stack_set.mgmt_acc_resources_stackset[0].name
   operation_preferences {
-    #    max_concurrent_count    = 10
     max_concurrent_percentage    = 100
-    failure_tolerance_percentage = 100
+    failure_tolerance_percentage = var.failure_tolerance_percentage
+    concurrency_mode             = "SOFT_FAILURE_TOLERANCE"
     region_concurrency_type      = "PARALLEL"
   }
 
@@ -314,9 +314,9 @@ resource "aws_cloudformation_stack_set_instance" "ou_stackset_instance" {
     organizational_unit_ids = local.organizational_unit_ids
   }
   operation_preferences {
-    #    max_concurrent_count    = 10
     max_concurrent_percentage    = 100
-    failure_tolerance_percentage = 100
+    failure_tolerance_percentage = var.failure_tolerance_percentage
+    concurrency_mode             = "SOFT_FAILURE_TOLERANCE"
     region_concurrency_type      = "PARALLEL"
   }
 

modules/services/agentless-scanning/variables.tf

@@ -79,4 +79,10 @@ variable "mgt_stackset" {
   description = "(Optional) Indicates if the management stackset should be deployed"
   type        = bool
   default     = true
+}
+
+variable "failure_tolerance_percentage" {
+  type        = number
+  description = "The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region"
+  default     = 90
 }

modules/services/event-bridge/organizational.tf

@@ -133,9 +133,9 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" {
     organizational_unit_ids = local.organizational_unit_ids
   }
   operation_preferences {
-    #    max_concurrent_count    = 10
     max_concurrent_percentage    = 100
-    failure_tolerance_percentage = 100
+    failure_tolerance_percentage = var.failure_tolerance_percentage
+    concurrency_mode             = "SOFT_FAILURE_TOLERANCE"
     region_concurrency_type      = "PARALLEL"
   }
 
@@ -153,9 +153,9 @@ resource "aws_cloudformation_stack_set_instance" "mgmt_acc_stackset_instance" {
   stack_set_name = aws_cloudformation_stack_set.mgmt-stackset[0].name
 
   operation_preferences {
-    #    max_concurrent_count    = 10
     max_concurrent_percentage    = 100
-    failure_tolerance_percentage = 100
+    failure_tolerance_percentage = var.failure_tolerance_percentage
+    concurrency_mode             = "SOFT_FAILURE_TOLERANCE"
     region_concurrency_type      = "PARALLEL"
   }
 
@@ -175,9 +175,9 @@ resource "aws_cloudformation_stack_set_instance" "eb_role_stackset_instance" {
     organizational_unit_ids = local.organizational_unit_ids
   }
   operation_preferences {
-    #    max_concurrent_count    = 10
     max_concurrent_percentage    = 100
-    failure_tolerance_percentage = 100
+    failure_tolerance_percentage = var.failure_tolerance_percentage
+    concurrency_mode             = "SOFT_FAILURE_TOLERANCE"
     // Roles are not regional and hence do not need regional parallelism
   }
 

modules/services/event-bridge/variables.tf

@@ -104,4 +104,10 @@ variable "mgt_stackset" {
   description = "(Optional) Indicates if the management stackset should be deployed"
   type        = bool
   default     = true
+}
+
+variable "failure_tolerance_percentage" {
+  type        = number
+  description = "The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region"
+  default     = 90
 }

modules/services/trust-relationship/main.tf

@@ -206,9 +206,9 @@ resource "aws_cloudformation_stack_set_instance" "stackset_instance" {
     organizational_unit_ids = local.org_units_to_deploy
   }
   operation_preferences {
-    #    max_concurrent_count    = 10
     max_concurrent_percentage    = 100
-    failure_tolerance_percentage = 100
+    failure_tolerance_percentage = var.failure_tolerance_percentage
+    concurrency_mode             = "SOFT_FAILURE_TOLERANCE"
     // Roles are not regional and hence do not need regional parallelism
   }
 

modules/services/trust-relationship/variables.tf

@@ -49,4 +49,10 @@ variable "timeout" {
   type        = string
   description = "Default timeout values for create, update, and delete operations"
   default     = "30m"
+}
+
+variable "failure_tolerance_percentage" {
+  type        = number
+  description = "The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region"
+  default     = 90
 }

modules/services/workload-scanning/organizational.tf

@@ -87,9 +87,9 @@ resource "aws_cloudformation_stack_set_instance" "scanning_role_stackset_instanc
     organizational_unit_ids = local.organizational_unit_ids
   }
   operation_preferences {
-    #    max_concurrent_count    = 10
     max_concurrent_percentage    = 100
-    failure_tolerance_percentage = 100
+    failure_tolerance_percentage = var.failure_tolerance_percentage
+    concurrency_mode             = "SOFT_FAILURE_TOLERANCE"
     // Roles are not regional and hence do not need regional parallelism
   }
 

modules/services/workload-scanning/variables.tf

@@ -51,4 +51,10 @@ variable "timeout" {
   type        = string
   description = "Default timeout values for create, update, and delete operations"
   default     = "30m"
+}
+
+variable "failure_tolerance_percentage" {
+  type        = number
+  description = "The percentage of accounts, per Region, for which stack operations can fail before AWS CloudFormation stops the operation in that Region"
+  default     = 90
 }