runbooks 0.7.0__py3-none-any.whl → 0.7.6__py3-none-any.whl

runbooks/inventory/update_cfn_stacksets.py

@@ -1,1215 +0,0 @@
-#!/usr/bin/env python3
-
-import logging
-import sys
-from queue import Queue
-from threading import Thread
-from time import sleep, time
-
-from account_class import aws_acct_access
-from ArgumentsClass import CommonArguments
-from botocore.exceptions import ClientError
-from colorama import Fore, Style, init
-from Inventory_Modules import (
-    check_stack_set_status3,
-    delete_stack_instances3,
-    delete_stackset3,
-    find_stack_instances3,
-    find_stacksets3,
-    get_child_access3,
-    get_ec2_regions3,
-    get_regions3,
-    random_string,
-)
-from tqdm.auto import tqdm
-
-"""
-	- There are four possible use-cases when trying to modify or remove a stack instance from a stack set:
-		- The stack exists as an association within the stackset AND it exists within the child account (typical)
-			- We should remove the stackset-association with "--RetainStacks=False" and that will remove the child stack in the child account.
-		- The stack exists as an association within the stackset, but has been manually deleted within the child account
-			- If we remove the stackset-association with "--RetainStacks=False", it won't error, even when the stack doesn't exist within the child.
-			- There is a special use case here where the child account has been deleted or suspended. This is a difficult use-case to test12.
-		- The stack doesn't exist within the stackset association, but DOES exist within the child account (because its association was removed from the stackset)
-			- The only way to remove this is to remove the stack from the child account. This would have to be done after having found the stack within the child account. This will be a ToDo for later...
-		- The stack doesn't exist within the child account, nor within the stack-set
-			- Nothing to do here
-			
-TODO:
-	- Pythonize the whole thing
-	- More Commenting throughout script
-	- Make deleting multiple closed accounts easier - needs a parameter that comprises "+delete +force -A -check" all in one - to remove all closed accounts at one time... 
-	- Add a stackset status, instead of just the status for the instances
-	- Add a "tail" option, so it runs over and over until the stackset is finished
-	- Make sure that the part where it removes stack instances and WAITS till they're done it working... 
-"""
-
-init()
-
-__version__ = "2024.05.31"
-ERASE_LINE = "\x1b[2K"
-begin_time = time()
-sleep_interval = 5
-# Seems low, but this fits under the API threshold. Make it too high and it will not.
-DefaultMaxWorkerThreads = 5
-
-
-###################
-def parse_args(f_arguments: object):
-    """
-    Description: Parses the arguments passed into the script
-    @param f_arguments: args represents the list of arguments passed in
-    @return: returns an object namespace that contains the individualized parameters passed in
-    """
-    parser = CommonArguments()
-    parser.singleprofile()
-    parser.singleregion()
-    # This next parameter includes picking a specific account, ignoring specific accounts or profiles
-    parser.extendedargs()
-    parser.fragment()
-    parser.roletouse()
-    # parser.save_to_file()
-    parser.confirm()
-    parser.timing()
-    parser.verbosity()
-    parser.version(__version__)
-    operation_group = parser.my_parser.add_mutually_exclusive_group()
-    operation_group.add_argument(
-        "+refresh",
-        help="Use this parameter is you want to re-run the same stackset, over again",
-        action="store_true",
-        dest="Refresh",
-    )
-    operation_group.add_argument(
-        "+add",
-        help="If this parameter is specified, we'll add the specified accounts to the specified stacksets.",
-        action="store_true",
-        dest="AddNew",
-    )
-    operation_group.add_argument(
-        "+delete",
-        "+remove",
-        help="If this parameter is specified, we'll delete stacksets we find, with no additional confirmation.",
-        action="store_true",
-        dest="DryRun",
-    )
-    parser.my_parser.add_argument(
-        "-R",
-        "--ModifyRegion",
-        help="The region(s) you want to either remove from or add to all the specified stacksets.",
-        default=None,
-        nargs="*",
-        metavar="region-name",
-        dest="pRegionModifyList",
-    )
-    parser.my_parser.add_argument(
-        "-c",
-        "-check",
-        "--check",
-        help="Do a comparison of the accounts found in the stacksets to the accounts found in the Organization and list out any that have been closed or suspended, but never removed from the stacksets.",
-        action="store_true",
-        dest="AccountCheck",
-    )
-    parser.my_parser.add_argument(
-        "--date",
-        help="Provide this flag if you want the date of the last operation included with the detailed stack instance output",
-        action="store_true",
-        dest="OperationDate",
-    )
-    parser.my_parser.add_argument(
-        "--retain",
-        "--disassociate",
-        help="Remove the stack instances from the stackset, but retain the resources. You must also specify '+delete' to use this parameter",
-        action="store_true",
-        dest="Retain",
-    )
-    return parser.my_parser.parse_args(f_arguments)
-
-
-def setup_auth_and_regions(fProfile: str) -> (aws_acct_access, list):
-    """
-    Description: This function takes in a profile, and returns the account object and the regions valid for this account / org.
-    @param fProfile: A string representing the profile provided by the user. If nothing, then use the default profile or credentials
-    @return:
-            - an object of the type "aws_acct_access"
-            - a list of regions valid for this particular profile/ account.
-    """
-    try:
-        aws_acct = aws_acct_access(fProfile)
-    except ConnectionError as my_Error:
-        logging.error(f"Exiting due to error: {my_Error}")
-        sys.exit(8)
-
-    AllRegions = get_ec2_regions3(aws_acct)
-
-    if pRegion.lower() not in AllRegions:
-        print()
-        print(
-            f"{Fore.RED}You specified '{pRegion}' as the region, but this script only works with a single region.\n"
-            f"Please run the command again and specify only a single, valid region{Fore.RESET}"
-        )
-        print()
-        sys.exit(9)
-
-    print()
-    if pdelete:
-        action = "and delete"
-    elif pAddNew:
-        action = "and add to"
-    elif pRefresh:
-        action = "and refresh"
-    else:
-        action = "but not modify"
-    print(f"You asked me to find ({action}) stacksets that match the following:")
-    print(f"\t\tIn the {aws_acct.AccountType} account {aws_acct.acct_number}")
-    print(f"\t\tIn this Region: {pRegion}")
-
-    RegionList = get_regions3(aws_acct, pRegionModifyList)
-
-    if pRegionModifyList is None:
-        print(f"\t\tFor stack instances across all enabled Regions")
-    else:
-        print(f"\t\tLimiting instance targets to Region{'s' if len(RegionList) > 1 else ''}: {RegionList}")
-
-    if pExact:
-        print(f"\t\tFor stacksets that {Fore.RED}exactly match{Fore.RESET}: {pStackfrag}")
-    else:
-        print(
-            f"\t\tFor stacksets that contain th{'is fragment' if len(pStackfrag) == 1 else 'ese fragments'}: {pStackfrag}"
-        )
-
-    if pAccountModifyList is None:
-        print(f"\t\tFor stack instances across all accounts")
-    else:
-        print(
-            f"\t\tSpecifically to find th{'ese' if len(pAccountModifyList) > 1 else 'is'} account number{'s' if len(pAccountModifyList) > 1 else ''}: {pAccountModifyList}"
-        )
-    # print(f"\t\tSpecifically to find th{'ese' if len(pRegionModifyList) > 1 else 'is'} region{'s' if len(pRegionModifyList) > 1 else ''}: {pRegionModifyList}") if pRegionModifyList is not None else ""
-    print(
-        f"\t\tWe'll also display those accounts in the stacksets that are no longer part of the organization"
-    ) if pCheckAccount else ""
-    print(f"\t\tWe'll refresh the stackset with fragments {pStackfrag}") if pRefresh else ""
-    print()
-    return aws_acct, RegionList
-
-
-def _find_stack_set_instances(fStackSetNames: dict, fRegion: str) -> list:
-    """
-    Note that this function takes a list of stack set names and finds the stack instances within them
-    fStackSetNames - This is a list of stackset names to look for. The reserved word "all" will return everything
-    fRegion - This is a string containing the region in which to look for stacksets.
-
-    """
-
-    class FindStackSets(Thread):
-        def __init__(self, queue):
-            Thread.__init__(self)
-            self.queue = queue
-
-        def run(self):
-            """
-            Description: This function simply multi-threads the calls to the Inventory_Scripts function called "find_stack_instances3"
-            @return: This returns a list with the stackset instance information...
-            """
-            while True:
-                # Get the work from the queue and expand the tuple
-                c_stacksetname, c_region, c_stackset_info, c_PlaceCount = self.queue.get()
-                logging.info(f"De-queued info for stack set name {c_stacksetname}")
-                try:
-                    # Now go through those stacksets and determine the instances, made up of accounts and regions
-                    # Most time spent in this loop
-                    # for i in range(len(fStackSetNames['StackSets'])):
-                    logging.info(
-                        f"{ERASE_LINE}Looking through {c_PlaceCount} of {len(fStackSetNames)} stacksets found with '{pStackfrag}' string in them"
-                    )
-                    # TODO: Creating the list to delete this way prohibits this script from including stacksets that are already empty. This should be fixed.
-                    StackInstances = find_stack_instances3(aws_acct, c_region, c_stacksetname)
-                    logging.warning(
-                        f"Found {len(StackInstances)} Stack Instances within the StackSet {c_stacksetname}, without filtering on the specific accounts we were looking for"
-                    )
-                    if len(StackInstances) == 0 and pAccountModifyList is None and pRegionModifyList is None:
-                        # logging.warning(f"While we didn't find any stack instances within {fStackSetNames['StackSets'][i]['StackSetName']}, we assume you want to delete it, even when it's empty")
-                        logging.warning(
-                            f"While we didn't find any stack instances within {c_stacksetname}, we assume you want to include it, even when it's empty"
-                        )
-                        f_combined_stack_set_instances.append(
-                            {
-                                "ParentAccountNumber": aws_acct.acct_number,
-                                "ChildAccount": None,
-                                "ChildRegion": None,
-                                "StackStatus": None,
-                                "DetailedStatus": None,
-                                "StatusReason": None,
-                                "OrganizationalUnitId": None,
-                                "PermissionModel": c_stackset_info["PermissionModel"]
-                                if "PermissionModel" in c_stackset_info
-                                else "SELF_MANAGED",
-                                "StackSetName": c_stacksetname,
-                                "LastOperationId": None,
-                            }
-                        )
-                    for StackInstance in StackInstances:
-                        if "StackId" not in StackInstance.keys():
-                            logging.info(
-                                f"The stack instance found {StackInstance} doesn't have a stackid associated. Which means it's never been deployed and probably OUTDATED"
-                            )
-                            pass
-                        if pAccountModifyList is None or StackInstance["Account"] in pAccountModifyList:
-                            # This stack instance will be reported if it matches the account they provided,
-                            # or reported on if they didn't provide an account list at all.
-                            # or - it will be removed if they also provided the "+delete" parameter,
-                            # or it will be included since they're trying to ADD accounts to this stackset...
-                            logging.debug(f"This is Instance #: {str(StackInstance)}")
-                            logging.debug(f"This is instance status: {str(StackInstance['Status'])}")
-                            logging.debug(f"This is ChildAccount: {StackInstance['Account']}")
-                            logging.debug(f"This is ChildRegion: {StackInstance['Region']}")
-                            # logging.debug("This is StackId: %s", str(StackInstance['StackId']))
-
-                            if pRegionModifyList is None or (StackInstance["Region"] in RegionList) or ChangesRequested:
-                                f_combined_stack_set_instances.append(
-                                    {
-                                        "ParentAccountNumber": aws_acct.acct_number,
-                                        "ChildAccount": StackInstance["Account"],
-                                        "ChildRegion": StackInstance["Region"],
-                                        "StackStatus": StackInstance["Status"],
-                                        "DetailedStatus": StackInstance["StackInstanceStatus"]["DetailedStatus"]
-                                        if "DetailedStatus" in StackInstance["StackInstanceStatus"]
-                                        else None,
-                                        "StatusReason": StackInstance["StatusReason"]
-                                        if "StatusReason" in StackInstance
-                                        else None,
-                                        "OrganizationalUnitId": StackInstance["OrganizationalUnitId"]
-                                        if "OrganizationalUnitId" in StackInstance
-                                        else None,
-                                        "PermissionModel": c_stackset_info["PermissionModel"]
-                                        if "PermissionModel" in c_stackset_info
-                                        else "SELF_MANAGED",
-                                        "StackSetName": c_stacksetname,
-                                        "LastOperationId": StackInstance["LastOperationId"],
-                                    }
-                                )
-                        elif not (StackInstance["Account"] in pAccountModifyList):
-                            # If the user only wants to remove the stack instances associated with specific accounts,
-                            # then we only want to capture those stack instances where the account number shows up.
-                            # The following code captures this scenario
-                            logging.debug(
-                                f"Found a stack instance, but the account didn't match {pAccountModifyList}... exiting"
-                            )
-                            continue
-                except KeyError as my_Error:
-                    logging.error(f"Account Access failed - trying to access {c_stacksetname}")
-                    logging.info(f"Actual Error: {my_Error}")
-                    pass
-                except AttributeError as my_Error:
-                    logging.error(f"Error: Likely that one of the supplied profiles was wrong")
-                    logging.info(f"Actual Error: {my_Error}")
-                    continue
-                except ClientError as my_Error:
-                    logging.error(f"Error: Likely throttling errors from too much activity")
-                    logging.info(f"Actual Error: {my_Error}")
-                    logging.debug(
-                        f"Operations name: {my_Error.operation_name} | Response: {my_Error.response} | MSG TEMPLATE: {my_Error.MSG_TEMPLATE}"
-                    )
-                    continue
-                finally:
-                    logging.info(
-                        f"{ERASE_LINE}Finished finding stack instances in stackset {c_stacksetname} in region {c_region} - {c_PlaceCount} / {len(fStackSetNames)}"
-                    )
-                    pbar.update()
-                    self.queue.task_done()
-
-    ###########
-
-    if fRegion is None:
-        fRegion = "us-east-1"
-    checkqueue = Queue()
-
-    f_combined_stack_set_instances = []
-    PlaceCount = 0
-    WorkerThreads = min(len(fStackSetNames), DefaultMaxWorkerThreads)
-
-    pbar = tqdm(
-        desc=f"Finding instances from {len(fStackSetNames)} stacksets", total=len(fStackSetNames), unit=" stacksets"
-    )
-
-    for x in range(WorkerThreads):
-        worker = FindStackSets(checkqueue)
-        # Setting daemon to True will let the main thread exit even though the workers are blocking
-        worker.daemon = True
-        worker.start()
-
-    for stackset_name, stackset_data in fStackSetNames.items():
-        logging.debug(f"Beginning to queue data - starting with {stackset_name}")
-        try:
-            # I don't know why - but double parens are necessary below. If you remove them, only the first parameter is queued.
-            PlaceCount += 1
-            checkqueue.put((stackset_name, fRegion, stackset_data, PlaceCount))
-        except ClientError as my_Error:
-            if "AuthFailure" in str(my_Error):
-                logging.error(f"Authorization Failure accessing stack set {stackset_name} in {fRegion} region")
-                logging.warning(f"It's possible that the region {fRegion} hasn't been opted-into")
-                pass
-    checkqueue.join()
-    pbar.close()
-    return f_combined_stack_set_instances
-
-
-def display_stack_set_health(StackSet_Dict: dict, Account_Dict: dict):
-    """
-    Description: This function shows off the health of the stacksets at the end of the script
-    @param StackSet_Dict: Dictionary containing the stacksets that were updated
-    @param Account_Dict: Dictionary containing the accounts that were used
-    @return: Nothing - just writes to the screen
-
-    TODO: Since it refers to "combined_stack_set_instances",
-            there's a edge-case where it skips stacksets that don't appear to have the instance, if it failed to be added.
-    """
-    combined_stack_set_instances = StackSet_Dict["combined_stack_set_instances"]
-    RemovedAccounts = Account_Dict["RemovedAccounts"] if pCheckAccount else None
-    InaccessibleAccounts = Account_Dict["InaccessibleAccounts"] if pCheckAccount else None
-    StackSetNames = StackSet_Dict["StackSetNames"]["StackSets"]
-    summary = {}
-    stack_set_permission_models = dict()
-    for record in combined_stack_set_instances:
-        stack_set_name = record["StackSetName"]
-        stack_status = record["StackStatus"]
-        # stackset_status = StackSetNames[stack_set_name]['Status']
-        # stackset_status_reason = StackSetNames[stack_set_name]['Reason']
-        detailed_status = record["DetailedStatus"]
-        status_reason = record["StatusReason"]
-        stack_region = record["ChildRegion"]
-        last_operation = record["LastOperationId"]
-        ou = record["OrganizationalUnitId"]
-        stack_set_permission_models.update({stack_set_name: record["PermissionModel"]})
-        if stack_set_name not in summary:
-            summary[stack_set_name] = {}
-        if stack_status not in summary[stack_set_name]:
-            summary[stack_set_name][stack_status] = []
-        summary[stack_set_name][stack_status].append(
-            {
-                "Account": record["ChildAccount"],
-                "Region": stack_region,
-                "DetailedStatus": detailed_status,
-                "StatusReason": status_reason,
-                "LastOperation": last_operation,
-                "OrganizationalUnitId": ou,
-            }
-        )
-        summary[stack_set_name]["Status"] = StackSetNames[stack_set_name]["Status"]
-
-    # Print the summary
-    sorted_summary = dict(sorted(summary.items()))
-    print()
-    for stack_set_name, status_counts in sorted_summary.items():
-        print(
-            f"{stack_set_name} ({stack_set_permission_models[stack_set_name]}) | Last Operation {sorted_summary[stack_set_name]['Status']}:"
-        )
-        for stack_status, instances in status_counts.items():
-            if stack_status is None:
-                print(f"\t{Fore.RED}--Empty stackset--{Fore.RESET}")
-            elif stack_status == "Status":
-                continue
-            else:
-                print(
-                    f"\t{Fore.RED if stack_status not in ['CURRENT'] else ''}{stack_status}: {len(instances)} instances {Fore.RESET}"
-                )
-            if verbose < 50:
-                stack_instances = {}
-                for stack_instance in instances:
-                    if stack_instance["Account"] not in stack_instances.keys():
-                        stack_instances[stack_instance["Account"]] = {
-                            "Region": [],
-                            "DetailedStatus": stack_instance["DetailedStatus"],
-                            "StatusReason": stack_instance["StatusReason"],
-                            "OperationId": stack_instance["LastOperation"],
-                        }
-                    stack_instances[stack_instance["Account"]]["Region"].append(stack_instance["Region"])
-                for k, v in stack_instances.items():
-                    if pCheckAccount and k in RemovedAccounts:
-                        print(
-                            f"{Style.BRIGHT}{Fore.MAGENTA}\t\t{k}: {v['Region']}\t <----- Look here for orphaned accounts!{Style.RESET_ALL}"
-                        )
-                    else:
-                        print(f"\t\t{k}: {v['Region']}")
-                    if verbose <= 30 and pOperationDate:
-                        last_stackset_operation = v["OperationId"]
-                        cfn_client = aws_acct.session.client("cloudformation")
-                        last_operation_date = cfn_client.describe_stack_set_operation(
-                            StackSetName=stack_set_name, OperationId=last_stackset_operation
-                        )["StackSetOperation"]["EndTimestamp"]
-                        logging.info(f"Account: {k} | Region: {v['Region']}\n")
-                        print(
-                            f"\t\t\t{Fore.RED if v['DetailedStatus'] != 'SUCCEEDED' else ''}Detailed Status: {v['DetailedStatus']}{Fore.RESET}\n"
-                            f"\t\t\tCompleted: {last_operation_date}\n"
-                            f"\t\t\tStatus Reason: {v['StatusReason']}"
-                        )
-                    elif verbose <= 30 and stack_status != "CURRENT":
-                        logging.info(f"\t\t\tAccount: {k}\n\t\t\tRegion: {v['Region']}\n")
-                        print(
-                            f"\t\t\t{Fore.RED}Detailed Status: {v['DetailedStatus']}{Fore.RESET}\n"
-                            f"\t\t\tStatus Reason: {v['StatusReason']}"
-                        )
-                        pass
-    if verbose < 50:
-        print()
-        print(f"Found {len(StackSetNames)} matching stackset{'' if len(StackSetNames) == 1 else 's'}")
-        print(
-            f"Found a total of {len(combined_stack_set_instances)} matching stack instance{'' if len(combined_stack_set_instances) == 1 else 's'}"
-        )
-        # print(f"Found {len(summary)} unique stackset names within the Stack Instances")
-        print()
-
-    # Print the summary of any accounts that were found in the StackSets, but not in the Org.
-    if pCheckAccount:
-        print("Displaying accounts within the stacksets that aren't a part of the Organization")
-        print()
-        # TODO: Adding together these two lists - which are likely full of the same accounts gives an incorrect number
-        logging.info(f"Found {len(InaccessibleAccounts) + len(RemovedAccounts)} accounts that don't belong")
-        print(
-            f"There were {len(RemovedAccounts)} accounts in the {len(StackSetNames)} Stacksets we looked through, that are not a part of the Organization"
-        )
-        for item in RemovedAccounts:
-            print(f"Account {item} is not in the Organization")
-        print()
-        print(f"There are {len(InaccessibleAccounts)} accounts that appear inaccessible, using typical role names")
-        for item in InaccessibleAccounts:
-            print(f"Account {item['AccountId']} is unreachable using these roles:\n\t\t{item['RolesTried']}")
-        print()
-
-
-def get_stack_set_deployment_target_info(
-    faws_acct: aws_acct_access, fRegion: str, fStackSetName: str, fAccountRemovalList: list = None
-):
-    """
-    Required Parameters:
-    faws_acct - the object containing the account credentials and such
-    fRegion - the region we're looking to make changes in
-    fStackSetName - the stackset we're removing stack instances from
-    fAccountRemvalList - The list of accounts they may have provided to limit the deletion to
-    """
-    return_result = {"Success": False, "ErrorMessage": None, "Results": None}
-    if fAccountRemovalList is None:
-        deployment_results = find_stack_instances3(faws_acct, fRegion, fStackSetName)
-        identified_ous = list(set([x["OrganizationalUnitId"] for x in deployment_results]))
-        DeploymentTargets = {
-            # 'Accounts'             : [
-            # 	'string',
-            # ],
-            # 'AccountsUrl'          : 'string',
-            "OrganizationalUnitIds": identified_ous
-            # 'AccountFilterType'    : 'NONE' | 'INTERSECTION' | 'DIFFERENCE' | 'UNION'
-        }
-    else:
-        DeploymentTargets = {
-            "Accounts": fAccountRemovalList,
-            # 'AccountsUrl'          : 'string',
-            # 'OrganizationalUnitIds': identified_ous
-            # 'AccountFilterType'    : 'NONE' | 'INTERSECTION' | 'DIFFERENCE' | 'UNION'
-        }
-    return_result.update({"Success": True, "ErrorMessage": None, "Results": DeploymentTargets})
-    return return_result
-
-
-def collect_cfnstacksets(faws_acct: aws_acct_access, fRegion: str) -> dict:
-    """
-    Description: This function collects the information about existing stacksets
-    @param faws_acct: Account Object of type "aws_acct_access"
-    @param fRegion: String for the region in which to collect the stacksets
-    @return:
-            - dict of lists, containing:
-             1) Aggregate list of all stack instances found
-             2) list of stackset names found
-             3) list of stacksets that are in-scope for this script
-             4) list of stackset instances that may be acted upon
-             5) dict of Accounts found within the applicable stacksets
-             6) dict of Regions found within the applicable stacksets
-    """
-    # TODO: Wrap in try... except to capture errors here, and when we do - stop using this as a dict!!.
-    # Get the StackSet names from the Management Account
-    StackSetNames = find_stacksets3(faws_acct, fRegion, pStackfrag, pExact, fGetHealth=True)
-    if not StackSetNames["Success"]:
-        error_message = (
-            "Something went wrong with the AWS connection. Please check the parameters supplied and try again."
-        )
-        sys.exit(error_message)
-    logging.info(f"Found {len(StackSetNames['StackSets'])} StackSetNames that matched your fragment")
-
-    # This finds ALL stack_set_instances in *all* stack_sets that matched the NAME...
-    combined_stack_set_instances = _find_stack_set_instances(StackSetNames["StackSets"], fRegion)
-
-    print(ERASE_LINE)
-    logging.info(f"Found {len(combined_stack_set_instances)} stack instances, filtered on specific accounts.")
-
-    # Assumes that all stacksets found are "Applicable"
-    ApplicableStackSetsList = sorted(list(set([stackset_name for stackset_name in StackSetNames["StackSets"].keys()])))
-    # The checks for None below are required in case the stackset has no instances.
-    FoundAccountList = sorted(
-        list(set([item["ChildAccount"] for item in combined_stack_set_instances if item["ChildAccount"] is not None]))
-    )
-    FoundRegionList = sorted(
-        list(set([item["ChildRegion"] for item in combined_stack_set_instances if item["ChildRegion"] is not None]))
-    )
-    # If no accounts specified, but regions were specified
-    if pAccountModifyList is None and pRegionModifyList is not None:
-        ApplicableStackSetInstancesList = list(
-            filter(lambda n: (n["ChildRegion"] in pRegionModifyList), combined_stack_set_instances)
-        )
-    # If accounts were specified, but regions were not specified
-    elif pAccountModifyList is not None and pRegionModifyList is None:
-        ApplicableStackSetInstancesList = list(
-            filter(lambda n: (n["ChildAccount"] in pAccountModifyList), combined_stack_set_instances)
-        )
-    # If accounts were specified and regions were specified
-    elif pAccountModifyList is not None and pRegionModifyList is not None:
-        ApplicableStackSetInstancesList = list(
-            filter(
-                lambda n: (n["ChildAccount"] in pAccountModifyList and n["ChildRegion"] in pRegionModifyList),
-                combined_stack_set_instances,
-            )
-        )
-    # If no accounts or regions were provided, then apply to everything...
-    else:
-        ApplicableStackSetInstancesList = combined_stack_set_instances
-
-    if pAddNew:
-        # This exists, in case there are EMPTY stacksets, which the user is adding to, which wouldn't have shown up within the combined_stack_set_instances above
-        ApplicableStackSetsList = [stackset_name for stackset_name in StackSetNames["StackSets"].keys()]
-
-    stackset_instance_count = {}
-    for _stackset_name in ApplicableStackSetsList:
-        stackset_instance_count[_stackset_name] = len(
-            [n["StackSetName"] for n in combined_stack_set_instances if n["StackSetName"] == _stackset_name]
-        )
-    for stackset_name, stackset_data in StackSetNames["StackSets"].items():
-        stackset_data["InstanceCount"] = stackset_instance_count[stackset_name]
-    """
-	Within StackSet_Dict, there are six lists:
-		1. combined_stack_set_instances: which is a list of all stackset instances from all stacksets that matched the name
-		2. StackSetNames: which is a list of the stackset names that matched
-		3. ApplicableStackSetsList: which is a list of all stacksets (and their attributes) which matched the name
-		4. ApplicableStackSetInstances: which is a list of only those stackset instances which matched the name, account, region to be modified
-		5. FoundAccountList is a list of accounts found in all the stackset instances that matched
-		6. FoundRegionList is a list of regions found in all the stackset instances that matched
-	"""
-    StackSet_Dict = {
-        "combined_stack_set_instances": combined_stack_set_instances,
-        "StackSetNames": StackSetNames,
-        "ApplicableStackSetsList": ApplicableStackSetsList,
-        "ApplicableStackSetInstancesList": ApplicableStackSetInstancesList,
-        "FoundAccountList": FoundAccountList,
-        "FoundRegionList": FoundRegionList,
-    }
-    return StackSet_Dict
-
-
-def check_accounts(faws_acct: aws_acct_access, AccountList: list):
-    Account_Dict = {}
-    InaccessibleAccounts = []
-    OrgAccountList = [i["AccountId"] for i in faws_acct.ChildAccounts]
-    logging.info(
-        f"There are {len(OrgAccountList)} accounts in the Org, and {len(AccountList)} unique accounts in all stacksets found"
-    )
-    RemovedAccounts = list(set(AccountList) - set(OrgAccountList))
-    # TODO: Wrap in Try...Except
-    for accountnum in AccountList:
-        logging.info(f"{ERASE_LINE}Trying to gain access to account number {accountnum}")
-        my_creds = get_child_access3(faws_acct, accountnum)
-        if my_creds["AccessError"]:
-            InaccessibleAccounts.append(
-                {"AccountId": accountnum, "Success": my_creds["Success"], "RolesTried": my_creds["RolesTried"]}
-            )
-    Account_Dict.update(
-        {"InaccessibleAccounts": InaccessibleAccounts, "RemovedAccounts": RemovedAccounts, "AccountList": AccountList}
-    )
-    return Account_Dict
-
-
-def check_on_stackset_operations(OpsList: list, f_cfn_client):
-    """
-    Description: Showing the health and status of the stacksets operated on within this script.
-    @param OpsList: Ths list of stacksets that were modified
-    @param f_cfn_client: The boto client used within the operation, just we don't need to open another
-    @return: Nothing. Just writes to the screen.
-    """
-    print(
-        f"If this status checking is annoying, you can Ctrl-C to quit out, since the stackset operations are working in the background."
-    )
-    StillRunning = True
-    stackset_results = {}
-    while StillRunning:
-        Success = True
-        StillRunning = False
-        for operation in OpsList:
-            print(f"Checking on operations... ")
-            StackSetStatus = f_cfn_client.describe_stack_set_operation(
-                StackSetName=operation["StackSetName"], OperationId=operation["OperationId"]
-            )
-            print(f"StackSet: {operation['StackSetName']} | Status: {StackSetStatus['StackSetOperation']['Status']}")
-            # Allows this to run until *all* stacksets are complete - whether successfully or not
-            StillRunning = StillRunning or StackSetStatus["StackSetOperation"]["Status"] == "RUNNING"
-            Success = Success and StackSetStatus["StackSetOperation"]["Status"] == "SUCCEEDED"
-            stackset_results.update({operation["StackSetName"]: StackSetStatus["StackSetOperation"]["Status"]})
-            stackset_results.update({operation["StackSetName"]: StackSetStatus["StackSetOperation"]["Status"]})
-        if StillRunning:
-            print(f"Waiting {sleep_interval} seconds before checking all stacksets again... ")
-            print()
-            sleep(sleep_interval)
-    return stackset_results
-
-
-def _modify_stacksets(StackSet_Dict: dict) -> dict:
-    applicable_stack_set_instances = StackSet_Dict["ApplicableStackSetInstancesList"]
-    StackSets: dict = StackSet_Dict["StackSetNames"]["StackSets"]
-    ApplicableStackSetsList = StackSet_Dict["ApplicableStackSetsList"]
-    AccountList = StackSet_Dict["FoundAccountList"]
-    FoundRegionList = StackSet_Dict["FoundRegionList"]
-    # RemovedAccounts = Account_Dict['RemovedAccounts']
-
-    # If we *are* deleting stack instances, and there's anything to delete...
-    if pdelete and len(applicable_stack_set_instances) > 0:
-        ReallyDelete = False
-        print()
-        print(
-            f"Removing {len(applicable_stack_set_instances)} stack instances from the {len(StackSets)} StackSets found"
-        )
-        StackInstanceItem = 0
-        results = dict()
-        # We need to use the StackSet Data dictionary, since only that dictionary tells us whether this is a SELF_MANAGED or SERVICE_MANAGED stackset
-        for StackSetName, StackSetData in StackSets.items():
-            StackSetResult = {"StackSetName": StackSetName, "Success": False, "ErrorMessage": "Haven't started yet..."}
-            StackInstanceItem += 1
-            print(
-                f"About to start deleting stackset instances in {StackSetName}. Beginning {StackInstanceItem} of {len(ApplicableStackSetsList)}"
-            )
-            # TODO: This needs to be wrapped in a try...except
-            # Determine what kind of stackset this is - Self-Managed, or Service-Managed.
-            # We need to check to see if the 'PermissionModel' key in in the dictionary, since it's only in the dictionary if the permission is 'service_managed',
-            # but I'm not willing to be it stats that way...
-            if "PermissionModel" in StackSetData.keys() and StackSetData["PermissionModel"] == "SERVICE_MANAGED":
-                """
-				If the StackSet is SERVICE-MANAGED, we need to find more information about the stackset than is returned in the "list-stack-set" call from above
-				"""
-                if pAccountModifyList is None:
-                    DeploymentTargets = get_stack_set_deployment_target_info(aws_acct, pRegion, StackSetName)
-                else:
-                    DeploymentTargets = get_stack_set_deployment_target_info(
-                        aws_acct, pRegion, StackSetName, pAccountModifyList
-                    )
-                if FoundRegionList is None:
-                    print(f"There appear to be no stack instances for this stack-set")
-                    continue
-                # TODO:
-                #  Have to rethink this part - since we have to be careful how we remove specific accounts or OUs in Service-Managed Stacks
-                if pAccountModifyList is None:  # Remove all instances from the stackset
-                    if pRegionModifyList is not None:
-                        print(
-                            f"About to update stackset {StackSetName} to remove all accounts within {str(FoundRegionList)}"
-                        )
-                        RemoveStackSet = False
-                    else:
-                        print(f"About to update stackset {StackSetName} to remove ALL accounts from all regions")
-                        RemoveStackSet = True
-                # RemoveStackInstanceResult = _delete_stack_instances(aws_acct, pRegion, AccountList, FoundRegionList, StackSetName, pForce)
-                else:
-                    print(
-                        f"About to remove account {pAccountModifyList} from stackset {StackSetName} in regions {str(FoundRegionList)}"
-                    )
-                    RemoveStackSet = False
-                RemoveStackInstanceResult = _delete_stack_instances(
-                    aws_acct,
-                    pRegion,
-                    StackSetName,
-                    pRetain,
-                    AccountList,
-                    FoundRegionList,
-                    StackSetData["PermissionModel"],
-                    DeploymentTargets["Results"],
-                )
-            # Section that handles the deletion for the "SELF_MANAGED" type of stackset
-            else:
-                # There were no regions found in the stackset, which means there are no instances, which means there's nothing to delete
-                if StackSetData["Status"] == "Never Run":
-                    print(f"There appear to be no stack instances for this stack-set")
-                    StackSetResult = {"Success": True}
-                    continue
-                # If the user didn't supply any accounts to be deleted (which means *all* accounts)
-                if pAccountModifyList is None:
-                    # If they supplied specific regions to be deleted
-                    if pRegionModifyList is not None:
-                        print(
-                            f"About to update stackset {StackSetName} to remove all instances with {str(pRegionModifyList)} "
-                            f"region{'' if len(pRegionModifyList) == 1 else 's'}"
-                        )
-                        RegionsToDelete = pRegionModifyList
-                        RemoveStackSet = False
-                    # If they *didn't* supply specific regions to be deleted - which means all regions.
-                    elif pRegionModifyList is None:
-                        print(f"About to update stackset {StackSetName} to remove ALL accounts from all regions")
-                        RegionsToDelete = FoundRegionList
-                        # Only delete the stackset, if they didn't specify "retain"
-                        RemoveStackSet = True and not pRetain
-                # If the user *did* supply a list of accounts to be deleted
-                elif pAccountModifyList is not None:
-                    # If the user specified the regions to be deleted
-                    if pRegionModifyList is not None:
-                        print(
-                            f"About to update stackset {StackSetName} to remove all instances with {str(pRegionModifyList)} "
-                            f"region{'' if len(pRegionModifyList) == 1 else 's'}"
-                        )
-                        RegionsToDelete = pRegionModifyList
-                        RemoveStackSet = False
-                    # If the user *didn't* specify a list of regions (which means *all* regions)
-                    else:
-                        print(f"About to remove ALL instances from stackset {StackSetName}")
-                        RegionsToDelete = FoundRegionList
-                        # Only delete the stackset, if they didn't specify "retain"
-                        RemoveStackSet = True and not pRetain
-                    logging.info(
-                        f"About to remove account {pAccountModifyList} from stackset {StackSetName} in regions {str(RegionsToDelete)}"
-                    )
-                ReallyDelete = False
-                # If they didn't specify any accounts
-                if pAccountModifyList is None:
-                    # AND they didn't specify any regions
-                    if pRegionModifyList is None:
-                        # Assume they meant ALL instances
-                        instances_to_modify = list(
-                            filter(lambda n: n["StackSetName"] == StackSetName, applicable_stack_set_instances)
-                        )
-                    elif len(pRegionModifyList) > 0:  # They *did* specify some regions
-                        # Assume they meant, all instances with those regions
-                        instances_to_modify = list(
-                            filter(
-                                lambda n: (n["ChildRegion"] in pRegionModifyList and n["StackSetName"] == StackSetName),
-                                applicable_stack_set_instances,
-                            )
-                        )
-                # They *did* specify some accounts,
-                elif pRegionModifyList is None:  # But they didn't specify a region
-                    instances_to_modify = list(
-                        filter(
-                            lambda n: (n["ChildAccount"] in pAccountModifyList and n["StackSetName"] == StackSetName),
-                            applicable_stack_set_instances,
-                        )
-                    )
-                elif len(pRegionModifyList) > 0:  # And they specified regions
-                    instances_to_modify = list(
-                        filter(
-                            lambda n: (
-                                n["ChildAccount"] in pAccountModifyList
-                                and n["ChildRegion"] in pRegionModifyList
-                                and n["StackSetName"] == StackSetName
-                            ),
-                            applicable_stack_set_instances,
-                        )
-                    )
-                else:  # Empty list
-                    instances_to_modify = []
-
-                if not pConfirm:
-                    ReallyDelete = input(
-                        f"{Fore.RED}Removing {len(instances_to_modify)} instances within {StackSetName}...{Fore.RESET}\n"
-                        f"Are you still sure? (y/n): "
-                    ) in ["y", "Y"]
-                if pConfirm or ReallyDelete:
-                    RemoveStackInstanceResult = _delete_stack_instances(
-                        aws_acct, pRegion, StackSetName, pRetain, AccountList, RegionsToDelete
-                    )
-                else:
-                    RemoveStackInstanceResult = {
-                        "Success": False,
-                        "ErrorMessage": "Customer decided not to delete stack instances",
-                    }
-
-            if RemoveStackInstanceResult["Success"]:
-                Instances = [item for item in applicable_stack_set_instances if item["StackSetName"] == StackSetName]
-                print(
-                    f"{ERASE_LINE}Successfully initiated removal of {len(Instances)} instance{'' if len(Instances) == 1 else 's'} from StackSet {StackSetName}"
-                )
-            elif RemoveStackInstanceResult["ErrorMessage"] == "Failed-ForceIt" and pRetain:
-                print("We tried to force the deletion, but some other problem happened.")
-            elif RemoveStackInstanceResult["ErrorMessage"] == "Failed-ForceIt" and not pRetain:
-                Decision = input(
-                    "Deletion of Stack Instances failed, but might work if we force it. Shall we force it? (y/n): "
-                ) in ["y", "Y"]
-                if Decision:
-                    RemoveStackInstanceResult = _delete_stack_instances(
-                        aws_acct, pRegion, StackSetName, True, AccountList, RegionsToDelete
-                    )  # Try it again, forcing it this time
-                    if RemoveStackInstanceResult["Success"]:
-                        print(f"{ERASE_LINE}Successfully retried StackSet {StackSetName}")
-                    elif pRetain is True and RemoveStackInstanceResult["ErrorMessage"] == "Failed-ForceIt":
-                        print(f"{ERASE_LINE}Some other problem happened on the retry.")
-                    elif RemoveStackInstanceResult["ErrorMessage"] == "Failed-Other":
-                        print(f"{ERASE_LINE}Something else failed on the retry... Please report the error received.")
-            elif str(RemoveStackInstanceResult["ErrorMessage"]).find("OperationInProgressException") > 0:
-                print(
-                    f"{Fore.RED}Another operation is running on this StackSet... Please wait for that operation to end and re-run this script{Fore.RESET}"
-                )
-                sys.exit(RemoveStackInstanceResult["ErrorMessage"])
-            elif not ReallyDelete and not pConfirm:
-                sys.exit(RemoveStackInstanceResult["ErrorMessage"])
-            else:
-                print(f"{Fore.RED}Something else failed... Please report the error below{Fore.RESET}")
-                logging.critical(f"{RemoveStackInstanceResult['ErrorMessage']}")
-                sys.exit(RemoveStackInstanceResult["ErrorMessage"])
-            if RemoveStackSet:
-                logging.info(f"Instances have received the deletion command, continuing to remove the stackset too")
-                # If there were no Instances to be deleted
-                if Instances[0]["ChildAccount"] is None:
-                    # skip the check to see if stack instances are gone
-                    RemoveStackInstanceResult["OperationId"] = None
-                    StackInstancesAreGone = dict()
-                    StackInstancesAreGone["Success"] = True
-                    StackInstancesAreGone["OperationId"] = None
-                    StackInstancesAreGone["StackSetStatus"] = "Not yet assigned"
-                # else if there WERE child stacks that were deleted
-                else:
-                    StackInstancesAreGone = check_stack_set_status3(
-                        aws_acct, StackSetName, RemoveStackInstanceResult["OperationId"]
-                    )
-                    logging.debug(
-                        f"The operation id {RemoveStackInstanceResult['OperationId']} is {StackInstancesAreGone['StackSetStatus']}"
-                    )
-                if not StackInstancesAreGone["Success"]:
-                    logging.critical(
-                        f"There was a problem with removing the stack instances from stackset {StackSetName}."
-                        f"Moving to the next stackset in the list"
-                    )
-                    break
-                intervals_waited = 1
-                while StackInstancesAreGone["StackSetStatus"] in ["RUNNING"]:
-                    print(
-                        f"Waiting for operation {RemoveStackInstanceResult['OperationId']} to finish",
-                        f"{sleep_interval * intervals_waited} seconds waited so far",
-                        end="\r",
-                    )
-                    sleep(sleep_interval)
-                    intervals_waited += 1
-                    StackInstancesAreGone = check_stack_set_status3(
-                        aws_acct, StackSetName, RemoveStackInstanceResult["OperationId"]
-                    )
-                    if not StackInstancesAreGone["Success"]:
-                        logging.critical(
-                            f"There was a problem with removing the stack instances from stackset {StackSetName}."
-                        )
-                StackSetResult = delete_stackset3(aws_acct, pRegion, StackSetName)
-                if StackSetResult["Success"]:
-                    print(
-                        f"{ERASE_LINE}Removal of stackset {StackSetName} took {sleep_interval * intervals_waited} seconds"
-                    )
-                else:
-                    print(
-                        f"{ERASE_LINE}{Fore.RED}Removal of stackset {StackSetName} {Style.BRIGHT}failed{Style.NORMAL} due to:\n\t{StackSetResult['ErrorMessage']}.{Fore.RESET}"
-                    )
-            results.update({StackSetName: StackSetResult})
-        results["ChangesMade"] = True
-        return results
-    # If we're supposed to be adding more instances to the existing stacksets
-    elif pAddNew:
-        print()
-        print(f"Adding instances into the specified stacksets")
-        # Sometimes the user will provide the accounts they want to add, with no additional regions...
-        if pAccountModifyList is not None and pRegionModifyList is None:
-            operation_result = _add_instances_to_stacksets(StackSet_Dict, pAccountModifyList)
-        # Sometimes they want to add a region, but not change the existing accounts...
-        elif pAccountModifyList is None and pRegionModifyList is not None:
-            operation_result = _add_instances_to_stacksets(StackSet_Dict, AccountList, pRegionModifyList)
-        # They want to change both the accounts AND the regions
-        elif pAccountModifyList is not None and pRegionModifyList is not None:
-            operation_result = _add_instances_to_stacksets(StackSet_Dict, pAccountModifyList, pRegionModifyList)
-        # They provided the "+add" parameter, but didn't specify any accounts or regions to add
-        else:
-            logging.error(
-                f"You specified to '+add', but didn't specify any new accounts or regions to add... exiting... "
-            )
-            sys.exit(95)
-        operation_result["ChangesMade"] = True
-        return operation_result
-    # If we are just refreshing the specific stacksets (within the "ApplicableStackSetsList")
-    elif pRefresh and len(applicable_stack_set_instances) > 0:
-        operation_result = _refresh_stacksets(StackSet_Dict)
-        operation_result["ChangesMade"] = True
-        return operation_result
-    # No matching stacksets, or no matching stackset instances
-    else:
-        print(
-            f"{Fore.RED}You asked us to make a change, but there are no matching stacksets or stackset instances to modify...{Fore.RESET}"
-        )
-        operation_result = dict()
-        operation_result["ChangesMade"] = False
-        for stackset_name, stackset_data in StackSets.items():
-            operation_result[stackset_name] = stackset_data["Status"]
-        return operation_result
-
-
-def _delete_stack_instances(
-    faws_acct: aws_acct_access,
-    fRegion: str,
-    fStackSetName: str,
-    fRetain: bool,
-    fAccountList: list = None,
-    fRegionList: list = None,
-    fPermissionModel="SELF_MANAGED",
-    fDeploymentTargets=None,
-) -> dict:
-    """
-    Required Parameters:
-    faws_acct - the object containing the account credentials and such
-    fRegion - the region we're looking to make changes in
-    fAccountList - this is the listing of accounts that were FOUND to be within stack instances
-    fRegionList - The list of regions within the stackset to remove as well
-    fStackSetName - the stackset we're removing stack instances from
-    fRetain - By passing a "True" here, the API will pass on "RetainStacks" to the child stack - which will allow the stackset to be deleted more easily,
-            but also leaves a remnant in the child account to clean up later..
-    fPermissionModel - Whether the StackSet is using SELF_MANAGED or SERVICE_MANAGED permission model (associating the stack with individual accounts, or with an OU itself)
-    fDeploymentTargets - When fPermissionModel is 'SELF_MANAGED', this should be None.
-                                            When fPermissionModel is 'SERVICE_MANAGED', this is a dictionary specifying which OUs, or accounts should be impacted"
-    """
-    logging.info(f"Removing instances from {fStackSetName} StackSet")
-    StackSetOpId = f"DeleteInstances-{random_string(5)}"
-    if ((fAccountList is None or fAccountList == []) and fPermissionModel.upper() == "SELF_MANAGED") or (
-        fRegionList is None or fRegionList == []
-    ):
-        logging.error(f"AccountList and RegionList cannot be null")
-        logging.warning(f"AccountList: {fAccountList}")
-        logging.warning(f"RegionList: {fRegionList}")
-        # Note: The "Success" is True below to show that the calling function can move forward, even though the Account / Regions are null
-        return_response = {"Success": True, "ErrorMessage": "Failed - Account List or Region List was null"}
-        return return_response
-    elif fPermissionModel == "SERVICE_MANAGED" and fDeploymentTargets is None:
-        logging.error(
-            f"You can't provide a stackset that is self-managed, and not supply the deployment targets it's supposed to delete"
-        )
-        # Note: The "Success" is True below to show that the calling function can move forward, even though the Account / Regions are null
-        return_response = {
-            "Success": False,
-            "ErrorMessage": "Failed - StackSet is 'Service_Managed' but no deployment target was provided",
-        }
-        return return_response
-    try:
-        delete_stack_instance_response = delete_stack_instances3(
-            faws_acct,
-            fRegion,
-            fRegionList,
-            fStackSetName,
-            fRetain,
-            StackSetOpId,
-            fAccountList,
-            fPermissionModel,
-            fDeploymentTargets,
-        )
-        if delete_stack_instance_response["Success"]:
-            return_response = {"Success": True, "OperationId": delete_stack_instance_response["OperationId"]}
-        else:
-            return_response = {"Success": False, "ErrorMessage": delete_stack_instance_response["ErrorMessage"]}
-        return return_response
-    except Exception as my_Error:
-        logging.error(f"Error: {my_Error}")
-        if my_Error.response["Error"]["Code"] == "StackSetNotFoundException":
-            logging.info("Caught exception 'StackSetNotFoundException', ignoring the exception...")
-            return_response = {"Success": False, "ErrorMessage": "Failed - StackSet not found"}
-            return return_response
-        else:
-            print("Failure to run: ", my_Error)
-            return_response = {"Success": False, "ErrorMessage": "Failed-Other"}
-            return return_response
-
-
-def _refresh_stacksets(StackSet_Dict: dict) -> dict:
-    ApplicableStackSetsList = StackSet_Dict["ApplicableStackSetsList"]
-    RefreshOpsList = []
-    cfn_client = aws_acct.session.client("cloudformation")
-    print(f"Found {len(ApplicableStackSetsList)} stacksets that matched {pStackfrag}")
-    print()
-    for stackset in ApplicableStackSetsList:
-        print(f"Beginning to refresh stackset {Fore.RED}{stackset}{Fore.RESET} as you requested...")
-        # Get current attributes for the stacksets we've found...
-        stacksetAttributes = cfn_client.describe_stack_set(StackSetName=stackset)
-        # Then re-run those same stacksets, supplying the same information back to them -
-        ReallyRefresh = (
-            (
-                input(
-                    f"Refresh of {Fore.RED}{stackset}{Fore.RESET} has been requested.\n"
-                    f"Drift Status of the stackset is: {stacksetAttributes['StackSet']['StackSetDriftDetectionDetails']['DriftStatus']}\n"
-                    f"Are you still sure? (y/n): "
-                )
-                in ["y", "Y"]
-            )
-            if not pRetain
-            else False
-        )
-        if ReallyRefresh or pRetain:
-            # WE have to separate the use-cases here, since the "Service Managed" update operation won't accept a "AdministrationRoleArn",
-            # but the "Self Managed" *requires* it.
-            if (
-                "PermissionModel" in stacksetAttributes["StackSet"].keys()
-                and stacksetAttributes["StackSet"]["PermissionModel"] == "SERVICE_MANAGED"
-            ):
-                refresh_stack_set = cfn_client.update_stack_set(
-                    StackSetName=stacksetAttributes["StackSet"]["StackSetName"],
-                    UsePreviousTemplate=True,
-                    Capabilities=stacksetAttributes["StackSet"]["Capabilities"],
-                    OperationPreferences={
-                        "RegionConcurrencyType": "PARALLEL",
-                        "FailureToleranceCount": 0,
-                        "MaxConcurrentPercentage": 100,
-                    },
-                )
-            else:
-                refresh_stack_set = cfn_client.update_stack_set(
-                    StackSetName=stacksetAttributes["StackSet"]["StackSetName"],
-                    UsePreviousTemplate=True,
-                    Capabilities=stacksetAttributes["StackSet"]["Capabilities"],
-                    OperationPreferences={
-                        "RegionConcurrencyType": "PARALLEL",
-                        "FailureToleranceCount": 0,
-                        "MaxConcurrentPercentage": 100,
-                    },
-                    AdministrationRoleARN=stacksetAttributes["StackSet"]["AdministrationRoleARN"],
-                )
-            RefreshOpsList.append({"StackSetName": stackset, "OperationId": refresh_stack_set["OperationId"]})
-    OperationResult = check_on_stackset_operations(RefreshOpsList, cfn_client)
-    return OperationResult
-
-
-def _add_instances_to_stacksets(StackSet_Dict: dict, accounts_to_add: list, regions_to_add: list = None) -> dict:
-    ApplicableStackSetsList = StackSet_Dict["ApplicableStackSetsList"]
-    AddStacksList = []
-    cfn_client = aws_acct.session.client("cloudformation")
-    print(f"Found {len(ApplicableStackSetsList)} stacksets that matched {pStackfrag}")
-    print()
-    instances_to_add = (len(accounts_to_add) if accounts_to_add is not None else 1) * (
-        len(regions_to_add) if regions_to_add is not None else 1
-    )
-    for stackset in ApplicableStackSetsList:
-        ReallyAdd = False
-        if not pConfirm:
-            ReallyAdd = input(
-                f"{Fore.RED}Adding {instances_to_add} instances to {stackset}...{Fore.RESET}\n"
-                f"Are you still sure? (y/n): "
-            ) in ["y", "Y"]
-        if pConfirm or ReallyAdd:
-            OperationId = "Add-Instances--" + random_string(6)
-            # This is not wrapped in a try/except, because the "create_stack_instances" operation doesn't actually return anything useful.
-            stackset_add = cfn_client.create_stack_instances(
-                StackSetName=stackset,
-                Accounts=accounts_to_add,
-                Regions=RegionList,
-                OperationPreferences={
-                    "RegionConcurrencyType": "PARALLEL",
-                    "MaxConcurrentPercentage": 100,
-                    "FailureToleranceCount": 0,
-                },
-                OperationId=OperationId,
-                CallAs="SELF",
-            )
-            AddStacksList.append({"StackSetName": stackset, "OperationId": OperationId})
-        else:
-            print(f"{Fore.RED}Skipping {stackset}...{Fore.RESET}")
-    OperationResult = check_on_stackset_operations(AddStacksList, cfn_client)
-    return OperationResult
-
-
-##########################
-
-if __name__ == "__main__":
-    args = parse_args(sys.argv[1:])
-    pProfile = args.Profile
-    pRegion = args.Region
-    pStackfrag = args.Fragments
-    pExact = args.Exact
-    pTiming = args.Time
-    pAccountModifyList = args.Accounts
-    verbose = args.loglevel
-    pCheckAccount = args.AccountCheck
-    pRole = args.AccessRole
-    pdelete = args.DryRun
-    pAddNew = args.AddNew
-    pRetain = args.Retain
-    pOperationDate = args.OperationDate
-    pRegionModifyList = args.pRegionModifyList
-    pRefresh = args.Refresh
-    pConfirm = args.Confirm
-    ChangesRequested = pdelete or pAddNew or pRefresh
-    # pSaveFilename = args.Filename
-    logging.basicConfig(level=verbose, format="[%(filename)s:%(lineno)s - %(funcName)20s() ] %(message)s")
-    logging.getLogger("boto3").setLevel(logging.CRITICAL)
-    logging.getLogger("botocore").setLevel(logging.CRITICAL)
-    logging.getLogger("s3transfer").setLevel(logging.CRITICAL)
-    logging.getLogger("urllib3").setLevel(logging.CRITICAL)
-
-    # Setup the aws_acct object
-    aws_acct, RegionList = setup_auth_and_regions(pProfile)
-    # Collect the stacksets, AccountList and RegionList involved
-    # StackSets, Accounts, Regions = collect_cfnstacksets(aws_acct, pRegion)
-    StackSet_Info = collect_cfnstacksets(aws_acct, pRegion)
-    # Once we have all the stacksets found, determine what to do with them...
-    if ChangesRequested:
-        operation_result = _modify_stacksets(StackSet_Info)
-        ChangesMade = operation_result["ChangesMade"]
-    else:
-        ChangesMade = False
-    # Handle the checking of accounts to see if there any that don't belong in the Org.
-    Account_Dict = {}
-    if pCheckAccount:
-        Account_Dict = check_accounts(aws_acct, StackSet_Info["FoundAccountList"])
-    # If we changed anything, get a refreshed view before we display health of stacksets
-    if ChangesRequested and ChangesMade:
-        print()
-        print(
-            f"{Fore.RED}Since changes were requested, we're getting the updated view of the environment (post-changes){Fore.RESET}"
-        )
-        print()
-        StackSet_Info = collect_cfnstacksets(aws_acct, pRegion)
-    # Display results
-    # If the stacksets were found, but the account number they provided isn't in any of the stacksets found
-    if (
-        len(StackSet_Info["ApplicableStackSetInstancesList"]) == 0
-        and len(StackSet_Info["StackSetNames"]["StackSets"]) > 0
-    ):
-        # print()
-        print(
-            f"While we found {len(StackSet_Info['ApplicableStackSetsList'])} stackset{'' if len(StackSet_Info['StackSetNames']['StackSets']) == 1 else 's'} that matched your request, "
-            f"we found no instances matching your criteria - {pRegionModifyList} - in them"
-        )
-        ChangesMade = False
-    # If the stacksets were not found...
-    elif len(StackSet_Info["ApplicableStackSetsList"]) == 0:
-        print()
-        print(f"We found no stacksets that matched your request... ")
-        ChangesMade = False
-    # If there is is nothing to display, the function below will print nothing, so it's safe to run it anyway...
-    display_stack_set_health(StackSet_Info, Account_Dict)
-
-    if ChangesRequested:
-        if pAddNew:
-            operation = "add"
-        elif pdelete:
-            operation = "delete"
-        elif pRefresh:
-            operation = "refresh"
-        if ChangesMade:
-            print(
-                f"Results of {operation} operation on {len(operation_result) - 1} stackset{'' if len(operation_result) == 1 else 's'} found with {pStackfrag} fragment:"
-            )
-            for k, v in operation_result.items():
-                if k == "ChangesMade":
-                    continue
-                else:
-                    print(f"\t{Fore.RED if v == 'FAILED' else ''}{k}: {v} {Fore.RESET}")
-        else:
-            print(
-                f"While a {Fore.RED}{operation}{Fore.RESET} was requested, no stacksets were found matching your naming criteria {Fore.RED}{pStackfrag}{Fore.RESET}, "
-                f"the accounts you wanted {Fore.RED}{'[all]' if pAccountModifyList is None else pAccountModifyList}{Fore.RESET} and the regions you specified "
-                f"{Fore.RED}{'[all]' if pRegionModifyList is None else pRegionModifyList}{Fore.RESET}, so no changes were made."
-            )
-        print()
-
-    if pTiming:
-        print(ERASE_LINE)
-        print(f"{Fore.GREEN}This script took {time() - begin_time:.2f} seconds{Fore.RESET}")
-
-print()
-print("Thanks for using this script...")
-print()