Automate CloudFormation StackSets with CloudFormation


CloudFormation StackSets roll out CloudFormation stacks to all or some of the AWS accounts in your organization, and to multiple regions at once. That makes stack sets a good way to deploy baseline configurations across accounts and regions; for example, we use them to roll out baseline monitoring to every account in our AWS organization. But how do you maintain the stack sets themselves? AWS recently announced a CloudFormation resource, AWS::CloudFormation::StackSet, that manages stack sets, so the stack set can itself be defined as code and deployed as a stack.

The following CloudFormation template defines a stack set that deploys one of our open-source CloudFormation templates, which configures the IAM account password policy, to all AWS accounts of an organization.

Remember to enable trusted access between CloudFormation StackSets and AWS Organizations before you proceed; the SERVICE_MANAGED permission model used below is not available without it.

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  AccountPasswordPolicy:
    Type: 'AWS::CloudFormation::StackSet'
    Properties:
      AutoDeployment:
        Enabled: true # also deploy to accounts that join the targeted root/OU later
        RetainStacksOnAccountRemoval: false # delete the stack when an account leaves
      # CallAs: DELEGATED_ADMIN # TODO uncomment this line if you use a delegated administrator account to manage stack sets in your organization
      Capabilities:
        - 'CAPABILITY_IAM'
      PermissionModel: SERVICE_MANAGED # requires trusted access with AWS Organizations
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - 'r-xxxx' # TODO replace with your root id r-xxxx or an organizational unit id ou-xxxx-xxxxxxxx
          Regions:
            - 'us-east-1'
      StackSetName: 'account-password-policy'
      TemplateURL: !Sub 'https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v13.23.0/security/account-password-policy.yaml'

Deploy a stack based on the above template in your organization's management account (or in the delegated administrator account, with CallAs set), and that's it.

Things that I like about the approach:

  • Whenever you add a new account to the targeted root or organizational unit, the stack set deploys the CloudFormation stack to it automatically.
  • The CloudFormation template lets me update all stack sets and their stacks by bumping the version in the TemplateURL.
  • Existing stack sets can be imported into CloudFormation, so manually managed stack sets can be migrated to this approach.
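Before deploying such a stack set, it is worth checking the few settings that decide which accounts receive the baseline and which template they receive. The following check is an added example, not code from the original post or from widdix: it transcribes the post's template into a Python dict (constructed inline so it runs offline without PyYAML) and flags a placeholder target id, a disabled AutoDeployment, an unpinned or non-https TemplateURL, and, optionally, a template bucket you do not control. The placeholder heuristic ("xxxx", taken from the TODO comment) and the trusted_buckets parameter are this example's own assumptions.

```python
"""Pre-deployment lint for an AWS::CloudFormation::StackSet resource.

Added example, not code from the original post or from widdix. TEMPLATE is a
transcription of the post's template (constructed here so the check runs
offline); the placeholder heuristic and trusted_buckets are assumptions.
"""
import copy
import re
from urllib.parse import urlparse

# Transcription of the post's template. `!Sub` on TemplateURL has no ${...}
# substitutions there, so the plain string is equivalent.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AccountPasswordPolicy": {
            "Type": "AWS::CloudFormation::StackSet",
            "Properties": {
                "AutoDeployment": {"Enabled": True, "RetainStacksOnAccountRemoval": False},
                "Capabilities": ["CAPABILITY_IAM"],
                "PermissionModel": "SERVICE_MANAGED",
                "StackInstancesGroup": [
                    {"DeploymentTargets": {"OrganizationalUnitIds": ["r-xxxx"]},
                     "Regions": ["us-east-1"]}
                ],
                "StackSetName": "account-password-policy",
                "TemplateURL": "https://s3-eu-west-1.amazonaws.com/"
                               "widdix-aws-cf-templates-releases-eu-west-1/"
                               "v13.23.0/security/account-password-policy.yaml",
            },
        }
    },
}

# AWS Organizations id formats: roots are r-<4..32 chars>, OUs are ou-<4..32>-<8..32>.
_TARGET_ID = re.compile(r"^(r-[0-9a-z]{4,32}|ou-[0-9a-z]{4,32}-[0-9a-z]{8,32})$")
# Release-pinned path segment such as /v13.23.0/ in the TemplateURL.
_PINNED_VERSION = re.compile(r"/v\d+\.\d+\.\d+/")


def template_bucket(url):
    """S3 bucket a TemplateURL points at (path-style or virtual-hosted URL; heuristic)."""
    parts = urlparse(url)
    if parts.netloc.startswith("s3"):          # https://s3-<region>.amazonaws.com/<bucket>/<key>
        return parts.path.lstrip("/").split("/")[0]
    return parts.netloc.split(".")[0]          # https://<bucket>.s3.<region>.amazonaws.com/<key>


def lint_stackset(template, trusted_buckets=None):
    """Return findings for every StackSet resource in the template; [] means nothing to fix.

    trusted_buckets: optional set of bucket names you control. Whoever controls the
    bucket behind TemplateURL controls what every targeted account deploys.
    """
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::CloudFormation::StackSet":
            continue
        props = res.get("Properties", {})
        auto = props.get("AutoDeployment", {})
        if props.get("PermissionModel") != "SERVICE_MANAGED":
            findings.append(f"{name}: PermissionModel must be SERVICE_MANAGED for org-wide auto-deployment")
        if not auto.get("Enabled"):
            findings.append(f"{name}: AutoDeployment.Enabled is false, new accounts will not get the stack")
        url = props.get("TemplateURL", "")
        if not url.startswith("https://"):
            findings.append(f"{name}: TemplateURL is not https")
        if not _PINNED_VERSION.search(url):
            findings.append(f"{name}: TemplateURL is not pinned to a vX.Y.Z release path")
        if trusted_buckets is not None and template_bucket(url) not in trusted_buckets:
            findings.append(f"{name}: TemplateURL bucket {template_bucket(url)!r} is not one you control")
        for i, group in enumerate(props.get("StackInstancesGroup", [])):
            ids = group.get("DeploymentTargets", {}).get("OrganizationalUnitIds", [])
            if not ids:
                findings.append(f"{name}: instance group {i} has no OrganizationalUnitIds")
            for tid in ids:
                # "xxxx" is the placeholder from the post's TODO comment (heuristic).
                if "xxxx" in tid or not _TARGET_ID.match(tid):
                    findings.append(f"{name}: deployment target {tid!r} is a placeholder or malformed")
            if not group.get("Regions"):
                findings.append(f"{name}: instance group {i} has no Regions")
    return findings


def variant(template, target_id=None, auto_deploy=None):
    """Deep copy of the post's template with the target id and/or AutoDeployment changed."""
    t = copy.deepcopy(template)
    props = t["Resources"]["AccountPasswordPolicy"]["Properties"]
    if target_id is not None:
        props["StackInstancesGroup"][0]["DeploymentTargets"]["OrganizationalUnitIds"] = [target_id]
    if auto_deploy is not None:
        props["AutoDeployment"]["Enabled"] = auto_deploy
    return t


if __name__ == "__main__":
    for finding in lint_stackset(TEMPLATE):
        print("FINDING:", finding)
    print("after replacing the placeholder:", lint_stackset(variant(TEMPLATE, target_id="r-abcd")))
```

Run as-is it reports only the `r-xxxx` placeholder; with `trusted_buckets={"my-bucket"}` it also flags the widdix release bucket, which is the check to keep if you mirror third-party templates into a bucket you own before pointing an organization-wide stack set at them.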
