Create CloudFormation StackSets with self-managed permissions
With self-managed permissions, you can deploy stack instances to specific AWS accounts in specific Regions. To do this, you must first create the necessary IAM roles to establish a trusted relationship between the account you're administering the stack set from and the account you're deploying stack instances to. For more information, see Grant self-managed permissions.
Note
Before you complete one of the following procedures, verify that the IAM roles AWSCloudFormationStackSetExecutionRole and AWSCloudFormationStackSetAdministrationRole exist in your administrator account. To launch stacks in accounts other than your administrator account, verify that the IAM role AWSCloudFormationStackSetExecutionRole exists in the target accounts.
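The Note above asks you to verify that the two roles exist; a practitioner also wants to verify whom they trust, because the execution role in each target account is exactly the cross-account path a stack set uses. The following is an added example, not code from this page or from AWS. It works on each role's trust policy (the AssumeRolePolicyDocument that `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` prints as decoded JSON): run it against AWSCloudFormationStackSetAdministrationRole in the administrator account and AWSCloudFormationStackSetExecutionRole in every target account. The account IDs, the `_trust` helper and the three sample documents are constructed for illustration.

```python
import re

ADMIN_ROLE = "AWSCloudFormationStackSetAdministrationRole"
CFN_SERVICE = "cloudformation.amazonaws.com"
_IAM_ARN = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):(.+)$")


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def assume_role_principals(trust_policy):
    """(kind, value) for each principal an Allow statement lets assume the role.

    kind is the Principal key ('AWS', 'Service', 'Federated') or '*' for an
    anonymous "Principal": "*". Deny statements and statements that do not
    grant sts:AssumeRole are ignored.
    """
    pairs = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*")
                   for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            pairs.append(("*", "*"))
            continue
        for kind, values in principal.items():
            pairs.extend((kind, v) for v in _as_list(values))
    return pairs


def check_execution_role_trust(trust_policy, admin_account_id):
    """Findings for AWSCloudFormationStackSetExecutionRole in a target account.

    Empty list: only the administration role of the administrator account can
    assume it. ERROR: deployment cannot work, or a third party could use the
    role. WARN: works, but trusts more of the administrator account than needed.
    """
    findings = []
    principals = assume_role_principals(trust_policy)
    if not principals:
        findings.append("ERROR: nothing may assume the role; stack instance "
                        "operations in this account will fail")
    for kind, value in principals:
        if kind != "AWS" or value == "*":
            findings.append(f"ERROR: {kind} principal {value!r} is not an AWS "
                            "account principal; anything matching it gets this "
                            "role's permissions")
            continue
        match = _IAM_ARN.match(value)
        if match:
            account, resource = match.group(1), match.group(2)
        elif re.fullmatch(r"\d{12}", value):
            account, resource = value, "root"  # a bare account ID means :root
        else:
            findings.append(f"ERROR: unparseable principal {value!r}")
            continue
        if account != admin_account_id:
            findings.append(f"ERROR: {value!r} is in account {account}, not the "
                            f"administrator account {admin_account_id}; stack "
                            "sets run from that account would deploy here")
        elif resource != f"role/{ADMIN_ROLE}":
            findings.append(f"WARN: {value!r} lets any principal in "
                            f"{admin_account_id} that may call sts:AssumeRole "
                            f"use this role; scope it to role/{ADMIN_ROLE}")
    return findings


def check_administration_role_trust(trust_policy):
    """The administration role should be assumable by CloudFormation only."""
    principals = assume_role_principals(trust_policy)
    findings = []
    if ("Service", CFN_SERVICE) not in principals:
        findings.append(f"ERROR: {CFN_SERVICE} is not trusted; StackSets cannot "
                        "assume the administration role")
    for kind, value in principals:
        if (kind, value) != ("Service", CFN_SERVICE):
            findings.append(f"WARN: extra principal {kind}={value!r} can assume "
                            "the administration role and, through it, the "
                            "execution role in every target account")
    return findings


# Constructed sample documents; the account IDs are placeholders, not real accounts.
ADMIN_ACCOUNT = "111111111111"

def _trust(principal):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}

ADMIN_TRUST = _trust({"Service": CFN_SERVICE})
EXEC_TRUST_ROLE_SCOPED = _trust({"AWS": f"arn:aws:iam::{ADMIN_ACCOUNT}:role/{ADMIN_ROLE}"})
EXEC_TRUST_ROOT = _trust({"AWS": f"arn:aws:iam::{ADMIN_ACCOUNT}:root"})
EXEC_TRUST_WRONG_ACCOUNT = _trust({"AWS": "arn:aws:iam::999999999999:root"})

if __name__ == "__main__":
    print("administration role:", check_administration_role_trust(ADMIN_TRUST) or "ok")
    for label, doc in [("role-scoped", EXEC_TRUST_ROLE_SCOPED), ("root", EXEC_TRUST_ROOT),
                       ("wrong account", EXEC_TRUST_WRONG_ACCOUNT)]:
        print(f"execution role ({label}):", check_execution_role_trust(doc, ADMIN_ACCOUNT) or "ok")
```

The root-scoped document produces a WARN rather than an ERROR on purpose: trusting the administrator account's root is how the AWS-provided sample role template is written and it works, but it means every IAM principal in the administrator account that is allowed to call sts:AssumeRole can use the execution role in every target account. Narrowing the trust to role/AWSCloudFormationStackSetAdministrationRole keeps the stack set working and closes that path.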
The template referenced in this topic enables AWS Config in a target account within the US West (Oregon) Region (us-west-2) and US East (N. Virginia) Region (us-east-1). The Enable AWS Config template is located in the following S3 bucket:
https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/EnableAWSConfig.yml
Create a stack set with self-managed permissions (console)
- Sign in to the AWS Management Console and open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.
- On the navigation bar at the top of the screen, choose the AWS Region that you want to manage the stack set from.
- From the navigation pane, choose StackSets.
- From the top of the StackSets page, choose Create StackSet.
- Skip Permissions to use the IAM roles named AWSCloudFormationStackSetExecutionRole and AWSCloudFormationStackSetAdministrationRole that you created previously.
- Under Prerequisite - Prepare template, choose Use a sample template.
- Under Select a sample template, from the drop-down menu choose the Enable AWS Config template. Then, choose Next.
- On the Specify StackSet details page, for StackSet name, provide a name for the stack set. Stack set names must begin with an alphabetical character, and contain only letters, numbers, and hyphens. In this walkthrough, we use the name my-awsconfig-stackset.
- For StackSet description, provide a description for the stack set.
- For Parameters, review the template parameters that are used by AWS Config.
  Note
  For the purposes of this walkthrough, you can use the default settings in this section.
  - For Recorder Configuration, review the default values. For more information about these parameters, see Setting up AWS Config with the console in the AWS Config Developer Guide.
  - (Optional) For Delivery Channel Configuration, review the default values for the delivery channel for updates and notifications. For more information about the delivery channel in AWS Config, see Managing the delivery channel in the AWS Config Developer Guide.
  - (Optional) For Delivery Notifications, review the default configuration for the Amazon Simple Notification Service (SNS) notifications.
- Choose Next to continue.
- On the Configure StackSet options page, add a tag by specifying a key and value pair. In this walkthrough, we create a tag called Stage, with a value of Test. Tags that you apply to stack sets are applied to all resources that are created by your stacks. For more information about how tags are used in AWS, see Organizing and tracking costs using AWS cost allocation tags in the AWS Billing and Cost Management User Guide.
- For Execution configuration, choose Active so that StackSets performs non-conflicting operations concurrently and queues conflicting operations. After conflicting operations finish, StackSets starts queued operations in request order.
  Note
  If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.
  You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.
- If your template contains IAM resources, for Capabilities, choose I acknowledge that this template may create IAM resources to specify that you want to use IAM resources in the template. For more information, see Acknowledging IAM resources in CloudFormation templates.
- Choose Next.
- On the Set deployment options page, for Add stacks to stack set, choose Deploy new stacks.
- For Accounts, choose Deploy stacks in accounts. Paste your target AWS account IDs in the text box, separating multiple IDs with commas.
- For Specify regions, choose US East (N. Virginia) Region. Repeat for the US West (Oregon) Region. Select the up arrow next to US West (Oregon) Region to move it to the first entry in the list. The order of the Regions under Specify regions determines their deployment order.
  By default, CloudFormation deploys stacks in the specified accounts within the first Region, then moves on to the next Region, and so on, as long as a Region's deployment failures do not exceed the specified failure tolerance.
- For Deployment options:
  - For Maximum concurrent accounts, keep the defaults of Number and 1. This means that CloudFormation deploys your stack in only one account at a time.
  - For Failure tolerance, keep the defaults of Number and 0. This means that no failures are tolerated: the first failed stack deployment in a Region stops deployment in that Region and cancels deployment in the remaining Regions.
  - For Region concurrency, select Sequential or Parallel to determine the order in which StackSets deploys to the specified Regions. By default, Sequential is selected.
  - For Concurrency mode, update the Concurrency mode as needed, or skip to the next step.
- Choose Next.
- On the Review page, review your choices. To make changes, choose Edit on the related section.
- When you are ready to create your stack set, choose Submit.
  CloudFormation starts creating your stack set. View the progress and status of the stacks in your stack set on the stack set details page that opens when you choose Submit.
Create a stack set with self-managed permissions (AWS CLI)
When you create stack sets by using AWS CLI commands, you run two separate commands: create-stack-set to upload your template and create the stack set container, and create-stack-instances to create the stacks within your stack set.
- Start by running the following create-stack-set command to upload the sample template that enables AWS Config. For the --template-url option, provide the Amazon S3 URL of your template. In this example, we use my-awsconfig-stackset as the value of the --stack-set-name option.

      aws cloudformation create-stack-set \
        --stack-set-name my-awsconfig-stackset \
        --template-url https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/EnableAWSConfig.yml

  Note
  If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.
  You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.
- After your create-stack-set command is finished, run the list-stack-sets command to see that your stack set has been created. You should see your new stack set in the results.

      aws cloudformation list-stack-sets
- Use the create-stack-instances command to add stack instances to your stack set. In this walkthrough, we use us-west-2 and us-east-1 as the values of the --regions option.

      aws cloudformation create-stack-instances \
        --stack-set-name my-awsconfig-stackset \
        --accounts '["account_ID_1","account_ID_2"]' \
        --regions '["us-west-2","us-east-1"]'

  To specify your preferences for how CloudFormation performs this stack set operation, specify the --operation-preferences option, as in the following example. For the purposes of this example, we're using count, not percentage. To apply percentages instead, use FailureTolerancePercentage or MaxConcurrentPercentage.

      --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1

  Note
  The value of MaxConcurrentCount is dependent on the value of FailureToleranceCount. MaxConcurrentCount is at most one more than FailureToleranceCount.
  Important
  Wait until an operation is complete before starting another one. You can run only one operation at a time.
- Using the operation-id that was returned as part of the create-stack-instances output, run the following describe-stack-set-operation command to verify that your stack instances were created successfully.

      aws cloudformation describe-stack-set-operation \
        --stack-set-name my-awsconfig-stackset \
        --operation-id operation_ID
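The deployment options in the console procedure and the --operation-preferences note in the CLI procedure describe the same constraints: Region order is deployment order, counts and percentages are alternatives, and MaxConcurrentCount may be at most one more than FailureToleranceCount (CloudFormation enforces that relation in the default STRICT_FAILURE_TOLERANCE concurrency mode and relaxes it in SOFT_FAILURE_TOLERANCE). The following is an added example, not code from this page or from AWS, that checks those rules before the create-stack-instances call is issued, so a bad account ID or an impossible concurrency setting fails locally rather than after the stack set operation has started. The key names used in the shorthand value are the StackSetOperationPreferences members; the stack set name, account IDs and Regions are the walkthrough's placeholders.

```python
import json
import re
import shlex

_STACK_SET_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")   # rule stated on this page
_ACCOUNT_ID = re.compile(r"^\d{12}$")
_REGION = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")            # us-east-1, us-gov-west-1, ...


def operation_preferences(failure_tolerance, max_concurrent, *, percentage=False,
                          region_concurrency="SEQUENTIAL",
                          concurrency_mode="STRICT_FAILURE_TOLERANCE"):
    """Return the shorthand value for --operation-preferences, or raise ValueError."""
    if region_concurrency not in ("SEQUENTIAL", "PARALLEL"):
        raise ValueError(f"RegionConcurrencyType must be SEQUENTIAL or PARALLEL, "
                         f"got {region_concurrency!r}")
    if concurrency_mode not in ("STRICT_FAILURE_TOLERANCE", "SOFT_FAILURE_TOLERANCE"):
        raise ValueError(f"unknown ConcurrencyMode {concurrency_mode!r}")
    if failure_tolerance < 0 or max_concurrent < 1:
        raise ValueError("failure tolerance must be >= 0 and max concurrency >= 1")
    if percentage and max(failure_tolerance, max_concurrent) > 100:
        raise ValueError("percentages must be between 0 and 100")
    # In strict mode a batch may never hold more stacks than the tolerance lets
    # fail, hence the page's rule MaxConcurrentCount <= FailureToleranceCount + 1.
    if (concurrency_mode == "STRICT_FAILURE_TOLERANCE" and not percentage
            and max_concurrent > failure_tolerance + 1):
        raise ValueError(f"MaxConcurrentCount={max_concurrent} exceeds "
                         f"FailureToleranceCount+1={failure_tolerance + 1}; raise the "
                         "tolerance or use SOFT_FAILURE_TOLERANCE")
    unit = "Percentage" if percentage else "Count"
    return ",".join([f"FailureTolerance{unit}={failure_tolerance}",
                     f"MaxConcurrent{unit}={max_concurrent}",
                     f"RegionConcurrencyType={region_concurrency}",
                     f"ConcurrencyMode={concurrency_mode}"])


def create_stack_instances_argv(stack_set_name, accounts, regions, preferences=None):
    """argv for `aws cloudformation create-stack-instances`, validated up front.

    Regions keep the caller's order because that order is the deployment order
    under SEQUENTIAL region concurrency.
    """
    if not _STACK_SET_NAME.match(stack_set_name):
        raise ValueError(f"stack set name {stack_set_name!r} must start with a letter "
                         "and contain only letters, digits and hyphens")
    accounts, regions = list(accounts), list(regions)
    bad = [a for a in accounts if not _ACCOUNT_ID.match(a)]
    if bad or not accounts:
        raise ValueError(f"account IDs must be 12-digit strings, got {bad or accounts}")
    if len(set(accounts)) != len(accounts):
        raise ValueError("duplicate account ID")
    bad = [r for r in regions if not _REGION.match(r)]
    if bad or not regions:
        raise ValueError(f"invalid Region names: {bad or regions}")
    if len(set(regions)) != len(regions):
        raise ValueError("duplicate Region")
    # Compact JSON lists match the form used on this page: '["us-west-2","us-east-1"]'
    compact = lambda xs: json.dumps(xs, separators=(",", ":"))
    argv = ["aws", "cloudformation", "create-stack-instances",
            "--stack-set-name", stack_set_name,
            "--accounts", compact(accounts),
            "--regions", compact(regions)]
    if preferences:
        argv += ["--operation-preferences", preferences]
    return argv


if __name__ == "__main__":
    # Walkthrough values; the account IDs are placeholders, not real accounts.
    prefs = operation_preferences(0, 1)
    argv = create_stack_instances_argv("my-awsconfig-stackset",
                                       ["111111111111", "222222222222"],
                                       ["us-west-2", "us-east-1"], prefs)
    print(shlex.join(argv))
    try:
        operation_preferences(0, 5)      # rejected: 5 > 0 + 1 in strict mode
    except ValueError as exc:
        print("rejected:", exc)
```

Pipe the printed command into a shell, or pass `argv` to subprocess.run, once the pre-flight checks on the roles have passed. Keep the Important note above in mind when scripting this: the command returns an operation ID immediately, and a second operation started before describe-stack-set-operation reports the first one complete will be rejected or queued, not run concurrently.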