Create CloudFormation StackSets with service-managed permissions - AWS CloudFormation

Create CloudFormation StackSets with service-managed permissions

With service-managed permissions, you can deploy stack instances to accounts managed by AWS Organizations in specific Regions. With this model, you don't need to create the necessary IAM roles; StackSets creates the IAM roles on your behalf. You can also enable automatic deployments to accounts that are added to a target organization or organizational unit (OU) in the future. With automatic deployments enabled, StackSets automatically deletes stack instances from an account if it's removed from a target organization or OU. For more information, see Activate trusted access.

Considerations

Before you create a stack set with service-managed permissions, consider the following:

  • Stack sets with service-managed permissions are created in the management account, including stack sets that are created by delegated administrators.

  • Your stack set can target your entire organization or specified organizational units (OUs). If your stack set targets your organization, it also targets all accounts in all OUs in the organization. If your stack set targets specified OUs, it also targets all accounts in those OUs.

  • If your stack set targets a parent OU, the stack set also targets any child OUs.

  • Multiple stack sets can target the same organization or OU.

  • Your stack set can't target accounts outside your organization.

  • Your stack set can't deploy nested stacks.

  • StackSets doesn't deploy stack instances to the organization's management account, even if the management account is in your organization or in an OU in your organization.

  • Automatic deployment is set at the stack set level. You can't adjust automatic deployments selectively for OUs, accounts, or Regions.

  • The permissions of the IAM principal entity (user, role, or group) that you use to sign in to the management account determine whether you are authorized to deploy with StackSets. For an example IAM policy that grants permissions to deploy to an organization, see Sample policy that grants service-managed stack set permissions.

  • Delegated administrators have full permissions to deploy to accounts in your organization. The management account can't limit delegated administrator permissions to deploy to specific OUs or to perform specific stack set operations.

Create a stack set with service-managed permissions (console)

  1. Sign in to the AWS Management Console and open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

  2. On the navigation bar at the top of the screen, choose the AWS Region that you want to manage the stack set from.

  3. From the navigation pane, choose StackSets.

  4. From the top of the StackSets page, choose Create StackSet.

  5. Under Permissions, choose Service-managed permissions.

    Note

    If trusted access with AWS Organizations is disabled, a banner displays. Trusted access is required to create or update a stack set with service-managed permissions. Only the administrator in the organization's management account has permissions to Activate trusted access for stack sets with AWS Organizations.

  6. Under Prerequisite - Prepare template, choose Template is ready.

  7. Under Specify template, choose to either specify the URL for the S3 bucket that contains your stack template or upload a stack template file. Choose Next.

  8. On the Specify StackSet details page, provide a name for the stack set, specify any parameters, and then choose Next.

  9. On the Configure StackSet options page, under Tags, specify any tags to apply to resources in your stack.

  10. For Execution configuration, choose Active so that StackSets performs non-conflicting operations concurrently and queues conflicting operations. After conflicting operations finish, StackSets starts queued operations in request order.

    Note

    If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.

    You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.

  11. Choose Next to proceed and to activate trusted access if not already activated.

  12. On the Set deployment options page, under Deployment targets, do one of the following:

    • To deploy to all accounts in your organization, choose Deploy to organization.

    • To deploy to all accounts in specific OUs, choose Deploy to organizational units (OUs). Choose Add an OU, and then paste the target OU ID in the text box. Repeat for each new target OU.

  13. Under Automatic deployment, choose whether StackSets will automatically deploy to accounts that are added to the target organization or OUs in the future.

  14. If you enabled automatic deployment, under Account removal behavior, choose whether stack resources are retained or deleted when an account is removed from a target organization or OU.

    Note

    With Retain stacks selected, stack instances are removed from your stack set, but the stacks and their associated resources are retained. The resources stay in their current state, but will no longer be part of the stack set.

  15. Under Specify regions, choose the Regions you want to deploy stack instances in.

  16. For Deployment options:

    • For Maximum concurrent accounts, configure the maximum concurrent accounts as needed.

    • For Failure tolerance, configure the failure tolerance as needed.

    • For Region concurrency, choose the region concurrency as needed.

    • For Concurrency mode, choose the concurrency mode as needed.

  17. Choose Next to continue.

  18. On the Review page, verify that StackSets will deploy to the correct accounts in the correct Regions, and then choose Create StackSet.

    The StackSet details page opens. You can view the progress and status of the creation of the stacks in your stack set.

Create a stack set with service-managed permissions (AWS CLI)

When you create stack sets using the AWS CLI, you run two separate commands. During create-stack-set, you upload your template, create the stack set container, and manage automatic deployments. During create-stack-instances, you create stack instances in specific target accounts.

When acting as a delegated administrator, you must set the --call-as option to DELEGATED_ADMIN each time you run a StackSets command.

--call-as DELEGATED_ADMIN

Stack sets created by a delegated administrator are created in the organization's management account.

  1. Use the create-stack-set CLI command.

    In the following example, we enable automatic deployments to allow StackSets to automatically deploy to accounts that are added to the target organization or OUs in the future. We retain stack resources when an account is removed from a target organization or OU.

    aws cloudformation create-stack-set \
      --stack-set-name my-stackset \
      --template-url https://s3.us-west-2.amazonaws.com/cloudformation-templates-us-west-2/MyApp.template \
      --permission-model SERVICE_MANAGED \
      --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=true

    Note

    If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.

    You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.

  2. After your create-stack-set command is finished, run the list-stack-sets command to confirm that your stack set was created. Your new stack set is listed in the results.

    aws cloudformation list-stack-sets

    • If you set the --call-as option to DELEGATED_ADMIN while signed in to your member account, list-stack-sets returns all stack sets with service-managed permissions in the organization's management account.

    • If you set the --call-as option to SELF while signed in to your AWS account, list-stack-sets returns all self-managed stack sets in your AWS account.

    • If you set the --call-as option to SELF while signed in to the organization's management account, list-stack-sets returns all stack sets in the organization's management account.

  3. Use the create-stack-instances command to add stack instances to your stack set. For the --deployment-targets option, specify the organization root ID to deploy to all accounts in your organization, or specify OU IDs to deploy to all accounts in those OUs. In this example, we specify the OUs with IDs ou-rcuk-1x5j1lwo and ou-rcuk-slr5lh0a.

    aws cloudformation create-stack-instances \
      --stack-set-name my-stackset \
      --deployment-targets OrganizationalUnitIds='["ou-rcuk-1x5j1lwo", "ou-rcuk-slr5lh0a"]' \
      --regions '["us-west-2","us-east-1"]'

    Important

    Wait until an operation is complete before starting another one. You can run only one operation at a time.

  4. Using the operation-id that was returned as part of the create-stack-instances output, use the following describe-stack-set-operation command to verify that your stack instances were created successfully.

    aws cloudformation describe-stack-set-operation \
      --stack-set-name my-stackset \
      --operation-id operation_ID
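As an added example (not code from the AWS documentation), the following POSIX shell script chains steps 1, 3 and 4 of the CLI procedure and polls describe-stack-set-operation so that a second operation is never started while one is still running; the stack set name, template URL, OU IDs and --call-as value are assumed placeholders that you replace with your own.

```shell
# Added example, not from the AWS documentation: runs the page's create-stack-set,
# create-stack-instances and describe-stack-set-operation sequence, waiting for each
# operation to finish before the next starts. Placeholders assumed: STACK_SET_NAME,
# TEMPLATE_URL, the OU IDs, and CALL_AS (DELEGATED_ADMIN for a delegated administrator).
set -eu
STACK_SET_NAME="${STACK_SET_NAME:-my-stackset}"
TEMPLATE_URL="${TEMPLATE_URL:-https://s3.us-west-2.amazonaws.com/cloudformation-templates-us-west-2/MyApp.template}"
CALL_AS="${CALL_AS:-SELF}"; POLL_SECONDS="${POLL_SECONDS:-15}"

# Prints the Status of one operation (RUNNING, QUEUED, SUCCEEDED, FAILED, STOPPED, ...).
operation_status() {
  aws cloudformation describe-stack-set-operation --stack-set-name "$1" \
    --operation-id "$2" --call-as "$CALL_AS" \
    --query 'StackSetOperation.Status' --output text
}

# Polls until the operation leaves RUNNING/QUEUED/STOPPING; prints the final status
# and returns 0 only for SUCCEEDED, so a failed deployment stops the script.
wait_for_operation() {
  while :; do
    status="$(operation_status "$1" "$2")"
    case "$status" in
      RUNNING|QUEUED|STOPPING) sleep "$POLL_SECONDS" ;;
      SUCCEEDED) echo "$status"; return 0 ;;
      *) echo "$status"; return 1 ;;
    esac
  done
}

# Builds the JSON list that --deployment-targets expects, e.g. ["ou-a","ou-b"].
build_ou_list() {
  list="$(printf '"%s",' "$@")"
  printf '[%s]' "${list%,}"
}

# create-stack-set as on this page (service-managed, auto-deploy on, stacks retained
# when an account leaves a target OU); prints the StackSetId.
create_stack_set() {
  aws cloudformation create-stack-set --stack-set-name "$STACK_SET_NAME" \
    --template-url "$TEMPLATE_URL" --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=true \
    --call-as "$CALL_AS" --query StackSetId --output text
}
# Usage: deploy_to_ous "us-west-2 us-east-1" ou-aaa ou-bbb  (Regions first, then OU IDs).
deploy_to_ous() {
  regions="$1"; shift
  create_stack_set >/dev/null
  op="$(aws cloudformation create-stack-instances --stack-set-name "$STACK_SET_NAME" \
    --deployment-targets "OrganizationalUnitIds=$(build_ou_list "$@")" \
    --regions $regions --call-as "$CALL_AS" --query OperationId --output text)"
  wait_for_operation "$STACK_SET_NAME" "$op"
}
```

Source the file and call deploy_to_ous with your Regions and OU IDs; it exits non-zero if the operation ends in any status other than SUCCEEDED.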