AWS::CloudFormation::StackSet
The AWS::CloudFormation::StackSet resource enables you to provision stacks into AWS accounts and across Regions by using a single CloudFormation template. In the stack set, you specify the template to use, in addition to any parameters and capabilities that the template requires.
Important
Run deployments to nested StackSets from the parent stack, not directly through the StackSet API.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::CloudFormation::StackSet",
  "Properties" : {
      "AdministrationRoleARN" : String,
      "AutoDeployment" : AutoDeployment,
      "CallAs" : String,
      "Capabilities" : [ String, ... ],
      "Description" : String,
      "ExecutionRoleName" : String,
      "ManagedExecution" : ManagedExecution,
      "OperationPreferences" : OperationPreferences,
      "Parameters" : [ Parameter, ... ],
      "PermissionModel" : String,
      "StackInstancesGroup" : [ StackInstances, ... ],
      "StackSetName" : String,
      "Tags" : [ Tag, ... ],
      "TemplateBody" : String,
      "TemplateURL" : String
    }
}
YAML
Type: AWS::CloudFormation::StackSet
Properties:
  AdministrationRoleARN: String
  AutoDeployment:
    AutoDeployment
  CallAs: String
  Capabilities:
    - String
  Description: String
  ExecutionRoleName: String
  ManagedExecution:
    ManagedExecution
  OperationPreferences:
    OperationPreferences
  Parameters:
    - Parameter
  PermissionModel: String
  StackInstancesGroup:
    - StackInstances
  StackSetName: String
  Tags:
    - Tag
  TemplateBody: String
  TemplateURL: String
Properties
AdministrationRoleARN
The Amazon Resource Name (ARN) of the IAM role to use to create this stack set. Specify an IAM role only if you are using customized administrator roles to control which users or groups can manage specific stack sets within the same administrator account. For more information, see Grant self-managed permissions in the AWS CloudFormation User Guide.
Required: No
Type: String
Minimum: 20
Maximum: 2048
Update requires: No interruption
AutoDeployment
[Service-managed permissions] Describes whether StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU).
Required: No
Type: AutoDeployment
Update requires: No interruption
CallAs
[Service-managed permissions] Specifies whether you are acting as an account administrator in the organization's management account or as a delegated administrator in a member account.
By default, SELF is specified. Use SELF for stack sets with self-managed permissions.
- To create a stack set with service-managed permissions while signed in to the management account, specify SELF.
- To create a stack set with service-managed permissions while signed in to a delegated administrator account, specify DELEGATED_ADMIN. Your AWS account must be registered as a delegated admin in the management account. For more information, see Register a delegated administrator in the AWS CloudFormation User Guide.
Stack sets with service-managed permissions are created in the management account, including stack sets that are created by delegated administrators.
Required: No
Type: String
Allowed values: SELF | DELEGATED_ADMIN
Update requires: No interruption
Capabilities
The capabilities that are allowed in the stack set. Some stack set templates might include resources that can affect permissions in your AWS account, for example by creating new IAM users. For more information, see Acknowledging IAM resources in CloudFormation templates in the AWS CloudFormation User Guide.
Required: No
Type: Array of String
Update requires: No interruption
Description
A description of the stack set.
Required: No
Type: String
Minimum: 1
Maximum: 1024
Update requires: No interruption
ExecutionRoleName
The name of the IAM execution role to use to create the stack set. If you don't specify an execution role, CloudFormation uses the AWSCloudFormationStackSetExecutionRole role for the stack set operation.
Required: No
Type: String
Minimum: 1
Maximum: 64
Pattern: [a-zA-Z_0-9+=,.@-]+
Update requires: No interruption
ManagedExecution
Describes whether StackSets performs non-conflicting operations concurrently and queues conflicting operations.
When active, StackSets performs non-conflicting operations concurrently and queues conflicting operations. After conflicting operations finish, StackSets starts queued operations in request order.
Note
If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.
You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.
When inactive (default), StackSets performs one operation at a time in request order.
Required: No
Type: ManagedExecution
Update requires: No interruption
OperationPreferences
The user-specified preferences for how CloudFormation performs a stack set operation.
Required: No
Type: OperationPreferences
Update requires: No interruption
Parameters
The input parameters for the stack set template.
Required: No
Type: Array of Parameter
Update requires: No interruption
PermissionModel
Describes how the IAM roles required for stack set operations are created.
- With SELF_MANAGED permissions, you must create the administrator and execution roles required to deploy to target accounts. For more information, see Grant self-managed permissions in the AWS CloudFormation User Guide.
- With SERVICE_MANAGED permissions, StackSets automatically creates the IAM roles required to deploy to accounts managed by AWS Organizations. For more information, see Activate trusted access for stack sets with AWS Organizations in the AWS CloudFormation User Guide.
Required: Yes
Type: String
Allowed values: SERVICE_MANAGED | SELF_MANAGED
Update requires: Replacement
StackInstancesGroup
A group of stack instances with parameters in some specific accounts and Regions.
Required: No
Type: Array of StackInstances
Update requires: No interruption
StackSetName
The name to associate with the stack set. The name must be unique in the Region where you create your stack set.
Note
The StackSetName property is required.
Required: Yes
Type: String
Pattern: ^[a-zA-Z][a-zA-Z0-9\-]{0,127}$
Maximum: 128
Update requires: Replacement
Tags
Key-value pairs to associate with this stack. CloudFormation also propagates these tags to supported resources in the stack. You can specify a maximum number of 50 tags.
If you don't specify this parameter, CloudFormation doesn't modify the stack's tags. If you specify an empty value, CloudFormation removes all associated tags.
Required: No
Type: Array of Tag
Maximum: 50
Update requires: No interruption
TemplateBody
The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.
You must include either TemplateURL or TemplateBody in a StackSet, but you can't use both. Dynamic references in the TemplateBody may not work correctly in all cases. It's recommended to pass templates containing dynamic references through TemplateURL instead.
Required: Conditional
Type: String
Minimum: 1
Maximum: 51200
Update requires: No interruption
TemplateURL
The URL of a file containing the template body. The URL must point to a template (max size: 1 MB) that's located in an Amazon S3 bucket or a Systems Manager document. The location for an Amazon S3 bucket must start with https://.
Conditional: You must specify only one of the following parameters: TemplateBody, TemplateURL.
Required: Conditional
Type: String
Minimum: 1
Maximum: 5120
Update requires: No interruption
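The constraints listed for the properties above (length limits, patterns, allowed values, and the rule that exactly one of TemplateBody or TemplateURL is set) can be checked locally before a template is sent to CloudFormation, which turns a failed stack set operation into a fast pre-commit failure. The following lint pass is an added example and is not part of the AWS documentation or the CloudFormation service: the function names and finding texts are this example's own, GOOD_STACKSET reproduces the page's TestStackSet1 example as a Python dict, BAD_STACKSET is constructed to trip several rules, and the https:// check assumes an S3-hosted template, which is the case the page constrains.

```python
"""Pre-deployment lint for an AWS::CloudFormation::StackSet resource.

Added example: re-implements the constraints stated in the property
reference (lengths, patterns, allowed values, TemplateBody/TemplateURL rule)
as a local check. Function names and finding texts are this example's own.
"""
import re

STACK_SET_NAME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9\-]{0,127}$")  # pattern from the page
EXECUTION_ROLE_RE = re.compile(r"^[a-zA-Z_0-9+=,.@-]+$")           # pattern from the page
PERMISSION_MODELS = {"SERVICE_MANAGED", "SELF_MANAGED"}
CALL_AS_VALUES = {"SELF", "DELEGATED_ADMIN"}


def _check_length(props, key, lo, hi, findings):
    """Report a string property whose length falls outside [lo, hi]."""
    if key in props and not lo <= len(props[key]) <= hi:
        findings.append(f"{key}: length must be between {lo} and {hi}")


def lint_stackset(resource):
    """Return a list of findings for one StackSet resource; an empty list means clean."""
    if resource.get("Type") != "AWS::CloudFormation::StackSet":
        return ["Type must be AWS::CloudFormation::StackSet"]
    props = resource.get("Properties", {})
    findings = []

    name = props.get("StackSetName")
    if name is None:
        findings.append("StackSetName: required")
    elif not STACK_SET_NAME_RE.match(name):
        findings.append("StackSetName: must match ^[a-zA-Z][a-zA-Z0-9\\-]{0,127}$")

    model = props.get("PermissionModel")
    if model is None:
        findings.append("PermissionModel: required")
    elif model not in PERMISSION_MODELS:
        findings.append("PermissionModel: must be SERVICE_MANAGED or SELF_MANAGED")

    # CallAs only has meaning for service-managed permissions; SELF is the default.
    call_as = props.get("CallAs")
    if call_as is not None and call_as not in CALL_AS_VALUES:
        findings.append("CallAs: must be SELF or DELEGATED_ADMIN")
    elif call_as == "DELEGATED_ADMIN" and model == "SELF_MANAGED":
        findings.append("CallAs: DELEGATED_ADMIN only applies to service-managed permissions")

    # Exactly one template source: both present or both absent is an error.
    has_body, has_url = "TemplateBody" in props, "TemplateURL" in props
    if has_body == has_url:
        findings.append("exactly one of TemplateBody or TemplateURL is required")
    _check_length(props, "TemplateBody", 1, 51200, findings)
    _check_length(props, "TemplateURL", 1, 5120, findings)
    if has_url and not props["TemplateURL"].startswith("https://"):
        findings.append("TemplateURL: an S3 location must start with https://")  # assumes S3 hosting

    _check_length(props, "AdministrationRoleARN", 20, 2048, findings)
    _check_length(props, "Description", 1, 1024, findings)
    _check_length(props, "ExecutionRoleName", 1, 64, findings)
    role = props.get("ExecutionRoleName")
    if role is not None and not EXECUTION_ROLE_RE.match(role):
        findings.append("ExecutionRoleName: must match [a-zA-Z_0-9+=,.@-]+")

    if len(props.get("Tags", [])) > 50:
        findings.append("Tags: at most 50 tags are allowed")
    return findings


GOOD_STACKSET = {  # the page's TestStackSet1 example, as a Python dict
    "Type": "AWS::CloudFormation::StackSet",
    "DeletionPolicy": "Retain",
    "Properties": {
        "StackSetName": "TestStackSet12345",
        "Description": "Updatedescription1",
        "PermissionModel": "SELF_MANAGED",
        "ManagedExecution": {"Active": True},
        "Tags": [{"Key": "tag1", "Value": "value1"}],
        "TemplateBody": '{"AWSTemplateFormatVersion": "2010-09-09", "Resources": '
                        '{"testWaitHandle": {"Type": "AWS::CloudFormation::WaitConditionHandle"}}}',
    },
}

BAD_STACKSET = {  # constructed sample that violates five of the rules above
    "Type": "AWS::CloudFormation::StackSet",
    "Properties": {
        "StackSetName": "9-starts-with-digit",
        "PermissionModel": "SELF_MANAGED",
        "CallAs": "DELEGATED_ADMIN",
        "ExecutionRoleName": "role name with spaces",
        "TemplateBody": "{}",
        "TemplateURL": "http://example-bucket.s3.amazonaws.com/template.json",
    },
}

if __name__ == "__main__":
    for label, resource in (("good", GOOD_STACKSET), ("bad", BAD_STACKSET)):
        print(label, lint_stackset(resource) or "no findings")
```

Run it as a pre-commit hook over every AWS::CloudFormation::StackSet resource in a parsed template; the findings list is empty for the page's own example and names each violated rule for the constructed bad one.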
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the StackSetId.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
StackSetId
The ID of the stack set that you're creating.
Examples
Activate managed execution for your stack set
The following example creates a stack set and specifies ManagedExecution. With managed execution activated, StackSets performs non-conflicting operations concurrently and queues conflicting operations.
JSON
{
  "TestStackSet1": {
    "Type": "AWS::CloudFormation::StackSet",
    "DeletionPolicy": "Retain",
    "Properties": {
      "StackSetName": "TestStackSet12345",
      "Description": "Updatedescription1",
      "PermissionModel": "SELF_MANAGED",
      "ManagedExecution": {
        "Active": true
      },
      "Tags": [
        {
          "Key": "tag1",
          "Value": "value1"
        }
      ],
      "TemplateBody": "{\n \"AWSTemplateFormatVersion\": \"2010-09-09\",\n \"Resources\": {\n \"testWaitHandle\": {\n \"Type\": \"AWS::CloudFormation::WaitConditionHandle\"\n }\n }\n}\n"
    }
  }
}
YAML
TestStackSet1:
  Type: 'AWS::CloudFormation::StackSet'
  DeletionPolicy: Retain
  Properties:
    StackSetName: TestStackSet12345
    Description: Updatedescription1
    PermissionModel: SELF_MANAGED
    ManagedExecution:
      Active: true
    Tags:
      - Key: tag1
        Value: value1
    TemplateBody: |
      {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
          "testWaitHandle": {
            "Type": "AWS::CloudFormation::WaitConditionHandle"
          }
        }
      }
Specifying Secrets Manager secrets in CloudFormation
When using the TemplateBody property, if the template intends to resolve secrets from Secrets Manager through an ARN and !Join is used to construct the Secrets Manager dynamic reference, secret resolution needs to be avoided at the stack level so that it is only performed upon stack instance creation.
In the following example, secret resolution is avoided at the stack level by providing {{ and resolve:secretsmanager: as separate strings to !Join instead of {{resolve:secretsmanager: being provided as a single string:
JSON
{
  "Fn::Join": [
    "",
    [
      "{{",
      "resolve:secretsmanager:",
      {
        "Fn::Sub": "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:my-secret"
      },
      "::my-secret-key::}}"
    ]
  ]
}
YAML
!Join
  - ''
  - - '{{'
    - 'resolve:secretsmanager:'
    - !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:my-secret'
    - '::my-secret-key::}}'
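The point of the split above is that no single string literal in the TemplateBody carries a complete {{resolve: prefix, so the parent stack passes the pieces through and only the stack instances resolve the secret. That condition is mechanically checkable. The following Python walker is an added example, not part of the AWS documentation: it flags literals in a parsed (JSON-form) TemplateBody that already contain a whole dynamic-reference prefix, builds the split Fn::Join form from the page, and renders both forms with a minimal Fn::Join/Fn::Sub evaluator to show they yield the same reference string at instance time. The function names, the Custom::Placeholder resource, the ServiceToken value and the pseudo-parameter values are constructed for the example.

```python
"""Flag Secrets Manager dynamic references that a StackSet's parent stack
would resolve instead of the stack instances.

Added example, not from the AWS documentation. A TemplateBody that builds
"{{resolve:secretsmanager:...}}" with Fn::Join should pass "{{" and
"resolve:secretsmanager:" as separate pieces so that no single literal holds
a complete prefix. All names and sample values here are constructed.
"""
import json

DYNAMIC_REF_PREFIX = "{{resolve:"

# Constructed stand-ins for the pseudo parameters that Fn::Sub expands at instance time.
PSEUDO_PARAMETERS = {"AWS::Region": "us-east-1", "AWS::AccountId": "111122223333"}
SECRET_ARN = {"Fn::Sub": "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:my-secret"}


def split_secretsmanager_reference(secret_arn_expr, json_key):
    """Build the Fn::Join form from the documentation example: the prefix is
    split so the parent stack passes the pieces through unresolved."""
    return {"Fn::Join": ["", ["{{", "resolve:secretsmanager:", secret_arn_expr, f"::{json_key}::}}}}"]]}


SAFE_REFERENCE = split_secretsmanager_reference(SECRET_ARN, "my-secret-key")
# Same reference, but the whole prefix sits in one literal, so the parent stack resolves it.
UNSAFE_REFERENCE = {"Fn::Join": ["", ["{{resolve:secretsmanager:", SECRET_ARN, "::my-secret-key::}}"]]}


def sample_template(password_expr):
    """Constructed TemplateBody that hands a secret to a custom resource."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "Example": {
                "Type": "Custom::Placeholder",
                "Properties": {
                    "ServiceToken": "arn:aws:lambda:us-east-1:111122223333:function:placeholder",
                    "Password": password_expr,
                },
            }
        },
    }


def find_early_dynamic_refs(node, path="TemplateBody"):
    """Return JSON paths of string literals that contain a complete '{{resolve:'
    prefix. A prefix split across Fn::Join pieces is not matched."""
    if isinstance(node, str):
        return [path] if DYNAMIC_REF_PREFIX in node else []
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_early_dynamic_refs(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_early_dynamic_refs(value, f"{path}[{index}]"))
    return hits


def check_template_body(template_body):
    """Entry point for the TemplateBody string as CloudFormation receives it (JSON form)."""
    return find_early_dynamic_refs(json.loads(template_body))


def render(node, pseudo):
    """Minimal evaluator for the two intrinsics used here (Fn::Join and the string
    form of Fn::Sub), standing in for what a stack instance sees once the parent
    stack has passed the pieces through. Both forms render to the same reference;
    the difference is only which stack resolves it."""
    if isinstance(node, str):
        return node
    if "Fn::Join" in node:
        delimiter, parts = node["Fn::Join"]
        return delimiter.join(render(part, pseudo) for part in parts)
    if "Fn::Sub" in node:
        text = node["Fn::Sub"]
        for name, value in pseudo.items():
            text = text.replace("${" + name + "}", value)
        return text
    raise ValueError(f"unsupported intrinsic: {sorted(node)}")


UNSAFE_TEMPLATE_BODY = json.dumps(sample_template(UNSAFE_REFERENCE))

if __name__ == "__main__":
    print("split form:", find_early_dynamic_refs(sample_template(SAFE_REFERENCE)) or "no early resolution")
    print("single literal:", check_template_body(UNSAFE_TEMPLATE_BODY))
    print("instance-time value:", render(SAFE_REFERENCE, PSEUDO_PARAMETERS))
```

The walker reports the JSON path of each offending literal, so the finding points at the exact Fn::Join element to split; the render step is there to confirm that splitting changes nothing about the reference the instances eventually see.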
See also
- AWS CloudFormation StackSets sample templates in the AWS CloudFormation User Guide