AWS::CloudFormation::StackSet - AWS CloudFormation

AWS::CloudFormation::StackSet

The AWS::CloudFormation::StackSet resource enables you to provision stacks into AWS accounts and across Regions by using a single CloudFormation template. In the stack set, you specify the template to use, in addition to any parameters and capabilities that the template requires.

Important

Run deployments to nested StackSets from the parent stack, not directly through the StackSet API.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::CloudFormation::StackSet", "Properties" : { "AdministrationRoleARN" : String, "AutoDeployment" : AutoDeployment, "CallAs" : String, "Capabilities" : [ String, ... ], "Description" : String, "ExecutionRoleName" : String, "ManagedExecution" : ManagedExecution, "OperationPreferences" : OperationPreferences, "Parameters" : [ Parameter, ... ], "PermissionModel" : String, "StackInstancesGroup" : [ StackInstances, ... ], "StackSetName" : String, "Tags" : [ Tag, ... ], "TemplateBody" : String, "TemplateURL" : String } }

Properties

AdministrationRoleARN

The Amazon Resource Number (ARN) of the IAM role to use to create this stack set. Specify an IAM role only if you are using customized administrator roles to control which users or groups can manage specific stack sets within the same administrator account.

Use customized administrator roles to control which users or groups can manage specific stack sets within the same administrator account. For more information, see Grant self-managed permissions in the AWS CloudFormation User Guide.

Minimum: 20

Maximum: 2048

Required: No

Type: String

Minimum: 20

Maximum: 2048

Update requires: No interruption

AutoDeployment

[Service-managed permissions] Describes whether StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU).

Required: No

Type: AutoDeployment

Update requires: No interruption

CallAs

[Service-managed permissions] Specifies whether you are acting as an account administrator in the organization's management account or as a delegated administrator in a member account.

By default, SELF is specified. Use SELF for stack sets with self-managed permissions.

  • To create a stack set with service-managed permissions while signed in to the management account, specify SELF.

  • To create a stack set with service-managed permissions while signed in to a delegated administrator account, specify DELEGATED_ADMIN.

    Your AWS account must be registered as a delegated admin in the management account. For more information, see Register a delegated administrator in the AWS CloudFormation User Guide.

Stack sets with service-managed permissions are created in the management account, including stack sets that are created by delegated administrators.

Valid Values: SELF | DELEGATED_ADMIN

Required: No

Type: String

Allowed values: SELF | DELEGATED_ADMIN

Update requires: No interruption

Capabilities

The capabilities that are allowed in the stack set. Some stack set templates might include resources that can affect permissions in your AWS account—for example, by creating new IAM users. For more information, see Acknowledging IAM resources in CloudFormation templates in the AWS CloudFormation User Guide.

Required: No

Type: Array of String

Update requires: No interruption

Description

A description of the stack set.

Minimum: 1

Maximum: 1024

Required: No

Type: String

Minimum: 1

Maximum: 1024

Update requires: No interruption

ExecutionRoleName

The name of the IAM execution role to use to create the stack set. If you don't specify an execution role, CloudFormation uses the AWSCloudFormationStackSetExecutionRole role for the stack set operation.

Minimum: 1

Maximum: 64

Pattern: [a-zA-Z_0-9+=,.@-]+

Required: No

Type: String

Minimum: 1

Maximum: 64

Update requires: No interruption

ManagedExecution

Describes whether StackSets performs non-conflicting operations concurrently and queues conflicting operations.

When active, StackSets performs non-conflicting operations concurrently and queues conflicting operations. After conflicting operations finish, StackSets starts queued operations in request order.

Note

If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.

You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.

When inactive (default), StackSets performs one operation at a time in request order.

Required: No

Type: ManagedExecution

Update requires: No interruption

OperationPreferences

The user-specified preferences for how CloudFormation performs a stack set operation.

Required: No

Type: OperationPreferences

Update requires: No interruption

Parameters

The input parameters for the stack set template.

Required: No

Type: Array of Parameter

Update requires: No interruption

PermissionModel

Describes how the IAM roles required for stack set operations are created.

  • With SELF_MANAGED permissions, you must create the administrator and execution roles required to deploy to target accounts. For more information, see Grant self-managed permissions in the AWS CloudFormation User Guide.

  • With SERVICE_MANAGED permissions, StackSets automatically creates the IAM roles required to deploy to accounts managed by AWS Organizations. For more information, see Activate trusted access for stack sets with AWS Organizations in the AWS CloudFormation User Guide.

Required: Yes

Type: String

Allowed values: SERVICE_MANAGED | SELF_MANAGED

Update requires: Replacement

StackInstancesGroup

A group of stack instances with parameters in some specific accounts and Regions.

Required: No

Type: Array of StackInstances

Update requires: No interruption

StackSetName

The name to associate with the stack set. The name must be unique in the Region where you create your stack set.

Note

The StackSetName property is required.

Required: Yes

Type: String

Pattern: ^[a-zA-Z][a-zA-Z0-9\-]{0,127}$

Maximum: 128

Update requires: Replacement

Tags

Key-value pairs to associate with this stack. CloudFormation also propagates these tags to supported resources in the stack. You can specify a maximum number of 50 tags.

If you don't specify this parameter, CloudFormation doesn't modify the stack's tags. If you specify an empty value, CloudFormation removes all associated tags.

Required: No

Type: Array of Tag

Maximum: 50

Update requires: No interruption

TemplateBody

The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.

You must include either TemplateURL or TemplateBody in a StackSet, but you can't use both. Dynamic references in the TemplateBody may not work correctly in all cases. It's recommended to pass templates containing dynamic references through TemplateUrl instead.

Required: Conditional

Type: String

Minimum: 1

Maximum: 51200

Update requires: No interruption

TemplateURL

The URL of a file containing the template body. The URL must point to a template (max size: 1 MB) that's located in an Amazon S3 bucket or a Systems Manager document. The location for an Amazon S3 bucket must start with https://.

Conditional: You must specify only one of the following parameters: TemplateBody, TemplateURL.

Required: Conditional

Type: String

Minimum: 1

Maximum: 5120

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the StackSetId.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

StackSetId

The ID of the stack that you're creating.

Examples

Activate managed execution for your stack set

The following example creates a stack set and specifies ManagedExecution. With managed execution activated, StackSets performs non-conflicting operations concurrently and queues conflicting operations.

JSON

{ "TestStackSet1": { "Type": "AWS::CloudFormation::StackSet", "DeletionPolicy": "Retain", "Properties": { "StackSetName": "TestStackSet12345", "Description": "Updatedescription1", "PermissionModel": "SELF_MANAGED", "ManagedExecution": { "Active": true }, "Tags": [ { "Key": "tag1", "Value": "value1" } ], "TemplateBody": "{\n \"AWSTemplateFormatVersion\": \"2010-09-09\",\n \"Resources\": {\n \"testWaitHandle\": {\n \"Type\": \"AWS::CloudFormation::WaitConditionHandle\"\n }\n }\n}\n" } } }

YAML

TestStackSet1: Type: 'AWS::CloudFormation::StackSet' DeletionPolicy: Retain Properties: StackSetName: TestStackSet12345 Description: Updatedescription1 PermissionModel: SELF_MANAGED ManagedExecution: Active: true Tags: - Key: tag1 Value: value1 TemplateBody: | { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "testWaitHandle": { "Type": "AWS::CloudFormation::WaitConditionHandle" } } }

Specifying Secrets Manager secrets in CloudFormation

When using the TemplateBody property, if the template intends to resolve secrets from Secrets Manager secret's through an ARN and !Join is used to construct Secrets Manager's dynamic reference, secret's resolution needs to be avoided at stack level so that it will only be performed upon stack instance creation.

In the following example, secret's resolution are avoided at stack level by providing {{ and resolve:secretsmanager: as separate strings to !Join instead of {{resolve:secretsmanager: being provided as a single string:

JSON

{ "Fn::Join": [ "", [ "{{", "resolve:secretsmanager:", { "Fn::Sub": "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:my-secret" }, "::my-secret-key::}}" ] ] }

YAML

!Join - '' - - '{{' - 'resolve:secretsmanager:' - !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:my-secret' - '::my-secret-key::}}'

See also