AWS CloudFormation StackSets is a service that allows you to create, update, or delete stacks across multiple accounts and regions with a single AWS CloudFormation template. It is intended for managing resources across an AWS organization, letting you create stacks in many AWS accounts and regions from one place.
Here are some key aspects of AWS CloudFormation StackSets:
- Centralized Management: AWS CloudFormation StackSets allows you to manage your stacks from a central AWS account. You create, update, or delete CloudFormation stacks in multiple accounts and regions in a single operation.
- Consistency Across Accounts/Regions: CloudFormation StackSets enables you to maintain consistency across AWS accounts and regions. You can use it to create a set of resources with the same configuration everywhere. This is very useful when you need to set up a baseline environment for multiple AWS accounts or maintain compliance with company standards.
- Account and Organizational Unit (OU) Management: StackSets allows you to define which AWS accounts the stack set will be deployed to. You can specify AWS accounts individually, or, if you are using AWS Organizations, you can specify an Organizational Unit (OU).
- Automatic Deployments: If your AWS accounts are managed through AWS Organizations, StackSets can automatically deploy stacks to any new accounts that are added to a designated OU.
- Permission Management: AWS CloudFormation StackSets requires specific IAM roles to carry out operations. The administration role is used in the management account to execute operations, and the execution role is assumed in each target account to deploy the stacks.
- Stack Instance: Each stack that is created, updated, or deleted in a particular account and region is referred to as a stack instance.
Remember, AWS CloudFormation StackSets extend the functionality of stacks, each of which represents a unit of deployment managed by AWS CloudFormation. While a stack is constrained to a single AWS account and region, a stack set enables you to create, update, or delete stacks across multiple accounts and regions in a single operation.
Hands-On Lab: Deploy SG into regions
In this hands-on lab, we will look at how to deploy a simple security group that allows SSH access from a specific IP address. This security group will be deployed into two regions (London and Paris) from one AWS account.
- Before deploying the StackSet we need to give our AWS account the administration and execution roles that StackSets requires. To add these roles, create the following two CloudFormation templates and deploy each of them as an ordinary stack in the Frankfurt region:
AWSCloudFormationStackSetAdministrationRole.yml
AWSTemplateFormatVersion: 2010-09-09
Description: Configure the AWSCloudFormationStackSetAdministrationRole to enable use of AWS CloudFormation StackSets.
Resources:
  AdministrationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSCloudFormationStackSetAdministrationRole
      # Only the CloudFormation service itself may assume the administration role.
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      # The administration role may only assume the execution role in target accounts.
      Policies:
        - PolicyName: AssumeRole-AWSCloudFormationStackSetExecutionRole
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                Resource:
                  - "arn:*:iam::*:role/AWSCloudFormationStackSetExecutionRole"
AWSCloudFormationStackSetExecutionRole.yml
AWSTemplateFormatVersion: 2010-09-09
Description: Configure the AWSCloudFormationStackSetExecutionRole to enable use of your account as a target account in AWS CloudFormation StackSets.
Parameters:
  AdministratorAccountId:
    Type: String
    Description: AWS Account Id of the administrator account (the account in which StackSets will be created).
    MaxLength: 12
    MinLength: 12
Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSCloudFormationStackSetExecutionRole
      # Trust the administrator account, so its administration role can assume this role.
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref AdministratorAccountId
            Action:
              - sts:AssumeRole
      Path: /
      # Full administrative rights in the target account, as used by this lab.
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess
When deploying AWSCloudFormationStackSetExecutionRole.yml, enter your own AWS account ID as the AdministratorAccountId parameter (in this lab the administrator account and the target account are the same account):
After both templates have deployed successfully, you will have two stacks that create the necessary IAM roles:
Now is the time to create a StackSet. Go to the Frankfurt region, choose CloudFormation and press the "Create StackSet" button:
Upload the following template, which creates a security group that allows SSH access from a specific IP address:
---
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation Template for creating a security group
Resources:
  MySecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    # No VpcId is given, so the group is created in the default VPC of each target region.
    Properties:
      GroupDescription: Security Group for allowing SSH access
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 6.72.124.58/32 # Put your public IP address here
In the stack details, specify your AWS account ID and choose the London and Paris regions as deployment targets:
To speed up the deployment, choose the Parallel deployment option so both regions are processed at the same time:
Deploying the StackSet creates two security groups, one in London and one in Paris:
To delete the StackSet, you first need to delete the stack instances it manages:
During deletion, specify the account ID and the regions to delete from:
After the stack instances are deleted, you can delete the StackSet itself:
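The same create, deploy and teardown steps driven from the AWS CLI instead of the console, as an added example that is not part of the original lab. It assumes the two role stacks above are already deployed, that the security-group template is saved as sg.yml, that ACCOUNT_ID is exported by the caller, and it uses a stack set name (ssh-sg-lab) chosen for this example; it also refuses to deploy unless the template's CidrIp is a single-host /32, so a template accidentally opened to 0.0.0.0/0 is never pushed to every region at once.

```shell
# Added example, not from the original lab. Assumes the role stacks above exist,
# the security-group template is saved as sg.yml, and ACCOUNT_ID is exported.
set -eu
ADMIN_REGION="eu-central-1"           # Frankfurt: where the StackSet itself lives
TARGET_REGIONS="eu-west-2 eu-west-3"  # London and Paris: where stack instances go
STACK_SET="ssh-sg-lab"                # name chosen for this example
# Shape check: accept only a single-host IPv4 CIDR (a.b.c.d/32) for the SSH rule.
is_single_host_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/32$'
}
# Poll a StackSet operation until it finishes (the CLI has no waiter for these).
wait_for_operation() {
  while :; do
    status=$(aws cloudformation describe-stack-set-operation --region "$ADMIN_REGION" \
      --stack-set-name "$STACK_SET" --operation-id "$1" \
      --query 'StackSetOperation.Status' --output text)
    case "$status" in
      RUNNING|QUEUED|STOPPING) sleep 10 ;;
      SUCCEEDED) return 0 ;;
      *) echo "operation $1 finished with status $status" >&2; return 1 ;;
    esac
  done
}
deploy_lab() {
  cidr=$(sed -n 's/.*CidrIp: *\([0-9./]*\).*/\1/p' sg.yml)
  is_single_host_cidr "$cidr" || { echo "refusing to deploy CidrIp '$cidr'" >&2; exit 1; }
  # Self-managed permissions: the StackSet uses the two roles created earlier.
  aws cloudformation create-stack-set --region "$ADMIN_REGION" --stack-set-name "$STACK_SET" \
    --template-body file://sg.yml --permission-model SELF_MANAGED \
    --administration-role-arn "arn:aws:iam::${ACCOUNT_ID}:role/AWSCloudFormationStackSetAdministrationRole" \
    --execution-role-name AWSCloudFormationStackSetExecutionRole
  # Parallel region deployment, matching the "Parallel" option chosen in the console.
  op=$(aws cloudformation create-stack-instances --region "$ADMIN_REGION" \
    --stack-set-name "$STACK_SET" --accounts "$ACCOUNT_ID" --regions $TARGET_REGIONS \
    --operation-preferences RegionConcurrencyType=PARALLEL,MaxConcurrentPercentage=100 \
    --query OperationId --output text)
  wait_for_operation "$op"
}
# Teardown in the order the lab describes: stack instances first, then the StackSet.
cleanup_lab() {
  op=$(aws cloudformation delete-stack-instances --region "$ADMIN_REGION" \
    --stack-set-name "$STACK_SET" --accounts "$ACCOUNT_ID" --regions $TARGET_REGIONS \
    --no-retain-stacks --query OperationId --output text)
  wait_for_operation "$op"
  aws cloudformation delete-stack-set --region "$ADMIN_REGION" --stack-set-name "$STACK_SET"
}
case "${1:-}" in deploy) deploy_lab ;; cleanup) cleanup_lab ;; esac
```

Run it as `sh stackset-lab.sh deploy` and later `sh stackset-lab.sh cleanup`. Keep in mind that the execution role template above grants AdministratorAccess in every target account, so the CIDR guard limits what this particular template does, not what the role could do.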