CloudFormation StackSets
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed drift detection in CloudFormation.
https://cloudaffaire.com/cloudformation-drift-detection/
In this blog post, we are going to discuss StackSets in CloudFormation.
CloudFormation StackSets:
AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation.
StackSets Components:
Administrator and target accounts:
An administrator account is the AWS account in which you create stack sets. A target account is the account into which you create, update, or delete one or more stacks in your stack set. Before you can use a stack set to create stacks in a target account, you must set up a trust relationship between the administrator and target accounts through IAM roles. The role in your administrator account must be named AWSCloudFormationStackSetAdministrationRole and the role in each of your target accounts must be named AWSCloudFormationStackSetExecutionRole.
Stack sets:
A stack set lets you create stacks in AWS accounts across regions by using a single AWS CloudFormation template. All the resources included in each stack are defined by the stack set’s AWS CloudFormation template. As you create the stack set, you specify the template to use, as well as any parameters and capabilities that template requires.
Stack instances:
A stack instance is a reference to a stack in a target account within a region.
Next, we are going to create a StackSet in CloudFormation.
Prerequisite for this demo:
Two AWS accounts (an administrator account and a target account), with root access to one of them.
Step 1: Login to the AWS console using the administrator account (root user) and create an IAM role named ‘AWSCloudFormationStackSetAdministrationRole’ with an inline policy named ‘AssumeRole-AWSCloudFormationStackSetExecutionRole’ having the policy below:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": [ "sts:AssumeRole" ],
    "Resource": [ "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole" ],
    "Effect": "Allow"
  }]
}
And the trust relationship below:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "cloudformation.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
Or you can use the AWSCloudFormationStackSetAdministrationRole.yaml CloudFormation template to create the role, policy and trust relationship automatically in your administrator account.
https://github.com/CloudAffaire/CloudFormation
Step 2: Login to the target account and create an IAM role named ‘AWSCloudFormationStackSetExecutionRole’ with the AdministratorAccess policy attached and the trust relationship below:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::<ADMINISTRATOR_ACCOUNT_ID>:root" },
    "Action": "sts:AssumeRole"
  }]
}
Replace <ADMINISTRATOR_ACCOUNT_ID> with the 12-digit account ID of your administrator account, so that only that account can assume the execution role.
Note: In this demo, we are granting admin access to the IAM role in the target account so that it can create and deploy any stack. You can take a more restrictive approach.
You can also use the AWSCloudFormationStackSetExecutionRole.yaml CloudFormation template to create the role, attach the policy and set up the trust relationship automatically in your target account.
https://github.com/CloudAffaire/CloudFormation
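Because the execution role from Step 2 carries AdministratorAccess, the two policy documents above are worth checking before they go in. The following is an added example (not code from the post or from the CloudAffaire repository) that lints the Step 1 inline policy and the Step 2 trust policy offline; the embedded documents are constructed samples and 111122223333 is a placeholder administrator account ID.

```python
import json

# Constructed sample documents, modelled on the ones in this post.
# 111122223333 is a placeholder administrator account ID, not a real one.
ADMIN_ACCOUNT_ID = "111122223333"
ADMIN_ROLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": ["sts:AssumeRole"],
  "Resource": ["arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"]}]}""")
EXECUTION_ROLE_TRUST_OK = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "sts:AssumeRole"}]}""")
# Same trust policy with a wildcard principal: any AWS account could assume it.
EXECUTION_ROLE_TRUST_BAD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}""")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_admin_policy(policy):
    """Findings for the administration role's inline policy: it should allow
    nothing but sts:AssumeRole into the StackSet execution role."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"admin policy allows more than sts:AssumeRole: {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.endswith(":role/AWSCloudFormationStackSetExecutionRole"):
                findings.append(f"admin policy can assume a non-StackSet role: {resource}")
    return findings


def check_execution_trust(trust, admin_account_id):
    """Findings for the execution role's trust policy: only the administrator
    account may assume it, because the role carries AdministratorAccess."""
    findings = []
    for stmt in _as_list(trust.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p != admin_account_id and not p.startswith(f"arn:aws:iam::{admin_account_id}:"):
                findings.append(f"execution role trusts unexpected principal: {p}")
    return findings
```

An empty findings list means the document matches what the two steps above call for; anything else is worth fixing before the stack set is created.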
Next, we are going to create a StackSet in our administrator account.
Step 3: Login to the AWS console using the administrator account and navigate to ‘CloudFormation’.
Step 4: Navigate to ‘StackSets’ and click ‘Create StackSet’.
Step 5: Upload stacksets_demo.yaml and click ‘Next’.
You can download stacksets_demo.yaml from the GitHub repo below.
https://github.com/CloudAffaire/CloudFormation
Step 6: Provide the StackSet name and description and click ‘Next’.
Step 7: Select the IAM role created in step 1 and click ‘Next’.
Step 8: Provide the target account number and the region where you want to deploy the stack and click ‘Next’. Review the StackSet and click ‘Submit’.
Note: This will also deploy the stack in the target account’s ‘Mumbai’ region.
The StackSet has been created successfully in the administrator account.
You can also login to the target account to check the stack status.
Step 9: Cleanup.
Login to your administrator account and navigate to StackSets under CloudFormation. Select the StackSet that you want to delete and, from ‘Actions’, click ‘Delete stacks from StackSet’.
Note: This will also delete the underlying resources from the target account.
Finally, delete the StackSet once it is empty.
Hope you have enjoyed this article. In the next blog post, we will discuss how to share information between stacks using stack export.
To get more details on CloudFormation, please refer to the AWS documentation below:
https://docs.aws.amazon.com/cloudformation/index.html