Automate CloudFormation StackSets with CloudFormation

Andreas Wittig – 13 May 2022

CloudFormation StackSets roll out CloudFormation stacks to all or some of the AWS accounts in your organization, and to multiple regions at once. Therefore, CloudFormation stack sets are a great way to deploy baseline configurations to multiple accounts and regions. For example, we use CloudFormation stack sets to roll out baseline monitoring to all accounts belonging to our AWS organization. But how do you maintain the CloudFormation stack sets themselves? Recently, AWS announced a CloudFormation resource (AWS::CloudFormation::StackSet) that lets you manage stack sets with CloudFormation.

Manage CloudFormation stack sets in CloudFormation

The following CloudFormation template defines a stack set that deploys one of our open-source CloudFormation templates, which configures an account password policy, to all AWS accounts of an organization.


Remember to enable trusted access for stack sets in your AWS organization before you proceed; without it, the SERVICE_MANAGED permission model used below cannot deploy into member accounts.

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  AccountPasswordPolicy:
    Type: 'AWS::CloudFormation::StackSet'
    Properties:
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
      # CallAs: DELEGATED_ADMIN # TODO uncomment this line if you use a delegated administrator account to manage stack sets in your organization
      Capabilities:
      - 'CAPABILITY_IAM'
      PermissionModel: SERVICE_MANAGED
      StackInstancesGroup:
      - DeploymentTargets:
          OrganizationalUnitIds:
          - 'r-xxxx' # TODO replace with your organization root id (r-xxxx) or an organizational unit id (ou-xxxx-xxxxxxxx)
        Regions:
        - 'us-east-1'
      StackSetName: 'account-password-policy'
      TemplateURL: !Sub 'https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v13.23.0/security/account-password-policy.yaml'

Just deploy a stack based on the above template in your organization's management account (or in the delegated administrator account), and that's it.

Things that I like about the approach:

  • Whenever you add a new account to your organization, the stack set will deploy the CloudFormation stack automatically.
  • The CloudFormation template lets me easily update all stack sets and stacks by bumping the version in the TemplateURL.
  • Existing stack sets can be imported into CloudFormation to migrate manually managed stack sets.
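As an added example (not part of the article and not cloudonaut's code), the following Python script builds the same kind of stack set resource programmatically, runs the checks a reviewer would want before a template is pushed to every account in an organization (SERVICE_MANAGED paired with AutoDeployment, an https TemplateURL that pins a release version, well-formed root or OU ids, at least one region), and re-pins the version to prepare the update described above. It uses only the standard library and emits JSON, which CloudFormation accepts interchangeably with YAML; the ids and version numbers it uses are constructed placeholders, and the id patterns follow the r-xxxx / ou-xxxx-xxxxxxxx shapes mentioned in the template comment.

```python
"""Generate, check, and version-bump a CloudFormation template that manages a
SERVICE_MANAGED stack set (added example, not the article's own code)."""
import json
import re

# Root ids look like r-xxxx, organizational unit ids like ou-xxxx-xxxxxxxx.
TARGET_ID_RE = re.compile(r"^(r-[a-z0-9]{4,32}|ou-[a-z0-9]{4,32}-[a-z0-9]{8,32})$")
# The release URLs pin an explicit version path segment such as /v13.23.0/.
VERSION_RE = re.compile(r"/v(\d+)\.(\d+)\.(\d+)/")


def build_stack_set_template(stack_set_name, template_url, target_ids, regions,
                             delegated_admin=False, logical_id="AccountPasswordPolicy"):
    """Return a CloudFormation template (as a dict) with one StackSet resource."""
    props = {
        "StackSetName": stack_set_name,
        "PermissionModel": "SERVICE_MANAGED",
        # AutoDeployment is what makes new member accounts receive the stack.
        "AutoDeployment": {"Enabled": True, "RetainStacksOnAccountRemoval": False},
        "Capabilities": ["CAPABILITY_IAM"],
        "StackInstancesGroup": [
            {"DeploymentTargets": {"OrganizationalUnitIds": list(target_ids)},
             "Regions": list(regions)}
        ],
        "TemplateURL": template_url,
    }
    if delegated_admin:
        # Set when the stack is created from a delegated administrator account.
        props["CallAs"] = "DELEGATED_ADMIN"
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {logical_id: {"Type": "AWS::CloudFormation::StackSet",
                                   "Properties": props}},
    }


def check_stack_set_template(template):
    """Return a list of findings; an empty list means every StackSet passed."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::CloudFormation::StackSet":
            continue
        p = res.get("Properties", {})
        if p.get("PermissionModel") == "SERVICE_MANAGED" and "AutoDeployment" not in p:
            findings.append(f"{name}: SERVICE_MANAGED stack set without AutoDeployment")
        url = p.get("TemplateURL", "")
        if not url.startswith("https://"):
            findings.append(f"{name}: TemplateURL must use https")
        if not VERSION_RE.search(url):
            findings.append(f"{name}: TemplateURL does not pin a release version")
        for group in p.get("StackInstancesGroup", []):
            targets = group.get("DeploymentTargets", {}).get("OrganizationalUnitIds", [])
            for tid in targets:
                if not TARGET_ID_RE.match(tid):
                    findings.append(f"{name}: '{tid}' is not a root or OU id")
            if not group.get("Regions"):
                findings.append(f"{name}: instance group lists no regions")
    return findings


def bump_template_version(template, new_version):
    """Return a deep copy with every StackSet TemplateURL re-pinned to new_version."""
    out = json.loads(json.dumps(template))
    for res in out["Resources"].values():
        if res["Type"] == "AWS::CloudFormation::StackSet":
            url = res["Properties"]["TemplateURL"]
            res["Properties"]["TemplateURL"] = VERSION_RE.sub(f"/v{new_version}/", url, count=1)
    return out


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own root/OU id and regions.
    template = build_stack_set_template(
        "account-password-policy",
        "https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/"
        "v13.23.0/security/account-password-policy.yaml",
        ["r-exmp"], ["us-east-1"])
    print(json.dumps(template, indent=2))
    print("findings:", check_stack_set_template(template))
```

Running the script prints the generated template and an empty findings list; feeding the output to a stack in the management account is equivalent to deploying the YAML above. Checking the template before deployment matters here because a stack set with AutoDeployment fans out to every current and future account under the targeted root or OU, so a wrong target id or an unpinned TemplateURL is an organization-wide change rather than a single-account one.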
