cloudonaut
Home Blog Podcast YouTube Games Books Logout
Subscribe Logout

Automate CloudFormation StackSets with CloudFormation

Andreas Wittig – 13 May 2022

CloudFormation StackSets rollout CloudFormation stacks to all or some of your AWS accounts. Also, stack sets allow you to deploy stacks to multiple regions. Therefore, CloudFormation stack sets are a great way to deploy baseline configurations to multiple accounts and regions. For example, we use CloudFormation stack sets to roll out baseline monitoring to all accounts belonging to our AWS organization. But how do you maintain CloudFormation stack sets? Amazingly, AWS announced a CloudFormation resource to manage CloudFormation stack sets recently.

Manage CloudFormation stack sets in CloudFormation

The following CloudFormation template defines a stack set that deploys one of our open-source CloudFormation templates to configure a password policy in all AWS accounts of an organization.

Remember to enable stack sets for your organization before you proceed.

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  AccountPasswordPolicy:
    Type: 'AWS::CloudFormation::StackSet'
    Properties:
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
      # CallAs: DELEGATED_ADMIN # TODO uncomment line if you use an delegated administrator account to manage stack sets in your organization
      Capabilities:
      - 'CAPABILITY_IAM'
      PermissionModel: SERVICE_MANAGED
      StackInstancesGroup:
      - DeploymentTargets:
          OrganizationalUnitIds:
          - 'r-xxxx' # TODO replace with your organization id or unit id ou-xxxx-xxxxxxxx
        Regions:
        - 'us-east-1'
      StackSetName: 'account-password-policy'
      TemplateURL: !Sub 'https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v13.23.0/security/account-password-policy.yaml'

Just deploy a stack based on the above template in your organization’s management account (or delegated admin account), and that’s it.

Things that I like about the approach:

  • Whenever you add a new account to your organization, the stack set will deploy the CloudFormation stack automatically.
  • The CloudFormation template lets me easily update all stack sets and stacks by bumping the version in the TemplateURL.
  • Existing stack sets can be imported into CloudFormation to migrate manually managed stack sets.

Andreas Wittig

Andreas Wittig

I’ve been building on AWS since 2012 together with my brother Michael. We are sharing our insights into all things AWS on cloudonaut and have written the book AWS in Action. Besides that, we’re currently working on bucketAV,HyperEnv for GitHub Actions, and marbot.

Here are the contact options for feedback and questions.

Further reading