CloudFormation Stacksets

March 28, 2022

StackSets is a CloudFormation feature designed to address the challenges of using Infrastructure as Code across multiple AWS accounts and/or AWS Regions. Creating the same resource manually in every Region and account is tedious and takes up a lot of time. It also needs constant monitoring and consistency when granting IAM permissions.

With StackSets, it is easy to define an AWS resource configuration in a CloudFormation template and then roll it out across multiple AWS accounts and/or Regions with a couple of clicks. This saves a lot of time, makes resource creation across multiple accounts and regions much simpler, and helps to give the right IAM permissions without an issue. It is easy to configure, and once done, it can be expanded by adding additional accounts and regions as per use-case.

Working:

Note: First, create an IAM Administration Role in Account A (Admin Account), choosing CloudFormation as the use case for other services, with the policy below. In the policy's Resource field, add the ARN of the Execution Role in Account B (Target Account), created below. Then create an IAM Execution Role in Account B (Target Account), also choosing CloudFormation as the use case for other services, with the right permissions (policy) as per use-case; if not, then give Full Admin Access. With Full Admin Access, whoever can assume the Execution Role has full control of Account B, so a policy limited to the resources the template creates is the safer choice.

Make sure to add Account A (root access), "AWS": "arn:aws:iam::1234567890:root", to the Trust Relationship of the Execution Role in Account B (Target Account). (Replace the number with your account ID.)
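The two roles described above, as an added example that is not part of the original post: Python code that builds the Administration Role policy and the Execution Role trust relationship, then audits the trust relationship to show what trusting Account A's root allows compared with trusting only the Administration Role. The account IDs and role names are constructed for illustration, and Condition blocks are not evaluated.

```python
import json

ADMIN_ACCT, TARGET_ACCT = "111111111111", "222222222222"  # constructed account IDs
ADMIN_ROLE, EXEC_ROLE = "StackSetAdminRole", "StackSetExecRole"  # hypothetical names

def admin_role_policy(target_acct, exec_role):
    """Account A admin role: may assume only the execution role in Account B."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{target_acct}:role/{exec_role}"}]}

def exec_trust_policy(principal_arn):
    """Account B execution role trust relationship for the given principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": principal_arn}}]}

def audit_trust(policy, admin_acct, admin_role):
    """Return (level, principal, reason) findings for an execution-role trust policy."""
    expected = f"arn:aws:iam::{admin_acct}:role/{admin_role}"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            parts = p.split(":")
            acct = parts[4] if len(parts) > 5 else p  # ARN or bare account ID
            if p == expected:
                continue  # exactly the StackSets admin role
            if p == "*":
                findings.append(("HIGH", p, "any AWS principal may assume the role"))
            elif acct != admin_acct:
                findings.append(("HIGH", p, "principal is outside the admin account"))
            elif p == acct or p.endswith(":root"):
                findings.append(("MEDIUM", p, "whole admin account trusted, not one role"))
            else:
                findings.append(("MEDIUM", p, "not the StackSets admin role"))
    return findings

if __name__ == "__main__":
    root = exec_trust_policy(f"arn:aws:iam::{ADMIN_ACCT}:root")
    scoped = exec_trust_policy(f"arn:aws:iam::{ADMIN_ACCT}:role/{ADMIN_ROLE}")
    print(json.dumps(admin_role_policy(TARGET_ACCT, EXEC_ROLE), indent=2))
    for name, pol in (("root", root), ("scoped", scoped)):
        print(name, audit_trust(pol, ADMIN_ACCT, ADMIN_ROLE))
```

With the root principal, every IAM identity in Account A that is allowed `sts:AssumeRole` on the Execution Role can use it; naming the Administration Role's ARN as the principal limits that to the StackSets role alone.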

  1. In Account A (Admin Account), open CloudFormation from the AWS console and click on StackSets from the left panel.
  2. Click on Create StackSet.
  3. Once opened, select the IAM admin role ARN that was created initially, and under IAM execution role name, type in the name of the Execution Role created initially.
  4. Further, it is possible to use your own template or one of the samples. Here, move ahead with the sample template (Enable AWS CloudTrail) and click Next.
  5. Name the StackSet, keep all the further configuration as it is, and click Next.
  6. Keep Configure StackSet options as it is and click
  7. Under Set Deployment options, select Deploy new stacks.
  8. Select Deploy stacks in accounts from Deployment location and type in Account ID (number) of Account B (Target Account).
  9. Specify the region in which the StackSet should be deployed. It is possible to select multiple regions for deployments.
  10. Keep Maximum concurrent accounts as 1.
    Note: The Maximum concurrent accounts setting deploys the Stacks concurrently based on the number mentioned. This is helpful when multiple regions are selected. The deployment will be completed in one region, and then it will move on to the second region. The higher the number, the faster the operation.
  11. Keep Failure tolerance as 0 and Region Concurrency as it is and click Next.
    Note: Failure tolerance is also helpful when multiple regions are selected. It tolerates failures up to the number mentioned. If the number is 0, a rollback starts right away.
  12. Review the entire configuration and click Submit.
  13. Once submitted, the StackSet Create operation will be initiated.
    Note: Confirm the status Running under the Operations tab. The status will be changed to Succeeded once the deployment is done. Open up the Stack instances tab to see details of stack deployment. Initially, the status of each Stack Instance is OUTDATED, indicating that the template has yet to be deployed to the stack; this will change to CURRENT after a successful deployment.
  14. The Stack has now been successfully created in Account B (Target Account).

Using StackSets, it was easily possible to create resources across accounts/regions. To clean up, first delete the Stacks from the StackSet, or else there will be an error. Once the Stacks are successfully deleted, select the created StackSet, and from the Actions section, select Delete StackSet.

Conclusion: 

CloudFormation Stackset makes it possible to create multiple resources across accounts and regions from one Administrator account with the right IAM permissions. This removes the huge task of creating the same resources manually and helps with consistency.

To know more about such services, see the Blogs.

Happy Reading 😊

Chaitanya Karadkhedkar
