CloudFormation Stacksets

Stack sets are one of the features of CloudFormation, designed to help address the challenges while using Infrastructure as Code in situations that include multiple AWS accounts and/or AWS Regions. Creating the same resource manually across Regions and Accounts is tedious and takes up a lot of time; it even needs constant monitoring and consistency while granting IAM permissions.

With Stacksets, it is easy to define an AWS resource configuration in a CloudFormation template and then roll it out across multiple AWS accounts and or Regions with a few clicks. This saves a lot of time, makes resource creation across multiple accounts and regions much simpler, and helps to give the right IAM permissions without an issue. It is easy to configure, and once done; it can be expanded by adding additional accounts and regions as per the use case.

Working:

Note: First, Create an IAM Administration Role keeping CloudFormation as a use case for other services in Account A (Admin Account) with the policy below. Add ARN of the Execution Role in Account B (Target Account) created below in the Resource field. Create an IAM Execution Role keeping CloudFormation as a use case for other services in Account B (Target Account) with the correct permissions (policy) as per use-case. If not, then give Full Admin Access.

Make sure to add (root access) of Account A \”AWS\”: \”arn:aws:iam::1234567890:root\” in the Trust Relationship of Account B (Target Account). (Replace the number with your account ID).

1. In Account A (Admin Account), open CloudFormation from the AWS console and click on StackSets from the left panel.
2. Click on Create StackSet.
3. Once opened, select IAM admin role ARN, created initially, and type in Execution role name created initially, under IAM execution role name.
4. Further, using our own template or one of the samples is possible. Move ahead with the sample template (Enable AWS Cloudtrail) and click Next.
5. Name the StackSet, keep all the further configuration as it is, and click Next.
6. Keep Configure StackSet options as it is, and click Next.
7. Under Set Deployment options, select Deploy new stacks.
8. Select Deploy stacks in accounts from Deployment location and type in Account ID (number) of Account B (Target Account).
9. Specify the region in which the StackSet should be deployed. It is possible to select multiple regions for deployments.
10. Keep Maximum concurrent accounts as 1.
    Note: The Maximum concurrent accounts deploy the Stacks concurrently based on the number mentioned. This is helpful when multiple regions are selected. The deployment will be completed in one region and then moved to the second region. The higher the number, the faster the operation.
11. Keep Failure tolerance as 0 and Region Concurrency as it is and click Next.
    Note: Failure tolerance is also helpful when multiple regions are selected. It will tolerate the fault based on the number mentioned. It will start a rollback right away if the number is 0.
12. Review the entire configuration and click Submit.
13. Once submitted, the StackSet Create operation will be initiated.
    Note: Confirm the status Running under the Operations tab. The status will be changed to Succeeded once the deployment is done. Open up the Stack instances tab to see details of stack deployment. Initially, the status of each Stack Instance is OUTDATED, indicating that the template has yet to be deployed to the stack; this will change to CURRENT after a successful deployment.
14. The Account B (Target Account) in which the Stack has successfully been created. Using StackSets, creating resources across accounts/regions was easily possible. Further to clean up, first delete the Stacks from StackSets, or else there will be an error. Once Stacks are successfully deleted, Select the created StackSet, and from the Actions section, select Delete StackSet.

Conclusion: 

CloudFormation Stackset makes it possible to create multiple resources across accounts and regions from one Administrator account with the right IAM permissions. This removes the huge task of creating the same resources manually and helps with consistency.

To know more about such services, see the Blogs.

Happy Reading 😊

Chaitanya Karadkhedkar