Create AWS CloudFormation StackSets with self-managed permissions
This topic describes how to create StackSets with self-managed permissions to deploy stacks across AWS accounts and Regions.
Note
Before you continue, create the IAM service roles required by StackSets to establish a trusted relationship between the account you're administering the StackSet from and the account you're deploying stacks to. For more information, see Grant self-managed permissions.
Create a StackSet with self-managed permissions (console)
To create a StackSet
- Sign in to the AWS Management Console and open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.
- On the navigation bar at the top of the screen, choose the AWS Region that you want to manage the StackSet from.
- From the navigation pane, choose StackSets.
- From the top of the StackSets page, choose Create StackSet.
- Under Permissions, choose Self-service permissions, then enter the IAM admin role ARN and the IAM execution role name that you created for self-managed permissions.
- Under Prerequisite - Prepare template, choose Template is ready.
- Under Specify template, choose to either specify the URL for the S3 bucket that contains your stack template or upload a stack template file. Then, choose Next.
- On the Specify StackSet details page, provide a name for the StackSet, specify any parameters, and then choose Next.
-
- On the Configure StackSet options page, under Tags, specify any tags to apply to resources in your stack. For more information about how tags are used in AWS, see Organizing and tracking costs using AWS cost allocation tags in the AWS Billing and Cost Management User Guide.
- For Execution configuration, choose Active to enable CloudFormation's optimized operation handling:
  - Non-conflicting operations run concurrently for faster deployment times.
  - Conflicting operations are automatically queued and processed in the order they were requested.
  While operations are running or queued, CloudFormation queues all incoming operations even if they're non-conflicting. You can't change execution settings during this time.
- If your template contains IAM resources, for Capabilities, choose I acknowledge that this template may create IAM resources to confirm that you want the template to create them. For more information, see Acknowledging IAM resources in CloudFormation templates.
- Choose Next.
-
- On the Set deployment options page, for Add stacks to StackSet, choose Deploy new stacks.
- For Accounts, choose Deploy stacks in accounts. Paste your target AWS account IDs in the text box, separating multiple IDs with commas.
Note
You can include your administrator account ID if you want to deploy stacks in that account as well.
- Under Specify regions, choose the Regions you want to deploy stacks in.
- For Deployment options, do the following:
  - For Maximum concurrent accounts, specify how many accounts are processed concurrently.
  - For Failure tolerance, specify the maximum number of account failures allowed per Region. Once this limit is reached, the operation stops in that Region and doesn't proceed to any remaining Regions.
  - For Region concurrency, choose how to process Regions: Sequential (one Region at a time) or Parallel (multiple Regions concurrently).
  - For Concurrency mode, choose how concurrency behaves during operation execution:
    - Strict failure tolerance – Dynamically lowers the account concurrency level when failures occur, so that the number of failed accounts never exceeds Failure tolerance + 1. This is the default; it keeps a failing deployment from reaching more accounts than you have agreed to tolerate.
    - Soft failure tolerance – Keeps the concurrency level you specified (the value of Maximum concurrent accounts) regardless of failures. Failure tolerance still determines when the operation stops, but it no longer throttles concurrency.
- Choose Next.
- On the Review page, review your choices. To make changes, choose Edit on the related section.
- When you are ready to create your StackSet, choose Submit.
CloudFormation starts creating your StackSet. View the progress and status of the stacks in your StackSet on the StackSet details page that opens when you choose Submit.
Create a StackSet with self-managed permissions (AWS CLI)
Follow the steps in this section to use the AWS CLI to:
- Create the StackSet container.
- Deploy stack instances.
To create a StackSet
- Use the create-stack-set command to create a new StackSet named my-stackset. The following example uses a template stored in an S3 bucket and includes a parameter that sets KeyPairName to the value TestKey.
aws cloudformation create-stack-set \
  --stack-set-name my-stackset \
  --template-url https://s3.region-code.amazonaws.com/amzn-s3-demo-bucket/MyApp.template \
  --parameters ParameterKey=KeyPairName,ParameterValue=TestKey
- After your create-stack-set command is finished, run the list-stack-sets command to see that your StackSet has been created. You should see your new StackSet in the results.
aws cloudformation list-stack-sets
- Use the create-stack-instances command to deploy stacks within your StackSet. The following example deploys stacks in two AWS accounts (account_ID_1 and account_ID_2) across two Regions (us-west-2 and us-east-1).
Set concurrent account processing and other deployment preferences using the --operation-preferences option. This example uses count-based settings. Note that in the default concurrency mode (strict failure tolerance), MaxConcurrentCount must not exceed FailureToleranceCount + 1. For percentage-based settings, use FailureTolerancePercentage or MaxConcurrentPercentage instead.
aws cloudformation create-stack-instances \
  --stack-set-name my-stackset \
  --accounts account_ID_1 account_ID_2 \
  --regions us-west-2 us-east-1 \
  --operation-preferences MaxConcurrentCount=1,FailureToleranceCount=0
For more information, see CreateStackInstances in the AWS CloudFormation API Reference.
- Use the describe-stack-set-operation command to verify that your stacks were created successfully. For the --operation-id option, specify the operation ID that was returned as part of the create-stack-instances output. The operation's Status is SUCCEEDED when every stack instance was created; if it is FAILED or STOPPED, run list-stack-set-operation-results with the same operation ID to see which accounts and Regions failed.
aws cloudformation describe-stack-set-operation \
  --stack-set-name my-stackset \
  --operation-id operation_ID
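The following script is an added example and is not part of the AWS documentation or the CloudFormation CLI itself. It wraps the CLI steps above in functions that validate the inputs before any call to aws is made: it checks that every target is a 12-digit account ID, enforces the MaxConcurrentCount <= FailureToleranceCount + 1 rule for strict failure tolerance, builds the --operation-preferences value, and then polls describe-stack-set-operation until the operation reaches a terminal state instead of assuming success. The function names, the AWS_CLI override, the STACKSET_DEMO_RUN switch and the 111111111111/222222222222 account IDs are placeholders chosen for this example; the StackSet name, template URL, parameter and Regions are the ones used on this page.

```shell
#!/bin/sh
# Added example (not AWS documentation): validate inputs, then run the StackSet
# deployment and wait for the operation. AWS_CLI, STACKSET_DEMO_RUN, the function
# names and the 1111.../2222... account IDs are this script's own placeholders.

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Every target must be a 12-digit AWS account ID; a typo here would otherwise
# surface only when role assumption fails in that account mid-operation.
check_account_ids() {
  for id in "$@"; do
    if ! is_uint "$id" || [ "${#id}" -ne 12 ]; then
      echo "invalid AWS account ID: $id" >&2
      return 1
    fi
  done
  return 0
}

# Count-based preferences. In STRICT_FAILURE_TOLERANCE (the default) MaxConcurrentCount
# must not exceed FailureToleranceCount + 1; SOFT_FAILURE_TOLERANCE has no such bound.
check_operation_preferences() {
  mode=$1 max_concurrent=$2 failure_tolerance=$3
  is_uint "$max_concurrent" && is_uint "$failure_tolerance" ||
    { echo "counts must be non-negative integers" >&2; return 1; }
  [ "$max_concurrent" -ge 1 ] ||
    { echo "MaxConcurrentCount must be at least 1" >&2; return 1; }
  case "$mode" in
    STRICT_FAILURE_TOLERANCE)
      [ "$max_concurrent" -le $((failure_tolerance + 1)) ] ||
        { echo "MaxConcurrentCount $max_concurrent exceeds FailureToleranceCount + 1" >&2; return 1; } ;;
    SOFT_FAILURE_TOLERANCE) ;;
    *) echo "unknown ConcurrencyMode: $mode" >&2; return 1 ;;
  esac
  return 0
}

# Builds the --operation-preferences value. RegionConcurrencyType is SEQUENTIAL or PARALLEL.
operation_preferences() {
  mode=$1 max_concurrent=$2 failure_tolerance=$3 region_concurrency=${4:-SEQUENTIAL}
  check_operation_preferences "$mode" "$max_concurrent" "$failure_tolerance" || return 1
  case "$region_concurrency" in
    SEQUENTIAL|PARALLEL) ;;
    *) echo "unknown RegionConcurrencyType: $region_concurrency" >&2; return 1 ;;
  esac
  printf 'MaxConcurrentCount=%s,FailureToleranceCount=%s,RegionConcurrencyType=%s,ConcurrencyMode=%s\n' \
    "$max_concurrent" "$failure_tolerance" "$region_concurrency" "$mode"
}

# Polls describe-stack-set-operation until the operation leaves RUNNING, QUEUED or
# STOPPING. Returns 0 only for SUCCEEDED. AWS_CLI lets a caller substitute a stub.
wait_for_operation() {
  stack_set=$1 op_id=$2 interval=${3:-15}
  while :; do
    status=$(${AWS_CLI:-aws} cloudformation describe-stack-set-operation \
      --stack-set-name "$stack_set" --operation-id "$op_id" \
      --query 'StackSetOperation.Status' --output text) || return 1
    case "$status" in
      RUNNING|QUEUED|STOPPING) sleep "$interval" ;;
      SUCCEEDED) echo "operation $op_id succeeded"; return 0 ;;
      *) echo "operation $op_id ended with status: $status" >&2; return 1 ;;
    esac
  done
}

# End to end: create the StackSet container, deploy instances, wait for the result.
deploy_stackset() {
  stack_set=$1 template_url=$2; shift 2        # remaining arguments are account IDs
  check_account_ids "$@" || return 1
  prefs=$(operation_preferences STRICT_FAILURE_TOLERANCE 1 0 SEQUENTIAL) || return 1
  ${AWS_CLI:-aws} cloudformation create-stack-set \
    --stack-set-name "$stack_set" --permission-model SELF_MANAGED \
    --template-url "$template_url" \
    --parameters ParameterKey=KeyPairName,ParameterValue=TestKey || return 1
  op_id=$(${AWS_CLI:-aws} cloudformation create-stack-instances \
    --stack-set-name "$stack_set" --accounts "$@" --regions us-west-2 us-east-1 \
    --operation-preferences "$prefs" --query OperationId --output text) || return 1
  wait_for_operation "$stack_set" "$op_id"
}

# Only touch AWS when explicitly asked, so the functions can be sourced and tested offline.
if [ "${STACKSET_DEMO_RUN:-0}" = "1" ]; then
  deploy_stackset my-stackset \
    https://s3.region-code.amazonaws.com/amzn-s3-demo-bucket/MyApp.template \
    111111111111 222222222222
fi
```

Run it with STACKSET_DEMO_RUN=1 and valid credentials for the administrator account to perform the deployment; without that variable it only defines the functions. The script validates what it can see on the command line; it cannot verify that the execution role in each target account trusts only your administration account, which is the trust relationship the note at the top of this page asks you to establish before you begin.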