Leveraging the Power of AWS CloudFormation StackSets


Introduction

Whether you’re a startup or a large corporation, managing infrastructure at scale across multiple AWS accounts and regions can become a complex task. Enter AWS CloudFormation StackSets – a solution designed to ease this complexity. In this post, we’ll dive deep into the myriad benefits of using StackSets and how to create a StackSet that creates an IAM role across your AWS Organization. I have used this in the past to automate the creation of roles across hundreds of AWS accounts and then used that role to produce centralized automated reports (e.g. EC2 lists) against the whole Organization and within each AWS account. One of the silent benefits is that this service not only configures current accounts, but also future accounts without any further input.

Benefits

Centralized Multi-Account, Multi-Region Deployment

With the growing trend towards a multi-account AWS setup (often driven by AWS Control Tower/AWS Organizations), StackSets offers a seamless way to deploy CloudFormation stacks across different accounts and even across different regions from a central account. This means you can maintain a centralized control while deploying resources in decentralized accounts.

Consistent and Repeatable Deployments

Inconsistencies across environments can lead to a slew of operational nightmares. StackSets ensures that the same set of resources is being deployed consistently across all selected accounts and regions. This not only reduces errors but also ensures that environments are almost mirror images of each other.

Simplified Governance and Compliance

For industries with stringent compliance requirements, StackSets is a no-brainer. By leveraging StackSets with AWS Organizations’ service control policies (SCPs), you can enforce specific configurations across all accounts. This ensures every account adheres to the company’s governance framework and regulatory mandates.

Integrated with AWS Control Tower/Organizations

If you’re using AWS Control Tower or only AWS Organizations to manage multiple accounts, StackSets integrates seamlessly. This allows you to target specific organizational units (OUs) or even the entire organization, making it even easier to manage deployments at scale.

Simplified Operational Overhead

Imagine having to deploy a security group rule across thousands of accounts and regions manually. With StackSets, such tasks are dramatically simplified. Any updates to the master template automatically propagate to all associated stacks, ensuring that changes are consistent everywhere.

Reduces Error Surface

When operating at scale, even small mistakes can have large implications. By deploying stacks programmatically, the chance of human error – like misconfigurations or missed accounts – is drastically reduced.

Built-in Rollback Mechanisms

A critical feature of AWS CloudFormation is the ability to roll back changes if errors occur. StackSets extends this capability across multiple accounts and regions. If a StackSet deployment fails in one or more target accounts, AWS can automatically roll back the changes in all the affected accounts, ensuring environments remain stable.

Granular Control

Need to deploy a stack in specific accounts or regions? StackSets offers the flexibility to cherry-pick target Organizational Units, accounts, and regions. This means resources are deployed only where they are needed, allowing for efficient and cost-effective operations.

How-To

Goal

In this example, my goal is to use time-limited credentials from my management/payer account in my AWS Organization. These credentials are obtained whenever we sign in to the SSO site defined in your IAM Identity Center. Once the StackSet is created, I can use these time-limited credentials (comprised of the access key, secret access key, and session token) to assume the role, which has administrator rights (adjust this to meet your business needs), in all my current AWS accounts and future AWS accounts.

Steps

Create a local yaml file, which will be the CloudFormation template, with the following code:

AWSTemplateFormatVersion: '2010-09-09'
Description: Cross-Account Role with AdministratorAccess policy
Resources:
  CrossAccountRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: 'CrossAccountAdminRole'
      # Trust policy: only principals in the management account may assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - 'arn:aws:iam::123456789012:root'
            Action: 'sts:AssumeRole'
      # Permissions granted once the role is assumed
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AdministratorAccess'
  • Update RoleName to a name you would rather use
  • Update the Principal AWS account to your management account ID
  • Of course for the demo, I am using the AdministratorAccess policy; however please change this to the policy your business needs
  1. Log into your management/payer account
  2. Browse over to the CloudFormation console
  3. Click on StackSets in the left pane
  4. Click on Create StackSet
    1. Choose a template
      1. Permissions: Service-managed permissions
      2. Prerequisite – Prepare template: Template is ready
      3. Specify template: Upload a template file, Choose file, and browse to the yaml file from above; Next
    2. Specify StackSet details
      1. StackSet Name: Anything you want
      2. StackSet Description: Anything you want; Next
    3. Configure StackSet options
      1. Tags: Anything you want
      2. Execution configuration: Inactive; Next
    4. Set deployment options
      1. Add stacks to stack set: Deploy new stacks
      2. Deployment targets:
        1. Use either Deploy to organization which deploys this configuration to all accounts in your organization or
        2. Deploy to organizational units (OUs) which you can choose which OU you want to target
      3. Auto-deployment options
        1. Automatic deployment: activated
        2. Account removal behavior: Delete stacks
      4. Specify regions:
        1. Choose the region where this stack will be created in each of your accounts; Next
    5. Review
      1. Check the acknowledge box after reviewing your choices; Submit
  5. Verify the StackSet was created and click into it
    1. Stack instances: will show you where the process is currently at
    2. Operations: provides a status of where the process is currently at
  6. Once the StackSet has been completed, you should log into your other accounts and verify the IAM role was indeed created
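Once the role exists in every account, the centralized report mentioned in the introduction is a short script. The following is an added example (not code from the original post): it lists the Organization's active accounts, assumes CrossAccountAdminRole in each with the management account's IAM Identity Center credentials, and collects an EC2 inventory. It assumes the template above was deployed unchanged, that boto3 is installed, and that the time-limited credentials are present in the environment; the session name and report fields are my own choices.

```python
# Organization-wide EC2 inventory via the StackSet-created role. Added example,
# not from the original post; assumes RoleName CrossAccountAdminRole from the
# template above and the management account's IAM Identity Center credentials
# in the environment (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN).
ROLE_NAME = "CrossAccountAdminRole"  # must match RoleName in the template

def role_arn(account_id, role_name=ROLE_NAME):
    """ARN of the role the StackSet created in a member account."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def active_account_ids(org_client):
    """ACTIVE accounts only; suspended accounts no longer carry the stack."""
    ids = []
    for page in org_client.get_paginator("list_accounts").paginate():
        ids += [a["Id"] for a in page["Accounts"] if a["Status"] == "ACTIVE"]
    return sorted(ids)

def ec2_summary(ec2_client):
    """One row per instance, flattened out of the Reservations structure."""
    rows = []
    for page in ec2_client.get_paginator("describe_instances").paginate():
        for res in page["Reservations"]:
            for inst in res["Instances"]:
                rows.append({"InstanceId": inst["InstanceId"], "Type": inst["InstanceType"],
                             "State": inst["State"]["Name"]})
    return rows

def member_session(account_id, region):
    """Trade the management-account credentials for a 1-hour session in the member account."""
    import boto3  # deferred so the helpers above run without AWS installed
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn(account_id), RoleSessionName="org-ec2-inventory",
        DurationSeconds=3600)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"], region_name=region)

def organization_report(region):
    """Rows per account; an account that refuses AssumeRole is logged and skipped."""
    import boto3
    from botocore.exceptions import ClientError
    report = {}
    for acct in active_account_ids(boto3.client("organizations")):
        try:
            report[acct] = ec2_summary(member_session(acct, region).client("ec2"))
        except ClientError as err:  # e.g. the stack has not reached this account yet
            print(f"{acct}: skipped ({err.response['Error']['Code']})")
    return report
```

Run it with `organization_report("us-east-1")` from a shell holding the management account's SSO credentials; the region is the one chosen in "Specify regions" above.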

Conclusion

AWS CloudFormation StackSets fills a critical need for businesses operating in a multi-account, multi-region AWS environment. By providing centralized management, consistency, governance, and reducing both operational overheads and errors, StackSets proves itself as an indispensable tool in the cloud practitioner’s arsenal.

Whether you’re scaling your infrastructure, ensuring compliance, or simply wanting to streamline AWS resource management, StackSets should be on your radar.
