A StackSet is a set of CloudFormation stacks that can easily be deployed to multiple AWS accounts and/or multiple AWS regions. Before, each stack had to be deployed separately and custom scripts were required to orchestrate deploying to multiple accounts/regions. Therefore, this feature is bound to make the lives of AWS administrators a bit easier.
There are loads of use cases for deploying stacks to multiple locations. For example, it’s considered a best practice to enable AWS Config in every region. This service keeps track of resources in an AWS account and changes to those resources. AWS Config needs to be enabled in every region separately, so a CloudFormation stack is required for every region.
Another use case is sandbox account. If you have a set of sandbox accounts for software engineers in your company, you want to keep these accounts in the same state. Instead of provision CloudFormation stacks in every account separately, you can now use a single StackSet to provision all accounts with a single API call.
The feature announcement from AWS already included for how to set this up through the AWS Console. Us AWS pros of course want to provision our accounts automatically, so let’s see how we can use the newly added AWS CLI methods to provision a StackSet in multiple regions.
You can create a stack set in either the AWS Management Console, or by using AWS CloudFormation commands in the AWS CLI.
To create a stack set by using the AWS Management Console
- Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.
- In this page, choose StackSets, and then choose Create stack set.
- On the Select template page of the Create stack set wizard, choose Select a sample template from the following templates. Choose the Enable AWS Config sample template, and then choose Next.
- On the Specify details page provide the name of stack set and provide the specific values for parameters that used by AWS Config. To know about the parameters, refer Setting up AWS Config with the Console
- In the Delivery Channel Configuration area, you can configure the delivery channel for updates and notifications. To know about the parameters, refer Managing the Delivery Channel
- In the Delivery Notifications area, you can configure Amazon Simple Notification Service (SNS) updates by email, based on log content.
- When you are finished specifying parameters for AWS Config, choose Next.
- On the Set deployment options page, provide the accounts and regions into which you want stacks in your stack set deployed. AWS CloudFormation deploys stacks in the specified accounts within the first region, then moves on to the next, and so on, as long as a region’s deployment failures do not exceed a specified failure tolerance.
In the Accounts area, choose Deploy stacks in accounts. Paste your target account numbers in the text box, separating multiple numbers with commas.
In the Regions area, choose US West (Oregon) Region and then choose Add. Repeat for the US East (N. Virginia) Region. US West (Oregon) Region should be first in the Deployment order box.
In the Preferences area, keep the default value of 1 and By number for Maximum concurrent accounts. This means that AWS CloudFormation deploys your stack in only one account at one time. Keep Failure tolerance at the default value of 0, and keep the By number default option. This means that a maximum of one stack deployment can fail in one of your specified regions before AWS CloudFormation stops deployment in the current region, and cancels deployment in remaining regions. Choose Next.
- On the Tags page, add a tag by specifying a key and value pair. In this walkthrough, we create a tag called Stage, with a value of Test. Tags that you apply to stack sets are applied to all resources that are created by your stacks. hoose Next.
- On the Review page, review your choices and your stack set’s properties. To make changes, choose Edit in the area in which you want to change properties. Before you can create the stack set, you must fill the check box in the Capabilities area to acknowledge that some of the resources that you are creating with the stack set might require new IAM resources and permissions. When you are are ready to create your stack set, choose Create.
Note: For more information about potentially required permissions, see Acknowledging IAM Resources in AWS CloudFormation Templates in this guide.
- AWS CloudFormation starts creating your stack set.
CloudFormation StackSets is certainly a welcome new feature that will make the lives for AWS administrators easier. Of course, this is just the first version of this great new functionality. I’m hoping the following limitations are already somewhere on the roadmap to be addressed:
- Only a single set of parameters can be defined. Consider the use case of Sandbox environments that all have non-overlapping VPCs CIDR blocks: we’d like to provide different blocks per account. Currently, that’s not possible by specifying different parameters to our Stack instances. Dozens of other use cases exist where this would make sense.
- There is no way to specify “ALL” AWS regions. This would be great for both readability and maintainability.
- It’s possible to specify the order in which stacks are deployed to accounts/regions. This allows you to provision a stack to a staging environment first before provisioning it to production (you can configure it to stop on failure). However, even better would be if we could run an automated test in-between those two deployments. Of course, this is something that is possible in AWS CodePipeline but with that tool, some hacking is required to set it up multi-account/multi-region. In other words: if AWS would somehow bring these two tools closer together, we would get the best of both worlds.
Read More: AWS CloudFormation Tutorial