Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Integrate AWS CloudFormation StackSets for AWS Organizations as part of `cdk deploy`

See original GitHub issue

I’d like to be able to configure Stacks to be part of a StackSet that is deployed to my AWS Organization.

AWS CloudFormation StackSets introduces automatic deployments across accounts and regions through AWS Organizations

Use Case

I want to make use of CloudFormation features provided by the AWS team rather than attempting to roll my own CodePipeline to address the rollout of CloudFormation templates generated from CDK.

Proposed Solution


const stackSet = new cloudformation.StackSet(this, 'MyStackSet', {
   permissionModel: 'SERVICE_MANGED',
   autoDeployment: true,
   retainStacksOnAccountRemoval: true,
   deploymentTargets: {
         organizationalUnitIds: ["ou-rcuk-1x5j1lwo", "ou-rcuk-slr5lh0a"]
   },
  regions: ["eu-west-1"]
});

const stack = new cdk.Stack(app, 'MultipleAccountsStack');

stackSet.add(stack);

This is a 🚀 Feature Request

Issue Analytics

State:
Created 4 years ago
Reactions:44
Comments:5 (1 by maintainers)

Top GitHub Comments

6reactions

IndikaUdagedaracommented, Aug 20, 2020

Having this would be a nice feature! I ended up creating a StackSet construct with custom resources. I believe CDK will also have to implement something similar (i.e. consume Cloudformation stack set API directly) to add this feature…

import * as cdk from "@aws-cdk/core";
import { Construct, CfnOutput, Stack } from "@aws-cdk/core";
import * as cloudtrail from "@aws-cdk/aws-cloudtrail";
import * as sns from "@aws-cdk/aws-sns";
import {
  Bucket,
  BucketPolicy,
  BlockPublicAccess,
  BucketAccessControl,
} from "@aws-cdk/aws-s3";

import {
  PolicyStatement,
  Effect,
} from "@aws-cdk/aws-iam";
import { ITopic } from "@aws-cdk/aws-sns";
import {
  AwsCustomResource,
  PhysicalResourceId,
  AwsCustomResourcePolicy,
} from "@aws-cdk/custom-resources";

interface StackSetProps extends cdk.StackProps {
  templateURL: string;
  orgUnitIds: string[];
  regions: string[]
  name: string;
}

export class StackSet extends Construct {
  constructor(scope: Construct, id: string, props: StackSetProps) {
    super(scope, id);

    const rolePolicy = AwsCustomResourcePolicy.fromStatements([
      new PolicyStatement({
        effect: Effect.ALLOW,
        actions: ["s3:ListBucket"],
        resources: ["arn:aws:s3:::cdktoolkit-stagingbucket*"],
      }),
      new PolicyStatement({
        effect: Effect.ALLOW,
        actions: ["s3:GetObject"],
        resources: ["arn:aws:s3:::cdktoolkit-stagingbucket*/*"],
      }),
      new PolicyStatement({
        effect: Effect.ALLOW,
        actions: ["cloudformation:*"],
        resources: ["*"],
      }),
    ]);

    const stackSet = new AwsCustomResource(this, props.name, {
      onCreate: {
        service: "CloudFormation",
        action: "createStackSet",
        physicalResourceId: PhysicalResourceId.of(props.name),
        parameters: {
          StackSetName: props.name,
          TemplateURL: props.templateURL,
          PermissionModel: "SERVICE_MANAGED",
          AutoDeployment: {
            Enabled: true,
            RetainStacksOnAccountRemoval: true,
          },
        },
      },
      onDelete: {
        service: "CloudFormation",
        action: "deleteStackSet",
        parameters: {
          StackSetName: props.name,
        },
      },
      policy: rolePolicy,
    });

    const stackInstancesName = `${props.name}-Instances`;
    const stackInstances = new AwsCustomResource(this, stackInstancesName, {
      onCreate: {
        service: "CloudFormation",
        action: "createStackInstances",
        physicalResourceId: PhysicalResourceId.of(stackInstancesName),
        parameters: {
          Regions: [Stack.of(this).region],
          StackSetName: props.name,
          DeploymentTargets: {
            OrganizationalUnitIds: props.orgUnitIds,
          },
          OperationPreferences: {
            MaxConcurrentCount: 4,
            FailureTolerancePercentage: 100,
          },
        },
      },
      onUpdate: {
        service: "CloudFormation",
        action: "updateStackInstances",
        physicalResourceId: PhysicalResourceId.of(stackInstancesName),
        parameters: {
          Regions: props.regions,
          StackSetName: props.name,
          DeploymentTargets: {
            OrganizationalUnitIds: props.orgUnitIds,
          },
          OperationPreferences: {
            MaxConcurrentCount: 4,
            FailureTolerancePercentage: 100,
          },
        },
      },
      onDelete: {
        service: "CloudFormation",
        action: "deleteStackInstances",
        parameters: {
          Regions: props.regions,
          StackSetName: props.name,
          DeploymentTargets: {
            OrganizationalUnitIds: props.orgUnitIds,
          },
          RetainStacks: false,
        },
      },
      policy: rolePolicy,
    });

    stackInstances.node.addDependency(stackSet);
  }
}

1reaction

hlascellescommented, Jan 26, 2021

I can see how the above works 👍. How does it differ to using new cdk.CfnStackSet (plus a couple of hack lines) like here? https://github.com/aws/aws-cdk-rfcs/issues/66#issuecomment-754599325

Top Results From Across the Web

Bootstrapping multiple AWS accounts for AWS CDK using ...

Once the integration has been configured, the Organizations management account will have access to deploy StackSet stacks to any account that ...

AWS CloudFormation StackSets and AWS Organizations

AWS CloudFormation StackSets enables you to create, update, or delete stacks across multiple AWS accounts and AWS Regions with a single operation.

Use AWS CloudFormation StackSets for Multiple Accounts in ...

Today, we are simplifying the use of CloudFormation StackSets for customers managing multiple accounts with AWS Organizations.

class CfnStackSet (construct) · AWS CDK

The AWS::CloudFormation::StackSet enables you to provision stacks into AWS ... the IAM roles required to deploy to accounts managed by AWS Organizations ....

StackSets concepts - AWS CloudFormation

With service-managed permissions, you can deploy stack instances to accounts managed by AWS Organizations. Using this permissions model, you don't have to ...