AWS::CloudFormation::StackSet - AWS CloudFormation

AWS::CloudFormation::StackSet

The AWS::CloudFormation::StackSet enables you to provision stacks into AWS accounts and across Regions by using a single CloudFormation template. In the stack set, you specify the template to use, as well as any parameters and capabilities that the template requires.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::CloudFormation::StackSet", "Properties" : { "AdministrationRoleARN" : String, "AutoDeployment" : AutoDeployment, "CallAs" : String, "Capabilities" : [ String, ... ], "Description" : String, "ExecutionRoleName" : String, "ManagedExecution" : Json, "OperationPreferences" : OperationPreferences, "Parameters" : [ Parameter, ... ], "PermissionModel" : String, "StackInstancesGroup" : [ StackInstances, ... ], "StackSetName" : String, "Tags" : [ Tag, ... ], "TemplateBody" : String, "TemplateURL" : String } }

Properties

AdministrationRoleARN

The Amazon Resource Number (ARN) of the IAM role to use to create this stack set. Specify an IAM role only if you are using customized administrator roles to control which users or groups can manage specific stack sets within the same administrator account.

Use customized administrator roles to control which users or groups can manage specific stack sets within the same administrator account. For more information, see Prerequisites: Granting Permissions for Stack Set Operations in the AWS CloudFormation User Guide.

Minimum: 20

Maximum: 2048

Required: No

Type: String

Update requires: No interruption

AutoDeployment

[Service-managed permissions] Describes whether StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU).

Required: No

Type: AutoDeployment

Update requires: No interruption

CallAs

[Service-managed permissions] Specifies whether you are acting as an account administrator in the organization's management account or as a delegated administrator in a member account.

By default, SELF is specified. Use SELF for stack sets with self-managed permissions.

  • To create a stack set with service-managed permissions while signed in to the management account, specify SELF.

  • To create a stack set with service-managed permissions while signed in to a delegated administrator account, specify DELEGATED_ADMIN.

    Your AWS account must be registered as a delegated admin in the management account. For more information, see Register a delegated administrator in the AWS CloudFormation User Guide.

Stack sets with service-managed permissions are created in the management account, including stack sets that are created by delegated administrators.

Valid Values: SELF | DELEGATED_ADMIN

Required: No

Type: String

Update requires: No interruption

Capabilities

The capabilities that are allowed in the stack set. Some stack set templates might include resources that can affect permissions in your AWS account—for example, by creating new AWS Identity and Access Management (IAM) users. For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates.

Required: No

Type: List of String

Update requires: No interruption

Description

A description of the stack set.

Minimum: 1

Maximum: 1024

Required: No

Type: String

Update requires: No interruption

ExecutionRoleName

The name of the IAM execution role to use to create the stack set. If you don't specify an execution role, AWS CloudFormation uses the AWSCloudFormationStackSetExecutionRole role for the stack set operation.

Minimum: 1

Maximum: 64

Pattern: [a-zA-Z_0-9+=,.@-]+

Required: No

Type: String

Update requires: No interruption

ManagedExecution

Describes whether StackSets performs non-conflicting operations concurrently and queues conflicting operations.

When active, StackSets performs non-conflicting operations concurrently and queues conflicting operations. After conflicting operations finish, StackSets starts queued operations in request order.

Note

If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.

You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.

When inactive (default), StackSets performs one operation at a time in request order.

Required: No

Type: Json

Update requires: No interruption

OperationPreferences

The user-specified preferences for how AWS CloudFormation performs a stack set operation.

Required: No

Type: OperationPreferences

Update requires: No interruption

Parameters

The input parameters for the stack set template.

Required: No

Type: List of Parameter

Update requires: No interruption

PermissionModel

Describes how the IAM roles required for stack set operations are created.

Allowed Values: SERVICE_MANAGED | SELF_MANAGED

Note

The PermissionModel property is required.

Required: Yes

Type: String

Update requires: Replacement

StackInstancesGroup

A group of stack instances with parameters in some specific accounts and Regions.

Required: No

Type: List of StackInstances

Update requires: No interruption

StackSetName

The name to associate with the stack set. The name must be unique in the Region where you create your stack set.

Maximum: 128

Pattern: ^[a-zA-Z][a-zA-Z0-9-]{0,127}$

Note

The StackSetName property is required.

Required: Yes

Type: String

Update requires: Replacement

Tags

The key-value pairs to associate with this stack set and the stacks created from it. AWS CloudFormation also propagates these tags to supported resources that are created in the stacks. A maximum number of 50 tags can be specified.

Required: No

Type: List of Tag

Update requires: No interruption

TemplateBody

The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.

You must include either TemplateURL or TemplateBody in a StackSet, but you can't use both. Dynamic references in the TemplateBody may not work correctly in all cases. It's recommended to pass templates containing dynamic references through TemplateUrl instead.

Minimum: 1

Maximum: 51200

Required: Conditional

Type: String

Update requires: No interruption

TemplateURL

Location of file containing the template body. The URL must point to a template (max size: 460,800 bytes) that's located in an Amazon S3 bucket.

You must include either TemplateURL or TemplateBody in a StackSet, but you can't use both.

Minimum: 1

Maximum: 1024

Required: Conditional

Type: String

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the StackSetId.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

StackSetId

The ID of the stack that you're creating.

Examples

Activate managed execution for your stack set

The following example creates a stack set and specifies ManagedExecution. With managed execution activated, StackSets performs non-conflicting operations concurrently and queues conflicting operations.

JSON

{ "TestStackSet1": { "Type": "AWS::CloudFormation::StackSet", "DeletionPolicy": "Retain", "Properties": { "StackSetName": "TestStackSet12345", "Description": "Updatedescription1", "PermissionModel": "SELF_MANAGED", "ManagedExecution": { "Active": true }, "Tags": [ { "Key": "tag1", "Value": "value1" } ], "TemplateBody": "{\n \"AWSTemplateFormatVersion\": \"2010-09-09\",\n \"Resources\": {\n \"testWaitHandle\": {\n \"Type\": \"AWS::CloudFormation::WaitConditionHandle\"\n }\n }\n}\n" } } }

YAML

TestStackSet1: Type: 'AWS::CloudFormation::StackSet' DeletionPolicy: Retain Properties: StackSetName: TestStackSet12345 Description: Updatedescription1 PermissionModel: SELF_MANAGED ManagedExecution: Active: true Tags: - Key: tag1 Value: value1 TemplateBody: | { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "testWaitHandle": { "Type": "AWS::CloudFormation::WaitConditionHandle" } } }

Specifying Secrets Manager secrets in CloudFormation

When using the TemplateBody property, if the template intends to resolve secrets from Secrets Manager secret's through an ARN and !Join is used to construct Secrets Manager's dynamic reference, secret's resolution needs to be avoided at stack level so that it will only be performed upon stack instance creation.

In the following example, secret's resolution are avoided at stack level by providing {{ and resolve:secretsmanager: as separate strings to !Join instead of {{resolve:secretsmanager: being provided as a single string:

JSON

{ "Fn::Join": [ "", [ "{{", "resolve:secretsmanager:", { "Fn::Sub": "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:my-secret" }, "::my-secret-key::}}" ] ] }

YAML

!Join - '' - - '{{' - 'resolve:secretsmanager:' - !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:my-secret' - '::my-secret-key::}}'

See also