Create a stack set - AWS CloudFormation

You can create a stack set using the AWS Management Console or using AWS CloudFormation commands in the AWS CLI. You can create a stack set with either self-managed or service-managed permissions.

With self-managed permissions, you can deploy stack instances to specific AWS accounts in specific Regions. To do this, you must first create the necessary IAM roles to establish a trusted relationship between the account you're administering the stack set from and the account you're deploying stack instances to.

With service-managed permissions, you can deploy stack instances to accounts managed by AWS Organizations in specific Regions. With this model, you don't need to create the necessary IAM roles; StackSets creates the IAM roles on your behalf. You can also enable automatic deployments to accounts that are added to a target organization or organizational unit (OU) in the future. With automatic deployments enabled, StackSets automatically deletes stack instances from an account if it's removed from a target organization or OU.

Create a stack set with self-managed permissions

Create a stack set with self-managed permissions using the AWS Management Console

  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

  2. From the navigation pane, choose StackSets.

  3. At the top of the StackSets page, choose Create StackSet.

  4. Under Prerequisite - Prepare template, choose Use a sample template.

  5. Under Select a sample template, from the drop-down menu choose the Enable AWS config template. Select Next.

    [Image: StackSets sample Enable AWS Config template]

  6. On the Specify StackSet details page, provide the following information.

    1. Provide a name for the stack set. Stack set names must begin with an alphabetical character, and contain only letters, numbers, and hyphens. In this walkthrough, we use the name my-awsconfig-stackset.

    2. You are prompted to specify values for parameters that are used by AWS Config. For more information about these parameters, see Setting up AWS Config with the console in the AWS Config Developer Guide. In this walkthrough, we will leave default settings for all AWS Config parameters.

    3. You can configure Amazon Simple Notification Service (SNS) updates by email, based on log content, using the TopicARN and NotificationEmail parameters. For the purposes of this walkthrough, we are not configuring Amazon SNS updates.

    4. You can configure the delivery channel for updates and notifications using the DeliveryChannelName and Frequency parameters. For more information about the delivery channel in AWS Config, see Managing the delivery channel in the AWS Config Developer Guide. For the purposes of this walkthrough, we are leaving default settings in this area.

  7. When you are finished specifying parameters for AWS Config, choose Next.

  8. On the Configure StackSet options page, add a tag by specifying a key and value pair. In this walkthrough, we create a tag called Stage, with a value of Test. Tags that you apply to stack sets are applied to all resources that are created by your stacks. For more information about how tags are used in AWS, see Using cost allocation tags in the AWS Billing and Cost Management User Guide.

    Leave Permissions unspecified.

  9. For Execution configuration, choose Active so that StackSets performs non-conflicting operations concurrently and queues conflicting operations. After conflicting operations finish, StackSets starts queued operations in request order.

    Note

    If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.

    You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.

  10. Choose Next.

  11. On the Set deployment options page, provide the accounts and Regions into which you want stacks in your stack set deployed.

    AWS CloudFormation deploys stacks in the specified accounts within the first Region, then moves on to the next Region, and so on, as long as a Region's deployment failures do not exceed the specified failure tolerance.

    1. For Accounts, choose Deploy stacks in accounts. Paste your target account numbers in the text box, separating multiple numbers with commas.

    2. For Specify regions, choose US East (N. Virginia) Region. Repeat for the US West (Oregon) Region. Select the up arrow next to US West (Oregon) Region to move it to be the first entry in the list. The order of the Regions under Specify regions determines their deployment order.

    3. For Deployment options:

      • For Maximum concurrent accounts, keep the defaults of Number and 1.

        This means that AWS CloudFormation deploys your stack in only one account at one time.

      • For Failure tolerance, keep the defaults of Number and 0.

        This means that a maximum of one stack deployment can fail in one of your specified Regions before AWS CloudFormation stops deployment in the current Region, and cancels deployment in remaining Regions.

    4. For Region concurrency:

      • Select Sequential or Parallel to determine StackSets deployment order for specified Regions. By default, Sequential is selected.

      Select Next.

    [Image: Set Deployment Options page]

  12. On the Review page, review your choices and your stack set's properties. To make changes, choose Edit in the area in which you want to change properties. Before you can create the stack set, you must fill the check box in the Capabilities area to acknowledge that some of the resources that you are creating with the stack set might require new IAM resources and permissions. For more information about potentially required permissions, see Acknowledging IAM resources in AWS CloudFormation templates in this guide. When you are ready to create your stack set, choose Submit.

    [Image: Acknowledge required capabilities]

  13. AWS CloudFormation starts creating your stack set. View the progress and status of the creation of the stacks in your stack set in the stack set details page that opens when you choose Submit.

    [Image: Operations tab of the StackSets details page]

Create a stack set with self-managed permissions using the AWS CLI

When you create stack sets by using AWS CLI commands, you run two separate commands: create-stack-set to upload your template and create the stack set container, and create-stack-instances to create the stacks within your stack set. Start by running an AWS CLI command, create-stack-set, to upload the sample AWS CloudFormation template that enables AWS Config, and then start stack set creation.

  1. Open the AWS CLI.

  2. Run the following command.

    For the --template-url parameter, provide the URL of the Amazon S3 bucket in which you are storing your template. For this walkthrough, we use my-awsconfig-stackset as the value of the --stack-set-name parameter. We also activate --managed-execution so that StackSets performs non-conflicting operations concurrently and queues conflicting operations. After conflicting operations finish, StackSets starts queued operations in request order.

    Note

    If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.

    You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.

    aws cloudformation create-stack-set \
      --stack-set-name my-awsconfig-stackset \
      --template-url https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/EnableAWSConfig.yml \
      --managed-execution Active=true

  3. After your create-stack-set command is finished, run the list-stack-sets command to see that your stack set has been created. You should see your new stack set in the results.

    aws cloudformation list-stack-sets

  4. Run the create-stack-instances AWS CLI command to add stack instances to your stack set. In this walkthrough, we use us-west-2 and us-east-1 as the values of the --regions parameter.

    Set the failure tolerance and maximum concurrent accounts by setting FailureToleranceCount to 0 and MaxConcurrentCount to 1 in the --operation-preferences parameter, as shown in the following example. To apply percentages instead, use FailureTolerancePercentage or MaxConcurrentPercentage. For the purposes of this walkthrough, we are using count, not percentage.

    Note

    The value of MaxConcurrentCount is dependent on the value of FailureToleranceCount. MaxConcurrentCount is at most one more than FailureToleranceCount.

    aws cloudformation create-stack-instances \
      --stack-set-name my-awsconfig-stackset \
      --accounts '["account_ID_1","account_ID_2"]' \
      --regions '["region_1","region_2"]' \
      --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1

    Note

    The concurrency of the stack instance deployments in the operation depends on FailureToleranceCount: MaxConcurrentCount can be at most one more than FailureToleranceCount.

    Important

    Wait until an operation is complete before starting another one. You can run only one operation at a time.

  5. Verify that the stack instances were created successfully. Run describe-stack-set-operation with the operation-id that is returned as part of the output of step 4.

    aws cloudformation describe-stack-set-operation \
      --stack-set-name my-awsconfig-stackset \
      --operation-id operation_ID

Create a stack set with service-managed permissions

Considerations when creating a stack set with service-managed permissions

Before you create a stack set with service-managed permissions, consider the following:

  • Stack sets with service-managed permissions are created in the management account, including stack sets that are created by delegated administrators.

  • Your stack set can target your entire organization or specified organizational units (OUs). If your stack set targets your organization, it also targets all accounts in all OUs in the organization. If your stack set targets specified OUs, it also targets all accounts in those OUs.

  • If your stack set targets a parent OU, the stack set also targets any child OUs.

  • Multiple stack sets can target the same organization or OU.

  • Your stack set can't target accounts outside your organization.

  • Your stack set can't deploy nested stacks.

  • StackSets doesn't deploy stack instances to the organization's management account, even if the management account is in your organization or in an OU in your organization.

  • Automatic deployment is set at the stack set level. You can't adjust automatic deployments selectively for OUs, accounts, or Regions.

  • The permissions of the IAM principal entity (user, role, or group) that you use to sign in to the management account determine whether you are authorized to deploy with StackSets. For an example IAM policy that grants permissions to deploy to an organization, see Sample policy that grants service-managed stack set permissions.

  • Delegated administrators have full permissions to deploy to accounts in your organization. The management account can't limit delegated administrator permissions to deploy to specific OUs or to perform specific stack set operations.

Create a stack set with service-managed permissions using the AWS CloudFormation console

  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

  2. From the navigation pane, choose StackSets.

  3. At the top of the StackSets page, choose Create StackSet.

  4. Under Prepare template, choose Template is ready.

  5. Under Specify template, choose to either specify the URL for the S3 bucket that contains your stack template or upload a stack template file. Choose Next.

  6. On the Specify StackSet details page, provide a name for the stack set, specify any parameters, and then choose Next.

  7. On the Configure StackSet options page, under Tags, specify any tags to apply to resources in your stack.

  8. Under Permissions, choose Service-managed permissions.

    If trusted access with AWS Organizations is disabled, a banner displays. Trusted access is required to create or update a stack set with service-managed permissions. Only the administrator in the organization's management account has permissions to Activate trusted access with AWS Organizations.

    [Image: Activate trusted access banner]

  9. For Execution configuration, choose Active so that StackSets performs non-conflicting operations concurrently and queues conflicting operations. After conflicting operations finish, StackSets starts queued operations in request order.

    Note

    If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.

    You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.

  10. Choose Next to proceed and to activate trusted access if not already activated.

  11. On the Set deployment options page, under Deployment targets, choose the accounts in your organization to deploy to.

    • Choose Deploy to organization to deploy to all accounts in your organization.

      [Image: Deploy stack instances to all accounts in your organization]

    • Choose Deploy to organizational units (OUs) to deploy to all accounts in specific OUs. Choose Add an OU, and then paste the target OU ID in the text box. Repeat for each new target OU.

      [Image: Deploy stack instances to all accounts in select OUs within your organization]

  12. Under Automatic deployment, choose whether StackSets will automatically deploy to accounts that are added to the target organization or OUs in the future.

    [Image: Automatic deployment settings for stack sets with service-managed permissions]

  13. If you enabled automatic deployment, under Account removal behavior, choose whether stack resources are retained or deleted when an account is removed from a target organization or OU.

    [Image: Account removal behavior settings for stack sets with service-managed permissions]

    Note

    With Retain stacks selected, stack instances are removed from your stack set, but the stacks and their associated resources are retained. The resources stay in their current state, but will no longer be part of the stack set.

  14. Under Deployment regions, choose the Regions in which you want to deploy stack instances. Choose Next.

  15. On the Review page, verify that StackSets will deploy to the correct accounts in the correct Regions, and then choose Create StackSet.

The StackSet details page opens. You can view the progress and status of the creation of the stacks in your stack set.

Create a stack set with service-managed permissions using the AWS CLI

When you create stack sets using the AWS CLI, you run two separate commands. During create-stack-set, you upload your template, create the stack set container, and manage automatic deployments. During create-stack-instances, you create stack instances in specific target accounts.

When acting as a delegated administrator, you must set the --call-as parameter to DELEGATED_ADMIN each time you run a StackSets command.

--call-as DELEGATED_ADMIN

Stack sets created by a delegated administrator are created in the organization's management account.

  1. Open the AWS CLI.

  2. Run the create-stack-set command.

    In the following example, we enable automatic deployments to allow StackSets to automatically deploy to accounts that are added to the target organization or OUs in the future. We retain stack resources when an account is removed from a target organization or OU. We also activate --managed-execution so that StackSets performs non-conflicting operations concurrently and queues conflicting operations. After conflicting operations finish, StackSets starts queued operations in request order.

    Note

    If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.

    You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.

    aws cloudformation create-stack-set \
      --stack-set-name StackSet_myApp \
      --template-url https://s3.us-west-2.amazonaws.com/cloudformation-templates-us-west-2/MyApp.template \
      --permission-model SERVICE_MANAGED \
      --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=true \
      --managed-execution Active=true

  3. After your create-stack-set command is finished, run the list-stack-sets command to confirm that your stack set was created. Your new stack set is listed in the results.

    aws cloudformation list-stack-sets

    • If you set the --call-as parameter to DELEGATED_ADMIN while signed in to your member account, list-stack-sets returns all stack sets with service-managed permissions in the organization's management account.

    • If you set the --call-as parameter to SELF while signed in to your AWS account, list-stack-sets returns all self-managed stack sets in your AWS account.

    • If you set the --call-as parameter to SELF while signed in to the organization's management account, list-stack-sets returns all stack sets in the organization's management account.

  4. Run the create-stack-instances command to add stack instances to your stack set. For the --deployment-targets parameter, specify the organization root ID to deploy to all accounts in your organization, or specify OU IDs to deploy to all accounts in those OUs. In this example, we specify OUs with ou-rcuk-1x5j1lwo and ou-rcuk-slr5lh0a IDs.

    aws cloudformation create-stack-instances \
      --stack-set-name StackSet_myApp \
      --deployment-targets OrganizationalUnitIds='["ou-rcuk-1x5j1lwo", "ou-rcuk-slr5lh0a"]' \
      --regions '["eu-west-1"]'

    Important

    Wait until an operation is complete before starting another one. You can run only one operation at a time.

  5. Using the operation-id that was returned as part of the create-stack-instances output in step 4, run describe-stack-set-operation to verify that your stack instances were created successfully.
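The following helper script is an added example, not part of the AWS documentation: it runs the create-stack-instances step of both CLI walkthroughs above (self-managed and service-managed) and enforces the "one operation at a time" rule by polling describe-stack-set-operation until the operation leaves a transient state. It assumes the AWS CLI is installed with credentials configured; the account IDs and OU IDs are the placeholders from the walkthroughs, and the check_op_prefs, op_status, wait_for_op and deploy_* function names are my own.

```shell
# Added helper script, not from the AWS docs: runs create-stack-instances for both
# walkthroughs and waits for each StackSets operation to finish before the next one.
# Assumes the AWS CLI and credentials are configured; account and OU IDs are placeholders.
set -u

# StackSets constraint: MaxConcurrentCount can be at most FailureToleranceCount + 1.
check_op_prefs() {
  local tolerance="$1" concurrent="$2"
  [ "$concurrent" -ge 1 ] && [ "$concurrent" -le $((tolerance + 1)) ]
}

# Status of one operation; $3 optionally passes --call-as (SELF or DELEGATED_ADMIN).
op_status() {
  local stack_set="$1" op_id="$2" call_as="${3:-}"
  aws cloudformation describe-stack-set-operation \
    --stack-set-name "$stack_set" --operation-id "$op_id" \
    ${call_as:+--call-as "$call_as"} \
    --query 'StackSetOperation.Status' --output text
}

# Poll until the operation leaves a transient state; succeed only on SUCCEEDED.
wait_for_op() {
  local stack_set="$1" op_id="$2" call_as="${3:-}" interval="${4:-15}" status
  while :; do
    status=$(op_status "$stack_set" "$op_id" "$call_as") || return 1
    case "$status" in
      RUNNING|QUEUED|STOPPING) sleep "$interval" ;;
      SUCCEEDED) return 0 ;;
      *) echo "operation $op_id ended with status $status" >&2; return 1 ;;
    esac
  done
}

# Self-managed walkthrough: count-based preferences, one account at a time.
deploy_self_managed() {
  local op_id
  check_op_prefs 0 1 || return 1
  op_id=$(aws cloudformation create-stack-instances \
    --stack-set-name my-awsconfig-stackset \
    --accounts '["account_ID_1","account_ID_2"]' --regions '["us-west-2","us-east-1"]' \
    --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1 \
    --query OperationId --output text) || return 1
  wait_for_op my-awsconfig-stackset "$op_id"
}

# Service-managed walkthrough, run from a member account as delegated administrator.
deploy_service_managed() {
  local op_id
  op_id=$(aws cloudformation create-stack-instances \
    --stack-set-name StackSet_myApp --call-as DELEGATED_ADMIN \
    --deployment-targets OrganizationalUnitIds='["ou-rcuk-1x5j1lwo","ou-rcuk-slr5lh0a"]' \
    --regions '["eu-west-1"]' --query OperationId --output text) || return 1
  wait_for_op StackSet_myApp "$op_id" DELEGATED_ADMIN
}
```

Source the script and call deploy_self_managed or deploy_service_managed; a non-zero exit means the operation did not reach SUCCEEDED, so the next operation should not be started until the cause is reviewed on the stack set's Operations tab.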