Create a stack set using the CloudFormation console or AWS CLI
You can create a stack set using the CloudFormation console or using CloudFormation commands in the AWS CLI. You can create a stack set with either self-managed or service-managed permissions.
Create a stack set with self-managed permissions
With self-managed permissions, you can deploy stack instances to specific AWS accounts in specific Regions. To do this, you must first create the necessary IAM roles to establish a trusted relationship between the account you're administering the stack set from and the account you're deploying stack instances to. For more information, see Grant self-managed permissions.
Note
Before you complete one of the following procedures, verify that the IAM roles AWSCloudFormationStackSetExecutionRole and AWSCloudFormationStackSetAdministrationRole exist in your administrator account. To launch stacks in accounts other than your administrator account, verify that the IAM role AWSCloudFormationStackSetExecutionRole exists in the target accounts.
Create a stack set with self-managed permissions using the CloudFormation console
- Sign in to the AWS Management Console and open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.
- On the navigation bar at the top of the screen, choose the AWS Region that you want to manage the stack set from.
- From the navigation pane, choose StackSets.
- From the top of the StackSets page, choose Create StackSet.
- Skip Permissions to use the IAM roles named AWSCloudFormationStackSetExecutionRole and AWSCloudFormationStackSetAdministrationRole that you created previously.
- Under Prerequisite - Prepare template, choose Use a sample template.
- Under Select a sample template, from the drop-down menu choose the Enable AWS Config template. Select Next.
- On the Specify StackSet details page, for StackSet name, provide a name for the stack set. Stack set names must begin with an alphabetical character, and contain only letters, numbers, and hyphens. In this walkthrough, we use the name my-awsconfig-stackset.
- For StackSet description, provide a description for the stack set.
- For Parameters, review the template parameters that are used by AWS Config.
  Note
  For the purposes of this walkthrough, you can use the default settings in this section.
  - For Recorder Configuration, review the default values. For more information about these parameters, see Setting up AWS Config with the console in the AWS Config Developer Guide.
  - (Optional) For Delivery Channel Configuration, review the default values for the delivery channel for updates and notifications. For more information about the delivery channel in AWS Config, see Managing the delivery channel in the AWS Config Developer Guide.
  - (Optional) For Delivery Notifications, review the default configuration for the Amazon Simple Notification Service (SNS) notifications.
- Choose Next to continue.
- On the Configure StackSet options page, add a tag by specifying a key and value pair. In this walkthrough, we create a tag called Stage, with a value of Test. Tags that you apply to stack sets are applied to all resources that are created by your stacks. For more information about how tags are used in AWS, see Organizing and tracking costs using AWS cost allocation tags in the AWS Billing and Cost Management User Guide.
- For Execution configuration, choose Active so that StackSets performs non-conflicting operations concurrently and queues conflicting operations. After conflicting operations finish, StackSets starts queued operations in request order.
  Note
  If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.
  You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.
- If your template contains IAM resources, for Capabilities, choose I acknowledge that this template may create IAM resources to specify that you want to use IAM resources in the template. For more information, see Acknowledging IAM resources in CloudFormation templates.
- Choose Next.
- On the Set deployment options page, for Add stacks to stack set, choose Deploy new stacks.
- For Accounts, choose Deploy stacks in accounts. Paste your target AWS account numbers in the text box, separating multiple numbers with commas.
- For Specify regions, choose US East (N. Virginia) Region. Repeat for the US West (Oregon) Region. Select the up arrow next to US West (Oregon) Region to move it to be the first entry in the list. The order of the Regions under Specify regions determines their deployment order.
  By default, CloudFormation deploys stacks in the specified accounts within the first Region, then moves on to the next Region, and so on, as long as a Region's deployment failures do not exceed the specified failure tolerance.
- For Deployment options:
  - For Maximum concurrent accounts, keep the defaults of Number and 1. This means that CloudFormation deploys your stack in only one account at a time.
For Failure tolerance, keep the defaults of Number and 0.
This means that a maximum of one stack deployment can fail in one of your specified Regions before CloudFormation stops deployment in the current Region, and cancels deployment in remaining Regions.
  - For Region concurrency, select Sequential or Parallel to determine StackSets deployment order for specified Regions. By default, Sequential is selected.
  - For Concurrency mode, update the Concurrency mode as needed, or skip to the next step.
- Choose Next.
- On the Review page, review your choices. To make changes, choose Edit on the related section.
- When you are ready to create your stack set, choose Submit.
CloudFormation starts creating your stack set. View the progress and status of the creation of the stacks in your stack set in the stack set details page that opens when you choose Submit.
Create a stack set with self-managed permissions using the AWS CLI
When you create stack sets by using AWS CLI commands, you run two separate commands: create-stack-set to upload your template and create the stack set container, and create-stack-instances to create the stacks within your stack set.
- Start by running the following create-stack-set command to upload the sample template that enables AWS Config. For the --template-url option, provide the URL of the Amazon S3 bucket where your template is located. For this walkthrough, we use my-awsconfig-stackset as the value of the --stack-set-name option.
  aws cloudformation create-stack-set \
      --stack-set-name my-awsconfig-stackset \
      --template-url https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/EnableAWSConfig.yml
  Note
  To use the Active execution configuration from the AWS CLI, add --managed-execution Active=true to the create-stack-set command. If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.
  You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.
- After your create-stack-set command is finished, run the list-stack-sets command to see that your stack set has been created. You should see your new stack set in the results.
  aws cloudformation list-stack-sets
- Use the create-stack-instances command to add stack instances to your stack set. In this walkthrough, we use us-west-2 and us-east-1 as the values of the --regions option.
  aws cloudformation create-stack-instances \
      --stack-set-name my-awsconfig-stackset \
      --accounts '["account_ID_1","account_ID_2"]' \
      --regions '["us-west-2","us-east-1"]'
  To specify your preferences for how CloudFormation performs this stack set operation, specify the --operation-preferences option, as in the following example. For the purposes of this example, we're using count, not percentage. To apply percentages instead, use FailureTolerancePercentage or MaxConcurrentPercentage.
  --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1
  Note
  The value of MaxConcurrentCount is dependent on the value of FailureToleranceCount. Under the default STRICT_FAILURE_TOLERANCE concurrency mode, MaxConcurrentCount is at most one more than FailureToleranceCount; the SOFT_FAILURE_TOLERANCE concurrency mode decouples the two values.
  Important
  Wait until an operation is complete before starting another one. Unless the stack set's execution configuration is Active, you can run only one operation at a time.
- Using the operation-id that was returned as part of the create-stack-instances output, use the following describe-stack-set-operation command to verify that your stack instances were created successfully.
  aws cloudformation describe-stack-set-operation \
      --stack-set-name my-awsconfig-stackset \
      --operation-id operation_ID
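The self-managed CLI procedure above as one script. This is an added example, not part of the AWS documentation: it checks that the two IAM roles exist before calling create-stack-set, checks the operation preferences against the MaxConcurrentCount rule, and polls describe-stack-set-operation until the create-stack-instances operation reaches a terminal state instead of leaving the wait to the operator. The stack set name and template URL are the page's own; the account IDs, the 15-second poll interval, and the explicit --capabilities, --administration-role-arn and --execution-role-name options are assumptions.

```shell
#!/bin/sh
# Added example (not part of the AWS documentation): the self-managed CLI
# walkthrough as one script, with a preflight check for the IAM roles, a
# check of the operation preferences, and a poll loop that waits for the
# create-stack-instances operation to finish. Account IDs are placeholders.
set -eu

STACK_SET_NAME="${STACK_SET_NAME:-my-awsconfig-stackset}"
TEMPLATE_URL="${TEMPLATE_URL:-https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/EnableAWSConfig.yml}"
# Placeholder account IDs (replace with your target accounts), space-separated.
TARGET_ACCOUNTS="${TARGET_ACCOUNTS:-111111111111 222222222222}"
ADMIN_ROLE="AWSCloudFormationStackSetAdministrationRole"
EXEC_ROLE="AWSCloudFormationStackSetExecutionRole"

# Under the default STRICT_FAILURE_TOLERANCE concurrency mode StackSets
# requires MaxConcurrentCount <= FailureToleranceCount + 1; under
# SOFT_FAILURE_TOLERANCE the two values are independent.
# Usage: check_operation_preferences TOLERANCE CONCURRENCY [MODE]
check_operation_preferences() {
  tolerance="$1"; concurrency="$2"; mode="${3:-STRICT_FAILURE_TOLERANCE}"
  [ "$tolerance" -ge 0 ] || return 1
  [ "$concurrency" -ge 1 ] || return 1
  case "$mode" in
    STRICT_FAILURE_TOLERANCE) [ "$concurrency" -le $((tolerance + 1)) ] ;;
    SOFT_FAILURE_TOLERANCE) return 0 ;;
    *) return 1 ;;
  esac
}

# Operation statuses after which it is safe to start the next operation.
is_terminal_status() {
  case "$1" in
    SUCCEEDED|FAILED|STOPPED) return 0 ;;
    *) return 1 ;;
  esac
}

# Both roles must exist in the administrator account before create-stack-set
# can succeed; the execution role must also exist in every target account.
preflight_roles() {
  for role in "$ADMIN_ROLE" "$EXEC_ROLE"; do
    aws iam get-role --role-name "$role" --query 'Role.Arn' --output text >/dev/null ||
      { echo "missing IAM role in administrator account: $role" >&2; return 1; }
  done
}

# Poll describe-stack-set-operation every 15 seconds (assumed interval) until
# the operation finishes; succeed only if its status is SUCCEEDED.
wait_for_operation() {
  op_id="$1"
  while :; do
    status=$(aws cloudformation describe-stack-set-operation \
      --stack-set-name "$STACK_SET_NAME" --operation-id "$op_id" \
      --query 'StackSetOperation.Status' --output text)
    if is_terminal_status "$status"; then
      echo "operation $op_id finished with status $status"
      [ "$status" = SUCCEEDED ] || return 1
      return 0
    fi
    sleep 15
  done
}

main() {
  tolerance=0; concurrency=1
  check_operation_preferences "$tolerance" "$concurrency" ||
    { echo "invalid operation preferences" >&2; exit 1; }
  preflight_roles
  admin_account=$(aws sts get-caller-identity --query Account --output text)

  # CAPABILITY_IAM is required if the template creates IAM resources and is
  # harmless otherwise; the role options make the trust relationship explicit.
  aws cloudformation create-stack-set \
    --stack-set-name "$STACK_SET_NAME" \
    --template-url "$TEMPLATE_URL" \
    --capabilities CAPABILITY_IAM \
    --administration-role-arn "arn:aws:iam::${admin_account}:role/${ADMIN_ROLE}" \
    --execution-role-name "$EXEC_ROLE"

  # $TARGET_ACCOUNTS is deliberately unquoted so each ID becomes one argument.
  op_id=$(aws cloudformation create-stack-instances \
    --stack-set-name "$STACK_SET_NAME" \
    --accounts $TARGET_ACCOUNTS \
    --regions us-west-2 us-east-1 \
    --operation-preferences "FailureToleranceCount=${tolerance},MaxConcurrentCount=${concurrency}" \
    --query OperationId --output text)
  wait_for_operation "$op_id"
}

# Only call AWS when invoked as "sh stackset.sh run"; otherwise just define the functions.
if [ "${1:-}" = run ]; then main; fi
```

Run it with `sh stackset.sh run` from the administrator account. The poll loop is what makes the Important note above enforceable in automation: a second operation is started only after the first has reached SUCCEEDED, FAILED or STOPPED.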
Create a stack set with service-managed permissions
With service-managed permissions, you can deploy stack instances to accounts managed by AWS Organizations in specific Regions. With this model, you don't need to create the necessary IAM roles; StackSets creates the IAM roles on your behalf. You can also enable automatic deployments to accounts that are added to a target organization or organizational unit (OU) in the future. With automatic deployments enabled, StackSets automatically deletes stack instances from an account if it's removed from a target organization or OU. For more information, see Activate trusted access for stack sets with Organizations.
Considerations when creating a stack set with service-managed permissions
Before you create a stack set with service-managed permissions, consider the following:
- Stack sets with service-managed permissions are created in the management account, including stack sets that are created by delegated administrators.
- Your stack set can target your entire organization or specified organizational units (OUs). If your stack set targets your organization, it also targets all accounts in all OUs in the organization. If your stack set targets specified OUs, it also targets all accounts in those OUs.
- If your stack set targets a parent OU, the stack set also targets any child OUs.
- Multiple stack sets can target the same organization or OU.
- Your stack set can't target accounts outside your organization.
- Your stack set can't deploy nested stacks.
- StackSets doesn't deploy stack instances to the organization's management account, even if the management account is in your organization or in an OU in your organization.
- Automatic deployment is set at the stack set level. You can't adjust automatic deployments selectively for OUs, accounts, or Regions.
- The permissions of the IAM principal entity (user, role, or group) that you use to sign in to the management account determine whether you are authorized to deploy with StackSets. For an example IAM policy that grants permissions to deploy to an organization, see Sample policy that grants service-managed stack set permissions.
- Delegated administrators have full permissions to deploy to accounts in your organization. The management account can't limit delegated administrator permissions to deploy to specific OUs or to perform specific stack set operations.
Create a stack set with service-managed permissions using the CloudFormation console
- Sign in to the AWS Management Console and open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.
- On the navigation bar at the top of the screen, choose the AWS Region that you want to manage the stack set from.
- From the navigation pane, choose StackSets.
- From the top of the StackSets page, choose Create StackSet.
- Under Permissions, choose Service-managed permissions.
  Note
  If trusted access with AWS Organizations is disabled, a banner displays. Trusted access is required to create or update a stack set with service-managed permissions. Only the administrator in the organization's management account has permissions to Activate trusted access for stack sets with Organizations.
- Under Prerequisite - Prepare template, choose Template is ready.
- Under Specify template, choose to either specify the URL for the S3 bucket that contains your stack template or upload a stack template file. Choose Next.
- On the Specify StackSet details page, provide a name for the stack set, specify any parameters, and then choose Next.
- On the Configure StackSet options page, under Tags, specify any tags to apply to resources in your stack.
- For Execution configuration, choose Active so that StackSets performs non-conflicting operations concurrently and queues conflicting operations. After conflicting operations finish, StackSets starts queued operations in request order.
  Note
  If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.
  You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.
- Choose Next to proceed and to activate trusted access if not already activated.
- On the Set deployment options page, under Deployment targets, do one of the following:
  - To deploy to all accounts in your organization, choose Deploy to organization.
  - To deploy to all accounts in specific OUs, choose Deploy to organizational units (OUs). Choose Add an OU, and then paste the target OU ID in the text box. Repeat for each new target OU.
- Under Automatic deployment, choose whether StackSets will automatically deploy to accounts that are added to the target organization or OUs in the future.
- If you enabled automatic deployment, under Account removal behavior, choose whether stack resources are retained or deleted when an account is removed from a target organization or OU.
  Note
  With Retain stacks selected, stack instances are removed from your stack set, but the stacks and their associated resources are retained. The resources stay in their current state, but will no longer be part of the stack set.
- Under Specify regions, choose the Regions you want to deploy stack instances in.
- For Deployment options:
  - For Maximum concurrent accounts, configure the maximum concurrent accounts as needed.
  - For Failure tolerance, configure the failure tolerance as needed.
  - For Region concurrency, choose the Region concurrency as needed.
  - For Concurrency mode, choose the concurrency mode as needed.
- Choose Next to continue.
- On the Review page, verify that StackSets will deploy to the correct accounts in the correct Regions, and then choose Create StackSet.
The StackSet details page opens. You can view the progress and status of the creation of the stacks in your stack set.
Create a stack set with service-managed permissions using the AWS CLI
When you create stack sets using the AWS CLI, you run two separate commands. During create-stack-set, you upload your template, create the stack set container, and manage automatic deployments. During create-stack-instances, you create stack instances in specific target accounts.
When acting as a delegated administrator, you must set the --call-as option to DELEGATED_ADMIN each time you run a StackSets command:
  --call-as DELEGATED_ADMIN
Stack sets created by a delegated administrator are created in the organization's management account.
- Use the create-stack-set CLI command.
  In the following example, we enable automatic deployments to allow StackSets to automatically deploy to accounts that are added to the target organization or OUs in the future. We retain stack resources when an account is removed from a target organization or OU.
  aws cloudformation create-stack-set \
      --stack-set-name my-stackset \
      --template-url https://s3.us-west-2.amazonaws.com/cloudformation-templates-us-west-2/MyApp.template \
      --permission-model SERVICE_MANAGED \
      --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=true
  Note
  If there are already running or queued operations, StackSets queues all incoming operations even if they are non-conflicting.
  You can't modify your stack set's execution configuration while there are running or queued operations for that stack set.
- After your create-stack-set command is finished, run the list-stack-sets command to confirm that your stack set was created. Your new stack set is listed in the results.
  aws cloudformation list-stack-sets
  - If you set the --call-as option to DELEGATED_ADMIN while signed in to your member account, list-stack-sets returns all stack sets with service-managed permissions in the organization's management account.
  - If you set the --call-as option to SELF while signed in to your AWS account, list-stack-sets returns all self-managed stack sets in your AWS account.
  - If you set the --call-as option to SELF while signed in to the organization's management account, list-stack-sets returns all stack sets in the organization's management account.
- Use the create-stack-instances command to add stack instances to your stack set. For the --deployment-targets option, specify the organization root ID to deploy to all accounts in your organization, or specify OU IDs to deploy to all accounts in those OUs. In this example, we specify OUs with the IDs ou-rcuk-1x5j1lwo and ou-rcuk-slr5lh0a.
  aws cloudformation create-stack-instances \
      --stack-set-name my-stackset \
      --deployment-targets OrganizationalUnitIds='["ou-rcuk-1x5j1lwo", "ou-rcuk-slr5lh0a"]' \
      --regions '["us-west-2","us-east-1"]'
  Important
  Wait until an operation is complete before starting another one. Unless the stack set's execution configuration is Active, you can run only one operation at a time.
- Using the operation-id that was returned as part of the create-stack-instances output, use the following describe-stack-set-operation command to verify that your stack instances were created successfully. Use the same stack set name as in the previous commands (my-stackset in this example) and, as a delegated administrator, the same --call-as DELEGATED_ADMIN option.
  aws cloudformation describe-stack-set-operation \
      --stack-set-name my-stackset \
      --operation-id operation_ID
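The service-managed CLI procedure above as one script run by a delegated administrator. This is an added example, not part of the AWS documentation: before creating anything it confirms that trusted access for StackSets is enabled in the organization (the precondition the console banner warns about), validates that the targets are well-formed OU or root IDs, builds the --deployment-targets value, and passes the same --call-as value to every call so the follow-up describe-stack-set-operation finds the operation in the management account. The OU IDs, stack set name and template URL are the page's sample values; the CALL_AS variable (set it to SELF when running from the management account itself) and the ID format checks are assumptions.

```shell
#!/bin/sh
# Added example (not part of the AWS documentation): the service-managed CLI
# walkthrough as one script for a delegated administrator. It checks that
# trusted access for StackSets is enabled, validates the OU IDs, and builds
# the --deployment-targets value. OU IDs, stack set name and template URL
# are the page's sample values.
set -eu

CALL_AS="${CALL_AS:-DELEGATED_ADMIN}"   # SELF when run from the management account
STACK_SET_NAME="${STACK_SET_NAME:-my-stackset}"
TEMPLATE_URL="${TEMPLATE_URL:-https://s3.us-west-2.amazonaws.com/cloudformation-templates-us-west-2/MyApp.template}"
# Service principal that trusted access for StackSets enables in Organizations.
STACKSETS_PRINCIPAL="member.stacksets.cloudformation.amazonaws.com"

# Takes the text output of list-aws-service-access-for-organization
# (service principals separated by tabs or newlines) and returns 0 if
# StackSets trusted access is among them.
trusted_access_enabled() {
  printf '%s\n' "$1" | tr '\t' '\n' | grep -qx "$STACKSETS_PRINCIPAL"
}

# Organizations ID formats: OU IDs are ou-xxxx-xxxxxxxx, root IDs are r-xxxx
# (4 to 32 lowercase letters or digits per group, 8 to 32 in the OU suffix).
is_ou_id()   { printf '%s\n' "$1" | grep -Eq '^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$'; }
is_root_id() { printf '%s\n' "$1" | grep -Eq '^r-[a-z0-9]{4,32}$'; }

# Builds the --deployment-targets value from one or more OU IDs, or from the
# organization root ID to target every account in the organization.
# Example: build_deployment_targets ou-rcuk-1x5j1lwo ou-rcuk-slr5lh0a
#          -> OrganizationalUnitIds=["ou-rcuk-1x5j1lwo","ou-rcuk-slr5lh0a"]
build_deployment_targets() {
  [ "$#" -gt 0 ] || return 1
  joined=""
  for id in "$@"; do
    is_ou_id "$id" || is_root_id "$id" ||
      { echo "not an OU or root ID: $id" >&2; return 1; }
    joined="${joined:+$joined,}\"$id\""
  done
  printf 'OrganizationalUnitIds=[%s]\n' "$joined"
}

main() {
  # Callable from the management account or from a delegated administrator.
  principals=$(aws organizations list-aws-service-access-for-organization \
    --query 'EnabledServicePrincipals[].ServicePrincipal' --output text)
  trusted_access_enabled "$principals" ||
    { echo "trusted access for StackSets is not enabled; the management account must activate it" >&2; exit 1; }

  aws cloudformation create-stack-set \
    --stack-set-name "$STACK_SET_NAME" \
    --template-url "$TEMPLATE_URL" \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=true \
    --call-as "$CALL_AS"

  targets=$(build_deployment_targets ou-rcuk-1x5j1lwo ou-rcuk-slr5lh0a)
  op_id=$(aws cloudformation create-stack-instances \
    --stack-set-name "$STACK_SET_NAME" \
    --deployment-targets "$targets" \
    --regions us-west-2 us-east-1 \
    --call-as "$CALL_AS" \
    --query OperationId --output text)

  # The follow-up call needs the same stack set name and --call-as value,
  # because the stack set lives in the management account.
  aws cloudformation describe-stack-set-operation \
    --stack-set-name "$STACK_SET_NAME" --operation-id "$op_id" \
    --call-as "$CALL_AS" \
    --query 'StackSetOperation.[Action,Status]' --output text
}

# Only call AWS when invoked as "sh stackset-org.sh run"; otherwise just define the functions.
if [ "${1:-}" = run ]; then main; fi
```

Validating the IDs up front matters because an account ID or a mistyped OU ID in --deployment-targets is rejected only after create-stack-set has already created the stack set container in the management account.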