- class aws_cdk.aws_codepipeline_actions.StackSetDeploymentModel
Determines how IAM roles are created and managed.
```python
from aws_cdk import aws_codepipeline as codepipeline
from aws_cdk import aws_codepipeline_actions as codepipeline_actions

# pipeline: codepipeline.Pipeline
# source_output: codepipeline.Artifact

pipeline.add_stage(
    stage_name="DeployStackSets",
    actions=[
        # First, update the StackSet itself with the newest template
        codepipeline_actions.CloudFormationDeployStackSetAction(
            action_name="UpdateStackSet",
            run_order=1,
            stack_set_name="MyStackSet",
            template=codepipeline_actions.StackSetTemplate.from_artifact_path(source_output.at_path("template.yaml")),

            # Change this to 'StackSetDeploymentModel.organizations()' if you want to deploy to OUs
            deployment_model=codepipeline_actions.StackSetDeploymentModel.self_managed(),
            # This deploys to a set of accounts
            stack_instances=codepipeline_actions.StackInstances.in_accounts(["111111111111"], ["us-east-1", "eu-west-1"])
        ),

        # Afterwards, update/create additional instances in other accounts
        codepipeline_actions.CloudFormationDeployStackInstancesAction(
            action_name="AddMoreInstances",
            run_order=2,
            stack_set_name="MyStackSet",
            stack_instances=codepipeline_actions.StackInstances.in_accounts(["222222222222", "333333333333"], ["us-east-1", "eu-west-1"])
        )
    ]
)
```
- classmethod organizations(*, auto_deployment=None)
Deploy to AWS Organizations accounts.
AWS CloudFormation StackSets automatically creates the IAM roles required to deploy to accounts managed by AWS Organizations. This requires an account to be a member of an Organization.
Using this deployment model, you can specify either AWS Account Ids or Organization Unit Ids in the
auto_deployment (Optional[StackSetOrganizationsAutoDeployment]) – Automatically deploy to new accounts added to Organizational Units. Whether AWS CloudFormation StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU). Default: Disabled
- Return type:
- classmethod self_managed(*, administration_role=None, execution_role_name=None)
Deploy to AWS Accounts not managed by AWS Organizations.
You are responsible for creating Execution Roles, in advance, in every account you will be deploying to; these roles create the actual stack instances. Unless you specify overrides, StackSets expects the execution roles you create to have the default name AWSCloudFormationStackSetExecutionRole. See the Grant self-managed permissions section of the CloudFormation documentation.
The CDK will automatically create the central Administration Role in the Pipeline account which will be used to assume the Execution Role in each of the target accounts.
If you wish to use a pre-created Administration Role, use Role.fromRoleArn() to import it, and pass it to this function:
```python
from aws_cdk import aws_iam as iam
from aws_cdk import aws_codepipeline_actions as codepipeline_actions

existing_admin_role = iam.Role.from_role_name(self, "AdminRole", "AWSCloudFormationStackSetAdministrationRole")

deployment_model = codepipeline_actions.StackSetDeploymentModel.self_managed(
    # Use an existing Role. Leave this out to create a new Role.
    administration_role=existing_admin_role
)
```
Using this deployment model, you can only specify AWS Account Ids in the
administration_role (Optional[IRole]) – The IAM role in the administrator account used to assume execution roles in the target accounts. You must create this role before using the StackSet action. The role needs to be assumable by CloudFormation, and it needs to be able to sts:AssumeRole each of the execution roles (whose names are specified in the executionRoleName parameter) in each of the target accounts. If you do not specify the role, we assume you have created a role named AWSCloudFormationStackSetAdministrationRole. Default: - Assume an existing role named AWSCloudFormationStackSetAdministrationRole in the same account as the pipeline.
execution_role_name (Optional[str]) – The name of the IAM role in the target accounts used to perform stack set operations. You must create these roles in each of the target accounts before using the StackSet action. The roles need to be assumable by the administrationRole, and need to have the permissions necessary to successfully create and modify the resources that the subsequent CloudFormation deployments need. Administrator permissions are commonly granted to these roles, but scoping the permissions down from there is safer. Default: AWSCloudFormationStackSetExecutionRole
- Return type:
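The trust chain that self_managed() depends on, as an added example (not CDK or AWS code): it builds the IAM policy documents for the administration role and for an execution role pinned to that role, then audits an execution role for the two over-broad settings the parameter text warns about. The function names, the pipeline account 999999999999 and the sample policies are assumptions constructed for illustration.

```python
# Default role names stated on this page.
ADMIN_ROLE = "AWSCloudFormationStackSetAdministrationRole"
EXEC_ROLE = "AWSCloudFormationStackSetExecutionRole"

def policy_doc(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

def as_list(value):  # IAM accepts a single string or a list in these fields
    return [value] if isinstance(value, str) else list(value or [])

def admin_role_policies(target_accounts, exec_role_name=EXEC_ROLE):
    """Trust and permissions documents for the administration role."""
    trust = policy_doc({"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"Service": "cloudformation.amazonaws.com"}})
    # One ARN per target account rather than a wildcard account ID.
    arns = [f"arn:aws:iam::{a}:role/{exec_role_name}" for a in target_accounts]
    perms = policy_doc({"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": arns})
    return trust, perms

def execution_role_trust(admin_account, admin_role_name=ADMIN_ROLE):
    """Trust document for an execution role: only the administration role."""
    arn = f"arn:aws:iam::{admin_account}:role/{admin_role_name}"
    return policy_doc({"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": arn}})

def audit_execution_role(trust, permissions, admin_account, admin_role_name=ADMIN_ROLE):
    """Return findings where an execution role is broader than it needs to be."""
    expected = f"arn:aws:iam::{admin_account}:role/{admin_role_name}"
    findings = []
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        values = ["*"] if principal == "*" else [
            v for vals in principal.values() for v in as_list(vals)]
        findings += [f"trust: principal {p} is not {expected}"
                     for p in values if p != expected]
    for stmt in permissions["Statement"]:
        if (stmt.get("Effect") == "Allow" and "*" in as_list(stmt.get("Action"))
                and "*" in as_list(stmt.get("Resource"))):
            findings.append("permissions: Action * on Resource * (administrator access)")
    return findings

# Constructed sample input: 999999999999 is a hypothetical pipeline account.
ADMIN_TRUST, ADMIN_PERMS = admin_role_policies(["222222222222", "333333333333"])
BROAD_TRUST = policy_doc({"Effect": "Allow", "Action": "sts:AssumeRole",
                          "Principal": {"AWS": "arn:aws:iam::999999999999:root"}})
ADMIN_ACCESS = policy_doc({"Effect": "Allow", "Action": "*", "Resource": "*"})
SCOPED = policy_doc({"Effect": "Allow", "Resource": "*",
                     "Action": ["sns:CreateTopic", "sns:DeleteTopic"]})
```

Pinning the trust principal to a role ARN means the administration role must exist before the execution role is created, and the trust policy must be re-applied if that role is ever deleted and recreated.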