StackSetDeploymentModel

class aws_cdk.aws_codepipeline_actions.StackSetDeploymentModel

Bases: object

Determines how IAM roles are created and managed.

Example:

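from aws_cdk import aws_codepipeline as codepipeline
from aws_cdk import aws_codepipeline_actions as codepipeline_actions

# pipeline: codepipeline.Pipeline
# source_output: codepipeline.Artifact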


pipeline.add_stage(
    stage_name="DeployStackSets",
    actions=[
        # First, update the StackSet itself with the newest template
        codepipeline_actions.CloudFormationDeployStackSetAction(
            action_name="UpdateStackSet",
            run_order=1,
            stack_set_name="MyStackSet",
            template=codepipeline_actions.StackSetTemplate.from_artifact_path(source_output.at_path("template.yaml")),

            # Change this to 'StackSetDeploymentModel.organizations()' if you want to deploy to OUs
            deployment_model=codepipeline_actions.StackSetDeploymentModel.self_managed(),
            # This deploys to a set of accounts
            stack_instances=codepipeline_actions.StackInstances.in_accounts(["111111111111"], ["us-east-1", "eu-west-1"])
        ),

        # Afterwards, update/create additional instances in other accounts
        codepipeline_actions.CloudFormationDeployStackInstancesAction(
            action_name="AddMoreInstances",
            run_order=2,
            stack_set_name="MyStackSet",
            stack_instances=codepipeline_actions.StackInstances.in_accounts(["222222222222", "333333333333"], ["us-east-1", "eu-west-1"])
        )
    ]
)

Static Methods

classmethod organizations(*, auto_deployment=None)

Deploy to AWS Organizations accounts.

AWS CloudFormation StackSets automatically creates the IAM roles required to deploy to accounts managed by AWS Organizations. This requires an account to be a member of an Organization.

Using this deployment model, you can specify either AWS account IDs or organizational unit (OU) IDs in the stack_instances parameter.

Parameters:

auto_deployment (Optional[StackSetOrganizationsAutoDeployment]) – Automatically deploy to new accounts added to Organizational Units. Controls whether AWS CloudFormation StackSets automatically deploys to AWS Organizations accounts that are added to a target organization or organizational unit (OU). Default: Disabled

Return type:

StackSetDeploymentModel

classmethod self_managed(*, administration_role=None, execution_role_name=None)

Deploy to AWS Accounts not managed by AWS Organizations.

You are responsible for creating, in advance, an Execution Role in every account you will deploy to; StackSets uses these roles to create the actual stack instances. Unless you specify overrides, StackSets expects the execution roles you create to have the default name AWSCloudFormationStackSetExecutionRole. See the Grant self-managed permissions section of the CloudFormation documentation.

The CDK will automatically create the central Administration Role in the Pipeline account which will be used to assume the Execution Role in each of the target accounts.

If you wish to use a pre-created Administration Role, use Role.from_role_name() or Role.from_role_arn() to import it, and pass it to this function:

from aws_cdk import aws_iam as iam

existing_admin_role = iam.Role.from_role_name(self, "AdminRole", "AWSCloudFormationStackSetAdministrationRole")

deployment_model = codepipeline_actions.StackSetDeploymentModel.self_managed(
    # Use an existing Role. Leave this out to create a new Role.
    administration_role=existing_admin_role
)

Using this deployment model, you can only specify AWS account IDs in the stack_instances parameter.

Parameters:
  • administration_role (Optional[IRole]) – The IAM role in the administrator account used to assume execution roles in the target accounts. You must create this role before using the StackSet action. The role needs to be assumable by CloudFormation, and it needs to be able to sts:AssumeRole each of the execution roles (whose names are specified in the execution_role_name parameter) in each of the target accounts. If you do not specify the role, we assume you have created a role named AWSCloudFormationStackSetAdministrationRole. Default: - Assume an existing role named AWSCloudFormationStackSetAdministrationRole in the same account as the pipeline.

  • execution_role_name (Optional[str]) – The name of the IAM role in the target accounts used to perform stack set operations. You must create these roles in each of the target accounts before using the StackSet action. The roles need to be assumable by the administration_role, and need to have the permissions necessary to successfully create and modify the resources that the subsequent CloudFormation deployments need. Administrator permissions are commonly granted to these roles, but it is safer to scope the permissions down from there if you can. Default: AWSCloudFormationStackSetExecutionRole

See:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs-self-managed.html

Return type:

StackSetDeploymentModel
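The role wiring that self_managed() expects, written out as IAM policy documents together with a check that flags wiring broader than the parameter descriptions require. This is an added example, not part of the CDK or its documentation; the function names and the pipeline account ID 999999999999 are assumptions made for illustration.

```python
ADMIN_ROLE = "AWSCloudFormationStackSetAdministrationRole"  # default name on this page
EXEC_ROLE = "AWSCloudFormationStackSetExecutionRole"        # default name on this page


def _allow(**fields):
    """One-statement IAM policy document that allows sts:AssumeRole."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", **fields}]}


def admin_role_policies(target_accounts, exec_role_name=EXEC_ROLE):
    """(trust, permissions) for the administration role in the pipeline account."""
    trust = _allow(Principal={"Service": "cloudformation.amazonaws.com"})
    # One ARN per target account rather than arn:aws:iam::*:role/<name>.
    arns = [f"arn:aws:iam::{acct}:role/{exec_role_name}" for acct in sorted(target_accounts)]
    return trust, _allow(Resource=arns)


def execution_role_trust(admin_account, admin_role_name=ADMIN_ROLE):
    """Trust policy for the execution role created in every target account."""
    return _allow(Principal={"AWS": f"arn:aws:iam::{admin_account}:role/{admin_role_name}"})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_findings(admin_permissions, exec_trust, admin_account, admin_role_name=ADMIN_ROLE):
    """Describe every place where the role wiring is broader than needed."""
    findings = []
    for stmt in admin_permissions["Statement"]:
        for arn in _as_list(stmt.get("Resource", [])):
            # Field 4 of an ARN is the account ID; "*" there means any account.
            if arn == "*" or arn.split(":")[4:5] == ["*"]:
                findings.append(f"administration role may assume roles in any account: {arn}")
    expected = f"arn:aws:iam::{admin_account}:role/{admin_role_name}"
    for stmt in exec_trust["Statement"]:
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for who in _as_list(aws):
            if who != expected:
                findings.append(f"execution role trusts more than the administration role: {who}")
    return findings


if __name__ == "__main__":
    PIPELINE_ACCOUNT = "999999999999"  # constructed sample account ID
    _, perms = admin_role_policies(["111111111111", "222222222222", "333333333333"])
    print(audit_findings(perms, execution_role_trust(PIPELINE_ACCOUNT), PIPELINE_ACCOUNT))
```

The generated documents can be serialized with json.dumps() and compared against the policies attached to the roles you created in each account.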