Skip to content

StackSets: The Coolest Thing Since Sliced Bread

Deploying Infrastructure on AWS

As companies scale up, maintaining their entire cloud infrastructure in a single account becomes untenable and it becomes necessary to wire multiple accounts together. Here are some common uses cases for separate accounts:

  • Meeting different regulatory requirements (SOX, HIPAA, PCI, FEDRAMP)
  • Maintaining an account for Disaster Recovery
  • Giving different business units autonomy over their own systems
  • Minimizing the “blast radius” of system failures/human error
  • Creating “cleaner” permissioning schemes
  • Getting better insight into costs

There is a great re:Invent video on the topic HERE.
AWS has been releasing cross-account tools in recent months (e.g. AWS Organizations  and CloudWatch Cross-Account Event Buses), however there are still a few notable challenges, one of which is deploying infrastructure across accounts.
While companies have come up with numerous solutions to this challenge (commonly something like Jenkins, Ansible, CircleCI, Chef, etc.), there hasn’t been a great AWS “native” way to do it. It is possible—but hacky—and doesn’t feel like proper deployment, in that there is a lack of error handling as well as a lack of monitoring the cross-across deployments, etc.

 

Enter CloudFormation StackSets

AWS just made cross-account and cross-region deployment much simpler. StackSets is a new feature of CloudFormation that allows for easy deployment of up to 50 CloudFormation Templates at a time into target regions and accounts.

Terms:

  • Managed Account – the account(s) into which the CloudFormation StackSet will deploy. For clarity I will use the term Target Account(s)
  • Master Account – the account where the StackSet lives and has permissions to reach out into each of the Managed/Target Accounts. This would be the equivalent of a centralized CI/CD pipeline or Share Services Account.

  • Cross-Account Role – f

    or more on cross-account roles, visit this tutorial.

Getting started is pretty straight forward:

  1. Deploy this CloudFormation Template into each of your Target Accounts. This creates the AWSCloudFormationStackSetExecutionRole that the CloudFormation service will assume to deploy StackSets in the Target Account.
  2. Deploy this CloudFormation Template into your Master Account. This creates a cross-account role called AWSCloudFormationStackSetAdministrationRole that CloudFormation will use to assume the AWSCloudFormationStackSetExecutionRole in each of the Target Accounts.
  3. Select the CloudFormation template(s) you would like to deploy into the Target Accounts. One of the very first things anyone should do when creating a new AWS account is to enable CloudTrail. This AWS service logs all API activity in your account and can be used for a number of purposes, including forensic analysis and automated remediation of security events. For the purposes of this example, our StackSet will enable CloudTrail in each of the target accounts.
  4. Specify stack parameters as you would a single CloudFormation template. These parameters will be applied in each Target Account.
  5. Specify the account numbers of the Target Accounts (or all of the accounts in an AWS Organizations – Organizational Unit (OU)! Fantastic!). Specify the region(s) in which your CloudFormation StackSet will be deployed.
  6. Determine your deployment strategy (see image for descriptions)
  7. And you’re off to the races!

 
And THAT. IS. AWESOME!
The CloudFormation Stacks from the StackSet show up in the Target Account(s) as you would expect and can be managed separately if needed.

An existing StackSet has 3 management actions, Create (i.e. add additional Stack to the StackSet), Update, or Delete. Each of these actions has the same behavior that you would expect from normal CloudFormation Stacks.
 
You can monitor the deployment of all the stacks from the console and watch as the Stacks are updated (Outdated -> Current)

I can think of all sorts of neat uses for this, and I look forward to exploring them with our customers. I also can’t wait to see how StackSets will be supported by other services in the future (CodePipeline?).
Need help with your AWS Project? Click HERE to schedule a consultation with one of our AWS Experts.

Recent Blog Posts

November 2, 2021 | admin

Auto Remediation Using AWS Lambda and Amazon EventBridge

September 7, 2021 | admin

Execute queries in parallel against Snowflake using AWS Glue

July 27, 2021 | admin

5 Reasons to Use Amazon S3

Categories

Categories