Create Amazon CloudFormation StackSets with service-managed permissions

With service-managed permissions, you can deploy stacks to accounts managed by Amazon Organizations in specific Regions. With this model, you don't need to create the necessary IAM roles; CloudFormation creates the IAM roles on your behalf. For more information, see Activate trusted access.

Considerations

Before you create a StackSet with service-managed permissions, consider the following:

  • StackSets with service-managed permissions are created in the management account, including StackSets that are created by delegated administrators.

  • Your StackSet can target your entire organization (includes all accounts) or specified organizational units (OUs). If your StackSet targets a parent OU, it also targets any child OUs. When your StackSet targets specific OUs, all accounts within those OUs are included by default. However, you can target specific accounts using account filter options.

  • Multiple StackSets can target the same organization or OU.

  • Your StackSet can't target accounts outside your organization.

  • Your StackSet can't deploy nested stacks.

  • CloudFormation doesn't deploy stacks to the organization's management account, even if the management account is in your organization or in an OU in your organization.

  • Automatic deployment is set at the StackSet level. You can't adjust automatic deployments selectively for OUs, accounts, or Regions.

  • The permissions of the IAM principal entity (user, role, or group) that you use to sign in to the management account determine whether you are authorized to deploy with StackSets. For an example IAM policy that grants permissions to deploy to an organization, see Restrict stack set operations based on Region and resource types.

  • Delegated administrators have full permissions to deploy to accounts in your organization. The management account can't limit delegated administrator permissions to deploy to specific OUs or to perform specific StackSet operations.

Create a StackSet with service-managed permissions (console)

To create a StackSet
  1. Sign in to the Amazon Web Services Management Console and open the Amazon CloudFormation console at https://console.amazonaws.cn/cloudformation.

  2. On the navigation bar at the top of the screen, choose the Amazon Web Services Region that you want to manage the StackSet from.

  3. From the navigation pane, choose StackSets.

  4. From the top of the StackSets page, choose Create StackSet.

  5. Under Permissions, choose Service-managed permissions.

    Note

    If trusted access with Amazon Organizations is disabled, a banner displays. Trusted access is required to create or update a StackSet with service-managed permissions. Only the administrator in the organization's management account has permissions to Activate trusted access for StackSets with Amazon Organizations.

  6. Under Prerequisite - Prepare template, choose Template is ready.

  7. Under Specify template, choose to either specify the URL for the S3 bucket that contains your stack template or upload a stack template file. Then, choose Next.

  8. On the Specify StackSet details page, provide a name for the StackSet, specify any parameters, and then choose Next.

  9. On the Configure StackSet options page, under Tags, specify any tags to apply to resources in your stack. For more information about how tags are used in Amazon, see Organizing and tracking costs using Amazon cost allocation tags in the Amazon Billing and Cost Management User Guide.

  10. For Execution configuration, choose Active to enable CloudFormation's optimized operation handling:

    • Non-conflicting operations run concurrently for faster deployment times.

    • Conflicting operations are automatically queued and processed in the order they were requested.

    While operations are running or queued, CloudFormation queues all incoming operations even if they're non-conflicting. You can't change execution settings during this time.

  11. If your template contains IAM resources, for Capabilities, choose I acknowledge that this template may create IAM resources to specify that you want to use IAM resources in the template. For more information, see Acknowledging IAM resources in CloudFormation templates.

  12. Choose Next to proceed and to activate trusted access if not already activated.

  13. On the Set deployment options page, under Deployment targets, do one of the following:

    • To deploy to all accounts in your organization, choose Deploy to organization.

    • To deploy to all accounts in specific OUs, choose Deploy to organizational units (OUs). Choose Add an OU, and then paste the target OU ID in the text box. Repeat for each new target OU.

    If you chose Deploy to organizational units (OUs), for Account filter type, you can set your deployment targets to be specific individual accounts by choosing one of the following options and providing account numbers.

    • None (default) – Deploy stacks to all accounts in the specified OUs.

    • Intersection – Deploy stacks to specific individual accounts within the selected OUs.

    • Difference – Deploy stacks to all accounts in the selected OUs except for specific accounts.

    • Union – Deploy stacks to the specified OUs plus additional individual accounts.

  14. Under Automatic deployment, choose whether to automatically deploy to accounts that are added to the target organization or OUs in the future. For more information, see Enable or disable automatic deployments for StackSets in Amazon Organizations.

  15. If you enabled automatic deployment, under Account removal behavior, choose whether stack resources are retained or deleted when an account is removed from a target organization or OU.

    Note

    With Retain stacks selected, stacks are removed from your StackSet, but the stacks and their associated resources are retained. The resources stay in their current state, but will no longer be part of the StackSet.

  16. Under Specify regions, choose the Regions you want to deploy stacks in.

  17. For Deployment options, do the following:

    • For Maximum concurrent accounts, specify how many accounts are processed concurrently.

    • For Failure tolerance, specify the maximum number of account failures allowed per Region. The operation will stop and won't proceed to other Regions once this limit is reached.

    • For Region concurrency, choose how to process Regions: Sequential (one Region at a time) or Parallel (multiple Regions concurrently).

    • For Concurrency mode, choose how concurrency behaves during operation execution.

      • Strict failure tolerance – Reduces account concurrency level when failures occur, staying within Failure tolerance +1.

      • Soft failure tolerance – Maintains your specified concurrency level (the value of Maximum concurrent accounts) regardless of failures.

  18. Choose Next to continue.

  19. On the Review page, verify that your StackSet will deploy to the correct accounts in the correct Regions, and then choose Create StackSet.

    The StackSet details page opens. You can view the progress and status of the creation of the stacks in your StackSet.

Create a StackSet with service-managed permissions (Amazon CLI)

Follow the steps in this section to use the Amazon CLI to:

  • Create the StackSet container.

  • Deploy stack instances.

Note

When acting as a delegated administrator, you must include --call-as DELEGATED_ADMIN in the command.

Deploy to your organization

To create a StackSet
  1. Use the create-stack-set command to create a new StackSet named my-stackset. The following example uses a template stored in an S3 bucket, enables automatic deployments, and preserves stacks when accounts are removed. For more information, see Enable or disable automatic deployments for StackSets in Amazon Organizations.

    aws cloudformation create-stack-set \
      --stack-set-name my-stackset \
      --template-url https://s3.region-code.amazonaws.com/amzn-s3-demo-bucket/MyApp.template \
      --permission-model SERVICE_MANAGED \
      --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=true

  2. Use the list-stack-sets command to confirm that your StackSet was created. Your new StackSet is listed in the results.

    aws cloudformation list-stack-sets

    • If you set the --call-as option to DELEGATED_ADMIN while signed in to your member account, list-stack-sets returns all StackSets with service-managed permissions in the organization's management account.

    • If you set the --call-as option to SELF while signed in to your Amazon Web Services account, list-stack-sets returns all self-managed StackSets in your Amazon Web Services account.

    • If you set the --call-as option to SELF while signed in to the organization's management account, list-stack-sets returns all StackSets in the organization's management account.

  3. Use the create-stack-instances command to add stacks to your StackSet. For the --deployment-targets option, specify the organization root ID to deploy to all accounts in your organization.

    Set concurrent account processing and other deployment preferences using the --operation-preferences option. This example uses count-based settings. Note that MaxConcurrentCount must not exceed FailureToleranceCount + 1. For percentage-based settings, use FailureTolerancePercentage or MaxConcurrentPercentage instead.

    aws cloudformation create-stack-instances \
      --stack-set-name my-stackset \
      --deployment-targets OrganizationalUnitIds=r-a1b2c3d4e5 \
      --regions us-west-2 us-east-1 \
      --operation-preferences MaxConcurrentCount=1,FailureToleranceCount=0

    For more information, see CreateStackInstances in the Amazon CloudFormation API Reference.

  4. Using the operation-id that was returned as part of the create-stack-instances output, use the following describe-stack-set-operation command to verify that your stacks were created successfully.

    aws cloudformation describe-stack-set-operation \
      --stack-set-name my-stackset \
      --operation-id operation_ID

Deploy to organizational units (OUs)

To create a StackSet
  1. Use the create-stack-set command to create a new StackSet named my-stackset. The following example uses a template stored in an S3 bucket and includes a parameter that sets KeyPairName to the value TestKey.

    aws cloudformation create-stack-set \
      --stack-set-name my-stackset \
      --template-url https://s3.region-code.amazonaws.com/amzn-s3-demo-bucket/MyApp.template \
      --permission-model SERVICE_MANAGED \
      --parameters ParameterKey=KeyPairName,ParameterValue=TestKey

  2. Use the list-stack-sets command to confirm that your StackSet was created. Your new StackSet is listed in the results.

    aws cloudformation list-stack-sets

    • If you set the --call-as option to DELEGATED_ADMIN while signed in to your member account, list-stack-sets returns all StackSets with service-managed permissions in the organization's management account.

    • If you set the --call-as option to SELF while signed in to your Amazon Web Services account, list-stack-sets returns all self-managed StackSets in your Amazon Web Services account.

    • If you set the --call-as option to SELF while signed in to the organization's management account, list-stack-sets returns all StackSets in the organization's management account.

  3. Use the create-stack-instances command to add stacks to your StackSet. For the --deployment-targets option, specify the OU IDs to deploy to.

    Set concurrent account processing and other deployment preferences using the --operation-preferences option. This example uses count-based settings. Note that MaxConcurrentCount must not exceed FailureToleranceCount + 1. For percentage-based settings, use FailureTolerancePercentage or MaxConcurrentPercentage instead.

    aws cloudformation create-stack-instances \
      --stack-set-name my-stackset \
      --deployment-targets OrganizationalUnitIds=ou-rcuk-1x5j1lwo,ou-rcuk-slr5lh0a \
      --regions us-west-2 us-east-1 \
      --operation-preferences MaxConcurrentCount=1,FailureToleranceCount=0

    For more information, see CreateStackInstances in the Amazon CloudFormation API Reference.

  4. Using the operation-id that was returned as part of the create-stack-instances output, use the following describe-stack-set-operation command to verify that your stacks were created successfully.

    aws cloudformation describe-stack-set-operation \
      --stack-set-name my-stackset \
      --operation-id operation_ID

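The constraint stated in the create-stack-instances steps above (for the organization root and for OUs alike) is easy to trip over at the CLI. As an added example that is not part of the Amazon documentation, this Python validator checks an --operation-preferences map before rendering it to the CLI shorthand used on this page; it assumes the key and enum names of the StackSetOperationPreferences API and, going beyond the text above, skips the +1 check when ConcurrencyMode is SOFT_FAILURE_TOLERANCE, since that mode keeps the configured concurrency regardless of failures.

```python
"""Validate StackSet --operation-preferences before handing them to the Amazon CLI."""

REGION_CONCURRENCY = {"SEQUENTIAL", "PARALLEL"}
CONCURRENCY_MODES = {"STRICT_FAILURE_TOLERANCE", "SOFT_FAILURE_TOLERANCE"}
COUNT_KEYS = {"MaxConcurrentCount", "FailureToleranceCount"}
PERCENT_KEYS = {"MaxConcurrentPercentage", "FailureTolerancePercentage"}


def validate_operation_preferences(prefs: dict) -> list[str]:
    """Return the list of problems found; an empty list means the map is acceptable."""
    problems = []
    count_keys = prefs.keys() & COUNT_KEYS
    pct_keys = prefs.keys() & PERCENT_KEYS
    # Count-based and percentage-based settings are alternatives, never mixed.
    if count_keys and pct_keys:
        problems.append("mixing count-based and percentage-based settings")
    for key in count_keys | pct_keys:
        if not isinstance(prefs[key], int) or prefs[key] < 0:
            problems.append(f"{key} must be a non-negative integer")
        elif key in PERCENT_KEYS and prefs[key] > 100:
            problems.append(f"{key} must be at most 100")
    mode = prefs.get("ConcurrencyMode", "STRICT_FAILURE_TOLERANCE")
    if mode not in CONCURRENCY_MODES:
        problems.append(f"unknown ConcurrencyMode {mode!r}")
    if prefs.get("RegionConcurrencyType", "SEQUENTIAL") not in REGION_CONCURRENCY:
        problems.append("RegionConcurrencyType must be SEQUENTIAL or PARALLEL")
    # Strict mode (the default) caps MaxConcurrentCount at FailureToleranceCount + 1;
    # soft mode keeps the configured concurrency regardless of failures.
    if mode == "STRICT_FAILURE_TOLERANCE":
        max_c = prefs.get("MaxConcurrentCount")
        tol = prefs.get("FailureToleranceCount", 0)
        if isinstance(max_c, int) and isinstance(tol, int) and max_c > tol + 1:
            problems.append(f"MaxConcurrentCount={max_c} exceeds FailureToleranceCount+1={tol + 1}")
    return problems


def to_cli_shorthand(prefs: dict) -> str:
    """Render the Key=Value,... shorthand used on this page; raise if the map is invalid."""
    problems = validate_operation_preferences(prefs)
    if problems:
        raise ValueError("; ".join(problems))
    return ",".join(f"{key}={value}" for key, value in prefs.items())


if __name__ == "__main__":
    # Constructed input: the values from this page's create-stack-instances example.
    print(to_cli_shorthand({"MaxConcurrentCount": 1, "FailureToleranceCount": 0}))
```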
Deploy to specific accounts in OUs

You can target specific organizational units (OUs) and use account filtering to precisely control which accounts receive stack deployments. By default, stacks deploy to all accounts within specified OUs if no account filtering is specified.

In the Amazon CLI, you specify account filtering with the --deployment-targets option. For more information, see DeploymentTargets.

After you create the StackSet container with the create-stack-set command, use one of the following examples to deploy stacks to specific accounts.

Target specific accounts in an OU

The following example deploys stacks only to accounts A1 and A2 in OU1.

aws cloudformation create-stack-instances \
  --stack-set-name my-stackset \
  --deployment-targets OrganizationalUnitIds=OU1,Accounts=A1,A2,AccountFilterType=INTERSECTION \
  --regions us-west-2 us-east-1

Exclude accounts from an OU

The following example deploys stacks to all accounts in OU1 except accounts A1 and A2.

aws cloudformation create-stack-instances \
  --stack-set-name my-stackset \
  --deployment-targets OrganizationalUnitIds=OU1,Accounts=A1,A2,AccountFilterType=DIFFERENCE \
  --regions us-west-2 us-east-1
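The four account filter types described on this page (together with the rules that a parent OU target also covers its child OUs and that the management account never receives a stack) can be checked before create-stack-instances is run. This Python example is added here and is not part of the Amazon documentation; the organization map, OU IDs and account IDs are constructed placeholders.

```python
"""Resolve which accounts a --deployment-targets value actually reaches."""

# Constructed sample organization (placeholder IDs): each OU lists its direct
# member accounts and its child OUs. Targeting a parent OU covers its children.
SAMPLE_ORG = {
    "ou-example-ou1": {"accounts": {"111111111111", "222222222222"},
                       "children": ["ou-example-ou1a"]},
    "ou-example-ou1a": {"accounts": {"333333333333"}, "children": []},
    "ou-example-ou2": {"accounts": {"444444444444", "999999999999"}, "children": []},
}
# The management account never receives stacks, even when it sits inside an OU.
SAMPLE_MANAGEMENT_ACCOUNT = "999999999999"


def accounts_under(ou_id: str, org: dict) -> set[str]:
    """All accounts in an OU and, recursively, in its child OUs."""
    if ou_id not in org:
        raise ValueError(f"unknown OU {ou_id!r}")
    found = set(org[ou_id]["accounts"])
    for child in org[ou_id]["children"]:
        found |= accounts_under(child, org)
    return found


def resolve_targets(targets: dict, org: dict = SAMPLE_ORG,
                    management_account: str = SAMPLE_MANAGEMENT_ACCOUNT) -> set[str]:
    """Apply AccountFilterType (NONE, INTERSECTION, DIFFERENCE, UNION) as this page defines it."""
    in_ous = set()
    for ou_id in targets.get("OrganizationalUnitIds", []):
        in_ous |= accounts_under(ou_id, org)
    listed = set(targets.get("Accounts", []))
    # A StackSet can't target accounts outside the organization.
    outside = listed - set().union(*(ou["accounts"] for ou in org.values()))
    if outside:
        raise ValueError(f"accounts not in the organization: {sorted(outside)}")
    filter_type = targets.get("AccountFilterType", "NONE")
    if filter_type == "NONE":            # all accounts in the OUs; Accounts is ignored
        result = in_ous
    elif filter_type == "INTERSECTION":  # only the listed accounts that are in the OUs
        result = in_ous & listed
    elif filter_type == "DIFFERENCE":    # everything in the OUs except the listed accounts
        result = in_ous - listed
    elif filter_type == "UNION":         # the OUs plus the listed accounts
        result = in_ous | listed
    else:
        raise ValueError(f"unknown AccountFilterType {filter_type!r}")
    return result - {management_account}
```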