| subcategory | layout | page_title | description |
|---|---|---|---|
| CloudFormation | aws | AWS: aws_cloudformation_stack_set | Manages a CloudFormation StackSet. |
# Resource: aws_cloudformation_stack_set

Manages a CloudFormation StackSet. StackSets allow CloudFormation templates to be easily deployed across multiple accounts and regions via StackSet Instances (`aws_cloudformation_stack_set_instance` resource). Additional information about StackSets can be found in the AWS CloudFormation User Guide.
~> **NOTE:** All template parameters, including those with a `Default`, must be configured or ignored with the `lifecycle` configuration block `ignore_changes` argument.

~> **NOTE:** All `NoEcho` template parameters must be ignored with the `lifecycle` configuration block `ignore_changes` argument.

~> **NOTE:** When using a delegated administrator account, ensure that your IAM User or Role has the `organizations:ListDelegatedAdministrators` permission. Otherwise, you may get an error like `ValidationError: Account used is not a delegated administrator`.
## Example Usage

```terraform
data "aws_iam_policy_document" "AWSCloudFormationStackSetAdministrationRole_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      identifiers = ["cloudformation.amazonaws.com"]
      type        = "Service"
    }
  }
}

resource "aws_iam_role" "AWSCloudFormationStackSetAdministrationRole" {
  assume_role_policy = data.aws_iam_policy_document.AWSCloudFormationStackSetAdministrationRole_assume_role_policy.json
  name               = "AWSCloudFormationStackSetAdministrationRole"
}

resource "aws_cloudformation_stack_set" "example" {
  administration_role_arn = aws_iam_role.AWSCloudFormationStackSetAdministrationRole.arn
  name                    = "example"

  parameters = {
    VPCCidr = "10.0.0.0/16"
  }

  template_body = jsonencode({
    Parameters = {
      VPCCidr = {
        Type        = "String"
        Default     = "10.0.0.0/16"
        Description = "Enter the CIDR block for the VPC. Default is 10.0.0.0/16."
      }
    }
    Resources = {
      myVpc = {
        Type = "AWS::EC2::VPC"
        Properties = {
          CidrBlock = {
            Ref = "VPCCidr"
          }
          Tags = [
            {
              Key   = "Name"
              Value = "Primary_CF_VPC"
            }
          ]
        }
      }
    }
  })
}

data "aws_iam_policy_document" "AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy" {
  statement {
    actions   = ["sts:AssumeRole"]
    effect    = "Allow"
    resources = ["arn:aws:iam::*:role/${aws_cloudformation_stack_set.example.execution_role_name}"]
  }
}

resource "aws_iam_role_policy" "AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy" {
  name   = "ExecutionPolicy"
  policy = data.aws_iam_policy_document.AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy.json
  role   = aws_iam_role.AWSCloudFormationStackSetAdministrationRole.name
}
```
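The notes above require every template parameter to be listed in `parameters` and every `NoEcho` parameter to be excluded from diffs with `ignore_changes`. The following is an added example, not part of the provider documentation, showing both: the template takes a `NoEcho` API key whose value comes from a Terraform variable marked `sensitive` (assumed to be supplied through a tfvars file or `TF_VAR_` environment variable), and only that key is ignored. The variable names, the `log-forwarder` StackSet and the administration role ARN variable are assumptions for the example.

```terraform
# Added example, not the provider's own documentation code.
# Assumed inputs: the administration role ARN (see the self-managed example
# above) and a sensitive API key for a hypothetical log forwarder.

variable "administration_role_arn" {
  description = "ARN of the StackSet administration role (assumed to exist)."
  type        = string
}

variable "forwarder_api_key" {
  description = "API key for the log forwarder (constructed example, supplied out of band)."
  type        = string
  sensitive   = true # keeps the value out of plan output and the console
}

resource "aws_cloudformation_stack_set" "log_forwarder" {
  name                    = "log-forwarder"
  administration_role_arn = var.administration_role_arn

  # Every template parameter is configured here, including the one with a
  # Default; otherwise Terraform reports a permanent diff.
  parameters = {
    RetentionDays   = "30"
    ForwarderApiKey = var.forwarder_api_key
  }

  template_body = jsonencode({
    Parameters = {
      RetentionDays = {
        Type    = "Number"
        Default = "30"
      }
      ForwarderApiKey = {
        Type        = "String"
        NoEcho      = true # masked in stack events, DescribeStacks and the console
        Description = "API key for the log forwarder."
      }
    }
    Resources = {
      ForwarderLogGroup = {
        Type = "AWS::Logs::LogGroup"
        Properties = {
          LogGroupName    = "/security/log-forwarder"
          RetentionInDays = { Ref = "RetentionDays" }
        }
      }
      ForwarderApiKeySecret = {
        Type = "AWS::SecretsManager::Secret"
        Properties = {
          Name         = "log-forwarder/api-key"
          SecretString = { Ref = "ForwarderApiKey" }
        }
      }
    }
  })

  lifecycle {
    # CloudFormation returns NoEcho values masked ("****"), so Terraform would
    # otherwise see a change on every plan. Ignore only that map key; the
    # non-secret parameter still drifts normally.
    ignore_changes = [parameters["ForwarderApiKey"]]
  }
}
```

Ignoring the single key (Terraform's `ignore_changes` accepts map index notation such as `parameters["ForwarderApiKey"]`) is preferable to ignoring the whole `parameters` map, because a later change to `RetentionDays` is still planned and applied. Rotating the API key then requires an explicit StackSet update (for example, a temporary removal of the ignore rule), which is the trade-off the `NoEcho` note implies.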
## Argument Reference

This resource supports the following arguments:

* `administration_role_arn` - (Optional) Amazon Resource Name (ARN) of the IAM Role in the administrator account. This must be defined when using the `SELF_MANAGED` permission model.
* `auto_deployment` - (Optional) Configuration block containing the auto-deployment model for your StackSet. This can only be defined when using the `SERVICE_MANAGED` permission model.
    * `enabled` - (Optional) Whether or not auto-deployment is enabled.
    * `retain_stacks_on_account_removal` - (Optional) Whether or not to retain stacks when the account is removed.
* `name` - (Required) Name of the StackSet. The name must be unique in the region where you create your StackSet. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphabetic character and cannot be longer than 128 characters.
* `capabilities` - (Optional) A list of capabilities. Valid values: `CAPABILITY_IAM`, `CAPABILITY_NAMED_IAM`, `CAPABILITY_AUTO_EXPAND`.
* `operation_preferences` - (Optional) Preferences for how AWS CloudFormation performs a stack set update.
* `description` - (Optional) Description of the StackSet.
* `execution_role_name` - (Optional) Name of the IAM Role in all target accounts for StackSet operations. Defaults to `AWSCloudFormationStackSetExecutionRole` when using the `SELF_MANAGED` permission model. This should not be defined when using the `SERVICE_MANAGED` permission model.
* `managed_execution` - (Optional) Configuration block to allow StackSets to perform non-conflicting operations concurrently and queue conflicting operations.
    * `active` - (Optional) When set to true, StackSets performs non-conflicting operations concurrently and queues conflicting operations. After conflicting operations finish, StackSets starts queued operations in request order. Default is false.
* `parameters` - (Optional) Key-value map of input parameters for the StackSet template. All template parameters, including those with a `Default`, must be configured or ignored with the `lifecycle` configuration block `ignore_changes` argument. All `NoEcho` template parameters must be ignored with the `lifecycle` configuration block `ignore_changes` argument.
* `permission_model` - (Optional) Describes how the IAM roles required for your StackSet are created. Valid values: `SELF_MANAGED` (default), `SERVICE_MANAGED`.
* `call_as` - (Optional) Specifies whether you are acting as an account administrator in the organization's management account or as a delegated administrator in a member account. Valid values: `SELF` (default), `DELEGATED_ADMIN`.
* `tags` - (Optional) Key-value map of tags to associate with this StackSet and the Stacks created from it. AWS CloudFormation also propagates these tags to supported resources that are created in the Stacks. A maximum of 50 tags can be specified. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
* `template_body` - (Optional) String containing the CloudFormation template body. Maximum size: 51,200 bytes. Conflicts with `template_url`.
* `template_url` - (Optional) String containing the location of a file containing the CloudFormation template body. The URL must point to a template that is located in an Amazon S3 bucket. Maximum location file size: 460,800 bytes. Conflicts with `template_body`.
The `operation_preferences` configuration block supports the following arguments:

* `failure_tolerance_count` - (Optional) The number of accounts, per Region, for which this operation can fail before AWS CloudFormation stops the operation in that Region.
* `failure_tolerance_percentage` - (Optional) The percentage of accounts, per Region, for which this stack operation can fail before AWS CloudFormation stops the operation in that Region.
* `max_concurrent_count` - (Optional) The maximum number of accounts in which to perform this operation at one time.
* `max_concurrent_percentage` - (Optional) The maximum percentage of accounts in which to perform this operation at one time.
* `region_concurrency_type` - (Optional) The concurrency type of deploying StackSets operations in Regions: either in parallel or one Region at a time.
* `region_order` - (Optional) The order of the Regions in which you want to perform the stack operation.
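The `SERVICE_MANAGED` permission model, `call_as`, `auto_deployment`, `managed_execution` and the `operation_preferences` block above combine naturally in an organization-wide guardrail rollout. The following is an added example, not part of the provider documentation, run from a delegated administrator account: it deploys a read-only `SecurityAuditRole` into member accounts with auto-deployment enabled, a strict failure tolerance, and sequential Region ordering so a bad template stops early. The StackSet name, the role name, the Region list, the `security_account_id` variable and its placeholder value are assumptions for the example; the `SecurityAudit` managed policy ARN is AWS's standard one.

```terraform
# Added example, not the provider's own documentation code.
# No administration_role_arn or execution_role_name is set: under
# SERVICE_MANAGED, CloudFormation uses its service-managed roles in the
# organization. Account ID below is a placeholder.

variable "security_account_id" {
  description = "Account allowed to assume the audit role (placeholder value)."
  type        = string
  default     = "111111111111"
}

resource "aws_cloudformation_stack_set" "security_audit" {
  name             = "security-audit-role"
  description      = "Read-only audit role in every member account"
  permission_model = "SERVICE_MANAGED"
  call_as          = "DELEGATED_ADMIN"         # needs organizations:ListDelegatedAdministrators
  capabilities     = ["CAPABILITY_NAMED_IAM"]  # template creates a role with a fixed RoleName

  # New accounts joining a targeted OU get the stack automatically; stacks are
  # deleted, not retained, when an account leaves the organization.
  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }

  # Let non-conflicting operations run concurrently; conflicting ones queue.
  managed_execution {
    active = true
  }

  operation_preferences {
    # Stop a Region after more than two failed accounts. AWS requires
    # max_concurrent_count to be at most failure_tolerance_count + 1.
    failure_tolerance_count = 2
    max_concurrent_count    = 3
    region_concurrency_type = "SEQUENTIAL"
    region_order            = ["us-east-1", "eu-west-1"]
  }

  # Every template parameter is configured, as the notes on this page require.
  parameters = {
    SecurityAccountId = var.security_account_id
  }

  template_body = jsonencode({
    Parameters = {
      SecurityAccountId = {
        Type           = "String"
        AllowedPattern = "^[0-9]{12}$"
      }
    }
    Resources = {
      SecurityAuditRole = {
        Type = "AWS::IAM::Role"
        Properties = {
          RoleName          = "SecurityAuditRole"
          ManagedPolicyArns = ["arn:aws:iam::aws:policy/SecurityAudit"]
          AssumeRolePolicyDocument = {
            Version = "2012-10-17"
            Statement = [
              {
                Effect = "Allow"
                # "$${...}" is Terraform's escape for a literal ${...} that Fn::Sub expands.
                Principal = { AWS = { "Fn::Sub" = "arn:aws:iam::$${SecurityAccountId}:root" } }
                Action    = "sts:AssumeRole"
                Condition = { Bool = { "aws:MultiFactorAuthPresent" = "true" } }
              }
            ]
          }
        }
      }
    }
  })
}
```

Target accounts and Regions are then attached with the `aws_cloudformation_stack_set_instance` resource mentioned at the top of this page. Sequential Region order with a low failure tolerance means a broken template fails in the first Region and never reaches the second, which is the behaviour a practitioner wants for anything touching IAM.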
## Attribute Reference

This resource exports the following attributes in addition to the arguments above:

* `arn` - Amazon Resource Name (ARN) of the StackSet.
* `id` - Name of the StackSet.
* `stack_set_id` - Unique identifier of the StackSet.
* `tags_all` - A map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
## Timeouts

Configuration options:

* `update` - (Default `30m`)
## Import

In Terraform v1.5.0 and later, use an `import` block to import CloudFormation StackSets using the `name`. For example:

```terraform
import {
  to = aws_cloudformation_stack_set.example
  id = "example"
}
```

Import CloudFormation StackSets when acting as a delegated administrator in a member account using the `name` and `call_as` values separated by a comma (`,`). For example:

```terraform
import {
  to = aws_cloudformation_stack_set.example
  id = "example,DELEGATED_ADMIN"
}
```

Using `terraform import`, import CloudFormation StackSets using the `name`. For example:

```console
% terraform import aws_cloudformation_stack_set.example example
```

Using `terraform import`, import CloudFormation StackSets when acting as a delegated administrator in a member account using the `name` and `call_as` values separated by a comma (`,`). For example:

```console
% terraform import aws_cloudformation_stack_set.example example,DELEGATED_ADMIN
```