
Resource: awsCloudformationStackSet

Manages a CloudFormation StackSet. StackSets allow CloudFormation templates to be easily deployed across multiple accounts and regions via StackSet Instances (awsCloudformationStackSetInstance resource). Additional information about StackSets can be found in the AWS CloudFormation User Guide.

~> NOTE: All template parameters, including those with a default, must be configured or ignored with the lifecycle configuration block ignoreChanges argument.

~> NOTE: All noEcho template parameters must be ignored with the lifecycle configuration block ignoreChanges argument.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { Fn, TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";
class MyConvertedCode extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    // Trust policy: lets the CloudFormation service assume the administration role.
    const dataAwsIamPolicyDocumentAwsCloudFormationStackSetAdministrationRoleAssumeRolePolicy =
      new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
        this,
        "AWSCloudFormationStackSetAdministrationRole_assume_role_policy",
        {
          statement: [
            {
              actions: ["sts:AssumeRole"],
              effect: "Allow",
              principals: [
                {
                  identifiers: ["cloudformation.amazonaws.com"],
                  type: "Service",
                },
              ],
            },
          ],
        }
      );
    const awsIamRoleAwsCloudFormationStackSetAdministrationRole =
      new aws.iamRole.IamRole(
        this,
        "AWSCloudFormationStackSetAdministrationRole",
        {
          assumeRolePolicy:
            dataAwsIamPolicyDocumentAwsCloudFormationStackSetAdministrationRoleAssumeRolePolicy.json,
          name: "AWSCloudFormationStackSetAdministrationRole",
        }
      );
    // The StackSet itself; the template is rendered with Terraform's jsonencode
    // so that Terraform, not the TypeScript code, produces the JSON template body.
    const awsCloudformationStackSetExample =
      new aws.cloudformationStackSet.CloudformationStackSet(this, "example", {
        administrationRoleArn:
          awsIamRoleAwsCloudFormationStackSetAdministrationRole.arn,
        name: "example",
        parameters: {
          VPCCidr: "10.0.0.0/16",
        },
        templateBody: Fn.jsonencode({
          Parameters: {
            VPCCidr: {
              Type: "String",
              Default: "10.0.0.0/16",
              Description:
                "Enter the CIDR block for the VPC. Default is 10.0.0.0/16.",
            },
          },
          Resources: {
            myVpc: {
              Type: "AWS::EC2::VPC",
              Properties: {
                CidrBlock: { Ref: "VPCCidr" },
                Tags: [{ Key: "Name", Value: "Primary_CF_VPC" }],
              },
            },
          },
        }),
      });
    // Execution policy: the administration role may only assume the StackSet
    // execution role (by name) in the target accounts, nothing else.
    const dataAwsIamPolicyDocumentAwsCloudFormationStackSetAdministrationRoleExecutionPolicy =
      new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
        this,
        "AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy",
        {
          statement: [
            {
              actions: ["sts:AssumeRole"],
              effect: "Allow",
              resources: [
                `arn:aws:iam::*:role/${awsCloudformationStackSetExample.executionRoleName}`,
              ],
            },
          ],
        }
      );
    const awsIamRolePolicyAwsCloudFormationStackSetAdministrationRoleExecutionPolicy =
      new aws.iamRolePolicy.IamRolePolicy(
        this,
        "AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy_4",
        {
          name: "ExecutionPolicy",
          policy:
            dataAwsIamPolicyDocumentAwsCloudFormationStackSetAdministrationRoleExecutionPolicy.json,
          role: awsIamRoleAwsCloudFormationStackSetAdministrationRole.name,
        }
      );
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsIamRolePolicyAwsCloudFormationStackSetAdministrationRoleExecutionPolicy.overrideLogicalId(
      "AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy"
    );
  }
}

Argument Reference

The following arguments are supported:

  • administrationRoleArn - (Optional) Amazon Resource Name (ARN) of the IAM Role in the administrator account. This must be defined when using the SELF_MANAGED permission model.
  • autoDeployment - (Optional) Configuration block containing the auto-deployment model for your StackSet. This can only be defined when using the SERVICE_MANAGED permission model.
      • enabled - (Optional) Whether or not auto-deployment is enabled.
      • retainStacksOnAccountRemoval - (Optional) Whether or not to retain stacks when the account is removed.
  • name - (Required) Name of the StackSet. The name must be unique in the region where you create your StackSet. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphabetic character and cannot be longer than 128 characters.
  • capabilities - (Optional) A list of capabilities. Valid values: CAPABILITY_IAM, CAPABILITY_NAMED_IAM, CAPABILITY_AUTO_EXPAND.
  • operationPreferences - (Optional) Preferences for how AWS CloudFormation performs a stack set update.
  • description - (Optional) Description of the StackSet.
  • executionRoleName - (Optional) Name of the IAM Role in all target accounts for StackSet operations. Defaults to AWSCloudFormationStackSetExecutionRole when using the SELF_MANAGED permission model. This should not be defined when using the SERVICE_MANAGED permission model.
  • parameters - (Optional) Key-value map of input parameters for the StackSet template. All template parameters, including those with a default, must be configured or ignored with the lifecycle configuration block ignoreChanges argument. All noEcho template parameters must be ignored with the lifecycle configuration block ignoreChanges argument.
  • permissionModel - (Optional) Describes how the IAM roles required for your StackSet are created. Valid values: SELF_MANAGED (default), SERVICE_MANAGED.
  • callAs - (Optional) Specifies whether you are acting as an account administrator in the organization's management account or as a delegated administrator in a member account. Valid values: SELF (default), DELEGATED_ADMIN.
  • tags - (Optional) Key-value map of tags to associate with this StackSet and the Stacks created from it. AWS CloudFormation also propagates these tags to supported resources that are created in the Stacks. A maximum number of 50 tags can be specified. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • templateBody - (Optional) String containing the CloudFormation template body. Maximum size: 51,200 bytes. Conflicts with templateUrl.
  • templateUrl - (Optional) String containing the location of a file containing the CloudFormation template body. The URL must point to a template that is located in an Amazon S3 bucket. Maximum location file size: 460,800 bytes. Conflicts with templateBody.

operationPreferences Argument Reference

The operationPreferences configuration block supports the following arguments:

  • failureToleranceCount - (Optional) The number of accounts, per Region, for which this operation can fail before AWS CloudFormation stops the operation in that Region.
  • failureTolerancePercentage - (Optional) The percentage of accounts, per Region, for which this stack operation can fail before AWS CloudFormation stops the operation in that Region.
  • maxConcurrentCount - (Optional) The maximum number of accounts in which to perform this operation at one time.
  • maxConcurrentPercentage - (Optional) The maximum percentage of accounts in which to perform this operation at one time.
  • regionConcurrencyType - (Optional) The concurrency type for deploying StackSet operations across Regions: either in parallel or one Region at a time. Valid values: SEQUENTIAL, PARALLEL.
  • regionOrder - (Optional) The order of the Regions in which you want to perform the stack operation.
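The argument reference and the operationPreferences section above describe several constraints that are only reported once a plan or apply reaches AWS (a name that is not alphanumeric-plus-hyphens, an executionRoleName under SERVICE_MANAGED, both templateBody and templateUrl set, a template body over 51,200 bytes). The following TypeScript checker is an added example, not part of the AWS provider or CDKTF; it encodes the rules stated on this page so they can be checked before `cdktf synth`. The mutual exclusion of failureToleranceCount/failureTolerancePercentage and of maxConcurrentCount/maxConcurrentPercentage is taken from the AWS StackSetOperationPreferences API rather than from this page, and the account id and S3 URL in the sample configurations are constructed placeholders.

```typescript
// Added example (not part of the AWS provider docs or CDKTF): a pre-synth lint
// for awsCloudformationStackSet arguments. Rules come from the argument
// reference above; the count/percentage exclusivity is an AWS API constraint.
interface OperationPreferences {
  failureToleranceCount?: number;
  failureTolerancePercentage?: number;
  maxConcurrentCount?: number;
  maxConcurrentPercentage?: number;
  regionConcurrencyType?: string;
  regionOrder?: string[];
}

interface StackSetConfig {
  name: string;
  permissionModel?: string; // SELF_MANAGED (default) or SERVICE_MANAGED
  administrationRoleArn?: string;
  executionRoleName?: string;
  autoDeployment?: { enabled?: boolean; retainStacksOnAccountRemoval?: boolean };
  capabilities?: string[];
  callAs?: string;
  tags?: { [key: string]: string };
  templateBody?: string;
  templateUrl?: string;
  operationPreferences?: OperationPreferences;
}

const MAX_TEMPLATE_BODY_BYTES = 51200;
const MAX_TAGS = 50;
const VALID_CAPABILITIES = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"];

// UTF-8 length without relying on Buffer/TextEncoder typings.
function utf8ByteLength(s: string): number {
  let bytes = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x80) bytes += 1;
    else if (c < 0x800) bytes += 2;
    else if (c >= 0xd800 && c <= 0xdbff) { bytes += 4; i++; } // surrogate pair
    else bytes += 3;
  }
  return bytes;
}

function validateStackSetConfig(cfg: StackSetConfig): string[] {
  const errors: string[] = [];
  const model = cfg.permissionModel || "SELF_MANAGED";

  if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(cfg.name) || cfg.name.length > 128)
    errors.push("name: letters, digits and hyphens only, starting with a letter, at most 128 characters");
  if (model !== "SELF_MANAGED" && model !== "SERVICE_MANAGED")
    errors.push("permissionModel: must be SELF_MANAGED or SERVICE_MANAGED");
  if (model === "SELF_MANAGED" && !cfg.administrationRoleArn)
    errors.push("administrationRoleArn: required with the SELF_MANAGED permission model");
  if (model === "SERVICE_MANAGED" && cfg.executionRoleName)
    errors.push("executionRoleName: must not be set with the SERVICE_MANAGED permission model");
  if (model !== "SERVICE_MANAGED" && cfg.autoDeployment)
    errors.push("autoDeployment: only valid with the SERVICE_MANAGED permission model");
  if (cfg.callAs && cfg.callAs !== "SELF" && cfg.callAs !== "DELEGATED_ADMIN")
    errors.push("callAs: must be SELF or DELEGATED_ADMIN");
  (cfg.capabilities || []).forEach((c) => {
    if (VALID_CAPABILITIES.indexOf(c) === -1) errors.push("capabilities: unknown value " + c);
  });
  if (cfg.tags && Object.keys(cfg.tags).length > MAX_TAGS)
    errors.push("tags: at most " + MAX_TAGS + " tags may be specified");
  if (cfg.templateBody && cfg.templateUrl)
    errors.push("templateBody/templateUrl: conflict, set only one");
  else if (!cfg.templateBody && !cfg.templateUrl)
    errors.push("templateBody/templateUrl: a StackSet needs one of them");
  if (cfg.templateBody && utf8ByteLength(cfg.templateBody) > MAX_TEMPLATE_BODY_BYTES)
    errors.push("templateBody: exceeds " + MAX_TEMPLATE_BODY_BYTES + " bytes, use templateUrl");

  const op = cfg.operationPreferences;
  if (op) {
    if (op.failureToleranceCount !== undefined && op.failureTolerancePercentage !== undefined)
      errors.push("operationPreferences: failureToleranceCount and failureTolerancePercentage are mutually exclusive");
    if (op.maxConcurrentCount !== undefined && op.maxConcurrentPercentage !== undefined)
      errors.push("operationPreferences: maxConcurrentCount and maxConcurrentPercentage are mutually exclusive");
    [op.failureTolerancePercentage, op.maxConcurrentPercentage].forEach((pct) => {
      if (pct !== undefined && (pct < 0 || pct > 100)) errors.push("operationPreferences: percentages must be 0..100");
    });
    if (op.regionConcurrencyType && op.regionConcurrencyType !== "SEQUENTIAL" && op.regionConcurrencyType !== "PARALLEL")
      errors.push("operationPreferences: regionConcurrencyType must be SEQUENTIAL or PARALLEL");
  }
  return errors;
}

// Constructed sample configurations (placeholder account id and bucket).
const badConfig: StackSetConfig = {
  name: "example_stackset", // underscore is not allowed
  permissionModel: "SERVICE_MANAGED",
  executionRoleName: "AWSCloudFormationStackSetExecutionRole", // forbidden here
  templateBody: "{}",
  templateUrl: "https://s3.amazonaws.com/placeholder-bucket/template.json", // conflicts
  operationPreferences: { failureToleranceCount: 1, failureTolerancePercentage: 10 },
};

const goodConfig: StackSetConfig = {
  name: "example",
  administrationRoleArn: "arn:aws:iam::111111111111:role/AWSCloudFormationStackSetAdministrationRole",
  templateBody: "{}",
  operationPreferences: { maxConcurrentPercentage: 50, regionConcurrencyType: "PARALLEL" },
};

console.log(validateStackSetConfig(badConfig));
console.log(validateStackSetConfig(goodConfig));
```

Run the checker on the props object before passing it to `new aws.cloudformationStackSet.CloudformationStackSet(...)`; an empty list means the page's stated constraints are satisfied, while each string names the offending argument.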

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - Amazon Resource Name (ARN) of the StackSet.
  • id - Name of the StackSet.
  • stackSetId - Unique identifier of the StackSet.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Timeouts

Configuration options:

  • update - (Default 30m)

Import

CloudFormation StackSets can be imported using the name, e.g.,

$ terraform import aws_cloudformation_stack_set.example example