cloudformation-coverage-roadmap
StackSets: Requirement for ParameterOverrides to propagate to NEW Stack instances when AutoDeployment is enabled.
Name of the resource
AWS::CloudFormation::StackSet
Resource name
No response
Description
Deploying a StackSet with ParameterOverrides and AutoDeployment enabled to existing accounts works well. However, when new account instances are created through AutoDeployment, the ParameterOverrides are not applied to the new target accounts. Instead, the template's default parameter values are used.
Can this behavior be changed to work as expected?
Replication steps:
- Create Template1.yml with an Environment parameter and (for example) an IAM Role that references the parameter.
- Upload Template1.yml to S3 in the master organization account from which you will deploy the StackSet. Take note of the bucket URL.
- Create Template2.yml.
- Update the TemplateURL to the S3 bucket URL from step 2.
- Update the OrganizationalUnitIds to reflect 2 existing OUs.
- Before creating the StackSet from Template2.yml, ensure the OUs provided contain at least 1 account each.
- From the master account, open CloudFormation Stacks, then create a new stack by providing Template2.yml. During deployment, this stack will create the StackSet.
- Once completed, log in to the targeted accounts and verify that the 2 roles were created with dev and prod respectively.
- Finally, create a new account inside one of the OUs.
- Notice that the role in the new account does not include either dev or prod. Instead, it is created with the default value of UNDEFINED.
Expected Behavior: The new account instance was expected to also use the ParameterOverrides value; instead, the default value is used.
Template1.yml:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  Environment:
    Type: String
    Description: "Description of the environment."
    Default: UNDEFINED
Resources:
  StackSetResourceRole:
    Type: AWS::IAM::Role
    Properties:
      Description: !Sub
        - 'ROLE-${Env}'
        - Env: !Ref Environment
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
```
Template2.yml:

```yaml
Parameters:
  Environment:
    Type: String
    Description: "Description of the environment."
    Default: UNDEFINED
Resources:
  CFNResourceWithParms:
    Type: AWS::CloudFormation::StackSet
    Properties:
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
      PermissionModel: SERVICE_MANAGED
      StackSetName: CFNResourceWithParms
      Capabilities:
        - 'CAPABILITY_IAM'
      TemplateURL: https://xxx-yyyy-bucket-us-east-1.s3.amazonaws.com/Template1.yml # example bucket
      StackInstancesGroup:
        - ParameterOverrides:
            - { ParameterKey: "Environment", ParameterValue: "prod" }
          DeploymentTargets:
            OrganizationalUnitIds:
              - ou-xxx-xxx # example ou
          Regions:
            - us-east-1
        - ParameterOverrides:
            - { ParameterKey: "Environment", ParameterValue: "dev" }
          DeploymentTargets:
            OrganizationalUnitIds:
              - ou-yyy-yyy # example ou
          Regions:
            - us-east-1
```
Work-around: Running update-stack-instances against the new account instance corrects the parameter values (see [1]):

```shell
aws cloudformation update-stack-instances --stack-set-name stacksetname --parameter-overrides ParameterKey=Environment,ParameterValue=prod --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1 --accounts "NEW_ACCOUNT_ID" --regions "us-east-1"
```
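Until the behaviour is fixed, auto-deployed instances that silently fell back to the default are a configuration-drift risk worth checking for. The following is an added example (not from the issue or from AWS) that compares the intended per-OU overrides from Template2.yml against observed stack instances and emits the work-around command for every instance that drifted; it assumes instance records shaped like the `StackInstance` object returned by `describe-stack-instance` (`Account`, `Region`, `OrganizationalUnitId`, `ParameterOverrides`), and the sample data is constructed.

```python
import shlex

# Intent: mirrors the two StackInstancesGroup entries in Template2.yml.
INTENT = {
    "ou-xxx-xxx": {"Environment": "prod"},
    "ou-yyy-yyy": {"Environment": "dev"},
}

# Constructed sample: two pre-existing accounts carry their override; the
# auto-deployed new account (3333...) has none, so it fell back to UNDEFINED.
OBSERVED = [
    {"Account": "111111111111", "Region": "us-east-1", "OrganizationalUnitId": "ou-xxx-xxx",
     "ParameterOverrides": [{"ParameterKey": "Environment", "ParameterValue": "prod"}]},
    {"Account": "222222222222", "Region": "us-east-1", "OrganizationalUnitId": "ou-yyy-yyy",
     "ParameterOverrides": [{"ParameterKey": "Environment", "ParameterValue": "dev"}]},
    {"Account": "333333333333", "Region": "us-east-1", "OrganizationalUnitId": "ou-yyy-yyy",
     "ParameterOverrides": []},
]


def overrides_as_dict(instance):
    """Flatten the ParameterOverrides list into a {key: value} mapping."""
    return {p["ParameterKey"]: p["ParameterValue"] for p in instance.get("ParameterOverrides", [])}


def find_drift(intent, instances):
    """Return (account, region, expected_overrides) for every instance whose
    overrides differ from the intent for its OU; OUs without intent are skipped."""
    drift = []
    for inst in instances:
        expected = intent.get(inst.get("OrganizationalUnitId"))
        if expected is None:
            continue
        if overrides_as_dict(inst) != expected:
            drift.append((inst["Account"], inst["Region"], expected))
    return drift


def remediation_command(stack_set_name, account, region, expected):
    """Build the update-stack-instances call used as the issue's work-around."""
    params = " ".join(f"ParameterKey={k},ParameterValue={v}" for k, v in sorted(expected.items()))
    return (f"aws cloudformation update-stack-instances --stack-set-name {shlex.quote(stack_set_name)} "
            f"--parameter-overrides {params} "
            f"--operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1 "
            f"--accounts {account} --regions {region}")


if __name__ == "__main__":
    for account, region, expected in find_drift(INTENT, OBSERVED):
        print(remediation_command("CFNResourceWithParms", account, region, expected))
```

In practice OBSERVED would be filled from `list-stack-instances` followed by `describe-stack-instance` per summary, since only the latter returns ParameterOverrides.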
References:
[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stackinstances-override.html#stackinstances-override-cli
PS: creating this request on behalf of a customer.
Other Details
No response