aws-cdk-rfcs
StackSets Support
Description
Allow users to define a template through AWS CDK constructs and deploy as a Self-Managed CloudFormation StackSet.
- User defines stack set the same way as a normal CDK stack
- When user executes `cdk deploy`, it would create a stack set if it does not exist or update an existing stack set + existing stack set instances.
Proposed Scope:
- Create New Self-Managed Stack Set (docs).
- Update Existing Self-Managed Stack Set:
  - Update includes updating existing Stack Set instances as well
  - https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_UpdateStackSet.html
  - https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_UpdateStackInstances.html
- Ability to set stack set configuration/deployment properties:
  - Administration Role, Execution Role, Fault Tolerance, Concurrency, etc.
Out of Scope for v1 (May be iteratively added in future):
- Service-Managed Stack Set
- Add/Remove stack set instances by ID or OU
Roles
| Role | User |
|---|---|
| Proposed by | @linsona |
| Author(s) | @linsona |
| API Bar Raiser | @skinny85 |
| Stakeholders | @alias, @alias, @alias |
See RFC Process for details
Workflow
- [x] Tracking issue created (label: `status/proposed`)
- [x] API bar raiser assigned (ping us at #aws-cdk-rfcs if needed)
- [x] Kick off meeting
- [x] RFC pull request submitted (label: `status/review`)
- [ ] Community reach out (via Slack and/or Twitter)
- [ ] API signed-off (label `api-approved` applied to pull request)
- [ ] Final comments period (label: `status/final-comments-period`)
- [ ] Approved and merged (label: `status/approved`)
- [ ] Execution plan submitted (label: `status/planning`)
- [ ] Plan approved and merged (label: `status/implementing`)
- [ ] Implementation complete (label: `status/done`)
Author is responsible to progress the RFC according to this checklist, and apply the relevant labels to this issue so that the RFC table in README gets updated.
Yes, I have global applications that I need to deploy the same infrastructure in multiple regions. Using stacksets the CF templates need to use `${AWS::Region}` and `${AWS::AccountId}` variables to set the right values for each region/account. Looking at the Synth'd CF templates from CDK there are no variables like this. My suggestion is to use variables everywhere possible so we can support multiple regions and accounts, and StackSets. At this point I don't think I can use CDK for global applications with StackSets because of this limitation.
I built something like CDK in the past and to get it to work with StackSets I had to copy Lambda code to a bucket in each region. This is because Lambda wants the code in the same region. I'd assume we'll need to do something similar for CDK to support StackSets.
still relevant
Currently, I am trying to switch from troposphere to AWS CDK. The only issue that is stopping me, or actually just limiting my options with AWS CDK, is deployment using StackSets.
The issue is as follows:
- I am creating a lambda using `aws-lambda.Function` and `Code.asset`, which relies on using `cdk deploy` to inject the parameter values for the S3 bucket, object key and version.
I can get away if I use the lower level construct `CfnFunction`, but it defeats the purpose imo.
are there any workarounds you guys recommend? at least until it is natively supported.
I believe that when we implement aws/aws-cdk#3437 and asset locations will be hard-coded (without parameters), this will be enabled.
Had a customer today ask about stackset support. Is aws/aws-cdk#3437 still the going solution?
Any update on this ? since aws/aws-cdk#3437 is merged ?
Any news?
Any update on this ?
It would be good to see some progress on this
@eladb Do you have any update? 🙏
We would love to use AWS CDK in combination with AWS Org. and CloudFormation StackSets.
Do we know what actually needs to be done to implement this? Would love to be able to deploy multiple instances from a single place. Happy to help however I can to make this happen.
I would also love to be able to deploy stacksets via CDK. We have lots of accounts under a centrally managed organisation account. Recently our team was required to create all sorts of AWS resources in these accounts for initialisation purposes. The aws resources required would be defined via Cloudformation from other teams and applying them in the main org account using stacksets was a good way to achieve this. We basically create the stackset in the org account (service managed) and apply stackset instances to an org tree based on OU; any accounts under that OU will get the resources required.
The issue we had is that some teams wanted to use CDK to create their Cloudformation but stacksets are not currently supported. The way we got around this was to make a cloudformation template via `cdk synth` and apply that template using a simple bash script using aws-cli. It wasn't a pretty solution but worked. We didn't want to put too much dev time into making lambda functions/custom resource definitions etc if this ticket was close to being complete. Do we know how long until stacksets are supported under CDK?
From what issues I saw, CDK needs to be able to do the following:
- As we used service managed permissions we need to allow the org account access to all sub accounts ( as per https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html).
- Allow CDK to create a stackset into a single account (org account) using a cloudformation template (from 1 or more CDK apps)
- Have a way for CDK to apply stacksets instances to (either accountId or Org OU) and region
Maybe there is a better way, I'm open to suggestions :)
We also have 2 OU and each has its own sandbox. I hope cdk can support stacksets too~~ https://aws.amazon.com/blogs/aws/new-use-aws-cloudformation-stacksets-for-multiple-accounts-in-an-aws-organization/
Also critical for my team, anyone using Control Tower for large orgs needs this.
@dejonghe can you please describe your use case in more detail? In what way do you wish to use stack sets?
You can technically define a CDK stack, synth a template and deploy it through StackSets. What additional support would you expect from the CDK for this scenario?
I guess that routes seems like it would fit. I would say it would be nice to be able to use the same deploy mechanism for stack sets. We're moving off of a custom cloudformation deployment tool that prepped out CFN, stashed it in S3 in a versioned prefix, as well as many other things but we had support for stacksets. Use case is that we are using Control tower and have things that need to be deployed to every account, and should be controlled / owned by the master account. What I'd like to see is a core.StackSet that takes a list of accounts or an OU or something. I know that this isn't a simple change based on the way things are built up in CDK. Using the same deployment mechanism is really what I would want.
👀
@eladb I would have to agree with @dejonghe.
Between CloudFormation, AWS CDK, and AWS SAM, the ProServe team definitely get a ton of questions from our customers surrounding the variations in tooling and lack of (full) integration. Control Tower and StackSets are the best option we have for easily deploying and maintaining services that need to exist within every account; a common pattern for the enterprise where operational resources are centrally managed.
CDK has the potential to be the go-to tool. I know I'm a fan. But, we definitely need to solve for "deployment at scale" whether that means integrating with StackSets or a separate mechanism. Either way, it would be great if we can avoid context switching (different tools) to get the job done.
Could the below help?
https://docs.aws.amazon.com/cdk/latest/guide/stack_how_to_create_multiple_stacks.html
Hi @paul-ge ,
I'm afraid not. These are fundamentally different ideas. The doc you shared provides an example of multiple CDK stacks which makes it easy to modularize code, but still deploys to a single account. What we're discussing is deployment across all accounts by leveraging managed StackSets in CloudFormation.
Is anyone working on that? I'd like to have a StackSet constructs which accepts a Stack property as input. But I'm running into issues during synth, as the "StackSetStack" requires the output of the other stack which will be written only at the end of the synth.
I have just stumbled on this with StackSets and the CDK, but I assume one of the bigger issues would be the assets CDK provisions in S3 and lambda for Custom Resources and similar applications?
Is there any way to gather them in a stack and apply `aws:PrincipalOrgPaths` (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) to their access roles?
Any updates on this?
It is possible to deploy CDK as a StackSets by using an intermediate `Stage`. It is not pretty, but doable:

```ts
const app = new cdk.App()
// Stage allows us to synth CF template for Stacks added to it
const stage = new cdk.Stage(app, "Stage")
new StackToDeployAsStackset(stage, "XYZ")
const stackSetTemplateObj = stage.synth().stacks[0].template
const stackSetDeployer = new cdk.Stack(app, "StackSetDeployer")
new cdk.CfnStackSet(stackSetDeployer, "XYZASaStackSet", {
  // ...
  templateBody: JSON.stringify(stackSetTemplateObj),
})
```
> It is possible to deploy CDK as a StackSets by using an intermediate `Stage`. It is not pretty, but doable:
>
> ```ts
> const app = new cdk.App()
> // Stage allows us to synth CF template for Stacks added to it
> const stage = new cdk.Stage(app, "Stage")
> new StackToDeployAsStackset(stage, "XYZ")
> const stackSetTemplateObj = stage.synth().stacks[0].template
> const stackSetDeployer = new cdk.Stack(app, "StackSetDeployer")
> new cdk.CfnStackSet(stackSetDeployer, "XYZASaStackSet", {
>   // ...
>   templateBody: JSON.stringify(stackSetTemplateObj),
> })
> ```
Use of this method may trigger the following error: `Unable to fetch parameters [/cdk-bootstrap/hnb659fds/version] from parameter store for this account.`
It will happen when creating a stackset for an account that is not bootstrapped.
I fixed this error by removing the following sections from the template before the JSON dump:
- `["Resources"]["CDKMetadata"]`
- `["Rules"]["CheckBootstrapVersion"]`
- `["Parameters"]["BootstrapVersion"]`
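An added example (not code from this thread or from the CDK project) that applies the section removal described in the reply above to the `stackSetTemplateObj` from the earlier snippet, and reports whatever still depends on a single-account `cdk deploy`, such as asset parameters with no default. The `sanitizeForStackSet` and `walk` names and the sample template are constructed for this example.

```typescript
// Added example: sanitize a template synthesized through a cdk.Stage before
// handing it to CfnStackSet.templateBody. Not part of the thread or of CDK.
type Template = { [section: string]: any };

// Sections the reply above removes so that target accounts without the
// /cdk-bootstrap/hnb659fds/version SSM parameter do not fail the lookup.
const BOOTSTRAP_RULE = "CheckBootstrapVersion";
const BOOTSTRAP_PARAM = "BootstrapVersion";
const METADATA_RESOURCE = "CDKMetadata";

function sanitizeForStackSet(template: Template): { template: Template; problems: string[] } {
  const out: Template = JSON.parse(JSON.stringify(template)); // deep copy; caller's object stays intact
  const problems: string[] = [];
  if (out.Resources) delete out.Resources[METADATA_RESOURCE];
  if (out.Rules) delete out.Rules[BOOTSTRAP_RULE];
  if (out.Parameters) delete out.Parameters[BOOTSTRAP_PARAM];
  // Drop any section the removal left empty.
  for (const section of ["Resources", "Rules", "Parameters"]) {
    if (out[section] && Object.keys(out[section]).length === 0) delete out[section];
  }
  // Parameters without a Default are the values cdk deploy would inject
  // (asset bucket, key, version); a StackSet instance gets no such injection.
  const params: Template = out.Parameters || {};
  for (const name of Object.keys(params)) {
    if (params[name].Default === undefined) problems.push("parameter " + name + " has no Default");
  }
  // A Ref to the removed parameter would leave the template invalid.
  walk(out, (node) => {
    if (node.Ref === BOOTSTRAP_PARAM) problems.push("dangling Ref to " + BOOTSTRAP_PARAM);
  });
  return { template: out, problems };
}

// Depth-first visit of every object and array node in the template.
function walk(node: any, visit: (n: any) => void): void {
  if (node === null || typeof node !== "object") return;
  visit(node);
  for (const key of Object.keys(node)) walk(node[key], visit);
}

// Constructed sample shaped like a synthesized CDK template (not real output).
const SAMPLE_TEMPLATE: Template = {
  Parameters: {
    BootstrapVersion: { Type: "AWS::SSM::Parameter::Value<String>", Default: "/cdk-bootstrap/hnb659fds/version" },
    AssetParametersExampleS3Bucket: { Type: "String" }, // constructed asset parameter, no Default
  },
  Rules: { CheckBootstrapVersion: { Assertions: [] } },
  Resources: {
    CDKMetadata: { Type: "AWS::CDK::Metadata", Properties: { Analytics: "constructed" } },
    Topic: { Type: "AWS::SNS::Topic" },
  },
};
```

Feed the returned `template` to `JSON.stringify` for `templateBody`, and treat a non-empty `problems` list as a reason not to deploy.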
If you don't want to have the bootstrap check, you can use the `BootstraplessSynthesizer`.
Must work like this:

```ts
new StackToDeployAsStackset(stage, "XYZ", { synthesizer: new cdk.BootstraplessSynthesizer({}) });
```
@redbaron Nice snippet! Were you able to also figure out a way to take in and pass parameters to the stackset? CfnParameter must be part of a stack, so I'm not sure how to pass parameters here.
> It is possible to deploy CDK as a StackSets by using an intermediate `Stage`. It is not pretty, but doable:
>
> ```ts
> const app = new cdk.App()
> // Stage allows us to synth CF template for Stacks added to it
> const stage = new cdk.Stage(app, "Stage")
> new StackToDeployAsStackset(stage, "XYZ")
> const stackSetTemplateObj = stage.synth().stacks[0].template
> const stackSetDeployer = new cdk.Stack(app, "StackSetDeployer")
> new cdk.CfnStackSet(stackSetDeployer, "XYZASaStackSet", {
>   // ...
>   templateBody: JSON.stringify(stackSetTemplateObj),
> })
> ```

Are there any plans to natively integrate this with the CDK to make StackSets possible out-of-the-box?
We currently don't have concrete plans to add support for StackSets, but your comments and +1s will help us prioritize.