aws-sso-util
MaxAssignmentsAllocation: Nested stack logic
Trying to understand the logic between MaxAssignmentsAllocation and the number of nested stacks.
For example, the resource below would result in 12 assignments, so with MaxAssignmentsAllocation set to 6 I was expecting 2 nested stacks, but I am seeing a single nested stack with 12 assignments. Essentially, with the current AWS resource limit per stack being 500, I am hoping that I can set MaxAssignmentsAllocation to a lower amount like 400, and anything above that would get split into further nested stacks.
```yaml
Metadata:
  SSO:
    MaxAssignmentsAllocation: 6
Description: Builds AWS SSO PermissionSet and Assignment Resources
Parameters:
  SSOInstanceArn:
    Type: String
    Description: 'The ARN of the SSO instance i.e: arn:aws:sso:::instance/ssoins-instanceId'
    Default: 'arn:aws:sso:::instance/ssoins-1234567879078fe73b718'
Resources:
  ReadOnlyAssignmentAssignmentGroup:
    Type: SSOUtil::SSO::AssignmentGroup
    Properties:
      Name: ReadOnlyAssignment
      Principal:
        - Type: GROUP
          Id:
            - '111111'
            - '22222'
            - '33333'
      PermissionSet:
        - 'arn:aws:sso:::permissionSet/ssoins-1111/ps-1111'
        - 'arn:aws:sso:::permissionSet/ssoins-2222/ps-2222'
      Target:
        - Type: AWS_ACCOUNT
          Id:
            - '1111111111111111'
            - '222222222222'
```
You are looking for MaxResourcesPerTemplate. MaxAssignmentsAllocation is intended to be the maximum number of assignments you ever expect to create, which, when divided by MaxResourcesPerTemplate (which defaults to the CloudFormation limit of 500), results in a fixed number of child stacks.
Thanks, so with the default (-1) configuration, would nesting automatically kick in for a template of over 500 assignments?
Yes. In general I recommend choosing a fixed number of stacks (or max allocation) for a given template, as it prevents assignments from being moved between substacks when the number of substacks changes, which can cause issues.
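The arithmetic from the replies above, worked through on the template in the question, as an added Python example that is not aws-sso-util's own code. The function names, the round-robin `place` scheme and the extra group id `44444` are assumptions made for illustration; the tool's real placement logic may differ.

```python
import math
from itertools import product

# Values taken from the AssignmentGroup in the question.
PRINCIPALS = ["111111", "22222", "33333"]
PERMISSION_SETS = [
    "arn:aws:sso:::permissionSet/ssoins-1111/ps-1111",
    "arn:aws:sso:::permissionSet/ssoins-2222/ps-2222",
]
TARGETS = ["1111111111111111", "222222222222"]


def expand(principals, permission_sets, targets):
    """One assignment per (principal, permission set, target) combination."""
    return list(product(principals, permission_sets, targets))


def child_stack_count(max_assignments_allocation, max_resources_per_template=500):
    """Fixed stack count as the reply describes it: allocation / per-template limit."""
    return math.ceil(max_assignments_allocation / max_resources_per_template)


def place(assignments, num_stacks):
    """ASSUMED placement (round-robin by position), used only to show the effect."""
    return {a: i % num_stacks for i, a in enumerate(assignments)}


def moved(before, stacks_before, after, stacks_after):
    """Count existing assignments that end up in a different child stack."""
    old, new = place(before, stacks_before), place(after, stacks_after)
    return sum(1 for a, s in old.items() if a in new and new[a] != s)


if __name__ == "__main__":
    current = expand(PRINCIPALS, PERMISSION_SETS, TARGETS)
    # Constructed change: one more group is added to the same AssignmentGroup.
    grown = expand(PRINCIPALS + ["44444"], PERMISSION_SETS, TARGETS)
    print("assignments in the question:", len(current))
    print("stacks, allocation 6, default limit 500:", child_stack_count(6))
    print("stacks, allocation 12, limit 6:", child_stack_count(12, 6))
    print("moved, stack count fixed at 2:", moved(current, 2, grown, 2))
    print("moved, stack count 2 -> 3:", moved(current, 2, grown, 3))
```

Under the assumed placement, keeping the stack count fixed leaves every existing assignment where it was, while changing the count relocates most of them, which is the situation the last reply recommends avoiding.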