Stack
data class StackSetArgs(val administrationRoleArn: Output<String>? = null, val autoDeployment: Output<StackSetAutoDeploymentArgs>? = null, val callAs: Output<String>? = null, val capabilities: Output<List<String>>? = null, val description: Output<String>? = null, val executionRoleName: Output<String>? = null, val managedExecution: Output<StackSetManagedExecutionArgs>? = null, val name: Output<String>? = null, val operationPreferences: Output<StackSetOperationPreferencesArgs>? = null, val parameters: Output<Map<String, String>>? = null, val permissionModel: Output<String>? = null, val tags: Output<Map<String, String>>? = null, val templateBody: Output<String>? = null, val templateUrl: Output<String>? = null) : ConvertibleToJava<StackSetArgs>
Manages a CloudFormation StackSet. StackSets allow CloudFormation templates to be easily deployed across multiple accounts and regions via StackSet Instances (aws.cloudformation.StackSetInstance resource). Additional information about StackSets can be found in the AWS CloudFormation User Guide.
NOTE: All template parameters, including those with a
Default, must be configured or ignored with thelifecycleconfiguration blockignore_changesargument. NOTE: AllNoEchotemplate parameters must be ignored with thelifecycleconfiguration blockignore_changesargument. NOTE: When using a delegated administrator account, ensure that your IAM User or Role has theorganizations:ListDelegatedAdministratorspermission. Otherwise, you may get an error likeValidationError: Account used is not a delegated administrator.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy = aws.iam.getPolicyDocument({
statements: [{
actions: ["sts:AssumeRole"],
effect: "Allow",
principals: [{
identifiers: ["cloudformation.amazonaws.com"],
type: "Service",
}],
}],
});
const aWSCloudFormationStackSetAdministrationRole = new aws.iam.Role("AWSCloudFormationStackSetAdministrationRole", {
assumeRolePolicy: aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy.then(aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy => aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy.json),
name: "AWSCloudFormationStackSetAdministrationRole",
});
const example = new aws.cloudformation.StackSet("example", {
administrationRoleArn: aWSCloudFormationStackSetAdministrationRole.arn,
name: "example",
parameters: {
VPCCidr: "10.0.0.0/16",
},
templateBody: JSON.stringify({
Parameters: {
VPCCidr: {
Type: "String",
Default: "10.0.0.0/16",
Description: "Enter the CIDR block for the VPC. Default is 10.0.0.0/16.",
},
},
Resources: {
myVpc: {
Type: "AWS::EC2::VPC",
Properties: {
CidrBlock: {
Ref: "VPCCidr",
},
Tags: [{
Key: "Name",
Value: "Primary_CF_VPC",
}],
},
},
},
}),
});
const aWSCloudFormationStackSetAdministrationRoleExecutionPolicy = aws.iam.getPolicyDocumentOutput({
statements: [{
actions: ["sts:AssumeRole"],
effect: "Allow",
resources: [pulumi.interpolate`arn:aws:iam::*:role/${example.executionRoleName}`],
}],
});
const aWSCloudFormationStackSetAdministrationRoleExecutionPolicyRolePolicy = new aws.iam.RolePolicy("AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy", {
name: "ExecutionPolicy",
policy: aWSCloudFormationStackSetAdministrationRoleExecutionPolicy.apply(aWSCloudFormationStackSetAdministrationRoleExecutionPolicy => aWSCloudFormationStackSetAdministrationRoleExecutionPolicy.json),
role: aWSCloudFormationStackSetAdministrationRole.name,
});Content copied to clipboard
import pulumi
import json
import pulumi_aws as aws
a_ws_cloud_formation_stack_set_administration_role_assume_role_policy = aws.iam.get_policy_document(statements=[{
"actions": ["sts:AssumeRole"],
"effect": "Allow",
"principals": [{
"identifiers": ["cloudformation.amazonaws.com"],
"type": "Service",
}],
}])
a_ws_cloud_formation_stack_set_administration_role = aws.iam.Role("AWSCloudFormationStackSetAdministrationRole",
assume_role_policy=a_ws_cloud_formation_stack_set_administration_role_assume_role_policy.json,
name="AWSCloudFormationStackSetAdministrationRole")
example = aws.cloudformation.StackSet("example",
administration_role_arn=a_ws_cloud_formation_stack_set_administration_role.arn,
name="example",
parameters={
"VPCCidr": "10.0.0.0/16",
},
template_body=json.dumps({
"Parameters": {
"VPCCidr": {
"Type": "String",
"Default": "10.0.0.0/16",
"Description": "Enter the CIDR block for the VPC. Default is 10.0.0.0/16.",
},
},
"Resources": {
"myVpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {
"Ref": "VPCCidr",
},
"Tags": [{
"Key": "Name",
"Value": "Primary_CF_VPC",
}],
},
},
},
}))
a_ws_cloud_formation_stack_set_administration_role_execution_policy = aws.iam.get_policy_document_output(statements=[{
"actions": ["sts:AssumeRole"],
"effect": "Allow",
"resources": [example.execution_role_name.apply(lambda execution_role_name: f"arn:aws:iam::*:role/{execution_role_name}")],
}])
a_ws_cloud_formation_stack_set_administration_role_execution_policy_role_policy = aws.iam.RolePolicy("AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy",
name="ExecutionPolicy",
policy=a_ws_cloud_formation_stack_set_administration_role_execution_policy.json,
role=a_ws_cloud_formation_stack_set_administration_role.name)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Actions = new[]
{
"sts:AssumeRole",
},
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Identifiers = new[]
{
"cloudformation.amazonaws.com",
},
Type = "Service",
},
},
},
},
});
var aWSCloudFormationStackSetAdministrationRole = new Aws.Iam.Role("AWSCloudFormationStackSetAdministrationRole", new()
{
AssumeRolePolicy = aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
Name = "AWSCloudFormationStackSetAdministrationRole",
});
var example = new Aws.CloudFormation.StackSet("example", new()
{
AdministrationRoleArn = aWSCloudFormationStackSetAdministrationRole.Arn,
Name = "example",
Parameters =
{
{ "VPCCidr", "10.0.0.0/16" },
},
TemplateBody = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["Parameters"] = new Dictionary<string, object?>
{
["VPCCidr"] = new Dictionary<string, object?>
{
["Type"] = "String",
["Default"] = "10.0.0.0/16",
["Description"] = "Enter the CIDR block for the VPC. Default is 10.0.0.0/16.",
},
},
["Resources"] = new Dictionary<string, object?>
{
["myVpc"] = new Dictionary<string, object?>
{
["Type"] = "AWS::EC2::VPC",
["Properties"] = new Dictionary<string, object?>
{
["CidrBlock"] = new Dictionary<string, object?>
{
["Ref"] = "VPCCidr",
},
["Tags"] = new[]
{
new Dictionary<string, object?>
{
["Key"] = "Name",
["Value"] = "Primary_CF_VPC",
},
},
},
},
},
}),
});
var aWSCloudFormationStackSetAdministrationRoleExecutionPolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Actions = new[]
{
"sts:AssumeRole",
},
Effect = "Allow",
Resources = new[]
{
$"arn:aws:iam::*:role/{example.ExecutionRoleName}",
},
},
},
});
var aWSCloudFormationStackSetAdministrationRoleExecutionPolicyRolePolicy = new Aws.Iam.RolePolicy("AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy", new()
{
Name = "ExecutionPolicy",
Policy = aWSCloudFormationStackSetAdministrationRoleExecutionPolicy.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
Role = aWSCloudFormationStackSetAdministrationRole.Name,
});
});Content copied to clipboard
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudformation"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
{
Actions: []string{
"sts:AssumeRole",
},
Effect: pulumi.StringRef("Allow"),
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Identifiers: []string{
"cloudformation.amazonaws.com",
},
Type: "Service",
},
},
},
},
}, nil)
if err != nil {
return err
}
aWSCloudFormationStackSetAdministrationRole, err := iam.NewRole(ctx, "AWSCloudFormationStackSetAdministrationRole", &iam.RoleArgs{
AssumeRolePolicy: pulumi.String(aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy.Json),
Name: pulumi.String("AWSCloudFormationStackSetAdministrationRole"),
})
if err != nil {
return err
}
tmpJSON0, err := json.Marshal(map[string]interface{}{
"Parameters": map[string]interface{}{
"VPCCidr": map[string]interface{}{
"Type": "String",
"Default": "10.0.0.0/16",
"Description": "Enter the CIDR block for the VPC. Default is 10.0.0.0/16.",
},
},
"Resources": map[string]interface{}{
"myVpc": map[string]interface{}{
"Type": "AWS::EC2::VPC",
"Properties": map[string]interface{}{
"CidrBlock": map[string]interface{}{
"Ref": "VPCCidr",
},
"Tags": []map[string]interface{}{
map[string]interface{}{
"Key": "Name",
"Value": "Primary_CF_VPC",
},
},
},
},
},
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
example, err := cloudformation.NewStackSet(ctx, "example", &cloudformation.StackSetArgs{
AdministrationRoleArn: aWSCloudFormationStackSetAdministrationRole.Arn,
Name: pulumi.String("example"),
Parameters: pulumi.StringMap{
"VPCCidr": pulumi.String("10.0.0.0/16"),
},
TemplateBody: pulumi.String(json0),
})
if err != nil {
return err
}
aWSCloudFormationStackSetAdministrationRoleExecutionPolicy := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
Statements: iam.GetPolicyDocumentStatementArray{
&iam.GetPolicyDocumentStatementArgs{
Actions: pulumi.StringArray{
pulumi.String("sts:AssumeRole"),
},
Effect: pulumi.String("Allow"),
Resources: pulumi.StringArray{
example.ExecutionRoleName.ApplyT(func(executionRoleName string) (string, error) {
return fmt.Sprintf("arn:aws:iam::*:role/%v", executionRoleName), nil
}).(pulumi.StringOutput),
},
},
},
}, nil)
_, err = iam.NewRolePolicy(ctx, "AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy", &iam.RolePolicyArgs{
Name: pulumi.String("ExecutionPolicy"),
Policy: pulumi.String(aWSCloudFormationStackSetAdministrationRoleExecutionPolicy.ApplyT(func(aWSCloudFormationStackSetAdministrationRoleExecutionPolicy iam.GetPolicyDocumentResult) (*string, error) {
return &aWSCloudFormationStackSetAdministrationRoleExecutionPolicy.Json, nil
}).(pulumi.StringPtrOutput)),
Role: aWSCloudFormationStackSetAdministrationRole.Name,
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.cloudformation.StackSet;
import com.pulumi.aws.cloudformation.StackSetArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.actions("sts:AssumeRole")
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.identifiers("cloudformation.amazonaws.com")
.type("Service")
.build())
.build())
.build());
var aWSCloudFormationStackSetAdministrationRole = new Role("aWSCloudFormationStackSetAdministrationRole", RoleArgs.builder()
.assumeRolePolicy(aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy.json())
.name("AWSCloudFormationStackSetAdministrationRole")
.build());
var example = new StackSet("example", StackSetArgs.builder()
.administrationRoleArn(aWSCloudFormationStackSetAdministrationRole.arn())
.name("example")
.parameters(Map.of("VPCCidr", "10.0.0.0/16"))
.templateBody(serializeJson(
jsonObject(
jsonProperty("Parameters", jsonObject(
jsonProperty("VPCCidr", jsonObject(
jsonProperty("Type", "String"),
jsonProperty("Default", "10.0.0.0/16"),
jsonProperty("Description", "Enter the CIDR block for the VPC. Default is 10.0.0.0/16.")
))
)),
jsonProperty("Resources", jsonObject(
jsonProperty("myVpc", jsonObject(
jsonProperty("Type", "AWS::EC2::VPC"),
jsonProperty("Properties", jsonObject(
jsonProperty("CidrBlock", jsonObject(
jsonProperty("Ref", "VPCCidr")
)),
jsonProperty("Tags", jsonArray(jsonObject(
jsonProperty("Key", "Name"),
jsonProperty("Value", "Primary_CF_VPC")
)))
))
))
))
)))
.build());
final var aWSCloudFormationStackSetAdministrationRoleExecutionPolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.actions("sts:AssumeRole")
.effect("Allow")
.resources(example.executionRoleName().applyValue(_executionRoleName -> String.format("arn:aws:iam::*:role/%s", _executionRoleName)))
.build())
.build());
var aWSCloudFormationStackSetAdministrationRoleExecutionPolicyRolePolicy = new RolePolicy("aWSCloudFormationStackSetAdministrationRoleExecutionPolicyRolePolicy", RolePolicyArgs.builder()
.name("ExecutionPolicy")
.policy(aWSCloudFormationStackSetAdministrationRoleExecutionPolicy.applyValue(_aWSCloudFormationStackSetAdministrationRoleExecutionPolicy -> _aWSCloudFormationStackSetAdministrationRoleExecutionPolicy.json()))
.role(aWSCloudFormationStackSetAdministrationRole.name())
.build());
}
}Content copied to clipboard
resources:
aWSCloudFormationStackSetAdministrationRole:
type: aws:iam:Role
name: AWSCloudFormationStackSetAdministrationRole
properties:
assumeRolePolicy: ${aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy.json}
name: AWSCloudFormationStackSetAdministrationRole
example:
type: aws:cloudformation:StackSet
properties:
administrationRoleArn: ${aWSCloudFormationStackSetAdministrationRole.arn}
name: example
parameters:
VPCCidr: 10.0.0.0/16
templateBody:
fn::toJSON:
Parameters:
VPCCidr:
Type: String
Default: 10.0.0.0/16
Description: Enter the CIDR block for the VPC. Default is 10.0.0.0/16.
Resources:
myVpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock:
Ref: VPCCidr
Tags:
- Key: Name
Value: Primary_CF_VPC
aWSCloudFormationStackSetAdministrationRoleExecutionPolicyRolePolicy:
type: aws:iam:RolePolicy
name: AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy
properties:
name: ExecutionPolicy
policy: ${aWSCloudFormationStackSetAdministrationRoleExecutionPolicy.json}
role: ${aWSCloudFormationStackSetAdministrationRole.name}
variables:
aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy:
fn::invoke:
function: aws:iam:getPolicyDocument
arguments:
statements:
- actions:
- sts:AssumeRole
effect: Allow
principals:
- identifiers:
- cloudformation.amazonaws.com
type: Service
aWSCloudFormationStackSetAdministrationRoleExecutionPolicy:
fn::invoke:
function: aws:iam:getPolicyDocument
arguments:
statements:
- actions:
- sts:AssumeRole
effect: Allow
resources:
- arn:aws:iam::*:role/${example.executionRoleName}Content copied to clipboard
Import
Import CloudFormation StackSets when acting a delegated administrator in a member account using the name and call_as values separated by a comma (,). For example: Using pulumi import, import CloudFormation StackSets using the name. For example:
$ pulumi import aws:cloudformation/stackSet:StackSet example exampleContent copied to clipboard
Using pulumi import, import CloudFormation StackSets when acting a delegated administrator in a member account using the name and call_as values separated by a comma (,). For example:
$ pulumi import aws:cloudformation/stackSet:StackSet example example,DELEGATED_ADMINContent copied to clipboard
Constructors
Link copied to clipboard
constructor(administrationRoleArn: Output<String>? = null, autoDeployment: Output<StackSetAutoDeploymentArgs>? = null, callAs: Output<String>? = null, capabilities: Output<List<String>>? = null, description: Output<String>? = null, executionRoleName: Output<String>? = null, managedExecution: Output<StackSetManagedExecutionArgs>? = null, name: Output<String>? = null, operationPreferences: Output<StackSetOperationPreferencesArgs>? = null, parameters: Output<Map<String, String>>? = null, permissionModel: Output<String>? = null, tags: Output<Map<String, String>>? = null, templateBody: Output<String>? = null, templateUrl: Output<String>? = null)
Properties
Link copied to clipboard
Amazon Resource Number (ARN) of the IAM Role in the administrator account. This must be defined when using the SELF_MANAGED permission model.
Link copied to clipboard
Configuration block containing the auto-deployment model for your StackSet. This can only be defined when using the SERVICE_MANAGED permission model.
Link copied to clipboard
A list of capabilities. Valid values: CAPABILITY_IAM, CAPABILITY_NAMED_IAM, CAPABILITY_AUTO_EXPAND.
Link copied to clipboard
Description of the StackSet.
Link copied to clipboard
Name of the IAM Role in all target accounts for StackSet operations. Defaults to AWSCloudFormationStackSetExecutionRole when using the SELF_MANAGED permission model. This should not be defined when using the SERVICE_MANAGED permission model.
Link copied to clipboard
Configuration block to allow StackSets to perform non-conflicting operations concurrently and queues conflicting operations.
Link copied to clipboard
Link copied to clipboard
Preferences for how AWS CloudFormation performs a stack set update.
Link copied to clipboard
Key-value map of input parameters for the StackSet template. All template parameters, including those with a Default, must be configured or ignored with lifecycle configuration block ignore_changes argument. All NoEcho template parameters must be ignored with the lifecycle configuration block ignore_changes argument.
Link copied to clipboard
Describes how the IAM roles required for your StackSet are created. Valid values: SELF_MANAGED (default), SERVICE_MANAGED.
Link copied to clipboard
Key-value map of tags to associate with this StackSet and the Stacks created from it. AWS CloudFormation also propagates these tags to supported resources that are created in the Stacks. A maximum number of 50 tags can be specified. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
Link copied to clipboard
String containing the CloudFormation template body. Maximum size: 51,200 bytes. Conflicts with template_url.
Link copied to clipboard
String containing the location of a file containing the CloudFormation template body. The URL must point to a template that is located in an Amazon S3 bucket. Maximum location file size: 460,800 bytes. Conflicts with template_body.