Our application is deployed across multiple AWS accounts, entirely using CloudFormation. So, we update our code, push to Git, this triggers a build, and then a package and deploy using the AWS CLI to one of 3 accounts depending on the environment.
It's unclear how this workflow will work with AppConfig, which doesn't seem to be able to support multiple account access. I've considered a couple of different approaches:
- Have a separate account with the configuration information for ALL accounts. Unfortunately, unless we have a separate role in the configuration account for AppConfig access, there does not appear to be a way for an application to get configuration data from a different account, so this approach doesn't seem feasible.
- Have a separate AppConfig::Application for each account, and each will just have a single environment. This is created via our CloudFormation deploy process, and we'll just manage and deploy configurations on an account-by-account basis (possibly using a separate Git repo to house the configuration data and push to each account in an automated way on commit).
Are there any other options? This seems more difficult than it should be, as AWS often suggests using separate accounts for different stages of deploy for security reasons.
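
The second approach above, sketched as a CloudFormation template; this is an added example, not part of the original post. The `Stage` parameter and its values, the `myapp` name, and the sample JSON content are assumptions. The managed policy limits the application's role to reading only this account's one configuration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example. One AppConfig application per account, with a single environment.
Parameters:
  Stage:                              # assumed name; the pipeline sets it per target account
    Type: String
    AllowedValues: [dev, staging, prod]   # assumed stage names for the 3 accounts
Resources:
  App:
    Type: AWS::AppConfig::Application
    Properties:
      Name: !Sub "myapp-${Stage}"     # "myapp" is a placeholder
  Env:
    Type: AWS::AppConfig::Environment
    Properties:
      ApplicationId: !Ref App
      Name: !Ref Stage                # the single environment in this account
  Profile:
    Type: AWS::AppConfig::ConfigurationProfile
    Properties:
      ApplicationId: !Ref App
      Name: settings
      LocationUri: hosted             # content is stored by AppConfig itself
  Version:
    Type: AWS::AppConfig::HostedConfigurationVersion
    Properties:
      ApplicationId: !Ref App
      ConfigurationProfileId: !Ref Profile
      ContentType: application/json
      Content: !Sub '{"stage": "${Stage}", "logLevel": "info"}'   # constructed sample
  Deploy:
    Type: AWS::AppConfig::Deployment
    Properties:
      ApplicationId: !Ref App
      EnvironmentId: !Ref Env
      ConfigurationProfileId: !Ref Profile
      ConfigurationVersion: !Ref Version      # Ref returns the version number
      DeploymentStrategyId: AppConfig.AllAtOnce   # predefined strategy
  ReadPolicy:                         # attach to the application's runtime role
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: ["appconfig:StartConfigurationSession", "appconfig:GetLatestConfiguration"]
            Resource: !Sub "arn:${AWS::Partition}:appconfig:${AWS::Region}:${AWS::AccountId}:application/${App}/environment/${Env}/configuration/${Profile}"
```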