Updating CFN stack over multiple accounts


A customer is implementing a multi-account deployment strategy (account 1 for DEVO, account 2 for UAT, account 3 for Production) using CFN templates to provision their infra as code.

The deployment process includes the typical deploy/validate/promote workflow, where a new version of the CFN template should be validated in a DEVO environment before promoting it to UAT and so on.

My initial approach was using CFN StackSets, and it works nicely at stack creation time, but when it comes to stack update, it seems to be impossible to control when/where to deploy the new version of the template (i.e. "Updating a stack set always touches all stack instances"), so I cannot validate a stage deployment before promoting to the next stage (probably target account gates lambdas can do the trick, but that looks to me like a lot of additional complexity).

I would expect to have something like update-stack-set without updating the existing stack instances, allowing me to perform an account-by-account update of the stack after proper validation is performed.

The alternative solution I am exploring is using cross-account roles to target individual accounts using CFN update-stack (hence ignoring StackSets).

Any experience with a similar requirement?

asked 5 years ago, 23 views
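The cross-account-role alternative described in the question, as an added example that is not part of the original post: each stage's stack is updated through a short-lived assumed role, and the next account is only touched once a validation gate passes. The account IDs, the role name `CfnDeployRole`, the session name and the `validate` hook are assumptions.

```python
"""Staged promotion: update one account's stack at a time, gated on validation."""

# Constructed sample stages; account IDs and the role name are placeholders.
STAGES = [
    ("DEVO", "arn:aws:iam::111111111111:role/CfnDeployRole"),
    ("UAT", "arn:aws:iam::222222222222:role/CfnDeployRole"),
    ("PROD", "arn:aws:iam::333333333333:role/CfnDeployRole"),
]


def assumed_cfn_client(role_arn, region="us-east-1"):
    """Return a CloudFormation client backed by short-lived role credentials."""
    import boto3  # imported lazily so promote() can be exercised offline
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="cfn-promote", DurationSeconds=900
    )["Credentials"]
    return boto3.client(
        "cloudformation", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def update_and_wait(cfn, stack_name, template_body):
    """Update one stack and block until CloudFormation reports completion."""
    try:
        cfn.update_stack(StackName=stack_name, TemplateBody=template_body,
                         Capabilities=["CAPABILITY_NAMED_IAM"])
    except Exception as err:
        # An unchanged template is rejected with this message; treat as done.
        if "No updates are to be performed" not in str(err):
            raise
        return
    # The waiter raises if the update rolls back, which aborts the promotion.
    cfn.get_waiter("stack_update_complete").wait(StackName=stack_name)


def promote(stack_name, template_body, validate, stages=STAGES,
            client_for=assumed_cfn_client):
    """Deploy stage by stage; return the stages that updated and validated.

    validate(stage_name, cfn) -> bool is the caller's gate (hypothetical hook).
    """
    promoted = []
    for name, role_arn in stages:
        cfn = client_for(role_arn)
        update_and_wait(cfn, stack_name, template_body)
        if not validate(name, cfn):
            break  # later accounts are never touched
        promoted.append(name)
    return promoted
```

Scoping each `CfnDeployRole` trust policy to the pipeline's principal keeps a failed or compromised DEVO run from reaching the Production account.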
1 Answer
Accepted Answer

Yup, for now you can only attach a single template to a StackSet -- when you check a new template in, it will begin pushing out to the accounts and only stop if you cross your fault tolerance threshold.

The most common approach I've seen with the current tools available is CodePipeline chaining -- trigger the pipeline in DEVO, when it completes successfully use a custom action to copy the template into a bucket in the next account, similar to this model: https://aws.amazon.com/blogs/devops/building-a-cross-regioncross-account-code-deployment-solution-on-aws/

I've had several customers ask for more complex deployment patterns for StackSets -- what would you prefer here?

answered 5 years ago
