AppConfig and Multiple Accounts

Question

Our application is deployed across multiple AWS accounts, and completely using Cloudformation. So, we update our code, push to Git, this triggers a build, and then a package and deploy using the AWS CLI to one of 3 accounts depending on the environment.

It's unclear how this workflow will work with AppConfig, which doesn't seem to be able to support multiple account access. I've considered a couple of different approaches:

1. Have a separate account with the configuration information for ALL accounts. Unfortunately, unless we have a separate role in the configuration account for AppConfig access, there does not appear to be a way for an application to get configuration data from a different account, so this approach doesn't seem feasible.
2. Have a separate AppConfig::Application for each account, and each will just have a single environment. This is created via our Cloudformation deploy process, and we'll just manage and deploy configurations on an account by account basis (possibly using a separate Git repo to house the configuration data and push to each account in an automated way on commit).

Are there any other options? This seems more difficult than it should be, as AWS often suggests using separate accounts for different stages of deploy for security reasons.

Answer

In my opinion you should deploy AppConfig on each account the same as you are deploying every other resource because of exactly the same reasons :)

Basically, if you are separating the accounts to safely deploy applications in isolation, then the same should be done with config. You should not be able to break production editing config for dev what can happen if you are managing it in one AppConfig.

Answer

We just implemented this and this blog post will get you there: https://aws.amazon.com/blogs/mt/cross-account-configuration-with-aws-appconfig/

AppConfig and Multiple Accounts

Relevant content