Cloudformation-coverage-roadmap: Transform Support for Cloudformation Stacksets

Created on 7 Oct 2019 · 8 Comments · Source: aws-cloudformation/cloudformation-coverage-roadmap

Title -> SAM support for Cloudformation Stacksets
Scope of request -> CloudFormation Stacksets should be able to support templates
Expected behavior -> It should allow the definition of a transform in the stackset template or convert it to normal Cloudformation stack in the backend.

enhancement

All 8 comments

I've been thinking about this today, some notes:

  • Supporting any transform would be great, but can be challenging
  • The transform would need to either run in the StackSet account or the StackInstance account. For most SAM resources this will not make a difference.
  • caveat/exception: AWS::Serverless::Application, where the transform needs permission to see the application and the StackInstance needs to be able to read the template from S3.
  • caveat/exception: every upload to an S3 bucket needs to be readable by all the StackInstances. This should be solvable by using the organization id in a bucket policy, but might lead to errors that are not immediately obvious when the user forgets to do this.

Now with the new Organization support this is something that I would really appreciate.

There is a current workaround supporting this use-case, by using nested stacks

Example https://s3.amazonaws.com/my-s3-bucket/stackset-spike/serverless-transform-stack.yml:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Create pipeline-dashboard application.
Resources:
  mechanicalrockpipelinedashboard:
    Type: AWS::Serverless::Application
    Properties:
      Location:
        ApplicationId: arn:aws:serverlessrepo:us-east-1:611781478414:applications/mechanicalrock-pipeline-dashboard
        SemanticVersion: 1.0.3
      Parameters:
        PipelinePattern: '*'

Deploy your stack set template:

Resources:
  serverlessTemplate:
    Type: AWS::CloudFormation::Stack
    Properties: 
      TemplateURL: "https://s3.amazonaws.com/my-s3-bucket/stackset-spike/serverless-transform-stack.yml"

Things of note:

  • Target accounts need access to the s3 bucket containing your nested stack reference.
  • The stack set deployment results in multiple nested stacks (as expected) meaning there's a possibility of confusion/maintenance burden
  • Complicates your CICD flow as you need to package/distribute/generate your indirection template

@temyers could you please specify how you enabled cross-account s3 access to the bucket?
I have created a role in the parent account providing the child account ID s3:* on the bucket

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ChildAccountId:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

but still get an Access Denied

@jaidisido did you allow cross-account access on the bucket itself? You need to enable cross-account access via bucket policy. The bucket itself is not going to support cross-account access natively.

For the purposes of the demonstration above, the bucket was publicly readable.

For real-world usage, a bucket policy is required to grant cross-account access
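The bucket policy the workaround depends on (the first comment's note about using the organization ID in a bucket policy, and the "target accounts need access to the S3 bucket" caveat above) can be made concrete. CloudFormation in each target account fetches the nested TemplateURL using that account's stack set execution role, so it is the template bucket's policy, not a role trust policy in the parent account, that has to allow the read. The following is an added example, not code from the thread or from AWS: it builds a bucket policy that scopes s3:GetObject on the template prefix to principals in one AWS Organization via the aws:PrincipalOrgID condition key, and it audits a policy document for the pattern used in the demo (an Allow to an anonymous principal with no principal-scoping condition). The bucket name my-s3-bucket and the stackset-spike/ prefix come from the thread; the organization ID o-exampleorgid and the PUBLIC_DEMO_POLICY document are constructed for the example.

```python
"""Build and audit S3 bucket policies for StackSet nested-stack templates (added example)."""
import json

# Constructed sample policy, assumed to resemble the world-readable demo bucket
# mentioned in the thread; it is not the bucket policy anyone in the thread posted.
PUBLIC_DEMO_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadForDemo",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-s3-bucket/*",
        }
    ],
}

# Actions that let a principal read template objects.
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}

# Condition keys that tie an Allow to a specific org, account or principal,
# so a Principal of "*" is no longer anonymous access.
PRINCIPAL_SCOPING_KEYS = {
    "aws:principalorgid",
    "aws:principalorgpaths",
    "aws:principalaccount",
    "aws:principalarn",
}


def org_scoped_template_bucket_policy(bucket, org_id, prefix="stackset-spike/"):
    """Bucket policy: any principal in the organization may read objects under prefix.

    org_id is assumed to look like "o-exampleorgid"; prefix is the key prefix
    that holds the nested-stack templates referenced by TemplateURL.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOrgReadOfNestedTemplates",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            }
        ],
    }


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (optionally inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _has_principal_scoping_condition(statement):
    """True if any condition key restricts which org/account/principal matches."""
    for operator_block in statement.get("Condition", {}).values():
        for key in operator_block:
            if key.lower() in PRINCIPAL_SCOPING_KEYS:
                return True
    return False


def public_read_statements(policy):
    """Return Sids (or positional names) of statements that grant anonymous object read."""
    flagged = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(statement.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        if _has_principal_scoping_condition(statement):
            continue
        flagged.append(statement.get("Sid", f"Statement[{index}]"))
    return flagged


if __name__ == "__main__":
    policy = org_scoped_template_bucket_policy("my-s3-bucket", "o-exampleorgid")
    print(json.dumps(policy, indent=2))
    print("public read in demo policy:", public_read_statements(PUBLIC_DEMO_POLICY))
    print("public read in org-scoped policy:", public_read_statements(policy))
```

Two points the audit does not cover: the execution role in each target account still needs s3:GetObject in its own identity policy (the default stack set execution role has it), and an org-scoped bucket policy only helps if every target account is actually in that organization; a StackSet targeting accounts outside the org needs explicit account principals instead.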

Any update on this? Still cannot find an easy way to deploy stacksets with transforms across multiple accounts/regions all integrated with Codepipeline.
