The Mappings section of a CloudFormation template matches a key to a corresponding set of named values, which the rest of the template reads with Fn::FindInMap. For example, a mapping keyed on the AWS region name can hold the values that should apply wherever the template happens to be deployed. This is particularly useful for AMIs: an AMI ID is only valid in the region where the image was registered, so a template deployed to several regions needs a different ImageId in each, and a region-keyed mapping supplies it without editing the template per region. The same mechanism serves any other per-region variation, such as settings that differ for disaster-recovery or compliance reasons.
AWS CloudFormation StackSets extend the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation. Using an administrator account, you define and manage an AWS CloudFormation template, and use the template as the basis for provisioning stacks into selected target accounts across specified regions. For example, you can easily establish a global AWS CloudTrail or AWS Config policy across multiple accounts with a single StackSet operation. You can also use StackSets to deploy resources in a single account across multiple regions.
In this lab, we will deploy a CloudFormation template that provisions an EC2 instance running a simple web server, so that correct deployment to each region can be verified by browsing to the instance. A mapping selects the correct Amazon Linux 2 AMI for each region, and a StackSet controls which AWS regions the template is deployed to.
For simplicity, one account serves as both the administrator account and the target account, but StackSets work the same way across multiple accounts. Review the Prerequisites: Granting Permissions for Stack Set Operations page for how to configure the two roles required for self-managed StackSets across accounts: an administration role in the administrator account and an execution role in every target account.
First we will deploy a single stack (not a complete StackSet) to our test account.
This template deploys IAM resources, which are global to the account. Deploying the same stack to several regions through a StackSet would fail, because the second region would try to create roles whose names already exist.
File name | Purpose | Download
---|---|---
mapping_stacksets_iam.yml | Creates the CloudFormation stack that provisions the two StackSet IAM roles | Download the template
Create a stack from this template, name it mapping-stacksets-iam, supply your 12-digit account ID for the AccountID parameter, and acknowledge the prompt that the template creates named IAM resources. Then examine the template: it is a small nested template that invokes two AWS-provided YAML templates to create the StackSet administration and execution roles in your account. Both are AWS-managed sample templates that you can download and read. Two caveats for anything beyond a lab: the sample execution role is attached to the AdministratorAccess managed policy, far broader than a production StackSet needs, so scope it down to the resources your templates actually create; and the nested templates are fetched from a public AWS bucket at deploy time, so copy them into a bucket you control and review them before relying on them.
```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Deploys the two AWS-provided sample templates that create the
  AWSCloudFormationStackSetAdministrationRole and
  AWSCloudFormationStackSetExecutionRole roles required for self-managed StackSets.
Parameters:
  AccountID:
    Type: String
    Description: Your AWS Account ID (the StackSet administrator account)
    MinLength: 12
    MaxLength: 12
    # Not in the lab's template: uncomment to also reject anything that is not 12 digits
    # AllowedPattern: '^[0-9]{12}$'
Resources:
  # Administration role: assumed by CloudFormation in this account to run StackSet
  # operations; it is allowed to assume the execution role in each target account.
  AWSCloudFormationStackSetAdministrationRole:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetAdministrationRole.yml
      TimeoutInMinutes: 3
  # Execution role: created in the target account (here the same account) and
  # trusting the administrator account passed in as AdministratorAccountId.
  AWSCloudFormationStackSetExecutionRole:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetExecutionRole.yml
      TimeoutInMinutes: 3
      Parameters:
        AdministratorAccountId: !Ref 'AccountID'
```
The EC2 template deploys its resources into the default VPC of each selected region, so choose only regions that still have a default VPC.
Now we will create an actual StackSet - though only in this single account. The mechanism is identical whether we deploy to the same account and region, or to multiple accounts and regions.
File name | Purpose | Download
---|---|---
mapping_stacksets_ec2.yml | Creates the StackSet that deploys the web server instance to each selected region | Download the template
Give the StackSet a name (for example mapping-stacksets-ec2), and enter a source CIDR range that makes sense for you (or keep the default, but only if you understand the risk of leaving an EC2 instance's web server open to the entire Internet). Exposing these services publicly without fully understanding the exposure is not recommended outside a lab environment.
This next page may look slightly different if your AWS account is part of an existing AWS Organization. If it offers a choice between Service-managed permissions and Self-service permissions, select Self-service permissions: the service-managed model relies on Organizations trusted access, whereas this lab uses the administration and execution roles created by the first stack.
Open the StackSet template and notice its Mappings section, which selects the correct Amazon Linux 2 AMI for the region each stack instance is deployed to. The IDs below were current when the lab was written; Amazon Linux 2 AMIs are republished regularly, so before reusing the template refresh the mapping or replace it with a deploy-time lookup of the public SSM parameter /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 (a parameter of type AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>).
```yaml
Mappings:
  # Amazon Linux 2 AMI IDs per AWS Region (a snapshot taken when the lab was written).
  # Each stack instance of the StackSet resolves its own region's entry with
  # !FindInMap [RegionMap, !Ref 'AWS::Region', AMI], so one template serves every region.
  RegionMap:
    us-east-1:
      AMI: ami-04681a1dbd79675a5
    us-east-2:
      AMI: ami-0cf31d971a3ca20d6
    us-west-1:
      AMI: ami-0782017a917e973e7
    us-west-2:
      AMI: ami-6cd6f714
    ap-south-1:
      AMI: ami-00b6a8a2bd28daf19
    ap-northeast-3:
      AMI: ami-00f7ef6bf92e8f916
    ap-northeast-2:
      AMI: ami-012566705322e9a8e
    ap-southeast-1:
      AMI: ami-01da99628f381e50a
    ap-southeast-2:
      AMI: ami-00e17d1165b9dd3ec
    ap-northeast-1:
      AMI: ami-08847abae18baa040
    ca-central-1:
      AMI: ami-ce1b96aa
    eu-central-1:
      AMI: ami-0f5dbc86dd9cbf7a8
    eu-west-1:
      AMI: ami-0bdb1d6c15a40392c
    eu-west-2:
      AMI: ami-e1768386
    eu-west-3:
      AMI: ami-06340c8c12baa6a09
    sa-east-1:
      AMI: ami-0ad7b0031d41ed4b9
```
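The StackSet creation steps above can also be scripted, and scripting makes one failure mode of the RegionMap easy to catch up front: a stack instance in a region the mapping does not cover fails with a "Unable to get mapping for RegionMap::<region>::AMI" template error. The following is an added example, not part of the lab or of AWS's own material. It is a POSIX shell script that reads the RegionMap out of the template, refuses to deploy to any region the mapping lacks, and then creates the StackSet and its stack instances with the AWS CLI using the self-managed administration and execution roles the first stack created. It assumes a configured AWS CLI in the administrator account, that the template's CIDR parameter is named AllowedCIDR (an assumption; check the real parameter name in the template), and that the mapping keeps the layout shown above. The small template written by write_sample_template is constructed for offline testing and is not the lab's file.

```shell
#!/bin/sh
# Added example, not part of the lab: drive the StackSet deployment from the AWS CLI
# and check first that every target region has an entry in the template's RegionMap.
# A region absent from the mapping fails at deploy time with
# "Template error: Unable to get mapping for RegionMap::<region>::AMI".
set -eu

TEMPLATE_FILE="${TEMPLATE_FILE:-mapping_stacksets_ec2.yml}"   # the lab's StackSet template
STACK_SET_NAME="${STACK_SET_NAME:-mapping-stacksets-ec2}"
CIDR_PARAM_NAME="${CIDR_PARAM_NAME:-AllowedCIDR}"   # assumed name; check the template's Parameters
ALLOWED_CIDR="${ALLOWED_CIDR:-203.0.113.0/24}"      # placeholder range; never default to 0.0.0.0/0

# Print the region keys of the two-level RegionMap (region line, "AMI: ..." beneath it).
mapping_regions() {
  awk '
    /^Mappings:/                 { in_map = 1; next }
    in_map && /^[A-Za-z]/        { in_map = 0; in_rm = 0 }   # next top-level section
    in_map && /^  RegionMap:/    { in_rm = 1; next }
    in_map && /^  [A-Za-z]/      { in_rm = 0 }               # a different mapping begins
    in_rm && /^    [a-z0-9-]+:/  { sub(/^ +/, ""); sub(/:.*/, ""); print }
  ' "$1"
}

# Succeed only if every requested region is present in the mapping.
# Usage: check_regions_covered <template> <region>...
check_regions_covered() {
  local template known missing r
  template="$1"; shift
  known=" $(mapping_regions "$template" | tr '\n' ' ')"
  missing=""
  for r in "$@"; do
    case "$known" in
      *" $r "*) ;;
      *) missing="$missing $r" ;;
    esac
  done
  if [ -n "$missing" ]; then
    echo "regions missing from RegionMap:$missing" >&2
    return 1
  fi
  echo "all $# requested regions are present in RegionMap"
}

# Create the StackSet with self-managed permissions (the two roles created by the
# first stack in this lab) and fan stack instances out to the target regions.
# Usage: deploy_stackset <account-id> <region>...
deploy_stackset() {
  local account_id op_id status
  account_id="$1"; shift
  check_regions_covered "$TEMPLATE_FILE" "$@"
  aws cloudformation create-stack-set \
    --stack-set-name "$STACK_SET_NAME" \
    --template-body "file://$TEMPLATE_FILE" \
    --permission-model SELF_MANAGED \
    --administration-role-arn "arn:aws:iam::${account_id}:role/AWSCloudFormationStackSetAdministrationRole" \
    --execution-role-name AWSCloudFormationStackSetExecutionRole \
    --parameters "ParameterKey=${CIDR_PARAM_NAME},ParameterValue=${ALLOWED_CIDR}"
  op_id=$(aws cloudformation create-stack-instances \
    --stack-set-name "$STACK_SET_NAME" \
    --accounts "$account_id" \
    --regions "$@" \
    --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=3 \
    --query OperationId --output text)
  status=RUNNING
  while [ "$status" = RUNNING ] || [ "$status" = QUEUED ]; do
    sleep 15
    status=$(aws cloudformation describe-stack-set-operation \
      --stack-set-name "$STACK_SET_NAME" --operation-id "$op_id" \
      --query StackSetOperation.Status --output text)
  done
  echo "operation $op_id finished: $status"
  # Per-region result; a failed instance shows Status OUTDATED with a StatusReason.
  aws cloudformation list-stack-instances --stack-set-name "$STACK_SET_NAME" \
    --query 'Summaries[].[Region,Status,StatusReason]' --output table
}

# Constructed sample (not the lab's file): the RegionMap cut down to two regions so
# the coverage check can be exercised offline. Prints the temp file's path.
write_sample_template() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
AWSTemplateFormatVersion: '2010-09-09'
Mappings:
  RegionMap:
    us-east-1:
      AMI: ami-04681a1dbd79675a5
    eu-west-1:
      AMI: ami-0bdb1d6c15a40392c
Resources:
  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !FindInMap [RegionMap, !Ref 'AWS::Region', AMI]
      InstanceType: t2.micro
EOF
  echo "$f"
}

case "${1:-}" in
  check)  shift; check_regions_covered "$TEMPLATE_FILE" "$@" ;;   # check <region>...
  deploy) shift; deploy_stackset "$@" ;;                          # deploy <account-id> <region>...
  *)      : ;;   # no command: only define the functions (for example when sourced)
esac
```

Run `sh stackset.sh check us-east-1 eu-north-1` against the lab template to see the coverage check reject eu-north-1 before anything is created; `sh stackset.sh deploy 123456789012 us-east-1 eu-west-1` performs the actual deployment. FailureToleranceCount=0 makes CloudFormation stop the operation at the first failing region rather than continuing to roll out a broken template elsewhere.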