community.aws.cloudformation_stack_set module – Manage groups of CloudFormation stacks
Note
This module is part of the community.aws collection (version 9.0.0-dev0).
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.aws.
You need further requirements to be able to use this module, see Requirements for details.
To use it in a playbook, specify: community.aws.cloudformation_stack_set.
New in community.aws 1.0.0
Synopsis
Launches/updates/deletes AWS CloudFormation Stack Sets.
Requirements
The below requirements are needed on the host that executes this module.
python >= 3.6
boto3 >= 1.28.0
botocore >= 1.31.0
Parameters
Parameter |
Comments |
---|---|
AWS access key ID. See the AWS documentation for more information about access tokens https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys. The aws_access_key and profile options are mutually exclusive. The aws_access_key_id alias was added in release 5.1.0 for consistency with the AWS botocore SDK. The ec2_access_key alias has been deprecated and will be removed in a release after 2024-12-01. Support for the |
|
A list of AWS accounts in which to create instances of CloudFormation stacks. At least one region must be specified to create a stack set. On updates, if fewer regions are specified only the specified regions will have their stack instances updated. |
|
ARN of the administration role, meaning the role that CloudFormation Stack Sets use to assume the roles in your child accounts. This defaults to |
|
The location of a CA Bundle to use when validating SSL certificates. The |
|
A dictionary to modify the botocore configuration. Parameters can be found in the AWS documentation https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config. |
|
Capabilities allow stacks to create and modify IAM resources, which may include adding users or roles. Currently the only available values are ‘CAPABILITY_IAM’ and ‘CAPABILITY_NAMED_IAM’. Either or both may be provided. The following resources require that one or both of these parameters is specified: AWS::IAM::AccessKey, AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User, AWS::IAM::UserToGroupAddition Choices:
|
|
Use a The Choices:
|
|
A description of what this stack set creates. |
|
URL to connect to instead of the default AWS endpoints. While this can be used to connect to other AWS-compatible services, the amazon.aws and community.aws collections are only tested against AWS. The ec2_url and s3_url aliases have been deprecated and will be removed in a release after 2024-12-01. Support for the |
|
Name of the execution role, meaning the role that CloudFormation Stack Sets assumes in your child accounts. This MUST NOT be an ARN, and the roles must exist in each child account specified. The default name for the execution role is |
|
Settings to change what is considered “failed” when running stack instance updates, and how many to do at a time. Default: |
|
The number of accounts, per region, for which this operation can fail before CloudFormation stops the operation in that region. You must specify one of fail_count and fail_percentage. |
|
The percentage of accounts, per region, for which this stack operation can fail before CloudFormation stops the operation in that region. You must specify one of fail_count and fail_percentage. |
|
The maximum number of accounts in which to perform this operation at one time. parallel_count may be at most one more than the fail_count. You must specify one of parallel_count and parallel_percentage. Note that this setting lets you specify the maximum for operations. For large deployments, under certain circumstances the actual count may be lower. |
|
The maximum percentage of accounts in which to perform this operation at one time. You must specify one of parallel_count and parallel_percentage. Note that this setting lets you specify the maximum for operations. For large deployments, under certain circumstances the actual percentage may be lower. |
|
Name of the CloudFormation stack set. |
|
A list of hashes of all the template variables for the stack. The value can be a string or a dict. Dict can be used to set additional template parameter attributes like UsePreviousValue (see example). Default: |
|
A named AWS profile to use for authentication. See the AWS documentation for more information about named profiles https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html. The profile option is mutually exclusive with the aws_access_key, aws_secret_key and security_token options. |
|
Only applicable when state=absent. Sets whether, when deleting a stack set, the stack instances should also be deleted. By default, instances will be deleted. To keep stacks when stack set is deleted set purge_stacks=false. Choices:
|
|
The AWS region to use. For global services such as IAM, Route53 and CloudFront, region is ignored. See the Amazon AWS documentation for more information http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region. Support for the |
|
A list of AWS regions to create instances of a stack in. The region parameter chooses where the Stack Set is created, and regions specifies the region for stack instances. At least one region must be specified to create a stack set. On updates, if fewer regions are specified only the specified regions will have their stack instances updated. |
|
AWS secret access key. See the AWS documentation for more information about access tokens https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys. The secret_key and profile options are mutually exclusive. The aws_secret_access_key alias was added in release 5.1.0 for consistency with the AWS botocore SDK. The ec2_secret_key alias has been deprecated and will be removed in a release after 2024-12-01. Support for the |
|
AWS STS session token for use with temporary credentials. See the AWS documentation for more information about access tokens https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys. The security_token and profile options are mutually exclusive. Aliases aws_session_token and session_token were added in release 3.2.0, with the parameter being renamed from security_token to session_token in release 6.0.0. The security_token, aws_security_token, and access_token aliases have been deprecated and will be removed in a release after 2024-12-01. Support for the |
|
If state=present, stack will be created. If state=present and if stack exists and template has changed, it will be updated. If state=absent, stack will be removed. Choices:
|
|
Dictionary of tags to associate with stack and its resources during stack creation. Can be updated later; updating tags removes previous entries. |
|
The local path of the CloudFormation template. This must be the full path to the file, relative to the working directory. If using roles this may look like If state=present and the stack does not exist yet, either template, template_body or template_url must be specified (but only one of them). If state=present, the stack does exist, and neither template, template_body nor template_url are specified, the previous template will be reused. |
|
Template body. Use this to pass in the actual body of the CloudFormation template. If state=present and the stack does not exist yet, either template, template_body or template_url must be specified (but only one of them). If state=present, the stack does exist, and neither template, template_body nor template_url are specified, the previous template will be reused. |
|
Location of file containing the template body. The URL must point to a template (max size 307,200 bytes) located in an S3 bucket in the same region as the stack. If state=present and the stack does not exist yet, either template, template_body or template_url must be specified (but only one of them). If state=present, the stack does exist, and neither template, template_body nor template_url are specified, the previous template will be reused. |
|
When set to Setting validate_certs=false is strongly discouraged; as an alternative, consider setting aws_ca_bundle instead. Choices:
|
|
Whether or not to wait for stack operation to complete. This includes waiting for stack instances to reach UPDATE_COMPLETE status. If you choose not to wait, this module will not notify when stack operations fail because it will not wait for them to finish. Choices:
|
|
How long to wait (in seconds) for stacks to complete create/update/delete operations. Default: |
Notes
Note
To make an individual stack, you want the amazon.aws.cloudformation module.
Caution: For modules, environment variables and configuration files are read from the Ansible ‘host’ context and not the ‘controller’ context. As such, files may need to be explicitly copied to the ‘host’. For lookup and connection plugins, environment variables and configuration files are read from the Ansible ‘controller’ context and not the ‘host’ context.
The AWS SDK (boto3) that Ansible uses may also read defaults for credentials and other settings, such as the region, from its configuration files in the Ansible ‘host’ context (typically ~/.aws/credentials). See https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html for more information.
Examples
- name: Create a stack set with instances in two accounts
  community.aws.cloudformation_stack_set:
    name: my-stack
    description: Test stack in two accounts
    state: present
    template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template
    accounts:
      - 123456789012
      - 234567890123
    regions:
      - us-east-1

- name: on subsequent calls, templates are optional but parameters and tags can be altered
  community.aws.cloudformation_stack_set:
    name: my-stack
    state: present
    parameters:
      InstanceName: my_stacked_instance
    tags:
      foo: bar
      test: stack
    accounts:
      - 123456789012
      - 234567890123
    regions:
      - us-east-1

- name: The same type of update, but wait for the update to complete in all stacks
  community.aws.cloudformation_stack_set:
    name: my-stack
    state: present
    wait: true
    parameters:
      InstanceName: my_restacked_instance
    tags:
      foo: bar
      test: stack
    accounts:
      - 123456789012
      - 234567890123
    regions:
      - us-east-1

- name: Register new accounts (create new stack instances) with an existing stack set.
  community.aws.cloudformation_stack_set:
    name: my-stack
    state: present
    wait: true
    parameters:
      InstanceName: my_restacked_instance
    tags:
      foo: bar
      test: stack
    accounts:
      - 123456789012
      - 234567890123
      - 345678901234
    regions:
      - us-east-1
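
The tasks below are an added example, not part of the module's own documentation. They combine the role, capability, failure-tolerance and wait options described under Parameters into one conservative rollout, followed by a deletion that keeps the deployed stacks. The profile name, administration role ARN and execution role name are constructed placeholders, and the roles are assumed to exist already.

```yaml
# Added example. stackset-admin, StackSetAdminRole and StackSetExecRole are
# constructed placeholder names; replace them with your own.
- name: Deploy a stack set with explicit roles and a conservative rollout
  community.aws.cloudformation_stack_set:
    name: my-stack
    description: Stack set that creates named IAM resources in two accounts
    state: present
    profile: stackset-admin        # named profile instead of inline access keys
    template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template
    # Grant only the capability the template needs; this example assumes it
    # creates IAM resources with custom names.
    capabilities:
      - CAPABILITY_NAMED_IAM
    # Role that CloudFormation Stack Sets uses to assume the child-account roles (an ARN).
    administration_role_arn: arn:aws:iam::123456789012:role/StackSetAdminRole
    # Role assumed in each child account: a role NAME, never an ARN.
    # It must already exist in every account listed below.
    execution_role_name: StackSetExecRole
    accounts:                      # quoted so IDs are always treated as strings
      - "123456789012"
      - "234567890123"
    regions:
      - us-east-1
    failure_tolerance:
      fail_count: 0                # stop a region on the first failed account
      parallel_count: 1            # may be at most fail_count + 1
    wait: true                     # without wait, failed operations go unreported
    wait_timeout: 900
  register: stack_set_result

- name: Delete the stack set but keep the stacks it deployed
  community.aws.cloudformation_stack_set:
    name: my-stack
    state: absent
    profile: stackset-admin
    purge_stacks: false            # only applies when state=absent
    accounts:
      - "123456789012"
      - "234567890123"
    regions:
      - us-east-1
    wait: true
```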
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
All operations initiated by this run of the cloudformation_stack_set module Returned: always Sample: |
|
Most recent events in CloudFormation’s event log. This may be from a previous run in some cases. Returned: always Sample: |
|
CloudFormation stack instances that are members of this stack set. This will also include their region and account ID. Returned: state == present Sample: |
|
Facts about the currently deployed stack set, its parameters, and its tags Returned: state == present Sample: |