Hello, I am a little rusty on CloudFormation, but I am working on deploying a StackSet across 15 accounts and multiple regions. I have tested in one region, but when I add another it bombs out. The reason is that I have IAM roles that my Lambda from a central account will assume. The child roles deploy in us-east-1 in each account, but when it hits another region the template fails because IAM is global. I have been looking over Conditions to see how to leverage them, but it is a little confusing. Any assistance or ideas?
CodePudding user response:
There are two ways that you can handle this:
- Create a single role and provide the ARN of that role to the stacks that need it (via parameter or import). This means that you have two things to maintain.
- Create the role alongside the things that use that role, and add a region identifier to the role name.
Of these, I much prefer option #2. Here's an example for a Lambda execution role (LambdaName is a stack parameter). Note that I also include the stack name: I like to have everything from the same stack listed together.

    !Sub "${AWS::StackName}-${AWS::Region}-${LambdaName}-ExecutionRole"

The problem with detailed role names like this is that role names have a maximum length of 64 characters. So, I might omit LambdaName to keep below this limit (especially in stacks that create a single Lambda, where I typically use AWS::StackName for the Lambda's name).
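As an added illustration of option #2 (this is example code, not the answerer's template), the following template creates the execution role with the region baked into its name and a Lambda that uses it in the same stack. Because both resources live in the same stack and region, `!GetAtt` on the role works; the region suffix is what lets the identical template be deployed to several regions of one account without the global IAM name colliding. The parameter default, the function name and the inline handler are placeholders chosen for this example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: Lambda execution role whose name carries the region so the
  same template can be deployed to multiple regions of one account.

Parameters:
  LambdaName:
    Type: String
    Default: example-worker   # placeholder value chosen for this example

Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      # Stack name + region + Lambda name. IAM is global, so the region part is
      # what keeps one role per region from clashing. Keep the result <= 64 chars.
      RoleName: !Sub "${AWS::StackName}-${AWS::Region}-${LambdaName}-ExecutionRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs write access only; add least-privilege inline policies as needed
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  Function:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Ref LambdaName
      Runtime: python3.12
      Handler: index.handler
      # Same stack, same region: referencing the role directly is safe here.
      Role: !GetAtt ExecutionRole.Arn
      Code:
        ZipFile: |
          def handler(event, context):
              # Report which region this copy of the function runs in
              return {"region": context.invoked_function_arn.split(":")[3]}
```

Deploying this as a StackSet with two target regions yields two roles per account (one per region suffix) and two functions, which is exactly the duplication the other answer below avoids with a condition.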
CodePudding user response:
The easiest way to handle this in my opinion, and only have to use one stack, is using CloudFormation 'Conditions'. I was able to create the necessary IAM roles in the target account that I need. These child roles my Lambda functions will assume when going through each account and region. Also, it doesn't create two roles for each region as in the previous response. That method works, but I only need one role. Here is an example. This method allows my global resources to be created once and other items to duplicate as needed for each region.

    Conditions:
      RegionCheck: !Equals
        - !Ref "AWS::Region"
        - us-east-1

    Resources:
      ApprovedUntilDatePatchBaselineCrossAccountRole:
        Type: 'AWS::IAM::Role'
        Condition: RegionCheck
        Properties:
          RoleName: approved-until-date-patchbaseline-cross-account-role
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  AWS:
                    - arn:aws:iam::/etc
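The following complete template is an added example (not the answerer's own template) of the Conditions approach: the cross-account role is created only in the home region of each account, while a regional resource is still created in every region and refers to the role by a constructed ARN. The caveat this shows is that a `!Ref` or `!GetAtt` to a resource whose Condition is false fails in the regions where the role does not exist, so the ARN is built from the fixed role name and `AWS::AccountId` instead. The parameter names, the role name, the SSM parameter path and the `HomeRegion` default are assumptions for this example; the trust policy also pins the caller with an external ID, which is a common defence against confused-deputy use of a cross-account role.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: global IAM role created once per account (home region only),
  regional resources created everywhere and referencing it by constructed ARN.

Parameters:
  CentralAccountId:
    Type: String
    Description: Account hosting the Lambda that assumes this role (placeholder)
    AllowedPattern: "^[0-9]{12}$"
  ExternalId:
    Type: String
    Description: Secret the central Lambda must present when assuming the role
    NoEcho: true
    MinLength: 16
  HomeRegion:
    Type: String
    Default: us-east-1   # the one region per account where IAM resources are created

Conditions:
  # True only in the region chosen to hold the account's global (IAM) resources
  IsHomeRegion: !Equals [!Ref "AWS::Region", !Ref HomeRegion]

Resources:
  CrossAccountRole:
    Type: AWS::IAM::Role
    Condition: IsHomeRegion
    Properties:
      # Fixed name (no region suffix): exactly one such role per account
      RoleName: example-cross-account-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${CentralAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      Policies:
        - PolicyName: read-only-example   # placeholder least-privilege policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ssm:DescribePatchBaselines
                  - ssm:GetPatchBaseline
                Resource: "*"

  # Created in every region. It must NOT use !GetAtt CrossAccountRole.Arn,
  # because that reference is unresolvable where IsHomeRegion is false.
  RoleArnParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /example/cross-account-role-arn
      Type: String
      Value: !Sub "arn:aws:iam::${AWS::AccountId}:role/example-cross-account-role"

Outputs:
  # Outputs can carry a Condition too, so this only appears in the home region
  CrossAccountRoleArn:
    Condition: IsHomeRegion
    Value: !GetAtt CrossAccountRole.Arn
```

Deploy this as one StackSet instance per account and region; per account the role is created once (in `HomeRegion`) and the SSM parameter once per region, and the central Lambda can read the parameter in whichever region it is working in to find the same role ARN.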