AWS Codepipeline deploy cloudformation to Dev account and use output stack to create Parameter store

Time:11-05

I want to build a cross-account CodePipeline. The CodePipeline stays in the Central account, so I assume a role into the DEV account and create the stack, but at the same time I want to create a Parameter Store parameter in the Central account from the stack output of the Dev account.

For example:

  1. The CodePipeline in the Central account will assume a role into the Dev account to deploy an S3 bucket.
  2. It will then use !GetAtt mydemo.DomainName to create a Parameter Store parameter in the Central account.

My whole pipeline will stay in the Central account and keep all Parameter Store values from the DEV account, so my CodeBuild projects and other CodePipelines can read the values.

So, any ideas for me?

# This S3 bucket will be deployed to the Dev account
Resources:
  DeployDevAccountBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: "dev-bucket"
      AccessControl: Private
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: "Enabled"

  # This Parameter Store parameter will be deployed to the Central account
  BucketNameParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "dev-account-s3-domainname"
      Type: String
      Value: !GetAtt DeployDevAccountBucket.DomainName


CodePudding user response:

You can't do this with CloudFormation (CFN) and a single stack. CFN is region and account specific, and does not support cross-account deployments.

You would have to re-architect your pipeline to use CFN StackSets, which requires you to split your template to different ones, depending on the account or region.

But probably the easiest way is to use CodeBuild where you explicitly assume cross-account roles to deploy stacks in different accounts.

CodePudding user response:

# This Parameter Store parameter will be deployed to the Central account

There isn't any way to use the AWS::SSM::Parameter resource within your dev account to create a parameter in a different account.

My whole pipeline will stay in the Central account and keep all Parameter Store values from the DEV account, so my CodeBuild projects and other CodePipelines can read the values

But, if the pipeline is in the central account, and you're using the CloudFormation action type in CodePipeline, you can still access stack outputs via CodePipeline CloudFormation Action Output Variables. A downstream pipeline task could put those outputs into a parameter in the Central account, where the pipeline is already running, or really in any account, via role assumption.

There is another method: you could define a custom cloudformation resource that would assume a role in a different account and manage the parameter there. You'd have to manage the roles and the lambda (or whatever implementation) for that resource all separately, though. I think the stack outputs approach is better.
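The following is an added example of the stack-outputs approach described above; it is not code from the question or from either answer. The dev-account template exposes the bucket's domain name as a stack output; the pipeline in the Central account deploys that template through a CloudFormation action with a `Namespace`, and a later CodeBuild action receives `#{DevStack.BucketDomainName}` as an environment variable and writes the SSM parameter with the Central account's own CodeBuild role, so no cross-account access is needed for the parameter write. All account IDs, role names, bucket names and the KMS key ID are placeholders.

```yaml
# --- dev-account-bucket.yaml: deployed INTO the DEV account by the pipeline ---
Resources:
  DeployDevAccountBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: dev-bucket                      # placeholder
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
Outputs:
  # Output names become the variable names available as #{<Namespace>.<OutputName>}
  BucketDomainName:
    Value: !GetAtt DeployDevAccountBucket.DomainName
---
# --- pipeline.yaml: deployed in the CENTRAL account ---
Parameters:
  DevAccountId:
    Type: String                                  # placeholder: the DEV account ID
Resources:
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      RoleArn: arn:aws:iam::111111111111:role/central-pipeline-role   # placeholder
      ArtifactStore:
        Type: S3
        Location: central-pipeline-artifacts      # placeholder; the DEV role must be able to read it
        EncryptionKey:
          Id: arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-ID  # CMK shared with DEV
          Type: KMS
      Stages:
        - Name: Source
          Actions:
            - Name: TemplateSource
              ActionTypeId: { Category: Source, Owner: AWS, Provider: S3, Version: "1" }
              OutputArtifacts:
                - Name: SourceOutput
              Configuration:
                S3Bucket: central-template-source   # placeholder
                S3ObjectKey: templates.zip          # placeholder, contains dev-account-bucket.yaml
                PollForSourceChanges: "false"
        - Name: DeployToDev
          Actions:
            - Name: DeployBucketStack
              Namespace: DevStack                   # required for output variables to exist
              ActionTypeId: { Category: Deploy, Owner: AWS, Provider: CloudFormation, Version: "1" }
              InputArtifacts:
                - Name: SourceOutput
              # Role in the DEV account that trusts the central pipeline role (placeholder)
              RoleArn: !Sub arn:aws:iam::${DevAccountId}:role/pipeline-cross-account-role
              Configuration:
                ActionMode: CREATE_UPDATE
                StackName: dev-account-bucket
                TemplatePath: SourceOutput::dev-account-bucket.yaml
                # CloudFormation service role in the DEV account (placeholder)
                RoleArn: !Sub arn:aws:iam::${DevAccountId}:role/cloudformation-deploy-role
        - Name: PublishOutputs
          Actions:
            - Name: WriteParameter
              ActionTypeId: { Category: Build, Owner: AWS, Provider: CodeBuild, Version: "1" }
              InputArtifacts:
                - Name: SourceOutput
              Configuration:
                ProjectName: !Ref WriteParameterProject
                # The stack output is resolved by CodePipeline before CodeBuild starts
                EnvironmentVariables: '[{"name":"DEV_BUCKET_DOMAIN","value":"#{DevStack.BucketDomainName}","type":"PLAINTEXT"}]'

  WriteParameterProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: write-dev-outputs-to-ssm
      # Placeholder; needs only ssm:PutParameter on the target parameter path in the CENTRAL account
      ServiceRole: arn:aws:iam::111111111111:role/central-codebuild-role
      Artifacts:
        Type: CODEPIPELINE
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:7.0
      Source:
        Type: CODEPIPELINE
        BuildSpec: |
          version: 0.2
          phases:
            build:
              commands:
                # Runs as the central CodeBuild role, so the parameter lands in the Central account
                - aws ssm put-parameter --name /dev-account/s3/domainname --type String --overwrite --value "$DEV_BUCKET_DOMAIN"
```

Two things have to be in place outside this template for it to run: the `pipeline-cross-account-role` in DEV must trust the central pipeline role and be allowed to pass `cloudformation-deploy-role` to CloudFormation, and the artifact bucket policy plus the KMS key policy must grant that DEV role read access, otherwise the deploy action fails before any output exists. Keeping the parameter write in the Central account's CodeBuild role, rather than giving the DEV role `ssm:PutParameter` in the Central account, keeps the cross-account permission to the single deploy action.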
