community / community.aws / 1.1.0 / module / cloudformation_stack_set Manage groups of CloudFormation stacks | "added in version" 1.0.0 of community.aws" Authors: Ryan Scott Brown (@ryansb)community.aws.cloudformation_stack_set (1.1.0) — module
Install with ansible-galaxy collection install community.aws:==1.1.0
collections: - name: community.aws version: 1.1.0
Launches/updates/deletes AWS CloudFormation Stack Sets.
- name: Create a stack set with instances in two accounts community.aws.cloudformation_stack_set: name: my-stack description: Test stack in two accounts state: present template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template accounts: [1234567890, 2345678901] regions: - us-east-1
- name: on subsequent calls, templates are optional but parameters and tags can be altered community.aws.cloudformation_stack_set: name: my-stack state: present parameters: InstanceName: my_stacked_instance tags: foo: bar test: stack accounts: [1234567890, 2345678901] regions: - us-east-1
- name: The same type of update, but wait for the update to complete in all stacks community.aws.cloudformation_stack_set: name: my-stack state: present wait: true parameters: InstanceName: my_restacked_instance tags: foo: bar test: stack accounts: [1234567890, 2345678901] regions: - us-east-1
name: description: - Name of the CloudFormation stack set. required: true type: str tags: description: - Dictionary of tags to associate with stack and its resources during stack creation. - Can be updated later, updating tags removes previous entries. type: dict wait: default: false description: - Whether or not to wait for stack operation to complete. This includes waiting for stack instances to reach UPDATE_COMPLETE status. - If you choose not to wait, this module will not notify when stack operations fail because it will not wait for them to finish. type: bool state: choices: - present - absent default: present description: - If I(state=present), stack will be created. If I(state=present) and if stack exists and template has changed, it will be updated. If I(state=absent), stack will be removed. type: str region: aliases: - aws_region - ec2_region description: - The AWS region to use. - For global services such as IAM, Route53 and CloudFront, I(region) is ignored. - The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used. - See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region). - The C(ec2_region) alias has been deprecated and will be removed in a release after 2024-12-01 - Support for the C(EC2_REGION) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str profile: aliases: - aws_profile description: - A named AWS profile to use for authentication. - See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html). - The C(AWS_PROFILE) environment variable may also be used. - The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key) and I(security_token) options. type: str regions: description: - A list of AWS regions to create instances of a stack in. The I(region) parameter chooses where the Stack Set is created, and I(regions) specifies the region for stack instances. - At least one region must be specified to create a stack set. On updates, if fewer regions are specified only the specified regions will have their stack instances updated. elements: str type: list accounts: description: - A list of AWS accounts in which to create instance of CloudFormation stacks. - At least one region must be specified to create a stack set. On updates, if fewer regions are specified only the specified regions will have their stack instances updated. elements: str type: list template: description: - The local path of the CloudFormation template. - This must be the full path to the file, relative to the working directory. If using roles this may look like C(roles/cloudformation/files/cloudformation-example.json). - If I(state=present) and the stack does not exist yet, either I(template), I(template_body) or I(template_url) must be specified (but only one of them). - If I(state=present), the stack does exist, and neither I(template), I(template_body) nor I(template_url) are specified, the previous template will be reused. type: path access_key: aliases: - aws_access_key_id - aws_access_key - ec2_access_key description: - AWS access key ID. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables may also be used in decreasing order of preference. - The I(aws_access_key) and I(profile) options are mutually exclusive. - The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the AWS botocore SDK. - The I(ec2_access_key) alias has been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str aws_config: description: - A dictionary to modify the botocore configuration. - Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config). type: dict parameters: default: {} description: - A list of hashes of all the template variables for the stack. The value can be a string or a dict. - Dict can be used to set additional template parameter attributes like UsePreviousValue (see example). type: dict secret_key: aliases: - aws_secret_access_key - aws_secret_key - ec2_secret_key description: - AWS secret access key. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment variables may also be used in decreasing order of preference. - The I(secret_key) and I(profile) options are mutually exclusive. - The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with the AWS botocore SDK. - The I(ec2_secret_key) alias has been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str description: description: - A description of what this stack set creates. type: str capabilities: choices: - CAPABILITY_IAM - CAPABILITY_NAMED_IAM description: - Capabilities allow stacks to create and modify IAM resources, which may include adding users or roles. - Currently the only available values are 'CAPABILITY_IAM' and 'CAPABILITY_NAMED_IAM'. Either or both may be provided. - 'The following resources require that one or both of these parameters is specified: AWS::IAM::AccessKey, AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User, AWS::IAM::UserToGroupAddition ' elements: str type: list endpoint_url: aliases: - ec2_url - aws_endpoint_url - s3_url description: - URL to connect to instead of the default AWS endpoints. While this can be used to connection to other AWS-compatible services the amazon.aws and community.aws collections are only tested against AWS. - The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing order of preference. - The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_URL) environment variable has been deprecated and will be removed in a release after 2024-12-01. type: str purge_stacks: default: true description: - Only applicable when I(state=absent). Sets whether, when deleting a stack set, the stack instances should also be deleted. - By default, instances will be deleted. To keep stacks when stack set is deleted set I(purge_stacks=false). type: bool template_url: description: - Location of file containing the template body. - The URL must point to a template (max size 307,200 bytes) located in an S3 bucket in the same region as the stack. - If I(state=present) and the stack does not exist yet, either I(template), I(template_body) or I(template_url) must be specified (but only one of them). - If I(state=present), the stack does exist, and neither I(template), I(template_body) nor I(template_url) are specified, the previous template will be reused. type: str wait_timeout: default: 900 description: - How long to wait (in seconds) for stacks to complete create/update/delete operations. type: int aws_ca_bundle: description: - The location of a CA Bundle to use when validating SSL certificates. - The C(AWS_CA_BUNDLE) environment variable may also be used. type: path session_token: aliases: - aws_session_token - security_token - aws_security_token - access_token description: - AWS STS session token for use with temporary credentials. - See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment variables may also be used in decreasing order of preference. - The I(security_token) and I(profile) options are mutually exclusive. - Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with the parameter being renamed from I(security_token) to I(session_token) in release 6.0.0. - The I(security_token), I(aws_security_token), and I(access_token) aliases have been deprecated and will be removed in a release after 2024-12-01. - Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables has been deprecated and will be removed in a release after 2024-12-01. type: str template_body: description: - Template body. Use this to pass in the actual body of the CloudFormation template. - If I(state=present) and the stack does not exist yet, either I(template), I(template_body) or I(template_url) must be specified (but only one of them). - If I(state=present), the stack does exist, and neither I(template), I(template_body) nor I(template_url) are specified, the previous template will be reused. type: str validate_certs: default: true description: - When set to C(false), SSL certificates will not be validated for communication with the AWS APIs. - Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider setting I(aws_ca_bundle) instead. type: bool failure_tolerance: description: - Settings to change what is considered "failed" when running stack instance updates, and how many to do at a time. suboptions: fail_count: description: - The number of accounts, per region, for which this operation can fail before CloudFormation stops the operation in that region. - You must specify one of I(fail_count) and I(fail_percentage). type: int fail_percentage: description: - The percentage of accounts, per region, for which this stack operation can fail before CloudFormation stops the operation in that region. - You must specify one of I(fail_count) and I(fail_percentage). type: int parallel_count: description: - The maximum number of accounts in which to perform this operation at one time. - I(parallel_count) may be at most one more than the I(fail_count). - You must specify one of I(parallel_count) and I(parallel_percentage). - Note that this setting lets you specify the maximum for operations. For large deployments, under certain circumstances the actual count may be lower. type: int parallel_percentage: description: - The maximum percentage of accounts in which to perform this operation at one time. - You must specify one of I(parallel_count) and I(parallel_percentage). - Note that this setting lets you specify the maximum for operations. For large deployments, under certain circumstances the actual percentage may be lower. type: int type: dict execution_role_name: aliases: - exec_role_name - exec_role - execution_role description: - ARN of the execution role, meaning the role that CloudFormation Stack Sets assumes in your child accounts. - This MUST NOT be an ARN, and the roles must exist in each child account specified. - The default name for the execution role is C(AWSCloudFormationStackSetExecutionRole) type: str administration_role_arn: aliases: - admin_role_arn - admin_role - administration_role description: - ARN of the administration role, meaning the role that CloudFormation Stack Sets use to assume the roles in your child accounts. - This defaults to C(arn:aws:iam::{{ account ID }}:role/AWSCloudFormationStackSetAdministrationRole) where C({{ account ID }}) is replaced with the account number of the current IAM role/user/STS credentials. type: str debug_botocore_endpoint_logs: default: false description: - Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action") API calls made during a task, outputing the set to the resource_actions key in the task results. Use the C(aws_resource_action) callback to output to total list made during a playbook. - The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used. type: bool
operations: description: All operations initiated by this run of the cloudformation_stack_set module returned: always sample: - action: CREATE administration_role_arn: arn:aws:iam::1234567890:role/AWSCloudFormationStackSetAdministrationRole creation_timestamp: '2018-06-18T17:40:46.372000+00:00' end_timestamp: '2018-06-18T17:41:24.560000+00:00' execution_role_name: AWSCloudFormationStackSetExecutionRole operation_id: Ansible-StackInstance-Create-0ff2af5b-251d-4fdb-8b89-1ee444eba8b8 operation_preferences: region_order: - us-east-1 - us-east-2 stack_set_id: TestStackPrime:19f3f684-aae9-4e67-ba36-e09f92cf5929 status: FAILED type: list operations_log: description: Most recent events in CloudFormation's event log. This may be from a previous run in some cases. returned: always sample: - action: CREATE creation_timestamp: '2018-06-18T17:40:46.372000+00:00' end_timestamp: '2018-06-18T17:41:24.560000+00:00' operation_id: Ansible-StackInstance-Create-0ff2af5b-251d-4fdb-8b89-1ee444eba8b8 stack_instances: - account: '1234567890' region: us-east-1 stack_set_id: TestStackPrime:19f3f684-aae9-4e67-ba36-e09f92cf5929 status: OUTDATED status_reason: Account 1234567890 should have 'AWSCloudFormationStackSetAdministrationRole' role with trust relationship to CloudFormation service. status: FAILED type: list stack_instances: description: CloudFormation stack instances that are members of this stack set. This will also include their region and account ID. returned: state == present sample: - account: '1234567890' region: us-east-1 stack_set_id: TestStackPrime:19f3f684-aae9-4e67-ba36-e09f92cf5929 status: OUTDATED status_reason: 'Account 1234567890 should have ''AWSCloudFormationStackSetAdministrationRole'' role with trust relationship to CloudFormation service. ' - account: '1234567890' region: us-east-2 stack_set_id: TestStackPrime:19f3f684-aae9-4e67-ba36-e09f92cf5929 status: OUTDATED status_reason: Cancelled since failure tolerance has exceeded type: list stack_set: description: Facts about the currently deployed stack set, its parameters, and its tags returned: state == present sample: administration_role_arn: arn:aws:iam::1234567890:role/AWSCloudFormationStackSetAdministrationRole capabilities: [] description: test stack PRIME execution_role_name: AWSCloudFormationStackSetExecutionRole parameters: [] stack_set_arn: arn:aws:cloudformation:us-east-1:1234567890:stackset/TestStackPrime:19f3f684-aae9-467-ba36-e09f92cf5929 stack_set_id: TestStackPrime:19f3f684-aae9-4e67-ba36-e09f92cf5929 stack_set_name: TestStackPrime status: ACTIVE tags: Some: Thing an: other template_body: "AWSTemplateFormatVersion: \"2010-09-09\"\nParameters: {}\nResources:\n\ \ Bukkit:\n Type: \"AWS::S3::Bucket\"\n Properties: {}\n other:\n \ \ Type: \"AWS::SNS::Topic\"\n Properties: {}\n" type: dict