Can I use CloudFormation StackSets to deploy to multiple regions in my own account?

Submitted by 点点圈 on 2019-12-11 09:38:08

Question


I have a simple CloudFormation stack that I want to deploy to all regions in my account so I don't have to manually go into each region to deploy the stack, or create a script that does that with the CLI.

I tried doing this with StackSets: I indicated that the account I want to deploy to is my own account number. Then I selected all the regions, and tried to deploy.

Unfortunately, it didn't work, saying:

Account 1234567867867 should have 'AWSCloudFormationStackSetExecutionRole' role with trust relationship to Role 'AWSCloudFormationStackSetAdministrationRole'.

So I looked into that and came across this tutorial on how to address that issue:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html

However, in going through that process, it wouldn't let me do the second step, where I create a role that trusts the administrator account... I'm guessing this is because the administrator account IS my account, so setting up the trust relationship doesn't work, but I'm not exactly sure. Here's the error I get:

AWSCloudFormationStackSetExecutionRole already exists

So is this even possible? Or should I just create a script that uses the CLI to deploy a normal CloudFormation stack across all the regions within my account?


Answer 1:


The answer is yes, you can use StackSets to deploy across multiple regions within YOUR ONE SINGLE ACCOUNT.

You still need to create the master/child roles as described in the article I linked in my original question. In this special case, you're basically saying you trust yourself to use your own role. But once you do that, you should be able to set up a StackSet, specify your own account number as the account into which you want to deploy the StackSet, and choose all the regions you want.

The reason I was running into a problem earlier was because apparently someone had already added the child role to my account, so when I tried to create it myself, it was already there (causing the error). You probably won't run into that, assuming nobody's been messing with your account. But if you do find you run into that (maybe you're in a company with lots of people working on the same sets of accounts like I am), then all you need to do is find the AWSCloudFormationStackSetExecutionRole role in IAM, edit the Trust Relationships, and add another trust relationship to trust:

arn:aws:iam::<your account number>:role/AWSCloudFormationStackSetAdministrationRole


Source: https://stackoverflow.com/questions/54525634/can-i-use-cloudformation-stacksets-to-deploy-to-multiple-regions-in-my-own-accou
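The trust-relationship edit described in the answer, as an added example that is not part of the original post: it takes the execution role's existing trust policy and adds the administration role as a trusted principal without disturbing the trust that was already there. The function names, the account IDs and the sample policy are constructed for illustration.

```python
import copy
import json

ADMIN_ROLE = "AWSCloudFormationStackSetAdministrationRole"

def admin_role_arn(account_id: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{ADMIN_ROLE}"

def add_admin_trust(trust_policy: dict, account_id: str) -> dict:
    """Return a copy of trust_policy that also lets the StackSets administration
    role in account_id assume the role. Existing statements are preserved and
    nothing is appended when that role is already trusted unconditionally."""
    arn = admin_role_arn(account_id)
    policy = copy.deepcopy(trust_policy)
    statements = policy.setdefault("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = policy["Statement"] = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else aws
        if "sts:AssumeRole" in actions and arn in aws:
            return policy  # already trusted, leave the policy unchanged
    # Trust the one named role only, which is narrower than trusting the
    # whole account (arn:aws:iam::<account>:root).
    statements.append({
        "Effect": "Allow",
        "Principal": {"AWS": arn},
        "Action": "sts:AssumeRole",
    })
    return policy

# Constructed sample: an execution role that someone else created earlier and
# that trusts the administration role of a different (made-up) account.
EXISTING = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": admin_role_arn("999999999999")},
        "Action": "sts:AssumeRole",
    },
}

if __name__ == "__main__":
    print(json.dumps(add_admin_trust(EXISTING, "111111111111"), indent=2))
```

The returned document is what goes into the role's Trust Relationships editor in the IAM console, or into the PolicyDocument of IAM's UpdateAssumeRolePolicy call.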
