Search code examples
amazon-web-servicesaws-cloudformationaws-policies

How to run CloudFormation for a specific AWS Account

I am trying to create a CloudFormation template for a custom-managed policy where whenever I run the template, it'll create the policy in the account I specified.

For example, I have 10 AWS accounts and I want to create a template in our main account where you just need to enter the accountID and the JSON and CloudFormation will create it for you. This is what I have so far (which dosen't work)

AWSTemplateFormatVersion: "2010-09-09"
Description: "This cloudformation template will create a managed policy in a perticular account"

#####################
# Define Parameters
#####################
Parameters:
  PolicyName:
    Type: String
    Description: The name that will be applied to the custom policy.

  PolicyDescription:
    Type: String
    Description: Type a description for this policy. This can NOT be changed after initial assignment.

  PolicyJson:
    Type: Json
    Description: Type permission for this policy in JSON format

  AccountID:
    Type: String
    Description: Enter the account ID where you want to create this policy


#####################
# Define Resources
#####################
Resources: 
  # ---------------------
  # Define Policy Resource
  # ---------------------
  ManagedPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties: 
      ManagedPolicyName: !Ref PolicyName
      Description: !Ref PolicyDescription
      Path: "/"
      PolicyDocument: !RefPolicyJson

#####################
# Define Outputs:
#####################
Outputs:
  PolicyName:
    Description: The name of the newly created managed policy
    Value: !Ref PolicyName

Issues:

  1. It's not allowed to pass whole JSON object as a variable ( Template format error: Unrecognized parameter type: Json). I thought of passing Resources: in parameter but I don't know how to do it as permissions will vary based on use case. So If possible, I want empty box where people can give their own JSON for the permission and I pass that as a value.
  2. I am not sure how to use accountID. How can I tell my template to go to spcific account (as defined in the parameter), assume this role and create this policy with the given Json

I am following https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html documentation in order to solve my problem.

We want whenever someone runs the template, they are provided with input fields where they can write policy name, Description, Account where to create the policy and Json of the permission. And Cloudformation should create it for them and return the policy ARN as output

Solution

  • You have to use stacksets for multi-account deployments of templates:

    AWS CloudFormation StackSets extends the capability of stacks by enabling you to create, update, or delete stacks across multiple accounts and AWS Regions with a single operation.