Configuring a target account gate in AWS CloudFormation StackSets

An account gate is an optional feature that lets you specify an AWS Lambda function to verify that a target account meets certain requirements before AWS CloudFormation StackSets begins stack operations in that account. A common example of an account gate is verifying that there are no CloudWatch alarms active or unresolved on the target account. StackSets invokes the function each time you start stack operations in the target account, and only continues if the function returns a `SUCCEEDED` code. If the Lambda function returns a status of `FAILED`, StackSets does not continue with your requested operation. If you do not have an account gating Lambda function configured, StackSets skips the check, and continues with your operation.

If your target account fails an account gate check, the failed operation counts toward your specified failure tolerance number or percentage of stacks. For more information about failure tolerance, see Stack set operation options.

Account gating is only available for StackSets operations. This functionality is not available for other AWS CloudFormation operations outside of StackSets.
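The alarm check described above, sketched as a Lambda handler that fails closed when the check itself errors. This is an added example, not code from the AWS sample templates. The `{"Status": ...}` response shape, the choice of `ALARM` as the only blocking state, and the helper names are assumptions; `FakeCloudWatch` is a constructed stand-in so the logic runs offline.

```python
"""Added example: account gate that blocks StackSets operations while alarms fire."""

BLOCKING_STATES = ("ALARM",)  # assumption: only firing alarms block an operation


def alarms_in_state(cloudwatch, states=BLOCKING_STATES):
    """Return names of metric and composite alarms currently in any of `states`."""
    names = []
    paginator = cloudwatch.get_paginator("describe_alarms")
    for state in states:
        pages = paginator.paginate(
            StateValue=state, AlarmTypes=["MetricAlarm", "CompositeAlarm"]
        )
        for page in pages:
            for key in ("MetricAlarms", "CompositeAlarms"):
                names.extend(a["AlarmName"] for a in page.get(key, []))
    return names


def evaluate_gate(cloudwatch):
    """Decide the gate result; any error fails closed so a broken check cannot pass."""
    try:
        firing = alarms_in_state(cloudwatch)
    except Exception as exc:  # e.g. the role lacks cloudwatch:DescribeAlarms
        print(f"account gate check errored, failing closed: {exc!r}")
        return {"Status": "FAILED"}  # assumed response shape
    if firing:
        print(f"account gate blocked by alarms: {sorted(firing)}")
        return {"Status": "FAILED"}
    return {"Status": "SUCCEEDED"}


def lambda_handler(event, context):
    import boto3  # imported here so the logic above is testable without the AWS SDK
    return evaluate_gate(boto3.client("cloudwatch"))


class FakeCloudWatch:
    """Constructed stand-in for the boto3 CloudWatch client (sample data only)."""
    def __init__(self, pages=None, error=None):
        self.pages, self.error = pages or [], error

    def get_paginator(self, name):
        assert name == "describe_alarms"
        return self

    def paginate(self, **kwargs):
        if self.error:
            raise self.error
        return iter(self.pages)
```

Because StackSets skips the check when no gate function is configured, the fail-closed branch only protects accounts where the function is actually deployed.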

Setup requirements

The following list describes setup requirements for account gating.

Sample Lambda account gating functions

The following sample AWS CloudFormation templates are available for you to create Lambda *AWSCloudFormationStackSetAccountGate* functions. For more information about how to create a new stack using either of these templates, see Creating a stack in this guide.

| Template location | Description |
| --- | --- |
| https://s3.amazonaws.com/cloudformation-stackset-templates-us-east-1/cloudformation-stack-set-accountgate-succeeded.template | Creates a stack that implements a Lambda account gate function that will return a status of `SUCCEEDED`. |
| https://s3.amazonaws.com/cloudformation-stackset-templates-us-east-1/cloudformation-stack-set-accountgate-failed.template | Creates a stack that implements a Lambda account gate function that will return a status of `FAILED`. |
