Skip to content

Update Stack Set

cloudformation_update_stack_set R Documentation

Updates the StackSet and associated stack instances in the specified accounts and Amazon Web Services Regions

Description

Updates the StackSet and associated stack instances in the specified accounts and Amazon Web Services Regions.

Even if the StackSet operation created by updating the StackSet fails (completely or partially, below or above a specified failure tolerance), the StackSet is updated with your changes. Subsequent create_stack_instances calls on the specified StackSet use the updated StackSet.

The maximum number of organizational unit (OUs) supported by a update_stack_set operation is 50.

If you need more than 50, consider the following options:

  • Batch processing: If you don't want to expose your OU hierarchy, split up the operations into multiple calls with less than 50 OUs each.

  • Parent OU strategy: If you don't mind exposing the OU hierarchy, target a parent OU that contains all desired child OUs.

Usage

cloudformation_update_stack_set(StackSetName, Description, TemplateBody,
  TemplateURL, UsePreviousTemplate, Parameters, Capabilities, Tags,
  OperationPreferences, AdministrationRoleARN, ExecutionRoleName,
  DeploymentTargets, PermissionModel, AutoDeployment, OperationId,
  Accounts, Regions, CallAs, ManagedExecution)

Arguments

StackSetName

[required] The name or unique ID of the StackSet that you want to update.
Description

A brief description of updates that you are making.
TemplateBody

The structure that contains the template body, with a minimum length of 1 byte and a maximum length of 51,200 bytes.

Conditional: You must specify only one of the following parameters: TemplateBody or TemplateURL—or set UsePreviousTemplate to true.
TemplateURL

The URL of a file that contains the template body. The URL must point to a template (maximum size: 1 MB) that is located in an Amazon S3 bucket or a Systems Manager document. The location for an Amazon S3 bucket must start with ⁠https://⁠. S3 static website URLs are not supported.

Conditional: You must specify only one of the following parameters: TemplateBody or TemplateURL—or set UsePreviousTemplate to true.
UsePreviousTemplate

Use the existing template that's associated with the StackSet that you're updating.

Conditional: You must specify only one of the following parameters: TemplateBody or TemplateURL—or set UsePreviousTemplate to true.
Parameters

A list of input parameters for the StackSet template.
Capabilities

In some cases, you must explicitly acknowledge that your stack template contains certain capabilities in order for CloudFormation to update the StackSet and its associated stack instances.

  • CAPABILITY_IAM and CAPABILITY_NAMED_IAM

    Some stack templates might include resources that can affect permissions in your Amazon Web Services account, for example, by creating new IAM users. For those stacks sets, you must explicitly acknowledge this by specifying one of these capabilities.

    The following IAM resources require you to specify either the CAPABILITY_IAM or CAPABILITY_NAMED_IAM capability.

    • If you have IAM resources, you can specify either capability.

    • If you have IAM resources with custom names, you must specify CAPABILITY_NAMED_IAM.

    • If you don't specify either of these capabilities, CloudFormation returns an InsufficientCapabilities error.

    If your stack template contains these resources, we recommend that you review all permissions associated with them and edit their permissions if necessary.

    For more information, see Acknowledging IAM resources in CloudFormation templates.

  • CAPABILITY_AUTO_EXPAND

    Some templates reference macros. If your StackSet template references one or more macros, you must update the StackSet directly from the processed template, without first reviewing the resulting changes in a change set. To update the StackSet directly, you must acknowledge this capability. For more information, see Perform custom processing on CloudFormation templates with template macros.

    StackSets with service-managed permissions do not currently support the use of macros in templates. (This includes the AWS::Include and AWS::Serverless transforms, which are macros hosted by CloudFormation.) Even if you specify this capability for a StackSet with service-managed permissions, if you reference a macro in your template the StackSet operation will fail.
Tags

The key-value pairs to associate with this StackSet and the stacks created from it. CloudFormation also propagates these tags to supported resources that are created in the stacks. You can specify a maximum number of 50 tags.

If you specify tags for this parameter, those tags replace any list of tags that are currently associated with this StackSet. This means:

  • If you don't specify this parameter, CloudFormation doesn't modify the stack's tags.

  • If you specify any tags using this parameter, you must specify all the tags that you want associated with this StackSet, even tags you've specified before (for example, when creating the StackSet or during a previous update of the StackSet.). Any tags that you don't include in the updated list of tags are removed from the StackSet, and therefore from the stacks and resources as well.

  • If you specify an empty value, CloudFormation removes all currently associated tags.

If you specify new tags as part of an update_stack_set action, CloudFormation checks to see if you have the required IAM permission to tag resources. If you omit tags that are currently associated with the StackSet from the list of tags you specify, CloudFormation assumes that you want to remove those tags from the StackSet, and checks to see if you have permission to untag resources. If you don't have the necessary permission(s), the entire update_stack_set action fails with an ⁠access denied⁠ error, and the StackSet is not updated.
OperationPreferences

Preferences for how CloudFormation performs this StackSet operation.
AdministrationRoleARN

[Self-managed permissions] The Amazon Resource Name (ARN) of the IAM role to use to update this StackSet.

Specify an IAM role only if you are using customized administrator roles to control which users or groups can manage specific StackSets within the same administrator account. For more information, see Grant self-managed permissions in the CloudFormation User Guide.

If you specified a customized administrator role when you created the StackSet, you must specify a customized administrator role, even if it is the same customized administrator role used with this StackSet previously.
ExecutionRoleName

[Self-managed permissions] The name of the IAM execution role to use to update the stack set. If you do not specify an execution role, CloudFormation uses the AWSCloudFormationStackSetExecutionRole role for the StackSet operation.

Specify an IAM role only if you are using customized execution roles to control which stack resources users and groups can include in their StackSets.

If you specify a customized execution role, CloudFormation uses that role to update the stack. If you do not specify a customized execution role, CloudFormation performs the update using the role previously associated with the StackSet, so long as you have permissions to perform operations on the StackSet.
DeploymentTargets

[Service-managed permissions] The Organizations accounts in which to update associated stack instances.

To update all the stack instances associated with this StackSet, do not specify DeploymentTargets or Regions.

If the StackSet update includes changes to the template (that is, if TemplateBody or TemplateURL is specified), or the Parameters, CloudFormation marks all stack instances with a status of OUTDATED prior to updating the stack instances in the specified accounts and Amazon Web Services Regions. If the StackSet update doesn't include changes to the template or parameters, CloudFormation updates the stack instances in the specified accounts and Regions, while leaving all other stack instances with their existing stack instance status.
PermissionModel

Describes how the IAM roles required for StackSet operations are created. You cannot modify PermissionModel if there are stack instances associated with your stack set.
AutoDeployment

[Service-managed permissions] Describes whether StackSets automatically deploys to Organizations accounts that are added to a target organization or organizational unit (OU). For more information, see Enable or disable automatic deployments for StackSets in Organizations in the CloudFormation User Guide.

If you specify AutoDeployment, don't specify DeploymentTargets or Regions.
OperationId

The unique ID for this StackSet operation.

The operation ID also functions as an idempotency token, to ensure that CloudFormation performs the StackSet operation only once, even if you retry the request multiple times. You might retry StackSet operation requests to ensure that CloudFormation successfully received them.

If you don't specify an operation ID, CloudFormation generates one automatically.

Repeating this StackSet operation with a new operation ID retries all stack instances whose status is OUTDATED.
Accounts

[Self-managed permissions] The accounts in which to update associated stack instances. If you specify accounts, you must also specify the Amazon Web Services Regions in which to update StackSet instances.

To update all the stack instances associated with this StackSet, don't specify the Accounts or Regions properties.

If the StackSet update includes changes to the template (that is, if the TemplateBody or TemplateURL properties are specified), or the Parameters property, CloudFormation marks all stack instances with a status of OUTDATED prior to updating the stack instances in the specified accounts and Amazon Web Services Regions. If the StackSet update does not include changes to the template or parameters, CloudFormation updates the stack instances in the specified accounts and Amazon Web Services Regions, while leaving all other stack instances with their existing stack instance status.
Regions

The Amazon Web Services Regions in which to update associated stack instances. If you specify Regions, you must also specify accounts in which to update StackSet instances.

To update all the stack instances associated with this StackSet, do not specify the Accounts or Regions properties.

If the StackSet update includes changes to the template (that is, if the TemplateBody or TemplateURL properties are specified), or the Parameters property, CloudFormation marks all stack instances with a status of OUTDATED prior to updating the stack instances in the specified accounts and Regions. If the StackSet update does not include changes to the template or parameters, CloudFormation updates the stack instances in the specified accounts and Regions, while leaving all other stack instances with their existing stack instance status.
CallAs

[Service-managed permissions] Specifies whether you are acting as an account administrator in the organization's management account or as a delegated administrator in a member account.

By default, SELF is specified. Use SELF for StackSets with self-managed permissions.

  • If you are signed in to the management account, specify SELF.

  • If you are signed in to a delegated administrator account, specify DELEGATED_ADMIN.

    Your Amazon Web Services account must be registered as a delegated administrator in the management account. For more information, see Register a delegated administrator in the CloudFormation User Guide.
ManagedExecution

Describes whether CloudFormation performs non-conflicting operations concurrently and queues conflicting operations.

Value

A list with the following syntax:

list(
  OperationId = "string"
)

Request syntax

svc$update_stack_set(
  StackSetName = "string",
  Description = "string",
  TemplateBody = "string",
  TemplateURL = "string",
  UsePreviousTemplate = TRUE|FALSE,
  Parameters = list(
    list(
      ParameterKey = "string",
      ParameterValue = "string",
      UsePreviousValue = TRUE|FALSE,
      ResolvedValue = "string"
    )
  ),
  Capabilities = list(
    "CAPABILITY_IAM"|"CAPABILITY_NAMED_IAM"|"CAPABILITY_AUTO_EXPAND"
  ),
  Tags = list(
    list(
      Key = "string",
      Value = "string"
    )
  ),
  OperationPreferences = list(
    RegionConcurrencyType = "SEQUENTIAL"|"PARALLEL",
    RegionOrder = list(
      "string"
    ),
    FailureToleranceCount = 123,
    FailureTolerancePercentage = 123,
    MaxConcurrentCount = 123,
    MaxConcurrentPercentage = 123,
    ConcurrencyMode = "STRICT_FAILURE_TOLERANCE"|"SOFT_FAILURE_TOLERANCE"
  ),
  AdministrationRoleARN = "string",
  ExecutionRoleName = "string",
  DeploymentTargets = list(
    Accounts = list(
      "string"
    ),
    AccountsUrl = "string",
    OrganizationalUnitIds = list(
      "string"
    ),
    AccountFilterType = "NONE"|"INTERSECTION"|"DIFFERENCE"|"UNION"
  ),
  PermissionModel = "SERVICE_MANAGED"|"SELF_MANAGED",
  AutoDeployment = list(
    Enabled = TRUE|FALSE,
    RetainStacksOnAccountRemoval = TRUE|FALSE,
    DependsOn = list(
      "string"
    )
  ),
  OperationId = "string",
  Accounts = list(
    "string"
  ),
  Regions = list(
    "string"
  ),
  CallAs = "SELF"|"DELEGATED_ADMIN",
  ManagedExecution = list(
    Active = TRUE|FALSE
  )
)