Tool to orchestrate execution of AWS CloudFormation templates

Question

The AWS Console and CLI is great for executing a single template to a single AWS account. But for provisioning to multiple accounts it is not usable.

I like a tool to orchestrate the provisioning of CloudFormation templates through multiple developer AWS accounts all the way to Production. At the very best the tool should have the ability to have manual approval steps and present a change set before execution. A web UI would be preferred for visibility.

Suggestions on both commercial and OSS tools are welcomed.

Could eventually CodePipeline be used for this? If yes, any samples of how to do that?

Answer 1

Update 6/27/2019:

Multiple-AWS account use-cases have become much more common and officially-supported, particularly since the launch of AWS Organizations (released on 27 Feb 2017; two weeks after my original answer below).

On 25 Jul 2017, CloudFormation launched a new feature called StackSets which directly supports the specific use case of provisioning CloudFormation resources across multiple accounts. Today, the best tool to use for managing multi-account CloudFormation resources is the StackSets feature.

---

I like a tool to orchestrate the provisioning of CloudFormation templates through multiple developer AWS accounts all the way to Production.

It's not clear from the question where exactly the need for "multiple developer AWS accounts" comes from. Most typical use cases involving multiple developers working within a single organization are much better served by creating individual IAM users within a single AWS account, which is the documented best practice. Unless you have specific (non-standard) reasons for requiring multiple developers to work from separate AWS accounts (and if so, add these details to your question), creating individual IAM users within a single AWS is strongly recommended, since it will make configuration much simpler.

At the very best the tool should have the ability to have manual approval steps and present a change set before execution. A web UI would be preferred for visibility.

AWS CodePipeline is the tool that fits this description exactly. It supports:

• Provisioning CloudFormation templates
• Manual approval steps
• Present a Change Set before execution using CHANGE_SET_REPLACE ("Create or replace a change set") / CHANGE_SET_EXECUTE ("Execute a change set") Action Modes in your pipeline
• Web UI is available through the AWS Management Console

Could eventually CodePipeline be used for this? If yes, any samples of how to do that?

See the Walkthrough: Building a Pipeline for Test and Production Stacks in the AWS CloudFormation User Guide for a complete sample.

Answer 2

There is commercial tool/service that can do this or more: https://www.cloudaware.com

Note: I am not affiliated with that company, nor have I used that tool

Answer 3

Firstly I'm not aware of a single tool which delivers all of the functionality you require. I can however recommend Ansible which would allow you to create CloudFormation stacks against a number of subscriptions and give you a web UI for visibility.

The web UI could be provided by either using Ansible Tower or Ansible coupled with your choice of CI/CD platform (e.g. TeamCity / Jenkins).

An example of firing up a CloudFormation stack and returning some of the stack outputs can be seen here:

https://www.unixdaemon.net/tools/managing-cloudformation-stacks-with-ansible/

- name: Create Webapp
action: cloudformation
  stack_name={{ stack_name }}-webapp
  state=present
  region="{{region}}"
  template=-webapp.json
args:
  template_parameters:
    Owner: "{{ owner }}"
    AMIId: "{{ ami_id }}"
    KeyName: "{{ keyname }}"
    AppServerFleetSize: 1
    ASGSNSArn:             "{{ asgsns['stack_outputs']['EmailSNSTopicARN']      }}"
    WebappSGID:            "{{ secgrp['stack_outputs']['WebappSGID']            }}"
    ElasticacheClientSGID: "{{ secgrp['stack_outputs']    ['ElasticacheClientSGID'] }}"