Reputation: 2351
Can AppConfig be used for cross-account deployments?
I'm considering using AppConfig, but am struggling to understand how configurations would be used in a scenario where the Test and Staging deployments are in different accounts.
Having two completely different AppConfig setups in these two accounts seems counter productive, since it would make it difficult to elevate configurations to the different deployments.
I could alternately have one AppConfig setup, and call it from my application, but that would require cross account access, using a different role I presume, since there is no access to AppConfig using an ARN or resource-based policies.
So how would I access AppConfig across multiple accounts?
Upvotes: 5
Views: 1943
Answers (2)
Reputation: 8137
Stack Sets
Some services do have native multi-account support through the console. But if that fails, you can always use StackSets. If you can manage to package your AppConfig nicely up into a CloudFormation template, you can deploy a set of stacks to an Organizational Unit, which will deploy to all accounts in that OU.
This may or may not fit your use case based on your requirements. The typical use case for this is to enforce compliance and uniformity in these accounts that the VPC setup is consistent, logging is enabled etc. It isn't necessarily to deploy an application into different accounts not to say that this isn't a good idea, it just depends.
CI/CD - Preferred (IMO)
What I believe most people do is have a CI/CD account in AWS, or a separate CI/CD tool outside of AWS, which would have a pipe line (Code Pipline in AWS), which would have each of these accounts as a separate Stage. In your pipelines, you would have environment variables for each account if needed, and make the CLI/API calls to AWS which you are manually doing ATM. IMO this would be the most maintainable approach most of the time for the following reasons:
- Can easily have differences in the environments, (conditions in
CloudFormationare very hard to maintain IMO - If there is a problem in one stack your stack set it is not such an issue, as you may have one stack effect others.
- You generally have more granularity and control than you would with only
CloudFormationandStackSetsalthough with a bit of effort you can technically do everything withCloudFormation.
Service Catalog
Another alternative is to use the AWS Service Catalog, with auto update of provisioned products, there is an example of this here. But again this was for a slightly different use case of independent IT teams in an organization consuming IT products available to the company.
Upvotes: 0
Reputation: 386
App Config should be environment specific and cloud formation could be one of the solution to tackle the complxity of deployement.
Upvotes: -1
Related Questions
- Amazon AppConfig from Spring Boot
- Deploying an AWS Lambda from a different account
- Reading AWS AppConfig from .NET 6 Lambda Function
- AWS AppConfig Validation Lambda Policy in SAM Template
- AWS AppConfig and Parameter Store
- Cross Account AWS Lambda with IAM credentials
- Can't get configuration profile of AppConfig from AWS Lambda function
- Deploy AWS Lambda + API Gateway on Different Environments (Dev, QA, Demo etc) in Single AWS Account
- Cross-account deployement in AWS through Code-deploy service
- Provide single config to Multiple AWS APIs with Lambda integrations