StackSets with Parameter Store for AWS Resource Access Manager Shares

Using CloudFormation StackSets to provision reference variables in Parameter Store when sharing resources across accounts

Today I Explained

When constructing infrastructure that is intended to be used across multiple AWS Accounts, AWS supports resource sharing through AWS Resource Access Manager (RAM). This is especially useful for EC2 Prefix Lists, which allow a group of CIDR blocks to be shared and referenced from security groups and route tables.

For prefix lists, the group of CIDR blocks is not expected to remain constant, as IP ranges are added and removed over time, and having a single shared resource to manage makes these updates easier.

One of the difficulties with this approach is using the prefix list within CloudFormation. Each prefix list is generated with a unique identifier (pl-123456abcde123456), which is what security group resources expect. As CloudFormation doesn't support any mechanism for looking up these prefix list IDs, it is necessary either to pass the ID as a parameter or to hardcode it.

Alternatively, you can provision a Parameter Store entry within each AWS Region that contains the prefix list ID. The CloudFormation template can then reference it by a fixed parameter name. Manually provisioning this value in every single AWS Account would be a cumbersome process; this can be resolved by using AWS CloudFormation StackSets:

  ExportStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      PermissionModel: SERVICE_MANAGED
      StackSetName:
        Fn::Sub: ${AWS::StackName}-Export
      AutoDeployment:
        Enabled: false
        RetainStacksOnAccountRemoval: false
      CallAs: DELEGATED_ADMIN
      Capabilities:
      - CAPABILITY_IAM
      Description: Provision a Parameter Store entry in each AWS Account with the ID
      ManagedExecution:
        Active: true
      Parameters:
      - ParameterKey: Name
        ParameterValue: /networking/myprefixlist
      - ParameterKey: Value
        ParameterValue:
          Fn::GetAtt:
          - MyPrefixListResource
          - PrefixListId
      TemplateURL:
        Fn::Sub: https://mybucketnamefortemplates.s3.${AWS::Region}.amazonaws.com/parameterstore.template
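The StackSet above deploys a child template (parameterstore.template) that the post does not show. The following is an added example of such a template, not the post's own file; it assumes the Name and Value parameter keys passed by the StackSet and the resource name SharedResourceId, and it restricts the parameter path so a mistyped Name cannot land outside the intended namespace:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Deployed into each member account by the Export StackSet. Stores the ID of a
  resource shared via AWS RAM (e.g. a prefix list) under a fixed Parameter Store
  path so consuming stacks can use a dynamic reference instead of a hardcoded ID.

Parameters:
  Name:
    Type: String
    Description: Parameter Store path, e.g. /networking/myprefixlist
    # Only allow paths under /networking/, so an accidental Name value cannot
    # overwrite unrelated parameters in the target accounts (assumed namespace).
    AllowedPattern: '^/networking/[A-Za-z0-9_.-]+$'
  Value:
    Type: String
    Description: Shared resource ID, e.g. the prefix list ID (pl-...)
    MinLength: 1

Resources:
  SharedResourceId:
    Type: AWS::SSM::Parameter
    Properties:
      Name:
        Ref: Name
      # AWS::SSM::Parameter supports String and StringList only; the value is an
      # identifier rather than a secret, so String is appropriate here.
      Type: String
      Value:
        Ref: Value
      Description:
        Fn::Sub: Shared resource ID provisioned by StackSet instance ${AWS::StackName}
      Tags:
        ManagedBy: cloudformation-stackset

Outputs:
  ParameterName:
    Description: Parameter Store path to reference with {{resolve:ssm:...}}
    Value:
      Ref: SharedResourceId
```

Because a consuming stack resolves `{{resolve:ssm:...}}` at create or update time, a changed prefix list ID in Parameter Store only takes effect in that stack on its next deployment.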

Within the CloudFormation stacks that consume this infrastructure, the prefix list can then be referenced through the parameter with an SSM dynamic reference:

  RestrictedByList:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      # ...
      SourcePrefixListId: '{{resolve:ssm:/networking/myprefixlist}}'