Distributing AWS CloudFormation Templates to Accounts
CloudFormation templates must be attached to cloud rules for Kion to apply the templates to the AWS accounts. For more information about cloud rules, see What is a Cloud Rule?
Templates are deployed to a specific region, but not every resource a template creates is region-scoped. For instance, IAM is a global service: if a template creates an IAM role with a fixed name and you run that template in two different regions of the same AWS account, the second deployment fails with an error stating the role already exists.
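As an added example (not from Kion's documentation), the two templates below show the IAM role collision described above and one way to avoid it. The first hard-codes RoleName, so deploying it in a second region of the same account fails; the second derives a region-unique name from the AWS::Region pseudo parameter. The role name, trusted service and managed policy are constructed for illustration.

```yaml
# Constructed example. Deploying this template in two regions of the same
# account fails the second time: IAM is a global service, so the fixed
# RoleName already exists once the first region's stack has created it.
AWSTemplateFormatVersion: "2010-09-09"
Description: Audit role with a hard-coded (account-global) name
Resources:
  AuditRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: kion-audit-role          # collides across regions
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
---
# Corrected version (a separate template): the role name includes the
# deployment region, so the same template can be distributed by one cloud
# rule to every region it targets without name collisions. Omitting
# RoleName entirely and letting CloudFormation generate one also works.
AWSTemplateFormatVersion: "2010-09-09"
Description: Audit role with a region-unique name
Resources:
  AuditRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "kion-audit-role-${AWS::Region}"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
```

Stack names themselves are region-scoped, so the same stack name in two regions is not a conflict; only the globally named resources inside the stack are.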
Order of Operations
When a cloud rule is applied to a project:
- If a Pre-Rule Webhook is specified on the cloud rule, the webhook triggers and Kion waits for a success response.
  - If the request is not successful, the process stops and the owner of the cloud rule is notified of the error.
- If an AWS CloudFormation Template is specified on the cloud rule, an AWS CloudFormation stack is created in the AWS account in the region specified on the template.
  - If a stack for a template with the same name already exists in the account, an update stack operation runs instead of creating a new stack.
  - If the stack creation fails, Kion retries up to two more times; if it still fails, the process stops and the owner of the cloud rule is notified of the error.
- If a Post-Rule Webhook is specified on the cloud rule, the webhook triggers.
Cloud Rule Exemptions
Cloud rule exemptions can be set at a few different levels, and where an exemption is set determines what it blocks.
- Exempted at an OU. All resources are blocked from being inherited by descendant accounts.
- Exempted on a project. All resources are blocked from being inherited by attached accounts.
- Exempted on a cloud access role. Only the IAM policies attached to the cloud rule are blocked. All other cloud rule components are still applied (webhooks, CloudFormation templates, AMIs, SCPs, service catalog portfolios, etc.).
For more information, see Cloud Rule Inheritance and Exemption.