Config sets
You use config sets to specify which CloudFormation stacks you want to deploy to your organization's member accounts.

Config set directory and files

Config sets are standard Takomo stack configurations, but instead of the stacks directory, you put them in subdirectories under the config-sets directory. The directory names become the names of the config sets, and you use them to refer to the config sets in the organization configuration file. You place your stack group and stack configuration files directly in the config set directory's root. Other Takomo directories, such as the templates directory, remain in the project's root.

Example

Here is an example with two config sets named common and network.
.
├─ templates
├─ config-sets
│  ├─ common          # config set named 'common'
│  │  ├─ budgets.yml
│  │  └─ cloudtrail.yml
│  └─ network         # config set named 'network'
│     ├─ config.yml
│     └─ vpc.yml
└─ organization
   └─ organization.yml
The common config set has two stacks: budgets.yml and cloudtrail.yml. The network config set has the vpc.yml stack and a stack group configuration file, config.yml.

Attaching config sets

You can attach config sets to organizational units or accounts. Organizational units and accounts inherit config sets from the organizational unit they belong to. They can add config sets of their own but can't remove the config sets they inherited. You attach config sets to organizational units and accounts by providing a single config set name or a list of config set names in their configSets property.

Example

Let's continue the organization configuration we started in the previous chapters and see how to attach our config sets to accounts.
organization.yml
accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole
  constraints:
    namePattern: "^my-account-[a-z0-9-]+$"
    emailPattern: "^admin\\+my-account-[0-9a-z-][email protected]$"
masterAccountId: "098765432100"
organizationAdminRoleName: MyOrganizationAdminRole
serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true
backupPolicies:
  MyBackups:
    description: Backup policy
organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"
    # Attach the 'common' config set to this OU, which
    # makes all OUs and accounts under this OU
    # inherit it.
    configSets: common
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod:
    accounts:
      - id: "876754648373"
        name: MyAccount
        description: This is a production account
        # Attach the 'network' config set directly
        # to this account.
        configSets:
          - network
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        backupPolicies:
          - MyBackups
      - "448873940474"
We attached the common config set to the Root organizational unit, which attaches it to all OUs and accounts located under the Root OU. We chose a different approach with the network config set and attached it directly to account 876754648373.

Account admin role

When you deploy config sets to your accounts, Takomo assumes an IAM role in each account and uses it to execute the deployment. By default, Takomo attempts to assume a role named OrganizationAccountAccessRole, but you can change the role by providing a different role name in the accountAdminRoleName property. This property can be used at the top level of the organization configuration, in organizational units, and in accounts.
The credentials used to run the deploy command must have permissions to assume the account admin role from each account.

Example

This is how you specify the account admin role.
organization.yml
accountCreation:
  defaults:
    iamUserAccessToBilling: true
    roleName: MyAccountAdminRole
  constraints:
    namePattern: "^my-account-[a-z0-9-]+$"
    emailPattern: "^admin\\+my-account-[0-9a-z-][email protected]$"
masterAccountId: "098765432100"
organizationAdminRoleName: MyOrganizationAdminRole
# Define the account admin role at the top level
accountAdminRoleName: MyAccountAdminRole
serviceControlPolicies:
  restrict-by-regions:
    description: Restrict regions
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true
backupPolicies:
  MyBackups:
    description: Backup policy
organizationalUnits:
  Root:
    serviceControlPolicies: FullAWSAccess
    accounts:
      - "098765432100"
    configSets: common
  Root/Workloads:
    serviceControlPolicies: restrict-by-regions
    # Set the account admin role for this
    # organizational unit. Overrides the value
    # given at the top level. All OUs and accounts
    # under this OU will inherit the account
    # admin role name.
    accountAdminRoleName: AnotherAdminRole
  Root/Workloads/Dev: {}
  Root/Workloads/Test: {}
  Root/Workloads/Prod:
    accounts:
      - id: "876754648373"
        name: MyAccount
        description: This is a production account
        configSets:
          - network
  Root/Sandbox:
    accounts:
      - id: "123456789012"
        # Define the account admin role only
        # for this account.
        accountAdminRoleName: AccountSpecificRole
        backupPolicies:
          - MyBackups
      - "448873940474"
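Because config sets and the account admin role are both inherited down the OU tree, it is easy to lose track of what a given account will actually receive, and a config set name that does not match a directory under config-sets is only found at deploy time. The following Python resolver is an added illustration, not Takomo's own code: it applies the inheritance rules described in the two sections above (inherited config sets can be added to but never removed; accountAdminRoleName defaults to OrganizationAccountAccessRole, is overridden per OU and inherited below it, and can be overridden again per account) and reports config set names that have no matching directory. The ORGANIZATION dict and CONFIG_SET_DIRS set are constructed inputs mirroring the example configuration; in practice you would get the same structure from yaml.safe_load on organization.yml and from listing the config-sets directory.

```python
"""Resolve effective config sets and account admin role per account.

Added illustration, not Takomo's own code. Inheritance rules as documented:
  * OUs and accounts inherit config sets from their parent OU, may add their
    own, and can never remove inherited ones.
  * accountAdminRoleName defaults to OrganizationAccountAccessRole, can be set
    at the top level, overridden per OU (inherited by everything below), and
    overridden again per account.
"""
from typing import Dict, List

DEFAULT_ADMIN_ROLE = "OrganizationAccountAccessRole"

# Constructed input: the organization.yml above as yaml.safe_load() would
# return it. Only the keys this resolver needs are included.
ORGANIZATION = {
    "accountAdminRoleName": "MyAccountAdminRole",
    "organizationalUnits": {
        "Root": {"accounts": ["098765432100"], "configSets": "common"},
        "Root/Workloads": {"accountAdminRoleName": "AnotherAdminRole"},
        "Root/Workloads/Dev": {},
        "Root/Workloads/Test": {},
        "Root/Workloads/Prod": {
            "accounts": [
                {"id": "876754648373", "name": "MyAccount", "configSets": ["network"]},
            ],
        },
        "Root/Sandbox": {
            "accounts": [
                {"id": "123456789012", "accountAdminRoleName": "AccountSpecificRole"},
                "448873940474",
            ],
        },
    },
}

# Constructed: directory names found under config-sets/ in the project.
CONFIG_SET_DIRS = {"common", "network"}


def _as_list(value) -> List[str]:
    """configSets accepts either a single name or a list of names."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _ou_chain(ou_path: str) -> List[str]:
    """'Root/Workloads/Prod' -> ['Root', 'Root/Workloads', 'Root/Workloads/Prod']."""
    parts = ou_path.split("/")
    return ["/".join(parts[: i + 1]) for i in range(len(parts))]


def resolve_accounts(org: dict) -> Dict[str, dict]:
    """Return {account_id: {"ou", "configSets", "accountAdminRoleName"}}."""
    ous = org.get("organizationalUnits", {})
    resolved: Dict[str, dict] = {}
    for ou_path, ou in ous.items():
        config_sets: List[str] = []
        admin_role = org.get("accountAdminRoleName", DEFAULT_ADMIN_ROLE)
        # Walk from Root down to this OU, accumulating inherited settings.
        for ancestor in _ou_chain(ou_path):
            node = ous.get(ancestor, {})
            for name in _as_list(node.get("configSets")):
                if name not in config_sets:  # keep order, avoid duplicates
                    config_sets.append(name)
            admin_role = node.get("accountAdminRoleName", admin_role)
        for account in ou.get("accounts", []):
            if isinstance(account, str):  # bare account id form
                account = {"id": account}
            acct_sets = list(config_sets)  # inherited sets can only be added to
            for name in _as_list(account.get("configSets")):
                if name not in acct_sets:
                    acct_sets.append(name)
            resolved[account["id"]] = {
                "ou": ou_path,
                "configSets": acct_sets,
                "accountAdminRoleName": account.get("accountAdminRoleName", admin_role),
            }
    return resolved


def unknown_config_sets(resolved: Dict[str, dict], available) -> Dict[str, List[str]]:
    """Map account id -> referenced config set names with no directory under config-sets/."""
    return {
        acct: [n for n in info["configSets"] if n not in available]
        for acct, info in resolved.items()
        if any(n not in available for n in info["configSets"])
    }


if __name__ == "__main__":
    result = resolve_accounts(ORGANIZATION)
    for acct_id, info in sorted(result.items()):
        print(acct_id, info["ou"], info["configSets"], info["accountAdminRoleName"])
    print("unknown config sets:", unknown_config_sets(result, CONFIG_SET_DIRS) or "none")
```

Running this against the example shows account 876754648373 ending up with both common (inherited from Root) and network (attached directly), and with AnotherAdminRole inherited from Root/Workloads, while 448873940474 in Root/Sandbox keeps the top-level MyAccountAdminRole. Pointing unknown_config_sets at a directory listing that lacks network is the kind of check that would have caught a misspelled config set name before a deployment attempted to assume roles across the organization.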