If you're working in a multi-account [[AWS]] setup and have a stack defined in [[Serverless Framework]] that you wish to install on all accounts, you need a mechanism for deploying it.
If you're using raw [[AWS CloudFormation|CloudFormation]] you can use its [StackSets](https://aws.amazon.com/blogs/aws/use-cloudformation-stacksets-to-provision-resources-across-multiple-aws-accounts-and-regions/) feature. However, this is not currently supported in Serverless Framework or the [[AWS CDK]]. This makes it difficult to roll out stacks that contain Lambda code to multiple accounts using stack sets alone.
The following multi-stage solution describes an approach to achieve this:
#### 1) Create `MultiAccountDeployer` IAM role in Tools account
This role is used in step 3 below to initiate the cross-account deployment process. Its PolicyDocument needs permissions to call the AWS Organizations APIs and to assume the per-account `DeployEventDiscoverer` role (created in step 2) in every account.
#### 2) Use StackSets to roll out per-account deployer role
In the master account of the AWS Organization, create a CloudFormation StackSet template with a single IAM role resource named `DeployEventDiscoverer`. This should be assigned all the requisite permissions to perform the Serverless Framework service deployment within its own account.
Also, in the AssumeRolePolicy of this role definition, grant the `MultiAccountDeployer` role from the Tools account permissions to assume this role.
*An alternative to using stack sets directly here is to use [OrgFormation](https://github.com/org-formation/org-formation-cli) which works great for rolling out non-Lambda stacks to multiple accounts through a higher-level IaC (using stack sets under the hood).*
#### 3) Use Serverless Framework CLI to deploy to each account in series
This step can be performed either ad hoc on a developer workstation (e.g. when a new account has been created) or in a CI script whenever a Git push is made to the `event-discoverer` repo:
1. Assume the `MultiAccountDeployer` IAM role
2. Use the AWS Organizations [ListAccounts API](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccounts.html) to get all account IDs in the org
3. For each account ID:
    1. Use the `aws sts assume-role` CLI command to assume the `DeployEventDiscoverer` role in the target account
    2. Run the `serverless deploy` command to deploy the stack to that account
If you only need to deploy to a single account whose ID you already know, you can skip step 2.
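The sub-steps of step 3 as a script, added here as an example and not code from the original note. It assumes the shell already holds credentials for the Tools-account `MultiAccountDeployer` role, that it runs from the service directory, and that `DeployEventDiscoverer` exists in each target account; the ACTIVE-only account filter, the 12-digit ID check and the subshell that scopes the temporary credentials go beyond the note's steps.

```shell
#!/bin/sh
# Added example, not from the original note: deploy one Serverless Framework service to
# every ACTIVE account in the org (step 3). Assumed: the shell already holds credentials
# for the Tools-account MultiAccountDeployer role, `serverless` runs from the service
# directory, and DeployEventDiscoverer exists in each target account (step 2).
set -eu
STAGE="${STAGE:-prod}"
TARGET_ROLE_NAME="DeployEventDiscoverer"
# ARN of the per-account deployer role. Only a 12-digit account ID is accepted, so a
# malformed ID can never become an assume-role call against an unintended principal.
role_arn_for_account() {
  case "$1" in *[!0-9]* | '') echo "invalid account id: '$1'" >&2; return 1 ;; esac
  [ "${#1}" -eq 12 ] || { echo "invalid account id: '$1'" >&2; return 1; }
  printf 'arn:aws:iam::%s:role/%s\n' "$1" "$TARGET_ROLE_NAME"
}

# Step 3.2: ACTIVE accounts only, so a SUSPENDED one cannot abort the run half-way.
# ListAccounts is paginated; the CLI follows NextToken automatically.
list_active_account_ids() {
  aws organizations list-accounts \
    --query "Accounts[?Status=='ACTIVE'].Id" --output text | tr '\t' '\n'
}

# Step 3.3.1: prints "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken".
assume_target_role() {
  aws sts assume-role --role-arn "$1" --role-session-name "deploy-$(date +%s)" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
}

# Step 3.3.2: the temporary credentials are exported only inside a subshell, so they
# never leak into the caller's environment or into the next account's deploy.
deploy_to_account() {
  arn="$(role_arn_for_account "$1")" || return 1
  (
    creds="$(assume_target_role "$arn")" || exit 1
    IFS="$(printf '\t')" read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<EOF
$creds
EOF
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    serverless deploy --stage "$STAGE"
  )
}
deploy_to_all_accounts() {
  for id in $(list_active_account_ids); do deploy_to_account "$id"; done
}

case "${1:-}" in
  --all) deploy_to_all_accounts ;;
  --account) deploy_to_account "${2:?usage: $0 --account <account-id>}" ;;
esac
```

Run `./deploy-all.sh --all` for the whole org, or `./deploy-all.sh --account <account-id>` for the single known account mentioned above (script name is assumed).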