All Products
Search
Document Center

Resource Orchestration Service:Overview

Last Updated:Nov 14, 2023

A stack group helps you manage multiple stacks in an efficient manner at low costs in Resource Orchestration Service (ROS). You can create a stack group to deploy multiple stacks across accounts and regions.

Scenarios

Cross-account and same-region stack deployment

Your enterprise wants to create the same resources across different accounts in the same region in an efficient manner. In the scenario, you can add multiple execution accounts and specify a region when you use the administrator account to create a stack group. This way, ROS deploys multiple stacks to create the same resources across the execution accounts in the same region.

Cross-region and same-account stack deployment

Your enterprise wants to create the same resources across different regions within the same account in an efficient manner. In the scenario, you can add an execution account and specify multiple regions when you use the administrator account to create a stack group. This way, ROS deploys multiple stacks to create the same resources across the regions within the same execution account.

Cross-account and cross-region stack deployment

Your enterprise wants to create the same resources across different accounts and in different regions in an efficient manner. In the scenario, you can add multiple execution accounts and specify multiple regions when you use the administrator account to create a stack group. This way, ROS deploys multiple stacks to create the same resources across the execution accounts and regions.

Permission models

ROS allows you to use one of the following permission models to create stack groups: self-managed permission model and service-managed permission model. You can use the administrator account to create a stack group in a region to deploy stacks across accounts and regions.

Self-managed permission model

In the following figure, a stack group that has self-managed permissions is created in the China (Hangzhou) region within the administrator account (Account A). Stacks are separately deployed in the China (Hangzhou) and China (Beijing) regions within execution accounts (Account B and Account C).

image.png

To use the self-managed permission model to deploy stacks, perform the following steps:

  1. Grant self-managed permissions

  2. Create a stack group

  3. (Optional) Create stack instances

Service-managed permission model

In the following figure, a stack group that has service-managed permissions is created in the China (Hangzhou) region within the administrator account (Account A). Stacks are separately deployed in the China (Hangzhou) and China (Beijing) regions within execution accounts in the specified folder of a resource directory. In this case, ROS automatically uses the members (Account B and Account C) in the specified folder as the execution accounts.

003

You can enable automatic deployment when you create a stack group that has service-managed permissions. This way, when an account is added to or removed from a resource directory, ROS automatically creates or deletes the stack instances that belong to the account.

To use the service-managed permission model to deploy stacks, perform the following steps:

  1. Create a delegated administrator account

  2. Enable trusted access

  3. Create a stack group

  4. (Optional) Create stack instances

Basic relationships

When you create a stack group within the administrator account in a region, ROS creates stack instances in the accounts and regions that you specify. This way, stacks that correspond to the stack instances are deployed. Operations on a stack group affect the stack instances in the group and the associated stacks. The operations include update and delete operations. The following figure shows the relationships between stack groups, stack instances, and stacks.

001

Stack groups, stack instances, and stacks are subject to the following items:

  • A stack instance belongs to only one stack group.

  • A stack instance corresponds to one or zero stack.

    A stack instance can exist without a stack. For example, a stack instance can be created even if the associated stack fails to be created due to a specific reason. In this case, you can view the stack instance to identify the reason for the creation failure.

  • When you delete a stack instance, you can choose to delete or retain the associated stack.

  • When you delete a stack, the associated stack instance is not deleted.

Terms

Term

Description

stack instance

A stack instance is a reference to an attempted or actual stack within an execution account. You can use the administrator account to view the stack instances in a stack group to check the deployment status of resources. You can use the administrator account of a stack group to create a stack instance in multiple execution accounts and regions at a time. This way, the stack instance is created in each region within each execution account.

administrator account

An account within which you create stack groups. For a stack group that has self-managed permissions, the administrator account is an Alibaba Cloud account. For a stack group that has service-managed permissions, the administrator account is the management account or a delegated administrator account.

execution account

An account into which you deploy stacks in your stack groups.