feat: hub-and-spoke multi-account support for StackSet deployments #161

Open
kuentzm wants to merge 1 commit into aws-solutions-library-samples:main from kuentzm:feat/hub-spoke-multi-account

kuentzm commented Mar 17, 2026

Summary

  • Add hub-and-spoke deployment mode to scale from single-account to multi-account (1,500+ developers) via CloudFormation StackSets
  • Hub account centralizes monitoring/dashboards/quota while spoke accounts receive auth infrastructure (IAM OIDC Provider + IAM Role) via StackSets
  • No changes to credential provider or CloudFormation templates — existing FederationType=direct templates deploy as-is via StackSet

Changes

  • config.py: Add deployment_mode, spoke_ou_id, spoke_account_ids, stackset_name fields to Profile
  • deploy.py: Add hub target (monitoring stacks only) and spoke-stackset target (auth via StackSet with OU or explicit account targeting)
  • init.py: Add hub mode wizard flow with OU ID or account list collection
  • package.py: Add per-account config generation (spoke-configs/config-{account_id}.json) for hub deployments
  • status.py: Add StackSet status display (name, status, spoke account counts)

Test plan

  • Run ccwb init — verify hub mode wizard collects OU ID and saves to profile JSON
  • Run ccwb deploy hub — verify monitoring stacks deploy to hub (skip auth)
  • Run ccwb deploy spoke-stackset — verify StackSet created, stack instances deployed to test accounts
  • Run ccwb status — verify StackSet status shows in output
  • Run ccwb package — verify per-account config files generated in dist/spoke-configs/
  • Test end-to-end: developer installs package with spoke config, authenticates via IdP, gets Bedrock access in their own account

🤖 Generated with Claude Code

Enable scaling from single-account to multi-account deployments via
CloudFormation StackSets. Hub mode deploys monitoring/dashboards centrally
while auth infrastructure is pushed to spoke accounts via StackSets.

- Add deployment_mode, spoke_ou_id, spoke_account_ids, stackset_name to Profile
- Add 'hub' deploy target (monitoring stacks only, skips auth)
- Add 'spoke-stackset' deploy target (auth via StackSet to spoke accounts)
- Add hub mode wizard flow in init (OU ID or explicit account targeting)
- Add per-account config generation in package for spoke accounts
- Add StackSet status display in status command

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

kuentzm requested a review from a team as a code owner March 17, 2026 20:29