AWS Service Catalog is a managed AWS service for creating and managing products (AWS services) centrally. Many case studies on managing infrastructure with it can be found at https://aws.amazon.com/servicecatalog/. This blog will show how AWS Service Catalog can be used to create, update and terminate AWS services. The way I see AWS Service Catalog, it is a nice-looking GUI for AWS CloudFormation. The S3 URL of a CloudFormation template is passed as a parameter to a Service Catalog product, and when the product is ready, the CloudFormation template is rendered in the UI. The parameters of the CloudFormation template are rendered as text boxes or dropdowns with proper HTML labels. Once the values are entered on the screen, the product can be created, updated or terminated.
Core Components of AWS Service Catalog
Products: Each imported CloudFormation template can be termed a product, and the template can contain any number of valid AWS resources. Multiple versions of the same product are created by importing updated CloudFormation templates. The template can be stored in S3 and imported into AWS Service Catalog by passing its S3 URL. Below is the CloudFormation definition of the product:
CreateRoles:
  Type: AWS::ServiceCatalog::CloudFormationProduct
  Properties:
    Owner: !Ref ProductOwner
    SupportDescription: !Ref ProductSupportDescription
    SupportEmail: !Ref ProductSupportEmail
    SupportUrl: !Ref ProductSupportUrl
    Description: Product to create IAM Roles for a Account
    Name: Provision IAM Roles
    # One entry per product version; each loads its own template from S3
    ProvisioningArtifactParameters:
      - Description: Create Stacket Roles
        Info:
          LoadTemplateFromURL: !Ref ProductTemplateUrlV1
        Name: Create Roles V1
      - Description: Create Stacket Roles and Kinesis role
        Info:
          LoadTemplateFromURL: !Ref ProductTemplateUrlV2
        Name: Create Roles V2
Portfolio: Multiple products can be assigned to a portfolio. Portfolios help manage product configuration, who can use specific products and how they can use them. Users, roles and groups can be added to a portfolio to grant access to the products in it. A portfolio can be shared with member accounts by referencing an existing organizational unit or organization ID without leaving AWS Service Catalog. In the cfn template below, the “AWS::ServiceCatalog::PortfolioPrincipalAssociation” resource grants this portfolio’s access to arn:aws:iam::${AWS::AccountId}:role/role-name, so any IAM users associated with the attached role will have access to the product.
ProvisionPortfolio:
  Type: AWS::ServiceCatalog::Portfolio
  Properties:
    ProviderName: !Ref ProductOwner
    DisplayName: Create Roles
# Put the product into the portfolio
AssociateProducttoPortfolio:
  DependsOn:
    - ProvisionPortfolio
  Type: AWS::ServiceCatalog::PortfolioProductAssociation
  Properties:
    PortfolioId: !Ref ProvisionPortfolio
    ProductId: !Ref CreateRoles
# Grant the portfolio (and so its products) to one IAM role
GrantAccessToProduct:
  DependsOn:
    - ProvisionPortfolio
  Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
  Properties:
    PrincipalARN: !Sub arn:aws:iam::${AWS::AccountId}:role/role-name
    PortfolioId: !Ref ProvisionPortfolio
    PrincipalType: IAM
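The portfolio wiring above is exactly what a reviewer should check before it is deployed. The following Python, an added example that is not part of the post or of cloudformation-seed, lints a template loaded as a dict (JSON form) for two things: principal associations that point at anything other than a single IAM role, and portfolio/product pairs that lack an AWS::ServiceCatalog::LaunchRoleConstraint, which the post does not use but which lets end users launch the product through a dedicated launch role instead of their own IAM permissions. The SAMPLE dict and the launch-role check are this example's own assumptions.

```python
# Added example, not code from the post or from cloudformation-seed. Lints the
# Service Catalog wiring of a CloudFormation template loaded as a dict (JSON form:
# !Ref becomes {"Ref": ...}, !Sub becomes {"Fn::Sub": ...}); the launch-role
# check goes beyond the post's template and is an assumption of this example.
import re

SC = "AWS::ServiceCatalog::"
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}|\$\{AWS::AccountId\}):role/[\w+=,.@/-]+$")

def as_text(value):
    """Plain string or Fn::Sub string; anything else is treated as unknown."""
    if isinstance(value, dict) and isinstance(value.get("Fn::Sub"), str):
        return value["Fn::Sub"]
    return value if isinstance(value, str) else None

def ref_name(value):
    """Logical id behind {"Ref": ...}, or a literal id string, else None."""
    if isinstance(value, dict) and isinstance(value.get("Ref"), str):
        return value["Ref"]
    return value if isinstance(value, str) else None

def lint_service_catalog(template):
    """Findings: principals that are not a single IAM role, and portfolio/product
    pairs without a LaunchRoleConstraint (launch then uses the end user's own IAM)."""
    findings, associated, constrained = [], set(), set()
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        pair = (ref_name(props.get("PortfolioId")), ref_name(props.get("ProductId")))
        if rtype == SC + "PortfolioPrincipalAssociation":
            arn = as_text(props.get("PrincipalARN"))
            if arn is None or not ROLE_ARN.match(arn):
                findings.append(f"{name}: PrincipalARN must be one IAM role, got {arn!r}")
        elif rtype == SC + "PortfolioProductAssociation":
            associated.add(pair)
        elif rtype == SC + "LaunchRoleConstraint":
            constrained.add(pair)
    for portfolio, product in sorted(associated - constrained, key=str):
        findings.append(f"{product} in {portfolio}: no LaunchRoleConstraint")
    return findings

# Constructed sample: the post's product, portfolio and associations in JSON form.
SAMPLE = {"Resources": {
    "CreateRoles": {"Type": SC + "CloudFormationProduct", "Properties": {"Name": "Provision IAM Roles"}},
    "ProvisionPortfolio": {"Type": SC + "Portfolio", "Properties": {"DisplayName": "Create Roles"}},
    "AssociateProducttoPortfolio": {"Type": SC + "PortfolioProductAssociation", "Properties": {
        "PortfolioId": {"Ref": "ProvisionPortfolio"}, "ProductId": {"Ref": "CreateRoles"}}},
    "GrantAccessToProduct": {"Type": SC + "PortfolioPrincipalAssociation", "Properties": {
        "PrincipalARN": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/role-name"},
        "PortfolioId": {"Ref": "ProvisionPortfolio"}, "PrincipalType": "IAM"}}}}
```

Run against SAMPLE it reports only the missing launch constraint; adding a LaunchRoleConstraint for the same portfolio/product pair clears it.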
Provisioning the AWS Service Catalog using cloudformation-seed
cloudformation-seed can be used as a submodule in your project or installed as a binary using
$ pip3 install cloudformation-seed
The purpose of using cloudformation-seed is that it creates the AWS Service Catalog from the CloudFormation template, creating the product and portfolio for you as a ready-to-use recipe. Below is an example repo showing how to structure your project for cloudformation-seed: https://github.com/Innablr/servicecatalog
Once the project structure is ready, you can run
$ make root
Launching the product
Log in to the AWS Console with the IAM role that has access to the AWS Service Catalog product. Search for AWS Service Catalog in the search bar. After landing in AWS Service Catalog, click on the product list in the left panel. In the product list, “Provision IAM Roles”, created by cloudformation-seed, will be visible. Select the dropdown and click on the product. Select “Create Roles V1”, enter the mandatory values and launch the product. This creates an IAM role and policy with the policy name entered in the UI.
Updating the product
Similar to the AWS CloudFormation update functionality, AWS Service Catalog allows updating a provisioned product. As seen in the project structure under servicecatalog, a new folder can be added containing the updated CloudFormation template. Accordingly, cf-create-service-catalog.cf.yaml should be updated so that the product has a new version. After updating the template, run make root again; cloudformation-seed will update AWS Service Catalog with the new version and let users update the previously launched product to the new one. Users can select the “Provisioned products list” and click ‘Update’. It will allow them to select the version to update to.
Terminating the product
AWS Service Catalog lets the user terminate the products/services created. Select the “Provisioned products list”; it displays the list of provisioned products. Select the product and terminate it.
Adding your banner
AWS Service Catalog also provides a feature to update the banner with your own logo. Select Preferences and select the logo to update the banner.
Conclusion
This blog gave a very basic use case of AWS Service Catalog with cloudformation-seed. Using this framework, AWS Service Catalog can be used to build complex catalogs for multi-account setup and configuration, as well as for creating and updating AWS services. AWS Service Catalog also gives the flexibility of governing and organizing multiple accounts from a central (root) account.