AWS Service Catalog Validation Pipeline

Architecture Overview

Deploying this solution with the default parameters builds the following environment in the AWS Cloud.


Figure 1: AWS Service Catalog Validation Pipeline default architecture

The solution includes two AWS CloudFormation templates that automate the deployment of a validation pipeline for AWS Service Catalog product templates hosted in a customer’s existing AWS CodeCommit repository. Together, the solution templates deploy and configure AWS CodePipeline, AWS Lambda functions that manage overall testing processes, necessary AWS Identity and Access Management roles, an Amazon Simple Notification Service (Amazon SNS) topic, an Amazon DynamoDB table, an Amazon S3 bucket, AWS CloudFormation test stacks, and AWS CodeBuild (as an optional resource).

When a user commits an AWS CloudFormation template for a product to the AWS CodeCommit repository, the pipeline source action is triggered (see Working with Actions in AWS CodePipeline). This invokes a Lambda function that runs logical pre-create tests on the template code, including a default test on template syntax, an optional test that uses AWS CodeBuild to run cfn-nag rules, and any user-defined tests. The pipeline then invokes Lambda functions that provision test product portfolios and stacks and configure resources, as defined in the customer-provided configuration file. Once the testing environment is configured, the pipeline invokes another Lambda function that runs functional post-create tests on the stacks. The solution includes preconfigured test functions, but the pipeline is designed to accommodate additional functions for custom testing scenarios. You have the option to keep or automatically delete stacks after testing.

If all tests are successful, the solution sends an Amazon SNS email notification to let you know that the template is ready for manual approval in AWS CodePipeline. If you approve the action, the pipeline invokes a Lambda function that copies the template to a solution-created S3 bucket. The function uploads the product template with two different S3 prefixes: one that uses the commit ID, and one that uses a generic latest key. This allows you to overwrite an actively referenced template while preserving all previous versions.
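The approval-stage copy described above, as an added illustration (not the solution's own Lambda code): an approved template is written once under a commit-ID prefix, which is never overwritten, and once under a fixed latest key, which is. The key layout, the minimal syntax check, and the in-memory `FakeS3` stand-in for the S3 client are assumptions made so the example runs offline.

```python
import json


def validate_template_syntax(template_body: str) -> list:
    """Minimal pre-create syntax test (assumed, JSON templates only): the body
    must parse, declare a non-empty Resources map, and every resource needs a Type."""
    try:
        doc = json.loads(template_body)
    except json.JSONDecodeError as exc:
        return [f"template is not valid JSON: {exc.msg}"]
    resources = doc.get("Resources") if isinstance(doc, dict) else None
    if not isinstance(resources, dict) or not resources:
        return ["template declares no Resources"]
    problems = []
    for name, res in resources.items():
        if not isinstance(res, dict) or "Type" not in res:
            problems.append(f"resource {name} has no Type")
    return problems


class FakeS3:
    """In-memory stand-in for boto3's S3 client (assumption for offline use);
    only put_object is modelled, with the same keyword arguments."""

    def __init__(self):
        self.objects = {}  # (bucket, key) -> body

    def put_object(self, Bucket, Key, Body):
        self.objects[(Bucket, Key)] = Body


def publish_approved_template(s3, bucket, product, commit_id, template_body):
    """Copy an approved template under a commit-ID prefix (immutable history)
    and under the generic latest prefix (the actively referenced copy).
    Returns the two keys written; refuses templates that fail the syntax test."""
    problems = validate_template_syntax(template_body)
    if problems:
        raise ValueError("; ".join(problems))
    commit_key = f"{product}/{commit_id}/template.json"   # assumed layout
    latest_key = f"{product}/latest/template.json"        # assumed layout
    for key in (commit_key, latest_key):
        s3.put_object(Bucket=bucket, Key=key, Body=template_body)
    return commit_key, latest_key
```

Publishing a second commit replaces only the latest object, so every earlier commit-keyed copy stays retrievable for rollback or audit.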

The solution uses Amazon CloudWatch data on the solution’s Lambda functions to create a custom report on pipeline failures and manual approvals. It uploads this report to the same S3 bucket as the approved templates.