Provision accounts through AWS Service Catalog - AWS Control Tower

Provision accounts through AWS Service Catalog

AWS Service Catalog enables IT administrators to create, manage, and distribute portfolios of approved products to end users, who then have access to the products they need in a personalized portal. Typical products include servers, databases, websites, or applications that are deployed using AWS resources.

You can control the users that have access to specific products, which allows you to enforce compliance with organizational business standards, manage product lifecycles, and help users find and launch products with confidence. For more information, see Service Catalog Administrator Guide.

In AWS Control Tower, your central cloud administrators and your end users can provision custom accounts in your landing zone using AWS Service Catalog products, called "custom blueprints". For more information, see Step 2. Create the AWS Service Catalog product.

AWS Control Tower can also use the Service Catalog APIs to further automate account provisioning and updating. For details, see the AWS Service Catalog Developer Guide.

Transition to the AWS Service Catalog External product type

AWS Service Catalog changed support for Terraform Open Source products and provisioned products to a new product type, called External. To learn more about this transition, review Updating existing Terraform Open Source products and provisioned products to the External product type in the AWS Service Catalog administrator guide.

This change affects existing accounts that you created or enrolled with AWS Control Tower account factory customization. To transition these accounts to the External product type, you need to make changes in both AWS Service Catalog and AWS Control Tower.

To transition to the External product type
  1. Upgrade your existing Terraform Reference Engine for AWS Service Catalog to include support for both External and Terraform Open Source product types. For instructions about updating your Terraform Reference Engine, review the AWS Service Catalog GitHub Repository.

  2. In AWS Service Catalog, duplicate any existing Terraform Open Source products (blueprints), with the duplicates using the new External product type. Do not terminate the existing Terraform Open Source blueprints.

  3. In AWS Control Tower, update each account using a Terraform Open Source blueprint to use the new External blueprint.

    1. To update a blueprint, you must first remove the Terraform Open Source blueprint completely. For more details, review Remove a blueprint from an account.

    2. Add the new External blueprint to the same account. For more details, review Add a blueprint to an AWS Control Tower account.

  4. After all accounts using Terraform Open Source blueprints are updated to External blueprints, return to AWS Service Catalog and terminate any products that use Terraform Open Source as the product type.

  5. Going forward, all accounts created or enrolled using AWS Control Tower account factory customization must reference blueprints using the AWS CloudFormation or External product type.

    For blueprints created using the External product type, AWS Control Tower only supports account customizations that use Terraform templates and the Terraform reference engine. To learn more, review Set up for customization.

Note

AWS Control Tower does not support Terraform Open Source as a product type when creating new accounts. To learn more about these changes, review Updating existing Terraform Open Source products and provisioned products to the External product type in the AWS Service Catalog administrator guide. AWS Service Catalog will support customers through this product type transition, as needed. Contact your account representative to request assistance.
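The following is an added example, not code from AWS or from this guide: a pre-check for step 4 that reports which Terraform Open Source products still have provisioned products attached, meaning step 3 is unfinished for those accounts. It assumes you have saved the responses of the Service Catalog SearchProductsAsAdmin and SearchProvisionedProducts operations; the sample data, IDs, names, and function names below are constructed for illustration.

```python
LEGACY = "TERRAFORM_OPEN_SOURCE"

# Constructed sample data in the shape of the two API responses (IDs are made up).
PRODUCTS = {"ProductViewDetails": [
    {"ProductViewSummary": {"ProductId": "prod-aaaa1111", "Name": "network-baseline", "Type": LEGACY}},
    {"ProductViewSummary": {"ProductId": "prod-bbbb2222", "Name": "network-baseline-ext", "Type": "EXTERNAL"}},
    {"ProductViewSummary": {"ProductId": "prod-cccc3333", "Name": "logging-baseline", "Type": LEGACY}},
    {"ProductViewSummary": {"ProductId": "prod-dddd4444", "Name": "vpc-cfn", "Type": "CLOUD_FORMATION_TEMPLATE"}},
]}
PROVISIONED = {"ProvisionedProducts": [
    {"Name": "blueprint-111122223333", "Type": LEGACY, "ProductId": "prod-aaaa1111", "Status": "AVAILABLE"},
    {"Name": "blueprint-444455556666", "Type": "EXTERNAL", "ProductId": "prod-bbbb2222", "Status": "AVAILABLE"},
]}


def transition_report(products, provisioned):
    """Map each Terraform Open Source product to the provisioned products still using it.

    Returns (report, orphans). Orphans are legacy provisioned products whose
    product is missing from the listing, for example because the product
    search was not paginated to the end.
    """
    report = {}
    for detail in products.get("ProductViewDetails", []):
        summary = detail["ProductViewSummary"]
        if summary.get("Type") == LEGACY:
            report[summary["ProductId"]] = {"name": summary["Name"], "still_in_use_by": []}
    orphans = []
    for pp in provisioned.get("ProvisionedProducts", []):
        product_id = pp.get("ProductId")
        if product_id in report:
            report[product_id]["still_in_use_by"].append(pp["Name"])
        elif pp.get("Type") == LEGACY:
            orphans.append(pp["Name"])
    return report, orphans


def ready_for_step_4(report, orphans):
    """True only when no legacy product has a remaining provisioned product."""
    return not orphans and all(not e["still_in_use_by"] for e in report.values())


if __name__ == "__main__":
    report, orphans = transition_report(PRODUCTS, PROVISIONED)
    for product_id, entry in report.items():
        state = ", ".join(entry["still_in_use_by"]) or "no remaining provisioned products"
        print(f"{product_id} ({entry['name']}): {state}")
    print("Ready for step 4:", ready_for_step_4(report, orphans))
```

Both operations return paginated results, so collect every page before building the report; a partial listing can make a product look unused.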