Manage AWS Service Catalog products in multiple AWS accounts and AWS Regions - AWS Prescriptive Guidance

Created by Ram Kandaswamy (AWS)

Environment: Production

Technologies: Management & governance; Infrastructure; Modernization

Workload: All other workloads

AWS services: AWS Service Catalog; AWS CloudFormation

Summary

AWS Service Catalog simplifies and accelerates the governance and distribution of infrastructure as code (IaC) templates for enterprises. You use AWS CloudFormation templates to define the collection of AWS resources (a stack) that a product requires. AWS CloudFormation StackSets extends this functionality by letting you create, update, or delete stacks across multiple accounts and AWS Regions with a single operation.

AWS Service Catalog administrators create products from CloudFormation templates that are authored by developers, and publish them. The products are then associated with a portfolio, and constraints are applied to the portfolio for governance. To make your products available to users in other AWS accounts or organizational units (OUs), you typically share the portfolio with them. This pattern describes an alternative approach that is based on AWS CloudFormation StackSets. Instead of sharing portfolios, you apply stack set constraints that fix the AWS Regions and accounts in which a product can be deployed. With this approach you provision AWS Service Catalog products into multiple accounts, OUs, and AWS Regions, and manage them from one central account, while meeting your governance requirements.

Benefits of this approach:

  • The product is provisioned and managed from the primary account, and the portfolio isn't shared with other accounts.

  • This approach provides a consolidated view of all provisioned products (stacks) that are based on a specific product.

  • Configuration with AWS Service Management Connector is easier, because it targets only one account.

  • It's easier to query and use products from AWS Service Catalog.

Prerequisites and limitations

Prerequisites

  • AWS CloudFormation templates for IaC and versioning

  • Multi-account setup and AWS Service Catalog for provisioning and managing AWS resources

Limitations 

  • This approach uses AWS CloudFormation StackSets, and the limitations of StackSets apply:

    • StackSets doesn't support CloudFormation template deployment through macros. If you're using a macro to preprocess the template, you won't be able to use a StackSets-based deployment.

    • StackSets provides the ability to disassociate a stack from the stack set, so you can target a specific stack to fix an issue. However, a disassociated stack cannot be re-associated with the stack set.

  • AWS Service Catalog autogenerates StackSet names. Customization isn't currently supported.

Architecture

Target architecture

Diagram: the user manages an AWS Service Catalog product by using an AWS CloudFormation template and StackSets.
  1. The user creates an AWS CloudFormation template, in JSON or YAML format, that provisions the AWS resources.

  2. The template is published as a product in AWS Service Catalog, and the product is added to a portfolio.

  3. The user provisions the product, which launches a stack set that creates a CloudFormation stack in each target account and Region that the launch specifies, within the bounds of the stack set constraint.

  4. Each stack provisions the resources specified in the CloudFormation template.

Tools

AWS services

  • AWS CloudFormation helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and Regions.

  • AWS Command Line Interface (AWS CLI) is an open-source tool that helps you interact with AWS services through commands in your command-line shell.

  • AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.

  • AWS Service Catalog helps you centrally manage catalogs of IT services that are approved for AWS. End users can quickly deploy only the approved IT services they need, following the constraints set by your organization.

Epics

Task | Description | Skills required

Create a portfolio.

A portfolio is a container that includes one or more products that are grouped together based on specific criteria. Using a portfolio for your products helps you apply common constraints across your product set.

To create a portfolio, follow the instructions in the AWS Service Catalog documentation. If you're using the AWS CLI, here's an example command:

aws servicecatalog create-portfolio --provider-name my-provider --display-name my-portfolio

For more information, see the AWS CLI documentation.

Skills required: AWS Service Catalog, IAM

Create a CloudFormation template.

Create a CloudFormation template that describes the resources. Resource property values should be parameterized where applicable.

Skills required: AWS CloudFormation, JSON/YAML

Create a product with version information.

The CloudFormation template becomes a product when you publish it in AWS Service Catalog. Provide values for the optional version detail parameters, such as the version name and description; they make it easier to find the right product version later.

To create a product, follow the instructions in the AWS Service Catalog documentation. If you're using the AWS CLI, an example command is:

aws servicecatalog create-product --cli-input-json file://create-product-input.json

where create-product-input.json is the file that passes the parameters for the product. For an example of this file, see the Additional information section. For more information, see the AWS CLI documentation.

Skills required: AWS Service Catalog

Apply constraints.

Apply a stack set constraint to the product in the portfolio. The constraint specifies the AWS accounts and Regions in which the product can be provisioned, together with the StackSets administration role (in this account) and execution role (in each target account) that CloudFormation uses to create the stack instances. The accounts and Regions in the constraint are the outer boundary: each launch can target a subset of them, but nothing outside it. For instructions, see the AWS Service Catalog documentation.

Skills required: AWS Service Catalog

Add permissions.

Provide permissions to users so that they can launch the products in the portfolio, by associating an IAM principal with the portfolio. For console instructions, see the AWS Service Catalog documentation. If you're using the AWS CLI, here's an example command:

aws servicecatalog associate-principal-with-portfolio \
    --portfolio-id port-2s6abcdefwdh4 \
    --principal-arn arn:aws:iam::444455556666:role/Admin \
    --principal-type IAM

The example associates an administrator role. For end users who only need to launch and manage provisioned products, associate a dedicated role that carries the AWSServiceCatalogEndUserFullAccess managed policy (or a narrower custom policy) instead, so that access to the portfolio does not also confer administrator rights.

For more information, see the AWS CLI documentation.

Skills required: AWS Service Catalog, IAM

Provision the product.

A provisioned product is a resourced instance of a product. Provisioning a product that is based on a CloudFormation template launches a CloudFormation stack and its underlying resources; with a stack set constraint in place, it launches a stack set with one stack instance per target account and Region.

Provision the product by specifying the target AWS accounts and Regions in the provisioning preferences. They must be a subset of the accounts and Regions in the stack set constraint; a launch outside that boundary is rejected. In the AWS CLI, here's an example command (the account ID and Region are placeholders):

aws servicecatalog provision-product \
    --product-id prod-abcdfz3syn2rg \
    --provisioning-artifact-id pa-abc347pcsccfm \
    --provisioned-product-name "mytestppname3" \
    --provisioning-preferences '{"StackSetAccounts":["444455556666"],"StackSetRegions":["us-east-1"]}'

For more information, see the AWS CLI documentation.

Skills required: AWS Service Catalog
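
The whole procedure above, as an added Python example that is not part of this pattern and not code from AWS: it assembles the JSON that the create-product, create-constraint and provision-product commands take, checks the requested launch targets against the stack set constraint (the subset rule and the concurrency rule that Service Catalog also enforces server-side), and runs the AWS CLI only when invoked with --apply; otherwise it prints the commands. The parameter names StackSetAccounts, StackSetRegions, AdminRole, ExecutionRole, StackSetFailureToleranceCount and StackSetMaxConcurrencyCount are those of the Service Catalog API; the account IDs, role ARNs, the ServiceCatalogEndUser role, the demo-pp name and the template URL are placeholders you would replace.

```python
"""Validated inputs for a StackSets-backed AWS Service Catalog product.

Added example, not code from the AWS pattern or the AWS CLI. Account IDs,
role names, Service Catalog IDs and the template URL are placeholders.
"""
import json
import re
import shlex
import subprocess
import sys

ACCOUNT_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")
# Placeholder roles, assumed to exist: StackSets administration role in the hub
# account, execution role in every target account, least-privilege end-user role.
ADMIN_ROLE_ARN = "arn:aws:iam::111122223333:role/AWSCloudFormationStackSetAdministrationRole"
EXECUTION_ROLE = "AWSCloudFormationStackSetExecutionRole"
END_USER_ROLE_ARN = "arn:aws:iam::111122223333:role/ServiceCatalogEndUser"


def stackset_constraint_parameters(accounts, regions, admin_role_arn=ADMIN_ROLE_ARN,
                                   execution_role=EXECUTION_ROLE):
    """JSON string for `create-constraint --type STACKSET --parameters`.
    The constraint is the outer boundary every launch of the product must stay in."""
    bad = [a for a in accounts if not ACCOUNT_RE.match(a)]
    bad += [r for r in regions if not REGION_RE.match(r)]
    if bad:
        raise ValueError(f"malformed account ID or Region: {bad}")
    return json.dumps({"StackSetAccounts": sorted(set(accounts)),
                       "StackSetRegions": sorted(set(regions)),
                       "AdminRole": admin_role_arn, "ExecutionRole": execution_role})


def provisioning_preferences(constraint_json, accounts, regions,
                             failure_tolerance=0, max_concurrency=1):
    """Dict for `provision-product --provisioning-preferences`, checked against the
    constraint locally so a bad request fails before any stack instance is created."""
    constraint = json.loads(constraint_json)
    outside = ((set(accounts) - set(constraint["StackSetAccounts"]))
               | (set(regions) - set(constraint["StackSetRegions"])))
    if outside:
        raise ValueError(f"targets outside the stack set constraint: {sorted(outside)}")
    if max_concurrency > failure_tolerance + 1:  # StackSets rule, also enforced by the API
        raise ValueError("max concurrency may be at most failure tolerance + 1")
    return {"StackSetAccounts": sorted(set(accounts)),
            "StackSetRegions": sorted(set(regions)),
            "StackSetFailureToleranceCount": failure_tolerance,
            "StackSetMaxConcurrencyCount": max_concurrency}


def create_product_input(name, owner, template_url, version="v1"):
    """Dict for `create-product --cli-input-json`; template validation stays enabled."""
    return {"Name": name, "Owner": owner, "ProductType": "CLOUD_FORMATION_TEMPLATE",
            "ProvisioningArtifactParameters": {
                "Name": version, "Description": f"{name} {version}",
                "Info": {"LoadTemplateFromURL": template_url},
                "DisableTemplateValidation": False}}


def cli_plan(portfolio_id, product_id, artifact_id, constraint_json, prefs,
             provisioned_name="demo-pp"):
    """AWS CLI commands (argv lists), in the order the pattern runs them once
    create-portfolio and create-product have returned the IDs."""
    sc = ["aws", "servicecatalog"]
    return [
        sc + ["create-constraint", "--portfolio-id", portfolio_id, "--product-id",
              product_id, "--type", "STACKSET", "--parameters", constraint_json],
        sc + ["associate-principal-with-portfolio", "--portfolio-id", portfolio_id,
              "--principal-type", "IAM", "--principal-arn", END_USER_ROLE_ARN],
        sc + ["provision-product", "--product-id", product_id,
              "--provisioning-artifact-id", artifact_id,
              "--provisioned-product-name", provisioned_name,
              "--provisioning-preferences", json.dumps(prefs)],
    ]


if __name__ == "__main__":
    allowed = stackset_constraint_parameters(["444455556666", "777788889999"],
                                             ["us-east-1", "eu-west-1"])
    prefs = provisioning_preferences(allowed, ["444455556666"], ["us-east-1"])  # subset
    print(json.dumps(create_product_input("SNS", "Test admin",
                     "https://example-bucket.s3.amazonaws.com/sns.yaml"), indent=2))
    for cmd in cli_plan("port-2s6abcdefwdh4", "prod-abcdfz3syn2rg", "pa-abc347pcsccfm",
                        allowed, prefs):
        if "--apply" in sys.argv:
            subprocess.run(cmd, check=True)  # real call; needs AWS credentials
        else:
            print(shlex.join(cmd))           # dry run: show what would be executed
```

Run it without arguments for a dry run; with --apply it executes the three commands in the hub account, assuming create-portfolio and create-product have already returned the IDs passed to cli_plan. Associating the end-user role rather than an administrator role keeps launch permissions separate from catalog administration, and the local subset check turns a late API rejection into a clear message before anything is launched.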

Related resources

References

Tutorials and videos 

Additional information

When you use the create-product command, the cli-input-json parameter points to a file that specifies information such as the product owner, support email, and CloudFormation template details. Here's an example of such a file; replace <url> with the URL of the template in Amazon S3:

{
  "Owner": "Test admin",
  "SupportDescription": "Testing",
  "Name": "SNS",
  "SupportEmail": "example@example.com",
  "ProductType": "CLOUD_FORMATION_TEMPLATE",
  "AcceptLanguage": "en",
  "ProvisioningArtifactParameters": {
    "Description": "SNS product",
    "DisableTemplateValidation": true,
    "Info": {
      "LoadTemplateFromURL": "<url>"
    },
    "Name": "version 1"
  }
}

Note that DisableTemplateValidation set to true skips the check that the template is valid CloudFormation when the version is created. Leave it at false unless the template cannot be validated at creation time, so that a malformed template is caught when the version is published rather than when a user launches it.