AWS provides a really a lot of services, which can be customized in diverse ways. In this environment, it is not easy for each team to manage its AWS resources consistently within the organization.
AWS Service Catalog can create and manage templates (product lists or a portfolio) across teams.
Structure
- Admin Tasks
- Create and Manage “Product“, which is a CloudFormation Template
- Manage “Portfolio“, which is a collection of “Products”
- Assign IAM Permission to access Portfolio
- User Tasks
- Choose the product for your team
- Provision the product
Features
- Products, which are created by admins, ensure that all resources are consistent and standardized.
- All deployed products are centrally managed.
- Benefits
- Governance, Compliance, and Consistency
- A “Product” is a CloudFormation Template.
- A “Portfolio” is a collection of products.
Constraints
StackSet Constraints
You can configure the product using CloudFormation StackSets.
You can control:
- Accounts
- Regions
- Permissions
Launch Constraints
- IAM Role assigned to a product
- A user only need to access Service Catalog
- All other permissions required are attached to the Launch Constraint IAM role.
- The IAM role must have the following permissions:
- Full CloudFormation permission
- S3 Read access
- Permissions to create resources in the template
Integration with CI/CD using CodePipeline
- Create a portfolio (mapping.yaml)
- Commit and push the file to CodeCommit
- CodePipeline Stage 1 : CodeCommit
- Invoke the CodeBuild
- CodePipeline Stage 2 : CodeBuild
- Create CloudFormation templates and push them to S3
- CodePipeline Stage 3: Invoke a Lambda Function
- Read the portfolio file
- Read corresponding CloudFormation templates (products) from S3
- Verify and push new versions of products into the AWS Service Catalog
Scriptorium 