AWS Service Catalog


February 27, 2017 By Eric Shanks

Many cloud initiatives require having a portal for users to choose which workloads can be deployed. Think of this as a supermarket full of servers, networks, databases, or all of the above. There are product offerings from VMware, Cisco, RightScale and Red Hat used for these deployment methodologies. If you’re an AWS customer though, you’ve got your own catalog available from the native AWS tools, called the “Service Catalog” service. This service enables you to deploy and publish CloudFormation templates for your users so that they don’t have to know how RDS or EC2 instances work. They can select from the catalog and deploy anything you can build in an Amazon CFT. Think of the possibilities.

Building a Catalog

If you open up the Service Catalog service for the first time you’ll get a pretty familiar “Get Started” page where you can click the button to start building.

Add a Portfolio

The first step is to create a portfolio. The portfolio will be a list of available offerings to our users. For example, I might have one portfolio for the production environment and another for development. Or maybe I have a different portfolio by business unit. However you feel you should group your products together will work here. Fill out a name, description and an owner for future reference, and then click “Create”.

At this point you’ll see a portfolio listed in your AWS console.

Add a Product

Go back to the “Service Catalog” drop down and look for “Products list”.

From here we’ll add a new product. The products are the items that will be listed in the dashboard. For instance, here you might have an EC2 instance or an entire VPC with VMs, Databases, Security Groups, NACLs, and custom applications. Whatever items you want your users to be able to request will be added as a product. If you haven’t guessed yet, we’ll later add these products to our portfolio. Click the “Upload new product” button to get started.

The first step to adding a product is to give it some product details. Enter a descriptive product name, a description, the person who publishes the product and a vendor if applicable. When you’ve named your product, click “next”.

On the next screen we want to add some support details. You can totally skip over this page if it’s a lab, but some support information is good for handling issues later and being able to get the right help for the product deployments. I highly recommend adding info here. When you’re done, click “next”.

The version details screen is where the magic happens. On this screen you’ll need to either upload a new template file, or specify an S3 bucket URL where your CloudFormation template lives. Give the product a version and a description. The version might not seem too important right now, but you can guess that later on you’ll need to update this CloudFormation template with an additional version and you’ll want your users to be informed. Once done, click “next”.

Review the summary screen and click the “create” button.

Once the product has been uploaded, you’ll see it in your products list.

Add the Product to the Portfolio

Now that we’ve got a product and a portfolio built, we want to go back into our portfolio and add our products. Once you open your portfolio screen, click the “Upload new product” button.

Select the products that should belong in the portfolio and click the “Add product to portfolio” button.

Adding Constraints

Once you’ve added your product to the portfolio, we can add constraints for it. Constraints are rules applied when a user launches a product from the portfolio. For instance, here we’ll add a launch constraint that specifies what IAM role will be used to do the deployment. Think of it this way: you may not let your end users deploy a brand new VPC, but if you specify how the VPC is deployed as part of a CloudFormation template, it might be OK. In that case you need to make sure the product launches with the correct permissions to add a new VPC while still not granting those permissions to your end users. Click the “constraints” section to add a new constraint.

Select a product and a constraint type from the dropdown. In my case I’m worried about the launch permissions. Click the “continue” button when ready.

The launch constraint I’ve selected requires some additional permissions so I’ve selected my VPCAdmin role.

Now in your portfolio, you should see a new launch constraint listed.

Add Permissions

The last step we need to do with our portfolio is to assign it to our users. We can specify a single user, role or group to have access to request these catalog items. In the portfolio, expand the Users, Groups and roles section and click the “Add user, group or role” button. Select the appropriate IAM object and click the “Add Access” button.
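The same five steps, from portfolio to permissions, can be scripted. This is an added example using boto3's `servicecatalog` client, not code from the original post; the display names, the template URL, the account ID and the `Developers` group are constructed placeholders, while `VPCAdmin` is the launch role named above.

```python
import json
import uuid


def build_catalog(sc, template_url, launch_role_arn, principal_arn):
    """Run the post's five console steps against a Service Catalog client."""
    # 1. Add a portfolio (names here are constructed sample values).
    portfolio_id = sc.create_portfolio(
        DisplayName="Development", ProviderName="Cloud Team",
        Description="Products for the development environment",
        IdempotencyToken=str(uuid.uuid4()),
    )["PortfolioDetail"]["Id"]

    # 2. Add a product: product details, support details, version details.
    product = sc.create_product(
        Name="Standard VPC", Owner="Cloud Team",
        ProductType="CLOUD_FORMATION_TEMPLATE",
        SupportDescription="Contact the cloud team about failed launches",
        ProvisioningArtifactParameters={
            "Name": "v1.0", "Description": "Initial version",
            "Type": "CLOUD_FORMATION_TEMPLATE",
            "Info": {"LoadTemplateFromURL": template_url},
        },
        IdempotencyToken=str(uuid.uuid4()),
    )
    product_id = product["ProductViewDetail"]["ProductViewSummary"]["ProductId"]

    # 3. Add the product to the portfolio.
    sc.associate_product_with_portfolio(
        ProductId=product_id, PortfolioId=portfolio_id)

    # 4. Launch constraint: Service Catalog assumes this role to deploy the
    #    template, so the requesting user never holds the VPC permissions.
    sc.create_constraint(
        PortfolioId=portfolio_id, ProductId=product_id, Type="LAUNCH",
        Parameters=json.dumps({"RoleArn": launch_role_arn}),
        IdempotencyToken=str(uuid.uuid4()),
    )

    # 5. Add permissions: grant one IAM user, group or role access.
    sc.associate_principal_with_portfolio(
        PortfolioId=portfolio_id, PrincipalARN=principal_arn,
        PrincipalType="IAM")
    return portfolio_id, product_id


if __name__ == "__main__":
    import boto3  # needs AWS credentials; all values below are placeholders
    print(build_catalog(
        boto3.client("servicecatalog"),
        "https://s3.amazonaws.com/EXAMPLE-BUCKET/vpc.template",
        "arn:aws:iam::111122223333:role/VPCAdmin",
        "arn:aws:iam::111122223333:group/Developers"))
```

The launch role's trust policy has to allow `servicecatalog.amazonaws.com` to assume it, and the principal added in step 5 needs only permission to use Service Catalog, not the permissions the template exercises.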

End Result

When all is said and done you can have multiple products like the ones shown in the screenshot below. Users can select the product and click the “Launch product” button to deploy new CloudFormation templates in the AWS console. Any products that have been deployed will show up in the “provisioned products” section of the dashboard. From there, users will have the opportunity to update or terminate the provisioned products. I look forward to seeing future updates from AWS on the Service Catalog. Right now, it can only do CloudFormation templates, but I would love to see if AWS adds Step Functions or Lambda calls as part of this as well. Stay tuned for updates!