AWS Service Catalog Reference Architecture
AWS Service Catalog allows you to centrally manage commonly deployed AWS services, and helps you achieve consistent governance which meets your compliance requirements, while enabling users to quickly deploy only the approved AWS services they need.
This guide will help you deploy and manage your AWS ServiceCatalog using Infrastructure as Code (IaC). Read the documentation for more information on ServiceCatalog and CloudFormation.
The portfolio templates in each section will create a ServiceCatalog Portfolio with various products, a launch constraint and linked roles for provisioning.
- IAM Templates
- Virtual Private Cloud (VPC)
- Elastic Compute Cloud (EC2)
- Simple Storage Service (S3)
- Relational Database Service (RDS)
- Elastic MapReduce (EMR)
- Fargate Elastic Container Service (ECS)
- Glue
- Elastic Beanstalk
- Automated CodePipeline
Assumptions
- You have the required permissions to execute CloudFormation templates: Controlling CloudFormation Access with IAM.
- You have the required admin permissions to manage ServiceCatalog: Authentication and Access Control for AWS Service Catalog.
Installation
To get started quickly in a single account and region, sign in to your AWS account and click the "Launch Stack" button in each section; the button in the EC2 section creates a Service Catalog Portfolio with sample EC2 products in your account. If you wish to modify the files and execute them from your own S3 bucket, follow the instructions below. If you wish to use an automated pipeline in a multi-account, multi-region setup, see the CodePipeline section.
- Clone this git repo
git clone git@github.com:aws-samples/aws-service-catalog-reference-architectures.git
- Copy the templates in the repo to an S3 bucket
cd aws-service-catalog-reference-architectures
aws s3 cp . s3://[YOUR-BUCKET-NAME-HERE] --exclude "*" --include "*.json" --include "*.yml" --recursive
- In the AWS CloudFormation console choose "Create Stack" and supply the Portfolio's S3 url.
For example, the EC2 portfolio would be:
https://s3.amazonaws.com/[YOUR-BUCKET-NAME-HERE]/ec2/sc-portfolio-ec2.json
- Leave LaunchRoleName blank to let CloudFormation create the launch constraint role for you.
- The VPC and EC2 portfolios share the SCEC2LaunchRole. If you have already run the VPC or EC2 portfolio template, pass the LaunchRoleName output value of the first stack as the LaunchRoleName input of the second; if you leave it blank, the second stack fails because the role already exists.
- All other templates create their own launch constraint role; leave LaunchRoleName blank unless you are using a pre-existing role that you set up separately.
- Set the LinkedRole1 and LinkedRole2 parameters to any additional end user roles you may want to link to the Portfolio.
- Change the RepoRootURL parameter to your bucket's root url:
https://s3.amazonaws.com/[YOUR-BUCKET-NAME-HERE]/
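The console steps above, driven from Python instead. This is an added example for this page, not code from the aws-samples repository. It assumes boto3 is installed with credentials for the target account, that the templates were copied to S3 as described above, and that the portfolio template takes the LaunchRoleName, LinkedRole1, LinkedRole2 and RepoRootURL parameters and exposes the LaunchRoleName output named above. Stack, bucket and role names are placeholders.

```python
"""Create a portfolio stack from templates copied to S3 (added example, not repo code).

Assumes boto3 with credentials for the target account; stack, bucket and role
names are placeholders.
"""
from typing import Dict, List, Optional, Sequence


def repo_root_url(bucket: str) -> str:
    """Value for the RepoRootURL parameter: the bucket's root URL with a trailing slash."""
    return f"https://s3.amazonaws.com/{bucket}/"


def template_url(bucket: str, template_path: str) -> str:
    """S3 URL of one portfolio template, e.g. ec2/sc-portfolio-ec2.json."""
    return repo_root_url(bucket) + template_path.lstrip("/")


def build_parameters(bucket: str, launch_role_name: str = "",
                     linked_roles: Sequence[str] = ()) -> List[Dict[str, str]]:
    """Parameter list for create_stack. An empty LaunchRoleName lets the template
    create the launch constraint role; pass an existing role name to reuse one."""
    if len(linked_roles) > 2:
        raise ValueError("the portfolio templates take at most LinkedRole1 and LinkedRole2")
    params = [
        {"ParameterKey": "RepoRootURL", "ParameterValue": repo_root_url(bucket)},
        {"ParameterKey": "LaunchRoleName", "ParameterValue": launch_role_name},
    ]
    for i, role in enumerate(linked_roles, start=1):
        params.append({"ParameterKey": f"LinkedRole{i}", "ParameterValue": role})
    return params


def launch_role_from_outputs(outputs: Sequence[Dict[str, str]]) -> Optional[str]:
    """Pick the LaunchRoleName output out of a describe_stacks Outputs list."""
    for out in outputs:
        if out.get("OutputKey") == "LaunchRoleName":
            return out.get("OutputValue")
    return None


def deploy_portfolio(stack_name: str, bucket: str, template_path: str,
                     reuse_role_from_stack: Optional[str] = None,
                     linked_roles: Sequence[str] = (), region: Optional[str] = None) -> str:
    """Create the stack and block until CREATE_COMPLETE; returns the stack id.

    reuse_role_from_stack covers the VPC/EC2 case: read LaunchRoleName from the
    portfolio stack that already created SCEC2LaunchRole instead of creating it twice.
    """
    import boto3  # imported here so the pure helpers above work without the SDK installed
    cfn = boto3.client("cloudformation", region_name=region)
    launch_role = ""
    if reuse_role_from_stack:
        stack = cfn.describe_stacks(StackName=reuse_role_from_stack)["Stacks"][0]
        launch_role = launch_role_from_outputs(stack.get("Outputs", [])) or ""
    resp = cfn.create_stack(
        StackName=stack_name,
        TemplateURL=template_url(bucket, template_path),
        Parameters=build_parameters(bucket, launch_role, linked_roles),
        # The templates create named IAM roles (e.g. SCEC2LaunchRole); CloudFormation
        # refuses to create the stack without this acknowledgement.
        Capabilities=["CAPABILITY_NAMED_IAM"],
    )
    cfn.get_waiter("stack_create_complete").wait(StackName=stack_name)
    return resp["StackId"]


if __name__ == "__main__":
    # Placeholder names; the template path is the EC2 portfolio shown above. Pass
    # reuse_role_from_stack="<your VPC portfolio stack>" if that stack already exists.
    stack_id = deploy_portfolio(
        "SC-RA-EC2-Portfolio", "my-sc-templates", "ec2/sc-portfolio-ec2.json",
        linked_roles=["SCEndUserRole"],  # placeholder end-user role to link to the portfolio
    )
    print(stack_id)
```

Running the module creates a real stack and waits for it; the helper functions that compute the URL and parameter list carry no AWS dependency, so they can be unit-tested offline before anything is deployed.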
AWS Service Catalog Product Launch
After creating the CloudFormation stacks you will have a ServiceCatalog Portfolio with products, launch constraints, and associated user roles. Your end users may now launch products from the ServiceCatalog dashboard. To learn more about the end user dashboard for AWS Service Catalog, see Using the End User Console View.
Warning
Before you distribute the CloudFormation template to your organization, review the template. Check IAM permissions, deletion policies, update stack behavior and other aspects of the template, and ensure that they are as per your expectations and processes.
These sample CloudFormation templates may need updates before you can use them in production.
Running these templates may result in charges to your AWS account.
Provisioning the supplied Products through ServiceCatalog will create AWS Services which will be billed to your account.
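A pre-distribution check for the review points above, as an added example that is not part of the repository. It parses a JSON template with the standard library and reports Allow statements with wildcard actions, resources or principals, plus stateful resources that lack a Retain or Snapshot DeletionPolicy. STATEFUL_TYPES and the embedded sample template are this example's own constructions; CloudFormation YAML templates with !Ref-style tags are not handled.

```python
"""Review a CloudFormation JSON template before publishing it as a Service Catalog
product (added example, not repo code). STATEFUL_TYPES and SAMPLE_TEMPLATE are
this example's own constructions."""
import json
import sys
from typing import Any, Dict, Iterator, List, Tuple

# Resource types whose deletion destroys data unless a DeletionPolicy keeps it.
STATEFUL_TYPES = {"AWS::S3::Bucket", "AWS::RDS::DBInstance", "AWS::RDS::DBCluster"}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def iter_statements(node: Any, path: str = "") -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (path, statement) for every policy statement under node, so trust
    policies, inline Policies and ManagedPolicy documents are all covered."""
    if isinstance(node, dict):
        for i, stmt in enumerate(_as_list(node.get("Statement", []))):
            if isinstance(stmt, dict):
                yield f"{path}.Statement[{i}]", stmt
        for key, child in node.items():
            if key != "Statement":
                yield from iter_statements(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from iter_statements(child, f"{path}[{i}]")


def _wildcard_action(actions: Any) -> bool:
    return any(isinstance(a, str) and (a == "*" or a.endswith(":*")) for a in _as_list(actions))


def _any_principal(principal: Any) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def review_template(template: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to review."""
    findings: List[str] = []
    resources = template.get("Resources", {})
    for path, stmt in iter_statements(resources, "Resources"):
        if stmt.get("Effect") != "Allow":
            continue
        if _wildcard_action(stmt.get("Action", [])):
            findings.append(f"{path}: Allow with wildcard Action {stmt['Action']!r}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{path}: Allow on Resource '*'")
        if _any_principal(stmt.get("Principal")):
            findings.append(f"{path}: any AWS principal may assume this role")
    for name, res in resources.items():
        rtype = res.get("Type")
        policy = res.get("DeletionPolicy", "Delete (default)")
        if rtype in STATEFUL_TYPES and policy not in ("Retain", "Snapshot"):
            findings.append(f"Resources.{name}: {rtype} has DeletionPolicy {policy}; "
                            "its data is destroyed when the stack or product is deleted")
    return findings


def review_file(path: str) -> List[str]:
    with open(path, encoding="utf-8") as fh:
        return review_template(json.load(fh))


SAMPLE_TEMPLATE: Dict[str, Any] = {  # constructed sample, not a template from the repo
    "Resources": {
        "LaunchRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Statement": [{
                "Effect": "Allow", "Principal": {"Service": "servicecatalog.amazonaws.com"},
                "Action": "sts:AssumeRole"}]},
            "Policies": [{"PolicyName": "LaunchPolicy", "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
                {"Effect": "Allow", "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::my-templates-bucket/*"}]}}]}},
        "DataBucket": {"Type": "AWS::S3::Bucket"},
        "Database": {"Type": "AWS::RDS::DBInstance", "DeletionPolicy": "Snapshot"},
    }
}


if __name__ == "__main__":
    paths = sys.argv[1:]
    results = ({p: review_file(p) for p in paths} if paths
               else {"<sample>": review_template(SAMPLE_TEMPLATE)})
    for src, found in results.items():
        print(f"{src}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Run it with one or more template paths as arguments; with none it reviews the embedded sample, which yields three findings (the ec2:* action, the '*' resource and the unprotected bucket) and none for the trust policy or the snapshotted database. A launch constraint role legitimately needs rights over every service its products create, so a wildcard finding is a prompt to scope the role to what the product actually provisions, not an automatic reject.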
License
This project is licensed under the Apache 2.0 license - see the LICENSE file for details