How to Create an Approval Flow for an AWS Service Catalog Product Launch Using AWS Lambda

AWS Service Catalog allows organizations to centrally manage commonly deployed IT services, achieve consistent governance, and help meet compliance requirements.

AWS Service Catalog provides a standardized landscape for product provisioning. Users browse listings of products (services or applications) that they have access to, locate the product that they want to use, and launch it on their own as a provisioned product. The AWS Service Catalog API also provides programmatic control over all user actions.

Let’s say you need to build an approval workflow for a launch request from a user. Many solutions are available that use AWS Service Catalog APIs to build complex custom workflows are available (for example, ServiceNow).

In this post, I will describe how to build a simple workflow approval process using AWS Lambda, Amazon API Gateway, AWS CloudFormation, and Amazon Simple Notification Service (Amazon SNS),  from the perspective of an AWS Service Catalog administrator.

To build this approval process, I’ll be using AWS CloudFormation features like WaitCondition and WaitHandle, along with AWS Lambda as a custom resource to create a simple approval workflow. This approach is beneficial if you are looking for an AWS native solution to extend existing AWS Service Catalog features. This will also help retain the AWS Service Catalog user interface for product launch.

Architecture Overview

1. The user launches a product from their available product list and fills in all required data  via the AWS Service Catalog interface. You can obtain the user’s email address through this input.
2. For products that require administrator approval, there will be three additional CloudFormation resources: a WaitHandle, the WaitCondition, and the custom resource. The Lambda custom resource is called to notify the admin who is responsible for approving the product launch. The stack will be in a waiting state until it receives a response from the admin.
3. The admin receives an email notification about the product launch and an approval URL to allow stack creation. The URL contains the WaitHandle pre-signed URL as a parameter for signaling the stack to continue.
4. When the admin clicks the URL, a Lambda function behind API Gateway receives the admin approval to proceed.
5. If the admin approves the product launch, the Lambda approval function sends the confirmation for the WaitHandle to proceed with stack creation. Otherwise, the stack is rolled back after the maximum wait time of 12 hours.
6. The user receives either a completion or rolled back status on the AWS Service Catalog console. Additionally, the admin could reach out to the user to ask for more information on the launch request before proceeding with the approval.

Build Steps

Now that we’ve covered the steps, let’s build the required resources for the approval flow. I have attached an AWS CloudFormation template for your convenience so you can follow along. When you launch the template, you will be prompted to enter an email address for the approval flow. After stack completion, the following resources will be created:

SNS topic: An SNS topic along with the provided email subscription. You will be getting an email to confirm your subscription. Subscribe to the topic to receive messages.

SNS notification function: A Lambda function to send the approval mail. Whenever a new product launch requires approval, this Lambda function will be called. This function will get the WaitHandle pre-signed URL and user email address as input.

Approval function: A Lambda function to notify the CloudFormation stack by sending the status of the WaitHandle pre-signed URL.

In addition to these resources, an API Gateway API and IAM roles will also be created.

Note the ARN for the Lambda function from the output. You will need this later to test the setup.

Testing

To test the setup, you can use the attached sample CloudFormation template. This is a standard template provided by Amazon that deploys WordPress on AWS, but I’ve modified it to introduce approval flow and added three additional resources: WaitCondition, WaitConditionHandle, and NotificationFunction.

WaitCondition and WaitConditionHandle are used to pause the creation of a stack and to wait for a signal before continuing to create the stack. All other resources in the template depend on WaitCondition for approval status.

  WaitHandle:
    Type: 'AWS::CloudFormation::WaitConditionHandle'
  WaitCondition:
    Type: 'AWS::CloudFormation::WaitCondition'
    Properties:
      Handle:
        Ref: 'WaitHandle'
      Timeout: '43200'

NotificationFunction is a custom resource that triggers the Lambda function responsible for sending approval email.

  NotificationFunction:
    Type: Custom::NotificationFunction
    Properties:
      ServiceToken: '<REPLACE YOUR LAMBDA ARN>'
      Region: !Ref "AWS::Region"
      WaitUrl: !Ref WaitHandle
      EmailID: !Ref UserEmail

You’ll need to download the template and modify the NotificationFunction resource’s ServiceToken parameter to specify the ARN you obtained in the previous section. Once you have updated the Lambda ARN, you can add this template as a new product to your existing catalog or test the template in the CloudFormation console.

When the template has launched successfully, you’ll receive email requesting approval to proceed, similar to this:

When you choose the approval link, the Lambda function behind the API will send a confirmation for WaitHandle to proceed with stack creation. Otherwise, the stack will be rolled back after the maximum wait time of 12 hours.

Troubleshooting

If you don’t receive the approval mail, check the SNS topic subscription status. Also, verify that you’ve specified the correct Lambda ARN in the template. Check Amazon CloudWatch logs for any exceptions or errors launching the stack.

Additionally, you can check the following sources for general troubleshooting help with services such as Amazon SNS, API Gateway, and AWS Lambda:

• Check your SNS Topic subscription
• Monitoring and Troubleshooting in API Gateway
• Accessing Amazon CloudWatch Logs for AWS Lambda

Conclusion

You can now add a simple approval workflow to your Service Catalog stack by adding the three resources from the sample test template. For more information about managing portfolios, products, and constraints from an administrator console, check this documentation.

I hope this post and sample templates were useful in helping you extend AWS Service Catalog features. Feel free to leave your feedback or suggestions in the comments.