Automate Amazon WorkSpaces with a Self-Service Portal
Amazon WorkSpaces is a secure, managed cloud desktop as a service. With Amazon WorkSpaces, you can provision either a Windows or Linux desktop for your users in minutes and allow them to access their desktops from any supported device, from any location.
The WorkSpaces self-service portal helps customers streamline the process to deploy WorkSpaces on a large scale. Using this portal, you can enable your workforce to provision their own WorkSpaces with an integrated approval workflow that doesn’t require IT intervention for each request. This reduces IT operational costs while helping end-users get started even faster with WorkSpaces. The additional built-in approval workflow simplifies the desktop approval process for businesses.
The portal integrates WorkSpaces with AWS application services to offer an automated tool for provisioning Windows or Linux cloud desktops. In this post, we will show you how to build a self-service portal for your organization for WorkSpaces provisioning requests.
Solution overview
The following section describes the serverless architectural design for the portal.
1. The portal's front-end website is hosted in an Amazon S3 bucket that has the static website hosting feature enabled. A WorkSpaces requester visits the portal from a web browser to initiate provisioning by submitting a web form. Amazon API Gateway accepts WorkSpaces provisioning requests from the requester. The WorkSpaces requester specifies the WorkSpaces request details:
2. An Amazon DynamoDB table is used to record WorkSpaces provisioning requests and their status. When a provisioning request is submitted by a user, an AWS Lambda function inserts or updates a record in the DynamoDB table to track the request status. A Lambda function then initiates the approval workflow by starting a Step Function execution. The following is an example of a Lambda function inserting a WorkSpaces request record into a DynamoDB table and running the Step Function:
3. By this time, the execution reaches a state that requires manual approval. A unique task token is generated by the Step Function for a callback. The activity state in the Step Function is paused. The Step Function waits until CreateWorkSpace or SendRejectionEmail is called with the token. Here is the Step Function workflow:
4. At the start of the Step Functions execution, a Lambda function that runs the SendOutApprovalRequest step acquires the token associated with the ManualApproval step. It then sends an email with two embedded hyperlinks for approval and rejection. Once the email is sent, the Step Function pauses and waits for a manual approval response. When the approver receives the email and chooses the “approve” hyperlink, this signals Step Functions to continue the provisioning request. Likewise, when the approver chooses the “reject” hyperlink, this signals Step Functions to terminate the provisioning workflow. Here is an example approval email:
The following is an example of a Lambda function that sends the approval email with the Step Function token:
5. The two hyperlinks point to API Gateway, which routes the requests to a Lambda function that relays the result back to the Step Function. Upon receiving the result, the Step Function decides whether to trigger CreateWorkSpace or SendRejectionEmail. The following code snippet shows how the Lambda function relays the approval response to the Step Function along with a task token:
6. If the approver’s response is to approve the provisioning, the Step Function triggers a Lambda function to start the WorkSpaces provisioning process. The following Lambda function snippet shows how to provision a WorkSpace:
At this point, the Step Function completes the execution:
7. If the approver’s response is to reject the provisioning request, the Step Function sends an email to the requester to notify them that the request has been rejected. The following code snippet shows how to use SES to send a notification to the requesters:
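The relay Lambda from step 5, sketched as an added example (not the code from the original post): it validates the link parameters before calling Step Functions and treats a spent or expired task token as a handled case rather than a crash. The query parameter names `action` and `taskToken`, and the choice to report both outcomes through `SendTaskSuccess` with a `decision` field for the workflow to branch on, are assumptions.

```python
import json

# Assumed link format: ?action=approve|reject&taskToken=<token from Step Functions>
DECISIONS = {"approve": "approved", "reject": "rejected"}
# Error codes Step Functions returns for a spent, expired or malformed token.
STALE_CODES = {"TaskDoesNotExist", "TaskTimedOut", "InvalidToken"}
MAX_TOKEN_LEN = 1024  # upper bound the Step Functions API documents for taskToken


def respond(status, message):
    """Build an API Gateway proxy response; the token is never echoed back."""
    return {"statusCode": status,
            "headers": {"Content-Type": "text/plain"},
            "body": message}


def relay_decision(sfn, params):
    """Validate the link parameters, then report the decision to Step Functions.

    sfn is boto3.client("stepfunctions") or any object with the same method.
    """
    params = params or {}  # API Gateway passes None when there is no query string
    decision = DECISIONS.get(params.get("action"))  # allow-list, not free text
    token = params.get("taskToken") or ""
    if decision is None or not 0 < len(token) <= MAX_TOKEN_LEN:
        return respond(400, "Invalid approval link.")
    try:
        sfn.send_task_success(taskToken=token,
                              output=json.dumps({"decision": decision}))
    except Exception as err:
        # botocore's ClientError carries the service error code in err.response.
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code in STALE_CODES:
            # Link clicked twice, or the approval window has closed.
            return respond(409, "This request was already decided or has expired.")
        raise  # anything else is a real fault: let Lambda record it
    return respond(200, "Request " + decision + ".")


def lambda_handler(event, context):
    import boto3  # imported here so the module also loads without the AWS SDK
    return relay_decision(boto3.client("stepfunctions"),
                          event.get("queryStringParameters"))
```

If the API Gateway routes behind the two hyperlinks have no authorizer, possession of the emailed link is the only thing that authorizes the decision, so the approval mailbox and any logs that capture request URLs need the same protection as the token itself.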
Conclusion
In this blog post, we showed you how to build a WorkSpaces self-service provisioning portal using S3 static web hosting, API Gateway, Lambda functions, Step Functions, DynamoDB, and Amazon Simple Email Service (SES). You can deploy this solution to enable your employees to provision their own WorkSpaces with an embedded approval workflow. This helps reduce the operational burden on IT for deploying WorkSpaces at a large scale. These same concepts could be extended to build additional self-service capabilities for common WorkSpaces management tasks such as reboot, rebuild, or decommissioning. By integrating your WorkSpaces with other AWS application services, you can start to use automation and customization to simplify WorkSpaces administration and deliver a great experience to your end users.
– Vickie Hsu, Senior Infrastructure Architect & Kevin Yung, Cloud Architect