AWS Cloud Operations Blog
Automate preapproved operations with AWS Service Catalog service actions
Most of my enterprise customers need to let their users execute self-service operational tasks while restricting access to a minimum set of services. With AWS Service Catalog, you can provision preapproved products; when you combine it with AWS Service Catalog service actions, you can also provide simple, predefined actions associated with those products that your users can execute.
Some examples include:
- Rebooting an Amazon Elastic Compute Cloud (Amazon EC2) instance, such as SAP cluster nodes and database servers.
- Rotating SSH public keys and AWS Key Management Service (AWS KMS) keys.
- Replacing an AWS Identity and Access Management (IAM) instance profile.
- Removing a node from an Amazon Elastic MapReduce (Amazon EMR) cluster.
When you use AWS Service Catalog with service actions, the user only requires AWS Service Catalog user permissions. Service actions allow administrators to invoke AWS Systems Manager Automation documents that define the actions that Systems Manager performs on your managed instances. Systems Manager includes more than 100 preconfigured documents that you can use by specifying parameters at runtime. You can also write your own documents using JavaScript Object Notation (JSON) or YAML. You can associate one or more service actions to each product version to allow a range of AWS Service Catalog operations on your provisioned products. Any of these actions can integrate with Ansible or other automation tools. You can use service actions in the AWS Service Catalog console after a product has been provisioned or in the AWS Service Catalog API for seamless integration with pipeline tools.
Every product has a Launch action when it's first launched and a Terminate action when the provisioned product is terminated. A product can have any number of service action operations in between. These service actions are optional.
Solution overview
In this blog post, I will show how to use AWS Service Catalog service actions from CloudFormation templates to accelerate deployment and implementation across your IT catalog.
This solution makes use of a single AWS Service Catalog product. The product will create a managed EC2 instance, and you will configure service actions that apply specifically to the operation of EC2 instances.
Solution components
This solution contains the following components:
- Network VPC
- AWS Service Catalog portfolio
- AWS Service Catalog product (a managed instance)
- A service action to reboot the instance
- A service action to perform an EBS volume snapshot
You’ll use CloudFormation templates and the AWS Service Catalog and CloudFormation service consoles to create the structure required to deploy the solution. I chose this deployment method to show you how service actions fit into the lifecycle of a product.
Before you begin
The steps in this post are written with the assumption you have an empty account. You can skip the “Set up the network” and “Create an AWS Service Catalog portfolio” sections if you already have them built.
- You need the administrator's role ARN to allow usage on the portfolio. The following managed policies should be attached to this role: AWSCloudFormationFullAccess, AmazonSSMFullAccess, AmazonS3FullAccess, AWSServiceCatalogAdminFullAccess, AmazonEC2FullAccess, IAMFullAccess, AmazonVPCFullAccess
- You need an EC2 key pair to allow SSH or password retrieval for RDP connectivity.
- You need your IP address to create an allow rule in the security group.
- Download the ZIP file with all templates: Archive.zip
Set up the network
Set up the network so that you can deploy the EC2 managed instance product.
- Open the CloudFormation console at https://console.aws.amazon.com/cloudformation.
- Choose Create stack and then choose from new resources (standard).
- Choose Template is ready. For template source, choose Upload a template file.
- Download Network.yaml and then upload this template file.
- This simplified network stack will create a VPC in a single AZ and a few endpoints. Enter a stack name (for example, network) and accept the default values for the template.
Create an AWS Service Catalog portfolio
In this section, you’ll create the AWS Service Catalog portfolio and allow access based on the ARN provided during template deployment. If you have an AWS Service Catalog portfolio, you can skip this step.
- In the CloudFormation console, choose Create stack and then choose from new resources (standard).
- Choose Template is ready. For template source, choose Upload a template file.
- Use the portfolio.yaml file that you downloaded earlier.
- Enter a stack name (for example, portfolio).
- Under Parameters, for LabelAdminRole, enter the ARN of the administrator role.
Figure 1: Specify stack details for the portfolio
Create an AWS Service Catalog product
Although this step can be easily automated, I’ll show you how to build a product manually to better explain how it fits into service actions. You’ll create one product with two versions. One version will have two service actions. The other version will have one service action.
- Open the AWS Service Catalog Management console, and from the left navigation pane, choose Products.
- Choose Upload new product.
- In Enter product details, for Product name, enter EC2 with Service Actions.
- In Version details, for Choose a method, choose Use a template file.
- Under Upload a template file, choose the simple_ec2_ebs.yaml file you downloaded earlier.
- For Version name, enter v1.0.
- You can complete the optional fields or leave them blank.
- Choose Review product and then choose Create product.
- Refresh the products list.
Figure 2: AWS Service Catalog Products list
Now, copy the IDs you’ll need to deploy the CloudFormation template for service actions.
- In the AWS Service Catalog console, choose Products.
- Choose the product and then copy the product ID and product version ID. You need these IDs in the next section.
Figure 3: AWS Service Catalog admin product view
Now, add the product to the portfolio that was created by CloudFormation.
- Choose the Portfolios tab.
- Choose Add product to portfolio.
- Choose the portfolio and then choose Add Product to Portfolio.
Figure 4: Add product to portfolio
- In the left navigation pane, choose Products and then find your product ready to be launched.
Figure 5: Products page
Deploy service actions
In this section, you’ll deploy the service actions using a CloudFormation template.
- Open the CloudFormation console at https://console.aws.amazon.com/cloudformation.
- Choose Create stack and then choose from new resources (standard).
- Choose Template is ready. For template source, choose Upload a template file.
- Use the ServiceActions.yaml file you downloaded earlier, and then choose Next.
- In Specify stack details, enter a name for the stack. In Parameters, enter the IDs you copied earlier into the ProductId and ProductProvArtifact fields.
Figure 6: CloudFormation service action template deployment
- In the AWS Service Catalog console, choose Service Actions to see the two service actions that are deployed using CloudFormation.
Figure 7: Service Actions page
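The following CloudFormation fragment is an added example of what a service action definition and its association to a product version look like; it is not the page's ServiceActions.yaml. It reuses the page's parameter names (ProductId, ProductProvArtifact) and the Reboot_instance action name, pins the AWS-RestartEC2Instance document to a specific version, and assumes a dedicated role (RebootActionRole, constructed here) that carries only the EC2 permissions the document's stop/start steps need, so the end user never holds those rights directly.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Reboot_instance service action bound to one product version (added example)
Parameters:
  ProductId:
    Type: String            # product ID copied from the Service Catalog console
  ProductProvArtifact:
    Type: String            # product version (provisioning artifact) ID
Resources:
  # Role that Systems Manager assumes when the action runs. Assumed minimum set for
  # the AWS-RestartEC2Instance document, which stops and then starts the instance;
  # the Service Catalog end user needs none of these permissions on their own identity.
  RebootActionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: restart-instance-only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeInstances
                  - ec2:DescribeInstanceStatus
                  - ec2:StopInstances
                  - ec2:StartInstances
                Resource: "*"   # narrow to tagged instances in a real portfolio
  RebootInstanceAction:
    Type: AWS::ServiceCatalog::ServiceAction
    Properties:
      Name: Reboot_instance
      Description: Reboot the provisioned EC2 instance
      DefinitionType: SSM_AUTOMATION
      Definition:
        - Key: Name
          Value: AWS-RestartEC2Instance
        - Key: Version
          Value: "1"          # pinned so a document update cannot silently change behaviour
        - Key: AssumeRole
          Value: !GetAtt RebootActionRole.Arn
        - Key: Parameters     # TARGET: Service Catalog fills InstanceId from the provisioned product
          Value: '[{"Name":"InstanceId","Type":"TARGET"}]'
  RebootInstanceAssociation:
    Type: AWS::ServiceCatalog::ServiceActionAssociation
    Properties:
      ProductId: !Ref ProductId
      ProvisioningArtifactId: !Ref ProductProvArtifact
      ServiceActionId: !Ref RebootInstanceAction
```

A second ServiceAction and ServiceActionAssociation for the snapshot action follow the same shape, with its own role limited to the snapshot permissions.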
Launch the EC2 product
- Go to your product, and then choose Launch.
- In Product versions, choose product version v1.0. The Parameters section will be displayed.
Figure 8: Product parameters
The product version simplifies all configuration with preconfigured values, but you must provide all parameter values to successfully launch the managed EC2 instance.
- Make sure all parameters are correct and then choose Launch.
- The Provisioned product details page is now shown.
- In the left navigation pane, choose Provisioned products and then verify the launch status.
Figure 9: Provisioned products page
- Wait for Available to be displayed in the Status column.
Create service actions for the provisioned product
- Open the AWS Service Catalog console.
- From the left navigation pane, choose Provisioned products.
- Search for and then choose your launched product, Simple Linux with Service Actions v1.0.
- The following options should now be available from the Actions menu:
- Reboot_instance
- snapshot_volume
Figure 10: Available service actions for the product
When you perform an action that requires a parameter, AWS Service Catalog will detect the parameter and complete the form for you. For example, to reboot the instance, you need the instance ID:
Figure 11: Reboot_instance service action
- After the service action starts, its events are added to the provisioned product:
Figure 12: Provisioned product stacked details
- After the action has been completed successfully, the status of the event changes to Succeeded.
Figure 13: Collapsed view of provisioned product
- When you perform the create snapshot action, the VolumeId field is filled in for you.
Figure 14: Service action snapshot volume
- As you perform actions on your provisioned product, you’ll see the events of the provisioned product:
Figure 15: Stacked detailed view of a provisioned product
- After the service action is complete, the SSM document returns the ID of the created object.
Figure 16: Service action output
Terminate the environment
To avoid ongoing charges in your account, delete the resources you created.
- Terminate all provisioned products in AWS Service Catalog.
- Delete the CloudFormation stack that you created from the service action CloudFormation template.
- In the AWS Service Catalog console, disassociate the product from the portfolio.
- Remove the AWS Service Catalog product. You don’t have to remove all product versions. As long as you remove the service action associations, you can remove the product.
- If you manually added any users or roles to the portfolio, you must remove them before you remove the portfolio.
- Delete the other CloudFormation templates in the account.
Conclusion
The integration of AWS Service Catalog with AWS Systems Manager actions enables operations under least-privilege constraints while preserving ownership of the provisioned resources. Administrators can define actions that allow end users, such as developers, to have full control of their provisioned resources while staying within the security guardrails. For more information, see the How to manage AWS Auto Scaling groups and Amazon Redshift with AWS Service Catalog service actions blog post and AWS Service Catalog Service Actions in the AWS Service Catalog Administrator Guide.