AWS Cloud Operations Blog

Automate preapproved operations with AWS Service Catalog service actions

Most of my enterprise customers have the need to allow their users to execute self-service operational tasks while restricting access to a minimum set of services. With AWS Service Catalog, you can provision pre-approved products, when combined with AWS Service Catalog service actions, you can provide simple predefined actions associated with the AWS Service Catalog products that their users can execute.

Some examples include: Rebooting an Amazon Elastic Compute Cloud (Amazon EC2) instance like SAP clusters and database servers. Rotating SSH public keys and AWS Key Management Service (AWS KMS) keys. Replacing AWS Identity and Access Management (IAM) instance profile. Removing a node from an Amazon Elastic Map Reduce (Amazon EMR) cluster.

When you use AWS Service Catalog with service actions, the user only requires AWS Service Catalog user permissions. Service actions allow administrators to invoke AWS Systems Manager Automation documents that define the actions that Systems Manager performs on your managed instances. Systems Manager includes more than 100 preconfigured documents that you can use by specifying parameters at runtime. You can also write your own documents using JavaScript Object Notation (JSON) or YAML. You can associate one or more service actions to each product version to allow a range of AWS Service Catalog operations on your provisioned products. Any of these actions can integrate with Ansible or other automation tools. You can use service actions in the AWS Service Catalog console after a product has been provisioned or in the AWS Service Catalog API for seamless integration with pipeline tools.

Every product has a Launch action when its first launched and a Terminate action when the provisioned product is terminated. A product can have any number of service action operations in between. These service actions are optional.

Solution overview

In this blog post, I will show how to use AWS Service Catalog service actions from CloudFormation templates to accelerate deployment and implementation across your IT catalog.

This solution makes use of a single AWS Service Catalog product. The product will create a managed EC2 instance, and you will configure service actions that are uniquely applied during operations of Ec2 instances.

Solution components

This solution contains the following components:

  • Network VPC
  • AWS Service Catalog portfolio
  • AWS Service Catalog product (a managed instance)
  • A service action to reboot the instance
  • A service action to perform an EBS volume snapshot

You’ll use CloudFormation templates and the AWS Service Catalog and CloudFormation service consoles to create the structure required to deploy the solution. I chose this deployment method to show you how service actions fit into the lifecycle of a product.

Before you begin

The steps in this post are written with the assumption you have an empty account. You can skip the “Set up the network” and “Create an AWS Service Catalog portfolio” sections if you already have them built.

  • You need the administrator’s role ARN to allow usage on the portfolio. The following managed policies should be attached to this role: The following managed policies should be attached to this role: AWSCloudFormationFullAccess, AmazonSSMFullAccess, AmazonS3FullAccess, AWSServiceCatalogAdminFullAccess, AmazonEC2FullAccess, IAMFullAccess, AmazonVPCFullAccess
  • You need an EC2 key pair to allow SSH or password retrieval for RDP connectivity.
  • You need your IP address to create an allow rule in the security group.
  • Download the ZIP file with all templates:

Set up the network

Set up the network so that you can deploy the EC2 managed instance product.

  1. Open the CloudFormation console at https://console.aws.amazon.com/cloudformation.
  2. Choose Create stack and then choose from new resources (standard).
  3. Choose Template is ready. For template source, choose Upload a template file.
  4. Download Network.yaml and then upload this template file.
  5. This simplified network stack will create a VPC in a single AZ and a few endpoints. Enter a stack name (for example, network) and enter the default values for the template.

Create an AWS Service Catalog portfolio

In this section, you’ll create the AWS Service Catalog portfolio and allow access based on the ARN provided during template deployment. If you have an AWS Service Catalog portfolio, you can skip this step.

  1. In the CloudFormation console, choose Create stack and then choose from new resources (standard).
  2. Choose Template is ready. For template source, choose Upload a template file.
  3. Use the portfolio.yaml file that you downloaded earlier.
  4. Enter a stack name (for example, portfolio).
  5. Under Parameters, for LabelAdminRole, enter the ARN of the administrator role.

On Specify stack details, the name entered for the stack is portfolio. Under Parameters, an ARN for an IAM role is entered in the LabelAdmin field.

Figure 1: Specify stack details for the portfolio

Create an AWS Service Catalog product

Although this step can be easily automated, I’ll show you how to build a product manually to better explain how it fits into service actions. You’ll create one product with two versions. One version will have two service actions. The other version will have one service action.

  1. Open the AWS Service Catalog Management console, and from the left navigation pane, choose Products.
  2. Choose Upload new product.
  3. In Enter product details, for Product name, enter EC2 with Service Actions.
  4. In Version details, for Choose a method, choose Use a template file.
  5. Under Upload a template file, choose the simple_ec2_ebs.yaml file you downloaded earlier.
  6. For Version name, enter v1.0.
  7. You can complete the optional fields or leave them blank.
  8. Choose Review product and then choose Create product.
  9. Refresh the products list.

Products list displays the newly created product, Simple Linux WebServer with Service Actions.

Figure 2: AWS Service Catalog Products list

Now, copy the IDs you’ll need to deploy the CloudFormation template for service actions.

    1. In the AWS Service Catalog console, choose Products.
    2. Choose the product and then copy the product ID and product version ID. You need these IDs in the next section.

In the Product details section, the ID field is highlighted. In Product versions, the product version ID is highlighted.

Figure 3: AWS Service Catalog admin product view

Now, add the product to the portfolio that was created by CloudFormation.

    1. Choose the Portfolios tab.
    2. Choose Add product to portfolio.
    3. Choose the portfolio and then choose Add Product to Portfolio.

The “Service Catalog Portfolio portfolio” is selected on the page.

Figure 4: Add product to portfolio

    1. In the left navigation pane, choose Products and then find your product ready to be launched.

In the left navigation pane of the console, Products is highlighted.

Figure 5: Products page

Deploy service actions

In this section, you’ll deploy the service actions using a CloudFormation template.

    1. Open the CloudFormation console at https://console.aws.amazon.com/cloudformation.
    2. Choose Create stack and then choose from new resources (standard).
    3. Choose Template is ready. For template source, choose Upload a template file.
    4. Use the ServiceActions.yaml file you downloaded earlier, and then choose Next.
    5. In Specify stack details, enter a name for the stack. In Parameters, enter the IDs you copied earlier into the ProductId and ProductProvArtifact field.

On the Stack details page, ServiceActions is entered for the stack name. The product ID is entered in the Product Id field. The product version ID is entered in the ProductProvArtifact field.

Figure 6: CloudFormation service action template deployment

    1. In the AWS Service Catalog console, choose Service Actions to see the two service actions that are deployed using CloudFormation.

In Service Actions, Reboot_instance and snapshot_volume are displayed in the list.

Figure 7: Service Actions page

Launch the EC2 product

    1. Go to your product, and then choose Launch.
    2. In Product versions, choose product version v1.0. The Parameters section will be displayed.

Parameters displays the Network Configuration field set to 0.0.0.0/0. Under Linux Instance Configuration, for Key Pair, the field is blank. Under SSM key to the latest Amazon Linux AMI, the default value is displayed. In Other parameters, for InstanceType, t3.micro is selected.

Figure 8: Product parameters

The product version simplifies all configuration with preconfigured values, but you must provide all parameter values to successfully launch the managed EC2 instance.

    1. Make sure all parameters are correct and click Launch.
    2. The Provisioned product details page is now shown.
    3. In the left navigation pane, choose Provisioned products and then verify the launch status.

Provisioned products displays a list with columns for name, created, ID, product name, version name, type, status, and user name. Account is selected from the Access Filter dropdown.

Figure 9: Provisioned products page

  1. Wait for Available to be displayed in the Status column.

Create service actions for the provisioned product

    1. Open the AWS Service Catalog console.
    2. From the left navigation pane, choose Provisioned products.
    3. Search for and then choose your launched product, Simple Linux with Service Actions v1.0.
    4. The following options should now be available from the Actions menu:
      • Reboot_instance
      • snapshot_volume

      The provisioned product details page shows Reboot_instance and snapshot_volume highlighted in the Actions menu.

      Figure 10: Available service actions for the product

      When you perform an action that requires a parameter, AWS Service Catalog will detect the parameter and complete the form for you. For example, to reboot the instance, you need the instance ID:

      On Reboot_instance, the instance ID is entered in the InstanceId field.

      Figure 11: Reboot_instance service action

    5. After the service action is started, the events on the provisioned product are added:

Provisioned product details page with two expanded stacked actions, PROVISION_PRODUCT and EXECUTE_PROVISION_PRODUCT_ACTION

Figure 12: Provisioned product stacked details

    1. After the action has been completed successfully, the status of the event changes to Succeeded.

Collapsed view of the two provisioned events in a provisioned product.

Figure 13:  Collapsed view of provisioned product

    1. When you perform the create snapshot action, the VolumeId field is filled in for you.

On snapshot_volume, the volume ID is entered in the VolumeId field.

Figure 14: Service action snapshot volume

    1. As you perform actions on your provisioned product, you’ll see the events of the provisioned product:

Provisioned product page shows the product launch and two stacked service actions, one of which has a status of Updating.

Figure 15: Stacked detailed view of a provisioned product

    1. After the service action is complete, the SSM document returns the ID of the created object.

Provisioned product details page shows the outputs of a service action. The created Snapshot Payload is highlighted.

Figure 16: Service action output

Terminate the environment

To avoid ongoing charges in your account, delete the resources you created.

  1. Terminate all provisioned products in AWS Service Catalog.
  2. Delete the CloudFormation stack that you created from the service action CloudFormation template.
  3. In the AWS Service Catalog console, disassociate the product from the portfolio.
  4. Remove the AWS Service Catalog product. You don’t have to remove all product versions. As long as you remove the service action associations, you can remove the product.
  5. If you manually added any users or roles to the portfolio, you must remove them before you remove the portfolio.
  6. Delete the other CloudFormation templates in the account.

Conclusion

The integration of AWS Service Catalog with AWS Systems Manager actions enables operations with least privileged constraints and ownership of the provisioned resources. This enables administrators to define actions that will allow end-users, such as developers, to have full control of their provisioned resources while staying within the security guardrails. For more information, see the How to manage AWS Auto Scaling groups and Amazon Redshift with AWS Service Catalog service actions blog post and AWS Service Catalog Service Actions in the AWS Service Catalog Administrator Guide.

About the author

Daniel Castro

Daniel Castro is an AWS Solutions Architect based in Toronto. He helps customers across Canada transform their businesses and execute successful cloud solutions.