AWS Service Catalog Hub and Spoke Model: How to Automate the Deployment and Management of Service Catalog to Many Accounts
Many organizations may have tens to hundreds of accounts and thousands of users that require services in AWS. Enforcing organizational governance controls for deploying services requires time and resources to build the necessary guardrails, security controls, and auditing. Using the AWS Service Catalog hub and spoke model and launch constraints, I’ll show you how to centrally manage Service Catalog deployments in a master/child account relationship. I’ll also show you how to enforce service constraints that allow users to self-provision AWS products, often reducing deployment costs, time, and management.
Before diving into the details, first I’ll discuss the Service Catalog components.
Service Catalog components
An AWS Service Catalog product is an IT service (VPC, web server, n-tier environment, database, etc.) that you want to make available for deployment on AWS.
An AWS Service Catalog portfolio is a collection of products and their configuration information, plus launch and access controls.
An AWS Service Catalog constraint is a restriction on the ways that specific AWS resources can be deployed for a product, e.g., template constraints to allow only certain EC2 instance sizes.
An AWS Service Catalog product is launched using an AWS CloudFormation process. The collection of launched services is called a provisioned product. You might also see this collection of launched services referred to as a landscape.
If you need to centrally manage AWS Service Catalog portfolios and products and then deploy across multiple accounts you can use a master Service Catalog account. Use this account to deploy the minimum portfolio, products, and constraints. Then you can share the master portfolios to child accounts where they are imported. Products that form the imported master portfolios are added to local portfolios in the child account. Constraints, tags, and users for these products can be added so that users in the child account can deploy any AWS CloudFormation stack implemented as a product.
This is called the AWS Service Catalog hub and spoke model.
Hub and spoke model
- One master account – Creates baseline products and shares the portfolio
- Multiple child accounts – Import portfolios and leverage the products
AWS Service Catalog administration
The hub-spoke model allows you to deploy Service Catalog portfolios and products centrally and locally in an account.
Two methods of leveraging shared portfolios
Imported portfolio – leverage the imported portfolio
- Launch and template constraints are inherited (Only set Launch constraints in the Child account)
- Constraints cannot be modified
Local Portfolios – Create a local portfolio and import products from the shared portfolio.
- Only template constraints are inherited
- You can create and assign additional template constraints
- You have to assign launch constraints
- Two AWS Accounts
- Administrator IAM permissions to each account
- Access keys or AWS STS Credentials for CLI access to each account
- Download the python scripts from here.
Note: Before running the following Python scripts, make sure that your AWS_DEFAULT_PROFILE is set to the correct account for deployment and that you have the proper administrative permissions.
Files included in the repo:
- Python script that creates a Service Catalog portfolio, two products for the portfolio from the CloudFormation scripts that follow, template constraints, and tagging to enforce organization governance controls. The script shares the portfolio with selected child accounts.
- Python script that creates a local Service Catalog portfolio in a child account and imports the two products created in the master account, discussed previously. Creates launch constraints for each product to limit launching resources to a single IAM role and appropriate tagging.
A link to the python code can be found here.
Master Service Catalog deployment
$ export AWS_DEFAULT_PROFILE=Master_Service_Catalog_Profile
1. Upload CFTs and constraint files to the Amazon S3 bucket that the Service Catalog master account has access to:
2. Run the master deployment script with the bucket name from step 1 as a command line argument. Additional command line arguments can be any AWS accounts that you want to share the Master Portfolio and Products with:
$ python Master_SC_Single_Portfolio_Deploy_v1.py bucketname share_account_1 share_account_2
3. Copy the portfolio ID provided by this script for deploying Service Catalog in the child account.
Your Linux Portfolio ID is: port-xxxxxxxxxxxxx
Child Service Catalog deployment
4. For each child account that you shared with in the previous master Service catalog section, do the following steps:
$ export AWS_DEFAULT_PROFILE=Child_Service_Catalog_Profile
5. Run the child deployment script with the portfolio ID of the master Service Catalog portfolio that you created in step 1:
$ python Child_SC_Single_Portfolio_Deploy_v1.py port-xxxxxxxxxxxxx
6. To ensure that everything deployed properly, check your master and child accounts for portfolios, products, and constraints.
7. Add users in the child account to use the portfolio that you created.
8. Test launching products in the child account. Users must have an Amazon EC2 key pair to deploy products.
a. Notice when deploying the LAMP Instance that users are constrained to specific parameter values. When deploying the Linux single instance users are restricted to specific Security Groups (“WebServerSecurityGroup”) that were created by the LAMP instance product.
In this blog post I demonstrate the value of deploying the AWS Service Catalog in a hub and spoke model. In addition, I explain the process and have provided code samples. These samples show you how to automate a deployment across many AWS accounts and constrain users to specific AWS resource values to meet organization governance controls.
About the Author
Jason Norton is a Sr. Consultant with Professional Services who loves showing his customers the possibilities.