AWS Management Tools Blog

How to dynamically constrain parameter options in AWS Service Catalog based on specific tag values

In this blog post, I’ll show you how to dynamically constrain AWS Service Catalog product parameter options for AWS Service Catalog end users based on specific tag values.

In many enterprises, the AWS environment is continually changing. There are always new subnets, security groups, and other infrastructure components that need to be created. The ability to allow end users, such as the operations team, to correctly provision AWS resources without having to know all of the detailed nuances of the AWS infrastructure becomes a challenge.

I’ll show you an example of how you can create a Service Catalog template constraint that is based on the tag values of a subnet. The service catalog product will only show the subnets that have the following tag key and value pair: Key is Environment, and Value is TestApps. You can apply these same concepts to other taggable AWS resources.

Before I get into how it works, let’s first review a few key AWS Service Catalog concepts:

In the AWS Service Catalog Hub-Spoke model, shared portfolios are created in a hub account and then can be imported into another AWS account (spoke). Local portfolios then can be created at the spoke account where products from the shared/imported portfolio can be added into the local portfolios. The use case in this blog post will show you how you can control the parameter options available based on resource tagging within a template constraint as part of the AWS Service Catalog Hub-Spoke model:

Step 1. Set up hub account with a Shared Portfolio/product

To set up the hub account with a shared portfolio, please refer to the following:

Step 2. Create a Local Portfolio in the Spoke account

For the use case in this blog post, create a local portfolio. This portfolio will be used to import a product from the hub account shared portfolio. To create a local portfolio:

  1. Sign in to the AWS Management Console and then open https://console.aws.amazon.com/servicecatalog/.
  2. In the AWS Service Catalog console, choose Create Portfolio.
  3. Enter the following values:
    • Portfolio name – Local Portfolio
    • Description – Local Portfolio for Spoke Account
    • Owner – Spoke Account
  4. Choose Create.

Now, let’s add a product from the Shared Portfolio into the Local Portfolio.

Step 3. Add the shared product to the Local Portfolio

In this example, the shared product being used is an Amazon EC2 Linux product. A copy of the product can be found here. To add a product to the Local Portfolio from the shared/imported portfolio:

  1. Open https://console.aws.amazon.com/servicecatalog/.
  2. Choose Local Portfolio to open the portfolio details page, and then choose Add product.
  3. On the Products page, under Select product group, choose Imported Portfolios.
  4. Under the Select portfolio drop-down menu, choose Shared Portfolio.
  5. Select LinuxEC2, and then choose Add Product To Portfolio.

Step 4. Add launch role and IAM user/role/group to Local Portfolio

To add a launch constraint and an IAM role/user/group to the local portfolio, please refer to:

Now that we have a launch constraint and a Service Catalog user/role/group that can provision the product, you can provision the product to see what the parameter options look like before any template constraint is applied.

Step 5. Provision product in Local Portfolio

In this step, you can provision the product in the Local Portfolio. To provision the product in the Local Portfolio:

  1. Log in as the user or role that was assigned to the Local Portfolio in Step 4.
  2. Open https://console.aws.amazon.com/servicecatalog/.
  3. You should be placed at the Dashboard for AWS Service Catalog.
  4. On the Products page, choose LinuxEC2 and choose Launch product.
  5. On the Launch – LinuxEC2 page, fill in the following:
    • Name – LinuxEC2
    • Version – v1.0
  6. Choose Next.
  7. On the Launch – LinuxEC2 page, scroll down and look at the parameter options for PrivateSubnet.
  8. Too many options can be confusing. Choose Cancel.

Now we will use tags and template constraints to fine-tune and filter the subnets that appear as parameter options. Log out as the provisioning user.

Step 6. Use tags and template constraints to filter subnets

In this step, you can add a template constraint to use tags associated with a subnet. To add a template constraint to the product:

  1. Open https://console.aws.amazon.com/servicecatalog/. (Make sure you are logged in as the Service Catalog Administrator.)
  2. Choose Local Portfolio to open the portfolio details page, and then choose the triangle next to Constraints.
  3. Under Constraints, select Add constraints.
  4. On the Select product and type page, choose the following:
    • Name – LinuxEC2
    • Constraint type – Template
  5. Choose Continue.
  6. On the Template constraint builder page, fill in the Description with “LinuxEC2 Subnet Filter”.
  7. On the Template constraint builder page, remove the empty brackets and paste in the following contents:

{
  "Rules": {
    "SubnetList": {
      "Assertions": [
        {
          "Assert": { "Fn::EachMemberEquals": [ { "Fn::ValueOfAll": [ "AWS::EC2::Subnet::Id", "Tags.Environment" ] }, "TestApps" ] },
          "AssertDescription": "Only display subnets that have the Environment Tag set to TestApps"
        }
      ]
    }
  }
}

This template constraint will produce a list of only those subnets that carry the following tag:

  • Environment – TestApps

The following list includes the subnets that should be filtered as a result of this tag:

  8. Choose Submit.
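To see what the rule in item 7 actually selects before you submit it, here is an added example (not code from the post or from AWS) that parses the constraint document and applies its Fn::ValueOfAll / Fn::EachMemberEquals assertion to a constructed subnet inventory. The subnet IDs and tags are made up, and the filtering behaviour it models is the one the post describes: only subnets whose Environment tag equals TestApps are offered. Its parse step also rejects curly quotes, which is the usual reason a constraint copied from a web page is refused.

```python
"""Evaluate the subnet-filtering template constraint offline.

Added example, not code from the post or from AWS. It parses the constraint
document (straight quotes required), then applies the rule's
Fn::ValueOfAll / Fn::EachMemberEquals assertion to a constructed subnet
inventory and returns the subnets that satisfy it, i.e. the ones an end user
would be offered for PrivateSubnet. Modelling the rule as a per-subnet filter
is an assumption based on the post's description.
"""
import json

# The constraint from the post, written with straight quotes. Curly quotes
# pasted from a web page are not valid JSON and the constraint is rejected.
CONSTRAINT_TEXT = """
{
  "Rules": {
    "SubnetList": {
      "Assertions": [
        {
          "Assert": { "Fn::EachMemberEquals": [ { "Fn::ValueOfAll": [ "AWS::EC2::Subnet::Id", "Tags.Environment" ] }, "TestApps" ] },
          "AssertDescription": "Only display subnets that have the Environment Tag set to TestApps"
        }
      ]
    }
  }
}
"""

# Constructed inventory standing in for the subnets visible in the spoke
# account; the subnet IDs are made up for this example.
SUBNETS = [
    {"SubnetId": "subnet-0aaa111", "Tags": {"Environment": "TestApps", "Name": "test-a"}},
    {"SubnetId": "subnet-0bbb222", "Tags": {"Environment": "Prod", "Name": "prod-a"}},
    {"SubnetId": "subnet-0ccc333", "Tags": {"Environment": "TestApps"}},
    {"SubnetId": "subnet-0ddd444", "Tags": {}},                            # untagged
    {"SubnetId": "subnet-0eee555", "Tags": {"Environment": "testapps"}},   # tag values are case-sensitive
]


def parse_constraint(text):
    """Parse a template constraint document and check its top-level shape."""
    for bad in "\u201c\u201d\u2018\u2019":
        if bad in text:
            raise ValueError("constraint contains curly quotes; replace them with straight quotes")
    doc = json.loads(text)
    if set(doc) != {"Rules"} or not isinstance(doc["Rules"], dict):
        raise ValueError("template constraint must be an object with a single 'Rules' key")
    for name, rule in doc["Rules"].items():
        if not rule.get("Assertions"):
            raise ValueError(f"rule {name!r} has no Assertions")
    return doc


def is_valid_constraint(text):
    """True if parse_constraint accepts the document, False otherwise."""
    try:
        parse_constraint(text)
        return True
    except ValueError:
        return False


def attribute_of(resource, attr):
    """Resolve the attribute name used by Fn::ValueOfAll ('Tags.<Key>' or a plain field)."""
    if attr.startswith("Tags."):
        return resource["Tags"].get(attr[len("Tags."):])
    return resource.get(attr)


def subnets_satisfying(doc, inventory):
    """Return the sorted SubnetIds that pass every EachMemberEquals assertion."""
    offered = list(inventory)
    for rule in doc["Rules"].values():
        for assertion in rule["Assertions"]:
            (fn, args), = assertion["Assert"].items()
            if fn != "Fn::EachMemberEquals":
                raise ValueError(f"unsupported intrinsic {fn}")
            value_of_all, expected = args
            resource_type, attr = value_of_all["Fn::ValueOfAll"]
            if resource_type != "AWS::EC2::Subnet::Id":
                raise ValueError(f"this evaluator only models subnets, got {resource_type}")
            # Keep only the subnets whose attribute equals the asserted value.
            offered = [s for s in offered if attribute_of(s, attr) == expected]
    return sorted(s["SubnetId"] for s in offered)


if __name__ == "__main__":
    rules = parse_constraint(CONSTRAINT_TEXT)
    for subnet_id in subnets_satisfying(rules, SUBNETS):
        print(subnet_id)
```

Run it and only subnet-0aaa111 and subnet-0ccc333 are listed; the untagged subnet and the one tagged "testapps" in lowercase are dropped, which is worth remembering when you tag subnets, because a tag value that differs in case will silently fall out of the list. If you prefer to create the constraint from the CLI instead of the console in item 7, the same document can be passed to `aws servicecatalog create-constraint` with `--type TEMPLATE` and `--parameters file://constraint.json`.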

Now that we have the template constraint in place, you can log back in as a Service Catalog user/role and try to provision the product.

Step 7. Provision product in Local Portfolio (With Template Constraint)

In this step, you can provision the product in the Local Portfolio. To provision the product in the Local Portfolio:

  1. Repeat Step 5 (items 1–6) to provision the product in the Local Portfolio.
  2. On the Launch – LinuxEC2 page, scroll down and look at the parameter options for PrivateSubnet.
  3. The template constraint has now filtered the choices. Choose Cancel.

Conclusion

In this blog post, I demonstrated, in an AWS Service Catalog Hub-Spoke model, how to apply AWS Service Catalog template constraints to filter parameter options based on tags associated with an AWS resource. This filtering of parameter options can be used for all taggable AWS resources that template constraints currently support. In addition, this method of filtering parameter options can also be used outside of the AWS Service Catalog Hub-Spoke model.

I hope the methods outlined here give you some ideas on how to handle a continually changing and dynamic AWS environment for your AWS Service Catalog users. In addition, I hope this provides some thoughts on how to manage and govern your AWS environment.

I welcome your comments or questions.

About the Author

Joe Milligan is a Cloud Infrastructure Architect with Professional Services and prides himself on collaborating with his customers to provide the best possible solution.