Tracking software licenses with AWS Service Catalog and AWS Step Functions
Enterprises have many business requirements for tracking how software product licenses are used in their organization for financial, governance, and compliance reasons. By tracking license usage, organizations can stay within budget, track expenditures, and avoid unplanned true-up bills from their vendors’ true-up processes. The goal is to track the usage licenses as resources are deployed.
In this post, you learn how to use AWS Service Catalog to deploy services and applications while tracking the licenses being consumed by end users, and how to prevent license overruns on AWS.
This solution uses the following AWS services. Most of the resources are set up for you with an AWS CloudFormation stack:
Here are some of AWS Service Catalog concepts referenced in this post. For more information, see Overview of AWS Service Catalog.
- A product is a blueprint for building the AWS resources to make available for deployment on AWS, along with the configuration information. Create a product by importing an AWS CloudFormation template, or, in case of AWS Marketplace-based products, by copying the product to AWS Service Catalog. A product can belong to multiple portfolios.
- A portfolio is a collection of products, together with the configuration information. Use portfolios to manage user access to specific products. You can grant portfolio access for an AWS Identity and Access Management (IAM) user, IAM group, or IAM role level.
- A provisioned product is an AWS CloudFormation stack; that is, the AWS resources that are created. When an end-user launches a product, AWS Service Catalog provisions the product from an AWS CloudFormation stack.
- Constraints control the way that users can deploy a product. With launch constraints, you can specify a role that AWS
The following diagram maps out the solution architecture.
Here’s the process for the license administrator:
- The cloud administrator uses the AWS Service Catalog product called License Mgmt Setup, created automatically using the setup scripts provided as part of this post.
- As part of the deployment process, AWS CloudFormation attaches the license to the AWS Service Catalog product as a tag option.
- Amazon CloudWatch detects that the License Mgmt Setup product is being deployed and triggers a Lambda function.
- The Lambda function stores the information about the license and the product to which it is attached in a DynamoDB table.
Here’s the process when the end-user launches a product:
- The end-user selects and launches an AWS Service Catalog product to which a license was attached by the license administrator.
- Behind the scene, invisible to the end-user CloudWatch detects that the product being deployed has a license attached and launches a Step Functions process to track and monitor the license.
- The Step Functions process checks the database to determine how many licenses have been used. It then compares the number of used licenses against the setting for notifying the administrator when licenses are low or if too many licenses have been used.
- When a particular product has reached its license limit, the product is deactivated.
- Notification is sent to the admin using Amazon SES that the product has been deactivated.
Step 1: Configuring an environment
I used the following steps to set up the components for this walkthrough. Use an Amazon S3 bucket to upload your Lambda functions.
To get the setup material:
- Download the sc_lic_mgr.zip file with the configuration content.
- Unzip the contents and save them to a folder. Note the folder’s location.
To create your S3 bucket:
- Log in to your AWS account as an administrator. Ensure that you have an AdministratorAccess IAM policy attached to your login because you’re going to create AWS resources, including IAM roles and users.
- In the Amazon S3 console, create a bucket. Leave the default values except as noted.
- For Bucket name, enter sclicmgr-<accountNumber>.
To upload content to the new bucket:
- Select your bucket, and choose Upload, Add files.
- Navigate to the folder that contains the configuration content. Select all the files and choose Open. Leave the default values except as noted.
- After the Review page, from the list of files, select the sc_lic_managment_setup.json file.
- Right-click the link under Object URL and choose Copy link address.
To launch the configuration stack:
- In the AWS CloudFormation console, choose Create Stack, Amazon S3 URL, paste the URL you just copied, and then choose Next.
- On the Specify stack details page, specify the following:
- Stack name: sclicmgrSetup-<accountNumber>
- S3Bucket: sclicmgrSetup-<accountNumber>
- SCEndUser: The current user name
- Leave the default values except as noted.
- On the Review page, check the box next to I acknowledge that AWS CloudFormation might create IAM resources with custom names, and choose Create.
- After the status of the stack changes to CREATE COMPLETE, select the stack and choose Outputs to see the output.
- Find the SCPrivBucket entry and copy the value. It has the format prod-xxxxx.
The SCPrivBucket is a sample AWS Service Catalog product that you use for your first test.
Congratulations! You have completed the setup. Now, test it by following the license setup process.
Step 2: Setting up a new license
In an organization, typically an administrator determines that a license must be tracked and gathers the following information:
- The email address of the person to manage the license.
- The license name.
- The notification percentage (if usage goes above this percentage, a notification is sent to the license manager).
- The deactivate percentage (if usage goes above this percentage, the product is deactivated).
- The number of licenses to start with.
- The AWS Service Catalog product ID of the product to consume the license.
Step 3: Assigning a new license
As an administrator, use the following steps to assign a new license.
- Log into the AWS Service Catalog console as an admin user.
- On the left navigation pane, choose Product list, LicenseMgtSetup, and Launch product.
- On the Launch page, for By name, enter a name and choose Next.
- On the Parameters page, enter the following values, and choose Next:
- ProductId—The value that you copied in step 2.
- OwnerEmail—The email address of the license administrator.
- LicenseName—The name of the license (for example, serverless2).
- PercentNotify—30 (A notification is sent if usage goes above 30%.)
- PercentDisable —90 (The product is removed if usage goes above 90%.)
- TotalLic—3 (The total number of licenses to track.)
- Leave the remaining default values.
- On the Review page, choose Launch.
After the product is launched, a CloudWatch process attaches the license name to the AWS Service Catalog product as a tag option, and then adds the license information in a DynamoDB table.
Step 4: Provisioning an end-user resource (license consumption)
To launch an AWS Service Catalog product to consume your first license:
- In the AWS Service Catalog console, in the left navigation pane, choose Products list.
- On the Products list page, point to the stack of dots to the left of your product name and choose Launch product.
- On the Product Version page, for Name, enter testdeployment, and choose Next.
- On the Parameters page, choose Next.
- On the TagOptions page, make sure that the LIC_Name tag is assigned, and choose Next.
- On the Review page, choose Launch.
- The product has now been successfully deployed, and one license has been used. You should see a screen like the one in the following screenshot.
Congratulations, you have deployed and used the first license.
The deployment process is initiated. A CloudWatch rule detects that the product being launched has an attached license to be tracked and increments the number of licenses being used. The process calculates the total license percentage being used, then compares the percentage being used to the percent to be notified and percent for the product to be deactivated:
- If the percent used is greater than the percent to be notified, the administrator is notified.
- If the percent used is greater than the percent to deactivate the product, the AWS Service Catalog product is deactivated. If the AWS Service Catalog product is terminated, the process recalculates the total license percentage being used.
- If the percent used is less than the percent to deactivate the product, the AWS Service Catalog product is reactivated.
Creating new licenses for other products
Follow these steps to create new licenses for other products:
- To get other product IDs, AWS Service Catalog console as an admin user.
- In the left navigation pane, choose Portfolios list.
- On the Local Portfolios page, in the Name column, select a portfolio. You see the product names and IDs.
- Copy the ID of the product to which to attach the license. Now that you have the product ID, repeat step 2 to add the license to other AWS Service Catalog products.
To avoid incurring cost, please delete resources that are not needed. You can terminate the Service Catalog product deployed the by selecting Action then Terminate.
In this post, you learned an easy way to track your license use on AWS with AWS Service Catalog. You also saw how there’s an extra layer of governance and control when you use AWS Service Catalog to deploy resources to support business objectives.
About the Author
Kenneth Walsh is a New York-based Solutions Architect focusing on AWS Marketplace. Kenneth is passionate about cloud computing and loves being a trusted advisor for his customers. When he’s not working with customers on their journey to the cloud, he enjoys cooking, audio books, movies, and spending time with his family.