aws-cdk.aws-servicecatalog 1.114.0

The CDK Construct Library for AWS::ServiceCatalog

AWS Service Catalog Construct Library

---

All classes with the Cfn prefix in this module (CFN Resources) are always stable and safe to use.

The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.

---

AWS Service Catalog enables organizations to create and manage catalogs of products for their end users that are approved for use on AWS.

Table Of Contents

• Portfolio

  • Granting access to a portfolio
  • Sharing a portfolio with another AWS account

• Product

  • Adding a product to a portfolio

• Constraints

  • Tag update constraint

The @aws-cdk/aws-servicecatalog package contains resources that enable users to automate governance and management of their AWS resources at scale.

# Example automatically generated. See https://github.com/aws/jsii/issues/826
import aws_cdk.aws_servicecatalog as servicecatalog

Portfolio

AWS Service Catalog portfolios allow admins to manage products that their end users have access to. Using the CDK, a new portfolio can be created with the Portfolio construct:

# Example automatically generated. See https://github.com/aws/jsii/issues/826
servicecatalog.Portfolio(self, "MyFirstPortfolio",
    display_name="MyFirstPortfolio",
    provider_name="MyTeam"
)

You can also specify properties such as description and acceptLanguage to help better catalog and manage your portfolios.

# Example automatically generated. See https://github.com/aws/jsii/issues/826
servicecatalog.Portfolio(self, "MyFirstPortfolio",
    display_name="MyFirstPortfolio",
    provider_name="MyTeam",
    description="Portfolio for a project",
    message_language=servicecatalog.MessageLanguage.EN
)

Read more at Creating and Managing Portfolios.

A portfolio that has been created outside the stack can be imported into your CDK app. Portfolios can be imported by their ARN via the Portfolio.fromPortfolioArn() API:

# Example automatically generated. See https://github.com/aws/jsii/issues/826
portfolio = servicecatalog.Portfolio.from_portfolio_arn(self, "MyImportedPortfolio", "arn:aws:catalog:region:account-id:portfolio/port-abcdefghi")

Granting access to a portfolio

You can manage end user access to a portfolio by granting permissions to IAM entities like a user, group, or role. Once resources are deployed end users will be able to access them via the console or service catalog CLI.

# Example automatically generated. See https://github.com/aws/jsii/issues/826
import aws_cdk.aws_iam as iam


user = iam.User(self, "MyUser")
portfolio.give_access_to_user(user)

role = iam.Role(self, "MyRole",
    assumed_by=iam.AccountRootPrincipal()
)
portfolio.give_access_to_role(role)

group = iam.Group(self, "MyGroup")
portfolio.give_access_to_group(group)

Sharing a portfolio with another AWS account

A portfolio can be programatically shared with other accounts so that specified users can also access it:

# Example automatically generated. See https://github.com/aws/jsii/issues/826
portfolio.share_with_account("012345678901")

Product

Products are the resources you are allowing end users to provision and utilize. The CDK currently only supports adding products of type Cloudformation product. Using the CDK, a new Product can be created with the CloudFormationProduct construct. CloudFormationTemplate.fromUrl can be utilized to create a Product using a Cloudformation template directly from an URL:

# Example automatically generated. See https://github.com/aws/jsii/issues/826
product = servicecatalog.CloudFormationProduct(self, "MyFirstProduct",
    product_name="My Product",
    owner="Product Owner",
    product_versions=[{
        "product_version_name": "v1",
        "cloud_formation_template": servicecatalog.CloudFormationTemplate.from_url("https://raw.githubusercontent.com/awslabs/aws-cloudformation-templates/master/aws/services/ServiceCatalog/Product.yaml")
    }
    ]
)

A CloudFormationProduct can also be created using a Cloudformation template from an Asset. Assets are files that are uploaded to an S3 Bucket before deployment. CloudFormationTemplate.fromAsset can be utilized to create a Product by passing the path to a local template file on your disk:

# Example automatically generated. See https://github.com/aws/jsii/issues/826
import path as path


product = servicecatalog.CloudFormationProduct(self, "MyFirstProduct",
    product_name="My Product",
    owner="Product Owner",
    product_versions=[{
        "product_version_name": "v1",
        "cloud_formation_template": servicecatalog.CloudFormationTemplate.from_url("https://raw.githubusercontent.com/awslabs/aws-cloudformation-templates/master/aws/services/ServiceCatalog/Product.yaml")
    }, {
        "product_version_name": "v2",
        "cloud_formation_template": servicecatalog.CloudFormationTemplate.from_asset(path.join(__dirname, "development-environment.template.json"))
    }
    ]
)

Adding a product to a portfolio

You add products to a portfolio to manage your resources at scale. After adding a product to a portfolio, it creates a portfolio-product association, and will become visible from the portfolio side in both the console and service catalog CLI. A product can be added to multiple portfolios depending on your resource and organizational needs.

# Example automatically generated. See https://github.com/aws/jsii/issues/826
portfolio.add_product(product)

Constraints

Constraints define governance mechanisms that allow you to manage permissions, notifications, and options related to actions end users can perform on products, Constraints are applied on a portfolio-product association. Using the CDK, if you do not explicitly associate a product to a portfolio and add a constraint, it will automatically add an association for you.

There are rules around plurariliites of constraints for a portfolio and product. For example, you can only have a single "tag update" constraint applied to a portfolio-product association. If a misconfigured constraint is added, synth will fail with an error message.

Read more at Service Catalog Constraints.

Tag update constraint

Tag update constraints allow or disallow end users to update tags on resources associated with an AWS Service Catalog product upon provisioning. By default, tag updating is not permitted. If tag updating is allowed, then new tags associated with the product or portfolio will be applied to provisioned resources during a provisioned product update.

# Example automatically generated. See https://github.com/aws/jsii/issues/826
portfolio.add_product(product)

portfolio.constrain_tag_updates(product)

If you want to disable this feature later on, you can update it by setting the "allow" parameter to false:

# Example automatically generated. See https://github.com/aws/jsii/issues/826
# to disable tag updates:
portfolio.constrain_tag_updates(product,
    allow=False
)