# AWS Service Catalog Construct Library
<!--BEGIN STABILITY BANNER-->---
> AWS CDK v1 has reached End-of-Support on 2023-06-01.
> This package is no longer being updated, and users should migrate to AWS CDK v2.
>
> For more information on how to migrate, see the [*Migrating to AWS CDK v2* guide](https://docs.aws.amazon.com/cdk/v2/guide/migrating-v2.html).
---
<!--END STABILITY BANNER-->
[AWS Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/dg/what-is-service-catalog.html)
enables organizations to create and manage catalogs of products for their end users that are approved for use on AWS.
## Table Of Contents
* [Portfolio](#portfolio)
* [Granting access to a portfolio](#granting-access-to-a-portfolio)
* [Sharing a portfolio with another AWS account](#sharing-a-portfolio-with-another-aws-account)
* [Product](#product)
* [Creating a product from a local asset](#creating-a-product-from-local-asset)
* [Creating a product from a stack](#creating-a-product-from-a-stack)
* [Creating a Product from a stack with a history of previous versions](#creating-a-product-from-a-stack-with-a-history-of-all-previous-versions)
* [Adding a product to a portfolio](#adding-a-product-to-a-portfolio)
* [TagOptions](#tag-options)
* [Constraints](#constraints)
* [Tag update constraint](#tag-update-constraint)
* [Notify on stack events](#notify-on-stack-events)
* [CloudFormation template parameters constraint](#cloudformation-template-parameters-constraint)
* [Set launch role](#set-launch-role)
* [Deploy with StackSets](#deploy-with-stacksets)
The `@aws-cdk/aws-servicecatalog` package contains resources that enable users to automate governance and management of their AWS resources at scale.
```python
import aws_cdk.aws_servicecatalog as servicecatalog
```
## Portfolio
AWS Service Catalog portfolios allow administrators to organize, manage, and distribute cloud resources for their end users.
Using the CDK, a new portfolio can be created with the `Portfolio` construct:
```python
servicecatalog.Portfolio(self, "Portfolio",
display_name="MyPortfolio",
provider_name="MyTeam"
)
```
You can also specify optional metadata properties such as `description` and `messageLanguage`
to help better catalog and manage your portfolios.
```python
servicecatalog.Portfolio(self, "Portfolio",
display_name="MyFirstPortfolio",
provider_name="SCAdmin",
description="Portfolio for a project",
message_language=servicecatalog.MessageLanguage.EN
)
```
Read more at [Creating and Managing Portfolios](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios.html).
To reference an existing portfolio into your CDK application, use the `Portfolio.fromPortfolioArn()` factory method:
```python
portfolio = servicecatalog.Portfolio.from_portfolio_arn(self, "ReferencedPortfolio", "arn:aws:catalog:region:account-id:portfolio/port-abcdefghi")
```
### Granting access to a portfolio
You can grant access to and manage the `IAM` users, groups, or roles that have access to the products within a portfolio.
Entities with granted access will be able to utilize the portfolios resources and products via the console or AWS CLI.
Once resources are deployed end users will be able to access them via the console or service catalog CLI.
```python
import aws_cdk.aws_iam as iam
# portfolio: servicecatalog.Portfolio
user = iam.User(self, "User")
portfolio.give_access_to_user(user)
role = iam.Role(self, "Role",
assumed_by=iam.AccountRootPrincipal()
)
portfolio.give_access_to_role(role)
group = iam.Group(self, "Group")
portfolio.give_access_to_group(group)
```
### Sharing a portfolio with another AWS account
You can use account-to-account sharing to distribute a reference to your portfolio to other AWS accounts by passing the recipient account number.
After the share is initiated, the recipient account can accept the share via CLI or console by importing the portfolio ID.
Changes made to the shared portfolio will automatically propagate to recipients.
```python
# portfolio: servicecatalog.Portfolio
portfolio.share_with_account("012345678901")
```
## Product
Products are version friendly infrastructure-as-code templates that admins create and add to portfolios for end users to provision and create AWS resources.
Service Catalog supports products from AWS Marketplace or ones defined by a CloudFormation template.
The CDK currently only supports adding products of type CloudFormation.
Using the CDK, a new Product can be created with the `CloudFormationProduct` construct.
You can use `CloudFormationTemplate.fromUrl` to create a Product from a CloudFormation template directly from a URL that points to the template in S3, GitHub, or CodeCommit:
```python
product = servicecatalog.CloudFormationProduct(self, "MyFirstProduct",
product_name="My Product",
owner="Product Owner",
product_versions=[servicecatalog.CloudFormationProductVersion(
product_version_name="v1",
cloud_formation_template=servicecatalog.CloudFormationTemplate.from_url("https://raw.githubusercontent.com/awslabs/aws-cloudformation-templates/master/aws/services/ServiceCatalog/Product.yaml")
)
]
)
```
### Creating a product from a local asset
A `CloudFormationProduct` can also be created by using a CloudFormation template held locally on disk using Assets.
Assets are files that are uploaded to an S3 Bucket before deployment.
`CloudFormationTemplate.fromAsset` can be utilized to create a Product by passing the path to a local template file on your disk:
```python
import path as path
product = servicecatalog.CloudFormationProduct(self, "Product",
product_name="My Product",
owner="Product Owner",
product_versions=[servicecatalog.CloudFormationProductVersion(
product_version_name="v1",
cloud_formation_template=servicecatalog.CloudFormationTemplate.from_url("https://raw.githubusercontent.com/awslabs/aws-cloudformation-templates/master/aws/services/ServiceCatalog/Product.yaml")
), servicecatalog.CloudFormationProductVersion(
product_version_name="v2",
cloud_formation_template=servicecatalog.CloudFormationTemplate.from_asset(path.join(__dirname, "development-environment.template.json"))
)
]
)
```
### Creating a product from a stack
You can create a Service Catalog `CloudFormationProduct` entirely defined with CDK code using a service catalog `ProductStack`.
A separate child stack for your product is created and you can add resources like you would for any other CDK stack,
such as an S3 Bucket, IAM roles, and EC2 instances. This stack is passed in as a product version to your
product. This will not create a separate CloudFormation stack during deployment.
```python
import aws_cdk.aws_s3 as s3
import aws_cdk.core as cdk
class S3BucketProduct(servicecatalog.ProductStack):
def __init__(self, scope, id):
super().__init__(scope, id)
s3.Bucket(self, "BucketProduct")
product = servicecatalog.CloudFormationProduct(self, "Product",
product_name="My Product",
owner="Product Owner",
product_versions=[servicecatalog.CloudFormationProductVersion(
product_version_name="v1",
cloud_formation_template=servicecatalog.CloudFormationTemplate.from_product_stack(S3BucketProduct(self, "S3BucketProduct"))
)
]
)
```
### Creating a Product from a stack with a history of previous versions
The default behavior of Service Catalog is to overwrite each product version upon deployment.
This applies to Product Stacks as well, where only the latest changes to your Product Stack will
be deployed.
To keep a history of the revisions of a ProductStack available in Service Catalog,
you would need to define a ProductStack for each historical copy.
You can instead create a `ProductStackHistory` to maintain snapshots of all previous versions.
The `ProductStackHistory` can be created by passing the base `productStack`,
a `currentVersionName` for your current version and a `locked` boolean.
The `locked` boolean which when set to true will prevent your `currentVersionName`
from being overwritten when there is an existing snapshot for that version.
```python
import aws_cdk.aws_s3 as s3
import aws_cdk.core as cdk
class S3BucketProduct(servicecatalog.ProductStack):
def __init__(self, scope, id):
super().__init__(scope, id)
s3.Bucket(self, "BucketProduct")
product_stack_history = servicecatalog.ProductStackHistory(self, "ProductStackHistory",
product_stack=S3BucketProduct(self, "S3BucketProduct"),
current_version_name="v1",
current_version_locked=True
)
```
We can deploy the current version `v1` by using `productStackHistory.currentVersion()`
```python
import aws_cdk.aws_s3 as s3
import aws_cdk.core as cdk
class S3BucketProduct(servicecatalog.ProductStack):
def __init__(self, scope, id):
super().__init__(scope, id)
s3.Bucket(self, "BucketProductV2")
product_stack_history = servicecatalog.ProductStackHistory(self, "ProductStackHistory",
product_stack=S3BucketProduct(self, "S3BucketProduct"),
current_version_name="v2",
current_version_locked=True
)
product = servicecatalog.CloudFormationProduct(self, "MyFirstProduct",
product_name="My Product",
owner="Product Owner",
product_versions=[
product_stack_history.current_version()
]
)
```
Using `ProductStackHistory` all deployed templates for the ProductStack will be written to disk,
so that they will still be available in the future as the definition of the `ProductStack` subclass changes over time.
**It is very important** that you commit these old versions to source control as these versions
determine whether a version has already been deployed and can also be deployed themselves.
After using `ProductStackHistory` to deploy version `v1` of your `ProductStack`, we
make changes to the `ProductStack` and update the `currentVersionName` to `v2`.
We still want our `v1` version to still be deployed, so we reference it by calling `productStackHistory.versionFromSnapshot('v1')`.
```python
import aws_cdk.aws_s3 as s3
import aws_cdk.core as cdk
class S3BucketProduct(servicecatalog.ProductStack):
def __init__(self, scope, id):
super().__init__(scope, id)
s3.Bucket(self, "BucketProductV2")
product_stack_history = servicecatalog.ProductStackHistory(self, "ProductStackHistory",
product_stack=S3BucketProduct(self, "S3BucketProduct"),
current_version_name="v2",
current_version_locked=True
)
product = servicecatalog.CloudFormationProduct(self, "MyFirstProduct",
product_name="My Product",
owner="Product Owner",
product_versions=[
product_stack_history.current_version(),
product_stack_history.version_from_snapshot("v1")
]
)
```
### Adding a product to a portfolio
You add products to a portfolio to organize and distribute your catalog at scale. Adding a product to a portfolio creates an association,
and the product will become visible within the portfolio side in both the Service Catalog console and AWS CLI.
You can add a product to multiple portfolios depending on your organizational structure and how you would like to group access to products.
```python
# portfolio: servicecatalog.Portfolio
# product: servicecatalog.CloudFormationProduct
portfolio.add_product(product)
```
## Tag Options
TagOptions allow administrators to easily manage tags on provisioned products by providing a template for a selection of tags that end users choose from.
TagOptions are created by specifying a tag key with a set of allowed values and can be associated with both portfolios and products.
When launching a product, both the TagOptions associated with the product and the containing portfolio are made available.
At the moment, TagOptions can only be deactivated in the console.
```python
# portfolio: servicecatalog.Portfolio
# product: servicecatalog.CloudFormationProduct
tag_options_for_portfolio = servicecatalog.TagOptions(self, "OrgTagOptions",
allowed_values_for_tags={
"Group": ["finance", "engineering", "marketing", "research"],
"CostCenter": ["01", "02", "03"]
}
)
portfolio.associate_tag_options(tag_options_for_portfolio)
tag_options_for_product = servicecatalog.TagOptions(self, "ProductTagOptions",
allowed_values_for_tags={
"Environment": ["dev", "alpha", "prod"]
}
)
product.associate_tag_options(tag_options_for_product)
```
## Constraints
Constraints are governance gestures that you place on product-portfolio associations that allow you to manage minimal launch permissions, notifications, and other optional actions that end users can perform on products.
Using the CDK, if you do not explicitly associate a product to a portfolio and add a constraint, it will automatically add an association for you.
There are rules around how constraints are applied to portfolio-product associations.
For example, you can only have a single "launch role" constraint applied to a portfolio-product association.
If a misconfigured constraint is added, `synth` will fail with an error message.
Read more at [Service Catalog Constraints](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints.html).
### Tag update constraint
Tag update constraints allow or disallow end users to update tags on resources associated with an AWS Service Catalog product upon provisioning.
By default, if a Tag Update constraint is not configured, tag updating is not permitted.
If tag updating is allowed, then new tags associated with the product or portfolio will be applied to provisioned resources during a provisioned product update.
```python
# portfolio: servicecatalog.Portfolio
# product: servicecatalog.CloudFormationProduct
portfolio.add_product(product)
portfolio.constrain_tag_updates(product)
```
If you want to disable this feature later on, you can update it by setting the "allow" parameter to `false`:
```python
# portfolio: servicecatalog.Portfolio
# product: servicecatalog.CloudFormationProduct
# to disable tag updates:
portfolio.constrain_tag_updates(product,
allow=False
)
```
### Notify on stack events
Allows users to subscribe an AWS `SNS` topic to a provisioned product's CloudFormation stack events.
When an end user provisions a product it creates a CloudFormation stack that notifies the subscribed topic on creation, edit, and delete events.
An individual `SNS` topic may only have a single subscription to any given portfolio-product association.
```python
import aws_cdk.aws_sns as sns
# portfolio: servicecatalog.Portfolio
# product: servicecatalog.CloudFormationProduct
topic1 = sns.Topic(self, "Topic1")
portfolio.notify_on_stack_events(product, topic1)
topic2 = sns.Topic(self, "Topic2")
portfolio.notify_on_stack_events(product, topic2,
description="description for topic2"
)
```
### CloudFormation template parameters constraint
CloudFormation template parameter constraints allow you to configure the provisioning parameters that are available to end users when they launch a product.
Template constraint rules consist of one or more assertions that define the default and/or allowable values for a product’s provisioning parameters.
You can configure multiple parameter constraints to govern the different provisioning parameters within your products.
For example, a rule might define the `EC2` instance types that users can choose from when launching a product that includes one or more `EC2` instances.
Parameter rules have an optional `condition` field that allow for rule application to consider conditional evaluations.
If a `condition` is specified, all assertions will be applied if the condition evaluates to true.
For information on rule-specific intrinsic functions to define rule conditions and assertions,
see [AWS Rule Functions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-rules.html).
```python
import aws_cdk.core as cdk
# portfolio: servicecatalog.Portfolio
# product: servicecatalog.CloudFormationProduct
portfolio.constrain_cloud_formation_parameters(product,
rule=servicecatalog.TemplateRule(
rule_name="testInstanceType",
condition=cdk.Fn.condition_equals(cdk.Fn.ref("Environment"), "test"),
assertions=[servicecatalog.TemplateRuleAssertion(
assert=cdk.Fn.condition_contains(["t2.micro", "t2.small"], cdk.Fn.ref("InstanceType")),
description="For test environment, the instance type should be small"
)]
)
)
```
### Set launch role
Allows you to configure a specific `IAM` role that Service Catalog assumes on behalf of the end user when launching a product.
By setting a launch role constraint, you can maintain least permissions for an end user when launching a product.
For example, a launch role can grant permissions for specific resource creation like an `S3` bucket that the user.
The launch role must be assumed by the Service Catalog principal.
You can only have one launch role set for a portfolio-product association,
and you cannot set a launch role on a product that already has a StackSets deployment configured.
```python
import aws_cdk.aws_iam as iam
# portfolio: servicecatalog.Portfolio
# product: servicecatalog.CloudFormationProduct
launch_role = iam.Role(self, "LaunchRole",
assumed_by=iam.ServicePrincipal("servicecatalog.amazonaws.com")
)
portfolio.set_launch_role(product, launch_role)
```
You can also set the launch role using just the name of a role which is locally deployed in end user accounts.
This is useful for when roles and users are separately managed outside of the CDK.
The given role must exist in both the account that creates the launch role constraint,
as well as in any end user accounts that wish to provision a product with the launch role.
You can do this by passing in the role with an explicitly set name:
```python
import aws_cdk.aws_iam as iam
# portfolio: servicecatalog.Portfolio
# product: servicecatalog.CloudFormationProduct
launch_role = iam.Role(self, "LaunchRole",
role_name="MyRole",
assumed_by=iam.ServicePrincipal("servicecatalog.amazonaws.com")
)
portfolio.set_local_launch_role(product, launch_role)
```
Or you can simply pass in a role name and CDK will create a role with that name that trusts service catalog in the account:
```python
import aws_cdk.aws_iam as iam
# portfolio: servicecatalog.Portfolio
# product: servicecatalog.CloudFormationProduct
role_name = "MyRole"
launch_role = portfolio.set_local_launch_role_name(product, role_name)
```
See [Launch Constraint](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints-launch.html) documentation
to understand the permissions that launch roles need.
### Deploy with StackSets
A StackSets deployment constraint allows you to configure product deployment options using
[AWS CloudFormation StackSets](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/using-stacksets.html).
You can specify one or more accounts and regions into which stack instances will launch when the product is provisioned.
There is an additional field `allowStackSetInstanceOperations` that sets ability for end users to create, edit, or delete the stacks created by the StackSet.
By default, this field is set to `false`.
When launching a StackSets product, end users can select from the list of accounts and regions configured in the constraint to determine where the Stack Instances will deploy and the order of deployment.
You can only define one StackSets deployment configuration per portfolio-product association,
and you cannot both set a launch role and StackSets deployment configuration for an assocation.
```python
import aws_cdk.aws_iam as iam
# portfolio: servicecatalog.Portfolio
# product: servicecatalog.CloudFormationProduct
admin_role = iam.Role(self, "AdminRole",
assumed_by=iam.AccountRootPrincipal()
)
portfolio.deploy_with_stack_sets(product,
accounts=["012345678901", "012345678902", "012345678903"],
regions=["us-west-1", "us-east-1", "us-west-2", "us-east-1"],
admin_role=admin_role,
execution_role_name="SCStackSetExecutionRole", # Name of role deployed in end users accounts.
allow_stack_set_instance_operations=True
)
```
Raw data
{
"_id": null,
"home_page": "https://github.com/aws/aws-cdk",
"name": "aws-cdk.aws-servicecatalog",
"maintainer": "",
"docs_url": null,
"requires_python": "~=3.7",
"maintainer_email": "",
"keywords": "",
"author": "Amazon Web Services",
"author_email": "",
"download_url": "https://files.pythonhosted.org/packages/9b/27/8dcd86a5c752af571ef46a63dd768117bfc11533f99363aaa46d400abc84/aws-cdk.aws-servicecatalog-1.204.0.tar.gz",
"platform": null,
"description": "# AWS Service Catalog Construct Library\n\n<!--BEGIN STABILITY BANNER-->---\n\n\n\n\n> AWS CDK v1 has reached End-of-Support on 2023-06-01.\n> This package is no longer being updated, and users should migrate to AWS CDK v2.\n>\n> For more information on how to migrate, see the [*Migrating to AWS CDK v2* guide](https://docs.aws.amazon.com/cdk/v2/guide/migrating-v2.html).\n\n---\n<!--END STABILITY BANNER-->\n\n[AWS Service Catalog](https://docs.aws.amazon.com/servicecatalog/latest/dg/what-is-service-catalog.html)\nenables organizations to create and manage catalogs of products for their end users that are approved for use on AWS.\n\n## Table Of Contents\n\n* [Portfolio](#portfolio)\n\n * [Granting access to a portfolio](#granting-access-to-a-portfolio)\n * [Sharing a portfolio with another AWS account](#sharing-a-portfolio-with-another-aws-account)\n* [Product](#product)\n\n * [Creating a product from a local asset](#creating-a-product-from-local-asset)\n * [Creating a product from a stack](#creating-a-product-from-a-stack)\n * [Creating a Product from a stack with a history of previous versions](#creating-a-product-from-a-stack-with-a-history-of-all-previous-versions)\n * [Adding a product to a portfolio](#adding-a-product-to-a-portfolio)\n* [TagOptions](#tag-options)\n* [Constraints](#constraints)\n\n * [Tag update constraint](#tag-update-constraint)\n * [Notify on stack events](#notify-on-stack-events)\n * [CloudFormation template parameters constraint](#cloudformation-template-parameters-constraint)\n * [Set launch role](#set-launch-role)\n * [Deploy with StackSets](#deploy-with-stacksets)\n\nThe `@aws-cdk/aws-servicecatalog` package contains resources that enable users to automate governance and management of their AWS resources at scale.\n\n```python\nimport aws_cdk.aws_servicecatalog as servicecatalog\n```\n\n## Portfolio\n\nAWS Service Catalog portfolios allow administrators to organize, manage, and distribute cloud resources for their end users.\nUsing the CDK, a new portfolio can be created with the `Portfolio` construct:\n\n```python\nservicecatalog.Portfolio(self, \"Portfolio\",\n display_name=\"MyPortfolio\",\n provider_name=\"MyTeam\"\n)\n```\n\nYou can also specify optional metadata properties such as `description` and `messageLanguage`\nto help better catalog and manage your portfolios.\n\n```python\nservicecatalog.Portfolio(self, \"Portfolio\",\n display_name=\"MyFirstPortfolio\",\n provider_name=\"SCAdmin\",\n description=\"Portfolio for a project\",\n message_language=servicecatalog.MessageLanguage.EN\n)\n```\n\nRead more at [Creating and Managing Portfolios](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios.html).\n\nTo reference an existing portfolio into your CDK application, use the `Portfolio.fromPortfolioArn()` factory method:\n\n```python\nportfolio = servicecatalog.Portfolio.from_portfolio_arn(self, \"ReferencedPortfolio\", \"arn:aws:catalog:region:account-id:portfolio/port-abcdefghi\")\n```\n\n### Granting access to a portfolio\n\nYou can grant access to and manage the `IAM` users, groups, or roles that have access to the products within a portfolio.\nEntities with granted access will be able to utilize the portfolios resources and products via the console or AWS CLI.\nOnce resources are deployed end users will be able to access them via the console or service catalog CLI.\n\n```python\nimport aws_cdk.aws_iam as iam\n\n# portfolio: servicecatalog.Portfolio\n\n\nuser = iam.User(self, \"User\")\nportfolio.give_access_to_user(user)\n\nrole = iam.Role(self, \"Role\",\n assumed_by=iam.AccountRootPrincipal()\n)\nportfolio.give_access_to_role(role)\n\ngroup = iam.Group(self, \"Group\")\nportfolio.give_access_to_group(group)\n```\n\n### Sharing a portfolio with another AWS account\n\nYou can use account-to-account sharing to distribute a reference to your portfolio to other AWS accounts by passing the recipient account number.\nAfter the share is initiated, the recipient account can accept the share via CLI or console by importing the portfolio ID.\nChanges made to the shared portfolio will automatically propagate to recipients.\n\n```python\n# portfolio: servicecatalog.Portfolio\n\nportfolio.share_with_account(\"012345678901\")\n```\n\n## Product\n\nProducts are version friendly infrastructure-as-code templates that admins create and add to portfolios for end users to provision and create AWS resources.\nService Catalog supports products from AWS Marketplace or ones defined by a CloudFormation template.\nThe CDK currently only supports adding products of type CloudFormation.\nUsing the CDK, a new Product can be created with the `CloudFormationProduct` construct.\nYou can use `CloudFormationTemplate.fromUrl` to create a Product from a CloudFormation template directly from a URL that points to the template in S3, GitHub, or CodeCommit:\n\n```python\nproduct = servicecatalog.CloudFormationProduct(self, \"MyFirstProduct\",\n product_name=\"My Product\",\n owner=\"Product Owner\",\n product_versions=[servicecatalog.CloudFormationProductVersion(\n product_version_name=\"v1\",\n cloud_formation_template=servicecatalog.CloudFormationTemplate.from_url(\"https://raw.githubusercontent.com/awslabs/aws-cloudformation-templates/master/aws/services/ServiceCatalog/Product.yaml\")\n )\n ]\n)\n```\n\n### Creating a product from a local asset\n\nA `CloudFormationProduct` can also be created by using a CloudFormation template held locally on disk using Assets.\nAssets are files that are uploaded to an S3 Bucket before deployment.\n`CloudFormationTemplate.fromAsset` can be utilized to create a Product by passing the path to a local template file on your disk:\n\n```python\nimport path as path\n\n\nproduct = servicecatalog.CloudFormationProduct(self, \"Product\",\n product_name=\"My Product\",\n owner=\"Product Owner\",\n product_versions=[servicecatalog.CloudFormationProductVersion(\n product_version_name=\"v1\",\n cloud_formation_template=servicecatalog.CloudFormationTemplate.from_url(\"https://raw.githubusercontent.com/awslabs/aws-cloudformation-templates/master/aws/services/ServiceCatalog/Product.yaml\")\n ), servicecatalog.CloudFormationProductVersion(\n product_version_name=\"v2\",\n cloud_formation_template=servicecatalog.CloudFormationTemplate.from_asset(path.join(__dirname, \"development-environment.template.json\"))\n )\n ]\n)\n```\n\n### Creating a product from a stack\n\nYou can create a Service Catalog `CloudFormationProduct` entirely defined with CDK code using a service catalog `ProductStack`.\nA separate child stack for your product is created and you can add resources like you would for any other CDK stack,\nsuch as an S3 Bucket, IAM roles, and EC2 instances. This stack is passed in as a product version to your\nproduct. This will not create a separate CloudFormation stack during deployment.\n\n```python\nimport aws_cdk.aws_s3 as s3\nimport aws_cdk.core as cdk\n\n\nclass S3BucketProduct(servicecatalog.ProductStack):\n def __init__(self, scope, id):\n super().__init__(scope, id)\n\n s3.Bucket(self, \"BucketProduct\")\n\nproduct = servicecatalog.CloudFormationProduct(self, \"Product\",\n product_name=\"My Product\",\n owner=\"Product Owner\",\n product_versions=[servicecatalog.CloudFormationProductVersion(\n product_version_name=\"v1\",\n cloud_formation_template=servicecatalog.CloudFormationTemplate.from_product_stack(S3BucketProduct(self, \"S3BucketProduct\"))\n )\n ]\n)\n```\n\n### Creating a Product from a stack with a history of previous versions\n\nThe default behavior of Service Catalog is to overwrite each product version upon deployment.\nThis applies to Product Stacks as well, where only the latest changes to your Product Stack will\nbe deployed.\nTo keep a history of the revisions of a ProductStack available in Service Catalog,\nyou would need to define a ProductStack for each historical copy.\n\nYou can instead create a `ProductStackHistory` to maintain snapshots of all previous versions.\nThe `ProductStackHistory` can be created by passing the base `productStack`,\na `currentVersionName` for your current version and a `locked` boolean.\nThe `locked` boolean which when set to true will prevent your `currentVersionName`\nfrom being overwritten when there is an existing snapshot for that version.\n\n```python\nimport aws_cdk.aws_s3 as s3\nimport aws_cdk.core as cdk\n\n\nclass S3BucketProduct(servicecatalog.ProductStack):\n def __init__(self, scope, id):\n super().__init__(scope, id)\n\n s3.Bucket(self, \"BucketProduct\")\n\nproduct_stack_history = servicecatalog.ProductStackHistory(self, \"ProductStackHistory\",\n product_stack=S3BucketProduct(self, \"S3BucketProduct\"),\n current_version_name=\"v1\",\n current_version_locked=True\n)\n```\n\nWe can deploy the current version `v1` by using `productStackHistory.currentVersion()`\n\n```python\nimport aws_cdk.aws_s3 as s3\nimport aws_cdk.core as cdk\n\n\nclass S3BucketProduct(servicecatalog.ProductStack):\n def __init__(self, scope, id):\n super().__init__(scope, id)\n\n s3.Bucket(self, \"BucketProductV2\")\n\nproduct_stack_history = servicecatalog.ProductStackHistory(self, \"ProductStackHistory\",\n product_stack=S3BucketProduct(self, \"S3BucketProduct\"),\n current_version_name=\"v2\",\n current_version_locked=True\n)\n\nproduct = servicecatalog.CloudFormationProduct(self, \"MyFirstProduct\",\n product_name=\"My Product\",\n owner=\"Product Owner\",\n product_versions=[\n product_stack_history.current_version()\n ]\n)\n```\n\nUsing `ProductStackHistory` all deployed templates for the ProductStack will be written to disk,\nso that they will still be available in the future as the definition of the `ProductStack` subclass changes over time.\n**It is very important** that you commit these old versions to source control as these versions\ndetermine whether a version has already been deployed and can also be deployed themselves.\n\nAfter using `ProductStackHistory` to deploy version `v1` of your `ProductStack`, we\nmake changes to the `ProductStack` and update the `currentVersionName` to `v2`.\nWe still want our `v1` version to still be deployed, so we reference it by calling `productStackHistory.versionFromSnapshot('v1')`.\n\n```python\nimport aws_cdk.aws_s3 as s3\nimport aws_cdk.core as cdk\n\n\nclass S3BucketProduct(servicecatalog.ProductStack):\n def __init__(self, scope, id):\n super().__init__(scope, id)\n\n s3.Bucket(self, \"BucketProductV2\")\n\nproduct_stack_history = servicecatalog.ProductStackHistory(self, \"ProductStackHistory\",\n product_stack=S3BucketProduct(self, \"S3BucketProduct\"),\n current_version_name=\"v2\",\n current_version_locked=True\n)\n\nproduct = servicecatalog.CloudFormationProduct(self, \"MyFirstProduct\",\n product_name=\"My Product\",\n owner=\"Product Owner\",\n product_versions=[\n product_stack_history.current_version(),\n product_stack_history.version_from_snapshot(\"v1\")\n ]\n)\n```\n\n### Adding a product to a portfolio\n\nYou add products to a portfolio to organize and distribute your catalog at scale. Adding a product to a portfolio creates an association,\nand the product will become visible within the portfolio side in both the Service Catalog console and AWS CLI.\nYou can add a product to multiple portfolios depending on your organizational structure and how you would like to group access to products.\n\n```python\n# portfolio: servicecatalog.Portfolio\n# product: servicecatalog.CloudFormationProduct\n\n\nportfolio.add_product(product)\n```\n\n## Tag Options\n\nTagOptions allow administrators to easily manage tags on provisioned products by providing a template for a selection of tags that end users choose from.\nTagOptions are created by specifying a tag key with a set of allowed values and can be associated with both portfolios and products.\nWhen launching a product, both the TagOptions associated with the product and the containing portfolio are made available.\n\nAt the moment, TagOptions can only be deactivated in the console.\n\n```python\n# portfolio: servicecatalog.Portfolio\n# product: servicecatalog.CloudFormationProduct\n\n\ntag_options_for_portfolio = servicecatalog.TagOptions(self, \"OrgTagOptions\",\n allowed_values_for_tags={\n \"Group\": [\"finance\", \"engineering\", \"marketing\", \"research\"],\n \"CostCenter\": [\"01\", \"02\", \"03\"]\n }\n)\nportfolio.associate_tag_options(tag_options_for_portfolio)\n\ntag_options_for_product = servicecatalog.TagOptions(self, \"ProductTagOptions\",\n allowed_values_for_tags={\n \"Environment\": [\"dev\", \"alpha\", \"prod\"]\n }\n)\nproduct.associate_tag_options(tag_options_for_product)\n```\n\n## Constraints\n\nConstraints are governance gestures that you place on product-portfolio associations that allow you to manage minimal launch permissions, notifications, and other optional actions that end users can perform on products.\nUsing the CDK, if you do not explicitly associate a product to a portfolio and add a constraint, it will automatically add an association for you.\n\nThere are rules around how constraints are applied to portfolio-product associations.\nFor example, you can only have a single \"launch role\" constraint applied to a portfolio-product association.\nIf a misconfigured constraint is added, `synth` will fail with an error message.\n\nRead more at [Service Catalog Constraints](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints.html).\n\n### Tag update constraint\n\nTag update constraints allow or disallow end users to update tags on resources associated with an AWS Service Catalog product upon provisioning.\nBy default, if a Tag Update constraint is not configured, tag updating is not permitted.\nIf tag updating is allowed, then new tags associated with the product or portfolio will be applied to provisioned resources during a provisioned product update.\n\n```python\n# portfolio: servicecatalog.Portfolio\n# product: servicecatalog.CloudFormationProduct\n\n\nportfolio.add_product(product)\nportfolio.constrain_tag_updates(product)\n```\n\nIf you want to disable this feature later on, you can update it by setting the \"allow\" parameter to `false`:\n\n```python\n# portfolio: servicecatalog.Portfolio\n# product: servicecatalog.CloudFormationProduct\n\n\n# to disable tag updates:\nportfolio.constrain_tag_updates(product,\n allow=False\n)\n```\n\n### Notify on stack events\n\nAllows users to subscribe an AWS `SNS` topic to a provisioned product's CloudFormation stack events.\nWhen an end user provisions a product it creates a CloudFormation stack that notifies the subscribed topic on creation, edit, and delete events.\nAn individual `SNS` topic may only have a single subscription to any given portfolio-product association.\n\n```python\nimport aws_cdk.aws_sns as sns\n\n# portfolio: servicecatalog.Portfolio\n# product: servicecatalog.CloudFormationProduct\n\n\ntopic1 = sns.Topic(self, \"Topic1\")\nportfolio.notify_on_stack_events(product, topic1)\n\ntopic2 = sns.Topic(self, \"Topic2\")\nportfolio.notify_on_stack_events(product, topic2,\n description=\"description for topic2\"\n)\n```\n\n### CloudFormation template parameters constraint\n\nCloudFormation template parameter constraints allow you to configure the provisioning parameters that are available to end users when they launch a product.\nTemplate constraint rules consist of one or more assertions that define the default and/or allowable values for a product\u2019s provisioning parameters.\nYou can configure multiple parameter constraints to govern the different provisioning parameters within your products.\nFor example, a rule might define the `EC2` instance types that users can choose from when launching a product that includes one or more `EC2` instances.\nParameter rules have an optional `condition` field that allow for rule application to consider conditional evaluations.\nIf a `condition` is specified, all assertions will be applied if the condition evaluates to true.\nFor information on rule-specific intrinsic functions to define rule conditions and assertions,\nsee [AWS Rule Functions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-rules.html).\n\n```python\nimport aws_cdk.core as cdk\n\n# portfolio: servicecatalog.Portfolio\n# product: servicecatalog.CloudFormationProduct\n\n\nportfolio.constrain_cloud_formation_parameters(product,\n rule=servicecatalog.TemplateRule(\n rule_name=\"testInstanceType\",\n condition=cdk.Fn.condition_equals(cdk.Fn.ref(\"Environment\"), \"test\"),\n assertions=[servicecatalog.TemplateRuleAssertion(\n assert=cdk.Fn.condition_contains([\"t2.micro\", \"t2.small\"], cdk.Fn.ref(\"InstanceType\")),\n description=\"For test environment, the instance type should be small\"\n )]\n )\n)\n```\n\n### Set launch role\n\nAllows you to configure a specific `IAM` role that Service Catalog assumes on behalf of the end user when launching a product.\nBy setting a launch role constraint, you can maintain least permissions for an end user when launching a product.\nFor example, a launch role can grant permissions for specific resource creation like an `S3` bucket that the user.\nThe launch role must be assumed by the Service Catalog principal.\nYou can only have one launch role set for a portfolio-product association,\nand you cannot set a launch role on a product that already has a StackSets deployment configured.\n\n```python\nimport aws_cdk.aws_iam as iam\n\n# portfolio: servicecatalog.Portfolio\n# product: servicecatalog.CloudFormationProduct\n\n\nlaunch_role = iam.Role(self, \"LaunchRole\",\n assumed_by=iam.ServicePrincipal(\"servicecatalog.amazonaws.com\")\n)\n\nportfolio.set_launch_role(product, launch_role)\n```\n\nYou can also set the launch role using just the name of a role which is locally deployed in end user accounts.\nThis is useful for when roles and users are separately managed outside of the CDK.\nThe given role must exist in both the account that creates the launch role constraint,\nas well as in any end user accounts that wish to provision a product with the launch role.\n\nYou can do this by passing in the role with an explicitly set name:\n\n```python\nimport aws_cdk.aws_iam as iam\n\n# portfolio: servicecatalog.Portfolio\n# product: servicecatalog.CloudFormationProduct\n\n\nlaunch_role = iam.Role(self, \"LaunchRole\",\n role_name=\"MyRole\",\n assumed_by=iam.ServicePrincipal(\"servicecatalog.amazonaws.com\")\n)\n\nportfolio.set_local_launch_role(product, launch_role)\n```\n\nOr you can simply pass in a role name and CDK will create a role with that name that trusts service catalog in the account:\n\n```python\nimport aws_cdk.aws_iam as iam\n\n# portfolio: servicecatalog.Portfolio\n# product: servicecatalog.CloudFormationProduct\n\n\nrole_name = \"MyRole\"\nlaunch_role = portfolio.set_local_launch_role_name(product, role_name)\n```\n\nSee [Launch Constraint](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints-launch.html) documentation\nto understand the permissions that launch roles need.\n\n### Deploy with StackSets\n\nA StackSets deployment constraint allows you to configure product deployment options using\n[AWS CloudFormation StackSets](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/using-stacksets.html).\nYou can specify one or more accounts and regions into which stack instances will launch when the product is provisioned.\nThere is an additional field `allowStackSetInstanceOperations` that sets ability for end users to create, edit, or delete the stacks created by the StackSet.\nBy default, this field is set to `false`.\nWhen launching a StackSets product, end users can select from the list of accounts and regions configured in the constraint to determine where the Stack Instances will deploy and the order of deployment.\nYou can only define one StackSets deployment configuration per portfolio-product association,\nand you cannot both set a launch role and StackSets deployment configuration for an assocation.\n\n```python\nimport aws_cdk.aws_iam as iam\n\n# portfolio: servicecatalog.Portfolio\n# product: servicecatalog.CloudFormationProduct\n\n\nadmin_role = iam.Role(self, \"AdminRole\",\n assumed_by=iam.AccountRootPrincipal()\n)\n\nportfolio.deploy_with_stack_sets(product,\n accounts=[\"012345678901\", \"012345678902\", \"012345678903\"],\n regions=[\"us-west-1\", \"us-east-1\", \"us-west-2\", \"us-east-1\"],\n admin_role=admin_role,\n execution_role_name=\"SCStackSetExecutionRole\", # Name of role deployed in end users accounts.\n allow_stack_set_instance_operations=True\n)\n```\n",
"bugtrack_url": null,
"license": "Apache-2.0",
"summary": "The CDK Construct Library for AWS::ServiceCatalog",
"version": "1.204.0",
"project_urls": {
"Homepage": "https://github.com/aws/aws-cdk",
"Source": "https://github.com/aws/aws-cdk.git"
},
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "35789fa796c6c1eaef754152bcbd67d12e17b42f7c73e463af5c37c124805575",
"md5": "4d611b64a637f537359b20f09cc95a66",
"sha256": "3a5d9024682c1e6e8c99b5a3f2bd8690e891c50a081a43a1529b2d44ef3f2782"
},
"downloads": -1,
"filename": "aws_cdk.aws_servicecatalog-1.204.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "4d611b64a637f537359b20f09cc95a66",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "~=3.7",
"size": 273744,
"upload_time": "2023-06-19T21:01:17",
"upload_time_iso_8601": "2023-06-19T21:01:17.423321Z",
"url": "https://files.pythonhosted.org/packages/35/78/9fa796c6c1eaef754152bcbd67d12e17b42f7c73e463af5c37c124805575/aws_cdk.aws_servicecatalog-1.204.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "9b278dcd86a5c752af571ef46a63dd768117bfc11533f99363aaa46d400abc84",
"md5": "0742428bea6af96dc125e10c27929285",
"sha256": "d6ef1802406d202254f8939aacc487518fb3d414caff4269d4e0bdcfd221c8e8"
},
"downloads": -1,
"filename": "aws-cdk.aws-servicecatalog-1.204.0.tar.gz",
"has_sig": false,
"md5_digest": "0742428bea6af96dc125e10c27929285",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "~=3.7",
"size": 274543,
"upload_time": "2023-06-19T21:07:22",
"upload_time_iso_8601": "2023-06-19T21:07:22.744718Z",
"url": "https://files.pythonhosted.org/packages/9b/27/8dcd86a5c752af571ef46a63dd768117bfc11533f99363aaa46d400abc84/aws-cdk.aws-servicecatalog-1.204.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-06-19 21:07:22",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "aws",
"github_project": "aws-cdk",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "aws-cdk.aws-servicecatalog"
}
JSON
