Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@aws-cdk/aws-servicecatalog
Advanced tools
All classes with the
Cfn
prefix in this module (CFN Resources) are always stable and safe to use.
The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
AWS Service Catalog enables organizations to create and manage catalogs of products for their end users that are approved for use on AWS.
The @aws-cdk/aws-servicecatalog
package contains resources that enable users to automate governance and management of their AWS resources at scale.
import * as servicecatalog from '@aws-cdk/aws-servicecatalog';
AWS Service Catalog portfolios allow admins to manage products that their end users have access to.
Using the CDK, a new portfolio can be created with the Portfolio
construct:
new servicecatalog.Portfolio(this, 'MyFirstPortfolio', {
displayName: 'MyFirstPortfolio',
providerName: 'MyTeam',
});
You can also specify properties such as description
and acceptLanguage
to help better catalog and manage your portfolios.
new servicecatalog.Portfolio(this, 'MyFirstPortfolio', {
displayName: 'MyFirstPortfolio',
providerName: 'MyTeam',
description: 'Portfolio for a project',
messageLanguage: servicecatalog.MessageLanguage.EN,
});
Read more at Creating and Managing Portfolios.
A portfolio that has been created outside the stack can be imported into your CDK app.
Portfolios can be imported by their ARN via the Portfolio.fromPortfolioArn()
API:
const portfolio = servicecatalog.Portfolio.fromPortfolioArn(this, 'MyImportedPortfolio',
'arn:aws:catalog:region:account-id:portfolio/port-abcdefghi');
You can manage end user access to a portfolio by granting permissions to IAM
entities like a user, group, or role.
Once resources are deployed end users will be able to access them via the console or service catalog CLI.
import * as iam from '@aws-cdk/aws-iam';
const user = new iam.User(this, 'MyUser');
portfolio.giveAccessToUser(user);
const role = new iam.Role(this, 'MyRole', {
assumedBy: new iam.AccountRootPrincipal(),
});
portfolio.giveAccessToRole(role);
const group = new iam.Group(this, 'MyGroup');
portfolio.giveAccessToGroup(group);
A portfolio can be programatically shared with other accounts so that specified users can also access it:
portfolio.shareWithAccount('012345678901');
Products are the resources you are allowing end users to provision and utilize.
The CDK currently only supports adding products of type Cloudformation product.
Using the CDK, a new Product can be created with the CloudFormationProduct
construct.
CloudFormationTemplate.fromUrl
can be utilized to create a Product using a Cloudformation template directly from an URL:
const product = new servicecatalog.CloudFormationProduct(this, 'MyFirstProduct', {
productName: "My Product",
owner: "Product Owner",
productVersions: [
{
productVersionName: "v1",
cloudFormationTemplate: servicecatalog.CloudFormationTemplate.fromUrl(
'https://raw.githubusercontent.com/awslabs/aws-cloudformation-templates/master/aws/services/ServiceCatalog/Product.yaml'),
},
]
});
A CloudFormationProduct
can also be created using a Cloudformation template from an Asset.
Assets are files that are uploaded to an S3 Bucket before deployment.
CloudFormationTemplate.fromAsset
can be utilized to create a Product by passing the path to a local template file on your disk:
import * as path from 'path';
const product = new servicecatalog.CloudFormationProduct(this, 'MyFirstProduct', {
productName: "My Product",
owner: "Product Owner",
productVersions: [
{
productVersionName: "v1",
cloudFormationTemplate: servicecatalog.CloudFormationTemplate.fromUrl(
'https://raw.githubusercontent.com/awslabs/aws-cloudformation-templates/master/aws/services/ServiceCatalog/Product.yaml'),
},
{
productVersionName: "v2",
cloudFormationTemplate: servicecatalog.CloudFormationTemplate.fromAsset(path.join(__dirname, 'development-environment.template.json')),
},
]
});
You add products to a portfolio to manage your resources at scale. After adding a product to a portfolio, it creates a portfolio-product association, and will become visible from the portfolio side in both the console and service catalog CLI. A product can be added to multiple portfolios depending on your resource and organizational needs.
portfolio.addProduct(product);
TagOptions allow administrators to easily manage tags on provisioned products by creating a selection of tags for end users to choose from.
For example, an end user can choose an ec2
for the instance type size.
TagOptions are created by specifying a key with a selection of values.
At the moment, TagOptions can only be disabled in the console.
const tagOptions = new servicecatalog.TagOptions({
ec2InstanceType: ['A1', 'M4'],
ec2InstanceSize: ['medium', 'large'],
});
portfolio.associateTagOptions(tagOptions);
Constraints define governance mechanisms that allow you to manage permissions, notifications, and options related to actions end users can perform on products, Constraints are applied on a portfolio-product association. Using the CDK, if you do not explicitly associate a product to a portfolio and add a constraint, it will automatically add an association for you.
There are rules around plurariliites of constraints for a portfolio and product.
For example, you can only have a single "tag update" constraint applied to a portfolio-product association.
If a misconfigured constraint is added, synth
will fail with an error message.
Read more at Service Catalog Constraints.
Tag update constraints allow or disallow end users to update tags on resources associated with an AWS Service Catalog product upon provisioning. By default, tag updating is not permitted. If tag updating is allowed, then new tags associated with the product or portfolio will be applied to provisioned resources during a provisioned product update.
portfolio.addProduct(product);
portfolio.constrainTagUpdates(product);
If you want to disable this feature later on, you can update it by setting the "allow" parameter to false
:
// to disable tag updates:
portfolio.constrainTagUpdates(product, {
allow: false,
});
Allows users to subscribe an AWS SNS
topic to the stack events of the product.
When an end user provisions a product it creates a product stack that notifies the subscribed topic on creation, edit, and delete events.
An individual SNS
topic may only be subscribed once to a portfolio-product association.
import * as sns from '@aws-cdk/aws-sns';
const topic1 = new sns.Topic(this, 'MyTopic1');
portfolio.notifyOnStackEvents(product, topic1);
const topic2 = new sns.Topic(this, 'MyTopic2');
portfolio.notifyOnStackEvents(product, topic2, {
description: 'description for this topic2', // description is an optional field.
});
Allows you to configure a specific AWS IAM
role that a user must assume when launching a product.
By setting this launch role, you can control what policies and privileges end users can have.
The launch role must be assumed by the service catalog principal.
You can only have one launch role set for a portfolio-product association, and you cannot set a launch role if a StackSets deployment has been configured.
import * as iam from '@aws-cdk/aws-iam';
const launchRole = new iam.Role(this, 'LaunchRole', {
assumedBy: new iam.ServicePrincipal('servicecatalog.amazonaws.com'),
});
portfolio.setLaunchRole(product, launchRole);
See Launch Constraint documentation to understand permissions roles need.
A StackSets deployment constraint allows you to configure product deployment options using
AWS CloudFormation StackSets.
You can specify multiple accounts and regions for the product launch following StackSets conventions.
There is an additional field allowStackSetInstanceOperations
that configures ability for end users to create, edit, or delete the stacks.
By default, this field is set to false
.
End users can manage those accounts and determine where products deploy and the order of deployment.
You can only define one StackSets deployment configuration per portfolio-product association,
and you cannot both set a launch role and StackSets deployment configuration for an assocation.
import * as iam from '@aws-cdk/aws-iam';
const adminRole = new iam.Role(this, 'AdminRole', {
assumedBy: new iam.AccountRootPrincipal(),
});
portfolio.deployWithStackSets(product, {
accounts: ['012345678901', '012345678902', '012345678903'],
regions: ['us-west-1', 'us-east-1', 'us-west-2', 'us-east-1'],
adminRole: adminRole,
executionRoleName: 'SCStackSetExecutionRole', // Name of role deployed in end users accounts.
allowStackSetInstanceOperations: true,
});
1.116.0 (2021-07-28)
FAQs
The CDK Construct Library for AWS::ServiceCatalog
The npm package @aws-cdk/aws-servicecatalog receives a total of 18,543 weekly downloads. As such, @aws-cdk/aws-servicecatalog popularity was classified as popular.
We found that @aws-cdk/aws-servicecatalog demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.