Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@aws-cdk/aws-servicecatalog
Advanced tools
All classes with the
Cfn
prefix in this module (CFN Resources) are always stable and safe to use.
The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
AWS Service Catalog enables organizations to create and manage catalogs of products for their end users that are approved for use on AWS.
The @aws-cdk/aws-servicecatalog
package contains resources that enable users to automate governance and management of their AWS resources at scale.
import * as servicecatalog from '@aws-cdk/aws-servicecatalog';
AWS Service Catalog portfolios allow admins to manage products that their end users have access to.
Using the CDK, a new portfolio can be created with the Portfolio
construct:
new servicecatalog.Portfolio(this, 'MyFirstPortfolio', {
displayName: 'MyFirstPortfolio',
providerName: 'MyTeam',
});
You can also specify properties such as description
and acceptLanguage
to help better catalog and manage your portfolios.
new servicecatalog.Portfolio(this, 'MyFirstPortfolio', {
displayName: 'MyFirstPortfolio',
providerName: 'MyTeam',
description: 'Portfolio for a project',
messageLanguage: servicecatalog.MessageLanguage.EN,
});
Read more at Creating and Managing Portfolios.
A portfolio that has been created outside the stack can be imported into your CDK app.
Portfolios can be imported by their ARN via the Portfolio.fromPortfolioArn()
API:
const portfolio = servicecatalog.Portfolio.fromPortfolioArn(this, 'MyImportedPortfolio',
'arn:aws:catalog:region:account-id:portfolio/port-abcdefghi');
You can manage end user access to a portfolio by granting permissions to IAM
entities like a user, group, or role.
Once resources are deployed end users will be able to access them via the console or service catalog CLI.
import * as iam from '@aws-cdk/aws-iam';
const user = new iam.User(this, 'MyUser');
portfolio.giveAccessToUser(user);
const role = new iam.Role(this, 'MyRole', {
assumedBy: new iam.AccountRootPrincipal(),
});
portfolio.giveAccessToRole(role);
const group = new iam.Group(this, 'MyGroup');
portfolio.giveAccessToGroup(group);
A portfolio can be programatically shared with other accounts so that specified users can also access it:
portfolio.shareWithAccount('012345678901');
Products are the resources you are allowing end users to provision and utilize.
The CDK currently only supports adding products of type Cloudformation product.
Using the CDK, a new Product can be created with the CloudFormationProduct
construct.
CloudFormationTemplate.fromUrl
can be utilized to create a Product using a Cloudformation template directly from an URL:
const product = new servicecatalog.CloudFormationProduct(this, 'MyFirstProduct', {
productName: "My Product",
owner: "Product Owner",
productVersions: [
{
productVersionName: "v1",
cloudFormationTemplate: servicecatalog.CloudFormationTemplate.fromUrl(
'https://raw.githubusercontent.com/awslabs/aws-cloudformation-templates/master/aws/services/ServiceCatalog/Product.yaml'),
},
],
});
A CloudFormationProduct
can also be created using a Cloudformation template from an Asset.
Assets are files that are uploaded to an S3 Bucket before deployment.
CloudFormationTemplate.fromAsset
can be utilized to create a Product by passing the path to a local template file on your disk:
import * as path from 'path';
const product = new servicecatalog.CloudFormationProduct(this, 'MyFirstProduct', {
productName: "My Product",
owner: "Product Owner",
productVersions: [
{
productVersionName: "v1",
cloudFormationTemplate: servicecatalog.CloudFormationTemplate.fromUrl(
'https://raw.githubusercontent.com/awslabs/aws-cloudformation-templates/master/aws/services/ServiceCatalog/Product.yaml'),
},
{
productVersionName: "v2",
cloudFormationTemplate: servicecatalog.CloudFormationTemplate.fromAsset(path.join(__dirname, 'development-environment.template.json')),
},
],
});
You can define a service catalog CloudFormationProduct
entirely within CDK using a service catalog ProductStack
.
A separate child stack for your product is created and you can add resources like you would for any other CDK stack,
such as an S3 Bucket, IAM roles, and EC2 instances. This stack is passed in as a product version to your
product. This will not create a separate stack during deployment.
import * as s3 from '@aws-cdk/aws-s3';
import * as cdk from '@aws-cdk/core';
class S3BucketProduct extends servicecatalog.ProductStack {
constructor(scope: cdk.Construct, id: string) {
super(scope, id);
new s3.Bucket(this, 'BucketProduct');
}
}
const product = new servicecatalog.CloudFormationProduct(this, 'MyFirstProduct', {
productName: "My Product",
owner: "Product Owner",
productVersions: [
{
productVersionName: "v1",
cloudFormationTemplate: servicecatalog.CloudFormationTemplate.fromProductStack(new S3BucketProduct(this, 'S3BucketProduct')),
},
],
});
You add products to a portfolio to manage your resources at scale. After adding a product to a portfolio, it creates a portfolio-product association, and will become visible from the portfolio side in both the console and service catalog CLI. A product can be added to multiple portfolios depending on your resource and organizational needs.
portfolio.addProduct(product);
TagOptions allow administrators to easily manage tags on provisioned products by creating a selection of tags for end users to choose from.
For example, an end user can choose an ec2
for the instance type size.
TagOptions are created by specifying a key with a selection of values and can be associated with both portfolios and products.
When launching a product, both the TagOptions associated with the product and the containing portfolio are made available.
At the moment, TagOptions can only be disabled in the console.
const tagOptionsForPortfolio = new servicecatalog.TagOptions({
costCenter: ['Data Insights', 'Marketing'],
});
portfolio.associateTagOptions(tagOptionsForPortfolio);
const tagOptionsForProduct = new servicecatalog.TagOptions({
ec2InstanceType: ['A1', 'M4'],
ec2InstanceSize: ['medium', 'large'],
});
product.associateTagOptions(tagOptionsForProduct);
Constraints define governance mechanisms that allow you to manage permissions, notifications, and options related to actions end users can perform on products, Constraints are applied on a portfolio-product association. Using the CDK, if you do not explicitly associate a product to a portfolio and add a constraint, it will automatically add an association for you.
There are rules around plurariliites of constraints for a portfolio and product.
For example, you can only have a single "tag update" constraint applied to a portfolio-product association.
If a misconfigured constraint is added, synth
will fail with an error message.
Read more at Service Catalog Constraints.
Tag update constraints allow or disallow end users to update tags on resources associated with an AWS Service Catalog product upon provisioning. By default, tag updating is not permitted. If tag updating is allowed, then new tags associated with the product or portfolio will be applied to provisioned resources during a provisioned product update.
portfolio.addProduct(product);
portfolio.constrainTagUpdates(product);
If you want to disable this feature later on, you can update it by setting the "allow" parameter to false
:
// to disable tag updates:
portfolio.constrainTagUpdates(product, {
allow: false,
});
Allows users to subscribe an AWS SNS
topic to the stack events of the product.
When an end user provisions a product it creates a product stack that notifies the subscribed topic on creation, edit, and delete events.
An individual SNS
topic may only be subscribed once to a portfolio-product association.
import * as sns from '@aws-cdk/aws-sns';
const topic1 = new sns.Topic(this, 'MyTopic1');
portfolio.notifyOnStackEvents(product, topic1);
const topic2 = new sns.Topic(this, 'MyTopic2');
portfolio.notifyOnStackEvents(product, topic2, {
description: 'description for this topic2', // description is an optional field.
});
CloudFormation parameters constraints allow you to configure the that are available to end users when they launch a product via defined rules.
A rule consists of one or more assertions that narrow the allowable values for parameters in a product.
You can configure multiple parameter constraints to govern the different parameters and parameter options in your products.
For example, a rule might define the various instance types that users can choose from when launching a stack that includes EC2 instances.
A parameter rule has an optional condition
field that allows ability to configure when rules are applied.
If a condition
is specified, all the assertions will be applied if the condition evalutates to true.
For information on rule-specific intrinsic functions to define rule conditions and assertions,
see AWS Rule Functions.
import * as cdk from '@aws-cdk/core';
portfolio.constrainCloudFormationParameters(product, {
rule: {
ruleName: 'testInstanceType',
condition: cdk.Fn.conditionEquals(cdk.Fn.ref('Environment'), 'test'),
assertions: [{
assert: cdk.Fn.conditionContains(['t2.micro', 't2.small'], cdk.Fn.ref('InstanceType')),
description: 'For test environment, the instance type should be small',
}],
},
});
Allows you to configure a specific AWS IAM
role that a user must assume when launching a product.
By setting this launch role, you can control what policies and privileges end users can have.
The launch role must be assumed by the service catalog principal.
You can only have one launch role set for a portfolio-product association, and you cannot set a launch role if a StackSets deployment has been configured.
import * as iam from '@aws-cdk/aws-iam';
const launchRole = new iam.Role(this, 'LaunchRole', {
assumedBy: new iam.ServicePrincipal('servicecatalog.amazonaws.com'),
});
portfolio.setLaunchRole(product, launchRole);
You can also set the launch role using just the name of a role which is locally deployed in end user accounts. This is useful for when roles and users are separately managed outside of the CDK. The given role must exist in both the account that creates the launch role constraint, as well as in any end user accounts that wish to provision a product with the launch role.
You can do this by passing in the role with an explicitly set name:
import * as iam from '@aws-cdk/aws-iam';
const launchRole = new iam.Role(this, 'LaunchRole', {
roleName: 'MyRole',
assumedBy: new iam.ServicePrincipal('servicecatalog.amazonaws.com'),
});
portfolio.setLocalLaunchRole(product, launchRole);
Or you can simply pass in a role name and CDK will create a role with that name that trusts service catalog in the account:
import * as iam from '@aws-cdk/aws-iam';
const roleName = 'MyRole';
const launchRole: iam.IRole = portfolio.setLocalLaunchRoleName(product, roleName);
See Launch Constraint documentation to understand the permissions roles need.
A StackSets deployment constraint allows you to configure product deployment options using
AWS CloudFormation StackSets.
You can specify multiple accounts and regions for the product launch following StackSets conventions.
There is an additional field allowStackSetInstanceOperations
that configures ability for end users to create, edit, or delete the stacks.
By default, this field is set to false
.
End users can manage those accounts and determine where products deploy and the order of deployment.
You can only define one StackSets deployment configuration per portfolio-product association,
and you cannot both set a launch role and StackSets deployment configuration for an assocation.
import * as iam from '@aws-cdk/aws-iam';
const adminRole = new iam.Role(this, 'AdminRole', {
assumedBy: new iam.AccountRootPrincipal(),
});
portfolio.deployWithStackSets(product, {
accounts: ['012345678901', '012345678902', '012345678903'],
regions: ['us-west-1', 'us-east-1', 'us-west-2', 'us-east-1'],
adminRole: adminRole,
executionRoleName: 'SCStackSetExecutionRole', // Name of role deployed in end users accounts.
allowStackSetInstanceOperations: true,
});
1.135.0 (2021-12-10)
authorizerName
in HttpJwtAuthorizerProps
has changed.HttpJwtAuthorizer
now takes the
construct id and the target jwt issuer as part of its constructor.HttpLambdaAuthorizer
now takes
the construct id and the target lambda function handler as part of
its constructor.authorizerName
in HttpUserPoolAuthorizerProps
has changed.HttpIntegration
and WebSocketIntegration
classes require an "id" parameter to be provided during its initialization.LambdaWebSocketIntegration
is now
renamed to WebSocketLambdaIntegration
. The new class accepts the
handler to the target lambda function directly in its constructor.HttpProxyIntegration
and
HttpProxyIntegrationProps
are now renamed to HttpUrlIntegration
and HttpUrlIntegrationProps
respectively. The new class accepts the
target url directly in its constructor.LambdaProxyIntegration
and
LambdaProxyIntegrationProps
are now renamed to
HttpLambdaIntegration
and HttpLambdaIntegrationProps
respectively.
The new class accepts the lambda function handler directly in its
constructor.HttpAlbIntegration
now accepts the
ELB listener directly in its constructor.HttpNlbIntegration
now accepts the
ELB listener directly in its constructor.HttpServiceDiscoveryIntegration
now
accepts the service discovery Service directly in its constructor.UserPoolAuthorizerProps
is now
renamed to HttpUserPoolAuthorizerProps
.IHttpRouteIntegration
is replaced by
the abstract class HttpRouteIntegration
.IWebSocketRouteIntegration
is now
replaced by the abstract class WebSocketRouteIntegration
.HttpApi
instances
(or WebSocketApi
instances). This is now disallowed, and separate
instances must be created for each instance of HttpApi
or
WebSocketApi
.fromGroupName()
for IAM groups (#17243) (29b379c)stringLike()
(#17692) (37596e6)Stage
(#17730) (f17f29e), closes #17643waitForReplicationToFinish
fails deployment (#17842) (36b8fdb), closes #16983nodeModules
(#17851) (5737c33), closes #17830nodeModules
fails with paths containing spaces (#17632) (986f291), closes #17631FAQs
The CDK Construct Library for AWS::ServiceCatalog
The npm package @aws-cdk/aws-servicecatalog receives a total of 18,543 weekly downloads. As such, @aws-cdk/aws-servicecatalog popularity was classified as popular.
We found that @aws-cdk/aws-servicecatalog demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.