New – Self-Service Provisioning of Terraform Open-Source Configurations with AWS Service Catalog
With AWS Service Catalog, you can create, govern, and manage a catalog of infrastructure as code (IaC) templates that are approved for use on AWS. These IaC templates can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. You can control which IaC templates and versions are available, what is configured by each version, and who can access each template based on individual, group, department, or cost center. End users such as engineers, database administrators, and data scientists can then quickly discover and self-service provision approved AWS resources that they need to use to perform their daily job functions.
When using Service Catalog, the first step is to create products based on your IaC templates. You can then collect products, together with configuration information, in a portfolio.
Starting today, you can define Service Catalog products and their resources using either AWS CloudFormation or HashiCorp Terraform and choose the tool that better aligns with your processes and expertise. You can now integrate your existing Terraform configurations into Service Catalog to have them as part of a centrally approved portfolio of products and share it with the AWS accounts used by your end users. In this way, you can prevent inconsistencies and mitigate the risk of noncompliance.
When resources are deployed by Service Catalog, you can maintain least privilege access during provisioning and govern tagging on the deployed resources. End users of Service Catalog pick and choose what they need from the list of products and versions they have access to. Then, they can provision products in a single action regardless of the technology (CloudFormation or Terraform) used for the deployment.
The Service Catalog hub-and-spoke model that enables organizations to govern at scale can now be extended to include Terraform configurations. With the Service Catalog hub-and-spoke model, you can centrally manage deployments using an administration/user account relationship:
- One administration account – Used to create Service Catalog products, organize them into portfolios, and share portfolios with user accounts
- A number of user accounts (up to hundreds) – A user account is any AWS account in which the end users of Service Catalog are provisioning resources.
Let’s see how this works in practice.
Creating an AWS Service Catalog Product Using Terraform
To get started, I set up the Terraform Reference Engine (provided by AWS on GitHub) that configures the code and infrastructure required for the Terraform open-source engine to work with AWS Service Catalog. I only need to do this once, in the administration account for Service Catalog, and the setup takes just minutes. I use the automated installation script:
./deploy-tre.sh -r us-east-1
To keep things simple for this post, I create a product deploying a single EC2 instance using AWS Graviton processors and the Amazon Linux 2023 operating system. Here’s the content of my main.tf file:
I sign in to the AWS Management Console in the administration account for Service Catalog. In the Service Catalog console, I choose Product list in the Administration section of the navigation pane. There, I choose Create product.
In Product details, I select Terraform open source as Product type. I enter a product name and description and the name of the owner.
In the Version details, I choose to Add a template file (using a tar.gz archive). Optionally, I can specify the template using an S3 URL or an external code repository (on GitHub, GitHub Enterprise Server, or Bitbucket) using an AWS CodeStar provider.
I enter support details and custom tags. Note that tags can be used to categorize your resources and also to check permissions to create a resource. Then, I complete the creation of the product.
Adding an AWS Service Catalog Product Using Terraform to a Portfolio
Now that the Terraform product is ready, I add it to my portfolio. A portfolio can include both Terraform and CloudFormation products. I choose Portfolios from the Administrator section of the navigation pane. There, I search for my portfolio by name and open it. I choose Add product to portfolio. I search for the Terraform product by name and select it.
Terraform products require a launch constraint. The launch constraint specifies the name of an AWS Identity and Access Management (IAM) role that is used to deploy the product. I must separately ensure that this role is created in every account with which the product is shared.
The launch role is assumed by the Terraform open-source engine in the administration account when an end user launches, updates, or terminates a product. The launch role also contains permissions to describe, create, and update a resource group for the provisioned product and tag the product resources. In this way, Service Catalog keeps the resource group up-to-date and tags the resources associated with the product.
The launch role enables least privilege access for end users. With this role, end users don’t need permission to directly provision the product’s underlying resources because your Terraform open-source engine assumes the launch role to provision those resources, such as an approved configuration of an Amazon Elastic Compute Cloud (Amazon EC2) instance.
In the Launch constraint section, I choose Enter role name to use a role I created before for this product:
- The trust relationship of the role defines the entities that can assume the role. For this role, the trust relationship includes Service Catalog and the administration account that contains the Terraform Reference Engine.
- For permissions, the role allows provisioning, updating, and terminating the resources required by my product and managing resource groups and tags on those resources.
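A check of a launch role's trust relationship against the two entities named above, as an added example that is not code from the original post or from the Terraform Reference Engine. The account ID, the engine role name in the condition, and the sample policy are constructed placeholders.

```python
import json

# Constructed sample: the account ID and engine role name are placeholders,
# not values from the post or from the Terraform Reference Engine.
ADMIN_ACCOUNT_ID = "111122223333"
SERVICE_CATALOG = "servicecatalog.amazonaws.com"
SAMPLE_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"Service": "servicecatalog.amazonaws.com"}},
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Condition": {"StringLike": {"aws:PrincipalArn":
       "arn:aws:iam::111122223333:role/EXAMPLE-ENGINE-ROLE*"}}}
]}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, admin_account_id):
    """List Allow statements that trust more than the two expected entities."""
    findings = []
    account_root = f"arn:aws:iam::{admin_account_id}:root"
    role_prefix = f"arn:aws:iam::{admin_account_id}:role/"
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value == SERVICE_CATALOG:
                    continue
                if kind == "AWS" and value.startswith(role_prefix):
                    continue  # a specific role in the administration account
                if kind == "AWS" and value in (account_root, admin_account_id):
                    # Account-wide trust: any principal there with
                    # sts:AssumeRole rights qualifies unless a Condition narrows it.
                    if "Condition" not in stmt:
                        findings.append(f"statement {i}: account {value} "
                                        "trusted without a Condition")
                    continue
                findings.append(f"statement {i}: unexpected {kind} principal {value}")
    return findings
```

Because the role must exist in every account the product is shared with, the same check can be run over each account's copy of the trust policy to catch drift.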
I complete the addition of the product to my portfolio. Now the product is available to the end users who have access to this portfolio.
Launching an AWS Service Catalog Product Using Terraform
End users see the list of products and versions they have access to and can deploy them in a single action. If you already use Service Catalog, the experience is the same as with CloudFormation products.
I sign in to the AWS Console in the user account for Service Catalog. The portfolio I used before has been shared by the administration account with this user account. In the Service Catalog console, I choose Products from the Provisioning group in the navigation pane. I search for the product by name and choose Launch product.
I let Service Catalog generate a unique name for the provisioned product and select the product version to deploy. Then, I launch the product.
After a few minutes, the product has been deployed and is available. The deployment has been managed by the Terraform Reference Engine.
In the Associated tags tab, I see that Service Catalog automatically added information on the portfolio and the product.
In the Resources tab, I see the resources created by the provisioned product. As expected, it’s an EC2 instance, and I can follow the link to open the Amazon EC2 console and get more information.
End users such as engineers, database administrators, and data scientists can continue to use Service Catalog and launch the products they need without having to consider whether they are provisioned using Terraform or CloudFormation.
Availability and Pricing
AWS Service Catalog support for Terraform open-source configurations is available today in all AWS Regions where it is offered. There is no change in pricing when using Terraform. With Service Catalog, you pay for the API calls you make to the service, and you can start for free with the free tier. You also pay for the resources used and created by the Terraform Reference Engine. For more information, see Service Catalog Pricing.
Enable self-service provisioning at scale for your Terraform open-source configurations.
— Danilo