In this lab you will deploy a Service Catalog pipeline for managing and deploying CloudFormation templates using the AWS Service Catalog Reference Architectures github.com repository.
Launch a Cloud9 instance and run everything via Cloud9 IDE.
Name and Description to choose on Next step
git and jq packages
sudo yum install git jq -y
This reference architecture creates an AWS CodeCommit Repo, CodePipeline, and CodeBuild. This pipeline will allow infrastructure engineers to use Infrastructure as Code (IaC) to manage the Portfolios and Products across multiple accounts and regions in ServiceCatalog. The pipeline includes sample template validation and cfn_nag stages. Updating a ServiceCatalog becomes as easy as git push.
We use the README for the AWS Service Catalog Reference Architectures CodePipeline under the multi-account setup. In this case, we will use the Control Tower master account to be the hub, and an account factory account as a child.
bash and that you have jq, git, AWS credentials, and the AWS CLI installed (steps to deploy the Cloud9 environment are listed in the Prerequisites section)
PS: If you are on Mac, please install a t2.micro instance on the master account or use Cloud9 on the master account [instructions in Prerequisites section] for this lab. Make sure to install the git and jq packages on the new instance.
# Clone the Service Catalog Reference Architecture repository to your local desktop
cd ~
git clone https://github.com/aws-samples/aws-service-catalog-reference-architectures.git
child accounts and regions to deploy. You can use the master account to host the code and also as a child account. If you have created an Account Factory account, you can also specify it as a child account.
# List all the accounts in the organization - runs only on the Org. root account
aws organizations list-accounts --query 'Accounts[*].{email:Email,ID:Id}' --output table
# Capture the current region of operation
aws configure get region
cd ~/aws-service-catalog-reference-architectures/codepipeline/
childAcc="" parameter in ct_install_multi.sh to a space delimited list for the spoke accounts (DO NOT include the hub account here) such as:
childAcc="1234567890 0987654321"
./ct_install_multi.sh No. Otherwise run the command below.
# Install the required IAM Roles, Code Pipeline, and setup Service Catalog
./ct_install_multi.sh
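Because ct_install_multi.sh installs IAM roles into every account listed in childAcc, it is worth checking the list before running it. The function below is an added example, not part of the lab or the reference-architecture repository: validate_child_accounts is a hypothetical helper, and the account IDs in its comments are constructed. It enforces the 12-digit AWS account ID format, so the shortened sample values shown above are rejected.

```shell
#!/bin/sh
# Added example: sanity-check the spoke list before ct_install_multi.sh
# creates IAM roles in each listed account.
#
# validate_child_accounts HUB_ID "ID1 ID2 ..."
#   HUB_ID  account that hosts the pipeline (the hub)
#   list    the same space-delimited string set as childAcc
# Prints one line per problem to stderr; returns 0 only if the list is clean.
#
# In the lab shell (needs AWS credentials), the hub ID can be read with:
#   hub=$(aws sts get-caller-identity --query Account --output text)
#   validate_child_accounts "$hub" "222222222222 333333333333"   # constructed IDs
validate_child_accounts() {
    hub="$1"
    list="$2"
    rc=0
    n=0
    seen=" "

    # Intentional word splitting: childAcc is a space-delimited list.
    for id in $list; do
        n=$((n + 1))
        # AWS account IDs are exactly 12 decimal digits.
        case "$id" in
            *[!0-9]*) echo "not numeric: $id" >&2; rc=1; continue ;;
        esac
        if [ "${#id}" -ne 12 ]; then
            echo "not 12 digits: $id" >&2; rc=1; continue
        fi
        # The lab text says the hub must not appear in the spoke list.
        if [ "$id" = "$hub" ]; then
            echo "hub account listed as spoke: $id" >&2; rc=1
        fi
        # A repeated ID usually means a copy/paste slip in the list.
        case "$seen" in
            *" $id "*) echo "duplicate: $id" >&2; rc=1 ;;
        esac
        seen="$seen$id "
    done

    if [ "$n" -eq 0 ]; then
        echo "childAcc is empty: no spoke accounts listed" >&2
        rc=1
    fi
    return "$rc"
}
```

Comparing the accepted list against the output of aws organizations list-accounts confirms that every spoke ID belongs to the organization.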
In this part of the lab, we are going to continue with the AWS Service Catalog Reference Architectures CodePipeline under multi-account guide.
Again, we are using the master account to host the local copy of the repository in CodeCommit. We are also going to use temporary credentials from SSO rather than creating IAM users and using SSH.
# Setup the git credential helper
git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true
# Clone the empty repo
git clone https://git-codecommit.us-east-1.amazonaws.com/v1/repos/SCPortfoliosRepo
# Add content to the new repo
cd SCPortfoliosRepo
cp -r ../aws-service-catalog-reference-architectures/* .
git add *
git commit -a -m 'Initial clone of the aws-service-catalog-reference-architectures repository'
git push
ServiceCatalog-ProductPipeline in the master account and wait for it to complete.
In this section, we will make a very simple change to one of the templates and push the change to the pipeline.
We should be able to see that the change was propagated to all of the accounts.
sc-ec2-linux-apache-nokey.json that says “Congratulations, you have successfully — ”
sc-product-ec2-demowebserver.json to change the name of the product to “Apache v2.0 – alias@” (search for sc-ec2-linux-apache-nokey.json)
git commit -a -m 'silly modification to sc-ec2-linux-apache-nokey.json'
git push
SCPortfoliosRepo execute to completion
# ./ct_uninstall_multi.sh
https://github.com/aws-samples/aws-service-catalog-reference-architectures