AWS Service Catalog and Terraform Terminology
This solution requires that a Terraform server be deployed and available. You can use an existing Terraform server, or you can deploy a new Terraform server using the supplied CloudFormation templates. The supplied CloudFormation templates will create a new Amazon Elastic Compute Cloud (Amazon EC2) instance and install Terraform.
You can use one Terraform server to target resources across multiple AWS accounts. For the purposes of this lab, we will name the AWS account where the Terraform server resides the “hub account”. Accounts that send requests to the server and contain the provisioned resource will be called “spoke accounts”. For the Terraform server to operate, you must create AWS Identity and Access Management (IAM) roles in each of the spoke accounts and create an AWS Lambda launch function in each desired region of each spoke account. For example, a deployment for 3 accounts that each use us-east-1 and us-east-2 regions will result in 1 Terraform server account, 3 spoke account roles, and 6 Lambda launch functions. The hub account and region containing the Terraform server may also be a spoke account, in which case you must also deploy the IAM role and Lambda launch functions in the hub account and region.
The key to the solution is a CloudFormation template that acts as a proxy to Terraform. The CloudFormation template uses a custom resource, implemented via an AWS Lambda function, to call the Terraform APIs. The CloudFormation template can then be customized to capture specific parameters and used to create an AWS Service Catalog product.
The Terraform files are placed in an Amazon Simple Storage Service (Amazon S3) bucket that can be accessed from AWS Service Catalog.
Once the solution is deployed, end users in each spoke account can launch AWS Service Catalog products. Information about which Terraform file to use, input parameters, and an IAM permission role is passed to the Terraform server from the CloudFormation template. The Terraform server uses this information to manage AWS resources in the originating spoke account. The outputs of the Terraform server are stored in the Amazon S3 Output State Files bucket. The end user has access to this bucket via the AWS Service Catalog GUI or API.
Log in using a user with an administrator role.
It is assumed that the user has Administrative privileges in IAM for S3, CloudFormation, EC2, VPC, Lambda, and Service Catalog.
Unzip the file into a folder so that the aws-service-catalog-terraform-reference-architecture folder is created.
Sign in to the AWS Console and navigate to the S3 console.
Verify the region.
Choose the Create bucket button.
Enter scterraform-[YOUR-ACCOUNT-ID] for the Bucket Name.
Choose Next.
On the Properties page choose Next.
On the Set permissions page choose Next.
On the Review page choose Create Bucket.
Choose the scterraform-[YOUR-ACCOUNT-ID] bucket.
Choose the Upload button.
Use the file explorer opened earlier to drag over the following folders.
Wait until the Status changes to CREATE_COMPLETE, which indicates that the stack is created.
The stack output will look similar to the image below:
Select and drag over the following files.
Choose Upload.
In the S3 Bucket, choose the sc-sample-port-product-setup.json file
Right-click and copy the URL.
Navigate to the CloudFormation console
Verify the region.
Choose Create Stack.
Under Choose a template, select Specify an Amazon S3 template URL.
Paste the URL you copied in the step above.
For Stack name, type SCTFportfoliosetup.
For all the other parameters use the defaults.
Choose Next.
Choose Create Stack to create the Service Catalog Sample Terraform Portfolio.
When the stack is complete
Get information on who you are logged in as.
Add access to the Service Catalog portfolio.
Each Service Catalog product that Terraform launches needs permissions. The default setup creates the TerraformResourceCreationRole; you need to give it enough permission to manage the resources.
First you need to ensure that Terraform has the appropriate permissions to launch the CloudFormation stack.
Note that it is an AWS best practice to abide by the principle of least privilege, granting only the permissions required to perform a task. Determine what users and roles need to do and then craft policies that allow them to perform only those tasks. For the sake of this lab, granting AdministratorAccess to this role is okay, but it is typically not advised.
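As an added example (not code from the lab or from the reference architecture), the following Python checks an IAM policy document for the wildcard grants that AdministratorAccess implies, and builds a trust policy for a spoke-account role that only the hub account can assume. The S3 actions, bucket prefix and account ID are constructed placeholders, and it is an assumption that the hub account's Terraform server is the principal that assumes the spoke roles.

```python
import json

# Constructed: the effective grant of AdministratorAccess (the lab's shortcut).
ADMIN_LIKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: a scoped alternative. The actions and bucket prefix are
# assumptions, not taken from the lab; scope them to what the product creates.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:CreateBucket", "s3:PutBucketTagging", "s3:DeleteBucket"],
        "Resource": "arn:aws:s3:::scterraform-product-*",
    }],
}

def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def find_wildcard_grants(policy: dict) -> list:
    """Return one finding per Allow statement that grants every action or every resource."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            findings.append(f"statement {i}: wildcard action")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: wildcard resource")
    return findings

def spoke_role_trust_policy(hub_account_id: str) -> dict:
    """Trust policy for a spoke role; assumes the hub account's Terraform server assumes it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{hub_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }

if __name__ == "__main__":
    print(find_wildcard_grants(ADMIN_LIKE_POLICY), find_wildcard_grants(SCOPED_POLICY))
    print(json.dumps(spoke_role_trust_policy("111122223333"), indent=2))
```

Run the check against the policy documents attached to TerraformResourceCreationRole before the lab's AdministratorAccess shortcut reaches anything beyond a lab account.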
You have completed setting up the Service Catalog Terraform Reference Architecture components in a single account. Congratulations!