Deploy Resources with Terraform



AWS Service Catalog and Terraform Terminology

  • hub or fulfillment account: The account where the Terraform server or engine will live.
  • spoke account: An account that executes Terraform files against the Terraform engine living in the hub account.
  • Note: for this lab we will use one account.

This solution requires that a Terraform server be deployed and available. You can use an existing Terraform server, or you can deploy a new Terraform server using the supplied CloudFormation templates. The supplied CloudFormation templates will create a new Amazon Elastic Compute Cloud (Amazon EC2) instance and install Terraform.

You can use one Terraform server to target resources across multiple AWS accounts. For the purposes of this lab, we will name the AWS account where the Terraform server resides the “hub account”. Accounts that send requests to the server and contain the provisioned resource will be called “spoke accounts”. For the Terraform server to operate, you must create AWS Identity and Access Management (IAM) roles in each of the spoke accounts and create an AWS Lambda launch function in each desired region of each spoke account. For example, a deployment for 3 accounts that each use us-east-1 and us-east-2 regions will result in 1 Terraform server account, 3 spoke account roles, and 6 Lambda launch functions. The hub account and region containing the Terraform server may also be a spoke account, in which case you must also deploy the IAM role and Lambda launch functions in the hub account and region.

The key to the solution is a CloudFormation template that acts as a proxy to Terraform. The CloudFormation template uses a custom resource, implemented via an AWS Lambda function, to call the Terraform APIs. The CloudFormation template can then be customized to capture specific parameters and used to create an AWS Service Catalog product.



The Terraform files are placed in an Amazon Simple Storage Service (Amazon S3) bucket that can be accessed from AWS Service Catalog.

Once the solution is deployed, end users in each spoke account can launch AWS Service Catalog products. Information about which Terraform file to use, input parameters, and an IAM permission role is passed to the Terraform server from the CloudFormation template. The Terraform server uses this information to manage AWS resources in the originating spoke account. The outputs of the Terraform server are stored in the Amazon S3 Output State Files bucket. The end user has access to this bucket via the AWS Service Catalog GUI or API.



Login using a user with an administrator role.

  • Use an account being managed by Control Tower
  • Use the Control Tower admin account (demo environments only). It is best practice not to use the admin account.

It is assumed that the user has Administrative privileges in IAM for S3, CloudFormation, EC2, VPC, Lambda, and Service Catalog.

  1. Download the zip file here
  2. Unzip the file into a folder so that the aws-service-catalog-terraform-reference-architecture folder is created

  3. Sign in to the AWS Console and navigate to the S3 console.

  4. Verify the region.

  5. Choose the Create bucket button.

  6. Enter scterraform-[YOUR-ACCOUNT-ID] for the Bucket Name

  7. Choose Next

  8. On the Properties page choose Next

  9. On the Set permissions page choose Next

  10. On the Review page choose Create Bucket

  11. Choose the scterraform-[YOUR-ACCOUNT-ID]

  12. Choose the Upload button

  13. Use the file explorer opened earlier to drag over the following folders:

    • TerraformScripts
    • TerraformCustomResourceHandler

  14. Choose Upload

Installing the Service Catalog Terraform reference architecture into a single hub account

  1. Navigate to the S3 console.
  2. In the S3 Console, choose the TerraformScripts/cloudformation-templates/terraform-architecture-single-account.yaml file
  3. Copy the URL located beneath “Object URL” (this link should begin with “https”)
  4. Now, navigate to the CloudFormation console
  5. Verify the region.
  6. Choose Create Stack.
  7. Under Choose a template, select Specify an Amazon S3 template URL.
  8. Paste the URL you copied above
  9. Choose Next.
  10. For Stack name, type TerraformArchitecture-SingleAccount.
  11. Note: for TerraFormVersion, enter 0.11.4.
  12. Leave all the other parameters as defaults.
  13. Choose Next
  14. On the Configure stack options page select Next
  15. On the Review page:
    • Choose the check box for I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    • Choose the check box for I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND.
  16. Choose Create Stack

Wait until the Status changes to CREATE_COMPLETE, which means the stack is created.

The stack output will look similar to the image below:


Create AWS Service Catalog portfolio and product based on Terraform

  1. Navigate to the S3 console.
  2. Choose the terraform-config-[YOUR-ACCOUNT-ID] bucket
  3. Choose Upload
  4. Use the file explorer opened earlier to open the ServiceCatalogSamples folder
  5. Select and drag over the following files

    • sc-sample-lamp.json
    • sc-sample-port-product-setup.json
    • sc-sample-S3.json
  6. Choose Upload

  7. In the S3 Bucket, choose the sc-sample-port-product-setup.json file

  8. Right-click and copy the URL

  9. Navigate to the CloudFormation console

  10. Verify the region.

  11. Choose Create Stack.

  12. Under Choose a template, select Specify an Amazon S3 template URL.

  13. Paste the URL you copied in the step above.

  14. For Stack name, type SCTFportfoliosetup.

  15. For all the other parameters use the defaults.

  16. Choose Next.

  17. Choose Create Stack to create the Service Catalog Sample Terraform Portfolio.

  18. When the stack is complete

Grant portfolio access to user

Get info on who you are logged in as


  • Check the top right of your browser
  • The User, Group or Role can be used; make a note of it

Add access to the Service Catalog portfolio.


  1. Choose the Outputs tab
  2. Choose the NewPortFolio link, right-click, and open it in a new tab
  3. Choose the tab Groups, roles, and users
  4. Choose Add groups, roles, users
  5. Choose Group, Role or User based on the info you made note of in the step before
  6. Select the option you made note of
  7. Choose Add access

Grant Terraform permission to launch and manage AWS resources

Each Service Catalog product Terraform will launch needs permissions. The default setup creates the TerraformResourceCreationRole. You need to give it enough permission to manage the resources.

First you need to ensure that Terraform has the appropriate permissions to launch the CloudFormation stack.

  1. Navigate to the IAM Console
  2. On the left pane, select Roles
  3. Search for the role entitled TerraformResourceCreationRole
  4. Click Attach Policies
  5. Select AdministratorAccess (demonstration only; in production, follow the least-privilege best practice).

Note that it is an AWS best practice to abide by the principle of least privilege, granting only the permissions required to perform a task. Determine what users and roles need to do and then craft policies that allow them to perform only those tasks. For the sake of this lab, granting AdministratorAccess to this role is okay, but it is typically not advised.
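As an added illustration of the least-privilege note above (not part of the lab's supplied code), the following Python check flags over-broad Allow statements in a policy document before it is attached to TerraformResourceCreationRole. The scoped S3 policy, its bucket prefix and its action list are constructed assumptions; derive the real action list from what your Terraform files actually call.

```python
# AWS managed policy AdministratorAccess, which the lab attaches to the role.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed alternative for a role that only manages S3 website buckets.
# The bucket prefix and the action list are assumptions, not lab values.
SCOPED_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ManageProductBuckets",
        "Effect": "Allow",
        "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:ListBucket",
                   "s3:GetBucket*", "s3:PutBucketWebsite", "s3:PutBucketPolicy",
                   "s3:DeleteBucketPolicy", "s3:PutBucketTagging"],
        "Resource": "arn:aws:s3:::example-tf-website-*",
    }],
}


def _as_list(value):
    """IAM allows a single value or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def find_overbroad_statements(policy):
    """Return (statement_index, reason) for each Allow that is too broad."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        any_resource = "*" in _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((i, "Allow + NotAction grants every action not listed"))
        elif "*" in actions:
            findings.append((i, "Action '*' grants every API in every service"))
        elif any_resource and any(a.endswith(":*") for a in actions):
            findings.append((i, "service-wide wildcard on Resource '*'"))
        elif any_resource and any(a.startswith("iam:") for a in actions):
            findings.append((i, "IAM actions on Resource '*' (possible privilege escalation)"))
    return findings


if __name__ == "__main__":
    for name, doc in [("AdministratorAccess", ADMINISTRATOR_ACCESS),
                      ("scoped S3 policy", SCOPED_S3_POLICY)]:
        print(name, "->", find_overbroad_statements(doc) or "no findings")
```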

Launch Service Catalog S3 product based on Terraform

  1. Navigate to the Service Catalog Console
  2. Select Products on the top left pane
  3. Select S3 Website-TF
  4. Select Launch Product
  5. Click Generate Name for Product Name
  6. Select Launch Product
  7. Wait for the Status to change to Available
  8. You can scroll down and look at the output values or view the bucket in the S3 console.

You have completed setting up the Service Catalog Terraform Reference Architecture components in a single account. Congratulations!

Cleanup process

  • Service Catalog

    • To avoid incurring cost, delete resources that are not needed. To terminate the Service Catalog product you deployed, open the AWS Service Catalog console, select Provisioned products, then select Action, then Terminate.
  • CloudFormation

    • You can select the stacks you deployed and choose Delete