Automated account creation and management with AWS Service Catalog
AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. Service Catalog allows you to centrally manage commonly deployed IT services to achieve consistent governance and meet compliance requirements, while enabling users to quickly deploy only the approved IT services they need.
In this context, account creation and management refer to the ability to create and manage AWS accounts as products through the Service Catalog. This can be helpful for large organizations that need to standardize the creation of accounts with certain permissions, roles, and resources.
Using Pulumi, we can define and deploy AWS Service Catalog products and their associated resources. Below is a TypeScript program that demonstrates how you can set up the required resources for automated account creation and management using Service Catalog. The key resources involved are:
- ServiceCatalogAppRegistryAttributeGroup: organizes and aggregates information about a group of related resources in AWS. We can use it to create attribute groups that you can associate with applications in AWS Service Catalog AppRegistry.
- ServiceCatalogCloudFormationProvisionedProduct: allows you to manage products in AWS Service Catalog. It is akin to deploying a CloudFormation stack, where you define the resources that get created when someone launches a product from Service Catalog.
- ServiceCatalogProduct: represents a product in AWS Service Catalog that details the product particulars and can be associated with provisioning artifacts like CloudFormation templates for account creation.
We'll be using these resources to create a Service Catalog with a basic architecture for account creation and management.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a new attribute group for the Service Catalog AppRegistry.
// The provider takes `attributes` as a JSON-encoded string, not a plain object.
const attributeGroup = new aws.servicecatalogappregistry.AttributeGroup("myAttributeGroup", {
    name: "account-creation-group",
    attributes: JSON.stringify({
        department: "finance",
        team: "account-management",
    }),
    description: "Attribute group for finance department account creation",
});

// Reference to a CloudFormation template that defines account creation and management parameters.
const accountCreationCfnTemplateUrl =
    "https://my-cloudformation-templates-bucket.s3.amazonaws.com/account-creation-template.yaml";

// Create a new product for account creation. `type` is required, and the
// provisioning artifact takes the template's S3 URL as its source.
const accountCreationProduct = new aws.servicecatalog.Product("myAccountCreationProduct", {
    name: "AccountCreationProduct",
    owner: "finance-team",
    type: "CLOUD_FORMATION_TEMPLATE",
    description: "This product provisions a new AWS account with baseline configuration",
    distributor: "My Company",
    supportDescription: "Contact finance-team@mycompany.com for issues and questions.",
    supportEmail: "finance-team@mycompany.com",
    supportUrl: "https://support.mycompany.com",
    provisioningArtifactParameters: {
        name: "v1",
        type: "CLOUD_FORMATION_TEMPLATE",
        templateUrl: accountCreationCfnTemplateUrl,
    },
});

// Define the parameters for provisioning. These would be specific to the template used.
const provisioningParameters = [
    { key: "AccountId", value: "123456789012" },
    { key: "AccountEmail", value: "newaccount@mycompany.com" },
];

// Launch a provisioned product with the specific parameters. A provisioned
// product needs its own name and must name (or identify) the artifact to launch.
const accountProvisionedProduct = new aws.servicecatalog.ProvisionedProduct("myProvisionedProduct", {
    name: "finance-account-provisioning",
    productName: accountCreationProduct.name,
    provisioningArtifactName: "v1",
    provisioningParameters,
    acceptLanguage: "en",
});

// Output important IDs for further management.
export const attributeGroupId = attributeGroup.id;
export const accountCreationProductId = accountCreationProduct.id;
export const provisionedProductId = accountProvisionedProduct.id;
```
The above program sets up a basic AWS Service Catalog for automated account creation and management. It starts by defining an attribute group for AppRegistry, which helps organize resources for operations. It then defines a product based on a CloudFormation template that someone might use to create and configure a new AWS account. Finally, it provisions a product using the product definition and a set of parameters.
When running this program with Pulumi, ensure you have the AWS provider configured with the necessary permissions to create these resources. You will also need a CloudFormation template that defines the account creation parameters, accessible through the provided URL. Note that Service Catalog only lets a principal provision a product that has been added to a portfolio the principal has been granted access to, so the product must be associated with such a portfolio before the provisioned product can be launched.
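As an added illustration, not code from the original page, here is what the CloudFormation template behind `templateUrl` might look like for an account-creation product, together with a check that the `provisioningParameters` passed to the ProvisionedProduct actually match that template's declared parameters. The template, resource and parameter names are constructed for this example.

```typescript
// Minimal shape of the CloudFormation template pieces we validate against.
type CfnParameter = { Type: string; AllowedPattern?: string; Default?: string };
type CfnTemplate = { Parameters: Record<string, CfnParameter>; Resources: Record<string, unknown> };

// Constructed template for a product that creates a member account in AWS Organizations.
const accountCreationTemplate: CfnTemplate = {
  Parameters: {
    AccountName: { Type: "String", AllowedPattern: "^[A-Za-z0-9-]{1,50}$" },
    AccountEmail: { Type: "String", AllowedPattern: "^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$" },
    // Role the management account assumes into the new account.
    OrgAccessRoleName: { Type: "String", Default: "OrganizationAccountAccessRole" },
  },
  Resources: {
    NewAccount: {
      Type: "AWS::Organizations::Account",
      Properties: {
        AccountName: { Ref: "AccountName" },
        Email: { Ref: "AccountEmail" },
        RoleName: { Ref: "OrgAccessRoleName" },
      },
    },
  },
};

// Check a ProvisionedProduct's provisioningParameters against the template before
// launching, so unknown keys, missing required values and pattern violations fail
// in CI rather than at provisioning time. AllowedPattern is applied as a JS regex,
// which is close enough for the simple patterns used here.
function validateProvisioningParameters(
  template: CfnTemplate,
  params: { key: string; value: string }[],
): string[] {
  const errors: string[] = [];
  const supplied = new Map(params.map((p) => [p.key, p.value]));
  for (const p of params) {
    if (!(p.key in template.Parameters)) errors.push(`unknown parameter ${p.key}`);
  }
  for (const [name, def] of Object.entries(template.Parameters)) {
    const value = supplied.get(name);
    if (value === undefined) {
      if (def.Default === undefined) errors.push(`missing required parameter ${name}`);
      continue;
    }
    if (def.AllowedPattern && !new RegExp(def.AllowedPattern).test(value)) {
      errors.push(`parameter ${name} does not match ${def.AllowedPattern}`);
    }
  }
  return errors;
}
```

Run the check over the `provisioningParameters` array from the program above before handing it to the ProvisionedProduct; an empty result means the launch is consistent with the template.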
Remember that handling AWS accounts requires careful consideration around security and governance. Ensure all permissions and roles are adequately defined and managed, and follow the AWS best practices for account management.