Using the CLI

The following utils will help you manage your AWS Accounts when using ServiceCatalog-Puppet:

reset-provisioned-product-owner

Note

This was added in version 0.19.0

You can use the servicecatalog-puppet cli to update the Service Catalog Puppet managed provisioned product owner for each provisioned product across all of your accounts:

servicecatalog-puppet reset-provisioned-product-owner <path_to_expanded_manifest>

Will call the following function for each provisioned product you have:

service_catalog.update_provisioned_product_properties(
    ProvisionedProductId=provisioned_product_id,
    ProvisionedProductProperties={
        'OWNER': f"arn:aws:iam::{self.account_id}:role/servicecatalog-puppet/PuppetRole"
    }
)

add-to-accounts

Note

This was added in version 0.18.0

You can use the servicecatalog-puppet cli to see add an account or ou to your accounts list:

servicecatalog-puppet add-to-accounts <path_to_file_containing_account_or_ou>

The file containing the account or ou should be structured like this:

account_id: '753572411233'
default_region: eu-west-1
name: '753572411233'
regions_enabled:
  - eu-west-1
  - eu-west-2
tags:
  - type:prod
  - partition:eu
  - scope:pci

remove-from-accounts

Note

This was added in version 0.18.0

You can use the servicecatalog-puppet cli to remove an account or ou to your accounts list:

servicecatalog-puppet remove-from-accounts <account_id_or_ou_id_or_ou_path>

The library will look for the given account id, ou id or ou path and remove it, if found. If it is missing an exception will be raised.

add-to-launches

Note

This was added in version 0.18.0

You can use the servicecatalog-puppet cli to see add a launch to your launches list:

servicecatalog-puppet add-to-launches <launch-name-to-add> <path_to_file_containing_launch>

The file containing the launch should be structured like this:

portfolio: example-simple-central-it-team-portfolio
product: aws-iam-assume-roles-spoke
version: v1
parameters:
  SecurityAccountId:
    default: '753572411233'
deploy_to:
  tags:
    - regions: default_region
      tag: type:prod

remove-from-launches

Note

This was added in version 0.18.0

You can use the servicecatalog-puppet cli to see remove a launch from your launches list:

servicecatalog-puppet remove-from-launches <launch-name-to-remove>

dry-run

Note

This was added in version 0.8.0

You can use the servicecatalog-puppet cli to see the effect of your next pipeline run before it happens

servicecatalog-puppet dry-run ServiceCatalogPuppet/manifest.yaml

You must specify the path to the manifest file you want to add execute a dry run on.

import-product-set

Note

This was added in version 0.8.0

You can use the servicecatalog-puppet cli to import products from the aws-service-catalog-products shared repo.

This will update your manifest file.

servicecatalog-puppet import-product-set ServiceCatalogPuppet/manifest.yaml aws-iam central-it-team-portfolio

You must specify the path to the manifest file you want to add the product set to, the name of the product set and the name of the portfolio where was added.

list-resources

Note

This was added in version 0.7.0

You can use the servicecatalog-puppet cli to list all the resources that will be created to bootstrap the framework

servicecatalog-puppet list-resources

Will return the following markdown:

# Framework resources
## SSM Parameters used
- /servicecatalog-puppet/config
## Resources for stack: servicecatalog-puppet-org-master
┌─────────────────────────┬─────────────────────┬───────────────────────────────────────────┐
│ Logical Name            │ Resource Type       │ Name                                      │
├─────────────────────────┼─────────────────────┼───────────────────────────────────────────┤
│ Param                   │ AWS::SSM::Parameter │ service-catalog-puppet-org-master-version │
│ PuppetOrgRoleForExpands │ AWS::IAM::Role      │ PuppetOrgRoleForExpands                   │
└─────────────────────────┴─────────────────────┴───────────────────────────────────────────┘
## Resources for stack: servicecatalog-puppet-regional
┌────────────────────────┬─────────────────────┬────────────────────────────────────────────────────────────────────────┐
│ Logical Name           │ Resource Type       │ Name                                                                   │
├────────────────────────┼─────────────────────┼────────────────────────────────────────────────────────────────────────┤
│ DefaultRegionParam     │ AWS::SSM::Parameter │ /servicecatalog-puppet/home-region                                     │
│ Param                  │ AWS::SSM::Parameter │ service-catalog-puppet-regional-version                                │
│ PipelineArtifactBucket │ AWS::S3::Bucket     │ Fn::Sub: sc-puppet-pipeline-artifacts-${AWS::AccountId}-${AWS::Region} │
│                        │                     │                                                                        │
│ RegionalProductTopic   │ AWS::SNS::Topic     │ servicecatalog-puppet-cloudformation-regional-events                   │
└────────────────────────┴─────────────────────┴────────────────────────────────────────────────────────────────────────┘
## Resources for stack: servicecatalog-puppet-spoke
┌──────────────┬─────────────────────┬──────────────────────────────────────┐
│ Logical Name │ Resource Type       │ Name                                 │
├──────────────┼─────────────────────┼──────────────────────────────────────┤
│ Param        │ AWS::SSM::Parameter │ service-catalog-puppet-spoke-version │
│ PuppetRole   │ AWS::IAM::Role      │ PuppetRole                           │
└──────────────┴─────────────────────┴──────────────────────────────────────┘
## Resources for stack: servicecatalog-puppet
┌─────────────────────────────────┬─────────────────────────────┬─────────────────────────────────────────────┐
│ Logical Name                    │ Resource Type               │ Name                                        │
├─────────────────────────────────┼─────────────────────────────┼─────────────────────────────────────────────┤
│ Param                           │ AWS::SSM::Parameter         │ service-catalog-puppet-version              │
│ ShareAcceptFunctionRole         │ AWS::IAM::Role              │ ShareAcceptFunctionRole                     │
│ ProvisioningRole                │ AWS::IAM::Role              │ PuppetProvisioningRole                      │
│ CloudFormationDeployRole        │ AWS::IAM::Role              │ CloudFormationDeployRole                    │
│ PipelineRole                    │ AWS::IAM::Role              │ PuppetCodePipelineRole                      │
│ SourceRole                      │ AWS::IAM::Role              │ PuppetSourceRole                            │
│ CodeRepo                        │ AWS::CodeCommit::Repository │ ServiceCatalogPuppet                        │
│ Pipeline                        │ AWS::CodePipeline::Pipeline │ Fn::Sub: ${AWS::StackName}-pipeline         │
│                                 │                             │                                             │
│ GenerateRole                    │ AWS::IAM::Role              │ PuppetGenerateRole                          │
│ DeployRole                      │ AWS::IAM::Role              │ PuppetDeployRole                            │
│ GenerateSharesProject           │ AWS::CodeBuild::Project     │ servicecatalog-puppet-generate              │
│ DeployProject                   │ AWS::CodeBuild::Project     │ servicecatalog-puppet-deploy                │
│ SingleAccountRunProject         │ AWS::CodeBuild::Project     │ servicecatalog-puppet-single-account-run    │
│ CloudFormationEventsQueue       │ AWS::SQS::Queue             │ servicecatalog-puppet-cloudformation-events │
│ CloudFormationEventsQueuePolicy │ AWS::SQS::QueuePolicy       │ -                                           │
└─────────────────────────────────┴─────────────────────────────┴─────────────────────────────────────────────┘

n.b. AWS::StackName evaluates to servicecatalog-puppet

run

Note

This was added in version 0.3.0

The run command will run the main AWS CodePipeline servicecatalog-puppet-pipeline

servicecatalog-puppet run

You can also tail the command to watch the progress of the pipeline. It is a little underwhelming at the moment.

servicecatalog-puppet run --tail

list-launches

The list-launches command can currently only be invoked on an expanded manifest.yaml file. To expand your manifest you must run the following:

servicecatalog-puppet expand manifest.yaml

This will create a file named manifest-expanded.yaml in the same directory.

You can then run list-launches:

servicecatalog-puppet list-launches manifest-expanded.yaml

Here is an example table produced by running the command:

+--------------+-----------+------------------------------+------------------------------------------+---------------------------------+------------------+----------------+--------+-----------+
| account_id   | region    | launch                       | portfolio                                | product                         | expected_version | actual_version | active | status    |
+--------------+-----------+------------------------------+------------------------------------------+---------------------------------+------------------+----------------+--------+-----------+
| 012345678901 | eu-west-1 | iam-assume-roles-spoke       | example-simple-central-it-team-portfolio | aws-iam-assume-roles-spoke      | v1               | v1             | True   | AVAILABLE |
| 012345678901 | eu-west-1 | iam-groups-security-account  | example-simple-central-it-team-portfolio | aws-iam-groups-security-account | v1               | v1             | True   | AVAILABLE |
+--------------+-----------+------------------------------+------------------------------------------+---------------------------------+------------------+----------------+--------+-----------+

Note

This was added in version 0.15.0

You can specify the format of the output. Currently you can choose between json and table. The default is table.

servicecatalog-puppet list-launches manifest-expanded.yaml --format json

export-puppet-pipeline-logs

The export-puppet-pipeline-logs takes a pipeline execution id and outputs a log file containing the AWS CloudWatch logs for each AWS CodeBuild step within the pipeline. This is useful for sharing these outputs when debugging:

servicecatalog-puppet export-puppet-pipeline-logs qwertyui-qwer-qwer-qwer-qwertyuiopqw

Note

This was added in version 0.47.0

graph

The graph command takes an expanded manifest as a parameter and generates a graphviz formated graph representing the actions the framework will perform

servicecatalog-puppet graph <path_to_expanded_manifest>

Note

This was added in version 0.49.0

Validate

The validate command will check your manifest file is of the correct structure and it will also ensure you are not using depends_on or deploy_to.tags that do not exist.

servicecatalog-puppet validate <path_to_manifest>

Note

This only works with the non expanded manifest file