Sharing a portfolio

What is sharing and how does it work?

Note

This was added in version 0.1.14

This framework allows you to create portfolios in other accounts that mirror the portfolio in your hub account. The framework will create the portfolio for you and copy the products (along with their versions) from your hub account into the newly created portfolio.

In addition to this, you can specify associations for the created portfolio and add launch constraints for the products.

Warning

Once a hub product version has been copied into a spoke portfolio it is not updated again: later changes made to that version in the hub are not propagated to the spoke copy.

How can I set it up?

The following is an example of how to add the portfolio example-simple-central-it-team-portfolio to all spokes tagged scope:spoke:

spoke-local-portfolios:
  account-vending-for-spokes:
    portfolio: example-simple-central-it-team-portfolio
    depends_on:
      - account-iam-for-spokes
    associations:
      - arn:aws:iam::${AWS::AccountId}:role/MyServiceCatalogAdminRole
    constraints:
      launch:
        - product: account-vending-account-creation-shared
          roles:
            - arn:aws:iam::${AWS::AccountId}:role/MyServiceCatalogAdminRole
    deploy_to:
      tags:
        - tag: scope:spoke
          regions: default_region

The example above will create the portfolio once the depends_on launches have completed successfully.

The valid values for regions are:

- enabled - this will deploy to each enabled region for the account
- regions_enabled - this will deploy to each enabled region for the account (the same as enabled)
- default_region - this will deploy to the default region specified for the account
- all - this will deploy to all regions enabled in your config (whilst setting up Puppet)
- list of AWS regions - you can type in a list of AWS regions (each region selected should be present in your config)

How can I add an association?

The example above will add an association for the IAM principal:

arn:aws:iam::${AWS::AccountId}:role/MyServiceCatalogAdminRole

so the portfolio will be accessible for anyone assuming that role. In addition to roles, you can also specify the ARN of users and groups.

Note

Using ${AWS::AccountId} will evaluate in the spoke account.

How can I add a launch constraint?

The example above will add a launch constraint for the IAM role:

arn:aws:iam::${AWS::AccountId}:role/MyServiceCatalogAdminRole

so that Service Catalog assumes that role when provisioning the product account-vending-account-creation-shared in the spoke account. The end user therefore only needs permission to use Service Catalog; the launch role is what needs (and should be limited to) the permissions required to create the resources in the product's template.

Warning

You can only specify an IAM role, and the role must be assumable by the AWS service principal servicecatalog.amazonaws.com. Provisioning under a launch constraint runs with that role's permissions, so keep its policy to what the products in the constraint actually need.

Note

Using ${AWS::AccountId} will evaluate in the spoke account.
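A quick offline check for the trust-policy requirement in the warning above. This is an added example and not part of the service-catalog-puppet project; the two trust policy documents are constructed samples, and in practice you would fetch the real one from the spoke account (for instance via boto3's iam.get_role, which is an assumption about how you retrieve it, not something the framework does for you).

```python
"""Verify that a launch role's trust policy lets Service Catalog assume it.

Added example, not project code. The policy documents below are constructed
samples; a real one comes from the spoke account, e.g.
boto3.client("iam").get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"].
"""

SERVICE_CATALOG_PRINCIPAL = "servicecatalog.amazonaws.com"
ASSUME_ROLE_ACTIONS = ("sts:AssumeRole", "sts:*", "*")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _service_principals(statement):
    """Service principals named in a statement's Principal element."""
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("Service"))
    # A bare "*" principal would trust everyone; treat it as naming no
    # specific service so the caller is forced to fix the policy.
    return []


def trusts_service_catalog(trust_policy):
    """True if an Allow statement grants sts:AssumeRole to
    servicecatalog.amazonaws.com and no Deny statement revokes it.

    Conditions are not evaluated: a conditional Allow is reported as allowed,
    so review any Condition block by hand.
    """
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if SERVICE_CATALOG_PRINCIPAL not in _service_principals(stmt):
            continue
        if not any(a in ASSUME_ROLE_ACTIONS for a in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


# Constructed sample: the minimal trust policy a launch role needs.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "servicecatalog.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed sample: a role reused from an EC2 instance profile. A launch
# constraint pointing at it is accepted by the manifest but provisioning fails
# because Service Catalog cannot assume the role.
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("bad", BAD_TRUST_POLICY)):
        print(name, "trusts servicecatalog.amazonaws.com:", trusts_service_catalog(doc))
```

Run this against every role you reference under constraints.launch before deploying; a role that fails the check will not surface as an error until an end user tries to launch the product.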

Note

Support for using products was added in version 0.3.0.

You can use products instead of product to specify either a list of product names or a single regular expression. The regular expression is matched using Python 3's re.match, which anchors at the start of the product name but not at the end, so the pattern only has to match the beginning of the name; add $ if you need a full match.

Using a list:

spoke-local-portfolios:
  account-vending-for-spokes:
    portfolio: example-simple-central-it-team-portfolio
    depends_on:
      - account-iam-for-spokes
    associations:
      - arn:aws:iam::${AWS::AccountId}:role/MyServiceCatalogAdminRole
    constraints:
      launch:
        - products:
            - account-vending-account-bootstrap-shared
            - account-vending-account-creation-shared
          roles:
            - arn:aws:iam::${AWS::AccountId}:role/MyServiceCatalogAdminRole
    deploy_to:
      tags:
        - tag: scope:spoke
          regions: default_region

Using a regular expression:

spoke-local-portfolios:
  account-vending-for-spokes:
    portfolio: example-simple-central-it-team-portfolio
    depends_on:
      - account-iam-for-spokes
    associations:
      - arn:aws:iam::${AWS::AccountId}:role/MyServiceCatalogAdminRole
    constraints:
      launch:
        - products: "account-vending-account-*"
          roles:
            - arn:aws:iam::${AWS::AccountId}:role/MyServiceCatalogAdminRole
    deploy_to:
      tags:
        - tag: scope:spoke
          regions: default_region
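To see which products a constraints.launch entry will bind to before running the framework, the following added example mirrors the product / products rules described above on a constructed list of product names. It is not the project's own code; the product names "account-vending-accounts-legacy" and "network-vending-vpc" are invented here to show what a loose regular expression picks up.

```python
"""Illustration of how a constraints.launch entry selects products.

Added example, not project code. It implements the documented rules: a single
name under `product`, a list of names under `products`, or a single regular
expression string under `products` matched with re.match.
"""
import re

# Constructed catalogue of product names in a hub portfolio. The last two are
# invented to show the difference between prefix and full-name matching.
HUB_PRODUCTS = [
    "account-vending-account-bootstrap-shared",
    "account-vending-account-creation-shared",
    "account-vending-accounts-legacy",
    "network-vending-vpc",
]


def select_products(constraint, available):
    """Return the names in `available` that one constraints.launch entry selects.

    `constraint` is the entry as loaded from the manifest, i.e. a dict with
    either `product` (one name) or `products` (a list of names or a regex).
    """
    if "product" in constraint:
        name = constraint["product"]
        return [p for p in available if p == name]

    spec = constraint["products"]
    if isinstance(spec, list):
        wanted = set(spec)
        return [p for p in available if p in wanted]

    # A string is a regular expression. re.match anchors at the start only,
    # so "account-vending-account-*" (zero or more hyphens after "account")
    # also matches "account-vending-accounts-legacy". Anchor with $ and use
    # ".*" rather than "*" when the prefix alone is not specific enough.
    pattern = re.compile(spec)
    return [p for p in available if pattern.match(p)]


def launch_roles_by_product(launch_entries, available):
    """Map each selected product to the launch roles constrained to it, so a
    reviewer can see at a glance which role provisions which product."""
    mapping = {}
    for entry in launch_entries:
        for product in select_products(entry, available):
            mapping.setdefault(product, []).extend(entry.get("roles", []))
    return mapping


if __name__ == "__main__":
    role = "arn:aws:iam::${AWS::AccountId}:role/MyServiceCatalogAdminRole"
    entries = [
        {"products": "account-vending-account-*", "roles": [role]},
        {"products": "account-vending-account-.*$", "roles": [role]},
    ]
    for entry in entries:
        print(entry["products"], "->", select_products(entry, HUB_PRODUCTS))
    print(launch_roles_by_product(entries, HUB_PRODUCTS))
```

The first pattern from the page selects three products here, including the invented "account-vending-accounts-legacy"; the anchored form "account-vending-account-.*$" selects only the two the page intends.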

Is there anything else I should know?

  1. It would be good to become familiar with the AWS Service Catalog pricing before using this feature.