Using the CLI
The following utils will help you manage your AWS Accounts when using ServiceCatalog-Puppet:
reset-provisioned-product-owner
Note
This was added in version 0.19.0
You can use the servicecatalog-puppet CLI to update the Service Catalog Puppet managed provisioned product owner for each provisioned product across all of your accounts:
servicecatalog-puppet reset-provisioned-product-owner <path_to_expanded_manifest>
This will call the following function for each provisioned product you have:
service_catalog.update_provisioned_product_properties(
    ProvisionedProductId=provisioned_product_id,
    ProvisionedProductProperties={
        'OWNER': f"arn:aws:iam::{self.account_id}:role/servicecatalog-puppet/PuppetRole"
    }
)
add-to-accounts
Note
This was added in version 0.18.0
You can use the servicecatalog-puppet CLI to add an account or OU to your accounts list:
servicecatalog-puppet add-to-accounts <path_to_file_containing_account_or_ou>
The file containing the account or OU should be structured like this:
account_id: '753572411233'
default_region: eu-west-1
name: '753572411233'
regions_enabled:
- eu-west-1
- eu-west-2
tags:
- type:prod
- partition:eu
- scope:pci
remove-from-accounts
Note
This was added in version 0.18.0
You can use the servicecatalog-puppet CLI to remove an account or OU from your accounts list:
servicecatalog-puppet remove-from-accounts <account_id_or_ou_id_or_ou_path>
The library will look for the given account id, OU id or OU path and remove it, if found. If it is missing, an exception will be raised.
add-to-launches
Note
This was added in version 0.18.0
You can use the servicecatalog-puppet CLI to add a launch to your launches list:
servicecatalog-puppet add-to-launches <launch-name-to-add> <path_to_file_containing_launch>
The file containing the launch should be structured like this:
portfolio: example-simple-central-it-team-portfolio
product: aws-iam-assume-roles-spoke
version: v1
parameters:
  SecurityAccountId:
    default: '753572411233'
deploy_to:
  tags:
    - regions: default_region
      tag: type:prod
remove-from-launches
Note
This was added in version 0.18.0
You can use the servicecatalog-puppet CLI to remove a launch from your launches list:
servicecatalog-puppet remove-from-launches <launch-name-to-remove>
dry-run
Note
This was added in version 0.8.0
You can use the servicecatalog-puppet CLI to see the effect of your next pipeline run before it happens:
servicecatalog-puppet dry-run ServiceCatalogPuppet/manifest.yaml
You must specify the path to the manifest file you want to execute a dry run on.
import-product-set
Note
This was added in version 0.8.0
You can use the servicecatalog-puppet CLI to import products from the aws-service-catalog-products shared repo. This will update your manifest file.
servicecatalog-puppet import-product-set ServiceCatalogPuppet/manifest.yaml aws-iam central-it-team-portfolio
You must specify the path to the manifest file you want to add the product set to, the name of the product set and the name of the portfolio where it was added.
list-resources
Note
This was added in version 0.7.0
You can use the servicecatalog-puppet CLI to list all the resources that will be created to bootstrap the framework:
servicecatalog-puppet list-resources
This will return the following markdown:
# Framework resources
## SSM Parameters used
- /servicecatalog-puppet/config
## Resources for stack: servicecatalog-puppet-org-master
┌─────────────────────────┬─────────────────────┬───────────────────────────────────────────┐
│ Logical Name │ Resource Type │ Name │
├─────────────────────────┼─────────────────────┼───────────────────────────────────────────┤
│ Param │ AWS::SSM::Parameter │ service-catalog-puppet-org-master-version │
│ PuppetOrgRoleForExpands │ AWS::IAM::Role │ PuppetOrgRoleForExpands │
└─────────────────────────┴─────────────────────┴───────────────────────────────────────────┘
## Resources for stack: servicecatalog-puppet-regional
┌────────────────────────┬─────────────────────┬────────────────────────────────────────────────────────────────────────┐
│ Logical Name │ Resource Type │ Name │
├────────────────────────┼─────────────────────┼────────────────────────────────────────────────────────────────────────┤
│ DefaultRegionParam │ AWS::SSM::Parameter │ /servicecatalog-puppet/home-region │
│ Param │ AWS::SSM::Parameter │ service-catalog-puppet-regional-version │
│ PipelineArtifactBucket │ AWS::S3::Bucket │ Fn::Sub: sc-puppet-pipeline-artifacts-${AWS::AccountId}-${AWS::Region} │
│ │ │ │
│ RegionalProductTopic │ AWS::SNS::Topic │ servicecatalog-puppet-cloudformation-regional-events │
└────────────────────────┴─────────────────────┴────────────────────────────────────────────────────────────────────────┘
## Resources for stack: servicecatalog-puppet-spoke
┌──────────────┬─────────────────────┬──────────────────────────────────────┐
│ Logical Name │ Resource Type │ Name │
├──────────────┼─────────────────────┼──────────────────────────────────────┤
│ Param │ AWS::SSM::Parameter │ service-catalog-puppet-spoke-version │
│ PuppetRole │ AWS::IAM::Role │ PuppetRole │
└──────────────┴─────────────────────┴──────────────────────────────────────┘
## Resources for stack: servicecatalog-puppet
┌─────────────────────────────────┬─────────────────────────────┬─────────────────────────────────────────────┐
│ Logical Name │ Resource Type │ Name │
├─────────────────────────────────┼─────────────────────────────┼─────────────────────────────────────────────┤
│ Param │ AWS::SSM::Parameter │ service-catalog-puppet-version │
│ ShareAcceptFunctionRole │ AWS::IAM::Role │ ShareAcceptFunctionRole │
│ ProvisioningRole │ AWS::IAM::Role │ PuppetProvisioningRole │
│ CloudFormationDeployRole │ AWS::IAM::Role │ CloudFormationDeployRole │
│ PipelineRole │ AWS::IAM::Role │ PuppetCodePipelineRole │
│ SourceRole │ AWS::IAM::Role │ PuppetSourceRole │
│ CodeRepo │ AWS::CodeCommit::Repository │ ServiceCatalogPuppet │
│ Pipeline │ AWS::CodePipeline::Pipeline │ Fn::Sub: ${AWS::StackName}-pipeline │
│ │ │ │
│ GenerateRole │ AWS::IAM::Role │ PuppetGenerateRole │
│ DeployRole │ AWS::IAM::Role │ PuppetDeployRole │
│ GenerateSharesProject │ AWS::CodeBuild::Project │ servicecatalog-puppet-generate │
│ DeployProject │ AWS::CodeBuild::Project │ servicecatalog-puppet-deploy │
│ SingleAccountRunProject │ AWS::CodeBuild::Project │ servicecatalog-puppet-single-account-run │
│ CloudFormationEventsQueue │ AWS::SQS::Queue │ servicecatalog-puppet-cloudformation-events │
│ CloudFormationEventsQueuePolicy │ AWS::SQS::QueuePolicy │ - │
└─────────────────────────────────┴─────────────────────────────┴─────────────────────────────────────────────┘
n.b. AWS::StackName evaluates to servicecatalog-puppet
run
Note
This was added in version 0.3.0
The run command will run the main AWS CodePipeline servicecatalog-puppet-pipeline:
servicecatalog-puppet run
You can also tail the command to watch the progress of the pipeline. It is a little underwhelming at the moment.
servicecatalog-puppet run --tail
list-launches
The list-launches command can currently only be invoked on an expanded manifest.yaml file. To expand your manifest you must run the following:
servicecatalog-puppet expand manifest.yaml
This will create a file named manifest-expanded.yaml in the same directory.
You can then run list-launches:
servicecatalog-puppet list-launches manifest-expanded.yaml
Here is an example table produced by running the command:
+--------------+-----------+------------------------------+------------------------------------------+---------------------------------+------------------+----------------+--------+-----------+
| account_id | region | launch | portfolio | product | expected_version | actual_version | active | status |
+--------------+-----------+------------------------------+------------------------------------------+---------------------------------+------------------+----------------+--------+-----------+
| 012345678901 | eu-west-1 | iam-assume-roles-spoke | example-simple-central-it-team-portfolio | aws-iam-assume-roles-spoke | v1 | v1 | True | AVAILABLE |
| 012345678901 | eu-west-1 | iam-groups-security-account | example-simple-central-it-team-portfolio | aws-iam-groups-security-account | v1 | v1 | True | AVAILABLE |
+--------------+-----------+------------------------------+------------------------------------------+---------------------------------+------------------+----------------+--------+-----------+
Note
This was added in version 0.15.0
You can specify the format of the output. Currently you can choose between json and table. The default is table.
servicecatalog-puppet list-launches manifest-expanded.yaml --format json
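One way to check the list-launches table output for drift, as an added example that is not part of the servicecatalog-puppet project: it parses the table layout shown above and reports launches whose actual_version differs from expected_version, whose active column is not True, or whose status is not AVAILABLE. The function names and sample rows are constructed for illustration, and treating those three conditions as needing review is an assumption.

```python
# Constructed sample in the list-launches table layout; the second row is
# altered (expected v2, status TAINTED) to show what drift looks like.
SAMPLE = """\
+--------------+-----------+--------+-----------+---------+--------+-----------+
| account_id | region | launch | portfolio | product | expected_version | actual_version | active | status |
+--------------+-----------+--------+-----------+---------+--------+-----------+
| 012345678901 | eu-west-1 | iam-assume-roles-spoke | example-simple-central-it-team-portfolio | aws-iam-assume-roles-spoke | v1 | v1 | True | AVAILABLE |
| 012345678901 | eu-west-1 | iam-groups-security-account | example-simple-central-it-team-portfolio | aws-iam-groups-security-account | v2 | v1 | True | TAINTED |
+--------------+-----------+--------+-----------+---------+--------+-----------+
"""


def parse_table(text):
    """Parse the '|'-delimited table into a list of dicts keyed by column name."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):  # skip +---+ borders and blank lines
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        elif len(cells) != len(header):
            raise ValueError(f"unexpected column count in row: {line!r}")
        else:
            rows.append(dict(zip(header, cells)))  # values stay strings
    return rows


def find_drift(rows):
    """Return (account_id, region, launch, reasons) for rows that need review."""
    findings = []
    for r in rows:
        reasons = []
        if r["actual_version"] != r["expected_version"]:
            reasons.append(f"actual_version {r['actual_version']} != expected_version {r['expected_version']}")
        if r["active"] != "True":
            reasons.append(f"active is {r['active']}")
        if r["status"] != "AVAILABLE":
            reasons.append(f"status {r['status']}")
        if reasons:
            findings.append((r["account_id"], r["region"], r["launch"], reasons))
    return findings


if __name__ == "__main__":
    for account, region, launch, reasons in find_drift(parse_table(SAMPLE)):
        print(f"{account} {region} {launch}: {'; '.join(reasons)}")
```

Account ids are kept as strings throughout, so an id with a leading zero such as 012345678901 is reported unchanged.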