Create the control


What are we going to do?

We are going to perform the following steps:

  • define a product with a version and a portfolio in a hub account
  • add the source code for the product
  • provision that product into a spoke account

The hub AWS Account is the source of truth for our AWS Service Catalog products. Spoke AWS accounts are consumers of these products, you can think of them as accounts that need governance controls applied. For this workshop, we are using the same account as both the hub and spoke for simplicity; in a multi-account setup, these could be separate AWS Accounts and Regions.

Step by step guide

Here are the steps you need to follow to “Create the control”:

Define a product with a version and a portfolio

  • Copy the following snippet into the main input field:

    Schema: factory-2019-04-01
    Products:
      - Name: "aws-config-desired-instance-types"
        Owner: "budget-and-cost-governance@example.com"
        Description: "Enables AWS Config rule - desired-instance-type with our RIs"
        Distributor: "cloud-engineering"
        SupportDescription: "Speak to budget-and-cost-governance@example.com about exceptions and speak to cloud-engineering@example.com about implementation issues"
        SupportEmail: "cloud-engineering@example.com"
        SupportUrl: "https://wiki.example.com/cloud-engineering/budget-and-cost-governance/aws-config-desired-instance-types"
        Tags:
          - Key: "type"
            Value: "governance"
          - Key: "creator"
            Value: "cloud-engineering"
          - Key: "cost-center"
            Value: "governance"
        Versions:
          - Name: "v1"
            Description: "v1 of aws-config-desired-instance-types"
            Active: True
            Source:
              Provider: "CodeCommit"
              Configuration:
                RepositoryName: "aws-config-desired-instance-types"
                BranchName: "master"
        Portfolios:
          - "cloud-engineering-governance"
    Portfolios:
      - DisplayName: "cloud-engineering-governance"
        Description: "Portfolio containing the products needed to govern AWS accounts"
        ProviderName: "cloud-engineering"
        Associations:
          - "arn:aws:iam::${AWS::AccountId}:role/TeamRole"
        Tags:
          - Key: "type"
            Value: "governance"
          - Key: "creator"
            Value: "cloud-engineering"
          - Key: "cost-center"
            Value: "governance"

  • Set the File name to portfolios/reinvent.yaml

  • Set your Author name

  • Set your Email address

  • Set your Commit message

Using a good / unique commit message will help you understand what is going on later.

  • Click the Commit changes button:

What did we just do?

The YAML file we created in the CodeCommit repository told the framework to perform several actions:

  • create a product named aws-config-desired-instance-types
  • add a v1 of our product
  • create a portfolio named cloud-engineering-governance
  • add the product: aws-config-desired-instance-types to the portfolio: cloud-engineering-governance
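Before committing a manifest like the one above, it helps to check that its parts fit together (every portfolio a product references is defined, every version points at a CodeCommit repository and branch) and to know which pipeline and console names the framework will derive from it. The following is an added example and not part of the workshop or the ServiceCatalogFactory project; it embeds the manifest as the Python equivalent of portfolios/reinvent.yaml so it runs offline, and its helper functions are hypothetical. The console portfolio name rule (file stem plus DisplayName) is inferred from this page, which shows reinvent.yaml and cloud-engineering-governance appearing as reinvent-cloud-engineering-governance.

```python
# Constructed Python equivalent of the portfolios/reinvent.yaml manifest on this page
# (only the keys the checks below look at; the rest of the file is unchanged by them).
MANIFEST = {
    "Schema": "factory-2019-04-01",
    "Products": [{
        "Name": "aws-config-desired-instance-types",
        "Versions": [{
            "Name": "v1", "Active": True,
            "Source": {"Provider": "CodeCommit",
                       "Configuration": {"RepositoryName": "aws-config-desired-instance-types",
                                         "BranchName": "master"}},
        }],
        "Portfolios": ["cloud-engineering-governance"],
    }],
    "Portfolios": [{"DisplayName": "cloud-engineering-governance",
                    "ProviderName": "cloud-engineering",
                    "Associations": ["arn:aws:iam::${AWS::AccountId}:role/TeamRole"]}],
}


def validate_manifest(manifest):
    """Hypothetical pre-commit check: return a list of problems, empty if consistent."""
    problems = []
    if manifest.get("Schema") != "factory-2019-04-01":
        problems.append("unexpected Schema value")
    defined = {p["DisplayName"] for p in manifest.get("Portfolios", [])}
    for product in manifest.get("Products", []):
        name = product.get("Name", "<unnamed>")
        # A product can only be added to a portfolio defined in the same manifest.
        for ref in product.get("Portfolios", []):
            if ref not in defined:
                problems.append(f"{name}: portfolio {ref!r} is not defined")
        # Each version must say where its CloudFormation template is fetched from.
        for ver in product.get("Versions", []):
            src = ver.get("Source", {})
            cfg = src.get("Configuration", {})
            if src.get("Provider") != "CodeCommit" or not (cfg.get("RepositoryName") and cfg.get("BranchName")):
                problems.append(f"{name}/{ver.get('Name')}: Source needs a CodeCommit RepositoryName and BranchName")
    return problems


def expected_pipelines(manifest):
    """Per-version pipeline names to look for in CodePipeline: <product>-<version>-pipeline."""
    return [f"{p['Name']}-{v['Name']}-pipeline"
            for p in manifest["Products"] for v in p["Versions"] if v.get("Active")]


def console_portfolio_names(manifest, file_stem):
    """Portfolio names as they appear in the Service Catalog console: <file stem>-<DisplayName>."""
    return [f"{file_stem}-{p['DisplayName']}" for p in manifest["Portfolios"]]
```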

Verify the change worked

Once you have made your changes, the ServiceCatalogFactory pipeline should have run. If you were very quick in making the change, the pipeline may still be running. If it has not yet started, feel free to hit the Release change button.

Once it has completed it should show the Source and Build stages in green to indicate they have completed successfully:

If this is failing please raise your hand for some assistance

Add the source code for our product

When you configured your product version, you specified the following version:

    Versions:
      - Name: "v1"
        Description: "v1 of aws-config-desired-instance-types"
        Active: True
        Source:
          Provider: "CodeCommit"
          Configuration:
            RepositoryName: "aws-config-desired-instance-types"
            BranchName: "master"

This tells the framework that the source code for the product comes from the master branch of a CodeCommit repository named aws-config-desired-instance-types.

We now need to create the CodeCommit repository and add the AWS CloudFormation template we are going to use for our product.

  • Input the name aws-config-desired-instance-types
  • Click Create
  • Scroll down to the bottom of the page and hit the Create file button
  • Copy the following snippet into the main input field:

    AWSTemplateFormatVersion: "2010-09-09"
    Description: "Create an AWS Config rule ensuring the given instance types are the only instance types used"

    Parameters:
      InstanceType:
        Type: String
        Description: "Comma separated list of EC2 instance types (for example, 't2.small, m4.large')."
        Default: "t2.micro, t2.small"

    Resources:
      AWSConfigRule:
        Type: AWS::Config::ConfigRule
        Properties:
          ConfigRuleName: "desired-instance-type"
          Description: "Checks whether your EC2 instances are of the specified instance types."
          InputParameters:
            instanceType: !Ref InstanceType
          Scope:
            ComplianceResourceTypes:
              - "AWS::EC2::Instance"
          Source:
            Owner: AWS
            SourceIdentifier: DESIRED_INSTANCE_TYPE

  • Set the File name to product.template.yaml

  • Set your Author name

  • Set your Email address

  • Set your Commit message

Using a good / unique commit message will help you understand what is going on later.

Creating that file should trigger your aws-config-desired-instance-types-v1-pipeline.

Once the pipeline has completed it should show the Source, Tests, Package and Deploy stages in green to indicate they have completed successfully:

You should see your commit message on this screen; it will help you know which version of the ServiceCatalogFactory repository the pipeline is processing.

If this is failing please raise your hand for some assistance

Once you have verified the pipeline has run you can go to Service Catalog products to view your newly created version.

You should see the product you created listed:

Click on the product and verify v1 is there

If you cannot see your version please raise your hand for some assistance

You have now successfully created a version for your product!

Verify the product was added to the portfolio

Now that you have verified the pipeline has run you can go to Service Catalog portfolios to view your portfolio.

  • Click on reinvent-cloud-engineering-governance
  • Click on the product aws-config-desired-instance-types
  • Click on the version v1