Service Catalog Puppet

What is Service Catalog Puppet

Service Catalog Puppet is the second of the Service Catalog tools. It is an AWS Solution designed to help you manage a multi account environment. Using the solution you can provision resources, share portfolios, execute functions and execute assertions on the configuration of your environment. The configuration for the solution is stored in git and changes made to the configuration trigger a run of the solution.


When installing Service Catalog Puppet you create a pipeline named servicecatalog-puppet-pipeline. This pipeline can use AWS CodeStar connections, Amazon S3 or AWS CodeCommit as its source. The source contains descriptions of the actions you want to happen.

When the pipeline runs it will verify all existing provisioning and sharing is configured as expected. Any manual actions applied since the last run are overridden and any new changes are applied. If you change the value of a parameter used for provisioning the provisioned resources will be updated.

Spoke Execution Mode

When your pipeline takes 45+ mins to run we recommend switching to spoke execution mode. Instead of all operations occurring in the hub account some of the operations are delegated to the spokes where they run in parallel across each spoke. When using spoke execution mode the solution will still check if each action was performed correctly.

When using spoke execution mode the hub account generates a manifest file for the spoke - which is very similar to the one used in the hub. The hub account also generates a cache of data to share with the spoke - this contains any AWS Systems Manager parameters stored in the hub and used in the spoke as well as the AWS Service Catalog portfolio, product and provisioning artefact ids. The cache is stored in the hub within an Amazon S3 bucket and a signed url is shared with the spoke so it can retrieve the artefact.

What Can I Do With The Solution

The solution allows you to easily build out a workflow. You specify (using YAML) how you want your multi account environment to be configured and the solution will configure it as such. The solution will ensure the right actions are performed in the right order and that no API throttling limits are exceeded. Using the solution you can perform the following actions:


You can provision a stack in one or more regions of one or more accounts:


You can provision a product in one or more regions of one or more accounts:

Spoke Local Portfolios

You can share a portfolio in one or more regions of one or more accounts:

AWS Lambda Invokes

You can invoke a lambda function for one or more regions of one or more accounts:

AWS CodeBuild Runs

You can start a Code Build project for one or more regions of one or more accounts:


You can create an assertion for one or more regions of one or more accounts: