{ServiceCatalog}ご利用スタートにあたって

https://www.yamamanx.com/aws-service-catalog-tutorial/

https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getstarted.html

 

前提:
エンドユーザとしてコンソール権限を有するtestuserを作成し、AWSServiceCatalogEndUserFullAccess 付与済み


-- 1. コマンド等のインストール

-- 1.1 aws cli version 2 インストール

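# Download the AWS CLI v2 installer and its detached signature.
# -f makes curl fail on an HTTP error instead of saving an error page as the zip;
# -L follows redirects.
curl -fL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
curl -fL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o "awscliv2.sig"
# Check the installer against the AWS CLI public key before running anything from it.
# The key must be imported first (see the "verify the integrity" section of the
# AWS CLI installation guide); abort the install if verification fails.
gpg --verify awscliv2.sig awscliv2.zip || exit 1
unzip awscliv2.zip
sudo ./aws/install
aws --version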

-- 1.2 jqインストール
sudo yum -y install jq

-- 2. IAMポリシー作成
vim policy01.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplateSummary",
                "cloudformation:SetStackPolicy",
                "cloudformation:ValidateTemplate",
                "cloudformation:UpdateStack",
                "ec2:*",
                "s3:GetObject",
                "servicecatalog:*",
                "sns:*"
            ],
            "Resource": "*"
        }
    ]
}

# Create the managed policy from policy01.json. The response contains Policy.Arn,
# which the later steps reference as arn:aws:iam::<account-id>:policy/policy01.
aws iam create-policy --policy-document file://policy01.json --policy-name policy01

-- 3. IAMロール作成
vim role01.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "servicecatalog.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}


# Create the launch role using the trust policy in role01.json.
# NOTE(review): the trust policy carries no aws:SourceAccount / aws:SourceArn
# condition; AWS's confused-deputy guidance for service roles recommends adding one.
aws iam create-role --assume-role-policy-document file://role01.json --role-name role01

-- 4. ポリシーをロールにアタッチ
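# Attach policy01 to role01. The account id is taken from the current credentials
# instead of the 999999999999 placeholder, because policy01 was created in this
# same account a step earlier; stop if the identity lookup fails.
account_id=$(aws sts get-caller-identity --query Account --output text) || exit 1
aws iam attach-role-policy \
  --role-name role01 \
  --policy-arn "arn:aws:iam::${account_id}:policy/policy01"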

 


-- 5. S3 バケットを作成する

# Create the bucket that will hold the product template. Bucket names are globally
# unique, so "bucket123" is a placeholder; the same name (and its region) appears in
# LoadTemplateFromURL of the product definition and must match what is created here.
aws s3 mb s3://bucket123
aws s3 ls

# Fetch the sample CloudFormation template from the AWS docs bucket and upload it.
wget https://awsdocs.s3.amazonaws.com/servicecatalog/development-environment.template
aws s3 cp development-environment.template s3://bucket123

# Confirm the object landed.
aws s3 ls --recursive s3://bucket123

 


-- 6. ポートフォリオの作成

# Create the portfolio; the response's PortfolioDetail.Id (port-...) is used by
# every later step, so keep it.
aws servicecatalog create-portfolio \
  --provider-name provider01 \
  --display-name pf01 \
  --description pf01


# List portfolios, then inspect the one just created.
# port-1111111111111 is a placeholder for the Id returned by create-portfolio.
aws servicecatalog list-portfolios
aws servicecatalog describe-portfolio --id port-1111111111111

 

-- 7. 製品の作成

vim a.json

{
    "AcceptLanguage": "en",
    "Name": "product01",
    "Owner": "owner01",
    "Description": "product01",
    "SupportDescription": "support01",
    "SupportEmail": "hoge@example.com",
    "SupportUrl": "http://example.com/hoge",
    "ProductType": "CLOUD_FORMATION_TEMPLATE",
    "ProvisioningArtifactParameters": {
        "Name": "v1.0",
        "Description": "v1.0",
        "Info": {
            "LoadTemplateFromURL": "https://bucket123.s3.ap-northeast-1.amazonaws.com/development-environment.template"
        },
        "Type": "CLOUD_FORMATION_TEMPLATE"
    }
}

# Create the product from the request in a.json; note the ProductViewDetail
# ProductId (prod-...) in the response for the following steps.
aws servicecatalog create-product --cli-input-json file://a.json

# Add the product to the portfolio. Both ids are placeholders for the values
# returned by create-portfolio and create-product.
aws servicecatalog associate-product-with-portfolio \
  --portfolio-id port-1111111111111 \
  --product-id prod-2222222222222

 

# Show the product (admin view) by name to confirm it was created.
aws servicecatalog describe-product-as-admin --name product01

 

 


-- 8. テンプレート制約の追加


# Add a TEMPLATE constraint: a CloudFormation rule limiting InstanceType to
# t2.micro or t2.small. The rule document is passed inline as --parameters.
aws servicecatalog create-constraint \
  --type TEMPLATE \
  --description constraint01 \
  --portfolio-id port-1111111111111 \
  --product-id prod-2222222222222 \
  --parameters '{
  "Rules": {
    "Rule1": {
      "Assertions": [
        {
          "Assert" : {"Fn::Contains": [["t2.micro", "t2.small"], {"Ref": "InstanceType"}]},
          "AssertDescription": "Instance type should be t2.micro or t2.small"
        }
      ]
    }
  }
}'


# List the portfolio's constraints, then inspect the template constraint.
# cons-3333333333333 is a placeholder for the ConstraintId returned above.
aws servicecatalog list-constraints-for-portfolio --portfolio-id port-1111111111111
aws servicecatalog describe-constraint --id cons-3333333333333

 

-- 9. 起動制約の追加

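# Add a LAUNCH constraint so provisioning runs under role01 rather than the
# end user's own permissions. The account id in RoleArn is derived from the
# current credentials instead of the 999999999999 placeholder (role01 was created
# in this account in step 3); stop if the identity lookup fails.
account_id=$(aws sts get-caller-identity --query Account --output text) || exit 1
aws servicecatalog create-constraint \
  --portfolio-id port-1111111111111 \
  --product-id prod-2222222222222 \
  --parameters "{\"RoleArn\" : \"arn:aws:iam::${account_id}:role/role01\"}" \
  --type LAUNCH \
  --description constraint02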


# List the constraints again, then inspect the launch constraint.
# cons-4444444444444 is a placeholder for the ConstraintId returned above.
aws servicecatalog list-constraints-for-portfolio --portfolio-id port-1111111111111
aws servicecatalog describe-constraint --id cons-4444444444444

 

-- 10. ポートフォリオへのアクセス権限をエンドユーザへ付与


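# Grant the end user (testuser) access to the portfolio. The account id in the
# principal ARN is derived from the current credentials instead of the
# 999999999999 placeholder; stop if the identity lookup fails.
account_id=$(aws sts get-caller-identity --query Account --output text) || exit 1
aws servicecatalog associate-principal-with-portfolio \
  --portfolio-id port-1111111111111 \
  --principal-type IAM \
  --principal-arn "arn:aws:iam::${account_id}:user/testuser"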

# Confirm testuser now appears among the portfolio's principals.
aws servicecatalog list-principals-for-portfolio --portfolio-id port-1111111111111

 

 

-- 11. エンドユーザーで動作確認

サービスカタログではt2.microかt2.smallしか選べない

 


-- 12. クリーンアップ

-- プロビジョニングされた製品の終了

-- ポートフォリオからユーザを削除

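# Cleanup: remove testuser from the portfolio. The account id is derived from the
# current credentials instead of the 999999999999 placeholder; stop if the lookup fails.
aws servicecatalog list-principals-for-portfolio --portfolio-id port-1111111111111

account_id=$(aws sts get-caller-identity --query Account --output text) || exit 1
aws servicecatalog disassociate-principal-from-portfolio \
  --portfolio-id port-1111111111111 \
  --principal-arn "arn:aws:iam::${account_id}:user/testuser"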


-- ポートフォリオから制約を削除

# Cleanup: list the portfolio's constraints, then delete the template constraint
# and the launch constraint (ids are placeholders for the ones created in 8 and 9).
aws servicecatalog list-constraints-for-portfolio --portfolio-id port-1111111111111

aws servicecatalog delete-constraint --id cons-3333333333333
aws servicecatalog delete-constraint --id cons-4444444444444

-- ポートフォリオから製品を削除

# Cleanup: detach the product from the portfolio (both ids are placeholders).
aws servicecatalog disassociate-product-from-portfolio \
  --portfolio-id port-1111111111111 \
  --product-id prod-2222222222222

 

-- 製品の削除

# Cleanup: look the product up by name, then delete it by id
# (prod-2222222222222 is a placeholder for the id shown by describe-product-as-admin).
aws servicecatalog describe-product-as-admin --name product01
aws servicecatalog delete-product --id prod-2222222222222

 

 


-- ポートフォリオの削除


# Cleanup: list and inspect the portfolio, then delete it. Deletion only succeeds
# once the products, constraints and principals above have been detached.
aws servicecatalog list-portfolios
aws servicecatalog describe-portfolio --id port-1111111111111
aws servicecatalog delete-portfolio --id port-1111111111111


-- バケットの削除

# Cleanup: remove the template bucket. --force deletes every object in it first,
# so make sure the bucket name is really the one created in step 5.
aws s3 ls
aws s3 rb --force s3://bucket123


-- IAMロールの削除
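# Cleanup: confirm role01 exists, detach policy01 from it, then delete it.
# Filtering with --query replaces piping the JSON through grep; the account id is
# derived from the current credentials instead of the 999999999999 placeholder.
aws iam list-roles --query "Roles[?RoleName=='role01']"

account_id=$(aws sts get-caller-identity --query Account --output text) || exit 1
aws iam detach-role-policy \
  --role-name role01 \
  --policy-arn "arn:aws:iam::${account_id}:policy/policy01"

aws iam delete-role --role-name role01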


-- IAMポリシーの削除
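# Cleanup: confirm policy01 exists among this account's customer-managed policies
# (--scope Local skips AWS-managed ones), then delete it. Filtering with --query
# replaces piping the JSON through grep; the account id is derived from the current
# credentials instead of the 999999999999 placeholder. Delete fails while the policy
# is still attached to role01, so run the role cleanup first.
aws iam list-policies --scope Local --query "Policies[?PolicyName=='policy01']"

account_id=$(aws sts get-caller-identity --query Account --output text) || exit 1
aws iam delete-policy --policy-arn "arn:aws:iam::${account_id}:policy/policy01"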