AWS Service Catalog connector
AWS Service Catalog allows IT administrators to create and manage product portfolios, and distribute products from these portfolios to end users. The end users use a personalized portal to access the products. Typical products include servers, databases, websites, or applications that are deployed by using the Amazon Web Services resources (for example, an Amazon EC2 instance or an Amazon RDS database).
The AWS Service Catalog connector enables catalog administrators and internal service suppliers to import services from AWS Service Catalog available in the Amazon Cloud, and provision these services to end users via the BMC Digital Workplace end user console.
AWS Service Catalog connector is connected to BMC Digital Workplace Catalog via integration with the BMC Integration Service. For more details about this integration type, see Service connector overview.
Before you begin
- Register an account in the AWS Cloud. For information about the AWS Service Catalog account creation, see in the Amazon documentation.
- Configure a connection to BMC Integration Service in the Application Settings of BMC Digital Workplace Catalog. For details about how to configure the connection, see Integrating BMC Digital Workplace Catalog with BMC Helix Integration Service.
To configure AWS Service Catalog connector
You must configure AWS Service Catalog connector before you can use its capabilities.
- In the AWS Management Console, an AWS administrator must create an AWS authentication user role and IAM user for BMC Digital Workplace Catalog.
- In the BMC Integration Studio, a tenant administrator must configure the AWS Service Catalog connector.
- In BMC Digital Workplace Catalog, a catalog administrator must configure a connection with AWS Service Catalog.
- In the AWS Management Console, the AWS administrator must add permissions for end users to use services imported from AWS Service Catalog.
Step 1: Create an AWS authentication user role and IAM user for BMC Digital Workplace Catalog
As an administrator of AWS Service Catalog, perform the following steps:
- Create an IAM user. See for details.
- Generate an Access Key ID and a Secret Access Key for the added user. See for details.
- Create an authentication role for the AWS service. See
Use the following values to create this role:
- Type of trusted entity—AWS service
- After you have the role created, update the trust policy by adding the following rows to the JSON:
"AWS": "arn:aws:iam::<Your AWS account Id>:user/<your AIM user name>"
From the Summary page of your role, select Trust Relationships > Edit Trust Relationship, and modify the JSON as shown in the following image:
The following image shows the Summary page of the added role. Review the value of the Role ARN field, and copy it to the clipboard or save it to a local file.
Step 2: Configure a connection between BMC Integration Service and AWS Service Catalog
As a tenant administrator of the BMC Integration Service, perform the following steps to configure a connection between BMC Integration Service and AWS Service Catalog:
To create a configuration for the AWS Service Catalog connector
Follow the instructions in the BMC Integration Service documentation to create the configuration for the AWS Service Catalog connector.
Additionally, configure the following fields:
- Region—The value of the AWS region.
- DWP Role—The value corresponds to the value of the Role ARN field.
The following example shows added configuration:
To add an account for the AWS Service Catalog connector
Follow the instructions in the BMC Integration Service documentation to create an account.
Complete the Access Key ID and the Secret Access Key fields with the values of your IAM user.
The following example shows an added account:
Step 3: Add and configure the AWS Service Catalog connector in BMC Digital Workplace Catalog
Follow the instructions in Configuring service connectors to create a connection with AWS Service Catalog connector.
The following table describes the parameters required to create a connection:
Configuration for us-east
Configuration of the connector added in the BMC Integration Service.
Account name created in the BMC Integration Service. It corresponds to the access key ID for the AWS Service Catalog.
Step 4: Add permissions for end users to use services imported from the AWS Service Catalog
Complete the following procedures to grant access for services to BMC Digital Workplace end users:
- Create a product portfolio in the AWS Service Catalog. See .
Add AWS Service Catalog products to your portfolio. See .
Add your IAM role to the product portfolio. See .
Add constraints to the products in your portfolio. See .
You must add the Launch constraint for each product that you add to your portfolio. Without this constraint, end users will be able to find a service in the BMC Digital Workplace end user console, but the service request will fail.
The following image shows an example of a portfolio created for BMC Digital Workplace Catalog.
When an end user uses the BMC Digital Workplace end user console to request a product specified in the Constraints section, the product is launched in the AWS console. A tag record about a user who requested a product is recorded in the AWS Console for all created resources and provisioned products.
The following screenshot shows the aws:servicecatalog:provisioningPrincipalArn tag with the value that contains the login ID of the user who requested the service:
Catalog import capabilities
After you configure the AWS Service Catalog connector, you can import services from AWS Service Catalog to BMC Digital Workplace Catalog. For information about how to import services, see Importing service catalog items from external systems.
Import only those services that are specified in the product portfolio created for BMC Digital Workplace Catalog. After you import a service, you can modify the service as required; for example, you can add an SLA or a service price. When the service is ready, make it available to end users, and publish it. For more details about these tasks, see Adding and updating services.
You can import the following details from the AWS Service Catalog:
Products in the AWS Service Catalog can have multiple versions. Each AWS Product version for BMC Digital Workplace Catalog is imported as a separate service.
For example, a Dynamo product with three versions in AWS Service Catalog is imported to BMC Digital Workplace Catalog as three services:
- DynamoDB - 1
- DynamoDB - 2
- DynamoDB - 3
The following details are imported from a product in AWS Service Catalog:
- Product - Version Description—Is mapped to the service excerpt
- Product Description—Is mapped to the service description
When a service is imported from AWS Service Catalog, it has the AWS default logo. This logo is the same for all services imported from AWS Service Catalog.
A service workflow imported from AWS Service Catalog can be viewed in the UI and JSON.
An imported workflow includes specific workflow actions available through AWS Service Catalog connector, and the common workflow actions such as Send Email, Track External Activity, Build Input Set, and Receive Task. For more information about these workflow elements, see Workflow designer elements overview.
Imported workflow can contain one or more Build Input Set elements that contain Parameters and TagOptions, and each element can have a maximum 10 of them.
If an imported service includes the Send Email workflow element, an email is sent to end users to request this service from the AWS Service Catalog. End users receive emails when services are successfully provisioned, and when services were not provisioned (failed in the AWS Console).
Emails are sent to service requesters only if the SMTP settings are configured on the BMC Digital Workplace Catalog server. For more information, see Configuring SMTP for BMC Digital Workplace Catalog.
All questions and data sets associated with the questions are imported from the AWS Service Catalog connector.
Process questions available in a questionnaire are built on a default . The questionnaire can have process questions with default values (such as ReadCapacityUnits, WriteCapacityUnits, HashKeyElementType) and without default values (requiring user input).
The following table describes some questions without default answers:
Name of a product provisioned in AWS.
Note: This value must be unique in the AWS Service Catalog console, and must not contain spaces.
|Public key of the key pair to enable SSH access|
A value of the public key required to connect to an AWS instance.
End users who request an AWS service need to generate a key pair (private and public key) by using any third-party tool. The end users must keep the private key safe, and enter the public key value into a text area (as it is shown in an example of a questionnaire with a public key question).
Name of a key pair saved in the AWS Service Catalog console. This value is required to launch an AWS instance.
During the launch of a product, a unique key pair name is created inside the EC2 Console, in the Parameters > KeyPairName section. Each time an end user requests a product by using the public key, the same pubic key name is reused.
AWS specific parameters
An imported questionnaire can include AWS specific parameters. For details about these parameters, see .
A questionnaire in BMC Digital Workplace with a selection question that should retrieve the Security Group IDs data set from the AWS Console, displays the Group Names data set. When an end user selects any security group name value from the list, the value of the group ID is displayed.
A questionnaire in BMC Digital Workplace with a selection question that should retrieve the Route 53 Hosted IDs data set from the AWS Console, displays the Route 53 Hosted Names data set. When an end user selects any hosted name value from the list, the value of the hosted ID is displayed.
TagOptions are imported from from a portfolio and a product. TagOptions are imported as questions. The TagOptions questions can have default values or a few values to select.
Workflow actions available through AWS Service Catalog connector
The AWS Service Catalog connector provides the Launch Service Catalog Product action available from the Connector workflow element. This action launches a service in the AWS Service Catalog.
This action cannot be edited, and the parameters of this action are not displayed in the UI view, but they can be viewed in the JSON view.
Default service actions
The AWS Service Catalog connector provides a predefined service action: Terminate. It is available for end users who have requested AWS services. By using this action, end users can terminate the provisioned service. When the provisioned service is terminated, it is not available to them on their My Stuff page. For more details about predefined service actions, see Setting up the My Stuff page.
Example of an imported service from the AWS Service Catalog
When a service is imported, both workflows and questionnaires are successfully imported from the AWS Service Catalog.
The following example shows an imported workflow:
The following example shows an imported questionnaire:
The following example shows a service request questionnaire displayed to an end user: