This documentation supports the 23.3 version of BMC Helix Digital Workplace Basic and BMC Helix Digital Workplace Advanced. Icons distinguish capabilities available only for the Advanced and External license levels. For more information, see License types and features.

AWS Service Catalog connector in BMC Helix Integration Service


AWS Service Catalog allows IT administrators to create and manage product portfolios, and distribute products from these portfolios to end users. The end users use a personalized portal to access the products. Typical products include servers, databases, websites, or applications that are deployed by using the Amazon Web Services resources (for example, an Amazon EC2 instance or an Amazon RDS database).

The AWS Service Catalog connector enables catalog administrators and internal service suppliers to import services from AWS Service Catalog available in the Amazon Cloud, and provision these services to end users via the BMC Helix Digital Workplace end user console.


Before you begin

To configure the AWS Service Catalog connector:

  1. In the AWS Management Console, an AWS administrator must create an IAM user and an authentication role for BMC Helix Digital Workplace Catalog.
  2. In BMC Integration Studio, a tenant administrator must configure the AWS Service Catalog connector.
  3. In BMC Helix Digital Workplace Catalog, a catalog administrator must configure a connection with AWS Service Catalog.
  4. In the AWS Management Console, the AWS administrator must add permissions for end users to use services imported from AWS Service Catalog.

Step 1: Create an AWS authentication user role and IAM user for BMC Helix Digital Workplace Catalog

As an administrator of AWS Service Catalog, perform the following steps.

Warning

The list of permissions depends on the products in your AWS Service Catalog portfolio. To configure the AWS Service Catalog connector successfully, you must identify and add all permissions that your portfolio items require. For example, if you have Amazon EC2 in your portfolio, you might need to attach the AmazonEC2ReadOnlyAccess policy to your IAM user and extend the inline policy with the actions that terminate EC2 instances. For the inline policy example, see The inline policy example when Amazon EC2 is added to the portfolio. That example covers one particular case only; the actual list of permissions varies with the requirements of specific portfolio items, even for Amazon EC2.

  1. Create an IAM user. See IAM users for details.
    The IAM user should have the following policies:
    • AmazonS3ReadOnlyAccess
    • AWSServiceCatalogAdminReadOnlyAccess
    • Inline policy:

      {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "GetUser",
           "Effect": "Allow",
           "Action": "iam:GetUser",
           "Resource": "arn:aws:iam::<Your AWS account Id>:user/<your IAM user name>"
          },
         {
           "Sid": "TerminateInstances",
           "Effect": "Allow",
           "Action": [
             "servicecatalog:TerminateProvisionedProduct"
           ],
           "Resource": "*"
         }
       ]
      }
      The inline policy example when Amazon EC2 is added to the portfolio

      Important

      The actual inline policy can differ, and it depends on the requirements of a specific portfolio item.

      {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "GetUser",
                 "Effect": "Allow",
                 "Action": "iam:GetUser",
                 "Resource": "arn:aws:iam::<Your AWS account Id>:user/<your IAM user name>"
             },
             {
                 "Sid": "TerminateInstances",
                 "Effect": "Allow",
                 "Action": [
                     "servicecatalog:TerminateProvisionedProduct",
                     "ec2:TerminateInstances",
                     "ec2:Describe*",
                     "ec2:ImportKeyPair"
                 ],
                 "Resource": "*"
             }
         ]
      }
      The Resource value of the GetUser statement is the ARN of the IAM user created in this step; JSON does not allow comments, so do not leave placeholder markers or comments in the policy you paste into the console.
  2. Generate an Access Key ID and a Secret Access Key for the added user. See Access keys in the AWS console for details.

  3. Create an authentication role for the AWS service. See Creating a role to delegate permissions to an IAM user for details. 
    Use the following values to create this role:
    • Policy
      • AWSServiceCatalogEndUserFullAccess
      • AmazonS3ReadOnlyAccess
      • Inline policy for the products in your AWS Service Catalog portfolio, if required. For example, if you have Amazon EC2 in your portfolio, the inline policy example might be as follows:

        {
           "Version": "2012-10-17",
           "Statement": [
               {
                   "Sid": "RunAndTerminateInstances",
                   "Effect": "Allow",
                   "Action": [
                       "ec2:TerminateInstances",
                       "ec2:Describe*",
                       "ec2:RunInstances"
                   ],
                   "Resource": "*"
               }
           ]
        }

        Important

        The actual inline policy can differ, and it depends on the requirements of a specific portfolio item.

    • Trusted entity type—AWS service
      1_trusted_entity_for_aws_role_updated.png
  4. After the role is created, update its trust policy so that the Principal block lists both the Service Catalog service principal and the IAM user created in step 1:
    "Principal": {
        "Service": "servicecatalog.amazonaws.com",
        "AWS": "arn:aws:iam::<Your AWS account Id>:user/<your IAM user name>"
    }

    From the Summary page of your role, select Trust Relationships > Edit trust policy, and modify the JSON as shown in the following image:
    2_edit_role_trust_policy_updated.png

The following image shows the Summary page of the added role. Review the value of the Role ARN field, and copy it to the clipboard or save it to a local file.
3_role_summary_page.png

Important

The policies mentioned are basic ones you need. The list of policies depends on the products in your AWS Service Catalog portfolio.
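The documents from Step 1, assembled and checked in code. This is an added example, not BMC's or AWS's code: it fills the placeholders of the IAM user's inline policy (with the Amazon EC2 variant), and of the role trust policy from step 4, and runs a small least-privilege audit over both before they are pasted into the AWS console. The account ID, user name and the read-only verb list are sample values and assumptions made for the example.

```python
"""Build and audit the IAM documents from Step 1.

Added example; it is not BMC's or AWS's code. It reproduces the documents
the step describes (the IAM user's inline policy, with the Amazon EC2
variant, and the role's trust policy) with the placeholders filled in,
and runs a small least-privilege audit over them before they are pasted
into the AWS console. The account ID and user name used at the bottom
are made-up sample values.
"""
import json
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")
# Action names starting with these verbs only read state; anything else
# is treated as mutating for the purpose of the audit (an assumption).
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Search")


def user_arn(account_id, user_name):
    """ARN of the IAM user whose access key BMC Helix Integration Service uses."""
    if not ACCOUNT_RE.match(account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    return f"arn:aws:iam::{account_id}:user/{user_name}"


def build_user_inline_policy(account_id, user_name, ec2_in_portfolio=False):
    """Inline policy from step 1; ec2_in_portfolio adds the EC2 actions shown on the page."""
    terminate = ["servicecatalog:TerminateProvisionedProduct"]
    if ec2_in_portfolio:
        terminate += ["ec2:TerminateInstances", "ec2:Describe*", "ec2:ImportKeyPair"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "GetUser", "Effect": "Allow", "Action": "iam:GetUser",
             "Resource": user_arn(account_id, user_name)},
            {"Sid": "TerminateInstances", "Effect": "Allow",
             "Action": terminate, "Resource": "*"},
        ],
    }


def build_role_trust_policy(account_id, user_name):
    """Trust policy from step 4: Service Catalog and the IAM user may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "servicecatalog.amazonaws.com",
                          "AWS": user_arn(account_id, user_name)},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    name = action.split(":", 1)[-1]
    return name.startswith(READ_ONLY_PREFIXES)


def audit_permission_policy(policy):
    """Return findings a reviewer should look at; an empty list means none."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in actions or any(a.endswith(":*") for a in actions):
            findings.append(f"{sid}: grants every action of a service")
        mutating = [a for a in actions if not is_read_only(a)]
        if "*" in resources and mutating:
            findings.append(f"{sid}: Resource '*' combined with mutating actions {mutating}")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: NotAction/NotResource inverts the allow list")
    return findings


def audit_trust_policy(policy):
    """Flag trust policies that let more than the one IAM user assume the role."""
    findings = []
    for st in policy["Statement"]:
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append("any principal may assume the role")
        findings += [f"{p}: account-wide trust instead of the single IAM user"
                     for p in aws_principals if p.endswith(":root")]
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            findings.append("statement does not grant sts:AssumeRole")
    return findings


if __name__ == "__main__":
    account, user = "123456789012", "dwp-catalog-user"   # sample values
    policy = build_user_inline_policy(account, user, ec2_in_portfolio=True)
    print(json.dumps(policy, indent=2))
    for finding in audit_permission_policy(policy):
        print("REVIEW:", finding)
    print(json.dumps(build_role_trust_policy(account, user), indent=2))
```

Running it prints one finding for the TerminateInstances statement: the page's own policy grants terminate actions on Resource "*", because the provisioned products do not exist yet when the policy is written. The audit does not remove that grant; it makes the reviewer accept it consciously, and it catches the mistakes that are not acceptable, such as trusting the whole account (":root") or any principal in the role's trust policy.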

Step 2: Configure a connection between BMC Helix Integration Service and AWS Service Catalog

As a tenant administrator of BMC Helix Integration Service, perform the following steps to configure a connection between BMC Helix Integration Service and AWS Service Catalog:

To create a configuration for the AWS Service Catalog connector

Follow the Adding or updating a configuration instructions in the BMC Helix Integration Service documentation to create the configuration for the AWS Service Catalog connector.

Additionally, configure the following fields: 

  • Region—The AWS region to connect to.
  • DWP Role—The Role ARN of the authentication role created in Step 1.

The following example shows added configuration:

4_integration_studio_config_updated1.png

To add an account for the AWS Service Catalog connector

Follow the Adding accounts instructions in the BMC Helix Integration Service documentation to create an account.

Complete the Access Key ID and the Secret Access Key fields with the values of your IAM user.

5_adding_aws_account_to_ints_updated.png

The following example shows an added account:

6_added_account_updated.png

Step 3: Add and configure the AWS Service Catalog connector in BMC Helix Digital Workplace Catalog

Follow the instructions in Configuring-service-connectors to create a connection with AWS Service Catalog connector.

The following parameters are required to create a connection:

  • Configuration (example: Configuration for us-east)—Configuration of the connector added in BMC Helix Integration Service.
  • Profile (example: IT admin)—Account name created in BMC Helix Integration Service. It corresponds to the access key ID for the AWS Service Catalog.

Step 4: Add permissions for end users to use services imported from the AWS Service Catalog

Complete the following procedures to grant access for services to BMC Helix Digital Workplace end users: 

  1. Create a product portfolio in the AWS Service Catalog. See Create an AWS Service Catalog portfolio.

  2. Add AWS Service Catalog products to your portfolio. See Adding AWS Marketplace products to your portfolio.

  3. Add your IAM user and IAM role to the product portfolio. See Grant end users access to the portfolio.

  4. Add constraints to the products in your portfolio. See Using AWS Service Catalog Constraints.

    Important

    You must add a Launch constraint for each product that you add to your portfolio. Without this constraint, end users can find the service in the BMC Helix Digital Workplace end user console, but the service request fails.

The following image shows an example of a portfolio created for BMC Helix Digital Workplace Catalog.

7_portfolio_example_updated.png

When an end user requests a product that has a Launch constraint from the BMC Helix Digital Workplace end user console, the product is launched in AWS. For every provisioned product and every resource it creates, AWS records a tag that identifies the user who requested the product.

The following screenshot shows the aws:servicecatalog:provisioningPrincipalArn tag, whose value contains the login ID of the user who requested the service:

8_product_details_provisioningPrincipalArn.png
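A way to use that tag for attribution and drift detection, as an added example that is not part of this page or of BMC or AWS code. SAMPLE_RESOURCES is a constructed snapshot in the shape of the Tags lists that EC2 describe calls return, not real output. The example assumes (and labels the assumption) that the DWP role is assumed with the requester's login ID as the STS session name, so the tag value is an assumed-role ARN whose last segment is that login ID; the role name and account number are made up.

```python
"""Attribute provisioned resources to the requesting end user from the
aws:servicecatalog:provisioningPrincipalArn tag described above.

Added example; not BMC or AWS code. SAMPLE_RESOURCES is a constructed
snapshot in the shape of the 'Tags' lists that EC2 describe calls return,
not real output. Assumption, labelled here: the DWP role is assumed with
the requester's login ID as the STS session name, so the tag value is an
assumed-role ARN whose last path segment is that login ID. Role name and
account number are made up.
"""
import re
from collections import defaultdict

PRINCIPAL_TAG = "aws:servicecatalog:provisioningPrincipalArn"
# arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$")

SAMPLE_RESOURCES = [  # constructed for the example
    {"ResourceId": "i-0a1b2c3d4e5f60001",
     "Tags": [{"Key": PRINCIPAL_TAG,
               "Value": "arn:aws:sts::123456789012:assumed-role/DWP-Role/alice"},
              {"Key": "Name", "Value": "web-01"}]},
    {"ResourceId": "i-0a1b2c3d4e5f60002",
     "Tags": [{"Key": PRINCIPAL_TAG,
               "Value": "arn:aws:sts::123456789012:assumed-role/DWP-Role/bob"}]},
    {"ResourceId": "i-0a1b2c3d4e5f60003",          # created outside the connector
     "Tags": [{"Key": "Name", "Value": "manual-box"}]},
    {"ResourceId": "i-0a1b2c3d4e5f60004",          # provisioned through another role
     "Tags": [{"Key": PRINCIPAL_TAG,
               "Value": "arn:aws:sts::123456789012:assumed-role/OtherRole/mallory"}]},
]


def requester_from_arn(value, expected_account, expected_role):
    """Login ID from the tag value, or None if it is not the DWP role in our account."""
    match = ASSUMED_ROLE_RE.match(value)
    if not match:
        return None
    account, role, session = match.groups()
    if account != expected_account or role != expected_role:
        return None
    return session


def attribute_resources(resources, expected_account, expected_role):
    """Group resource IDs by requester; also list untagged and foreign ones.

    Untagged resources were not provisioned through Service Catalog at all;
    foreign ones carry the tag but were launched by a different role or
    account, so their session name must not be trusted as a DWP requester.
    """
    by_requester = defaultdict(list)
    untagged, foreign = [], []
    for res in resources:
        tags = {t["Key"]: t["Value"] for t in res.get("Tags", [])}
        if PRINCIPAL_TAG not in tags:
            untagged.append(res["ResourceId"])
            continue
        who = requester_from_arn(tags[PRINCIPAL_TAG], expected_account, expected_role)
        if who is None:
            foreign.append(res["ResourceId"])
        else:
            by_requester[who].append(res["ResourceId"])
    return dict(by_requester), untagged, foreign


if __name__ == "__main__":
    grouped, untagged, foreign = attribute_resources(SAMPLE_RESOURCES, "123456789012", "DWP-Role")
    for login, ids in grouped.items():
        print(f"{login}: {', '.join(ids)}")
    print("not provisioned via Service Catalog:", untagged)
    print("provisioned by another principal:", foreign)
```

The role and account check matters: the tag records whichever principal called Service Catalog, so a resource tagged by a different role is not a BMC Helix Digital Workplace request even if its session name looks like a login ID.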

Catalog import capabilities

After you configure the AWS Service Catalog connector, you can import services from AWS Service Catalog to BMC Helix Digital Workplace Catalog. For information about how to import services, see Importing-service-catalog-items-from-external-systems. When a service is imported, both workflows and questionnaires are successfully imported from the AWS Service Catalog.

Import only those services that are specified in the product portfolio created for BMC Helix Digital Workplace Catalog. After you import a service, you can modify the service as required; for example, you can add an SLA or a service price. When the service is ready, make it available to end users, and publish it. For more details about these tasks, see Adding-and-updating-services.

You can import the following details from the AWS Service Catalog:

Important

Products in the AWS Service Catalog can have multiple versions. Each AWS Product version for BMC Helix Digital Workplace Catalog is imported as a separate service.

For example, a DynamoDB product with three versions in AWS Service Catalog is imported to BMC Helix Digital Workplace Catalog as three services:

  • DynamoDB - 1
  • DynamoDB - 2
  • DynamoDB - 3

Profile details

The following details are imported from a product in AWS Service Catalog:

  • Product - Version Description—Is mapped to the service excerpt
  • Product Description—Is mapped to the service description

Important

When a service is imported from AWS Service Catalog, it has the AWS default logo. This logo is the same for all services imported from AWS Service Catalog.

Workflow

A service workflow imported from AWS Service Catalog can be viewed in the UI view and in the JSON view.

An imported workflow includes the specific workflow actions available through the AWS Service Catalog connector, and the common workflow actions such as Send Email, Track External Activity, Build Input Set, and Receive Task. For more information about these workflow elements, see Workflow-designer-elements-overview.

An imported workflow can contain one or more Build Input Set elements that hold Parameters and TagOptions; each element can hold a maximum of 10 of them.

If an imported service includes the Send Email workflow element, end users who request the service receive an email when the service is successfully provisioned, and another when provisioning fails in AWS.

Important

Emails are sent to service requesters only if the SMTP settings are configured on the BMC Helix Digital Workplace Catalog server.

Questionnaire

All questions, and the data sets associated with them, are imported through the AWS Service Catalog connector.

Best practice
For the imported questionnaire, we recommend that you set all questions to Required.

A questionnaire attached to an imported service can include process questions built on the following information from the AWS Console:

AWS template

Process questions available in a questionnaire are built on a default AWS Dynamo DB template. The questionnaire can have process questions with default values (such as ReadCapacityUnits, WriteCapacityUnits, HashKeyElementType) and without default values (requiring user input).

The following questions have no default answers:

  • ProvisionedProductName—Name of a product provisioned in AWS.
    Note: This value must be unique in the AWS Service Catalog console, and must not contain spaces.
  • Public key of the key pair to enable SSH access—Value of the public key required to connect to an AWS instance.
    End users who request an AWS service must generate a key pair (private and public key) by using any third-party tool. They must keep the private key safe and paste only the public key value into the text area (as shown in the example of a questionnaire with a public key question).
  • KeyPairName—Name of the key pair saved in the EC2 console. This value is required to launch an AWS instance.
    During the launch of a product, a unique key pair name is created in the EC2 console, in the Parameters > KeyPairName section. Each time an end user requests a product by using the same public key, the same key pair name is reused.
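Checks a catalog administrator can put in front of the two free-text answers above, as an added example that is not BMC or AWS code. The public-key check parses the OpenSSH public key wire format (base64 of length-prefixed fields), so a pasted private key, a truncated blob, a key labelled with the wrong type or a short RSA key is rejected at the questionnaire instead of failing later at ec2:ImportKeyPair. The minimum RSA size, the accepted key types and the name character set beyond "unique, no spaces" are assumptions chosen for the example; the keys produced by make_sample_public_key are constructed fixtures, not real key pairs.

```python
"""Check the two free-text questionnaire answers described in the table
above before they are submitted: ProvisionedProductName and the SSH public key.

Added example; not BMC or AWS code. The public-key check parses the OpenSSH
public key wire format (base64 of length-prefixed fields), so a pasted
private key, a truncated blob, a mislabelled key or a short RSA key is
rejected at the questionnaire instead of failing later at ec2:ImportKeyPair.
The minimum RSA size, the accepted key types and the name character set
beyond "unique, no spaces" are assumptions chosen for the example; the
sample keys produced by make_sample_public_key are constructed fixtures,
not real key pairs.
"""
import base64
import re
import struct

MIN_RSA_BITS = 2048                                   # assumption
ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa"}        # assumption
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")  # assumed rule


def validate_provisioned_product_name(name, existing_names):
    """Return the name, or raise ValueError if it is malformed or already used."""
    if " " in name:
        raise ValueError("ProvisionedProductName must not contain spaces")
    if not NAME_RE.match(name):
        raise ValueError("ProvisionedProductName has an unsupported format")
    if name in existing_names:
        raise ValueError(f"ProvisionedProductName {name!r} is already in use")
    return name


def _read_field(blob, pos):
    """Read one length-prefixed SSH field; return (bytes, next position)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated public key")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated public key")
    return blob[pos:pos + length], pos + length


def parse_ssh_public_key(text):
    """Return (key_type, bits) for an OpenSSH public key line, else raise ValueError."""
    text = text.strip()
    if "PRIVATE KEY" in text:
        raise ValueError("a private key was pasted; submit only the public key")
    parts = text.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, encoded = parts[0], parts[1]
    if declared_type not in ALLOWED_KEY_TYPES:
        raise ValueError(f"unsupported key type {declared_type!r}")
    try:
        blob = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("public key body is not valid base64")
    wire_type, pos = _read_field(blob, 0)
    if wire_type != declared_type.encode("ascii"):
        raise ValueError("key type prefix does not match the encoded key")
    if declared_type == "ssh-ed25519":
        point, pos = _read_field(blob, pos)
        if len(point) != 32:
            raise ValueError("malformed ed25519 public key")
        return declared_type, 256
    _exponent, pos = _read_field(blob, pos)      # RSA e (mpint)
    modulus, pos = _read_field(blob, pos)        # RSA n (mpint, may carry a leading 0x00)
    bits = (len(modulus) - (1 if modulus[:1] == b"\x00" else 0)) * 8
    if bits < MIN_RSA_BITS:
        raise ValueError(f"RSA key too small: {bits} bits (minimum {MIN_RSA_BITS})")
    return declared_type, bits


def make_sample_public_key(key_type, rsa_bits=2048):
    """Constructed fixture (not a real key pair): a well-formed OpenSSH public key line."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    if key_type == "ssh-ed25519":
        blob = field(b"ssh-ed25519") + field(bytes(range(32)))
    else:
        modulus = b"\x00" + b"\xff" * (rsa_bits // 8)   # leading 0x00 keeps the mpint positive
        blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)
    return f"{key_type} {base64.b64encode(blob).decode()} requester@example"
```

The wire-type comparison is the part that catches copy-and-paste mistakes: a line that says ssh-rsa but carries an ed25519 blob, or vice versa, would otherwise be sent to AWS as-is.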

AWS specific parameters

An imported questionnaire can include AWS specific parameters. For details about these parameters, see AWS specific parameters.

Important

A selection question in a BMC Helix Digital Workplace questionnaire that should retrieve the Security Group IDs data set from AWS displays the Group Names data set instead. When an end user selects a security group name from the list, the corresponding group ID is shown as the selected value.

A selection question that should retrieve the Route 53 Hosted IDs data set from AWS displays the Route 53 Hosted Names data set instead. When an end user selects a hosted name from the list, the corresponding hosted ID is shown as the selected value.

TagOptions

TagOptions are imported from a portfolio and a product. TagOptions are imported as questions. A TagOptions question can have a default value or a short list of values to select from.

Workflow actions available through AWS Service Catalog connector 

The AWS Service Catalog connector provides the Launch Service Catalog Product action available from the Connector workflow element. This action launches a service in the AWS Service Catalog.

This action cannot be edited, and the parameters of this action are not displayed in the UI view, but they can be viewed in the JSON view. 

Default service actions

The AWS Service Catalog connector provides a predefined service action: Terminate. It is available for end users who have requested AWS services. By using this action, end users can terminate the provisioned service. When the provisioned service is terminated, it is not available to them on their My Stuff page. For more details about predefined service actions, see Setting-up-the-My-Stuff-page.

 
