This documentation supports the 25.1 version of BMC Helix Digital Workplace Basic and BMC Helix Digital Workplace Advanced. Icons distinguish capabilities available only for the Advanced and External license levels. For more information, see License types and features. To view an earlier version, select the version from the Product version menu.

AWS Service Catalog connector in Cloud Action


AWS Service Catalog is a catalog of IT services such as servers, software, and databases that are approved for Amazon Web Services. Catalog administrators can offer these products and services to BMC Helix Digital Workplace end users by using the connector in Cloud Action.

You can import AWS Service Catalog in one of the following ways:

  • (If you do not want to use the end-of-life product BMC Helix Integration Service subscription) Use the connector in Cloud Action. Follow the instructions in this topic for details. 
  • (If you want to continue the BMC Helix Integration Service subscription) Use the connector in BMC Helix Integration Service. For more information, see AWS-Service-Catalog-connector-in-BMC-Helix-Integration-Service



Important

If you have already imported the products and services in AWS Service Catalog by using the connector in BMC Helix Integration Service, you do not need to reimport the services. However, if you want to import new products and services from AWS Service Catalog, you can use the connector in Cloud Action.


Service import best practices

  • Identify and import only those services that are specified in the product portfolio created for BMC Helix Digital Workplace Catalog.
  • Products in AWS Service Catalog can have multiple versions. Each AWS Product version for BMC Helix Digital Workplace Catalog is imported as a separate service.

    For example, a Dynamo product with three versions in AWS Service Catalog is imported to BMC Helix Digital Workplace Catalog as three services:

    • DynamoDB - 1
    • DynamoDB - 2
    • DynamoDB - 3
  • After importing services, the associated questions are not marked as required, even when provisioning requires them. Therefore, you must set the questions to Required. 



Before you begin

Make sure you register an account in the AWS Cloud. For information about the AWS Service Catalog account creation, see Create and activate the AWS Service Catalog account in the Amazon documentation.


Workflow to configure the AWS Service Catalog connector

The following table describes the tasks to configure the AWS Service Catalog connector and import the AWS catalog services in BMC Helix Digital Workplace Catalog:

Task 1
  Product: AWS Management Console
  Action: Create an AWS authentication user role and IAM user for BMC Helix Digital Workplace Catalog. Identify all permissions that your AWS Service Catalog portfolio requires and add them to the user.

Task 2
  Product: AWS Management Console
  Action: Add permissions and constraints so that end users can use the imported services.

Task 3
  Product: BMC Helix Digital Workplace Catalog
  Action: Add and configure the AWS Service Catalog connector in Cloud Action, and establish the connection between the AWS Service Catalog instance and BMC Helix Digital Workplace Catalog.

Task 4
  Product: BMC Helix Digital Workplace Catalog
  Action: Import the services and products from AWS Service Catalog to BMC Helix Digital Workplace Catalog so that end users can request them from the end-user console.


Task 1: To create an AWS authentication user role and IAM user for Catalog

Warning

The list of permissions can vary depending on the products in your AWS Service Catalog portfolio. To successfully configure the AWS Service Catalog connector, you must identify and add all permissions that your portfolio items require. For example, if you have Amazon EC2 in your portfolio, you may need to add the AmazonEC2ReadOnlyAccess policy for your IAM user and update the Inline policy to include actions that will terminate instances for Amazon EC2. 

  1. Create an IAM user; see IAM users for details.
    The IAM user should have the following policies:
    • AmazonS3ReadOnlyAccess
    • AWSServiceCatalogAdminReadOnlyAccess
    • Inline policy, as shown in the following code block:

      {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "GetUser",
           "Effect": "Allow",
           "Action": "iam:GetUser",
           "Resource": "arn:aws:iam::<Your AWS account Id>:user/<your IAM user name>"
          },
         {
           "Sid": "TerminateInstances",
           "Effect": "Allow",
           "Action": [
             "servicecatalog:TerminateProvisionedProduct"
           ],
           "Resource": "*"
         }
       ]
      }
      The following example shows the inline policy when Amazon EC2 is added to the portfolio. Replace the Resource value of the GetUser statement with the ARN of your IAM user.

      Important

      The actual inline policy can differ, and it depends on the requirements of a specific portfolio item.

      {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "GetUser",
                 "Effect": "Allow",
                 "Action": "iam:GetUser",
                 "Resource": "arn:aws:iam::<Your AWS account Id>:user/<your IAM user name>"
             },
             {
                 "Sid": "TerminateInstances",
                 "Effect": "Allow",
                 "Action": [
                     "servicecatalog:TerminateProvisionedProduct",
                     "ec2:TerminateInstances",
                     "ec2:Describe*",
                     "ec2:ImportKeyPair"
                 ],
                 "Resource": "*"
             }
         ]
      }
  2. Generate an Access Key ID and a Secret Access Key for the added user. See Access keys in the AWS console for details.

  3. Create an authentication role for the AWS service by following the instructions in Creating a role to delegate permissions to an IAM user.
    Use the following values for the parameters:

    Policy:
    • AWSServiceCatalogEndUserFullAccess
    • AmazonS3ReadOnlyAccess
    • Inline policy for the products in your AWS Service Catalog portfolio, if required. For example, if you have Amazon EC2 in your portfolio, the inline policy might be as follows:

      {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "RunAndTerminateInstances",
                 "Effect": "Allow",
                 "Action": [
                     "ec2:TerminateInstances",
                     "ec2:Describe*",
                     "ec2:RunInstances"
                 ],
                 "Resource": "*"
             }
         ]
      }

    Trusted entity type: AWS service

    (Image: 1_trusted_entity_for_aws_role_updated.png, showing the trusted entity type selected for the role.)

  4. Update the trust policy from the Summary page of the IAM role by selecting Trust Relationships > Edit trust policy.
  5. Modify the JSON by adding the following rows to the Principal element of the trust policy statement:

    "Principal": {
        "Service": "servicecatalog.amazonaws.com",
        "AWS": "arn:aws:iam::<Your AWS account Id>:user/<your IAM user name>"
    }

    (Image: 2_edit_role_trust_policy_updated.png, showing an example of the modified trust policy JSON.)


  6. Review the value of the Role ARN field, and copy it to the clipboard or save it to a local file.

    (Image: 3_role_summary_page.png, showing the Summary page of the added role.)

    Important

    The policies mentioned here are the basic ones you need. The list of policies depends on the products in your AWS Service Catalog portfolio.
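As an added check that is not part of the BMC documentation, the following Python script lints the two policy documents that Task 1 produces, the role trust policy from step 5 and the IAM user's inline policy from step 1, for the scoping the task relies on: only Service Catalog and the connector's own IAM user may assume the role, iam:GetUser is pinned to that user's ARN, and no action grants a whole service. The account ID and user name are constructed placeholders.

```python
import json

# Constructed placeholders standing in for <Your AWS account Id> and <your IAM user name>.
USER_ARN = "arn:aws:iam::123456789012:user/dwp-catalog-connector"
SC_SERVICE = "servicecatalog.amazonaws.com"

# Trust policy as Task 1 step 5 leaves it: only Service Catalog and the connector's IAM user may assume the role.
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": SC_SERVICE, "AWS": USER_ARN}}]})

# The IAM user's inline policy for a portfolio that contains Amazon EC2 (Task 1 step 1).
INLINE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "GetUser", "Effect": "Allow", "Action": "iam:GetUser", "Resource": USER_ARN},
    {"Sid": "TerminateInstances", "Effect": "Allow", "Resource": "*",
     "Action": ["servicecatalog:TerminateProvisionedProduct", "ec2:TerminateInstances",
                "ec2:Describe*", "ec2:ImportKeyPair"]}]})

def _as_list(value):
    """IAM accepts either a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc, user_arn):
    """Return findings; empty means only Service Catalog and user_arn can assume the role."""
    findings = []
    for stmt in json.loads(doc)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # shorthand for "any principal", reported below
            principal = {"AWS": "*"}
        for arn in _as_list(principal.get("AWS", [])):
            if arn != user_arn:
                findings.append(f"unexpected AWS principal {arn!r}")
        for svc in _as_list(principal.get("Service", [])):
            if svc != SC_SERVICE:
                findings.append(f"unexpected service principal {svc!r}")
    return findings

def check_inline_policy(doc, user_arn):
    """Flag iam:GetUser not pinned to the connector's own user, and whole-service wildcards."""
    findings = []
    for stmt in json.loads(doc)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if "iam:GetUser" in actions and _as_list(stmt.get("Resource")) != [user_arn]:
            findings.append("iam:GetUser should be limited to the connector's own user ARN")
        findings += [f"{a!r} grants a whole service" for a in actions if a == "*" or a.endswith(":*")]
    return findings
```

Run the two checks against the documents you pasted into the AWS console before saving the connector; an empty findings list for both means the role and user are scoped as Task 1 describes.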


Task 2: To add permissions for end users to use the imported services

Complete the following procedures to grant access for services to BMC Helix Digital Workplace end users: 

  1. Create a product portfolio in the AWS Service Catalog; see Create an AWS Service Catalog portfolio.

  2. Add AWS Service Catalog products to your portfolio; see Adding AWS Marketplace products to your portfolio.

  3. Add your IAM user and IAM role to the product portfolio; see Grant end users access to the portfolio.

  4. Add constraints to the products in your portfolio; see Using AWS Service Catalog Constraints.

    (Image: 7_portfolio_example_updated.png, showing an example of a portfolio created for BMC Helix Digital Workplace Catalog.)

    When an end user requests a product specified in the Constraints section, the product is launched in the AWS console. A tag record about the user who requested a product is recorded in the AWS Console for all created resources and provisioned products.

    (Image: 8_product_details_provisioningPrincipalArn.png, showing the aws:servicecatalog:provisioningPrincipalArn tag with the value that contains the login ID of the user who requested the service.)


Task 3: To configure the AWS Service Catalog connector from Cloud Action in BMC Helix Digital Workplace Catalog

  1. As a Catalog administrator, log in to BMC Helix Digital Workplace Catalog.
  2. Navigate to Services > Connectors.
  3. To create a connection, click New Connection.
  4. In the Connection Name field, type a meaningful name.

    Example: AWS Service Catalog

  5. From the Connector list, select AWS Catalog.
  6. Click Save.
  7. In the Connection Options pane, complete the following fields:
    1. Access Key ID—Enter the Access Key ID that you generated in Task 1.
    2. Secret access key—Enter the Secret access key that you generated in Task 1.
    3. Role—Enter the authentication role that you created for the user in Task 1.
    4. Region—Enter the region of the AWS Service Catalog instance.

      (Image: AWS Service Catalog connector config in DWP.png, showing an example of the AWS Service Catalog connector configuration.)

  8. Click Save.
  9. To verify the connection, on the Connector Management page, see the Status column. 

    A successful connection is denoted by the Connected status. 


Task 4: To import the product and services from AWS Service Catalog

After the connection between AWS Service Catalog and BMC Helix Digital Workplace Catalog is successful, you can import the products and services. Perform the steps in Importing-service-catalog-items-from-external-systems to import the product and services from AWS Service Catalog.

After a service is imported, both workflows and questionnaires are successfully imported from the AWS Service Catalog. For an example of a workflow, see Requesting services from AWS Service Catalog.

You can update the services or verify and publish them for the end users. For more information, see Approving-and-publishing-services.


Results

The following components of the services are imported from AWS Service Catalog:

Service profile details

The service profile details from AWS Service Catalog are mapped to the following fields in BMC Helix Digital Workplace Catalog:

  • Product - Version Description—Is mapped to the service excerpt
  • Product Description—Is mapped to the service description

When a service is imported from AWS Service Catalog, it has the AWS default logo. This logo is the same for all services imported from AWS Service Catalog.

Workflow

An imported workflow includes the following actions:

  • Specific actions available through AWS Service Catalog connector
  • Common workflow actions such as Send Email, Track External Activity, Build Input Set, and Receive Task. For more information about these workflow elements, see Workflow-designer-elements-overview.

An imported workflow can contain one or more Build Input Set elements that contain Parameters and TagOptions. Each element can have a maximum of 10 of them. The Launch AWS Catalog Product element contains all answers provided to the questions to provision a new virtual machine in AWS.

If an imported service includes the Send Email workflow element, an email is sent to end users who request this service from the AWS Service Catalog. End users receive emails when services are successfully provisioned and when provisioning fails in the AWS Console.

Emails are sent to service requesters only if the SMTP settings are configured in BMC Helix Digital Workplace. 

Questionnaire

All questions and parameters associated with the product template are imported from the AWS Service Catalog. A questionnaire attached to an imported service can include process questions from the following information in the AWS Console:

  • AWS template
    Process questions available in a questionnaire are based on the template used to create the product in the AWS console. The questionnaire can have questions that require user input as well as questions with default values such as:
    • ReadCapacityUnits
    • WriteCapacityUnits
    • HashKeyElementType

    The following table describes some questions that require user input:

    ProvisionedProductName
      Name of a product provisioned in AWS.
      Important: This value must be unique in the AWS Service Catalog console, and must not contain spaces.

    Public key of the key pair to enable SSH access
      Value of the public key required to connect to an AWS instance.
      End users who request an AWS service need to generate a key pair (private and public key) by using any third-party tool. The end users must keep the private key safe, and enter the public key value into a text area.

    HashKeyElementName
      Name of a key pair saved in the AWS Service Catalog console. This value is required to launch an AWS instance.
      During the launch of a product, a unique key pair name is created inside the EC2 Console, in the Parameters > KeyPairName section. Each time an end user requests a product by using the public key, the same public key name is reused.


  • AWS specific parameters
    An imported questionnaire can include AWS specific parameters. For details about these parameters, see AWS specific parameters.

    Important

    A questionnaire in BMC Helix Digital Workplace with a selection question that should retrieve the Security Group IDs data set from the AWS Console displays the Group Names data set. When an end user selects any security group name value from the list, the value of the group ID is displayed.

    A questionnaire in BMC Helix Digital Workplace with a selection question that should retrieve the Route 53 Hosted IDs data set from the AWS Console, displays the Route 53 Hosted Names data set. When an end user selects any hosted name value from the list, the value of the hosted ID is displayed.


  • Tag options
    TagOptions are imported from a portfolio and a product. TagOptions are imported as questions. The TagOptions questions can have default values or a few values to select from.

Workflow actions

The AWS Service Catalog connector provides the Launch Service Catalog Product action available from the Connector workflow element. This action launches a service in the AWS Service Catalog.

This action cannot be edited. The parameters of the action can be viewed in the JSON view. 

Default service actions

The AWS Service Catalog connector provides a predefined service action: Terminate. It is available for end users who have requested AWS services. By using this action, end users can terminate the provisioned service. When the provisioned service is terminated, it is not available to them on their My Stuff page. For more details about predefined service actions, see Setting-up-the-My-Stuff-page.

