Setting up the Enterprise Blueprint Factory
This section helps you set up the Enterprise Blueprint Factory in your AWS environment. It includes detailed instructions for setting up the required repositories and the AWS resources for the Enterprise Blueprint Factory.
Prerequisites
The following are the prerequisites for setting up the Enterprise Blueprint Factory in your AWS environment:
- The following AWS accounts:
  - An account that is used to administer the Enterprise Blueprint Factory and to release products
  - One or more accounts that consume the released products
- All accounts are:
  - Managed as an organization in AWS Organizations
  - Located in the same organizational unit (OU)
  - The organization follows the account-per-tenant model
- AWS Command Line Interface (AWS CLI), installed and configured
- Permissions to deploy an AWS CloudFormation stack that creates the following AWS resources:
  - Amazon CloudWatch Logs log group
  - AWS CodePipeline pipelines
  - AWS CodeBuild projects
  - Amazon EventBridge event bus policy and rule
  - AWS Identity and Access Management (IAM) role and policy
  - AWS Key Management Service (AWS KMS) key and key policy
  - AWS Service Catalog portfolios, products, and provisioned products
  - Amazon Simple Notification Service (Amazon SNS) topic, topic policy, and subscription
  - Amazon Simple Storage Service (Amazon S3) buckets
  - AWS Systems Manager Parameter Store parameters
  For more information about setting up these permissions, see the CloudFormation documentation and Implementing policies for least-privilege permissions for AWS CloudFormation.
- A GitHub account
Best practices
We recommend that you follow these best practices when setting up the Enterprise Blueprint Factory in your AWS environment:
- When configuring the permissions necessary to deploy the Enterprise Blueprint Factory, follow the principle of least privilege and grant the minimum permissions required. For more information, see Grant least privilege and Security best practices in the IAM documentation.
- When configuring access to Service Catalog portfolios, follow the principle of least privilege and grant access only to specific roles, users, or administrators. Follow the security best practices for Service Catalog.
Creating the repositories
This section helps you set up the configuration repository and the product repository for the Enterprise Blueprint Factory. To set up your repositories, you fork the GitHub repositories.
To fork the GitHub repositories
- Log in to GitHub.
- Navigate to the Configuration repo GitHub repository.
- Choose Fork.
- On the Create a new fork page, in the Repository name box, enter ServiceCatalog-ConfigRepo.
- (Optional) Enter a description.
- Select Copy the main branch only.
- Choose Create fork.
- Repeat these steps to fork the Code repo GitHub repository. Enter the name ServiceCatalog-CodeRepo for this repository.
- Repeat these steps to fork the Product repo GitHub repository. Enter the name ServiceCatalog-BlueprintProductRepo for this repository.
To create the CodeConnections connection
- In the AWS CLI, enter the following command to create a CodeConnections connection to GitHub:
```bash
aws codeconnections create-connection --provider-type GitHub --connection-name <MyConnection>
```
- Use the AWS Developer Tools console to complete the connection. For more information, see Update a pending connection.
To clone the forked repositories
- Enter the following commands to clone the GitHub repositories to your local workstation:
```bash
git clone git@github.com:<user>/aws-enterprise-blueprint-factory-config-repo ServiceCatalog-ConfigRepo
git clone git@github.com:<user>/aws-enterprise-blueprint-factory-blueprint-repo ServiceCatalog-BlueprintProductRepo
git clone git@github.com:<user>/aws-enterprise-blueprint-factory-code-repo ServiceCatalog-CodeRepo
```
Setting up the Enterprise Blueprint Factory
The instructions in this section describe how to set up the Enterprise Blueprint Factory in your target account. The product repo that you cloned from GitHub contains two sample CloudFormation templates, BP-S3 and BP-SNS. By following these instructions, you deploy these two sample blueprints as products in Service Catalog.
To set up the roles
- In the Blueprint Developer's account, create the following trust policy, and then save it as sc-enduserrole-trust-policy.json. The account ID 123456789012 is an example value; replace it with your own.
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::123456789012:role/ServiceCatalogEndUserRole"
    },
    "Action": "sts:AssumeRole"
  }
}
```
- Enter the following commands to create the ServiceCatalogEndUserRole IAM role:
```bash
aws iam create-role \
  --role-name ServiceCatalogEndUserRole \
  --assume-role-policy-document file://sc-enduserrole-trust-policy.json
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess \
  --role-name ServiceCatalogEndUserRole
```
Note: Developers use the ServiceCatalogEndUserRole role to provision the Service Catalog product. This role does not need permissions to create the resources defined in the blueprint. This follows the best practices of least-privilege permissions and segregation of duties.
- Create the following trust policy, and then save it as sc-launchconstraintrole-trust-policy.json:
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "Service": "servicecatalog.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
  }
}
```
- Enter the following commands to create the ServiceCataloglogLaunchConstraintRole IAM role:
```bash
aws iam create-role \
  --role-name ServiceCataloglogLaunchConstraintRole \
  --assume-role-policy-document file://sc-launchconstraintrole-trust-policy.json
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonSNSFullAccess \
  --role-name ServiceCataloglogLaunchConstraintRole
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSCloudFormationFullAccess \
  --role-name ServiceCataloglogLaunchConstraintRole
```
- Add the following policy to the ServiceCataloglogLaunchConstraintRole IAM role. Include any other permissions that are required for the product resources, as described in Configuring a Launch Role in the Service Catalog documentation:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
        }
      }
    }
  ]
}
```
Note: Service Catalog uses this role to deploy the CloudFormation stack as a product in Service Catalog. The trust policy for this role makes sure that only Service Catalog can assume it. Other users or services cannot assume this role. This follows the best practice of segregation of duties.
- Create the following trust policy, and then save it as sc-codebuild-trust-policy.json:
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "Service": "codebuild.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
  }
}
```
- Enter the following commands to create the codebuild-servicecatalog-admin-role IAM role:
```bash
aws iam create-role \
  --role-name codebuild-servicecatalog-admin-role \
  --assume-role-policy-document file://sc-codebuild-trust-policy.json
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess \
  --role-name codebuild-servicecatalog-admin-role
```
Note: The CodeBuild jobs in the config pipeline use this role.
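The trust boundaries described in the notes above (only Service Catalog may assume the launch role, only the named principal may assume the end-user role, and s3:GetObject is limited to provisioning-tagged objects) can be checked offline before the roles are created. The following script is an added example, not part of the guide; the load_policy helper and the finding messages are this example's own, and the embedded documents are constructed copies of the ones the guide has you save.

```python
# Added example (not from the guide): offline checks for the saved policy documents.
import json

# Constructed copies of the guide's documents, so the checks run stand-alone.
END_USER_TRUST = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/ServiceCatalogEndUserRole"}}}
LAUNCH_TRUST = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "servicecatalog.amazonaws.com"}}}
LAUNCH_S3_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": "*", "Condition": {"StringEquals": {
        "s3:ExistingObjectTag/servicecatalog:provisioning": "true"}}}]}

def load_policy(path):
    # Helper (assumed, not from the guide): read one of the saved JSON files.
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def _as_list(value):
    # IAM allows a bare value or a list for Statement, Action and principal values.
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc, principal_key, expected):
    """Findings (empty means OK): only `expected` may assume the role via `principal_key`."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            findings.append(f"unexpected action {stmt.get('Action')}")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append("trust policy allows any principal")
        elif not isinstance(principal, dict) or set(principal) != {principal_key}:
            findings.append(f"principal must use only the {principal_key} key")
        elif _as_list(principal[principal_key]) != [expected]:
            findings.append(f"expected {expected}, got {principal[principal_key]}")
    return findings

def check_launch_s3_policy(doc):
    """s3:GetObject grants must carry the servicecatalog:provisioning tag condition."""
    tag = "s3:ExistingObjectTag/servicecatalog:provisioning"
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            if stmt.get("Condition", {}).get("StringEquals", {}).get(tag) != "true":
                findings.append("s3:GetObject is not limited to provisioning-tagged objects")
    return findings
```

To check the real files, replace the constructed dictionaries with load_policy("sc-launchconstraintrole-trust-policy.json") and so on; an empty findings list means the document matches what the guide describes.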
To set up the Amazon S3 bucket
- To create an Amazon Simple Storage Service (Amazon S3) bucket that is used to store the CodePipeline artifacts, follow the instructions in Creating a bucket in the Amazon S3 documentation. Follow the Security best practices for Amazon S3.
To set up the AWS Systems Manager parameters
- Follow the instructions in Creating Parameter Store parameters in Systems Manager to create the Systems Manager parameters in the following table. These parameters are used in the CloudFormation template that deploys the configuration pipeline.

| Parameter name | Type | Description |
|---|---|---|
| /blueprints/resources/vpc_id | String | Parameter that stores the ID of the target virtual private cloud (VPC). |
| /blueprints/resources/subnets | StringList | Parameter that stores the IDs of the target subnets. |
| /blueprints/resources/securitygroups | StringList | Parameter that stores the IDs of the target security groups. |
| /blueprints/resources/artifacts-bucket-name | String | Parameter that stores the Amazon S3 bucket name that is used for CodePipeline artifacts. |
| /blueprints/resources/BlueprintRepo | String | Parameter that stores the GitHub repo where the Enterprise Blueprint Factory blueprints are stored. The default value is <user>/aws-enterprise-blueprint-factory-blueprint-repo. |
| /blueprints/resources/CodeRepo | String | Parameter that stores the GitHub repo where the Enterprise Blueprint Factory configuration pipeline code and the Bootstrapping-Admin-Product code are stored. The default value is <user>/aws-enterprise-blueprint-factory-code-repo. |
| /blueprints/resources/ConfigRepo | String | Parameter that stores the GitHub repo where the Enterprise Blueprint Factory configuration files are stored. The default value is <user>/aws-enterprise-blueprint-factory-config-repo. |
To update the CloudFormation templates
- In the code repository (ServiceCatalog-CodeRepo), open the ServiceCatalog-Pipeline.yml file.
- Edit the default values for the following parameters in this file:
  - ConfigRepositoryName is the Systems Manager parameter that stores the GitHub repo where the Enterprise Blueprint Factory configuration files are stored. The default value is /blueprints/resources/ConfigRepo.
  - CodeRepositoryName is the Systems Manager parameter that stores the GitHub repo where the Enterprise Blueprint Factory configuration pipeline code and the Bootstrapping-Admin-Product code are stored. The default value is /blueprints/resources/CodeRepo.
  - BlueprintRepositoryName is the Systems Manager parameter that stores the GitHub repo where the Enterprise Blueprint Factory blueprints are stored. The default value is /blueprints/resources/BlueprintRepo.
  - BranchName is the branch of the config repository where the config file is stored. The default value is main.
  - VPCID is the Systems Manager parameter that stores the ID of the target VPC. The default value is /blueprints/resources/vpc_id.
  - Subnets is the Systems Manager parameter that stores the IDs of the target subnets. The default value is /blueprints/resources/subnets.
  - SecurityGroupIds is the Systems Manager parameter that stores the IDs of the target security groups. The default value is /blueprints/resources/securitygroups.
  - IamRoleName is the name of the IAM role that the CodeBuild jobs use. The default value is codebuild-servicecatalog-admin-role.
  - EnvironmentType is the environment where you are deploying the Enterprise Blueprint Factory. The default value is DEV.
  - ArtifactBucket is the Systems Manager parameter that stores the Amazon S3 bucket where CodePipeline stores artifacts. The default value is /blueprints/resources/artifacts-bucket-name.
  - CodeConnectionArn is the Amazon Resource Name (ARN) of the CodeConnections connection to GitHub.
- Save and close the ServiceCatalog-Pipeline.yml file.
- Enter the following commands to commit and push the changes to the code repository:
```bash
cd ServiceCatalog-CodeRepo
git add ServiceCatalog-Pipeline.yml
git commit -m "<description of change>"
git push origin main
```
- In the configuration repository (ServiceCatalog-ConfigRepo), open the bp_config.yml file.
- Update the values in the portfolio section as needed for your organization. For example, update the portfolio_access_roles and share_to_ou attributes. For more information, see Configuration file in this guide.
- Save and close the bp_config.yml file.
- Enter the following commands to commit and push the changes to the configuration repository:
```bash
cd ServiceCatalog-ConfigRepo
git add bp_config.yml
git commit -m "<description of change>"
git push origin main
```
To deploy the CloudFormation stack
- Sign in to the Enterprise Blueprint Factory administrative account.
- Switch to an IAM role that has administrative permissions.
- Open the CloudFormation console.
- On the navigation bar at the top of the screen, choose the target AWS Region.
- On the Stacks page, choose Create stack at top right, and then choose With new resources (standard).
- For Prepare template, choose Template is ready.
- Under Specify template, choose Upload a template file.
- Choose Choose File, navigate to the ServiceCatalog-CodeRepo folder, and then choose ServiceCatalog-Pipeline.yml.
- Choose Next to continue and to validate the template.
- For Stack name, enter a name for the stack.
- In the Parameters section, do not change the default values.
- Choose Next.
- On the Configure stack options page, do not change the default values, and then choose Next.
- On the Review and create page, verify the template and stack details, and then choose Submit.
- Monitor the progress of the stack deployment. For more information, see the CloudFormation documentation.
- Wait for the status to change to CREATE_COMPLETE.
To validate the deployment
- Open the AWS Service Catalog console.
- In the navigation pane, choose Products.
- Confirm that ServiceCatalog-Pipeline is available in the list of products.
- Open the AWS CodePipeline console.
- In Name, choose the configuration pipeline. By default, the pipeline name is ServiceCatalog-Pipeline.
- Choose View history.
- View the status of the pipeline and stage execution. For more information about the status, see View execution status in the CodePipeline documentation.
- Wait until the configuration pipeline status is Succeeded.
- Open the Service Catalog console.
- In the navigation pane, choose Products.
- Confirm that the BP-S3-Product and BP-SNS-Product products are available. This indicates that the product release pipelines for the sample blueprints completed successfully.
- If you want to delete the sample blueprints that you deployed when setting up the Enterprise Blueprint Factory, follow the instructions in Deleting a blueprint.
Delete the Enterprise Blueprint Factory
If you are not using the Enterprise Blueprint Factory, you can delete it to stop incurring the costs associated with its AWS resources.
To delete the resources
- Enter the following commands to delete the IAM roles that were deployed in the Enterprise Blueprint Factory administrative account. A role cannot be deleted while policies are still attached to it, so every managed policy attached during setup is detached first, and the inline policy added to the launch constraint role is removed (substitute the name you gave that inline policy):
```bash
aws iam detach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess \
  --role-name ServiceCatalogEndUserRole
aws iam delete-role --role-name ServiceCatalogEndUserRole
aws iam detach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AmazonSNSFullAccess \
  --role-name ServiceCataloglogLaunchConstraintRole
aws iam detach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSCloudFormationFullAccess \
  --role-name ServiceCataloglogLaunchConstraintRole
# Remove the inline s3:GetObject policy added during setup
aws iam delete-role-policy \
  --role-name ServiceCataloglogLaunchConstraintRole \
  --policy-name <inline-policy-name>
aws iam delete-role --role-name ServiceCataloglogLaunchConstraintRole
aws iam detach-role-policy \
  --policy-arn arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess \
  --role-name codebuild-servicecatalog-admin-role
aws iam delete-role --role-name codebuild-servicecatalog-admin-role
```
- Delete the CloudFormation stack for the Enterprise Blueprint Factory. For instructions, see Delete a stack from the CloudFormation console or Delete a stack from the AWS CLI.
- Delete the Amazon S3 bucket that is used to store the CodePipeline artifacts. For instructions, see Deleting a bucket in the Amazon S3 documentation.
- Delete the following Systems Manager parameters from Parameter Store:
  - /blueprints/resources/vpc_id
  - /blueprints/resources/subnets
  - /blueprints/resources/securitygroups
  - /blueprints/resources/artifacts-bucket-name
  - /blueprints/resources/BlueprintRepo
  - /blueprints/resources/CodeRepo
  - /blueprints/resources/ConfigRepo
  For instructions, see Deleting parameters from Parameter Store in the Systems Manager documentation.