Using the Enterprise Blueprint Factory
This section helps you create, update, or delete blueprints in your environment. It provides detailed instructions for managing a blueprint throughout its life cycle.
To create or update custom blueprints, you must have an understanding of how to create IaC templates, such as AWS CloudFormation templates or AWS Cloud Development Kit (AWS CDK) constructs. This guide does not include information or instructions about how to define the blueprints that you release through the Enterprise Blueprint Factory.
Prerequisites
The following are the prerequisites for using the Enterprise Blueprint Factory in your AWS environment:
-
AWS Command Line Interface (AWS CLI), installed and configured
-
Permissions to assume the
ServiceCatalogEndUserRoleAWS Identity and Access Management (IAM) role -
An CloudFormation template or AWS CDK construct
Creating a blueprint
The Enterprise Blueprint Factory pipelines deploy the blueprints that you define in
the configuration file. The developer initiates the configuration pipeline by merging
the configuration file into the configuration repository. Then, the Enterprise Blueprint
Factory uses the ServiceCatalogLaunchConstraintRole to deploy the blueprint
as a product in Service Catalog. For more information about the actions that the configuration
pipeline and release pipeline perform when you create a blueprint, see Blueprint creation in this
guide.
To add the blueprint to the product repository
-
Make sure that you have set up your Enterprise Blueprint Factory according to the instructions in Setting up the Enterprise Blueprint Factory in this guide.
-
Confirm that the policy for the
ServiceCataloglogLaunchConstraintRolerole allows you to provision the resources defined in the blueprint. -
In the product repository (
ServiceCatalog-BlueprintProductRepo), create a folder for the new blueprint. -
Paste the IaC template (CloudFormation template or AWS CDK construct) into the folder that you created.
-
Create a file named product_config.json in the folder that you created.
-
Open the product_config.json file, and paste the following into the file:
{ "SchemaVersion": "1.0", "ProductVersionName": "1.0.1", "Deprecated_Versions" : [], "ProductVersionDescription": "<description>", "ProductType": "CLOUD_FORMATION_TEMPLATE", "Properties": { "TemplateFilePath": "./<folder name>/<file name>" } }Where:
-
<description>is a brief description of the blueprint version -
<folder name>is the name of the folder you created in the product repository -
<file name>is the name of the IaC template
Note
You can update the schema version or product version names to match your organization's policies.
-
-
Save and close the product_config.json file.
-
Enter the following commands to merge the changes into the product repository:
cd ServiceCatalog-BlueprintProductRepo git add <folder name>/<file name> <folder name>\product_config.json git commit -m "The first version of <file name> blueprint" git push origin main
To update the configuration file
-
In the configuration repository (
ServiceCatalog-ConfigRepo), open the config.yml file. -
Edit the
portfoliossection andproductssection as needed for the new blueprint. For more information, see Configuration file in this guide. -
Save and close the config.yml file.
-
Enter the following commands to merge the changes into the configuration repository:
cd ServiceCatalog-ConfigRepo git add config.yml git commit -m "<description of change>" git push origin mainApproval of this pull request initiates the configuration pipeline. The configuration pipeline creates a release pipeline for the product.
To review the deployment logs
-
Sign in to the Enterprise Blueprint Factory administrative account.
-
Open the AWS CodePipeline console
. -
In Name, choose the release pipeline for the product. By default, the pipeline name is
BluePrint_<Product-Name>-<CloudFormation-Stack-Name>. -
Choose View history.
-
View the status of the pipeline and stage execution. For more information about the status, see View execution status in the CodePipeline documentation.
-
If the pipeline fails, review the cause of the failure. For instructions about how to configure monitoring for your pipelines, see Monitoring pipelines in the CodePipeline documentation. If the release pipeline failed due to a cfn-lint or cfn_nag check, correct the error in the template. Submit another pull request to the product repo. This restarts the release pipeline. For more information about correcting template errors, see the Troubleshooting section in this guide.
-
Wait until the release pipeline status is
Succeeded.
To validate the deployment
-
Sign in to a consumer account in the organization.
-
Assume the
ServiceCatalogEndUserRoleIAM role. -
Open the Service Catalog console
. -
In the navigation pane, choose Products.
-
Confirm that the new product is available in the list of products.
Updating a blueprint
For more information about the actions that the configuration pipeline and release pipeline perform when you create a blueprint, see Blueprint update in this guide.
To update a blueprint
-
In the product repository, navigate into the folder for the product.
-
Paste the updated IaC template. Make sure that the file name is the same as the previous version.
-
Open the product_config.json file.
-
For
ProductVersionName, update the version number. -
If you want to prevent the previous product version from being deployed in future, for
Deprecated_Versions, enter the previous version numbers in a comma-separated list. -
Enter the following commands to merge the changes into the product repository:
cd ServiceCatalog-BlueprintProductRepo git add <folder name>/<file name> <folder name>\product_config.json git commit -m "Version <number> of <file name> blueprint" git push origin mainApproval of this pull request initiates the release pipeline for the product.
To review the deployment logs
-
Sign in to the Enterprise Blueprint Factory administrative account.
-
Open the AWS CodePipeline console
. -
In Name, choose the release pipeline. By default, the pipeline name is
BluePrint_<Product-Name>-<CloudFormation-Stack-Name>. -
Choose View history.
-
View the status of the pipeline and stage execution. For more information about the status, see View execution status in the CodePipeline documentation.
-
If the pipeline fails, review the cause of the failure. For instructions about how to configure monitoring for your pipelines, see Monitoring pipelines in the CodePipeline documentation. If the release pipeline failed due to a cfn-lint or cfn_nag check, correct the error in the template. Submit another pull request to the product repo. This restarts the release pipeline. For more information about correcting template errors, see the Troubleshooting section in this guide.
-
Wait until the release pipeline status is
Succeeded.
To validate the update
-
Sign in to a consumer account in the organization.
-
Assume the
ServiceCatalogEndUserRoleIAM role. -
Open the Service Catalog console
. -
In the navigation pane, choose Products.
-
Confirm that the new product version is available in the list of products.
Deleting a blueprint
When you delete a product, Service Catalog removes all of product versions from every portfolio that contains the product. For more information, see Deleting products in the Service Catalog documentation. For more information about the actions that the configuration pipeline and release pipeline perform when you create a blueprint, see Blueprint deletion in this guide.
To delete a blueprint
-
In the configuration repository, open the config.yml file.
-
Edit the products section, remove or comment out the product you want to delete.
-
Save and close the config.yml file.
-
Enter the following commands to merge the changes into the configuration repository:
cd ServiceCatalog-ConfigRepo git add config.yml git commit -m "<description of change>" git push origin mainApproval of this pull request initiates the configuration pipeline. The configuration pipeline deletes the product and its release pipeline.
-
In the product repository, delete the folder for the product, including its contents.
-
Enter the following commands to merge the changes into the product repository:
cd ServiceCatalog-BlueprintProductRepo git add . git commit -m "Delete <file name> blueprint" git push origin main
To validate the deletion
-
Sign in to a consumer account in the organization.
-
Assume the
ServiceCatalogEndUserRoleIAM role. -
Open the Service Catalog console
. -
In the navigation pane, choose Products.
-
Confirm that the deleted product is no longer available.
Troubleshooting
When you create or update a blueprint, the cfn-lint and cfn-nag tools validate the blueprint. For more information about validation in the release pipeline, see Release pipeline in this guide. Any reported syntax or security errors cause the pipeline to fail. To successfully deploy the blueprint through the release pipeline, you must correct the errors in the blueprint.
The following is an example output that shows two security-related errors, a failure and a warning.
BP-SNS.yml --------------------------------------------------- BP-SNS.yml --------------------------------------------------- | WARN W47 | | Resource: ["ExampleTopic"] | Line numbers: [5] | | SNS Topic should specify KmsMasterKeyId property --------------------------------------------------- | FAIL F18 | | Resource: ["ExampleTopicPolicy"] | Line numbers: [10] | | SNS topic policy should not allow * principal Failures count: 1 Warnings count: 1
To correct these errors, in the blueprint file, you would replace the *
principal in the Amazon Simple Notification Service (Amazon SNS) topic policy and associate an AWS Key Management Service (AWS KMS) key
with the topic. The following code example demonstrates these updates.
ExampleTopic: Type: AWS::SNS::Topic Properties: TopicName: ExampleTopic ExampleTopicPolicy: Type: AWS::SNS::TopicPolicy Properties: KmsMasterKeyId: alias/aws/sns # Added KMS key PolicyDocument: Id: Id1 Version: '2012-10-17' Statement: - Sid: Sid2 Effect: Allow Principal: "Service" : "s3.amazonaws.com" # Replaced "AWS": '*' Action: 'sns:Publish' Resource: !Ref ExampleTopic Topics: - !Ref ExampleTopic
