Copy AWS Service Catalog products across different AWS accounts and AWS Regions - AWS Prescriptive Guidance

Copy AWS Service Catalog products across different AWS accounts and AWS Regions

Created by Sachin Vighe (AWS) and Santosh Kale (AWS)

Environment: Production

Technologies: Management & governance; Serverless

Workload: All other workloads

AWS services: AWS Service Catalog; AWS Lambda

Summary

AWS Service Catalog is a Regional service, which means that AWS Service Catalog portfolios and products are visible only in the AWS Region where they are created. If you set up an AWS Service Catalog hub in a new Region, you must recreate your existing products, which can be a time-consuming process.

This pattern simplifies that process by describing how to copy products from an AWS Service Catalog hub in a source AWS account or Region to a new hub in a destination account or Region. For more information about the AWS Service Catalog hub and spoke model, see "AWS Service Catalog hub and spoke model: How to automate the deployment and management of AWS Service Catalog to many accounts" on the AWS Management and Governance Blog.

The pattern also provides the separate code packages required to copy AWS Service Catalog products across accounts or to other Regions. By using this pattern, your organization can save time, make existing and previous product versions available in a new AWS Service Catalog hub, minimize the risk of manual errors, and scale the approach across multiple accounts or Regions.

Note: This pattern's Epics section provides two options for copying products. You can use Option 1 to copy products across accounts or choose Option 2 to copy products across Regions.

Prerequisites and limitations

Prerequisites 

  • An active AWS account.

  • Existing AWS Service Catalog products in a source account or Region.

  • An existing AWS Service Catalog hub in a destination account or Region.

  • If you want to copy products across accounts, you must share and then import the AWS Service Catalog portfolio containing the products into your destination account. For more information about this, see Sharing and importing portfolios in the AWS Service Catalog documentation.

Limitations 

  • AWS Service Catalog products that you want to copy across Regions or accounts cannot belong to more than one portfolio.

Architecture

The following diagram shows the copying of AWS Service Catalog products from a source account to a destination account.

The following diagram shows the copying of AWS Service Catalog products from a source Region to a destination Region.

[Diagram: a cross-account role in Region 1, and a Lambda execution role and a Lambda function in Region 2. Products are copied by using the Lambda scProductCopy function in Region 2.]

Technology stack  

  • Amazon CloudWatch

  • AWS Identity and Access Management (IAM)

  • AWS Lambda

  • AWS Service Catalog

Automation and scale

You can scale this pattern’s approach by using a Lambda function that can be scaled depending on the number of requests received or how many AWS Service Catalog products you need to copy. For more information about this, see Lambda function scaling in the AWS Lambda documentation.

Tools

  • AWS Command Line Interface (AWS CLI) is an open-source tool that helps you interact with AWS services through commands in your command-line shell.

  • AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.

  • AWS Lambda is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.

  • AWS Service Catalog helps you centrally manage catalogs of IT services that are approved for AWS. End users can quickly deploy only the approved IT services they need, following the constraints set by your organization.

Code

You can use the cross-account-copy package (attached) to copy AWS Service Catalog products across accounts, or the cross-region-copy package (attached) to copy products across Regions.

The cross-account-copy package contains the following files:

  • copyconf.properties – The configuration file that contains the Region and AWS account ID parameters for copying products across accounts.

  • scProductCopyLambda.py – The Python function for copying products across accounts.

  • createDestAccountRole.sh – The script to create an IAM role in the destination account.

  • createSrcAccountRole.sh – The script to create an IAM role in the source account.

  • copyProduct.sh – The script to create and invoke the Lambda function for copying products across accounts.

The cross-region-copy package contains the following files:

  • copyconf.properties – The configuration file that contains the Region and AWS account ID parameters for copying products across Regions.

  • scProductCopyLambda.py – The Python function for copying products across Regions.

  • copyProduct.sh – The script to create an IAM role and create and invoke the Lambda function for copying products across Regions.

Epics

Option 1: Copy products across accounts

Task | Description | Skills required

Update the configuration file.

  1. Download the cross-account-copy package (attached) to your local machine.

  2. Update the copyconf.properties configuration file with the following values:

    • srcRegion – Provide the source Region that contains the products.

    • destRegion – Provide the destination Region for the products.

    • sourceAccountId – Provide the AWS account ID for your source account.

    • destAccountId – Provide the AWS account ID for your destination account.

Skills required: AWS administrator, AWS systems administrator, Cloud administrator

Configure your credentials for AWS CLI in the destination account.

Configure your credentials to access AWS CLI in your destination account by running the aws configure command and providing the following values:

    $ aws configure
    AWS Access Key ID [None]: <your_access_key_id>
    AWS Secret Access Key [None]: <your_secret_access_key>
    Default region name [None]: Region
    Default output format [None]:

For more information about this, see Configuration basics in the AWS Command Line Interface documentation. 

Skills required: AWS administrator, AWS systems administrator, Cloud administrator

Configure your credentials for AWS CLI in the source account.

Configure your credentials to access AWS CLI in your source account by running the aws configure command and providing the following values:

    $ aws configure
    AWS Access Key ID [None]: <your_access_key_id>
    AWS Secret Access Key [None]: <your_secret_access_key>
    Default region name [None]: Region
    Default output format [None]:

For more information about this, see Configuration basics in the AWS Command Line Interface documentation. 

Skills required: AWS administrator, AWS systems administrator, Cloud administrator

Create a Lambda execution role in your destination account.

Run the createDestAccountRole.sh script in your destination account. The script implements the following actions:

  • Creates a Lambda execution role in your destination account

  • Creates and attaches the IAM policy for the Lambda execution role 

Skills required: AWS administrator, AWS systems administrator, Cloud administrator

Create the cross-account IAM role in your source account.

Run the createSrcAccountRole.sh script in your source account. The script implements the following actions:

  • Creates a cross-account IAM role in your source account that is assumed by the Lambda execution role in the destination account to copy products

  • Creates and attaches an IAM policy for the cross-account role in your source account

Skills required: AWS administrator, AWS systems administrator, Cloud administrator

Run the copyProduct script in the destination account.

Run the copyProduct.sh script in your destination account. The script implements the following actions:

  • Creates and invokes the Lambda function to copy products from the source account to the destination account

Skills required: AWS administrator, AWS systems administrator, Cloud administrator
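
The cross-account role created in the source account is the trust boundary between the two accounts. As an added example (not the contents of the attached scripts), the following Python builds a trust policy that names only the destination Lambda execution role and audits a policy for broader principals. The key=value layout of copyconf.properties and the role name scProductCopyLambdaRole are assumptions.

```python
import re
ACCOUNT_ID = re.compile(r"^\d{12}$")
# Constructed sample; the key=value layout and the role name are assumptions.
SAMPLE_CONF = """srcRegion=us-east-1
destRegion=us-east-1
sourceAccountId=111111111111
destAccountId=222222222222
"""
EXEC_ROLE = "scProductCopyLambdaRole"  # hypothetical role name

def parse_copyconf(text):
    """Parse copyconf.properties text and validate both account IDs."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            conf[key.strip()] = value.strip()
    for key in ("sourceAccountId", "destAccountId"):
        if not ACCOUNT_ID.match(conf.get(key, "")):
            raise ValueError(f"{key} must be a 12-digit AWS account ID")
    return conf

def expected_principal(conf, role_name=EXEC_ROLE):
    return f"arn:aws:iam::{conf['destAccountId']}:role/{role_name}"

def build_trust_policy(conf, role_name=EXEC_ROLE):
    """Trust only the destination Lambda execution role, not the account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": expected_principal(conf, role_name)},
        "Action": "sts:AssumeRole",
    }]}

def audit_trust_policy(policy, conf, role_name=EXEC_ROLE):
    """Return findings for any allowed principal broader than that role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        for arn in ([aws] if isinstance(aws, str) else aws):
            if arn == "*":
                findings.append("wildcard principal")
            elif arn.endswith(":root") or ACCOUNT_ID.match(arn):
                findings.append(f"whole account trusted: {arn}")
            elif arn != expected_principal(conf, role_name):
                findings.append(f"unexpected principal: {arn}")
    return findings
```

IAM validates a role ARN used as a principal when the trust policy is saved, so the execution role has to exist first, which matches the task order above.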

Option 2: Copy products across Regions

Task | Description | Skills required

Update the configuration file.

  1. Download the cross-region-copy package (attached) to your local machine.

  2. Update the copyconf.properties configuration file with the following values:

    • srcRegion – Provide the source Region that contains the products.

    • destRegion – Provide the destination Region for the products.

    • accountId – Provide your AWS account ID.

Skills required: AWS systems administrator, Cloud administrator, AWS administrator

Configure your credentials for AWS CLI.

Configure your credentials to access AWS CLI in your environment by running the aws configure command and providing the following values:

    $ aws configure
    AWS Access Key ID [None]: <your_access_key_id>
    AWS Secret Access Key [None]: <your_secret_access_key>
    Default region name [None]: Region
    Default output format [None]:

For more information about this, see Configuration basics in the AWS Command Line Interface documentation. 

Skills required: AWS administrator, AWS systems administrator, Cloud administrator

Run the copyProduct script.

Run the copyProduct.sh script in your destination Region. The script implements the following actions:

  • Creates a Lambda execution role

  • Creates and attaches the IAM policy for the Lambda execution role

  • Creates and invokes the Lambda function to copy products from the source Region to the destination Region

Skills required: AWS administrator, AWS systems administrator, Cloud administrator
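
The copy step that the Lambda function performs in both options can be expressed with the Service Catalog CopyProduct API. The following is an added example, not the attached scProductCopyLambda.py; it assumes boto3 servicecatalog clients are passed in (in Option 1 the source client is created from the cross-account role's credentials) and it skips products that break the one-portfolio limitation.

```python
import time
import uuid

def copy_portfolio_products(src_sc, dest_sc, portfolio_id, polls=30, wait=2.0):
    """Copy each product in one source portfolio; return {product_id: status}.

    Assumption: src_sc and dest_sc are boto3 "servicecatalog" clients for the
    source and destination account or Region.
    """
    results, page = {}, {}
    while True:
        kwargs = {"PortfolioId": portfolio_id}
        if page.get("NextPageToken"):
            kwargs["PageToken"] = page["NextPageToken"]
        page = src_sc.search_products_as_admin(**kwargs)
        for detail in page["ProductViewDetails"]:
            pid = detail["ProductViewSummary"]["ProductId"]
            owners = src_sc.list_portfolios_for_product(ProductId=pid)
            if len(owners["PortfolioDetails"]) > 1:
                # Limitation stated on this page: one portfolio per product.
                results[pid] = "SKIPPED_MULTIPLE_PORTFOLIOS"
                continue
            # Deterministic token so a retried invocation reuses the same key.
            token = str(uuid.uuid5(uuid.NAMESPACE_URL, detail["ProductARN"]))
            copy = dest_sc.copy_product(SourceProductArn=detail["ProductARN"],
                                        CopyOptions=["CopyTags"],
                                        IdempotencyToken=token)
            results[pid] = wait_for_copy(dest_sc, copy["CopyProductToken"],
                                         polls, wait)
        if not page.get("NextPageToken"):
            return results

def wait_for_copy(dest_sc, copy_token, polls, wait):
    """Poll the asynchronous copy until it leaves IN_PROGRESS or times out."""
    for _ in range(polls):
        status = dest_sc.describe_copy_product_status(CopyProductToken=copy_token)
        if status["CopyProductStatus"] != "IN_PROGRESS":
            return status["CopyProductStatus"]
        time.sleep(wait)
    return "TIMED_OUT"
```

Because SourceProvisioningArtifactIdentifiers is omitted, CopyProduct copies all versions of each product.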

Related resources

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip