AWSTemplateFormatVersion: 2010-09-09 Description: Baseline ServiceCatalog Portfolio Resources: #portfolio creation BaselinePortfolio: Type: "AWS::ServiceCatalog::Portfolio" Properties: DisplayName: "BaselinePortfolio" AcceptLanguage: "en" Description: "A portfolio of self-service AWS products." ProviderName: "IT" #products creation # you can find samples templates on https://github.com/aws-samples/aws-service-catalog-reference-architectures Workspaces: Type: "AWS::ServiceCatalog::CloudFormationProduct" Properties: AcceptLanguage: "en" Description: "This product create a Workspace station" Distributor: "Amazon" Name: "Workspace" Owner: "IT Services" SupportEmail: "support@octank.edu.br" SupportUrl: "https://www.amazon.com" SupportDescription: "Support Description" ProvisioningArtifactParameters: - Description: "Workspace Cloudformation Template" Name: "Workspace Template" Info: # CHANGE THE S3 BUCKET HERE LoadTemplateFromURL : "https://s3.amazonaws.com/##S3VendingMachineTemplatesBucket##/workspaces-sc-template.yaml" WorkspacesAssociation: Type: "AWS::ServiceCatalog::PortfolioProductAssociation" Properties: ProductId: !Ref Workspaces PortfolioId: !Ref BaselinePortfolio # IAM group with access on portfolio to run the products provisioning EngineeringGroup: Type: "AWS::IAM::Group" Properties: ManagedPolicyArns: - arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess BaselinePortfolioPrincipalAssociation: Type: "AWS::ServiceCatalog::PortfolioPrincipalAssociation" Properties: PortfolioId: !Ref BaselinePortfolio PrincipalARN: !GetAtt EngineeringGroup.Arn PrincipalType: "IAM" BaselinePortfolioAWSStackSetExecutionRoleAssociation: Type: "AWS::ServiceCatalog::PortfolioPrincipalAssociation" Properties: PortfolioId: !Ref BaselinePortfolio PrincipalARN: !Sub "arn:aws:iam::${AWS::AccountId}:role/AWSCloudFormationStackSetExecutionRole" PrincipalType: "IAM" WorkspacesBaselineLaunchConstraint: Type: "AWS::ServiceCatalog::LaunchRoleConstraint" Properties: Description: "Allows the product to launch with the policies granted by the associated role." PortfolioId: !Ref BaselinePortfolio ProductId: !Ref Workspaces RoleArn: !GetAtt LaunchConstraintRole.Arn DependsOn: WorkspacesAssociation #constraint role with SC permission to provisioning AWS services LaunchConstraintRole: Type: "AWS::IAM::Role" Properties: Path: "/" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: "servicecatalog.amazonaws.com" Action: "sts:AssumeRole" Policies: - PolicyName: "AllowProductLaunch" PolicyDocument: Version: 2012-10-17 Statement: - Resource: '*' Effect: "Allow" Action: # Permissions required for the provisioning the products - 'workspaces:AssociateConnectionAlias' - 'workspaces:AssociateIpGroups' - 'workspaces:AuthorizeIpRules' - 'workspaces:CopyWorkspaceImage' - 'workspaces:CreateConnectionAlias' - 'workspaces:CreateIpGroup' - 'workspaces:CreateTags' - 'workspaces:CreateUpdatedWorkspaceImage' - 'workspaces:CreateWorkspaceBundle' - 'workspaces:CreateWorkspaces' - 'workspaces:DeleteTags' - 'workspaces:DeregisterWorkspaceDirectory' - 'workspaces:DescribeAccount' - 'workspaces:DescribeAccountModifications' - 'workspaces:DescribeClientProperties' - 'workspaces:DescribeConnectionAliasPermissions' - 'workspaces:DescribeConnectionAliases' - 'workspaces:DescribeIpGroups' - 'workspaces:DescribeTags' - 'workspaces:DescribeWorkspaceBundles' - 'workspaces:DescribeWorkspaceDirectories' - 'workspaces:DescribeWorkspaceImagePermissions' - 'workspaces:DescribeWorkspaceImages' - 'workspaces:DescribeWorkspaceSnapshots' - 'workspaces:DescribeWorkspaces' - 'workspaces:DescribeWorkspacesConnectionStatus' - 'workspaces:DisassociateConnectionAlias' - 'workspaces:DisassociateIpGroups' - 'workspaces:ImportWorkspaceImage' - 'workspaces:ListAvailableManagementCidrRanges' - 'workspaces:MigrateWorkspace' - 'workspaces:ModifyAccount' - 'workspaces:ModifyClientProperties' - 'workspaces:ModifySelfservicePermissions' - 'workspaces:ModifyWorkspaceAccessProperties' - 'workspaces:ModifyWorkspaceCreationProperties' - 'workspaces:ModifyWorkspaceProperties' - 'workspaces:ModifyWorkspaceState' - 'workspaces:RebootWorkspaces' - 'workspaces:RebuildWorkspaces' - 'workspaces:RegisterWorkspaceDirectory' - 'workspaces:RestoreWorkspace' - 'workspaces:RevokeIpRules' - 'workspaces:StartWorkspaces' - 'workspaces:StopWorkspaces' - 'workspaces:TerminateWorkspaces' - 'workspaces:UpdateConnectionAliasPermission' - 'workspaces:UpdateRulesOfIpGroup' - 'workspaces:UpdateWorkspaceBundle' - 'workspaces:UpdateWorkspaceImagePermission' - Resource: - "arn:aws:cloudformation:*:*:stack/SC-*" - "arn:aws:cloudformation:*:*:changeSet/SC-*" Effect: "Allow" Action: # Permissions required by AWS Service Catalog to create stack - cloudformation:CreateStack - cloudformation:DeleteStack - cloudformation:DescribeStackEvents - cloudformation:DescribeStacks - cloudformation:SetStackPolicy - cloudformation:ValidateTemplate - cloudformation:UpdateStack WorkspaceCreatedLaunchNotification: Type: "AWS::ServiceCatalog::LaunchNotificationConstraint" Properties: Description: "Publishes notifications when a Workspace is provisioned." NotificationArns: - !Ref EngineeringCreatedTopic PortfolioId: !Ref BaselinePortfolio ProductId: !Ref Workspaces DependsOn: WorkspacesAssociation