update for AppRegistry. Updated templates and Reamdme to remove endus…

…er users and groups

AppRegistry/README.md

@@ -0,0 +1,24 @@
+# AWS Service Catalog AppRegistry reference architecture
+
+This reference architecture creates an AWS Service Catalog AppRegistry Application and Attribute group. 
+For an example of how to automatically associatge AWS Service Catalog products with AppRegistry see this [sample EC2 template with AppRegistry](https://github.com/aws-samples/aws-service-catalog-reference-architectures/blob/master/ec2/sc-ec2-linux-nginx-nokey-appreg.json).
+
+###Try this in your account:
+1. Launch the AppRegistry stack below
+2. Add the [sample EC2 template with AppRegistry](https://github.com/aws-samples/aws-service-catalog-reference-architectures/blob/master/ec2/sc-ec2-linux-nginx-nokey-appreg.json) as a version or product in AWS Service Catalog.
+3. Provision the EC2 product from [AWS Service Catalog](https://console.aws.amazon.com/servicecatalog/#products).
+4. Review the associated resources in AppRegistry found in the [AWS Service Catalog console](https://console.aws.amazon.com/servicecatalog/#applications/).
+
+
+[Admin Guide](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/appregistry.html)
+
+
+See how to create and query an AWS Service Catalog AppRegistry Application with CLI: 
+[Increase application visibility and governance using AWS Service Catalog AppRegistry](https://aws.amazon.com/blogs/mt/increase-application-visibility-governance-using-aws-service-catalog-appregistry/)
+
+
+### Install  
+Launch the AppRegistry stack:  
+[![CreateStack](https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png)](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=SC-RA-AppRegistryExample&templateURL=https://s3.amazonaws.com/aws-service-catalog-reference-architectures/AppRegistry/sc-appreg-example.json)  
+
+

AppRegistry/sc-appreg-example.json

@@ -0,0 +1,65 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Description": "AppRegistry sample appplicaiton and attribute group",    
+    "Parameters": {
+        "ApplicationName": {
+            "Description": "Name for your AppRegistry Applicaiton",
+            "Type": "String",
+            "Default": "myapplication"
+        },
+		"ApplicationDescription": {
+            "Description": "Description for your AppRegistry Applicaiton",
+            "Type": "String",
+            "Default": "this is a sample application"
+        },
+		"AttributeGroupName": {
+            "Description": "Name for your AppRegistry AttributeGroup",
+            "Type": "String",
+            "Default": "SampleApplication_businessServices"			
+        },		
+		"AttributeGroupDescription": {
+            "Description": "Description for your AppRegistry AttributeGroup",
+            "Type": "String",
+            "Default": "Sample Application business Services and runtime information"			
+        }
+    },
+    "Resources": {
+		"AppRegApplication":{
+		  "Type" : "AWS::ServiceCatalogAppRegistry::Application",
+		  "Properties" : {
+			  "Description" : {"Ref":"ApplicationDescription"},
+			  "Name" : {"Ref":"ApplicationName"},
+			  "Tags" : {"TeamOwner" : "Supplychain-devteam-blue"}			   
+			}
+		},
+		"AppRegAttributeGroup":{
+		  "Type" : "AWS::ServiceCatalogAppRegistry::AttributeGroup",
+		  "Properties" : {
+			  "Description" : {"Ref":"AttributeGroupDescription"},
+			  "Name" : {"Ref":"AttributeGroupName"},
+			  "Attributes": {"K8":{"helmName":"myhelm","version":"1.0"},"Team":"Supplychain","app-type":"processing","SLA":"1h","Runtime":"Python-3.8","Compliance":["SOC-1","ISO-27018"]}
+			}
+		},
+		"AppRegAttributeGroupAssoc":{
+		  "Type" : "AWS::ServiceCatalogAppRegistry::AttributeGroupAssociation",
+		  "Properties" : {
+			  "Application" : {"Ref":"AppRegApplication"},
+			  "AttributeGroup" : {"Ref":"AppRegAttributeGroup"}
+			}
+		}
+    },
+    "Outputs": {        
+        "ApplicationId": {
+            "Value": {
+                "Fn::GetAtt": ["AppRegApplication","Id"]
+            },
+			"Export" : { "Name" : {"Fn::Sub": "AppRegApplication-Id" }}
+        },
+        "AttributeGroupId": {
+            "Value": {
+                "Fn::GetAtt": ["AppRegAttributeGroup","Id"]
+            }
+        }
+
+    }
+}

README.md

@@ -45,8 +45,7 @@ For example, the EC2 portfolio would be:
     * The VPC and EC2 portfolios share the _SCEC2LaunchRole_; if you have already run a VPC or EC2 portfolio template, you should use the _LaunchRoleName_ output value of the first in the second's input.  If you leave it blank you will get a role already exists error.  
     * All other templates create their own launchconstraint role, you should leave the _LaunchRoleName_ blank unless you are using a pre-existing role which you have setup separately.
 5. Set the _LinkedRole1_ and _LinkedRole2_ parameters to any additional end user roles you may want to link to the Portfolio.
-6. Set the _CreateEndUsers_ parameter to No if you have already run a Portfolio stack from this repo (ServiceCatalogEndusers already exists).
-7. Change the _RepoRootURL_ parameter to your bucket's root url:  
+6. Change the _RepoRootURL_ parameter to your bucket's root url:  
   ```https://s3.amazonaws.com/[YOUR-BUCKET-NAME-HERE]/```  
 
 ### AWS Service Catalog Product Launch  

codepipeline/buildspec.yml

@@ -9,7 +9,7 @@ phases:
             - /bin/bash codepipeline/run-pipelineupdate.sh
             # - /bin/bash codepipeline/run-cloudformationupdate.sh
             - aws cloudformation update-stack-set --stack-set-name SC-IAC-automated-IAMroles  --parameters "[{\"ParameterKey\":\"RepoRootURL\",\"ParameterValue\":\"https://$DEPLOY_BUCKET.s3.amazonaws.com/\"}]" --template-url "https://$DEPLOY_BUCKET.s3.amazonaws.com/iam/sc-demosetup-iam.json" --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
-            - aws cloudformation update-stack-set --stack-set-name SC-IAC-automated-portfolio --parameters "[{\"ParameterKey\":\"LinkedRole2\",\"UsePreviousValue\":true},{\"ParameterKey\":\"LinkedRole1\",\"UsePreviousValue\":true},{\"ParameterKey\":\"CreateEndUsers\",\"UsePreviousValue\":true},{\"ParameterKey\":\"LaunchRoleName\",\"UsePreviousValue\":true},{\"ParameterKey\":\"RepoRootURL\",\"ParameterValue\":\"https://$DEPLOY_BUCKET.s3.amazonaws.com/\"}]" --template-url "https://$DEPLOY_BUCKET.s3.amazonaws.com/ec2/sc-portfolio-ec2demo.json" --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
+            - aws cloudformation update-stack-set --stack-set-name SC-IAC-automated-portfolio --parameters "[{\"ParameterKey\":\"LinkedRole2\",\"UsePreviousValue\":true},{\"ParameterKey\":\"LinkedRole1\",\"UsePreviousValue\":true},{\"ParameterKey\":\"LaunchRoleName\",\"UsePreviousValue\":true},{\"ParameterKey\":\"RepoRootURL\",\"ParameterValue\":\"https://$DEPLOY_BUCKET.s3.amazonaws.com/\"}]" --template-url "https://$DEPLOY_BUCKET.s3.amazonaws.com/ec2/sc-portfolio-ec2demo.json" --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
     post_build:
         commands:
             - echo "Deploy complete"

codepipeline/ct_install_multi.sh

@@ -71,7 +71,7 @@ SSROLEOPID=$(aws cloudformation create-stack-instances --stack-set-name SC-IAC-a
 check_stackset_status SC-IAC-automated-IAMroles $SSROLEOPID
 
 echo "creating the ServiceCatalog Portfolio StackSet"
-aws cloudformation create-stack-set --stack-set-name SC-IAC-automated-portfolio --parameters "[{\"ParameterKey\":\"PortfolioName\",\"ParameterValue\":\"SC-RA\"},{\"ParameterKey\":\"LinkedRole1\",\"ParameterValue\":\"$LinkedRole1\"},{\"ParameterKey\":\"LinkedRole2\",\"ParameterValue\":\"\"},{\"ParameterKey\":\"LaunchRoleName\",\"ParameterValue\":\"SCEC2LaunchRole\"},{\"ParameterKey\":\"RepoRootURL\",\"ParameterValue\":\"$S3RootURL/\"},{\"ParameterKey\":\"CreateEndUsers\",\"ParameterValue\":\"No\"}]" --template-url "$S3RootURL/ec2/sc-portfolio-ec2demo.json" --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
+aws cloudformation create-stack-set --stack-set-name SC-IAC-automated-portfolio --parameters "[{\"ParameterKey\":\"PortfolioName\",\"ParameterValue\":\"SC-RA\"},{\"ParameterKey\":\"LinkedRole1\",\"ParameterValue\":\"$LinkedRole1\"},{\"ParameterKey\":\"LinkedRole2\",\"ParameterValue\":\"\"},{\"ParameterKey\":\"LaunchRoleName\",\"ParameterValue\":\"SCEC2LaunchRole\"},{\"ParameterKey\":\"RepoRootURL\",\"ParameterValue\":\"$S3RootURL/\"}]" --template-url "$S3RootURL/ec2/sc-portfolio-ec2demo.json" --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
 SSROLEOPID=$(aws cloudformation create-stack-instances --stack-set-name SC-IAC-automated-portfolio --regions $allregions --accounts $allACC --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=${allACCCount} | jq '.OperationId' | tr -d '"')
 
 check_stackset_status SC-IAC-automated-portfolio $SSROLEOPID

codepipeline/install.sh

@@ -40,7 +40,7 @@ until [ "$STATUS" = "SUCCEEDED" ]; do
 done
 
 echo "creating the ServiceCatalog Portfolio StackSet"
-aws cloudformation create-stack-set --stack-set-name SC-IAC-automated-portfolio --parameters "[{\"ParameterKey\":\"CreateEndUsers\",\"ParameterValue\":\"No\"},{\"ParameterKey\":\"LinkedRole1\",\"ParameterValue\":\"$LinkedRole1\"},{\"ParameterKey\":\"LinkedRole2\",\"ParameterValue\":\"\"},{\"ParameterKey\":\"LaunchRoleName\",\"ParameterValue\":\"SCEC2LaunchRole\"},{\"ParameterKey\":\"RepoRootURL\",\"ParameterValue\":\"$S3RootURL/\"}]" --template-url "$S3RootURL/ec2/sc-portfolio-ec2demo.json" --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
+aws cloudformation create-stack-set --stack-set-name SC-IAC-automated-portfolio --parameters "[{\"ParameterKey\":\"LinkedRole1\",\"ParameterValue\":\"$LinkedRole1\"},{\"ParameterKey\":\"LinkedRole2\",\"ParameterValue\":\"\"},{\"ParameterKey\":\"LaunchRoleName\",\"ParameterValue\":\"SCEC2LaunchRole\"},{\"ParameterKey\":\"RepoRootURL\",\"ParameterValue\":\"$S3RootURL/\"}]" --template-url "$S3RootURL/ec2/sc-portfolio-ec2demo.json" --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
 aws cloudformation create-stack-instances --stack-set-name SC-IAC-automated-portfolio --regions $allregions --accounts $ACC --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=3
 
 date

codepipeline/run-cloudformationupdate.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 echo "Using Account:$ACCID  Region:$AWS_DEFAULT_REGION"
 ACCID=$(aws sts get-caller-identity --query 'Account' | tr -d '"')
-ESTR=$((aws cloudformation update-stack --stack-name SC-IAC-automated-portfolio --parameters "[{\"ParameterKey\":\"CreateEndUsers\",\"UsePreviousValue\":true},{\"ParameterKey\":\"LinkedRole2\",\"UsePreviousValue\":true},{\"ParameterKey\":\"LinkedRole1\",\"UsePreviousValue\":true},{\"ParameterKey\":\"LaunchRoleName\",\"UsePreviousValue\":true},{\"ParameterKey\":\"CreateEndUsers\",\"UsePreviousValue\":true},{\"ParameterKey\":\"RepoRootURL\",\"ParameterValue\":\"https://$DEPLOY_BUCKET.s3.amazonaws.com/\"}]" --template-url "https://$DEPLOY_BUCKET.s3.amazonaws.com/ec2/sc-portfolio-ec2demo.json") 2>&1)
+ESTR=$((aws cloudformation update-stack --stack-name SC-IAC-automated-portfolio --parameters "[{\"ParameterKey\":\"LinkedRole2\",\"UsePreviousValue\":true},{\"ParameterKey\":\"LinkedRole1\",\"UsePreviousValue\":true},{\"ParameterKey\":\"LaunchRoleName\",\"UsePreviousValue\":true},{\"ParameterKey\":\"RepoRootURL\",\"ParameterValue\":\"https://$DEPLOY_BUCKET.s3.amazonaws.com/\"}]" --template-url "https://$DEPLOY_BUCKET.s3.amazonaws.com/ec2/sc-portfolio-ec2demo.json") 2>&1)
 ECODE=$?
 if [[ "$ECODE" -eq "255" && "$ESTR" =~ .(No updates are to be performed\.)$ ]]
 then 

codepipeline/sc-codepipeline-ra.json

@@ -218,9 +218,7 @@
                                     {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/${AWS::StackName}-CodeBuildRole-*"},
                                     {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/SC-RA-IACPipeline-*"},
                                     {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/tcat-tag-*"},
-                                    {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:instance-profile/tcat-tag-*"},
-                                    {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:group/ServiceCatalogEndusers"},
-                                    {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/ServiceCatalogEndusers"}
+                                    {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:instance-profile/tcat-tag-*"}
                                 ]
                             }
                         ]

dynamodb/README.md

@@ -8,17 +8,3 @@ This reference architecture creates an AWS Service Catalog Portfolio called
 ### Install  
 Launch the DynamoDB portfolio stack:  
 [![CreateStack](https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png)](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=SC-RA-DynamoDBPortfolio&templateURL=https://s3.amazonaws.com/aws-service-catalog-reference-architectures/dynamodb/sc-portfolio-dynamodb.yml)
-
-
-### Install from your own S3 bucket  
-1. clone this git repo:  
-  ```git clone [email protected]:aws-samples/aws-service-catalog-reference-architectures.git```  
-2. Copy everything in the repo to an S3 bucket:  
-  ```cd aws-service-catalog-reference-architectures```  
-  ```aws s3 cp . s3://[YOUR-BUCKET-NAME-HERE] --exclude "*" --include "*.json" --include "*.yml" --recursive```  
-3. In the AWS [CloudFormation console](https://console.aws.amazon.com/cloudformation) choose "Create Stack" and supply the Portfolio S3 url:  
-  ```https://s3.amazonaws.com/[YOUR-BUCKET-NAME-HERE]/dynamodb/sc-portfolio-dynamodb.yml```  
-5. Set the _LinkedRole1_ parameter to any additional end user role you may want to link to the Portfolio.
-6. Set the _CreateEndUsers_ parameter to No if you have already run a Portfolio stack from this repo (ServiceCatalogEndusers already exists).
-7. Change the _RepoRootURL_ parameter to your bucket's root url:  
-  ```https://s3.amazonaws.com/[YOUR-BUCKET-NAME-HERE]/``` 

dynamodb/sc-portfolio-dynamodb.yml

@@ -25,22 +25,12 @@ Parameters:
     Type: String
     Description: Root url for the repo containing the product templates
     Default: https://s3.amazonaws.com/aws-service-catalog-reference-architectures/
-  CreateEndUsersGroup:
-    Type: String
-    Description: Select Yes to Create the ServiceCatalogEndusers IAM group. No if you have already created the group
-    AllowedValues:
-      - Yes
-      - No
-    Default: No
 
 Conditions:
   CreateLaunchConstraint: !Equals [!Ref LaunchRoleName, ""]
   CondLinkRole: !Not
     - !Equals [!Ref LinkedRole, ""]
-  CondCreateEndUsersGroup: !Equals
-    - !Ref CreateEndUsersGroup
-    - Yes
-
+
 Resources:
   SCDynamoDBportfolio:
     Type: AWS::ServiceCatalog::Portfolio
@@ -57,29 +47,6 @@ Resources:
       PortfolioId: !Ref SCDynamoDBportfolio
       PrincipalType: IAM
 
-  StackServiceCatalogEndusers:
-    Type: AWS::CloudFormation::Stack
-    Condition: CondCreateEndUsersGroup
-    Properties:
-      TemplateURL: !Sub ${RepoRootURL}iam/sc-enduser-iam.yml
-      TimeoutInMinutes: 5
-
-  LinkEndusersRole:
-    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
-    Condition: CondCreateEndUsersGroup
-    Properties:
-      PrincipalARN: !GetAtt ["StackServiceCatalogEndusers", "Outputs.EndUserRoleArn"]
-      PortfolioId: !Ref SCDynamoDBportfolio
-      PrincipalType: IAM
-
-  LinkEndusersGroup:
-    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
-    Condition: CondCreateEndUsersGroup
-    Properties:
-      PrincipalARN: !GetAtt ["StackServiceCatalogEndusers", "Outputs.EndUserGroupArn"]
-      PortfolioId: !Ref SCDynamoDBportfolio
-      PrincipalType: "IAM"
-
   LaunchConstraintRole:
     Type: AWS::CloudFormation::Stack
     Condition: CreateLaunchConstraint

ec2/README.md

@@ -16,20 +16,6 @@ Launch the EC2 portfolio stack:
 Be aware, running this service as demonstrated here is non-SSL http.  In production you must protect all web traffic with SSL.  
 The example templates here cannot create and manage SSL for you, so it must be done as an additional task in your account.
 
-### Install from your own S3 bucket  
-1. clone this git repo:  
-  ```git clone [email protected]:aws-samples/aws-service-catalog-reference-architectures.git```  
-2. Copy everything in the repo to an S3 bucket:  
-  ```cd aws-service-catalog-reference-architectures```  
-  ```aws s3 cp . s3://[YOUR-BUCKET-NAME-HERE] --exclude "*" --include "*.json" --include "*.yml" --recursive```  
-3. In the AWS [CloudFormation console](https://console.aws.amazon.com/cloudformation) choose "Create Stack" and supply the Portfolio S3 url:  
-  ```https://s3.amazonaws.com/[YOUR-BUCKET-NAME-HERE]/ec2/sc-portfolio-ec2.json```  
-4. If this is the first portfolio you are creating, then leave _LaunchRoleName_ blank to allow CloudFormation to create the launchconstraint role for you.  
-    * If you have already run the VPC template, then you will put the _output.LaunchRoleName_ from the completed LaunchConstraintRole stack in the _LaunchRoleName_ field (default is SCEC2LaunchRole).  
-5. Set the _LinkedRole1_ and _LinkedRole2_ parameters to any additional end user roles you may want to link to the Portfolio.
-6. Set the _CreateEndUsers_ parameter to No if you have already run a Portfolio stack from this repo (ServiceCatalogEndusers already exists).
-7. Change the _RepoRootURL_ parameter to your bucket's root url:  
-  ```https://s3.amazonaws.com/[YOUR-BUCKET-NAME-HERE]/``` 
 
 ### EC2 Architecture with Amazon Linux and Microsoft Windows instances