Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.1.8. Implementing Infrastructure Patterns & Governance with IaC (Service Catalog, Proton)

Organizations need guardrails that let developers provision infrastructure quickly without violating security, compliance, or cost policies.

AWS Service Catalog lets administrators create portfolios of approved CloudFormation templates (called products). Developers browse a self-service portal and launch products without needing CloudFormation knowledge or broad IAM permissions.

Key concepts:

  • Portfolio: Collection of products shared with specific IAM roles, groups, or OUs
  • Product: A CloudFormation template with versioning
  • Constraints: Launch constraints (IAM role for provisioning), template constraints (override defaults), tag constraints (enforce mandatory tags)

AWS Proton provides managed infrastructure templates for container and serverless workloads. Platform teams define environment templates (VPC, cluster) and service templates (deployment patterns). Developers select a template and provide minimal inputs.

```yaml
# Service Catalog launch constraint (CloudFormation resource; Portfolio and
# Product are logical IDs of resources defined elsewhere in the same template)
Resources:
  LaunchConstraint:
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    Properties:
      # Role that Service Catalog assumes to provision on the user's behalf
      RoleArn: arn:aws:iam::123456789012:role/SCProvisioningRole
      PortfolioId: !Ref Portfolio
      ProductId: !Ref Product
```

Governance patterns:
  • Use SCPs to prevent resource creation outside of Service Catalog
  • Use AWS Config rules to detect resources not provisioned through Service Catalog
  • Use tag policies (Organizations) to enforce mandatory cost-allocation tags

Exam Trap: Without a launch constraint, the end user's IAM permissions provision resources — meaning they'd need ec2:RunInstances, rds:CreateDBInstance, etc. With a launch constraint, the specified role's permissions are used, and the user only needs servicecatalog:ProvisionProduct.
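The first governance pattern above and the launch-constraint behaviour from the exam trap, as an added example that is not part of the course material: a service control policy attached to a workload OU that denies direct EC2 and RDS creation unless the caller is the Service Catalog provisioning role. The SCProvisioningRole name comes from the snippet above; the PlatformAdmin break-glass role is an assumed name, and the wildcard account ID lets one SCP cover every member account in the OU.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDirectCreationOutsideServiceCatalog",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "rds:CreateDBInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/SCProvisioningRole",
            "arn:aws:iam::*:role/PlatformAdmin"
          ]
        }
      }
    }
  ]
}
```

Because the exception keys on the role name, the SCP only holds if member accounts cannot create or modify a role of that name themselves, and remember that SCPs never apply to the management account.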

Written by Alvin Varughese, Founder, 15 professional certifications.