

# Managing Provisioned Products
<a name="provisioned-products"></a>

AWS Service Catalog provides an interface for managing provisioned products. You can view, update, and terminate all provisioned products for your catalog based on access level. Refer to the following sections for example procedures.

**Topics**
+ [Managing provisioned products as the administrator](provisioned-products-admin.md)
+ [Changing Provisioned Product Owner](change-pp-owner.md)
+ [Updating templates for provisioned products](pp-templates.md)
+ [Tutorial: Identifying User Resource Allocation](provisioned-products-tutorial.md)
+ [Managing Terraform Open Source product status errors](provisioned-products-lifecycle.md)
+ [Managing the Terraform Open Source product state file](getstarted-terraform-engine-state.md)

# Managing provisioned products as the administrator
<a name="provisioned-products-admin"></a>

 To manage all of the provisioned products for an account, you must have `AWSServiceCatalogAdminFullAccess` or an equivalent IAM permission to access provisioned-product write operations. For more information, see [Identity and Access Management in AWS Service Catalog](controlling_access.md). 

**Tip**  
 For static provisioned-product chaining, you must reference provisioned-product outputs in a product-artifact template before the provisioned product is provisioned. For more information, including an example, see the following:
+ [AWS::ServiceCatalog::CloudFormationProvisionedProduct](https://amazonaws.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicecatalog-cloudformationprovisionedproduct.html#aws-resource-servicecatalog-cloudformationprovisionedproduct--examples) in the *AWS CloudFormation User Guide*.
+ [DescribeProvisioningParameters (ProvisioningArtifactOutputKeys)](https://amazonaws.com/servicecatalog/latest/dg/API_DescribeProvisioningParameters.html#API_DescribeProvisioningParameters_ResponseElements) in the *AWS Service Catalog Developer Guide*.

**To view and manage all provisioned products**

1. Open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

   If you are already logged in to the AWS Service Catalog console, choose **Service Catalog**, then **End user**.

1. If necessary, scroll down to the **Provisioned products** section. 

1. In the **Provisioned products** section, choose the **View:** list and select the level of access you want to see: **User**, **Role**, or **Account**. This action displays all the provisioned products in the catalog.

1. Choose a provisioned product to view, update, or terminate. For details about the information shown in this view, see [Viewing Provisioned Product Information](https://docs.aws.amazon.com/servicecatalog/latest/userguide/enduser-viewstack.html).

# Changing Provisioned Product Owner
<a name="change-pp-owner"></a>

 You can change the owner of a provisioned product at any time. You need to know the ARN of the user or role you want to set as the new owner. 

 By default, this feature is available to administrators using the `AWSServiceCatalogAdminFullAccess` managed policy. You can enable it for end users by granting them the `servicecatalog:UpdateProvisionedProductProperties` permission in AWS Identity and Access Management (IAM). 

**To change the owner of a provisioned product**

1.  In the AWS Service Catalog console, choose **Provisioned products list**. 

1. Locate the provisioned product you want to update, then choose the three dots beside it and choose **Change provisioned product owner**. You can also find the **Change owner** option on the provisioned product's detail page, in the **Actions** menu. 

1.  In the dialog box, enter the ARN of the user or role you want to set as the new owner. An ARN begins with `arn:` and includes other information separated by colons or slashes, for example, `arn:aws:iam::123456789012:user/NewOwner`. 

1.  Choose **Submit**. You will see a success message when the owner has been updated. 

## See Also
<a name="change-pp-owner-see-also"></a>
+  [UpdateProvisionedProductProperties](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_UpdateProvisionedProductProperties.html) 

# Updating templates for provisioned products
<a name="pp-templates"></a>

You can change the current template of a provisioned product to a different template. For example, if you have an EC2 product in Service Catalog, you can update that EC2 product to retain the same provisioned product ID, but change the template to an S3 bucket.

**Note**  
Updating templates is not supported for provisioned Terraform Open Source or Terraform Cloud products. If you want to use a different template for an existing Terraform product, you must delete the product and then create a new product using the desired template. 

**To update a template for a provisioned product**

1. In the left navigation menu, choose **Provisioned products**.

1. In **Provisioned products**, choose a provisioned product and select **Actions**, **Update**.

   Note that you can also select **Actions**, **Update** in the **Provisioned product details** page.

1. (Optional) In **Product details**, choose **Change product**.

   In **Change product**, note this warning:

   *Changing the product will update this provisioned product to a different product template. This may terminate resources and create new resources.*

   You can update a provisioned product to a different version within the same product.

1. (Optional) In **Products**, choose the product you want to update with a different template. Then choose **Change**.

   In **Product details**, note this warning:

   *[Product name] will be updated from [current template name] to [new template name]. However, the name of your provisioned product, [Provisioned Product name], will not change.*

   You can update a provisioned product to a different version within the same product.

1. In **Product versions**, choose the version of the product you want.

1. In **Parameters**, choose the appropriate parameters.

1. Choose **Update**.

   In **Provisioned product details**, you can see the details of the update. The provisioned product name does not change, but the provisioned product now has a different template.

# Tutorial: Identifying User Resource Allocation
<a name="provisioned-products-tutorial"></a>

You can use the AWS Service Catalog console to identify the user who provisioned a product and the resources associated with the product. Use this tutorial as a template for tracing your own provisioned products. 

To manage all provisioned products for the account, you need `AWSServiceCatalogAdminFullAccess` or equivalent access to the provisioned product write operations. For more information, see [Identity and Access Management](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/controlling_access.html) in the *AWS Service Catalog Administrator Guide*.

**To identify the user who provisioned a product and the associated resources**

1. Open [https://console.aws.amazon.com/servicecatalog](https://console.aws.amazon.com/servicecatalog).

1. In the left navigation menu, choose **Provisioned product**.

1. In the **Access Filter** dropdown menu, choose **Account**.  
![\[Provisioned products interface with search bar, access filter dropdown, and table columns.\]](http://docs.aws.amazon.com/servicecatalog/latest/adminguide/images/access-filter-dropdown.png)

1. In the **Account** view, choose and open a provisioned product to display its details.  
![\[Provisioned products table showing one S3 bucket product with its creation date and status.\]](http://docs.aws.amazon.com/servicecatalog/latest/adminguide/images/account-view.png)

   You can see the details of the provisioned product.

     
![\[Provisioned product details page showing status, ID, name, creation date, and other information.\]](http://docs.aws.amazon.com/servicecatalog/latest/adminguide/images/details-pp.png)

1. Scroll down to expand the **Events** section. Note the `Provisioned product ID` and `CloudformationStackARN` values.  
![\[Events section showing UPDATE_PROVISIONED_PRODUCT with CloudFormationStackARN details.\]](http://docs.aws.amazon.com/servicecatalog/latest/adminguide/images/events-container.png)

1. Use the provisioned product ID to identify the AWS CloudTrail record that corresponds to this launch and identify the requesting user (typically, you enter an email address during federation). In this example, it is "steve".

   ```
   {
     "eventVersion":"1.03",
     "userIdentity":
     {
       "type":"AssumedRole",
       "principalId":"[id]:steve",
       "arn":"arn:aws:sts::[account number]:assumed-role/SC-usertest/steve",
       "accountId":[account number],
       "accessKeyId":[access key],
       "sessionContext":
       {
         "attributes":
         {
           "mfaAuthenticated":[boolean],
           "creationDate":[timestamp]
         },
         "sessionIssuer":
         {
           "type":"Role",
           "principalId":"AROAJEXAMPLELH3QXY",
           "arn":"arn:aws:iam::[account number]:role/[name]",
           "accountId":[account number],
           "userName":[username]
         }
       }
     },
     "eventTime":"2016-08-17T19:20:58Z",
     "eventSource":"servicecatalog.amazonaws.com",
     "eventName":"ProvisionProduct",
     "awsRegion":"us-west-2",
     "sourceIPAddress":[ip address],
     "userAgent":"Coral/Netty",
     "requestParameters":
     {
       "provisioningArtifactId":[id],
       "productId":[id],
       "provisioningParameters":[Shows all the parameters that the end user entered],
       "provisionToken":[token],
       "pathId":[id],
       "provisionedProductName":[name],
       "tags":[],
       "notificationArns":[]
     },
     "responseElements":
     {
       "recordDetail":
       {
         "provisioningArtifactId":[id],
         "status":"IN_PROGRESS",
         "recordId":[id],
         "createdTime":"Aug 17, 2016 7:20:58 PM",
         "recordTags":[],
         "recordType":"PROVISION_PRODUCT",
         "provisionedProductType":"CFN_STACK",
         "pathId":[id],
         "productId":[id],
         "provisionedProductName":"testSCproduct",
         "recordErrors":[],
         "provisionedProductId":[id]
       }
     },
     "requestID":[id],
     "eventID":[id],
     "eventType":"AwsApiCall",
     "recipientAccountId":[account number]
   }
   ```

1. Use the `CloudformationStackARN` value to identify CloudFormation events to find information about the created resources. You can also use the CloudFormation API to obtain this information. For more information, see [AWS CloudFormation API Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/).

You can perform steps 1 through 4 using the AWS Service Catalog API or the AWS CLI. For more information, see [AWS Service Catalog Developer Guide](https://docs.aws.amazon.com/servicecatalog/latest/dg/what-is-service-catalog.html) and [AWS Service Catalog Command Line Reference](https://docs.aws.amazon.com/cli/latest/reference/servicecatalog/).
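The CloudTrail lookup in the tutorial can be scripted over exported records. The following is an added example, not part of the original guide: the function name `find_requester`, the sample records, and the `pp-example…` IDs are constructed for illustration.

```python
# Constructed CloudTrail records (not real account data), trimmed to the
# fields the tutorial's ProvisionProduct event uses. IDs are placeholders.
SAMPLE_EVENTS = [
    {   # denied launch: CloudTrail logs an errorCode and null responseElements
        "eventSource": "servicecatalog.amazonaws.com", "eventName": "ProvisionProduct",
        "eventTime": "2016-08-17T19:18:02Z", "errorCode": "AccessDeniedException",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/SC-usertest/maria"},
        "responseElements": None,
    },
    {   # successful launch by the federated session "steve"
        "eventSource": "servicecatalog.amazonaws.com", "eventName": "ProvisionProduct",
        "eventTime": "2016-08-17T19:20:58Z", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/SC-usertest/steve"},
        "responseElements": {"recordDetail": {"provisionedProductId": "pp-example0001",
                                              "provisionedProductName": "testSCproduct"}},
    },
    {   # launch by an IAM user rather than an assumed role
        "eventSource": "servicecatalog.amazonaws.com", "eventName": "ProvisionProduct",
        "eventTime": "2016-08-18T08:05:11Z", "sourceIPAddress": "198.51.100.9",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                         "arn": "arn:aws:iam::111122223333:user/ops-admin"},
        "responseElements": {"recordDetail": {"provisionedProductId": "pp-example0002",
                                              "provisionedProductName": "bucket-b"}},
    },
]

def find_requester(events, provisioned_product_id):
    """Return who launched the given provisioned product, or None if no record matches."""
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != (
                "servicecatalog.amazonaws.com", "ProvisionProduct"):
            continue
        # Failed calls carry no recordDetail, so they can never match an ID.
        detail = (ev.get("responseElements") or {}).get("recordDetail") or {}
        if detail.get("provisionedProductId") != provisioned_product_id:
            continue
        ident = ev.get("userIdentity") or {}
        parts = ident.get("arn", "").split(":", 5)[-1].split("/")
        if ident.get("type") == "AssumedRole" and len(parts) == 3:
            role, user = parts[1], parts[2]   # assumed-role/<role>/<session name>
        else:
            role, user = None, ident.get("userName") or parts[-1]
        return {"user": user, "role": role, "time": ev.get("eventTime"),
                "source_ip": ev.get("sourceIPAddress"), "arn": ident.get("arn")}
    return None
```

For an assumed role, the session name is whatever the federation layer set, so treat it as an identifier to correlate with your identity provider rather than as proof of identity on its own.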

# Managing Terraform Open Source product status errors
<a name="provisioned-products-lifecycle"></a>

Terraform Open Source `ProvisionProduct` failures are routed to the `TAINTED` state, allowing each provisioned product to proceed to `UpdateProvisionedProduct`. When this occurs:
+ `UpdateProvisionedProduct` does **not** make an attempt to update or correct tags, or to create or modify a resource group.
+ `UpdateProvisionedProduct` does **not** consider failures from previous provisioning operations when deciding if the provisioned product should be set to `AVAILABLE` or `TAINTED`. 

AWS Service Catalog applies tags only during `ProvisionProduct`. Failed tagging that results from a failure of the `ProvisionProduct` operation is **not** automatically resolved. 

## Status error examples
<a name="provisioned-products-lifecycle-errors"></a>

**Example 1: AWS Service Catalog does not create a resource group during** `ProvisionProduct`

In the scenario below, you have a provisioned product in the `AVAILABLE` state even if there is not a supporting resource group, and without any tags applied to the resources. 

1. Your action initiates `ProvisionProduct`. 

1. The Terraform provisioning engine responds to `ProvisionProduct` with a workflow failure and does not provide a `ResourceIdentifier`. 

1. The `ProvisionProduct` workflow does not create a resource group, and then sets the provisioned product state to `ERROR`. 

1. You then initiate the `UpdateProvisionedProduct` operation. 

1. The Terraform provisioning engine responds indicating "success." 

1. As a result, the `UpdateProvisionedProduct` workflow sets the provisioned product state to `AVAILABLE`, but does **not** create a resource group, or attempt to apply any tags. 

**Example 2: AWS Service Catalog creates new resources during** `UpdateProvisionedProduct`

In the scenario below, you have a provisioned product in the `AVAILABLE` state even if new resources do **not** have any tags applied.

1. Your action initiates `ProvisionProduct`. 

1. The Terraform provisioning engine responds indicating "success" and provides a `ResourceIdentifier`. 

1. The `ProvisionProduct` workflow creates a resource group and applies tags to all of the identified resources. 

1. You initiate `UpdateProvisionedProduct` on a new artifact that creates new resources. 

1. The Terraform provisioning engine responds indicating "success." 

1. The `UpdateProvisionedProduct` workflow sets the provisioned product state to `AVAILABLE` but does **not** attempt to apply any additional tags to the new resources. 
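Both scenarios above leave a product in `AVAILABLE` with nothing in its status to show that tags are missing, so tag-based controls need a separate check. The following is an added example, not AWS code: it flags such products from their record history, and the function name `audit_tagging`, the flat list layout, and all sample data are assumptions made for illustration.

```python
# Constructed inventory (not real data). RecordType and Status values follow
# Service Catalog record details; the flat-list layout is an assumption.
PRODUCTS = [
    {"Id": "pp-example0001", "Status": "AVAILABLE"},
    {"Id": "pp-example0002", "Status": "AVAILABLE"},
    {"Id": "pp-example0003", "Status": "AVAILABLE"},
    {"Id": "pp-example0004", "Status": "ERROR"},
]
RECORDS = [
    # Example 1: provisioning failed, a later update succeeded
    {"ProvisionedProductId": "pp-example0001", "RecordType": "PROVISION_PRODUCT", "Status": "FAILED"},
    {"ProvisionedProductId": "pp-example0001", "RecordType": "UPDATE_PROVISIONED_PRODUCT", "Status": "SUCCEEDED"},
    # Example 2: provisioning succeeded, a later update created new resources
    {"ProvisionedProductId": "pp-example0002", "RecordType": "PROVISION_PRODUCT", "Status": "SUCCEEDED"},
    {"ProvisionedProductId": "pp-example0002", "RecordType": "UPDATE_PROVISIONED_PRODUCT", "Status": "SUCCEEDED"},
    # Clean launch, never updated
    {"ProvisionedProductId": "pp-example0003", "RecordType": "PROVISION_PRODUCT", "Status": "SUCCEEDED"},
    # Failed launch that was never updated; already visible as ERROR
    {"ProvisionedProductId": "pp-example0004", "RecordType": "PROVISION_PRODUCT", "Status": "FAILED"},
]

def audit_tagging(products, records):
    """Map provisioned product ID -> finding for AVAILABLE products that may lack tags."""
    findings = {}
    for pp in products:
        if pp["Status"] != "AVAILABLE":
            continue  # ERROR and TAINTED products already stand out by status
        succeeded = {r["RecordType"] for r in records
                     if r["ProvisionedProductId"] == pp["Id"] and r["Status"] == "SUCCEEDED"}
        if "PROVISION_PRODUCT" not in succeeded:
            # Example 1: tags and the resource group are only created at provision time
            findings[pp["Id"]] = "provision never succeeded: expect no resource group and no tags"
        elif "UPDATE_PROVISIONED_PRODUCT" in succeeded:
            # Example 2: the update workflow does not tag resources it adds
            findings[pp["Id"]] = "updated after provision: resources added by the update may be untagged"
    return findings
```

A finding of the second kind is a prompt to verify tags on the resources, not proof that any are missing, because an update may not have created anything new.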

### Status error solution
<a name="provisioned-products-lifecycle-solutions"></a>

AWS Service Catalog ensures that a resource group is created for all provisioned products set to `TAINTED` from `ProvisionProduct`. If the Terraform provisioning engine does not return a `ResourceIdentifier`, or if AWS Service Catalog fails to create a resource group, then the provisioned product is set to the `ERROR` state, forcing you to terminate.

# Managing the Terraform Open Source product state file
<a name="getstarted-terraform-engine-state"></a>

Every Terraform Open Source provisioned product has a **single-state file**. There is a 1:1 relationship between the provisioned product and its state file. The files are stored in an Amazon S3 bucket named `sc-terraform-engine-state-${AWS::AccountId}-${AWS::Region}`. The state file is saved under the `AccountID` or `ProvisionedProductID` object key. 

State file access is limited to the `GetStateFile` AWS Lambda and Amazon EC2 launch templates. AWS Service Catalog administrators do **not** have direct access to the state files in Amazon S3. Administrators must access the files using Amazon EC2. By default, AWS Service Catalog administrators can see the list of state files, but cannot read or write the file contents. Only the Terraform provisioning engine can read or write the file contents. 