

# Repeat SAP application deployments using deployment artifacts created with AWS Launch Wizard
<a name="launch-wizard-deployment-artifacts"></a>

This section contains information about how to repeat deployments using deployment artifacts created with Launch Wizard. The artifacts include AWS Service Catalog products and AWS CloudFormation templates.

**Topics**
+ [How AWS Launch Wizard integration with AWS Service Catalog works](#launch-wizard-sap-service-catalog-how-it-works)
+ [Launch AWS Service Catalog products created with AWS Launch Wizard](launch-wizard-sap-service-catalog.md)
+ [Launch AWS Service Catalog products with ServiceNow](launch-wizard-sap-service-catalog-servicenow.md)
+ [Launch AWS Service Catalog products with Jira](launch-wizard-sap-service-catalog-jira.md)
+ [Launch AWS Service Catalog products with Terraform](launch-wizard-sap-service-catalog-terraform.md)
+ [Launch CloudFormation templates created in Launch Wizard](launch-wizard-sap-launch-artifacts-cloudformation.md)

## How AWS Launch Wizard integration with AWS Service Catalog works
<a name="launch-wizard-sap-service-catalog-how-it-works"></a>

AWS Launch Wizard creates AWS Service Catalog products from successful deployments. The AWS Service Catalog products contain CloudFormation templates and associated application configuration scripts, which are stored in Amazon S3. You can use the AWS Service Catalog products, along with integrations offered by AWS Service Catalog, with third-party products, such as ServiceNow, Jira, or Terraform. Or, you can use the CloudFormation templates and application configuration scripts saved in Amazon S3 to deploy SAP applications that meet the requirements of organizational deployment and governance policies.

In addition to supporting deployments using CloudFormation templates, AWS Service Catalog, and multiple deployment tools supported by AWS Service Catalog, AWS Launch Wizard creates a point-in-time snapshot of the code used to deploy and configure SAP applications at the time of the deployment. You can use the code "as is" for consistent repeated deployments, or you can use the code as a baseline and update it to meet specific application requirements.

AWS Launch Wizard creates a default Launch Wizard portfolio and products within the portfolio. An AWS Service Catalog product is created for each deployment and given a name that corresponds to the Launch Wizard deployment name.

![\[Deploying SAP applications with Launch Wizard, CloudFormation, AWS Service Catalog, and third-party applications\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/images/lw-sc-architecture.png)


# Launch AWS Service Catalog products created with AWS Launch Wizard
<a name="launch-wizard-sap-service-catalog"></a>

This section explains how to set up access to AWS Service Catalog products created with AWS Launch Wizard and how to launch those products. It also explains how to create a launch constraint so that you don't have to use your own IAM credentials to launch and manage AWS Service Catalog products.

**Topics**
+ [Set up to launch AWS Service Catalog products created with AWS Launch Wizard](launch-wizard-sap-service-catalog-setup.md)
+ [Create a launch constraint](launch-wizard-sap-service-catalog-constraint.md)
+ [Access AWS Service Catalog products created with AWS Launch Wizard](launch-wizard-sap-service-catalog-access.md)
+ [AWS Service Catalog deployment errors](launch-wizard-sap-service-catalog-errors.md)

# Set up to launch AWS Service Catalog products created with AWS Launch Wizard
<a name="launch-wizard-sap-service-catalog-setup"></a>

This section provides the steps required to grant permissions to a user group. Users need these permissions to access and launch AWS Service Catalog products created with Launch Wizard.

**Grant AWS Service Catalog permissions to the user group**

1. Navigate to the [AWS Identity and Access Management console](https://console.aws.amazon.com/iam).

1. Choose **User groups** from the left navigation pane.

1. Choose **Create group**.

1. For **User group name**, enter `Endusers`. 

1. Enter `AWSServiceCatalog` in the search box to filter the policy list.

1. Select the check box next to the **AWSServiceCatalogEndUserFullAccess** policy. You can optionally choose **AWSServiceCatalogEndUserReadOnlyAccess** if you prefer to grant the user only read-only access. Choose **Create group**.

1. To add a new user to the group, in the left navigation pane, choose **Users**.

1. Choose **Add user**.

1. Enter a **User name**.

1. Select **AWS Management Console access**.

1. Choose **Next: Permissions**.

1. Choose **Add user to group**.

1. Select the check box next to the **Endusers** group, then choose **Next: Tags**.

1. Choose **Next: Review**. On the **Review** page, choose **Create user**. Download or copy the credentials, then choose **Close**.

# Create a launch constraint
<a name="launch-wizard-sap-service-catalog-constraint"></a>

A launch constraint specifies the AWS Identity and Access Management role that AWS Service Catalog assumes when a user launches a product. It is associated with products in the portfolio. If you do not use launch constraints, you must launch and manage products using your own IAM credentials. These credentials must have permissions to use CloudFormation, AWS Service Catalog, and any other AWS services used by the products. Using a launch constraint allows you to limit the permissions of a user to the minimum required for a product.

To create a launch constraint, complete the steps in the following procedure. Perform Step 2 for each of the following listed policies.

**Create the launch role**

## AWS Service Catalog launch constraint policy 1
<a name="launch-constraint-policy-1"></a>

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "applicationinsights:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "resource-groups:List*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:GetChange",
                "route53:ListResourceRecordSets",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:ListKeys",
                "kms:ListAliases"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:List*",
                "cloudwatch:Get*",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateInternetGateway",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ec2:CreateKeyPair",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSubnet"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress",
                "ec2:AllocateHosts",
                "ec2:AssignPrivateIpAddresses",
                "ec2:AssociateAddress",
                "ec2:CreateDhcpOptions",
                "ec2:CreateEgressOnlyInternetGateway",
                "ec2:CreateNetworkInterface",
                "ec2:CreateVolume",
                "ec2:CreateVpcEndpoint",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVolumeAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:AssociateDhcpOptions",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:AttachVolume",
                "ec2:DeleteDhcpOptions",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteKeyPair",
                "ec2:DeleteNatGateway",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteVolume",
                "ec2:DeleteVpc",
                "ec2:DetachInternetGateway",
                "ec2:DetachVolume",
                "ec2:DeleteSnapshot",
                "ec2:AssociateRouteTable",
                "ec2:AssociateVpcCidrBlock",
                "ec2:DeleteNetworkAcl",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSubnet",
                "ec2:DetachNetworkInterface",
                "ec2:DisassociateAddress",
                "ec2:DisassociateVpcCidrBlock",
                "ec2:GetLaunchTemplateData",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifyVolume",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:GetConsoleOutput",
                "ec2:GetPasswordData",
                "ec2:ReleaseAddress",
                "ec2:ReplaceRoute",
                "ec2:ReplaceRouteTableAssociation",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:DisassociateRouteTable",
                "ec2:DisassociateSubnetCidrBlock",
                "ec2:ModifyInstancePlacement",
                "ec2:DeletePlacementGroup",
                "ec2:CreatePlacementGroup",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DeleteMountTarget",
                "ds:AddIpRoutes",
                "ds:CreateComputer",
                "ds:CreateMicrosoftAD",
                "ds:DeleteDirectory"
            ],
            "Resource": "*"
        }
    ]
}
```

## Service Catalog launch constraint policy 2
<a name="launch-constraint-policy-2"></a>

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeStack*",
                "cloudformation:Get*",
                "cloudformation:ListStacks",
                "cloudformation:SignalResource",
                "cloudformation:DeleteStack"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:*:stack/*/*",
                "arn:aws:cloudformation:*:*:stack/ApplicationInsights*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:AddRoleToInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::*:role/service-role/AmazonEC2RoleForLaunchWizard*",
                "arn:aws:iam::*:instance-profile/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/service-role/AmazonEC2RoleForLaunchWizard*",
                "arn:aws:iam::*:role/service-role/AmazonLambdaRoleForLaunchWizard*",
                "arn:aws:iam::*:instance-profile/*"
            ],
            "Condition": {
                "StringEqualsIfExists": {
                    "iam:PassedToService": [
                        "lambda.amazonaws.com",
                        "ec2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:AttachInstances",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:UpdateAutoScalingGroup",
                "logs:CreateLogStream",
                "logs:DeleteLogGroup",
                "logs:DeleteLogStream",
                "logs:DescribeLog*",
                "logs:PutLogEvents",
                "resource-groups:CreateGroup",
                "resource-groups:DeleteGroup",
                "sns:ListSubscriptionsByTopic",
                "sns:Publish",
                "ssm:DeleteDocument",
                "ssm:DeleteParameter*",
                "ssm:DescribeDocument*",
                "ssm:GetDocument",
                "ssm:PutParameter"
            ],
            "Resource": [
                "arn:aws:resource-groups:*:*:group/*",
                "arn:aws:sns:*:*:*",
                "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/LaunchWizard*",
                "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/LaunchWizard*",
                "arn:aws:ssm:*:*:parameter/LaunchWizard*",
                "arn:aws:ssm:*:*:document/LaunchWizard*",
                "arn:aws:logs:*:*:log-group:*:*:*",
                "arn:aws:logs:*:*:log-group:LaunchWizard*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringLike": {
                    "aws:TagKeys": "LaunchWizard*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DeleteLogStream",
                "logs:GetLogEvents",
                "logs:PutLogEvents",
                "ssm:AddTagsToResource",
                "ssm:DescribeDocument",
                "ssm:GetDocument",
                "ssm:ListTagsForResource",
                "ssm:RemoveTagsFromResource"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:*:*:*",
                "arn:aws:logs:*:*:log-group:LaunchWizard*",
                "arn:aws:ssm:*:*:parameter/LaunchWizard*",
                "arn:aws:ssm:*:*:document/LaunchWizard*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:Describe*",
                "cloudformation:DescribeAccountLimits",
                "cloudformation:DescribeStackDriftDetectionStatus",
                "cloudformation:List*",
                "cloudformation:GetTemplateSummary",
                "cloudformation:ValidateTemplate",
                "ds:Describe*",
                "ds:ListAuthorizedApplications",
                "ec2:Describe*",
                "ec2:Get*",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetUser",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:List*",
                "logs:CreateLogGroup",
                "logs:GetLogDelivery",
                "logs:GetLogRecord",
                "logs:ListLogDeliveries",
                "resource-groups:Get*",
                "resource-groups:List*",
                "servicequotas:GetServiceQuota",
                "servicequotas:ListServiceQuotas",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "ssm:CreateDocument",
                "ssm:DescribeAutomation*",
                "ssm:DescribeInstanceInformation",
                "ssm:DescribeParameters",
                "ssm:GetAutomationExecution",
                "ssm:GetCommandInvocation",
                "ssm:GetParameter*",
                "ssm:GetConnectionStatus",
                "ssm:ListCommand*",
                "ssm:ListDocument*",
                "ssm:ListInstanceAssociations",
                "ssm:SendAutomationSignal",
                "ssm:StartAutomationExecution",
                "ssm:StopAutomationExecution",
                "tag:Get*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "logs:GetLog*",
            "Resource": [
                "arn:aws:logs:*:*:log-group:*:*:*",
                "arn:aws:logs:*:*:log-group:LaunchWizard*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:List*",
                "cloudformation:Describe*"
            ],
            "Resource": "arn:aws:cloudformation:*:*:stack/LaunchWizard*/"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "autoscaling.amazonaws.com",
                        "application-insights.amazonaws.com",
                        "events.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:TagQueue",
                "sqs:GetQueueUrl",
                "sqs:AddPermission",
                "sqs:ListQueues",
                "sqs:DeleteQueue",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "sqs:CreateQueue",
                "sqs:SetQueueAttributes"
            ],
            "Resource": "arn:aws:sqs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricAlarm",
                "iam:GetInstanceProfile",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms"
            ],
            "Resource": [
                "arn:aws:cloudwatch:*:*:alarm:*",
                "arn:aws:iam::*:instance-profile/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "route53:ListHostedZones",
                "ec2:CreateSecurityGroup",
                "ec2:AuthorizeSecurityGroupIngress",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:CreateFileSystem",
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups"
            ],
            "Resource": "*"
        }
    ]
}
```

## Service Catalog launch constraint policy 3
<a name="launch-constraint-policy-3"></a>

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::launchwizard*",
                "arn:aws:s3:::launchwizard*/*",
                "arn:aws:s3:::aws-sap-data-provider/config.properties"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "cloudformation:TagResource",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringLike": {
                    "aws:TagKeys": "LaunchWizard*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:PutBucketVersioning",
                "s3:DeleteBucket",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:*",
                "arn:aws:s3:::launchwizard*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",
                "dynamodb:DeleteTable"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:CreateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:TagResource",
                "secretsmanager:UntagResource",
                "secretsmanager:PutResourcePolicy",
                "secretsmanager:DeleteResourcePolicy",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:CreateOpsMetadata"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ssm:DeleteOpsMetadata",
            "Resource": "arn:aws:ssm:*:*:opsmetadata/aws/ssm/LaunchWizard*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:Subscribe",
                "sns:Unsubscribe"
            ],
            "Resource": "arn:aws:sns:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "fsx:UntagResource",
                "fsx:TagResource",
                "fsx:DeleteFileSystem",
                "fsx:ListTagsForResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/Name": "LaunchWizard*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "fsx:CreateFileSystem"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/Name": [
                        "LaunchWizard*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "fsx:DescribeFileSystems"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
                }
            }
        }
    ]
}
```

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Perform the following substeps individually for each of the three policies previously listed.

   1. In the left navigation pane, choose **Policies** > **Create policy**.

   1. On the **Create policy** page, choose the **JSON** tab.

   1. Copy each of the previous policies and paste each into the **Policy Document** JSON text box, replacing the placeholder text. 

   1. Choose **Next: Tags** > **Next: Review**.

   1. Enter a **Policy Name**.

   1. Choose **Create policy**.

1. In the left navigation pane, choose **Roles**, then choose **Create role**.

1. Under **Select type of trusted entity**, choose **AWS service** > **Service Catalog**.

1. Select the **Service Catalog** use case, then choose **Next: Permissions**.

1. Search for the three policies that you added in Step 2 and select the check boxes next to them.

1. Choose **Next: Tags**.

1. Choose **Next: Review**.

1. Enter `LaunchWizardServiceCatalogProductsLaunchRole` for the **Role name**.

1. Choose **Create role**.

**Create launch constraint**

1. Navigate to the [AWS Service Catalog console](https://console.aws.amazon.com/servicecatalog).

1. In the left navigation pane, under **Administration**, choose **Portfolios**.

1. Choose the portfolio named **Launch Wizard Service Catalog portfolio**, which is the default portfolio.

1. Under **Constraints**, choose **Create Constraints**.

1. Select the **Product** to which to apply the constraint.

1. Select **Launch** as the **Constraint type**.

1. Select the IAM role that you created in the procedure for creating a launch role.

1. Choose **Create**.
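
The two console procedures above, expressed as Terraform. This is an added example and is not part of the AWS documentation. It assumes the three policy documents from this page are saved beside the configuration as `policy-1.json`, `policy-2.json` and `policy-3.json`, that the portfolio and product IDs are passed in as variables, and that the IAM policy names shown are your own choice (all hypothetical names).

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Assumption: IDs copied from the Service Catalog console for the default
# Launch Wizard portfolio and the product the constraint should apply to.
variable "portfolio_id" {
  type        = string
  description = "ID of the Launch Wizard portfolio"
}

variable "product_id" {
  type        = string
  description = "ID of the Launch Wizard product to constrain"
}

locals {
  # Assumption: hypothetical policy names mapped to the three JSON documents
  # from this page, saved locally under these hypothetical file names.
  launch_policy_files = {
    "LaunchWizardSCLaunchPolicy1" = "${path.module}/policy-1.json"
    "LaunchWizardSCLaunchPolicy2" = "${path.module}/policy-2.json"
    "LaunchWizardSCLaunchPolicy3" = "${path.module}/policy-3.json"
  }
}

# Trust policy: only the Service Catalog service principal may assume the
# launch role. End users never assume it themselves.
data "aws_iam_policy_document" "launch_role_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["servicecatalog.amazonaws.com"]
    }
  }
}

# Role name taken from the procedure on this page.
resource "aws_iam_role" "launch" {
  name               = "LaunchWizardServiceCatalogProductsLaunchRole"
  assume_role_policy = data.aws_iam_policy_document.launch_role_trust.json
}

# One customer managed policy per JSON document (Step 2 of the procedure).
resource "aws_iam_policy" "launch" {
  for_each = local.launch_policy_files

  name   = each.key
  policy = file(each.value)
}

# Attach all three policies to the launch role.
resource "aws_iam_role_policy_attachment" "launch" {
  for_each = aws_iam_policy.launch

  role       = aws_iam_role.launch.name
  policy_arn = each.value.arn
}

# Launch constraint: Service Catalog assumes the role above whenever a user
# launches this product, so the user's own credentials need only
# Service Catalog end-user permissions.
resource "aws_servicecatalog_constraint" "launch" {
  description  = "Provision Launch Wizard products with the launch role"
  portfolio_id = var.portfolio_id
  product_id   = var.product_id
  type         = "LAUNCH"

  parameters = jsonencode({
    RoleArn = aws_iam_role.launch.arn
  })

  # Create the constraint only after the role carries its permissions.
  depends_on = [aws_iam_role_policy_attachment.launch]
}
```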

# Access AWS Service Catalog products created with AWS Launch Wizard
<a name="launch-wizard-sap-service-catalog-access"></a>

Perform the following steps to access AWS Service Catalog products created with AWS Launch Wizard.

In the AWS Service Catalog administrator console, the **Portfolio details** page lists the portfolio settings. From this page, you can manage the products in a portfolio, grant users access to products, and apply `TagOptions` and constraints. You can manage products from the **Products** page.

**Access Service Catalog products as a Service Catalog Admin user**

1. Navigate to the [AWS Service Catalog console](https://console.aws.amazon.com/servicecatalog).

1. In the left navigation pane, under **Administration**, choose **Portfolios**.

1. Choose the portfolio named **AWS Launch Wizard Products**, which is the default portfolio created by Launch Wizard.

1. Choose **AWS Launch Wizard products**.

1. The product created by Launch Wizard using CloudFormation templates and user inputs is named **[LW Deployment Name]-[Deployment Type]**. You can create a new version by choosing **Create new version**.

1. You can associate tags or apply product-specific tags as needed.

**Access Service Catalog products as an IAM user**

1. Navigate to the [AWS Service Catalog console](https://console.aws.amazon.com/servicecatalog).

1. In the left navigation pane, under **Home**, choose **Products**.

1. Search for the Launch Wizard SAP product that you saved from the Launch Wizard deployment, and select it. The product won't be visible to any user who has not been granted access to it. To grant access to the product, see [Granting Access to Users](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_users.html).

1. Choose **Launch product**.

1. You will be directed to the AWS Service Catalog **Launching** page, which resembles CloudFormation. Most of the parameters are specified using your defaults. Enter or replace the default values as you require, including passwords and SAPSIDs.

1. After you verify the parameters, choose **Launch product** to start the creation of the CloudFormation stack.

# AWS Service Catalog deployment errors
<a name="launch-wizard-sap-service-catalog-errors"></a>

For AWS Service Catalog deployments completed prior to February 7, 2022, perform the following steps to remove the `AmazonLambdaRolePolicyForLaunchWizardSAP` policy from the `AmazonLambdaRoleForLaunchWizard` role, and add a new inline policy. Deployments completed after February 7, 2022 do not require you to perform these steps.

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Roles** from the left navigation pane.

1. Search for the `AmazonLambdaRoleForLaunchWizard` role. Select the policy to view the attached permissions.

1. Check whether the `AmazonLambdaRolePolicyForLaunchWizardSAP` policy is attached to this role. If it is attached, remove the policy by selecting the check box next to it, and choose **Remove**.

1. Add the following inline policy by choosing **Add permissions** > **Create inline policy**, and entering the policy in the **JSON** tab of the **Create policy** wizard.

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "ssm:GetParameter"
         ],
         "Resource": "arn:aws:ssm:*::parameter/LaunchWizard*"
       },
       {
         "Effect": "Allow",
         "Action": [
           "ssm:GetDocument",
           "ssm:SendCommand"
         ],
         "Resource": "arn:aws:ssm:*::document/AWS-RunShellScript"
       },
       {
         "Effect": "Allow",
         "Action": [
           "ssm:SendCommand"
         ],
         "Resource": [
           "arn:aws:ec2:*:111122223333:instance/*"
         ],
         "Condition": {
           "StringLike": {
             "ssm:resourceTag/LaunchWizardApplicationType": "*"
           }
         }
       }
     ]
   }
   ```

1. Choose **Review policy**, enter a name for the policy, and choose **Create policy**.

# Launch AWS Service Catalog products with ServiceNow
<a name="launch-wizard-sap-service-catalog-servicenow"></a>

ServiceNow users can natively browse and provision AWS Service Catalog products created with AWS Launch Wizard by using the AWS Management Connector for ServiceNow.

**Prerequisites for using ServiceNow to launch products:**
+ You must create a deployment using Launch Wizard by choosing the **Create an AWS Service Catalog product** option in the infrastructure settings in Launch Wizard. For more information, see [Define infrastructure](launch-wizard-sap-deploying-console.md#launch-wizard-sap-infrastructure).
+ You must install the AWS Service Catalog Connector for ServiceNow. For details about how to install the Connector, see [AWS Service Management Connector for ServiceNow](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/integrations-servicenow.html).
+ You must complete the [set up steps to launch AWS Service Catalog products](launch-wizard-sap-service-catalog-setup.md).
+ You must [create a launch constraint](launch-wizard-sap-service-catalog-constraint.md). 

For more information about how to integrate AWS products into your ServiceNow Portal using the AWS Service Catalog Connector, watch the following video.

[![AWS Videos](http://img.youtube.com/vi/YCvNK-fzgoc/0.jpg)](http://www.youtube.com/watch?v=YCvNK-fzgoc)


# Launch AWS Service Catalog products with Jira
<a name="launch-wizard-sap-service-catalog-jira"></a>

AWS Service Catalog products created with AWS Launch Wizard can be integrated with Jira workflows. You can use the AWS Service Catalog Connector for Jira to natively provision and operate AWS Service Catalog products created with Launch Wizard by using Atlassian's Jira Service Management. This workflow simplifies product request actions for Jira Service Management users and provides Jira Service Management governance and oversight over AWS products.

**Prerequisites for using Jira to launch products:**
+ Create a deployment using Launch Wizard by choosing the **Create an AWS Service Catalog product** option in the infrastructure settings in Launch Wizard. For more information, see [Define infrastructure](launch-wizard-sap-deploying-console.md#launch-wizard-sap-infrastructure).
+ Install the AWS Service Catalog Connector for Jira. For information about how to install the Connector, see [AWS Service Catalog Connector for Jira](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/integrations-jiraservicedesk.html).
+ Complete the [set up steps to launch AWS Service Catalog products](launch-wizard-sap-service-catalog-setup.md).
+ Complete the steps to [create a launch constraint](launch-wizard-sap-service-catalog-constraint.md). 

For more information about how to integrate AWS products into your Jira Service Management portal using the AWS Service Catalog Connector, watch the following video.

[![AWS Videos](https://img.youtube.com/vi/1AODGjhqufo/0.jpg)](https://www.youtube.com/watch?v=1AODGjhqufo)


# Launch AWS Service Catalog products with Terraform
<a name="launch-wizard-sap-service-catalog-terraform"></a>

The official HashiCorp AWS provider supports AWS Service Catalog resources. You can use Terraform to launch products that were created with Launch Wizard and saved to AWS Service Catalog. Or, you can integrate the products with your existing Terraform workflows. Administrators can create AWS Service Catalog portfolios and add Launch Wizard products to them using Terraform.

**Prerequisites for using Terraform to launch products:**
+ You must create a deployment using Launch Wizard by choosing the **Create an AWS Service Catalog product** option in the infrastructure settings in Launch Wizard. For more information, see [Define infrastructure](launch-wizard-sap-deploying-console.md#launch-wizard-sap-infrastructure).
+ The Terraform user that authenticates the AWS account must have access to the AWS Service Catalog products. For more information, see [AWS Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) in the Terraform documentation.
+ The IAM user that authenticates the AWS account must have permissions to use the AWS Service Catalog products created by Launch Wizard. For steps to grant access to users, see [Granting Access to Users](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_users.html) in the *AWS Service Catalog User Guide*.

The Terraform resource named [`aws_servicecatalog_provisioned_product`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/servicecatalog_provisioned_product) is used to launch the AWS Service Catalog product created with Launch Wizard.

**Example Terraform script**

The following example Terraform script launches a single node HANA database instance with a single node HANA product (`prod-abc1234546`) created with Launch Wizard using the product version ID (`pa-xyz12345`). In this example, the hostname for HANA and the SID for HANA DB are passed to override the defaults, and the remaining parameters are set to the defaults in the AWS Service Catalog product.

```
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.54.0"
    }
  }
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

# Random suffix so that each provisioned product gets a unique name.
resource "random_id" "id" {
  byte_length = 8
}

# Confirm that the user can launch the product. A "no launch paths" error can have many causes.
resource "aws_servicecatalog_provisioned_product" "singlenodehana" {
  name                     = "tef-${random_id.id.hex}"
  product_id               = "prod-abc1234546"
  provisioning_artifact_id = "pa-xyz12345"

  # Override the default SID for the HANA database.
  provisioning_parameters {
    key   = "HANASID"
    value = "HDB"
  }

  # Override the default HANA hostname.
  provisioning_parameters {
    key   = "HANAHostname"
    value = "saphanadev"
  }

  tags = {
    TFLaunched = "True"
  }
}
```

Note that the environment variables authentication mechanism is used in this example.

# Launch CloudFormation templates created in Launch Wizard
<a name="launch-wizard-sap-launch-artifacts-cloudformation"></a>

You can launch CloudFormation stacks from the CloudFormation templates that you saved from your successful Launch Wizard deployments. Perform the following steps to find and launch your CloudFormation templates created with Launch Wizard.

To create a launch constraint, complete the steps in the following procedure. Perform Step 2 for each of the following listed policies.

**Attach required policies to IAM user**

## Service Catalog launch constraint policy 1
<a name="launch-constraint-policy-1"></a>

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "applicationinsights:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "resource-groups:List*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:GetChange",
                "route53:ListResourceRecordSets",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:ListKeys",
                "kms:ListAliases"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:List*",
                "cloudwatch:Get*",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateInternetGateway",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ec2:CreateKeyPair",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSubnet"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress",
                "ec2:AllocateHosts",
                "ec2:AssignPrivateIpAddresses",
                "ec2:AssociateAddress",
                "ec2:CreateDhcpOptions",
                "ec2:CreateEgressOnlyInternetGateway",
                "ec2:CreateNetworkInterface",
                "ec2:CreateVolume",
                "ec2:CreateVpcEndpoint",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVolumeAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:AssociateDhcpOptions",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:AttachVolume",
                "ec2:DeleteDhcpOptions",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteKeyPair",
                "ec2:DeleteNatGateway",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteVolume",
                "ec2:DeleteVpc",
                "ec2:DetachInternetGateway",
                "ec2:DetachVolume",
                "ec2:DeleteSnapshot",
                "ec2:AssociateRouteTable",
                "ec2:AssociateVpcCidrBlock",
                "ec2:DeleteNetworkAcl",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSubnet",
                "ec2:DetachNetworkInterface",
                "ec2:DisassociateAddress",
                "ec2:DisassociateVpcCidrBlock",
                "ec2:GetLaunchTemplateData",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifyVolume",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:GetConsoleOutput",
                "ec2:GetPasswordData",
                "ec2:ReleaseAddress",
                "ec2:ReplaceRoute",
                "ec2:ReplaceRouteTableAssociation",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:DisassociateRouteTable",
                "ec2:DisassociateSubnetCidrBlock",
                "ec2:ModifyInstancePlacement",
                "ec2:DeletePlacementGroup",
                "ec2:CreatePlacementGroup",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DeleteMountTarget",
                "ds:AddIpRoutes",
                "ds:CreateComputer",
                "ds:CreateMicrosoftAD",
                "ds:DeleteDirectory"
            ],
            "Resource": "*"
        }
    ]
}
```


## Service Catalog launch constraint policy 2
<a name="launch-constraint-policy-2"></a>

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeStack*",
                "cloudformation:Get*",
                "cloudformation:ListStacks",
                "cloudformation:SignalResource",
                "cloudformation:DeleteStack"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:*:stack/*/*",
                "arn:aws:cloudformation:*:*:stack/ApplicationInsights*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:AddRoleToInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::*:role/service-role/AmazonEC2RoleForLaunchWizard*",
                "arn:aws:iam::*:instance-profile/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/service-role/AmazonEC2RoleForLaunchWizard*",
                "arn:aws:iam::*:role/service-role/AmazonLambdaRoleForLaunchWizard*",
                "arn:aws:iam::*:instance-profile/*"
            ],
            "Condition": {
                "StringEqualsIfExists": {
                    "iam:PassedToService": [
                        "lambda.amazonaws.com",
                        "ec2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:AttachInstances",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:UpdateAutoScalingGroup",
                "logs:CreateLogStream",
                "logs:DeleteLogGroup",
                "logs:DeleteLogStream",
                "logs:DescribeLog*",
                "logs:PutLogEvents",
                "resource-groups:CreateGroup",
                "resource-groups:DeleteGroup",
                "sns:ListSubscriptionsByTopic",
                "sns:Publish",
                "ssm:DeleteDocument",
                "ssm:DeleteParameter*",
                "ssm:DescribeDocument*",
                "ssm:GetDocument",
                "ssm:PutParameter"
            ],
            "Resource": [
                "arn:aws:resource-groups:*:*:group/*",
                "arn:aws:sns:*:*:*",
                "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/LaunchWizard*",
                "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/LaunchWizard*",
                "arn:aws:ssm:*:*:parameter/LaunchWizard*",
                "arn:aws:ssm:*:*:document/LaunchWizard*",
                "arn:aws:logs:*:*:log-group:*:*:*",
                "arn:aws:logs:*:*:log-group:LaunchWizard*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringLike": {
                    "aws:TagKeys": "LaunchWizard*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DeleteLogStream",
                "logs:GetLogEvents",
                "logs:PutLogEvents",
                "ssm:AddTagsToResource",
                "ssm:DescribeDocument",
                "ssm:GetDocument",
                "ssm:ListTagsForResource",
                "ssm:RemoveTagsFromResource"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:*:*:*",
                "arn:aws:logs:*:*:log-group:LaunchWizard*",
                "arn:aws:ssm:*:*:parameter/LaunchWizard*",
                "arn:aws:ssm:*:*:document/LaunchWizard*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:Describe*",
                "cloudformation:DescribeAccountLimits",
                "cloudformation:DescribeStackDriftDetectionStatus",
                "cloudformation:List*",
                "cloudformation:GetTemplateSummary",
                "cloudformation:ValidateTemplate",
                "ds:Describe*",
                "ds:ListAuthorizedApplications",
                "ec2:Describe*",
                "ec2:Get*",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetUser",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:List*",
                "logs:CreateLogGroup",
                "logs:GetLogDelivery",
                "logs:GetLogRecord",
                "logs:ListLogDeliveries",
                "resource-groups:Get*",
                "resource-groups:List*",
                "servicequotas:GetServiceQuota",
                "servicequotas:ListServiceQuotas",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "ssm:CreateDocument",
                "ssm:DescribeAutomation*",
                "ssm:DescribeInstanceInformation",
                "ssm:DescribeParameters",
                "ssm:GetAutomationExecution",
                "ssm:GetCommandInvocation",
                "ssm:GetParameter*",
                "ssm:GetConnectionStatus",
                "ssm:ListCommand*",
                "ssm:ListDocument*",
                "ssm:ListInstanceAssociations",
                "ssm:SendAutomationSignal",
                "ssm:StartAutomationExecution",
                "ssm:StopAutomationExecution",
                "tag:Get*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "logs:GetLog*",
            "Resource": [
                "arn:aws:logs:*:*:log-group:*:*:*",
                "arn:aws:logs:*:*:log-group:LaunchWizard*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:List*",
                "cloudformation:Describe*"
            ],
            "Resource": "arn:aws:cloudformation:*:*:stack/LaunchWizard*/"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "autoscaling.amazonaws.com",
                        "application-insights.amazonaws.com",
                        "events.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:TagQueue",
                "sqs:GetQueueUrl",
                "sqs:AddPermission",
                "sqs:ListQueues",
                "sqs:DeleteQueue",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "sqs:CreateQueue",
                "sqs:SetQueueAttributes"
            ],
            "Resource": "arn:aws:sqs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricAlarm",
                "iam:GetInstanceProfile",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms"
            ],
            "Resource": [
                "arn:aws:cloudwatch:*:*:alarm:*",
                "arn:aws:iam::*:instance-profile/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "route53:ListHostedZones",
                "ec2:CreateSecurityGroup",
                "ec2:AuthorizeSecurityGroupIngress",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:CreateFileSystem",
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups"
            ],
            "Resource": "*"
        }
    ]
}
```


## Service Catalog launch constraint policy 3
<a name="launch-constraint-policy-3"></a>

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::launchwizard*",
                "arn:aws:s3:::launchwizard*/*",
                "arn:aws:s3:::aws-sap-data-provider/config.properties"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "cloudformation:TagResource",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringLike": {
                    "aws:TagKeys": "LaunchWizard*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:PutBucketVersioning",
                "s3:DeleteBucket",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:*",
                "arn:aws:s3:::launchwizard*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",
                "dynamodb:DeleteTable"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:CreateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:TagResource",
                "secretsmanager:UntagResource",
                "secretsmanager:PutResourcePolicy",
                "secretsmanager:DeleteResourcePolicy",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:CreateOpsMetadata"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ssm:DeleteOpsMetadata",
            "Resource": "arn:aws:ssm:*:*:opsmetadata/aws/ssm/LaunchWizard*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:Subscribe",
                "sns:Unsubscribe"
            ],
            "Resource": "arn:aws:sns:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "fsx:UntagResource",
                "fsx:TagResource",
                "fsx:DeleteFileSystem",
                "fsx:ListTagsForResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/Name": "LaunchWizard*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "fsx:CreateFileSystem"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/Name": [
                        "LaunchWizard*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "fsx:DescribeFileSystems"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
                }
            }
        }
    ]
}
```


1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Perform the following substeps for each of the three policies listed above.

   1. In the left navigation pane, choose **Policies** > **Create policy**.

   1. On the **Create policy** page, choose the **JSON** tab.

   1. Copy each policy above and paste it into the **Policy Document** JSON text field, replacing the placeholder text (perform these substeps individually for each of the three policies listed above).

   1. Choose **Next: Tags** > **Next: Review**.

   1. Enter a **Policy Name**.

   1. Choose **Create policy**.

1. Attach the three policies you just created to the IAM user you use to launch CloudFormation templates.
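
The following check is an added example, not AWS code and not part of the original procedure. Before you attach the three policies, it lists the state-changing statements that apply to `"Resource": "*"` and either have no `Condition` or use only condition operators that IAM evaluates as true when the key is absent from the request (`ForAllValues:`, `...IfExists`, and negated operators). The sample statements are copied from policies 2 and 3 above; the function names and the read-only prefix heuristic are assumptions of this example.

```python
# Verb prefixes treated as read-only. Review heuristic (assumption of this example),
# not an AWS classification: some Get* actions still return sensitive data.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")

# Constructed sample: five statements copied from policies 2 and 3 on this page.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:StopInstances", "ec2:TerminateInstances"]},
        {"Effect": "Allow",
         "Action": "ssm:SendCommand",
         "Resource": "*",
         "Condition": {"ForAllValues:StringLike": {"aws:TagKeys": "LaunchWizard*"}}},
        {"Effect": "Allow",
         "Action": ["iam:PassRole"],
         "Resource": [
             "arn:aws:iam::*:role/service-role/AmazonEC2RoleForLaunchWizard*",
             "arn:aws:iam::*:role/service-role/AmazonLambdaRoleForLaunchWizard*",
             "arn:aws:iam::*:instance-profile/*"],
         "Condition": {"StringEqualsIfExists": {
             "iam:PassedToService": ["lambda.amazonaws.com", "ec2.amazonaws.com"]}}},
        {"Effect": "Allow",
         "Action": ["fsx:CreateFileSystem"],
         "Resource": "*",
         "Condition": {"StringLike": {"aws:RequestTag/Name": ["LaunchWizard*"]}}},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["fsx:DescribeFileSystems"]},
    ],
}


def as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def passes_when_key_absent(operator):
    """True for operators that evaluate to true when the condition key is missing
    from the request: ForAllValues:*, *IfExists, and negated (Not) operators."""
    return (operator.startswith("ForAllValues:") or operator.endswith("IfExists")
            or "Not" in operator)


def condition_strength(statement):
    """Return 'none', 'weak' or 'enforced' for a statement's Condition block."""
    operators = list(statement.get("Condition", {}))
    if not operators:
        return "none"
    # Operators are ANDed, so one that fails on a missing key (Null included) enforces the block.
    if all(passes_when_key_absent(op) for op in operators):
        return "weak"
    return "enforced"


def review(policy):
    """Summarize every Allow statement that grants at least one non-read-only action."""
    rows = []
    for index, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        mutating = [a for a in as_list(stmt.get("Action", []))
                    if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
        if mutating:
            rows.append(dict(index=index, actions=mutating,
                             wildcard_resource="*" in as_list(stmt.get("Resource", [])),
                             condition=condition_strength(stmt)))
    return rows


def findings(policy):
    """Statements that change state on Resource "*" without an enforcing condition."""
    return [row for row in review(policy)
            if row["wildcard_resource"] and row["condition"] != "enforced"]


if __name__ == "__main__":
    for row in findings(SAMPLE_POLICY):
        print("REVIEW", row)
```

To review a full policy, load its JSON with `json.load` and pass the resulting dictionary to `findings`.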

**Find and launch your templates**

1. Navigate to the [Amazon S3 console](https://console.aws.amazon.com/s3).

1. Locate the folder within the Amazon S3 bucket that you specified when you [defined the infrastructure for your Launch Wizard deployment](launch-wizard-sap-deploying-console.md#launch-wizard-sap-infrastructure).

1. Under the folder that you specified, locate and choose a new folder named `<LaunchWizardDeploymentName>-<TimeStamp>`. This is the folder to which the Launch Wizard service copies the CloudFormation templates and deployment artifacts.

1. After you choose the new folder, you will see an `sap/` folder and a JSON file named `<LaunchWizardDeploymentName>-<DeploymentType>-template.json`. This is the root CloudFormation template file. Select the check box next to this file and choose **Copy URL**.

1. Navigate to the [CloudFormation console](https://console.aws.amazon.com/cloudformation) to create a stack with the URL that you copied.

For more information about CloudFormation templates, see [Working with AWS CloudFormation templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-guide.html) in the *AWS CloudFormation User Guide*.