AWS Cloud Operations Blog
Using AWS Lambda to decommission products provisioned from an AWS Service Catalog portfolio
This blog-post is part two in a two-part series of blog posts. Part one shows you how to use AWS Service Catalog to control AWS resources available to your users. Part two shows you how you can use AWS Lambda to decommission all products provisioned from any product of a Portfolio.
Sometimes you might have a business need to terminate all products provisioned in your AWS account from a specific portfolio. For example, you might want to decommission an old portfolio of products or terminate resources provisioned by your temporary users, as described in the first blog post. As an AWS Service Catalog Administrator, going through the AWS Service Catalog console and figuring out which products to terminate can be a daunting task if you are managing many portfolios. In this blog post, I share a sample Lambda function that you can use to terminate all products provisioned from a specific portfolio.
The solution explained in this post finds all products of the portfolio, and then for each product, it finds all provisioned products. Finally, it terminates all provisioned products found.
Before you begin, you need to find out the portfolio-ID of the portfolio where you want to terminate all provisioned products.
Find the portfolio ID
- Open the AWS Service Catalog console at https://console.thinkwithwp.com/servicecatalog/.
- Choose the portfolio you want to decommission provisioned products from. In this blog post series, we choose
Training Portfolio
. - On the portfolio details page, locate the Portfolio ID and make note of it for later use.
Next, you need to set up the Lambda function which will terminate provisioned products from your portfolio.
Deploy the TerminateProvisionedProducts Lambda function
To terminate all products provisioned from a portfolio, you need to set up the TerminateProvisionedProducts
Lambda function. You can set up the Lambda function by running a CloudFormation template.
- Sign in to the AWS Management Console and go to the AWS CloudFormation console.
- Next, launch the CloudFormation stack by choosing the following Launch Stack link.
- Choose Next.
- On the Specify Details page, leave Stack Name as
TerminateSCProductsProvisioned
and type PortfolioID as thePortfolio ID
you noted in the preceding section. - Choose Next.
- On the Options page, choose Next.
- On the Review page, select the check-box displayed next to the following message.
- I acknowledge that AWS CloudFormation might create IAM resources.
- Choose Create. The CloudFormation template creates the Lambda function and an AWS Identity and Access Management (IAM) role to run the Lambda function.
- On the Stacks page, select
TerminateSCProductsProvisioned
stack. - In the detail pane, choose Outputs to view the output of your stack.
After CloudFormation successfully creates a stack, the Outputs tab displays the following result:
TerminateProvisionedProductsLambdaFunction
: Value displays the name of theTerminateProvisionedProducts
Lambda function. Note the same.
You will run the TerminateProvisionedProducts
Lambda function to decommission products provisioned from your portfolio.
Run the Lambda function
Next, run the TerminateProvisionedProducts
Lambda function. This Lambda function finds all products of the portfolio, and then for each product, it finds all provisioned products. Finally, it terminates all provisioned products found.
Warning
Do not run this Lambda function if you are sharing a product between portfolios. For each product in the portfolio, the Lambda function finds and terminates all provisioned products. Running this function on a portfolio that contains a product shared with another portfolio can lead to unexpected results such as inadvertently deleting the product provisioned from other portfolios.
To run the Lambda function do the following.
- Sign in to the AWS Management Console and select Lambda in the Services menu.
- Select Functions from the navigation pane.
- In the Functions pane, choose the name of the
TerminateProvisionedProducts
Lambda function you noted earlier. - Choose the Select a test event drop-down list then select Configure test events.
- On the Configure test event page, select Create new test event, specify the event name as
TerminateSCProducts
. - Leave the text in the editor as it is. The Lambda function does not require any input.
- Choose Create.
- Next, choose Test.
After the function executes, you will see the output containing a list of terminated provisioned products.
The AWS Service Catalog uses the role specified in the launch constraint to terminate the provisioned product. The Lambda function may not be able to clean-up resources if launch constraints are not properly configured and you would need to discover all resources that did not get cleaned up.
Discover resources that did not get cleaned-up
In this step, you will use Resource Groups to discover the resources associated with the portfolio decommissioned in the previous section. In this blog post series (see Part 1), we use Portfolio-Name
as the Key and Training Portfolio
as the Value. If you are cleaning-up some other portfolio, then use tag-option you created on the portfolio you decommissioned in the previous section.
- Sign in to the AWS Management Console. On the navigation bar, choose Resource Groups, and then under Classic groups, choose Create a classic Group.
- On the Create a resource group page, for Group name, type
Training Portfolio Resources
. - For Tags, choose an appropriate key in the first box. In the box, next to the first box, select an appropriate value.
- Choose Save.
- The console will list all the resources associated with the tag you provided. Review the items displayed in the navigation pane.
AWS Service Catalog associated the tag you specified during portfolio creation to all resources provisioned, this means that you can see the resources that did not get cleaned up with the Lambda function in the navigation pane. If you see any resources, clean them up manually.
Congratulations! You have successfully decommissioned all products provisioned from your portfolio.
Summary
This blog-post is Part two of a two-part series of blog posts. It shows how you can use AWS Lambda to decommission all products provisioned from a portfolio. The series shows how you can use AWS Service Catalog to control what your IAM users can launch, and Part two shares a sample Lambda function that cleans up products provisioned from a portfolio.
AWS Service Catalog allows you to centrally manage commonly deployed IT services, and helps you achieve consistent governance and meet your compliance requirements, while enabling you to quickly deploy only the approved IT services you need.
If you have questions about implementing the solution described in this post, start a new thread on the AWS Service Catalog Forum or contact AWS Support.
About the Author
Kanchan Waikar is an AWS Marketplace Solutions Architect at Amazon Web Services. She enjoys helping customers build architectures using AWS, AWS Marketplace products, and AWS Service Catalog.