awslabs / aws-service-catalog-puppet

This is a framework where you list your AWS accounts with tags and your AWS Service Catalog products with tags or target accounts. The framework works through your lists, dedupes and spots collisions and then provisions the products into your AWS accounts for you. It handles the Portfolio sharing, its acceptance and can provision products cross account and cross region.
Apache License 2.0

Product generation - duplicate portfolio's #446

Closed benjamingambley closed 2 years ago

benjamingambley commented 3 years ago

Hi @eamonnfaherty

Looking for some guidance on how to prevent a portfolio being duplicated in a spoke when using the import product generation method.

The code appears to create a local portfolio due to the ensure_porfolio call in the CreateSpokeLocalPortfolioTask regardless of whether copy or import is specified in the manifest.

This causes an issue with integrating to service now as we have duplicates appearing across spoke accounts.

eamonnfaherty commented 3 years ago

Hi @benjamingambley, thanks for reaching out.

When using spoke-local-portfolios the solution will create a portfolio in the spoke account and then either copy or import products from the hub portfolio of the same name. This is by design.

If you wanted to create a portfolio and share it with an org you can use factory on its own to create the portfolio and then manage the sharing and associations yourself. You could do this using lambda-invocations in puppet.

I would be happy to dive deeper into the issue you are seeing with SNOW integration. Are you able to share any details on this? I would be happy having a call if that helped.

benjamingambley commented 3 years ago


Hi Eamonn,

Thank you for the quick reply.

A call might be the simplest way forward so I can show the portfolio duplication and explain the snow integration - generally online till 2200 AEDT.

Chime would work well

Regards Ben

eamonnfaherty commented 3 years ago

Hi Ben

I have checked with one of the teams that support the ITSM connector for SNOW.

They have asked would you be able to confirm if you are using an admin user in SNOW. If so, would you be able to try with a non-admin user and see if the behaviour is the same. They have confirmed that admin users in SNOW see all portfolios (similar to how admins in AWS see all portfolios). They have also said that a regular user should see only the portfolios they have an association for.

Please let me know how you get on.

benjamingambley commented 3 years ago

Cheers Eamonn,

Thank you for the call last week - afterwards we had a second look at CloudTrail and believe the issue is due to the connector making calls to both servicecatalog:ListPortfolios and servicecatalog:ListAcceptedPortfolioShares; the latter shares call is followed by SearchProductsAsAdmin, which results in the double up in snow as it pulls back the imported portfolio.

ListPortfolios returns the portfolio/products with the association for the sync user correctly (local portfolio) - this has been defined permission-wise as per https://docs.aws.amazon.com/servicecatalog/latest/adminguide/baseline-permissions.html. It looks like the AWSServiceCatalogAdminReadOnlyAccess is the issue here.

We have added a deny to servicecatalog:ListAcceptedPortfolioShares, resynced from snow and no duplicates were observed - so we have a workaround. A few trade-offs over local/imported portfolios as noted during the call.

If the snow connector team exposed enabling ListAcceptedPortfolioShares as an option for the IAM account user it would help.

Ben
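As an added example (not from the issue thread or the aws-service-catalog-puppet project), the workaround above expressed as an IAM policy document, together with a minimal local model of IAM's explicit-deny-overrides-allow evaluation to show that the deny removes only ListAcceptedPortfolioShares and leaves ListPortfolios and SearchProductsAsAdmin usable. The READ_ONLY_STAND_IN statement is an assumption standing in for the managed AWSServiceCatalogAdminReadOnlyAccess policy, not its real contents.

```python
import fnmatch

# Workaround from the issue: an explicit Deny on the call that the SNOW
# connector follows up with SearchProductsAsAdmin, pulling in the imported
# portfolio a second time. Attach this beside the read-only managed policy.
DENY_ACCEPTED_SHARES_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "HideImportedPortfoliosFromConnector",
        "Effect": "Deny",
        "Action": "servicecatalog:ListAcceptedPortfolioShares",
        "Resource": "*",
    }],
}

# Assumption: a constructed stand-in for AWSServiceCatalogAdminReadOnlyAccess
# attached to the connector's IAM user; the real managed policy is not copied.
READ_ONLY_STAND_IN = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["servicecatalog:List*", "servicecatalog:Search*",
                   "servicecatalog:Describe*"],
        "Resource": "*",
    }],
}


def _matches(statement, action):
    actions = statement["Action"]
    patterns = [actions] if isinstance(actions, str) else actions
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def is_allowed(policies, action):
    """Simplified identity-policy evaluation: any matching explicit Deny wins,
    otherwise a matching Allow permits, otherwise implicit deny.
    Resource ARNs and Condition blocks are deliberately not modelled."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def connector_view(policies):
    """Outcome for the three calls the issue observed in CloudTrail."""
    calls = ["servicecatalog:ListPortfolios",
             "servicecatalog:ListAcceptedPortfolioShares",
             "servicecatalog:SearchProductsAsAdmin"]
    return {call: is_allowed(policies, call) for call in calls}
```

Running connector_view([READ_ONLY_STAND_IN, DENY_ACCEPTED_SHARES_POLICY]) shows only ListAcceptedPortfolioShares flipping to False; dropping the deny policy from the list shows all three allowed, which is the state that produced the duplicates.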