(servicecatalog): ProductStack does not support Assets
Describe the feature
The feature is an improvement to the existing ProductStack construct to add support for the use of asset files.
Use Case
I’m always frustrated as a Service Catalog administrator when I try to add a Lambda function to my ProductStack in CDK because I want to reference my Lambda code from an asset file, and CDK throws an error when I attempt to synthesize this. This limitation means that I’m unable to make use of ProductStack when I want to create a Service Catalog product consisting of Lambdas that run large amounts of code. This is an example of a product which I would like to deploy to Service Catalog and share with end users across AWS accounts:
```ts
import * as path from 'path';
import { Construct } from 'constructs';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import * as apigw from 'aws-cdk-lib/aws-apigateway';
import * as sc from 'aws-cdk-lib/aws-servicecatalog';

class ServerlessProduct extends sc.ProductStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // Defines an AWS Lambda resource whose code is loaded from a local asset directory
    const myHandler = new lambda.Function(this, 'Handler', {
      runtime: lambda.Runtime.NODEJS_14_X,
      code: lambda.Code.fromAsset(path.join(__dirname, 'handler')),
      handler: 'index.handler',
    });

    // Defines an API Gateway REST API resource backed by the handler function
    new apigw.LambdaRestApi(this, 'Endpoint', {
      handler: myHandler,
    });
  }
}
```
cdk synth
Error thrown: Service Catalog Product Stacks cannot use Assets
Proposed Solution
Design as of 6/9/22 by @wanjacki, @mackalex
Currently, CDK vends an asset bucket during bootstrap-time to the customer’s AWS account. This bucket can be used successfully for enabling file asset support in ProductStack with CFN outputs from the parent stack for both the S3 bucket name and object key. The major issue with this approach is that when sharing a Service Catalog portfolio across accounts, a product that makes use of file assets cannot be provisioned since the parent stack with the aforementioned outputs does not exist in the end-user account.
To solve this, we could implement the usage of a bespoke S3 Bucket to contain asset files from assets used in a Service Catalog ProductStack. The bucket could exist at the Service Catalog Portfolio level which is instantiated in a ProductStack’s parent stack. A bespoke bucket for this use case allows us to control the naming of the bucket as well as its permissions. Controlling the bucket name is important, especially at synth-time, since this will be referenced by resources that use assets, such as a Lambda function which references Python code stored in an asset file in the S3 bucket. Controlling permissions on a bucket which contains assets is important within the framework of Service Catalog since the administrator of a Service Catalog portfolio shares this portfolio across AWS accounts with end users who make use of products which reference asset files.
Other Information
Additional design considerations: We have considered making use of the bootstrap bucket which CDK vends to customers to hold assets used by resources in a ProductStack. This presents issues with cross-account sharing of Service Catalog portfolios since the assets bucket would require permissions for the end-user account to access an asset file used by a Provisioned Product, and appending permissions to an existing S3 bucket policy is nearly infeasible without overwriting the bucket policy. This is not a desirable experience, especially when the bucket policy being overwritten would be the bootstrap bucket used by many components of CDK.
Related issues: https://github.com/aws/aws-cdk/issues/20361
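The proposal above rests on two properties of the bespoke bucket: a name that is known at synth time, and a resource policy the administrator controls so that only the end-user accounts the portfolio is shared with can read the asset objects (rather than widening the policy of the shared bootstrap bucket). The following is an added example, not code from this issue or from the aws-cdk project, written in plain TypeScript with no CDK dependency: it derives a deterministic bucket name and builds the least-privilege policy document for that bucket. The portfolio id, account ids and asset prefix are constructed placeholders, and attaching the document from a CDK construct (for example through `bucket.addToResourcePolicy()`) is assumed rather than shown.

```typescript
// Added example (not from the CDK issue or the aws-cdk project). Builds the
// bucket name and resource policy for a bespoke Service Catalog asset bucket.
// Plain TypeScript, no CDK dependency; in a CDK app the statements would be
// attached to the bucket construct (assumed wiring, not shown here).

interface AssetBucketPolicyInput {
  bucketName: string;           // deterministic, synth-time bucket name
  assetPrefix: string;          // key prefix under which asset files are written
  consumerAccountIds: string[]; // AWS accounts the portfolio is shared with
}

interface PolicyStatement {
  Sid: string;
  Effect: 'Allow' | 'Deny';
  Principal: { AWS: string[] } | '*';
  Action: string[];
  Resource: string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: PolicyStatement[];
}

const ACCOUNT_ID = /^\d{12}$/;
// S3 naming rules relevant here: 3-63 chars, lowercase letters, digits, dots
// and hyphens, starting and ending with a letter or digit.
const BUCKET_NAME = /^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$/;

// Derive a predictable name so resources that reference asset objects (e.g. a
// Lambda code location) can be rendered at synth time, as the design requires.
function assetBucketName(portfolioId: string, account: string, region: string): string {
  const name = `sc-assets-${portfolioId}-${account}-${region}`.toLowerCase();
  if (!BUCKET_NAME.test(name) || name.includes('..')) {
    throw new Error(`derived bucket name is not a valid S3 bucket name: ${name}`);
  }
  return name;
}

// Least-privilege resource policy: the consumer accounts may only read objects
// under the asset prefix and list that prefix; nothing is granted to "*".
function assetBucketPolicy(input: AssetBucketPolicyInput): PolicyDocument {
  const bad = input.consumerAccountIds.filter(id => !ACCOUNT_ID.test(id));
  if (bad.length > 0) throw new Error(`invalid AWS account ids: ${bad.join(', ')}`);
  if (input.consumerAccountIds.length === 0) throw new Error('no consumer accounts given');

  const prefix = input.assetPrefix.replace(/^\/+|\/+$/g, '');
  const bucketArn = `arn:aws:s3:::${input.bucketName}`;
  const roots = input.consumerAccountIds.map(id => `arn:aws:iam::${id}:root`);

  return {
    Version: '2012-10-17',
    Statement: [
      {
        Sid: 'AllowConsumerAccountsReadAssets',
        Effect: 'Allow',
        Principal: { AWS: roots },
        Action: ['s3:GetObject', 's3:GetObjectVersion'],
        Resource: [`${bucketArn}/${prefix}/*`],
      },
      {
        Sid: 'AllowConsumerAccountsListAssetPrefix',
        Effect: 'Allow',
        Principal: { AWS: roots },
        Action: ['s3:ListBucket'],
        Resource: [bucketArn],
        Condition: { StringLike: { 's3:prefix': [`${prefix}/*`] } },
      },
      {
        Sid: 'DenyInsecureTransport',
        Effect: 'Deny',
        Principal: '*',
        Action: ['s3:*'],
        Resource: [bucketArn, `${bucketArn}/*`],
        Condition: { Bool: { 'aws:SecureTransport': 'false' } },
      },
    ],
  };
}

// Guard to run before attaching a policy: an asset bucket shared with specific
// accounts must never carry an Allow for anonymous or wildcard principals.
function grantsToAnyone(doc: PolicyDocument): boolean {
  return doc.Statement.some(s =>
    s.Effect === 'Allow' && (s.Principal === '*' || s.Principal.AWS.includes('*')));
}

// Constructed sample values for a stand-alone run.
const sampleBucket = assetBucketName('port-abc', '111111111111', 'us-east-1');
const samplePolicy = assetBucketPolicy({
  bucketName: sampleBucket,
  assetPrefix: '/assets/',
  consumerAccountIds: ['222222222222'],
});
if (!grantsToAnyone(samplePolicy)) {
  console.log(JSON.stringify(samplePolicy, null, 2));
}
```

The two Allow statements are scoped to the asset prefix rather than the whole bucket, so the same bucket can later hold other portfolio material without exposing it to consumer accounts, and the Deny statement keeps asset downloads on TLS. Because the bucket is dedicated to the portfolio, its policy can be set wholesale at creation instead of being merged into the bootstrap bucket's existing policy, which is the overwrite problem the design notes call out.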
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
CDK version used
2.24.1 (build 585f9ca)
Environment details (OS name and version, etc.)
macOS Big Sur Version 11.6.5 (20G527)
Issue Analytics
- State:
- Created a year ago
- Reactions: 6
- Comments: 13 (6 by maintainers)
Top GitHub Comments
@bendudz We are looking at having a PR out by end of July and merged by mid August.
Edit/Update: We are shooting for end of September now (we are getting a lot of requests for this, so we are definitely prioritizing this as much as we can).
Well we got an approval from CDK team so hopefully we can get that merged and close this issue soon. End of year should be possible.