After you add products to a product portfolio, you can configure launch constraints for the products. Launch constraints include the required permissions to launch products. You can use the launch constraints to authorize end users to launch products. This way, you do not need to separately grant management permissions on multiple product instances to each end user. This simplifies authorization.

Prerequisites

Background information

After a launch constraint is created for a product, the constraint takes effect on all versions of the product. When an end user launches the product, the end user can select a product version based on business requirements.

In a product portfolio, a constraint is created for a single product. If end users want to launch all products in the product portfolio, you must create a constraint for each product.

Step 1: Create a launch role and grant permissions to the launch role

Before you create a constraint for a product, you must create a launch role to launch the product. The launch role must be granted the following permissions:

  • The management permissions on Resource Orchestration Service (ROS). You can use the AliyunROSFullAccess policy to grant the permissions.
  • The management permissions on the resources that are defined in the Terraform template. The template is used to create the product.

In this topic, the create_ecs template is used as an example. The create_ecs template is used to create an Elastic Compute Service (ECS) instance. The create_ecs template defines ECS and Virtual Private Cloud (VPC) resources. You must grant the launch role the management permissions on ECS (AliyunECSFullAccess) and the management permissions on VPC (AliyunVPCFullAccess).

  1. Log on to the RAM console.
  2. Create a RAM role named TerraformExecutionRole whose trusted entity is Service Catalog.
  3. Attach the following system policies to the RAM role.
    Policy              | Description
    AliyunROSFullAccess | Grants the RAM role the management permissions on Resource Orchestration Service (ROS). The policy can be used to create a stack when the RAM role launches the product.
    AliyunECSFullAccess | Grants the RAM role the management permissions on ECS. The policy can be used to create an ECS instance when the RAM role launches the product.
    AliyunVPCFullAccess | Grants the RAM role the management permissions on VPC. The policy can be used to create a VPC when the RAM role launches the product.
    For more information, see Grant permissions to a RAM role.
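The following script is an added example that is not part of the original page or of the Service Catalog product. It performs Step 1 with the Alibaba Cloud CLI (aliyun) instead of the RAM console, so the launch role and its policies are created the same way every time and can be reviewed before they are applied. It assumes the CLI is installed and configured with an identity that may call ram:CreateRole, ram:AttachPolicyToRole and ram:ListPoliciesForRole; the Service Catalog service principal name (SC_SERVICE_PRINCIPAL) is an assumption that should be confirmed against the trust policy the RAM console generates when you pick Service Catalog as the trusted entity. Because end users act with this role's permissions whenever they launch the product, the policy list in required_launch_policies is the boundary of what a launched product can create; the FullAccess policies match the page's create_ecs example, and a narrower custom policy can be substituted there for templates that need less.

```shell
#!/bin/sh
# Added example (not from the original page): scripts Step 1 with the Alibaba
# Cloud CLI. Assumptions: aliyun is configured with an identity allowed to call
# ram:CreateRole, ram:AttachPolicyToRole and ram:ListPoliciesForRole; the
# Service Catalog service principal name below is an assumption to confirm
# against the trust policy the RAM console generates.
ROLE_NAME="TerraformExecutionRole"
SC_SERVICE_PRINCIPAL="servicecatalog.aliyuncs.com"   # assumption, see lead-in

# Trust policy: only the Service Catalog service may assume the launch role.
# No RAM user or other account is listed, so end users never hold the role directly.
launch_role_trust_policy() {
  cat <<EOF
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": { "Service": [ "$SC_SERVICE_PRINCIPAL" ] }
    }
  ]
}
EOF
}

# System policies the page requires for the create_ecs template: ROS to run the
# stack, plus ECS and VPC for the resources the template defines. Change this
# list when a different template needs a different set of resources.
required_launch_policies() {
  printf '%s\n' AliyunROSFullAccess AliyunECSFullAccess AliyunVPCFullAccess
}

create_launch_role() {
  aliyun ram CreateRole \
    --RoleName "$ROLE_NAME" \
    --Description "Launch role for Service Catalog products" \
    --AssumeRolePolicyDocument "$(launch_role_trust_policy)"
}

attach_launch_policies() {
  for policy in $(required_launch_policies); do
    aliyun ram AttachPolicyToRole \
      --PolicyType System \
      --PolicyName "$policy" \
      --RoleName "$ROLE_NAME"
  done
}

# Post-check: every required policy must appear among the role's attached policies.
verify_launch_role() {
  attached=$(aliyun ram ListPoliciesForRole --RoleName "$ROLE_NAME")
  for policy in $(required_launch_policies); do
    if ! printf '%s' "$attached" | grep -q "\"$policy\""; then
      echo "missing policy on $ROLE_NAME: $policy" >&2
      return 1
    fi
  done
  echo "launch role $ROLE_NAME has all required policies"
}

# Run as: sh launch_role.sh apply   (sourcing the file only defines the functions)
case "${1:-}" in
  apply) create_launch_role && attach_launch_policies && verify_launch_role ;;
esac
```

The verify_launch_role step is the check worth keeping in any automation: a role that exists but is missing AliyunROSFullAccess fails only later, when an end user launches the product and the stack cannot be created.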

Step 2: Create a launch constraint

  1. Log on to the Service Catalog console as the administrator.
  2. In the left-side navigation pane, choose Administrator > Portfolio management.
  3. On the Portfolio management page, click the name of the product portfolio in which you want to create a constraint.
  4. Click the Constraints tab, and then click Create constraint.
  5. On the Create constraint page, configure the parameters.
    1. Select a product from the Products drop-down list.
    2. In the Constraint description field, enter a description for the launch constraint.
    3. In the Constraint type section, select Launch Constraint.
    4. From the The RAM role used to start drop-down list, select the RAM role that you created in Step 1: Create a launch role and grant permissions to the launch role.
  6. Click Confirm.