Resource: awsServicecatalogConstraint

Manages a Service Catalog Constraint.

NOTE: This resource does not associate a Service Catalog product and portfolio. However, the product and portfolio must be associated (see the awsServicecatalogProductPortfolioAssociation resource) prior to creating a constraint or you will receive an error.

Example Usage

Basic Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.servicecatalogConstraint.ServicecatalogConstraint(this, "example", {
  description: "Back off, man. I'm a scientist.",
  parameters:
    '${jsonencode({\n    "RoleArn" : "arn:aws:iam::123456789012:role/LaunchRole"\n  })}',
  portfolioId: "${aws_servicecatalog_portfolio.example.id}",
  productId: "${aws_servicecatalog_product.example.id}",
  type: "LAUNCH",
});

Argument Reference

The following arguments are required:

  • parameters - (Required) Constraint parameters in JSON format. The syntax depends on the constraint type. See details below.
  • portfolioId - (Required) Portfolio identifier.
  • productId - (Required) Product identifier.
  • type - (Required) Type of constraint. Valid values are LAUNCH, NOTIFICATION, RESOURCE_UPDATE, STACKSET, and TEMPLATE.

The following arguments are optional:

  • acceptLanguage - (Optional) Language code. Valid values: en (English), jp (Japanese), zh (Chinese). Default value is en.
  • description - (Optional) Description of the constraint.

parameters

The type you specify determines what must be included in the parameters JSON:

  • LAUNCH: You are required to specify either RoleArn or LocalRoleName, but you can't use both. If you specify the LocalRoleName property, then when an account uses the launch constraint, the IAM role with that name in the account will be used. This allows launch-role constraints to be account-agnostic so the administrator can create fewer resources per shared account. The given role name must exist in the account used to create the launch constraint and in the account of the user who launches a product with this launch constraint. You cannot have both a LAUNCH and a STACKSET constraint. You also cannot have more than one LAUNCH constraint on an awsServicecatalogProduct and awsServicecatalogPortfolio. Specify the RoleArn and LocalRoleName properties as follows:
{ "RoleArn" : "arn:aws:iam::123456789012:role/LaunchRole" }
{ "LocalRoleName" : "SCBasicLaunchRole" }
  • NOTIFICATION: Specify the NotificationArns property as follows:
{ "NotificationArns" : ["arn:aws:sns:us-east-1:123456789012:Topic"] }
  • RESOURCE_UPDATE: Specify the TagUpdateOnProvisionedProduct property as follows. The TagUpdateOnProvisionedProduct property accepts a string value of ALLOWED or NOT_ALLOWED.
{ "Version" : "2.0","Properties" :{ "TagUpdateOnProvisionedProduct" : "String" }}
  • STACKSET: Specify the Parameters property as follows. You cannot have both a LAUNCH and a STACKSET constraint. You also cannot have more than one STACKSET constraint on an awsServicecatalogProduct and awsServicecatalogPortfolio. Products with a STACKSET constraint will launch an AWS CloudFormation stack set.
{ "Version" : "String", "Properties" : { "AccountList" : [ "String" ], "RegionList" : [ "String" ], "AdminRole" : "String", "ExecutionRole" : "String" }}
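
The per-type rules above can be checked before synth or deploy, so that a malformed launch role or stack set definition fails in review rather than at apply time. The following is an added example, not part of the provider or its generated bindings: validateConstraintParameters is a hypothetical helper, and treating lists as non-empty and all four STACKSET properties as required are assumptions drawn from the JSON shapes shown above.

```typescript
// Added example: checks a `parameters` JSON string against the per-type rules on this page.
type ConstraintType = "LAUNCH" | "NOTIFICATION" | "RESOURCE_UPDATE" | "STACKSET";

// Hypothetical helper (not a provider API). Returns a list of problems; empty means valid.
function validateConstraintParameters(type: ConstraintType, parametersJson: string): string[] {
  let doc: Record<string, unknown>;
  try {
    const parsed: unknown = JSON.parse(parametersJson);
    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
      return ["parameters must be a JSON object"];
    }
    doc = parsed as Record<string, unknown>;
  } catch (_e) {
    return ["parameters is not valid JSON"];
  }
  const errors: string[] = [];
  const isStr = (v: unknown): boolean => typeof v === "string" && v.length > 0;
  // Assumption: an empty list is treated as a mistake.
  const isStrList = (v: unknown): boolean => Array.isArray(v) && v.length > 0 && v.every(isStr);
  const rawProps = doc["Properties"];
  const props = (typeof rawProps === "object" && rawProps !== null ? rawProps : {}) as Record<string, unknown>;

  switch (type) {
    case "LAUNCH": {
      // Exactly one of RoleArn / LocalRoleName: both set or both missing is an error.
      if (isStr(doc["RoleArn"]) === isStr(doc["LocalRoleName"])) {
        errors.push("specify exactly one of RoleArn or LocalRoleName");
      }
      break;
    }
    case "NOTIFICATION":
      if (!isStrList(doc["NotificationArns"])) errors.push("NotificationArns must be a non-empty list of strings");
      break;
    case "RESOURCE_UPDATE": {
      const v = props["TagUpdateOnProvisionedProduct"];
      if (v !== "ALLOWED" && v !== "NOT_ALLOWED") {
        errors.push("TagUpdateOnProvisionedProduct must be ALLOWED or NOT_ALLOWED");
      }
      break;
    }
    case "STACKSET":
      // Assumption: all four properties from the shape above are required.
      for (const k of ["AccountList", "RegionList"]) {
        if (!isStrList(props[k])) errors.push(`${k} must be a non-empty list of strings`);
      }
      for (const k of ["AdminRole", "ExecutionRole"]) {
        if (!isStr(props[k])) errors.push(`${k} must be a string`);
      }
      break;
  }
  return errors;
}
```
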

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - Constraint identifier.
  • owner - Owner of the constraint.

Timeouts

Configuration options:

  • create - (Default 3M)
  • read - (Default 10M)
  • update - (Default 3M)
  • delete - (Default 3M)

Import

awsServicecatalogConstraint can be imported using the constraint ID, e.g.,

$ terraform import aws_servicecatalog_constraint.example cons-nmdkb6cgxfcrs