Manages a Service Catalog Constraint.

resource "aws_servicecatalog_constraint" "example" {
  description  = "Back off, man. I'm a scientist."
  portfolio_id = aws_servicecatalog_portfolio.example.id
  product_id   = aws_servicecatalog_product.example.id
  type         = "LAUNCH"

  parameters = jsonencode({
    "RoleArn" : "arn:aws:iam::123456789012:role/LaunchRole"
  })
}

The following arguments are required:

parameters - (Required) Constraint parameters in JSON format. The syntax depends on the constraint type. See details below.
portfolio_id - (Required) Portfolio identifier.
product_id - (Required) Product identifier.
type - (Required) Type of constraint. Valid values are LAUNCH, NOTIFICATION, RESOURCE_UPDATE, STACKSET, and TEMPLATE.

The following arguments are optional:

accept_language - (Optional) Language code. Valid values: en (English), jp (Japanese), zh (Chinese). Default value is en.
description - (Optional) Description of the constraint.

parameters

The type you specify determines what must be included in the parameters JSON:

LAUNCH: You are required to specify either the RoleArn or the LocalRoleName but can't use both. If you specify the LocalRoleName property, when an account uses the launch constraint, the IAM role with that name in the account will be used. This allows launch-role constraints to be account-agnostic so the administrator can create fewer resources per shared account. The given role name must exist in the account used to create the launch constraint and the account of the user who launches a product with this launch constraint. You cannot have both a LAUNCH and a STACKSET constraint. You also cannot have more than one LAUNCH constraint on an aws_servicecatalog_product and aws_servicecatalog_portfolio. Specify the RoleArn and LocalRoleName properties as follows:

{ "RoleArn" : "arn:aws:iam::123456789012:role/LaunchRole" }
{ "LocalRoleName" : "SCBasicLaunchRole" }

NOTIFICATION: Specify the NotificationArns property as follows:

{ "NotificationArns" : ["arn:aws:sns:us-east-1:123456789012:Topic"] }

RESOURCE_UPDATE: Specify the TagUpdatesOnProvisionedProduct property as follows. The TagUpdatesOnProvisionedProduct property accepts a string value of ALLOWED or NOT_ALLOWED.

{ "Version" : "2.0", "Properties" : { "TagUpdateOnProvisionedProduct" : "String" } }

STACKSET: Specify the Parameters property as follows. You cannot have both a LAUNCH and a STACKSET constraint. You also cannot have more than one STACKSET constraint on an aws_servicecatalog_product and aws_servicecatalog_portfolio. Products with a STACKSET constraint will launch an AWS CloudFormation stack set.

{ "Version" : "String", "Properties" : { "AccountList" : [ "String" ], "RegionList" : [ "String" ], "AdminRole" : "String", "ExecutionRole" : "String" } }

TEMPLATE: Specify the Rules property. For more information, see Template Constraint Rules.

This resource exports the following attributes in addition to the arguments above:

id - Constraint identifier.
owner - Owner of the constraint.

Timeouts:

create - (Default 3m)
read - (Default 10m)
update - (Default 3m)
delete - (Default 3m)

In Terraform v1.5.0 and later, use an import block to import aws_servicecatalog_constraint using the constraint ID. For example:

import {
  to = aws_servicecatalog_constraint.example
  id = "cons-nmdkb6cgxfcrs"
}

Using terraform import, import aws_servicecatalog_constraint using the constraint ID. For example:

% terraform import aws_servicecatalog_constraint.example cons-nmdkb6cgxfcrs
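
The rules in the parameters section (exactly one of RoleArn or LocalRoleName for LAUNCH, no LAUNCH together with STACKSET, at most one of each per product and portfolio) can be checked before apply. This is an added example, not part of the provider documentation: it reads the structure produced by terraform show -json, assumes the constraints sit in the root module with portfolio and product IDs known at plan time, and uses hypothetical helper names (check_constraints, _res) and constructed sample data with placeholder IDs.

```python
import json
from collections import defaultdict

VALID_TYPES = {"LAUNCH", "NOTIFICATION", "RESOURCE_UPDATE", "STACKSET", "TEMPLATE"}

def check_constraints(plan):
    """Return findings for aws_servicecatalog_constraint resources in a plan."""
    findings = []
    by_pair = defaultdict(list)  # (portfolio_id, product_id) -> constraint types
    for res in plan["planned_values"]["root_module"]["resources"]:
        if res["type"] != "aws_servicecatalog_constraint":
            continue
        addr, v = res["address"], res["values"]
        if v["type"] not in VALID_TYPES:
            findings.append(f"{addr}: invalid type {v['type']!r}")
            continue
        by_pair[(v["portfolio_id"], v["product_id"])].append(v["type"])
        if v["type"] == "LAUNCH":
            # Exactly one of RoleArn / LocalRoleName must be present.
            params = json.loads(v["parameters"])
            given = [k for k in ("RoleArn", "LocalRoleName") if params.get(k)]
            if len(given) != 1:
                findings.append(f"{addr}: LAUNCH needs exactly one of "
                                f"RoleArn or LocalRoleName, found {given}")
    for pair, types in sorted(by_pair.items()):
        for t in ("LAUNCH", "STACKSET"):
            if types.count(t) > 1:
                findings.append(f"{pair}: more than one {t} constraint")
        if "LAUNCH" in types and "STACKSET" in types:
            findings.append(f"{pair}: LAUNCH and STACKSET cannot be combined")
    return findings

def _res(name, ctype, params, portfolio, product):
    """Build one constructed plan entry (IDs are placeholders)."""
    return {"address": f"aws_servicecatalog_constraint.{name}",
            "type": "aws_servicecatalog_constraint",
            "values": {"type": ctype, "portfolio_id": portfolio,
                       "product_id": product, "parameters": json.dumps(params)}}

ROLE = "arn:aws:iam::123456789012:role/LaunchRole"  # ARN from the page's example
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    _res("ok", "LAUNCH", {"RoleArn": ROLE}, "port-A", "prod-A"),
    _res("both", "LAUNCH", {"RoleArn": ROLE, "LocalRoleName": "SCBasicLaunchRole"},
         "port-B", "prod-B"),
    _res("stackset", "STACKSET", {"Version": "String", "Properties": {}},
         "port-A", "prod-A"),
]}}}

if __name__ == "__main__":
    for finding in check_constraints(SAMPLE_PLAN):
        print(finding)
```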