feat(client-service-catalog): This release 1. adds support for Princi…
…pal Name Sharing with Service Catalog portfolio sharing. 2. Introduces repo sourced products which are created and managed with existing SC APIs. These products are synced to external repos and auto create new product versions based on changes in the repo.
awstools committed Nov 18, 2022
1 parent 59b8b63 commit 9f5ff1d
Showing 12 changed files with 1,686 additions and 791 deletions.
4 changes: 2 additions & 2 deletions clients/client-service-catalog/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,10 @@

AWS SDK for JavaScript ServiceCatalog Client for Node.js, Browser and React Native.

<fullname>AWS Service Catalog</fullname>
<fullname>Service Catalog</fullname>

<p>
<a href="https://aws.amazon.com/servicecatalog/">Service Catalog</a> enables
<a href="http://aws.amazon.com/servicecatalog">Service Catalog</a> enables
organizations to create and manage catalogs of IT services that are approved for Amazon Web Services. To
get the most out of this documentation, you should be familiar with the terminology
discussed in <a href="http://docs.aws.amazon.com/servicecatalog/latest/adminguide/what-is_concepts.html">Service Catalog
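Review bot: the Service Catalog product link in this README hunk goes from `https://aws.amazon.com/servicecatalog/` to `http://aws.amazon.com/servicecatalog`, which downgrades a documentation link from HTTPS to plain HTTP. Keep the `https://` scheme in the new `<a href>`; the same substitution appears in the class doc comments of ServiceCatalog.ts and ServiceCatalogClient.ts in this commit.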
Expand Down
65 changes: 55 additions & 10 deletions clients/client-service-catalog/src/ServiceCatalog.ts
Original file line number Diff line number Diff line change
Expand Up @@ -435,9 +435,9 @@ import {
import { ServiceCatalogClient } from "./ServiceCatalogClient";

/**
* <fullname>AWS Service Catalog</fullname>
* <fullname>Service Catalog</fullname>
* <p>
* <a href="https://aws.amazon.com/servicecatalog/">Service Catalog</a> enables
* <a href="http://aws.amazon.com/servicecatalog">Service Catalog</a> enables
* organizations to create and manage catalogs of IT services that are approved for Amazon Web Services. To
* get the most out of this documentation, you should be familiar with the terminology
* discussed in <a href="http://docs.aws.amazon.com/servicecatalog/latest/adminguide/what-is_concepts.html">Service Catalog
Expand Down Expand Up @@ -510,6 +510,22 @@ export class ServiceCatalog extends ServiceCatalogClient {

/**
* <p>Associates the specified principal ARN with the specified portfolio.</p>
* <p>If you share the portfolio with principal name sharing enabled, the <code>PrincipalARN</code> association is
* included in the share. </p>
* <p>The <code>PortfolioID</code>, <code>PrincipalARN</code>, and <code>PrincipalType</code> parameters are
* required. </p>
* <p>You can associate a maximum of 10 Principals with a portfolio using <code>PrincipalType</code> as <code>IAM_PATTERN</code>
* </p>
*
* <note>
* <p>When you associate a principal with portfolio, a potential privilege escalation path may occur when that portfolio is
* then shared with other accounts. For a user in a recipient account who is <i>not</i> an Service Catalog Admin,
* but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal
* name association for the portfolio. Although this user may not know which principal names are associated through
* Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then
* Service Catalog recommends using <code>PrincipalType</code> as <code>IAM</code>. With this configuration,
* the <code>PrincipalARN</code> must already exist in the recipient account before it can be associated. </p>
* </note>
*/
public associatePrincipalWithPortfolio(
args: AssociatePrincipalWithPortfolioCommandInput,
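Review bot: in the `<note>` added to `associatePrincipalWithPortfolio`, "they may be able to guess the user" names the wrong object. What a user in the recipient account would have to guess is the principal name in the association, since the preceding sentence is about creating a role "that matches a principal name association". Suggest "they may be able to guess the name", and "a Service Catalog Admin" instead of "an Service Catalog Admin". The note also never states which `PrincipalType` opens the path; saying so directly would tell callers when the `IAM` recommendation applies.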
Expand Down Expand Up @@ -814,7 +830,18 @@ export class ServiceCatalog extends ServiceCatalogClient {
* <p>
* <code>AWSOrganizationsAccess</code> must be enabled in order to create a portfolio share to an organization node.</p>
* <p>You can't share a shared resource, including portfolios that contain a shared product.</p>
* <p>If the portfolio share with the specified account or organization node already exists, this action will have no effect and will not return an error. To update an existing share, you must use the <code> UpdatePortfolioShare</code> API instead.</p>
* <p>If the portfolio share with the specified account or organization node already exists, this action will have no effect
* and will not return an error. To update an existing share, you must use the <code> UpdatePortfolioShare</code> API instead. </p>
*
* <note>
* <p>When you associate a principal with portfolio, a potential privilege escalation path may occur when that portfolio is
* then shared with other accounts. For a user in a recipient account who is <i>not</i> an Service Catalog Admin,
* but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal
* name association for the portfolio. Although this user may not know which principal names are associated through
* Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then
* Service Catalog recommends using <code>PrincipalType</code> as <code>IAM</code>. With this configuration,
* the <code>PrincipalARN</code> must already exist in the recipient account before it can be associated. </p>
* </note>
*/
public createPortfolioShare(
args: CreatePortfolioShareCommandInput,
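Review bot: the `<note>` added to `createPortfolioShare` is the association note verbatim and opens with "When you associate a principal with portfolio", so it does not tell a caller of this operation which share setting puts them on the escalation path. Since the path arises "when that portfolio is then shared with other accounts", say here that it applies to shares created with principal sharing enabled, and name the request field that enables it.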
Expand Down Expand Up @@ -1906,6 +1933,13 @@ export class ServiceCatalog extends ServiceCatalogClient {
/**
* <p>Disassociates a previously associated principal ARN from a specified
* portfolio.</p>
* <p>The <code>PrincipalType</code> and <code>PrincipalARN</code> must match the
* <code>AssociatePrincipalWithPortfolio</code> call request details. For example,
* to disassociate an association created with a <code>PrincipalARN</code> of <code>PrincipalType</code>
* IAM you must use the <code>PrincipalType</code> IAM when calling <code>DisassociatePrincipalFromPortfolio</code>. </p>
* <p>For portfolios that have been shared with principal name sharing enabled: after disassociating a principal,
* share recipient accounts will no longer be able to provision products in this portfolio using a role matching the name
* of the associated principal. </p>
*/
public disassociatePrincipalFromPortfolio(
args: DisassociatePrincipalFromPortfolioCommandInput,
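Review bot: the new paragraph on `disassociatePrincipalFromPortfolio` requires `PrincipalType` and `PrincipalARN` to "match the `AssociatePrincipalWithPortfolio` call request details" but does not say what the call does when they do not match. Because this is the operation used to revoke access, document whether a mismatched `PrincipalType` returns an error or succeeds without removing anything, so a caller cannot assume an association is gone when it is not.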
Expand Down Expand Up @@ -2211,17 +2245,17 @@ export class ServiceCatalog extends ServiceCatalogClient {
}

/**
* <p>Requests the import of a resource as a Amazon Web Services Service Catalog provisioned product that is
* associated to a Amazon Web Services Service Catalog product and provisioning artifact. Once imported, all
* supported Amazon Web Services Service Catalog governance actions are supported on the provisioned
* <p>Requests the import of a resource as an Service Catalog provisioned product that is
* associated to an Service Catalog product and provisioning artifact. Once imported, all
* supported Service Catalog governance actions are supported on the provisioned
* product.</p>
* <p>Resource import only supports CloudFormation stack ARNs. CloudFormation StackSets and
* non-root nested stacks are not supported.</p>
* <p>The CloudFormation stack must have one of the following statuses to be imported:
* <code>CREATE_COMPLETE</code>, <code>UPDATE_COMPLETE</code>, <code>UPDATE_ROLLBACK_COMPLETE</code>, <code>IMPORT_COMPLETE</code>,
* <code>IMPORT_ROLLBACK_COMPLETE</code>.</p>
* <p>Import of the resource requires that the CloudFormation stack template matches the
* associated Amazon Web Services Service Catalog product provisioning artifact. </p>
* associated Service Catalog product provisioning artifact. </p>
*
* <p>The user or role that performs this operation must have the <code>cloudformation:GetTemplate</code>
* and <code>cloudformation:DescribeStacks</code> IAM policy permissions. </p>
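Review bot: the rename in the `importAsProvisionedProduct` comment leaves "an Service Catalog provisioned product" and "an Service Catalog product". With "Amazon Web Services" dropped from the name, the article should be "a" in both places.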
Expand Down Expand Up @@ -2520,7 +2554,7 @@ export class ServiceCatalog extends ServiceCatalogClient {
}

/**
* <p>Lists all principal ARNs associated with the specified portfolio.</p>
* <p>Lists all <code>PrincipalARN</code>s and corresponding <code>PrincipalType</code>s associated with the specified portfolio.</p>
*/
public listPrincipalsForPortfolio(
args: ListPrincipalsForPortfolioCommandInput,
Expand Down Expand Up @@ -3156,15 +3190,26 @@ export class ServiceCatalog extends ServiceCatalogClient {
}

/**
* <p>Updates the specified portfolio share. You can use this API to enable or disable TagOptions sharing for an existing portfolio share. </p>
* <p>Updates the specified portfolio share. You can use this API to enable or disable <code>TagOptions</code> sharing
* or Principal sharing for an existing portfolio share. </p>
*
* <p>The portfolio share cannot be updated if the <code> CreatePortfolioShare</code> operation is <code>IN_PROGRESS</code>, as the share is not available to recipient entities. In this case, you must wait for the portfolio share to be COMPLETED.</p>
* <p>The portfolio share cannot be updated if the <code>CreatePortfolioShare</code> operation is <code>IN_PROGRESS</code>, as the share is not available to recipient entities. In this case, you must wait for the portfolio share to be COMPLETED.</p>
*
* <p>You must provide the <code>accountId</code> or organization node in the input, but not both.</p>
*
* <p>If the portfolio is shared to both an external account and an organization node, and both shares need to be updated, you must invoke <code>UpdatePortfolioShare</code> separately for each share type. </p>
*
* <p>This API cannot be used for removing the portfolio share. You must use <code>DeletePortfolioShare</code> API for that action. </p>
*
* <note>
* <p>When you associate a principal with portfolio, a potential privilege escalation path may occur when that portfolio is
* then shared with other accounts. For a user in a recipient account who is <i>not</i> an Service Catalog Admin,
* but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal
* name association for the portfolio. Although this user may not know which principal names are associated through
* Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then
* Service Catalog recommends using <code>PrincipalType</code> as <code>IAM</code>. With this configuration,
* the <code>PrincipalARN</code> must already exist in the recipient account before it can be associated. </p>
* </note>
*/
public updatePortfolioShare(
args: UpdatePortfolioShareCommandInput,
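Review bot: the `updatePortfolioShare` comment now says the API can "enable or disable `TagOptions` sharing or Principal sharing for an existing portfolio share", but the added `<note>` only covers the risk of having principal sharing on. State what disabling it does for recipient accounts, for example whether roles matched by principal name lose access to the portfolio, since that is the change an administrator would make in response to the escalation path the note describes. `COMPLETED` on the `IN_PROGRESS` line could also be wrapped in `<code>` for consistency.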
Expand Down
4 changes: 2 additions & 2 deletions clients/client-service-catalog/src/ServiceCatalogClient.ts
Original file line number Diff line number Diff line change
Expand Up @@ -656,9 +656,9 @@ type ServiceCatalogClientResolvedConfigType = __SmithyResolvedConfiguration<__Ht
export interface ServiceCatalogClientResolvedConfig extends ServiceCatalogClientResolvedConfigType {}

/**
* <fullname>AWS Service Catalog</fullname>
* <fullname>Service Catalog</fullname>
* <p>
* <a href="https://aws.amazon.com/servicecatalog/">Service Catalog</a> enables
* <a href="http://aws.amazon.com/servicecatalog">Service Catalog</a> enables
* organizations to create and manage catalogs of IT services that are approved for Amazon Web Services. To
* get the most out of this documentation, you should be familiar with the terminology
* discussed in <a href="http://docs.aws.amazon.com/servicecatalog/latest/adminguide/what-is_concepts.html">Service Catalog
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,22 @@ export interface AssociatePrincipalWithPortfolioCommandOutput

/**
* <p>Associates the specified principal ARN with the specified portfolio.</p>
* <p>If you share the portfolio with principal name sharing enabled, the <code>PrincipalARN</code> association is
* included in the share. </p>
* <p>The <code>PortfolioID</code>, <code>PrincipalARN</code>, and <code>PrincipalType</code> parameters are
* required. </p>
* <p>You can associate a maximum of 10 Principals with a portfolio using <code>PrincipalType</code> as <code>IAM_PATTERN</code>
* </p>
*
* <note>
* <p>When you associate a principal with portfolio, a potential privilege escalation path may occur when that portfolio is
* then shared with other accounts. For a user in a recipient account who is <i>not</i> an Service Catalog Admin,
* but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal
* name association for the portfolio. Although this user may not know which principal names are associated through
* Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then
* Service Catalog recommends using <code>PrincipalType</code> as <code>IAM</code>. With this configuration,
* the <code>PrincipalARN</code> must already exist in the recipient account before it can be associated. </p>
* </note>
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
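Review bot: "You can associate a maximum of 10 Principals with a portfolio using `PrincipalType` as `IAM_PATTERN`" is the only mention of `IAM_PATTERN` in this comment, and the value is never defined. Add a sentence saying what an `IAM_PATTERN` `PrincipalARN` looks like and how it differs from `IAM`, since the note that follows recommends `IAM` without describing the alternative. The sentence is also missing its closing period.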
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,18 @@ export interface CreatePortfolioShareCommandOutput extends CreatePortfolioShareO
* <p>
* <code>AWSOrganizationsAccess</code> must be enabled in order to create a portfolio share to an organization node.</p>
* <p>You can't share a shared resource, including portfolios that contain a shared product.</p>
* <p>If the portfolio share with the specified account or organization node already exists, this action will have no effect and will not return an error. To update an existing share, you must use the <code> UpdatePortfolioShare</code> API instead.</p>
* <p>If the portfolio share with the specified account or organization node already exists, this action will have no effect
* and will not return an error. To update an existing share, you must use the <code> UpdatePortfolioShare</code> API instead. </p>
*
* <note>
* <p>When you associate a principal with portfolio, a potential privilege escalation path may occur when that portfolio is
* then shared with other accounts. For a user in a recipient account who is <i>not</i> an Service Catalog Admin,
* but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal
* name association for the portfolio. Although this user may not know which principal names are associated through
* Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then
* Service Catalog recommends using <code>PrincipalType</code> as <code>IAM</code>. With this configuration,
* the <code>PrincipalARN</code> must already exist in the recipient account before it can be associated. </p>
* </note>
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
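Review bot: the reflowed sentence keeps the stray space in `<code> UpdatePortfolioShare</code>`, while the `updatePortfolioShare` hunk in ServiceCatalog.ts fixes the same defect for `<code> CreatePortfolioShare</code>`. Drop the leading space here as well so the operation name renders and copies cleanly.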
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,13 @@ export interface DisassociatePrincipalFromPortfolioCommandOutput
/**
* <p>Disassociates a previously associated principal ARN from a specified
* portfolio.</p>
* <p>The <code>PrincipalType</code> and <code>PrincipalARN</code> must match the
* <code>AssociatePrincipalWithPortfolio</code> call request details. For example,
* to disassociate an association created with a <code>PrincipalARN</code> of <code>PrincipalType</code>
* IAM you must use the <code>PrincipalType</code> IAM when calling <code>DisassociatePrincipalFromPortfolio</code>. </p>
* <p>For portfolios that have been shared with principal name sharing enabled: after disassociating a principal,
* share recipient accounts will no longer be able to provision products in this portfolio using a role matching the name
* of the associated principal. </p>
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
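Review bot: "share recipient accounts will no longer be able to provision products in this portfolio" covers new provisioning only; the paragraph does not say what happens to products that a name-matched role has already provisioned. Add a sentence on whether those provisioned products remain manageable by that role after the disassociation. The bare `IAM` in "of `PrincipalType` IAM" should also be wrapped in `<code>` like the other values.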
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,17 +29,17 @@ export interface ImportAsProvisionedProductCommandInput extends ImportAsProvisio
export interface ImportAsProvisionedProductCommandOutput extends ImportAsProvisionedProductOutput, __MetadataBearer {}

/**
* <p>Requests the import of a resource as a Amazon Web Services Service Catalog provisioned product that is
* associated to a Amazon Web Services Service Catalog product and provisioning artifact. Once imported, all
* supported Amazon Web Services Service Catalog governance actions are supported on the provisioned
* <p>Requests the import of a resource as an Service Catalog provisioned product that is
* associated to an Service Catalog product and provisioning artifact. Once imported, all
* supported Service Catalog governance actions are supported on the provisioned
* product.</p>
* <p>Resource import only supports CloudFormation stack ARNs. CloudFormation StackSets and
* non-root nested stacks are not supported.</p>
* <p>The CloudFormation stack must have one of the following statuses to be imported:
* <code>CREATE_COMPLETE</code>, <code>UPDATE_COMPLETE</code>, <code>UPDATE_ROLLBACK_COMPLETE</code>, <code>IMPORT_COMPLETE</code>,
* <code>IMPORT_ROLLBACK_COMPLETE</code>.</p>
* <p>Import of the resource requires that the CloudFormation stack template matches the
* associated Amazon Web Services Service Catalog product provisioning artifact. </p>
* associated Service Catalog product provisioning artifact. </p>
*
* <p>The user or role that performs this operation must have the <code>cloudformation:GetTemplate</code>
* and <code>cloudformation:DescribeStacks</code> IAM policy permissions. </p>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ export interface ListPrincipalsForPortfolioCommandInput extends ListPrincipalsFo
export interface ListPrincipalsForPortfolioCommandOutput extends ListPrincipalsForPortfolioOutput, __MetadataBearer {}

/**
* <p>Lists all principal ARNs associated with the specified portfolio.</p>
* <p>Lists all <code>PrincipalARN</code>s and corresponding <code>PrincipalType</code>s associated with the specified portfolio.</p>
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
Expand Down