AWS Action Blocks

This mApp® Solution leverages Action Blocks for the API calls made to AWS. This allows reusable components, such as the Generate Amazon Signature Action Block to be called multiple times without the need to recreate the block steps where they need to be used.


Action Blocks are reusable sets of Actions that are not associated with a Business Object. Instead, they inherit both specific details (through Parameters) and object context from a One-Step™ Action, where they are called. This allows actions that need to be repeated to be defined and maintained in a single block, but used in many places.

This topic covers the Action Blocks used in this mApp Solution and how they can be modified to suit your organization's needs, if desired. You can also use these Action Blocks as-is to cover the use cases described in How the AWS mApp® Solution Works.

Secure Authentication to AWS

To facilitate authenticated AWS requests, there are two Action Blocks used by CSM to provide secure, encrypted authentication.

Set Encryption Key

The Set Encryption Key Action Block is called by the Store Secret Key One-Step Action to set the Encryption Key stored value, if it is empty.

Store Secret Key One-Step Action

The Set Encryption Key Action Block then checks to see whether the encryption key is currently populated. If it is, the Action Block cancels, but does not stop running the rest of the Store Secret Key One-Step Action. Although there is no need to set the encryption key if the value exists for the system, we do want to continue storing the secret key.

Set Encryption Key Action Block

Generate Amazon Signature

The Generate Amazon Signature Action Block follows the standard Signature Version 4 signing process from Amazon. See Signature 4. This Action Block is the only one stored in the Blueprint scope as it is delicate and should not be changed, unless the signing process itself changes. Its reusability means that each call doesn’t need to add in these authentication steps (which can be difficult to troubleshoot), only call the Action Block and pass it the correct parameters for the specific API call.

Example: In the SearchProductsAsAdmin call, the Get Products As Admin Action Block calls the Generate Amazon Signature Action Block in step 2. See Search Products as Admin.

Get Products As Admin Action Block

It then passes header information for the SearchProductAsAdmin call, which will be used by the Generate Amazon Signature Action Block to authenticate that specific call.

Generate Amazon Signature Block

Request AWS Products

The series of API calls to request an AWS product for a particular customer uses four Action Blocks, one for each call made. It may use a fifth block if the product contains parameters, but this block does not correspond to an AWS API call.

  1. SearchProductsAsAdmin: The Get Products As Admin Action Block makes this call to obtain a list of products available for the portfolio that the Service Request customer can access.
  2. ListProvisioningArtifacts: The List Provisioning Artifacts Action Block makes this call to obtain the available provisioining artifacts, needed for the ListLaunchPaths call. It returns the currently active artifact details.
  3. ListLaunchPaths: The List Launch Paths Action Block retrieves the Launch Paths for a product to be provisioned.
  4. DescribeProvisioningParameters: The Describe Provisioning Parameters Action Block queries the AWS API for the parameters needed by a particular product to make the provisioning call.
    1. (Optional) If the AWS product contains required parameters, CSM will run the Set Provisioning Parameters Action Block to populate the details needed on the Service Request specifics form.

    The required parameters are different for any given product, and are set in the CFT of the product in the AWS Service Catalog.

Provision AWS Product

Once you have completed the request workflow above, you can submit your request for approval. Once approved, this request automatically fires the ProvisionProduct API call, stored in an Action Block of the same name. See Provision Product.

When the Service Request was created, all the details necessary for the provisioning are passed to this Action Block. If the AWS product contained required parameters, CSM will run the Update Provisioning Parameters Action Block as the first step in the Provision Product call, to gather any details that were entered by the user on the request.

Terminate AWS Product

The Terminate Provisioned Product Action Block makes the TerminateProvisionedProduct API call. See Terminate Provisioned Product. Again, this Action Block receives all specific details from the One-Step™ Action which calls it. This call terminates any resources associated to a given product. Once they are terminated in AWS, they cannot be retrieved.