ServiceNow

Overview

Getting started

First, make sure that you have the necessary permissions in your AWS account and ServiceNow instance before installing the AWS Service Catalog Connector for ServiceNow.

AWS prerequisites

It is assumed you already have a Control Tower based landing zone up and running, with an instance of Service Catalog hosting the Account Factory product at a minimum.

ServiceNow prerequisites

Clearly, you will need a running instance of ServiceNow. For the purpose of this lab activity you can sign up for a free developer account and request an instance.

AWS - Baseline Permissions

You also need to set up some baseline permissions on each account you want ServiceNow to have access to. You deploy these with the following CloudFormation templates: AWS Commercial Regions and AWS GovCloud Regions. Alternatively, see the step by step documentation here. For integrating with the Account Factory, we’ll just deploy these on the Management Account (the one hosting Control Tower). In the Parameters section set Enable Stack Set roles to false (Control Tower has already created these).

AWS - Configure AWS Service Catalog

Now that you have created two IAM users with baseline permissions in each account, the next step is to configure AWS Service Catalog.

  • Open Service Catalog on the management account
  • Open the AWS Control Tower Account Factory Portfolio portfolio
  • Click on Groups, roles, and users
  • Click Add groups, roles, users
  • Click Users
  • Select SCEndUsers and click Add Access
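To confirm that the portfolio grant above ended up as intended, the added example below (not part of the original lab) compares the principals returned by `aws servicecatalog list-principals-for-portfolio --portfolio-id <id>` with the set you expect. The sample output, the account ID and the role name ExampleLeftoverRole are constructed; the expected user name is taken from the step above.

```python
import json

# Constructed sample of the CLI's JSON output for the Account Factory portfolio.
# The account ID and the second principal are made up for illustration.
SAMPLE_OUTPUT = """
{
  "Principals": [
    {"PrincipalARN": "arn:aws:iam::111122223333:user/SCEndUsers",
     "PrincipalType": "IAM"},
    {"PrincipalARN": "arn:aws:iam::111122223333:role/ExampleLeftoverRole",
     "PrincipalType": "IAM"}
  ]
}
"""


def principal_name(arn):
    """Return (kind, name) from an IAM ARN, e.g. ('user', 'SCEndUsers')."""
    resource = arn.split(":", 5)[5]           # 'user/Name' or 'role/path/Name'
    kind, _, rest = resource.partition("/")
    return kind, rest.rsplit("/", 1)[-1]      # drop any IAM path prefix


def audit_portfolio_principals(cli_json, expected):
    """Compare granted principals with the expected set of (kind, name) pairs."""
    granted = {
        principal_name(p["PrincipalARN"])
        for p in json.loads(cli_json).get("Principals", [])
    }
    return {
        "missing": sorted(expected - granted),      # grant was never made
        "unexpected": sorted(granted - expected),   # access nobody asked for
    }


if __name__ == "__main__":
    # Expected set: only the end-user identity selected in the step above.
    report = audit_portfolio_principals(SAMPLE_OUTPUT, {("user", "SCEndUsers")})
    print(report)
```

Anything listed under "unexpected" can launch products from the portfolio and should be reviewed before the connector goes live.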

ServiceNow - Configuration

Assuming you’ve just requested a fresh instance on the developer portal you can skip the following steps:

  • Clear the ServiceNow platform cache.
  • Clear the web browser cache.

  • Activate two ServiceNow plugins.
  • Install the ServiceNow Connector scoped application, and upload and commit the ServiceNow Connector Update Set.
  • Configure ServiceNow platform system admin components.

  • Configure AWS Service Management Connector scoped application, including accounts, scheduled jobs sync, and permissions.

Clear the ServiceNow Platform Cache

Before installing the AWS Service Management scoped app, we recommend that you clear the ServiceNow platform cache by typing in the following URL: https://[InsertServiceNowInstanceNameHere]/cache.do

Clear the Web Browser Cache

Clear the web browser cache to clear previously rendered product forms.

Activate the Discovery and Service Mappings Patterns Plugin

  • Go to the ServiceNow Developer Portal and click on your account (top right), under My Instance, INSTANCE ACTION, click Activate plugin.
  • In the search field (top right), search for Pattern Designer
  • Click on Activate
  • You now need to wait for the email confirming the installation of the plugin

Activate the User Criteria Scoped API Plugin

  • From your ServiceNow dashboard, type plugins into the navigation panel in the upper left.
  • When the System Plugins page populates, search for User Criteria Scoped API
  • On the User Criteria Scoped API plugin click install

Activate Discovery and Service Mapping Pattern

  • Now log into your instance
  • From your ServiceNow dashboard, type plugins into the navigation panel in the upper left.
  • When the System Plugins page populates, next to the dropdown that says Name, search for Discovery.
  • Choose Discovery and Service Mapping Patterns and then choose Activate.

Install the ServiceNow Connector scoped application

To install the update set:

  • Download the AWS ServiceNow Connector v2.3.4
  • From your ServiceNow dashboard, type update sets into the navigation panel in the upper left.
  • Choose Retrieved Update Sets from the results.
  • Select Import Update Set from XML and upload the release XML file.
  • Click on AWS Service Management Connector for ServiceNow update set.
  • Click on Preview Update Set, which makes ServiceNow validate the connector update set.
  • Choose Update.
  • Click on Commit Update Set to apply the update set and create the application.
  • This procedure should complete 100%.

Configure ServiceNow platform system admin components.

To enable the AWS Service Management Connector for ServiceNow scoped application named AWS Service Management, the system admin must create a discovery source, and configure specific platform tables, forms, and views.

Create a discovery source AWS Service Management Connector entry

To allow AWS to report discovered CIs into your CMDB you must create a new discovery data source called AWS Service Management Connector. Perform the following steps:

  • From your ServiceNow dashboard, type System Definition and click on Choice Lists.
  • Choose New.
  • Create a new entry with the following details:
    • Table : Configuration Item [cmdb_ci]
    • Element : discovery_source
    • Label : AWS Service Management Connector
    • Value : AWS Service Management Connector
  • Click Submit

Note: Make sure you are in Global mode in ServiceNow System Settings to modify System Definitions.

Enable permissions on ServiceNow Platform table (Catalog Item Category)

For AWS products to display under AWS portfolios as sub-categories in the ServiceNow Service Catalog, you need to modify the Application Access form for Catalog Item Category tables. This action is necessary because a ServiceNow scoped API is not available for the Catalog Item Category table.

  • Enter Tables in the Navigator and choose System Definition, then choose Tables.
  • In the list of tables, search for a table with label “Catalog Item Category” (or with the name “sc_cat_item_category”).
  • When the list of tables is displayed, click on Catalog Item Category
  • Click on the Application Access tab on the form
    • Check Can Create
    • Check Can Update
    • Check Can delete
  • Click Updates

ServiceNow Permissions for Administrators of the Connector Scoped App.

The AWS Service Management scoped app comes with two ServiceNow roles that enable access to configure the application. This enables system admins to grant one or more users privileges to administer the application without having to open up full sysadmin access to them. These roles can be assigned either to individual users or to one administrator user.

To set up application administrator privileges:

  • Type Users in the navigator and select System Security, then click on Users.
  • Select a user to whom to grant one or both of the previous roles (such as admin). You can also Create a User.
  • Scroll down to the bottom of the page
  • Click on the Roles tab and click Edit
  • Filter the collection of roles by the prefix “x_”.
  • Choose one or both of the following and add them to the user: x_126749_aws_sc_account_admin, x_126749_aws_sc_portfolio_manager
  • Choose Save.

To add AWS Service Catalog to ServiceNow Service Catalog categories

  • Type Self Service into the navigator and click on Service Catalog
  • Click on the + (Add content) button in the top right of the page
  • Click on the AWS Service Catalog Product entry.
  • Add it to your catalog home page by choosing the first Add Here link on the second row of the selection panel at the bottom of the page.

Create New Change Request Type

You must add a new change request type called AWS Provisioned Product Event for the scoped application to trigger an automated change request in Change Management. For instructions, see Add a new change request type.

  • Type Change into the navigator and click on Open
  • Open the context (right-click) menu on an entry in the Type column and click Show Matching
  • for Type and then choose Show Choice List.
  • Choose New and fill in the following fields:
    • Table: Change Request
    • Label: AWS Provisioned Product Event
    • Value: AWSProvisionedProductEvent
    • Sequence: pick the next unused value
  • Submit the form.

Configuring AWS Service Management Connector Scoped Application

Having installed and configured the AWS Service Management Connector for ServiceNow in the previous procedure, you must configure the scoped application and applicable roles.

To configure the AWS Service Management Connector scoped application permissions

  • Type user groups into the navigator and click on Administration - User Groups
  • Click New
    • Name : Order_AWS_Products
    • Description : Can request AWS Service Catalog products.
  • Click Submit
  • Click on Order_AWS_Products
  • In the Group Members tab, click Edit
  • Search for the user you gave the x_126749_aws_sc_portfolio_manager and x_126749_aws_sc_account_admin roles to earlier.

Configure the AWS Account Credentials

  • Type AWS in the navigator. Go to the AWS Service Management scoped app.
  • Click on Accounts
  • Click New. In the AWS Service Management scoped app Accounts menu, create one entry for every AWS account. You need to use the keys and secret keys from the users you created in AWS. To create an account entry:
    • Name : Control Tower
    • Access Key : Access key ID for the SCSyncUser
    • Secret Access Key : Secret Access key ID for the SCSyncUser
    • Type : Sync user
    • Account Regions : The region in which you deployed Control Tower
  • Click Validate Regions
  • Click Submit

  • Click New. In the AWS Service Management scoped app Accounts menu, create one entry for every AWS account. You need to use the keys and secret keys from the users you created in AWS. To create an account entry:
    • Name : Control Tower
    • Access Key : Access key ID for the SCEndUser
    • Secret Access Key : Secret Access key ID for the SCEndUser
    • Type : End user
    • Account Regions : The region in which you deployed Control Tower
  • Click Validate Regions
  • Click Submit
  • Click on Products
  • Select AWS Control Tower Account Factory
  • Click Activate
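The account entries above store long-lived IAM access keys for SCSyncUser and SCEndUser inside ServiceNow, so it is worth checking those keys periodically. The added example below (not part of the original lab) audits the JSON returned by `aws iam list-access-keys --user-name <user>`; the sample data, the key IDs and the 90-day limit are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample: "AccessKeyMetadata" entries as returned by
# `aws iam list-access-keys` for the two connector users, merged into one
# document. Key IDs and dates are made up.
SAMPLE_KEYS = """
{"AccessKeyMetadata": [
  {"UserName": "SCSyncUser", "AccessKeyId": "AKIAEXAMPLESYNC00001",
   "Status": "Active", "CreateDate": "2023-01-10T09:00:00+00:00"},
  {"UserName": "SCEndUser", "AccessKeyId": "AKIAEXAMPLEEND000001",
   "Status": "Active", "CreateDate": "2023-05-01T09:00:00+00:00"},
  {"UserName": "SCEndUser", "AccessKeyId": "AKIAEXAMPLEEND000002",
   "Status": "Inactive", "CreateDate": "2022-11-01T09:00:00+00:00"}
]}
"""


def audit_access_keys(cli_json, now, max_age_days=90):
    """Return (user, key_id, issue) tuples; max_age_days is an assumed policy."""
    findings, active = [], {}
    for key in json.loads(cli_json)["AccessKeyMetadata"]:
        user, key_id = key["UserName"], key["AccessKeyId"]
        if key["Status"] != "Active":
            # Disabled keys that still exist can be re-enabled later.
            findings.append((user, key_id, "inactive"))
            continue
        active[user] = active.get(user, 0) + 1
        age_days = (now - datetime.fromisoformat(key["CreateDate"])).days
        if age_days > max_age_days:
            findings.append((user, key_id, f"stale:{age_days}d"))
    # Two active keys for one user usually means a rotation was left half done.
    for user, count in active.items():
        if count > 1:
            findings.append((user, None, "multiple-active"))
    return findings


if __name__ == "__main__":
    for finding in audit_access_keys(SAMPLE_KEYS, datetime.now(timezone.utc)):
        print(finding)
```

After rotating a key in IAM, update the matching account entry in the AWS Service Management scoped app and click Validate Regions again.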

Granting Access to Portfolios

To grant access to AWS Service Catalog products in ServiceNow, you must establish a link between the AWS Service Catalog portfolios and the ServiceNow group (for example, Order_AWS_Products created earlier in the instructions as an installation example).

To grant access to AWS Service Catalog portfolios in ServiceNow

  • In the AWS Service Management scoped app, choose the Portfolios module.
  • Select the desired Portfolio ARN. You can double-click the AWS Service Catalog portfolio name.
  • Select the Allowed Groups tab.
  • Choose New and enter the Group named Order_AWS_Products.
  • Choose Submit.

Configure the AWS Service Catalog Product Widget Components Viewable to End Users

To address the varying personas of end users requesting AWS products, the Connector for ServiceNow includes a scoped app setting to enable or disable components of the AWS product widget. By default, all AWS product components are enabled.

To modify the AWS product view

  • In the navigator, type System Properties and select AWS Service Catalog. Note: Make sure you are in the AWS Service Management Connector scoped application mode.
  • Deselect any AWS product component such as:
    • Enable editing of the AWS Service Catalog Product name.
    • Enable selection of launch options for AWS Service Catalog Products. (Note that this component is only visible if the AWS product has more than one launch path.)
    • Enable selection of product versions for AWS Service Catalog. (Note that this component is only visible if the AWS product has more than one product version.)
    • Enable tags for AWS Service Catalog Products.
    • Enable plans (ChangeSet) creation for product. (Note that if set to false the plan section will be hidden.)
  • Choose Save.