In a standard configuration of Cloud Management with Amazon Web Services, a discovery schedule is configured to run daily or semi-daily. However, things move quickly in the cloud, and an organization's need for accurate Change and Configuration Management is paramount to both Service Management and IT Operations. Because of this, it is often necessary to receive updates on changes within your AWS environment between discovery schedules.
Cloud Management and Change Management actually have the same needs, but for their own reasons. Cloud Management needs the latest information on machines for placement and other operational decisions, while Change Management needs this information for Audit and Control. However, both domains increasingly require this information at near-real-time speed. It is important to note that while Cloud Management does not track the intended state of a Configuration Item in AWS, the ServiceNow platform tracks changes to all Configuration Items and allows Change Managers to make decisions accordingly (unauthorized change, etc.).
Cloud Management has supported SNS notifications from AWS Config since Geneva, but this powerful feature is often overlooked in the larger context of a customer's implementation. AWS Config notifications are received through an AWS SNS topic that is created with a subscription to your ServiceNow instance, which processes each notification and drives updates directly to the CMDB view of the Amazon Web Services environment. The setup and integration with AWS Config is documented in the ServiceNow documentation, but the following steps provide additional detail around the configuration in Helsinki.
The first step is to create a user with the aws_integration role on your instance. The aws_integration role is available once the AWS Cloud Management plugin is enabled.
Next, we'll create the SNS topic and subscription for your ServiceNow instance. From the AWS Console, navigate to SNS > Topics. If you have an existing topic you'd like to use for the subscription, feel free to use it, otherwise select "Create new topic". Specify the "Topic name" and "Display name" inputs. Once the topic is created, click on the topic name and then select "Create subscription".
Note: The Topic ARN, and Topic Owner fields are masked in the screenshots; yours will be populated with appropriate values generated by AWS.
Select HTTPS for Protocol and use your instance's fully-qualified domain name for Endpoint. The password portion of the URI will be masked by AWS SNS automatically when the subscription is created. Once the subscription is submitted, the status will change to "PendingConfirmation". Confirmation will happen automatically from your ServiceNow instance and should complete within a few seconds if the URI was entered correctly.
You can use the refresh button in the Subscriptions panel to update the subscription status. If successful, the subscription should look like the following screenshot.
AWS Config should now be sending SNS notifications to the AWS Event Processor on your instance. ServiceNow CMDB update behavior depends on the changeType property of the SNS notification payload.
- changeType CREATE: a new record is created in the CMDB for that resource
- changeType UPDATE: the existing record in the CMDB is updated, or a new record is created if no matching record is found
- changeType DELETE: the record is not deleted from the CMDB, but is instead marked "Terminated"
Events from AWS Config are not quite "real-time" and can be delayed by up to fifteen (15) minutes.
In addition, logging of received SNS notifications is disabled by default, but can be enabled by an admin of the instance. To enable logging, set the sys_properties record itom.aws.logEvent to true. The events are logged to the aws_sns_event table and can be reviewed there to validate that the configuration is working. You may not want to keep this on after initial configuration testing; it can be safely disabled without impacting the updates. Also, allow for the AWS Config event notification delay when watching the aws_sns_event table.
In this example, a tag value was changed on an EC2 instance from "TestTag=TestValue" to "TestTag=TestValue2". If we navigate to our EC2 instance record in Amazon AWS Cloud > Managed Resources > Virtual Machine Instances, we can observe the change was processed and the tag value updated in advance of our daily discovery schedule.
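To make the changeType rules and the tag-change example above concrete, here is an added illustration (not code from the article or from the ServiceNow AWS Event Processor) that applies constructed AWS Config notifications, wrapped in SNS envelopes, to an in-memory stand-in for the CMDB. The resource id, tag values and the ConfigurationItemChangeNotification payload shape are assumptions; SNS message signature validation is assumed to happen before this point.

```python
import json


def _envelope(change_type: str, tags: dict) -> dict:
    """Build a constructed SNS envelope wrapping an AWS Config change message.
    The Message field is a JSON string, as SNS delivers it; values are made up."""
    message = {
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {"resourceType": "AWS::EC2::Instance",
                              "resourceId": "i-0exampleid", "tags": tags},
        "configurationItemDiff": {"changeType": change_type},
    }
    return {"Type": "Notification", "Message": json.dumps(message)}


# The tag change described in the article (TestTag=TestValue -> TestValue2),
# followed by a termination; all constructed sample input.
SAMPLE_ENVELOPES = [
    _envelope("CREATE", {"TestTag": "TestValue"}),
    _envelope("UPDATE", {"TestTag": "TestValue2"}),
    _envelope("DELETE", {}),
]


def apply_notification(cmdb: dict, envelope: dict, event_log: list) -> str:
    """Apply one SNS envelope to an in-memory CMDB keyed by resourceId and
    return the action taken. Mirrors the changeType rules in the article:
    CREATE inserts, UPDATE upserts, DELETE only marks the CI Terminated.
    Assumes the SNS signature was already validated by the caller."""
    if envelope.get("Type") != "Notification":
        return "ignored"          # SubscriptionConfirmation etc. handled elsewhere
    msg = json.loads(envelope["Message"])
    if msg.get("messageType") != "ConfigurationItemChangeNotification":
        return "ignored"          # e.g. ConfigurationSnapshotDeliveryCompleted
    event_log.append(msg)         # stands in for the aws_sns_event table
    ci = msg["configurationItem"]
    change = msg.get("configurationItemDiff", {}).get("changeType")
    key = ci["resourceId"]
    if change in ("CREATE", "UPDATE"):
        existed = key in cmdb
        rec = cmdb.setdefault(key, {"state": "On"})
        rec["type"] = ci["resourceType"]
        rec["tags"] = dict(ci.get("tags", {}))
        return "updated" if existed else "created"
    if change == "DELETE" and key in cmdb:
        cmdb[key]["state"] = "Terminated"   # record is kept, never deleted
        return "terminated"
    return "ignored"
```

Watching the returned actions alongside the event log is the same check you would do against the aws_sns_event table, allowing for the AWS Config delay noted above.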
The increased rate of updates through integration with AWS Config provides a more accurate and timely CMDB view of your Cloud Management assets in AWS. Similar integrations are also available in the VMware vCenter Event Collector feature. Azure support for event based CMDB updates is currently being developed.