Introduction:
Using a IAC approach for provisioning cloud resources brings agility, speed and autonomy to dev team. However they need to use adapted parameters to complete the IAC templates and deploy effectively their resources into the cloud like:
- Location to deploy to
- Name of the resource to deploy
- The image of the machine to be used
- The virtual network
- The subnet
- ...
These parameters are generally unknown and are dependent one another (example: a specific image of a VM is dependent on the location your are trying to deploy to). They could generate errors if they are not applied jointly and correctly.
Furthermore some parameters shouldn't be available for some of the teams because they could trigger more costs, they could interfere with existing projets and resources...
ServiceNow Cloud Provisioning and Governance helps maintaining and managing these parameters and adapt the choices of their value according to the context of the request and the user requesting the item.
Concept:
ServiceNow provides a discovery capability that retrieve reference data and pre-existing resources in the different cloud providers. These data will be stored in specific tables in the CMDB. Example of a Azure Cloud Service Account discovery:
When connecting to a IAC provider, ServiceNow consumes the templates and generates cloud catalog items with the according parameters.
By default, all parameters are created with a "Single line text" type.
This is where ServiceNow offers the opportunity to fine-tune these parameters to consider them as drop-down choice list, select box choice type... And then enforce policies and control
How are parameters identified in a IAC template?:
This article explains how parameters are generated into ServiceNow Cloud catalog Item when consuming a IAC template:
https://community.servicenow.com/community?id=community_article&sys_id=25d5dc0adbd69090b1b102d5ca961939
What is a resource pool?:
A resource pool is a query or script that filters a table. You configure a resource pool to limit the values that are available to users when they request a catalog item.
In the following example, we'll use and create resource pools for a specific cloud catalog item: "TH Deploy AZ subnet 01". This catalog item enables the provisioning of a new subnet. To do so, the user will need to specify some values of parameters among which the resource group and the virtual network.
The virtual network is dependent to the Resource Group choice. We will implement this dependency through the resource pools.
Steps and example of a resource pool creation:
Select a cloud catalog item:
Let's take the catalog item mentioned earlier: "TH Deploy AZ subnet 01"
Here is the IAC Terraform template used to generate it:
variable "subscriptionId" {}
variable "clientId" {}
variable "clientSecret" {}
variable "tenantId" {}
variable "rgname" {}
variable "subnet_name" {}
variable "vnet_name" {}
variable "ipaddr" {}
provider "azurerm" {
subscription_id = var.subscriptionId
client_id = var.clientId
client_secret = var.clientSecret
tenant_id = var.tenantId
features {}
}
# Create subnet
resource "azurerm_subnet" "tf_subnet" {
name = var.subnet_name
resource_group_name = var.rgname
virtual_network_name = var.vnet_name
address_prefixes = [var.ipaddr]
}
We'll be concerned by two variables here:
- variable "rgname" {}
- variable "vnet_name" {}
The value of these variables need to reflect existing objects, otherwise the provisioning will fail.
When generating the catalog item, the above variables have the following format:
Set the "TH_Deploy_AZ_Subnet_01_Rgname" as a "Lookup Select Box" type:
1. Go into the "variable set" related list of the catalog item.
2. Click on the "provision" one.
3. Click on the corresponding variable: "TH_Deploy_AZ_Subnet_01_Rgname"
4. Change the type of the variable to "Lookup Select Box":
5. Go to the "Type specification" related list
6. Select "Use Pool Filter", "ResourceGroupPool", "GetByLDC" as described below (This resource pool already exists):
The "ResourceGroupPool" is a predefined script that gets the list of resource pools from the corresponding table in the CMDB (cmdb_ci_cloud_resource_group).
The "getByLDC" pool filter, filters the resource group list according to the Logical datacenter choice
7. Save and exit.
Set a reload trigger from the "Location" variable to the "TH_Deploy_AZ_Subnet_01_Rgname" variable:
In order for the resource groups list to be filtered according to the "Location", we need to create a trigger rule from the "Location" variable.
1. go the the "variable set" related list of the catalog item
2. Click on the "General" one
3. Click on the "Location" variable
4. In the "Rule" related list click on "New"
5. Name it "ResourceGroupTrigger" and in the "Action" related list click on "New:
6. Name the action "ResourceGroupTriggerReloadAction", select "Reload" as action type, select "Reload from pool" from the datasource, select "TH_Deploy_AZ_Subnet_01_Rgname" as the target variable and in the Key values related tab, add "Location" as key and "Location" as value:
7. Save and exit
8. If you go back on the "TH_Deploy_AZ_Subnet_01_Rgname", in the "Pool Filter Mappings" related list there is now a new entry
9. Go into the cloud user portal and test your cloud catalog item:
Create a new resource pool for the "TH_Deploy_AZ_Subnet_01_Vnet_Name":
1. Go to the "Manage/resource pools" section
2. Click new
3. Populate the field as described below and then click "new in the "Resource Pool filters" related list:
- Name of the resource pool "VnetResourcePool"
- Type "Static"
- Lookup table "Cloud network (cmdb_ci_network)". This is the table where Servicenow stores the virtual network list with discovery
- Lookup Field "Name"
- Lookup Label Field "name"
4. Name name the resource pool filter "getByResourceGroup", select "script" for the type and paste the following script:
getFilteredRecords(json);
//Do not remove function declaration
/** Input parameters
* @param json - json should have the sysId of LDC
* @returns filtered records in the format [{"value"="lookupValue",label="displayValue"}]
*/
function getFilteredRecords(json) {
var relations = [];
if(json != null && json != ""){
var map = new global.JSON().decode(json);
//The ResGroup variable gets the value from the TH_Deploy_AZ_subnet_01_rgname selected in the form
// The TH_Deploy_AZ_subnet_01_rgname is passed from the resource pool filter values below
var ResGroup = map.TH_Deploy_AZ_subnet_01_rgname;
gs.info("getByResourceGroup: the resource group is "+ResGroup);
//We need to geet the sys_id of the resource group selected above
var resgroupfilter = new GlideRecord('cmdb_ci_resource_group');
resgroupfilter.addQuery('name', ResGroup);
resgroupfilter.query();
if (resgroupfilter.next()){
var resgroupsysid = resgroupfilter.getUniqueValue();
}
relations = new sn_cmp_api.ExpressionResolverUtilScript().getMetadataRelations(resgroupsysid, 'Contains', 'cmdb_ci_network', 'flat', 1);
relations = global.JSON.parse(relations);
for (var index=0; index < relations.length; index++) {
var relation = relations[index];
relation.value = relation.label;
}
}else{
gs.error("input json is blank - "+json);
}
return global.JSON.stringify(relations);
}
For more information on the "getMetadataRelations" function, go to the following link: https://community.servicenow.com/community?id=community_question&sys_id=e03d1487db770c98feb1a851ca961988&view_source=searchResult
5. In the "Resource Pool filter values" related list, add the following entry:
We have now created a resource pool for the virtual network parameter with a filter based on the resource group choice.
6. Save and exit
Set the "TH_Deploy_AZ_Subnet_01_Vnet_Name" as a "Lookup Select Box" type:
1. Go to the "TH_Deploy_AZ_Subnet_01_Vnet_Name" variable in the catalog item
2. Change the type of the variable to "Lookup Select Box":
3. Go to the "Type specification" related list
4. Select "Use Pool Filter", "VnetResourcePool", "GetByResourceGroup" as described below :
5. Save and exit
Set a reload trigger from the "TH_Deploy_AZ_Subnet_01_Rgname" variable to the "TH_Deploy_AZ_Subnet_01_Vnet_Name" variable:
In order for the virtual network list to be filtered according to the Resource groups, we need to create a trigger rule from the "TH_Deploy_AZ_Subnet_01_Rgname" variable.
1. go the the "variable set" related list of the catalog item
2. Click on the "Provision" one
3. Click on the "TH_Deploy_AZ_Subnet_01_Rgname" variable
4. In the "Rule" related list click on "New"
5. Name it "Vnettrigger" and in the "Action" related list click on "New:
6. Name the action "VnetReloadAction", select "Reload" as action type, select "Reload from pool" from the datasource, select "TH Deploy AZ Subnet 01 Vnet Name" as the target variable and in the Key values related tab, add "TH_Deploy_AZ_Subnet_01_Rgname" as key and "TH_Deploy_AZ_Subnet_01_Rgname" as value:
7. Save and exit
8. If you go back on the "TH_Deploy_AZ_Subnet_01_Vnet_Name", in the "Pool Filter Mappings" related list there is now a new entry
9. Go into the cloud user portal and test your cloud catalog item:
