Cloud Tag Governance - Policy Customization, Auto-Remediation

Narsing1
Mega Sage

‎04-08-2023 06:11 AM - edited ‎04-08-2023 06:13 AM

Tag Governance for Cloud discovery is a very useful plugin provided by Servicenow.  It facilitates the creation of different policies to properly govern how the tags are going to be certified based on a set of parameters. This Article helps you to understand how to customize Policies based on your requirement and also how Auto-Remediation works along with updating Tags in your cloud resource as well.

 

Once you install the plugin, under the Tag Governance Module, you will have a Dashboard, Policies and Remediation options as follows.

Narsing1_0-1680950121345.png

 

OOTB solution for Policy provides 3 Policy Types

  • Tag Key Policy - This deals with what are the Tags that are required/mandatory for a given CI. For example: Name,Location etc.,  When you configure this, it checks all the CI’s based on the condition provided and check whether all mentioned tags exists/not.
  • Tag Count Policy: This deals with how many Tags must be there for a CI.
  • Tag Key & Value Policy: This deals with what value/values are permitted for a Tag to be certified. Here you have the facility to write a script / can just place a value under Tag Key & Value Checks. This policy checks and mark as Certified when all the Tag Values are meeting its required value based on the Script/Value that you have written under Tag Key & Value Checks. Note: This policy expects a value for all the Keys.

Let's check this case where you don’t want to allow any CI Tag with an empty value. The above OOTB solution will not be able to address this particular scenario.  But you can develop your own Policy type and make this happen.  

Note: I am using the AWS Cloud, but it is the same process for other cloud providers as well.

 

Step by Step Guide to Customize based on the above scenario

 

Before you begin, here are the keywords for your reference.  These keywords are going to be used in the scripts i.e. ready to use objects.

  • ciTags - While executing the audit, it collects all the key value pairs for the CI and make it as a GlideRecord 
  • policy - A Tag Policy entry i.e. policy GlideRecord
  • tagValues -  While writing a script to get the tag values, we use this.  This will be used when evaluating your script via “TagPolicyUtil” script include.  
  • ci -  A GlideRecord that points to the current CI while executing the audit.

Steps

 

  1. Point your Application to “Tag Governance”
  2. On the Filter Navigator ⇒ sn_itom_tag_policy_type.list ⇒ Open “Tag Key Policy”
Narsing1_0-1680950597710.png

 

  1. Do the “Insert and Stay” and provide a relevant name for it and copy the below code.
Narsing1_1-1680950597716.png

 

Tag Policy Type Audit Script

 

 

var policyDefinition = policy.expected_tag_keys;
var requiredTags = policyDefinition.split(',').map(function(tagKey) {
    return tagKey.trim();
});
var arrayUtil = new global.ArrayUtil();
while (ciTags.next()) {
    var key = ciTags.getValue('key') + '';
    var tagIndex = arrayUtil.indexOf(requiredTags, key);
    if (tagIndex >= 0) {
		var keyval = ciTags.value + '';
        if (keyval != "") {
            requiredTags.splice(tagIndex, 1);
            //Exit loop when all required tags are presented with values
            if (requiredTags.length === 0)
                break;
        }
    }
}
var complianceState = (requiredTags.length === 0);
if (!complianceState) {
    discrepancyValue = requiredTags.length;
    complianceDescription = 'Empty tags: ' + requiredTags.toString();
}

 

 

4. Go to Tag Governance ==> Policies ==> Create a New Policy with a condition "Class=Virtual Machine Instance"

Narsing1_1-1680955672333.png

Now, you are ready to test this.  Here a sample Virtual Machine where "Business" Tag has an Empty Value. 

Narsing1_2-1680958346808.png

Now, Run the audit by clicking on "Run Audit". Observe the results under the Related List "Latest Policy Run Findings" like this.

Narsing1_1-1680956910829.png

 

Remediation

If we want to Remediate the Failures occurred on the Audit Runs, You have the Auto-Remediate Option as well along with the manual one.  In this case, when there is an Empty value on the Business Tag, I would like to update that as "NSS" in the Key Value Table.    Also,  Update with the same value in the Cloud. (Here its AWS) Let's see how it can be done.

Note:  To use "Update Tags in Cloud" option, you need to have permission in AWS called "ResourceGroupsandTagEditorFullAccess" to the user that you are using.

(IAM ==> Users ==> <username that you are using for integration> ==> Permissions)

 

Now, Create a Remediation like this and save the record.

Narsing1_0-1680957974118.png

Under the Related Links "Tag Remediation Keys", click on New and create an entry like this.

(Note: You can also use a script based assignment, but for demo purpose am using a static value)

Narsing1_1-1680958185431.png

Here is how the Tags will update in Key Value Table as well as in your Cloud (AWS)

Note: First use "Preview Remediation" and make sure you have a policy failure and then use "Remediate Tags"

 

Before executing "Remediate Tags" (Under the Related Links)

Narsing1_2-1680958346808.png

AWS Console

Narsing1_3-1680958440233.png

 

After Execution

Narsing1_4-1680958744303.png

 

Narsing1_5-1680958809334.png

 

That's all about the different options available in Tag Governance Customization.

Feel free to post a comment.

 

Thanks,

Narsing

 

 

 

 

 

 



 

  • 3,301 Views
Comments
k_lutz
Tera Expert
‎05-12-2023 06:01 AM

Thanks for posting. Very useful information. I did have a question on the Remediation section when you mention the "integration" and the user. Can you provide more on that or an example as I am not sure which integration you mean as the data would be coming into the CMDB from Discovery. Is there another integration that has to be used for tag governance?

0 Helpfuls
Narsing1
Mega Sage
‎05-15-2023 04:40 AM

This means the the "Cloud Accessor Account" that you are using for getting the information from AWS into Servicenow.  If this Account has a role called "ResourceGroupsandTagEditorFullAccess",  then it works for the auto remediation.

Few flows will be installed along with the Tag Governance plugin which is used for Auto Remediation.  [Observe in the Flow Designer / in Tag Governance Application installed files for more information on this]

 

Thanks,

Narsing

 

k_lutz
Tera Expert
‎05-23-2023 12:09 PM

Hello Narsing,

I looked in flow and did not see any flows related to Tag Governance even though it looks like we are licensed for it. What are the names of the flows you see? I can check with our SN account to see why we may not be seeing them. Thanks.

0 Helpfuls
k_lutz
Tera Expert
‎05-23-2023 12:16 PM

Hello Narsing,

Nevermind. I see two entries under sub-flows for Tag Governance. Will check them out.

0 Helpfuls
smithap
Tera Explorer
‎08-27-2023 06:14 PM

Hello Narsing, I have a scenario where we have multiple data source populating the same tag values and 'tag' field determines the data source. How do we do policy governance for each data source. I tried to put an encoded query on tag filter to look for Tag=<<<DB Catalog>>. But it didn't work  in some sceanrios. For eg, Environment Key is populated by another Data Source, it will come as certified, even though DB Catalog record won't have that value

0 Helpfuls
kamal_gm
Tera Contributor
‎07-25-2024 03:04 AM

Hello Narsing,

What role is needed for Azure cloud TAG remediation?

0 Helpfuls
Mantautas
Tera Contributor
‎09-05-2024 12:22 AM

@kamal_gm Role needed is "sn_itom_tag.tag_governance_admin "

 

Regards,

Mantautas.

 

 

Narsing1
Mega Sage
‎10-19-2024 05:25 AM

@kamal_gm - Never tried the Azure one, but can you try with "Tag Contributor" role from the Azure

 

Thanks,

Narsing

Version history
Last update:
‎04-08-2023 06:13 AM
Updated by:
Contributors