
04-08-2023 06:11 AM - edited 04-08-2023 06:13 AM
Tag Governance for Cloud Discovery is a very useful plugin provided by ServiceNow. It lets you create different policies that govern how the tags on your cloud resources are certified, based on a set of parameters. This article helps you understand how to customize policies to your requirements, how Auto-Remediation works, and how remediation also pushes the updated tags back to the cloud resource itself.
Once you install the plugin, the Tag Governance module gives you a Dashboard, Policies and Remediation, as shown below.
The OOTB solution provides three Policy Types:
- Tag Key Policy: This deals with which tags are required/mandatory for a given CI, for example Name, Location, etc. When you configure this, it checks every CI matching the condition you provide and verifies whether all the listed tag keys exist or not.
- Tag Count Policy: This deals with how many tags must be present on a CI.
- Tag Key & Value Policy: This deals with which value(s) are permitted for a tag to be certified. Here you can write a script, or simply place a value, under Tag Key & Value Checks. This policy marks the CI as Certified when all the tag values meet the requirement defined by the script/value you wrote under Tag Key & Value Checks. Note: this policy expects a value for every key.
Now consider the case where you don't want to allow any CI tag with an empty value. None of the OOTB policy types above can address this scenario, but you can develop your own Policy Type to make it happen.
Note: I am using AWS, but the process is the same for other cloud providers as well.
Step by Step Guide to Customize for the Above Scenario
Before you begin, here are the keywords for your reference. These are ready-to-use objects that are available inside the policy scripts:
- ciTags: while the audit executes, this collects all the key/value pairs for the CI and exposes them as a GlideRecord.
- policy: the Tag Policy entry being evaluated, i.e. the policy GlideRecord.
- tagValues: used when writing a script that fetches tag values; it is used when your script is evaluated via the "TagPolicyUtil" script include.
- ci: a GlideRecord pointing to the current CI while the audit executes.
Steps
1. Point your Application scope to "Tag Governance".
2. In the Filter Navigator ⇒ sn_itom_tag_policy_type.list ⇒ open "Tag Key Policy".
3. Do an "Insert and Stay", give the new record a relevant name, and replace its audit script with the code below.
Tag Policy Type Audit Script

```javascript
// Required tag keys are configured on the policy as a comma-separated list.
var policyDefinition = policy.expected_tag_keys;
var requiredTags = policyDefinition.split(',').map(function(tagKey) {
    return tagKey.trim();
});
var arrayUtil = new global.ArrayUtil();

// Walk every key/value pair collected for the CI. A required key is only
// removed from the outstanding list when it is present AND has a non-empty value.
while (ciTags.next()) {
    var key = ciTags.getValue('key') + '';
    var tagIndex = arrayUtil.indexOf(requiredTags, key);
    if (tagIndex >= 0) {
        var keyval = ciTags.value + '';
        if (keyval != "") {
            requiredTags.splice(tagIndex, 1);
            // Exit the loop once all required tags are present with values
            if (requiredTags.length === 0)
                break;
        }
    }
}

// Whatever is left in requiredTags is either missing or has an empty value.
// complianceState, discrepancyValue and complianceDescription are the results
// the audit reads back from this script.
var complianceState = (requiredTags.length === 0);
if (!complianceState) {
    discrepancyValue = requiredTags.length;
    complianceDescription = 'Empty tags: ' + requiredTags.toString();
}
```
4. Go to Tag Governance ⇒ Policies ⇒ create a new Policy with the condition "Class = Virtual Machine Instance".
Now you are ready to test this. Here is a sample Virtual Machine where the "Business" tag has an empty value.
Now run the audit by clicking "Run Audit", and observe the results under the Related List "Latest Policy Run Findings", like this.
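To exercise the same audit logic outside the instance, here is an added example (not code from the article or from the plugin) that runs the required-tag check against a constructed, in-memory stand-in for the ciTags GlideRecord; the cursor only mimics the members the script touches, and ArrayUtil.indexOf is replaced by the native Array.indexOf.

```javascript
// Constructed stand-in for the ciTags GlideRecord: supports next(),
// getValue('key') and the .value field, exactly what the audit script uses.
function makeCiTagsCursor(rows) {
  var i = -1;
  return {
    value: undefined,
    next: function () {
      i += 1;
      if (i >= rows.length) return false;
      this.value = rows[i].value;
      return true;
    },
    getValue: function (field) { return rows[i][field]; }
  };
}

// Same logic as the custom policy type script: a CI is compliant only when
// every key in expected_tag_keys is present AND carries a non-empty value.
// Returns the three values the audit would read back from the script.
function auditRequiredTagValues(expectedTagKeys, ciTags) {
  var requiredTags = expectedTagKeys.split(',').map(function (k) { return k.trim(); });
  while (ciTags.next()) {
    var key = ciTags.getValue('key') + '';
    var tagIndex = requiredTags.indexOf(key); // global.ArrayUtil().indexOf in the instance
    if (tagIndex >= 0) {
      var keyval = ciTags.value + '';
      if (keyval !== '') {
        requiredTags.splice(tagIndex, 1);
        if (requiredTags.length === 0) break; // all required tags satisfied
      }
    }
  }
  var result = { complianceState: requiredTags.length === 0, discrepancyValue: 0, complianceDescription: '' };
  if (!result.complianceState) {
    result.discrepancyValue = requiredTags.length;
    result.complianceDescription = 'Empty tags: ' + requiredTags.toString();
  }
  return result;
}

// Constructed sample: the article's VM whose "Business" tag has an empty value.
var sampleVm = [
  { key: 'Name', value: 'web-01' },
  { key: 'Location', value: 'us-east-1' },
  { key: 'Business', value: '' }
];
```

Note that a required key that is absent from the CI altogether ends up in the same "Empty tags:" finding as one whose value is empty, so the description does not distinguish the two cases.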
Remediation
If you want to remediate the failures found by the audit runs, there is an Auto-Remediate option in addition to the manual one. In this case, when the Business tag has an empty value, I would like to update it to "NSS" in the Key Value table and also update the cloud resource (here AWS) with the same value. Let's see how this can be done.
Note: To use the "Update Tags in Cloud" option, the AWS user you use for the integration needs the "ResourceGroupsandTagEditorFullAccess" permission.
(IAM ⇒ Users ⇒ <username that you are using for integration> ⇒ Permissions)
Now create a Remediation like this and save the record.
Under the Related Links "Tag Remediation Keys", click New and create an entry like this.
(Note: you can also use a script-based assignment, but for demo purposes I am using a static value.)
Here is how the tags get updated in the Key Value table as well as in your cloud (AWS).
Note: first use "Preview Remediation" to make sure you have a policy failure, and only then use "Remediate Tags".
Before executing "Remediate Tags" (under the Related Links)
AWS Console
After Execution
That's all about the different options available in Tag Governance Customization.
Feel free to post a comment.
Thanks,
Narsing
Thanks for posting. Very useful information. I did have a question on the Remediation section, where you mention the "integration" and the user. Can you provide more on that, or an example? I am not sure which integration you mean, as the data would be coming into the CMDB from Discovery. Is there another integration that has to be used for tag governance?
This means the "Cloud Accessor Account" that you are using for getting the information from AWS into ServiceNow. If this account has a role called "ResourceGroupsandTagEditorFullAccess", then it works for the auto remediation.
A few flows are installed along with the Tag Governance plugin, and these are used for Auto Remediation. [See the Flow Designer, or the installed files of the Tag Governance application, for more information on this.]
Thanks,
Narsing
Hello Narsing,
I looked in flow and did not see any flows related to Tag Governance even though it looks like we are licensed for it. What are the names of the flows you see? I can check with our SN account to see why we may not be seeing them. Thanks.
Hello Narsing,
Never mind. I see two entries under sub-flows for Tag Governance. Will check them out.
Hello Narsing, I have a scenario where we have multiple data sources populating the same tag values, and the 'tag' field determines the data source. How do we do policy governance for each data source? I tried to put an encoded query on the tag filter to look for Tag=<<<DB Catalog>>, but it didn't work in some scenarios. For example, if the Environment key is populated by another data source, it will come up as certified, even though the DB Catalog record won't have that value.
Hello Narsing,
What role is needed for Azure cloud TAG remediation?