Unable to Discover with Terraform Cloud

Brent Langdon · ‎02-26-2020

I am quite new to ServiceNow. I am working with a developer instance to develop a proof of concept to integrate ServiceNow with Terraform. I got it working with a "Terraform Environment" (a Linux vm with Terraform installed). I could not get Discovery to work with Terraform Cloud. I am looking for any tips on what I might be doing wrong.

I created a Config Provider with the following settings:

Provider: Terraform Enterprise
Server Type: Cloud
Organization: my organization in Terraform Cloud
URL: https://app.terraform.io/api/v2/
Credentials: (created using API Token from Terraform Cloud)

Based on some trial and error, I think the URL is correct. I have tried using an API Token for the User, Group and Organization without any luck.

When I run this, I see some lines in my MID Server log that look valid and don't report any errors.

I don't understand what "Ensure that you create a credential alias with Type > Connection." from this page:
https://docs.servicenow.com/bundle/orlando-it-operations-management/page/product/cloud-management-v2-setup/task/terraform-enterprise-config-provider.html

Not sure if that is supposed to say "Type > Credential". I added an alias of type Credential, but I don't really know what that does. Adding an Alias of Type "Connection and Credential" generates a validation message: "Alias X is not of type Credential"

I tried upgrading my dev instance to Orlando to see if that would make a difference, but it did not.

I see the following entries in my ServiceNow System Log each time I run Discovery (messages at the bottle are generated first).

==========
Failure while processing chunk : ChunkedStepResult{correlationId='68afdebfdbcf00102655d426ca961901', error='
Outbound REST call to get TFE VCS failed StatusCode:401, ErrorCode:3, Message:Method failed: (/api/v2/organizations/ngc-cssg/oauth-clients) with code: 401 - Invalid username/password combo', output='[]', chunkNumber=1, totalChunks=1, isRouteComplete=true, exception=null}:
==========
Failure to handle chunked result: com.snc.cloud.mgmt.modules.svccatalog.orchestration.BPOException:
Outbound REST call to get TFE VCS failed StatusCode:401, ErrorCode:3, Message:Method failed: (/api/v2/organizations/ngc-cssg/oauth-clients) with code: 401 - Invalid username/password combo:
==========
Failed to parse the output of new CMPCIRelationshipUtil().getLdcAndServiceAccount('<param value removed>'), exception: : com.fasterxml.jackson.databind.exc.MismatchedInputException: No content to map due to end-of-input
==========
Failed to parse the output of new CMPCIRelationshipUtil().getLdcAndServiceAccount('<param value removed>'), exception: : com.fasterxml.jackson.databind.exc.MismatchedInputException: No content to map due to end-of-input
==========

I am able to call /api/v2/organizations/ngc-cssg/oauth-clients using curl (from a command prompt on my Linux based MID Server) and passing in any of the 3 API Tokens (User, Group or Org) following the Terraform Cloud API. (example here: https://www.terraform.io/docs/cloud/api/oauth-clients.html)

Any tips appreciated! Thanks!!

aniket_singh · ‎02-26-2020

Hi Brent,

Here are steps to create credentials for Terraform Enterprise:

TFE Credential key must start with Bearer<SPACE><GENERATED-KEY>. (Bearer mg20XBGc7unMUw.atlasv1.03as07OX4PbTT9WFIP8QMVbt4h8z…)

TFE credential must have alias associated to it.

New alias should be type of credential.

Key for vcs system should be like this token<SPACE>< GENERATED-KEY >. (token f59f323ae7db8bf2aa64aa6437…)
url for Terraform Cloud: https://app.terraform.io/api/v2

View solution in original post

aniket_singh · ‎05-14-2020

Hi Vivek,

Base directory needs full path of directory. For example, Let's consider in vm( where terraform installed) have following directory structure for template files:

Base Directory will be - /home/dev/terraformtemplates
Config installable after discovery:vm/storagevolume/network

Give full path of base directory and try discovery.

Vivektietsood · ‎05-14-2020

Thank you everyone for your help on this one. I was able to configure the directory correctly and make it work. Learning for me was if /home/user/sample.tf was the directory. I needed to only give /home and the rest was automatically detected by SNOW.

Giving screenshots with the hope that it helps someone else stuck in a similar situation.

Had fun learning about it. Thanks again. Now off to creating Cloud Catalog items with it.

Vivektietsood · ‎05-16-2020

Hi All

I have one more question, please. I was able to discover terraform templates hosted on Unix server in EC 2 (Terraform is installed there). I have only one template to start with for provisioning VMs on IBM Cloud.

That template is called - sample.tf, and it has the following info

resource "ibm_compute_vm_instance" "vm1" {

hostname = "vm1"

domain = "example.com"

os_reference_code = "DEBIAN_8_64"

datacenter = "dal09"

network_speed = 10

hourly_billing = true

private_network_only = false

cores = 1

memory = 1024

disks = [25]

local_disk = false

}

There is another .tf file called provider that has the following info

provider "ibm" {

ibmcloud_api_key = var.ibmcloud_api_key

generation = 1

region = var.region

iaas_classic_username = var.iaas_classic_username

iaas_classic_api_key = var.iaas_classic_api_key

}

Now there is a third file called terraform.tfvars, and it has api key info that terraform needs to connect to IBM Cloud

ibmcloud_api_key = "XXXXXXXXXXX"

iaas_classic_username = "XXXXXXXXXXX"

iaas_classic_api_key = "XXXXXXXXXXX"

region = "us-south"

Now discovering these tf files only brings provider.tf and sample.tf. It does not bring in terraform.tfvars

So subsequently, my Cloud template does not have any info on IBM credentials:

I tried ordering the VM through the catalog item. It gives error Failed to execute API, possibly due to lack of credentials

I tried renaming terraform.tfvars file as terraform.tf and it still does not get imported, if anyone has faced a similar problem please help. Where do I need to configure IBM Cloud credentials. I searched community and could not find any answer. Please help!

aniket_singh · ‎05-18-2020

Hi Vivek,

Values of Credential keys will be passed based on selected cloud account.

Cloud Account --> Service Account --> Credentials.

.tfvars file may contain sensitive data which should not be exposed. This is reason we do not discover .tfvars file.

As per error, which you got while provisioing template, it might be issue in creation of vm. You might need increase wait_time_minutes which is by default 90 .

Vivektietsood · ‎05-18-2020

thanks. Please let me know how to increase the wait_time_ minutes. Is this at SNOW end ? I am not hopeful that it would still work as I created a specific credential for ServiceNow to use Terraform credentials. I then used these credentials to discover Terraform server (enterprise). After which I created a catalog entry using the discovered .tf files. Nowhere I instructed catalog entry to use IBM Service Account.

I created Service Account before starting this terraform project and was able to discover IBM data centers