02-26-2020 03:23 PM
I am quite new to ServiceNow. I am working with a developer instance to develop a proof of concept to integrate ServiceNow with Terraform. I got it working with a "Terraform Environment" (a Linux vm with Terraform installed). I could not get Discovery to work with Terraform Cloud. I am looking for any tips on what I might be doing wrong.
I created a Config Provider with the following settings:
- Provider: Terraform Enterprise
- Server Type: Cloud
- Organization: my organization in Terraform Cloud
- URL: https://app.terraform.io/api/v2/
- Credentials: (created using API Token from Terraform Cloud)
Based on some trial and error, I think the URL is correct. I have tried using an API Token for the User, Group and Organization without any luck.
When I run this, I see some lines in my MID Server log that look valid and don't report any errors.
I don't understand what "Ensure that you create a credential alias with Type > Connection." means on this page:
https://docs.servicenow.com/bundle/orlando-it-operations-management/page/product/cloud-management-v2-setup/task/terraform-enterprise-config-provider.html
Not sure if that is supposed to say "Type > Credential". I added an alias of type Credential, but I don't really know what that does. Adding an Alias of Type "Connection and Credential" generates a validation message: "Alias X is not of type Credential"
I tried upgrading my dev instance to Orlando to see if that would make a difference, but it did not.
I see the following entries in my ServiceNow System Log each time I run Discovery (messages at the bottom are generated first).
==========
Failure while processing chunk : ChunkedStepResult{correlationId='68afdebfdbcf00102655d426ca961901', error='
Outbound REST call to get TFE VCS failed StatusCode:401, ErrorCode:3, Message:Method failed: (/api/v2/organizations/ngc-cssg/oauth-clients) with code: 401 - Invalid username/password combo', output='[]', chunkNumber=1, totalChunks=1, isRouteComplete=true, exception=null}:
==========
Failure to handle chunked result: com.snc.cloud.mgmt.modules.svccatalog.orchestration.BPOException:
Outbound REST call to get TFE VCS failed StatusCode:401, ErrorCode:3, Message:Method failed: (/api/v2/organizations/ngc-cssg/oauth-clients) with code: 401 - Invalid username/password combo:
==========
Failed to parse the output of new CMPCIRelationshipUtil().getLdcAndServiceAccount('<param value removed>'), exception: : com.fasterxml.jackson.databind.exc.MismatchedInputException: No content to map due to end-of-input
==========
Failed to parse the output of new CMPCIRelationshipUtil().getLdcAndServiceAccount('<param value removed>'), exception: : com.fasterxml.jackson.databind.exc.MismatchedInputException: No content to map due to end-of-input
==========
I am able to call /api/v2/organizations/ngc-cssg/oauth-clients using curl (from a command prompt on my Linux based MID Server) and passing in any of the 3 API Tokens (User, Group or Org) following the Terraform Cloud API. (example here: https://www.terraform.io/docs/cloud/api/oauth-clients.html)
Any tips appreciated! Thanks!!
02-26-2020 08:40 PM
Hi Brent,
Here are steps to create credentials for Terraform Enterprise:
- TFE Credential key must start with Bearer<SPACE><GENERATED-KEY>. (Bearer mg20XBGc7unMUw.atlasv1.03as07OX4PbTT9WFIP8QMVbt4h8z…)
- TFE credential must have alias associated to it.
- New alias should be type of credential.
- Key for vcs system should be like this token<SPACE>< GENERATED-KEY >. (token f59f323ae7db8bf2aa64aa6437…)
- url for Terraform Cloud: https://app.terraform.io/api/v2
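The credential shapes from the answer above, as an added example that is not part of the original thread and not ServiceNow code: a pre-flight check in Python that lints the stored key strings and builds the same `oauth-clients` request that returned 401 in the System Log. It assumes the stored key is sent as the `Authorization` header value, as the `Bearer` prefix implies; the function names, `example-org` and the sample keys are constructed placeholders.

```python
import urllib.error
import urllib.request

# Shapes taken from the answer above: "Bearer<SPACE><KEY>" for the TFE
# credential and "token<SPACE><KEY>" for the VCS key.
SCHEMES = {"tfe": "Bearer", "vcs": "token"}


def lint_credential(value, kind):
    """Return a list of problems with a stored key; an empty list means OK."""
    scheme = SCHEMES[kind]
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
    parts = value.strip().split(" ")
    if parts[0] != scheme:
        problems.append(f"missing '{scheme} ' prefix")
    elif len(parts) != 2 or not parts[1]:
        problems.append("expected exactly one space, then the key")
    return problems


def build_probe(base_url, organization, credential):
    """Build (without sending) the oauth-clients request seen in the error log."""
    # Joining on a stripped base makes ".../api/v2" and ".../api/v2/" equivalent.
    url = f"{base_url.rstrip('/')}/organizations/{organization}/oauth-clients"
    return urllib.request.Request(url, headers={
        "Authorization": credential,
        "Content-Type": "application/vnd.api+json",
    })


def probe(base_url, organization, credential):
    """Send the request and return the HTTP status (401 = key rejected)."""
    problems = lint_credential(credential, "tfe")
    if problems:
        raise ValueError("; ".join(problems))  # never echo the key itself
    try:
        with urllib.request.urlopen(
                build_probe(base_url, organization, credential), timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Constructed sample values; a raw API token without the prefix is flagged.
    for sample in ("Bearer SAMPLE.atlasv1.PLACEHOLDER", "SAMPLE.atlasv1.PLACEHOLDER"):
        print(sample.split(".")[0], "->", lint_credential(sample, "tfe") or "ok")
```

Running `probe()` from the MID Server host with the exact string stored in the ServiceNow credential record separates a malformed key (rejected locally by the lint) from a key that Terraform Cloud itself refuses with 401.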
05-18-2020 01:39 AM
wait_time_minutes - (Optional) The duration, expressed in minutes, to wait for the VM instance to become available before declaring it as created. It is also the same amount of time waited for no active transactions before proceeding with an update or deletion. Default value: 90.
https://ibm-cloud.github.io/tf-ibm-docs/v0.4.0/r/compute_vm_instance.html
You do not need to do anything explicitly. You choose cloud account in order form while provisioning a catalog item. Credentials will be fetched from service account which is associated to selected Cloud Account.
Have you tried terraform apply directly from the Terraform machine?
05-18-2020 03:03 AM
One more thing to observe: the Terraform connector supports the following authentication mechanism for ibm:
provider "ibm" {
    bluemix_api_key = "XXX"
    softlayer_api_key = "XXXX"
    softlayer_username = "XXXX"
    region = var.region
}
But I can see you are using the latest one, which is not supported:
provider "ibm" {
    ibmcloud_api_key = var.ibmcloud_api_key
    generation = 1
    region = var.region
    iaas_classic_username = var.iaas_classic_username
    iaas_classic_api_key = var.iaas_classic_api_key
}
To support this, we need to modify the credential mapping for ibm.
- Go to IaC Provider Settings
- select Terraform
- select ibm
- change mapping
Old Mapping
New Mapping
Old Value | New Value |
softlayer_api_key | |
bluemix_api_key | |
softlayer_username | |
- You need to create new catalog item after making these changes.
Kindly mark it accepted or helpful if it helps to solve your problem.
Thanks
05-18-2020 03:57 PM
First of all, many thanks to you for working on this with me. Appreciate it very much!
To answer your question - yes, I have used Terraform apply from the machine running Terraform. It is hosted on IBM Cloud, and it creates a VM neatly on IBM Cloud too. The configuration of sample.tf and provider.tf is exactly the same as the one imported in ServiceNow.
The VM on IBM Cloud gets created after 2 m 21 sec, and the device becomes immediately available.
So not sure what impact the following would have:
wait_time_minutes - (Optional) The duration, expressed in minutes, to wait for the VM instance to become available before declaring it as created. It is also the same amount of time waited for no active transactions before proceeding with an update or deletion. Default value: 90.
I am planning to add this attribute in sample.tf file and setting the value as 3 (minutes) and try.
Thank you for your tip on credentials.
If you have any more ideas, please share.
05-18-2020 09:16 PM
Thanks. I have changed the credentials. Changing wait time in the sample.tf does not seem to help.
Where do you suggest changing the wait time?
Going by the description below, wait time is the time until the VM becomes available. This does not seem to matter when provisioning through Terraform apply (I had not confirmed wait time while using apply), so I am not sure it should matter when provisioning through SN.
wait_time_minutes - (Optional) The duration, expressed in minutes, to wait for the VM instance to become available before declaring it as created. It is also the same amount of time waited for no active transactions before proceeding with an update or deletion. Default value: 90.