Configuring ServiceNow - AWS Service Catalog

Configuring ServiceNow

After completing the IAM and AWS Service Catalog configurations, the next configuration area to set up is ServiceNow. Installation tasks within ServiceNow include:

  • Clear the ServiceNow platform cache.

  • Clear the web browser cache.

  • Activate two ServiceNow plugins.

  • Install the ServiceNow Connector scoped application, and upload and commit the ServiceNow Connector Update Set.

  • Configure ServiceNow platform system admin components.

  • Configure the AWS Service Management Connector scoped application, including accounts, scheduled jobs sync, and permissions.

Clear the ServiceNow Platform Cache

Before installing the AWS Service Management scoped app, we recommend that you clear the ServiceNow platform cache. To do so, enter the following URL: https://[InsertServiceNowInstanceNameHere]/cache.do

Note

Ensure that you install the update set in a non-production/sandbox environment. Consult a ServiceNow system administrator if you need approval to clear the ServiceNow platform cache.

Clear the Web Browser Cache

Clear the web browser cache to remove previously rendered product forms.

Activate Two ServiceNow Plugins (User Criteria Scoped API, and Discovery and Service Mapping Patterns)

Activate the User Criteria Scoped API Plugin

  1. From your ServiceNow dashboard, type plugins into the navigation panel in the upper left.

  2. When the System Plugins page populates, next to the dropdown that says Name, search for User criteria.

  3. Choose User Criteria Scoped API and then choose Activate.

Activate the Discovery and Service Mapping Patterns Plugin

  1. From your ServiceNow dashboard, type plugins into the navigation panel in the upper left.

  2. When the System Plugins page populates, next to the dropdown that says Name, search for Discovery.

  3. Choose Discovery and Service Mapping Patterns and then choose Activate.

Note

This plugin is free and is needed to align to CMDB tables available outside of ServiceNow’s family release CMDB updates.

Installing ServiceNow Connector Scoped Application

The AWS Service Management Connector for ServiceNow is released as a conventional ServiceNow scoped application through a ServiceNow Update Set.

ServiceNow update sets are code changes to the out-of-the-box platform and enable developers to move code across ServiceNow instance environments. The Connector for ServiceNow update set is available to download in the ServiceNow store.

We provide the code for Connector for ServiceNow version 3.0.5 for users who install the update set on a ServiceNow Personal Developer Instance (PDI).

You can apply the Connector for ServiceNow version 3.0.5 update set to a "Paris," "Madrid," "New York," or "Orlando" platform release of ServiceNow.

If you do not already have a ServiceNow instance, start with the first step below. If you already have a ServiceNow instance, proceed to Install the update set.

To obtain a ServiceNow instance

  1. Go to Obtaining a Personal Developer Instance.

  2. Create ServiceNow developer program credentials.

  3. Follow the instructions for requesting a ServiceNow instance.

  4. Capture your instance details, including URL, administrative ID, and temporary password credentials.

To install the update set

  1. From your ServiceNow dashboard, type update sets into the navigation panel in the upper left.

  2. Choose Retrieved Update Sets from the results.

  3. Select Import Update Set from XML and upload the release XML file.

  4. Select the AWS Service Management Connector for ServiceNow update set.

  5. Choose Preview Update Set, which makes ServiceNow validate the connector update set.

  6. Choose Update.

  7. Choose Commit Update Set to apply the update set and create the application. The procedure should reach 100% completion.

Configuring ServiceNow Platform System Admin Components

To enable the AWS Service Management Connector for ServiceNow scoped application named AWS Service Management, the system admin must create a discovery source, and configure specific platform tables, forms, and views.

Create a discovery source AWS Service Management Connector entry

To allow AWS to report discovered CIs into your CMDB, you must create a new discovery data source called AWS Service Management Connector. Perform the following steps:

  1. Navigate to System Definition > Choice Lists.

  2. Choose New.

  3. Create a new entry with the following details:

    • Table: Configuration Item [cmdb_ci]

    • Element: discovery_source

    • Label: AWS Service Management Connector

    • Value: AWS Service Management Connector

Note

Make sure you are in Global mode in ServiceNow System Settings to modify System Definitions.

Enable permissions on ServiceNow Platform table (Catalog Item Category)

For AWS products to display under AWS portfolios as sub-categories in the ServiceNow Service Catalog, you need to modify the Application Access form for Catalog Item Category tables. This action is necessary because a ServiceNow scoped API is not available for the Catalog Item Category table.

  1. Enter "Tables" in the Navigator and choose System Definition, then choose Tables.

  2. In the list of tables, search for a table with the label "Catalog Item Category" (or with the name "sc_cat_item_category"). The list of tables displays. Choose Category to view the form defining the table.

  3. Choose the "Application Access" tab on the form and select the "Can Create", "Can Update", and "Can delete" checkboxes. Choose the "Update" button.

ServiceNow Permissions for Administrators of the Connector Scoped App

The AWS Service Management scoped app comes with two ServiceNow roles that enable access to configure the application. This feature enables system admins to grant one or more users privileges to administer the application without having to open up full sysadmin access to them. System admins can assign these roles to either individual users or to one administrator user.

To set up application administrator privileges

  1. Type Users in the navigator and select System Security – Users.

  2. Select the user (such as admin) to whom you want to grant one or both of the roles described above. You can also Create a User.

  3. Choose Edit on the Roles tab of the form.

  4. Filter the collection of roles by the prefix “x_”.

  5. Choose one or both of the following and add them to the user: x_126749_aws_sc_account_admin, x_126749_aws_sc_portfolio_manager

  6. Choose Save.

To add AWS Service Catalog to ServiceNow Service Catalog categories

  1. Navigate to Self Service | Service Catalog and select the Add content icon in the upper right.

  2. Select the AWS Service Catalog Product entry. To add it to your catalog home page, choose the first Add Here link on the second row of the selection panel at the bottom of the page.

To add AWS Systems Manager automation documents to ServiceNow Service Catalog categories

  1. Navigate to Self Service | Service Catalog and select the Add content icon in the upper right.

  2. Select the AWS Systems Manager entry. To add it to your catalog home page, choose the first Add Here link on the second row of the selection panel at the bottom of the page.

Note

This Connector release displays all AWS Systems Manager documents available in the AWS account that has AWS Systems Manager selected.

System administrators can deactivate AWS Systems Manager documents requests. To deactivate requests, go to AWS Systems Manager > Automation Documents and deselect the Active button. After deactivation of the document, end users no longer see the document in the ServiceNow Service Catalog.

To add a change request type

  1. If you are upgrading from a previous version of the AWS Service Management scoped app, you must remove the AWS Product Termination change request type before you create a new change request type.

  2. You must add a new change request type called AWS Provisioned Product Event for the scoped application to trigger an automated change request in Change Management. For instructions, see Add a new change request type.

  3. Open an existing change request.

  4. Open the context (right-click) menu for Type and then choose Show Choice List.

  5. Choose New and fill in the following fields:

    • Table: Change Request

    • Label: AWS Provisioned Product Event

    • Value: AWSProvisionedProductEvent

    • Sequence: pick the next unused value

  6. Submit the form.

Configuring AWS Service Management Connector Scoped Application

Having installed and configured the AWS Service Management Connector for ServiceNow in the previous procedure, you must configure the scoped application and applicable roles.

To configure the AWS Service Management Connector scoped application permissions

  1. In your ServiceNow instance, create a user group called Order_AWS_Products. Members of this group can order AWS Service Catalog products. For instructions, see Create a user group.

  2. Grant ServiceNow permissions to the following users:

    • System Administrator (admin): For simplicity in this example, user admin is the administrator of the AWS Service Management scoped application. Grant this user both of the administrative permissions from the adapter, x_126749_aws_sc_portfolio_manager and x_126749_aws_sc_account_admin. Add System Administrator to the new ServiceNow group Order_AWS_Products. In a real scenario, these roles would likely be granted to different users or groups.

    • Abel Tuter: The user abel.tuter is chosen as an illustrative end user. Add Abel to the new group Order_AWS_Products. This allows him to order products from AWS.

ServiceNow Permissions Recap

| ServiceNow Persona | Scoped App Permissions | ServiceNow Permission Type |
|--------------------|------------------------|----------------------------|
| Admin | x_126749_aws_sc_portfolio_manager, x_126749_aws_sc_account_admin, Order_AWS_Products | Role (scoped app), Role (scoped app), Group |
| End User (i.e. Abel Tuter) | Order_AWS_Products | Group |
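
A least-privilege check over the role and group assignments recapped above, as an added example (it is not part of the connector or of the original page). It assumes the rows were exported from the ServiceNow sys_user_has_role and sys_user_grmember tables with the dot-walked fields user.user_name, role.name and group.name; the sample rows, the approved-user sets and the user jane.doe are constructed.

```python
from collections import defaultdict

# Role and group names as given on this page.
CONNECTOR_ROLES = {"x_126749_aws_sc_account_admin",
                   "x_126749_aws_sc_portfolio_manager"}
PLATFORM_ADMIN = "admin"          # ServiceNow system administrator role
ORDER_GROUP = "Order_AWS_Products"


def audit_assignments(role_rows, group_rows, approved_admins, approved_orderers):
    """Return sorted (user, finding) tuples. Rows are assumed to come from
    sys_user_has_role / sys_user_grmember exports with dot-walked fields."""
    roles_by_user = defaultdict(set)
    for row in role_rows:
        roles_by_user[row["user.user_name"]].add(row["role.name"])

    findings = []
    for user, roles in roles_by_user.items():
        held = roles & CONNECTOR_ROLES
        if not held:
            continue
        if user not in approved_admins:
            findings.append((user, "unapproved connector role: " + ", ".join(sorted(held))))
        if held == CONNECTOR_ROLES:
            findings.append((user, "holds both connector admin roles"))
        if PLATFORM_ADMIN in roles:
            findings.append((user, "connector role combined with platform admin"))

    for row in group_rows:
        user = row["user.user_name"]
        if row["group.name"] == ORDER_GROUP and user not in approved_orderers:
            findings.append((user, "unapproved member of " + ORDER_GROUP))
    return sorted(findings)


# Constructed sample export: the demo setup from this page plus one
# unexpected account (jane.doe, hypothetical) to show a finding.
SAMPLE_ROLE_ROWS = [
    {"user.user_name": "admin", "role.name": "admin"},
    {"user.user_name": "admin", "role.name": "x_126749_aws_sc_account_admin"},
    {"user.user_name": "admin", "role.name": "x_126749_aws_sc_portfolio_manager"},
    {"user.user_name": "jane.doe", "role.name": "x_126749_aws_sc_portfolio_manager"},
]
SAMPLE_GROUP_ROWS = [
    {"user.user_name": "admin", "group.name": "Order_AWS_Products"},
    {"user.user_name": "abel.tuter", "group.name": "Order_AWS_Products"},
    {"user.user_name": "jane.doe", "group.name": "Order_AWS_Products"},
]

if __name__ == "__main__":
    for user, finding in audit_assignments(SAMPLE_ROLE_ROWS, SAMPLE_GROUP_ROWS,
                                           {"admin"}, {"admin", "abel.tuter"}):
        print(f"{user}: {finding}")
```

Run against the demo setup, the single admin user is reported for holding both connector roles alongside platform admin, which is the simplification the page says a real deployment would split across users or groups.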

Configuring Accounts

  1. Log in as the system administrator.

  2. Type AWS in the navigator. Go to the AWS Service Management scoped app.

  3. In the AWS Service Management scoped app Accounts menu, create one entry for every AWS account. You need to use the keys and secret keys from the users you created in AWS.

To create an account entry

  1. Enter the name as an account entry identifier, such as Connector_Demo (for Commercial region), or Connector_Demo_GovCloud (for GovCloud region).

  2. Enter the AWS access key and secret access key from the AWS account sync user IAM configurations.

  3. Enter the AWS access key and secret access key from the AWS account end user IAM configurations.

  4. Select AWS service integrations that you want visible for this AWS account. The choices include:

    • AWS Service Catalog

    • AWS Config

    • AWS Systems Manager

  5. Go to Account Regions. Select the Commercial or GovCloud Region. To see the AWS account regions, double-click on “Insert a new row…”.

  6. Repeat the step above to insert additional Regions.

  7. Save or update the account entries.

  8. Validate AWS account connectivity in the next section.

Validating Connectivity to AWS Regions

You can now validate connectivity to AWS regions between the ServiceNow Connector_Demo account and the AWS IAM SMSyncUser and SMEndUser.

To validate connectivity to the AWS account

  1. In the AWS Service Management scoped app, choose Accounts.

  2. Select Connector_Demo and choose Validate Account.

  3. A successful connection results in the message, “Successfully validating AWS account in each referenced Region.”

If the AWS IAM access key or secret access key is incorrect, you will receive an error message.

Manually Syncing Scheduled Jobs

During the initial setup, manually execute the sync instead of waiting for Scheduled Jobs to run. The default sync schedule is every 31 minutes.

To sync the accounts manually

  1. Log in as system administrator.

  2. Find Scheduled Jobs in the navigator panel.

  3. Search for job Sync all Accounts, select it, and choose Execute Now.

    Note

    If you do not see Execute Now in the upper left corner, choose Configure Job Definition. Execute Now then becomes visible.

Data is visible in the AWS Service Management scoped app menus after the adapter’s scheduled synchronization job has run.

Granting Access to Portfolios

This release of the Connector removes the need to link AWS identities to ServiceNow roles. To grant access to AWS Service Catalog products in ServiceNow, you must establish a link between the AWS Service Catalog portfolios and the ServiceNow group (for example, Order_AWS_Products created earlier in the instructions as an installation example).

To grant access to AWS Service Catalog portfolios in ServiceNow

  1. In the AWS Service Management scoped app, choose the Portfolios module.

  2. Select the desired Portfolio ARN. You can double-click the AWS Service Catalog portfolio name.

  3. Select the Allowed Groups tab.

  4. Choose New and enter the Group named Order_AWS_Products.

  5. Choose Submit.

Configure AWS Tags Generated by ServiceNow Administrators

The AWS Service Management Connector v3.0.5 enables ServiceNow administrators to add tags (metadata) to provisioned products globally across the scoped app or granularly at the portfolio level. These tags are not visible to end users.

Two tag types are available in this release:

  • Generic tags in which the admin can enter the key and value

  • ServiceNow Request Item tags in which the admin can enter the following syntax for key and value

    | Key | Value |
    |-----|-------|
    | Requested Item Number | ${REQUEST_NUMBER} |
    | User | ${USERNAME} |
    | Requested for | ${REQUESTED_FOR} |
    | Opened by | ${OPENED_BY} |

To add generic AWS tags to AWS Service Catalog provisioned products in ServiceNow

  1. In the AWS Service Management scoped app, choose the Tags module.

  2. Choose New.

  3. For Global tags, enter the Key and Value entries and choose Submit.

  4. For Portfolio tags, deselect the Global check box. The Portfolio field becomes available. Select the AWS Service Catalog portfolio, enter the Key and Value entries, and choose Submit.

To add in-scope ServiceNow request item AWS tags to AWS Service Catalog provisioned products derived from ServiceNow

  1. In the AWS Service Management scoped app, choose the Tags module.

  2. Choose New.

  3. For Global tags, enter the specific Key and Value entries for either User or Request Item Number, and choose Submit.

Once products are provisioned, you can see in the AWS console that these tags are associated with the resource.
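
A pre-flight check for the tag definitions described above, as an added example (not the connector's own code). It assumes the ${...} values are filled by plain string substitution and checks the result against the AWS tag limits (128-character keys, 256-character values, reserved aws: prefix, restricted character set); the request context values are constructed.

```python
import re

# Placeholders documented on this page for ServiceNow Request Item tags.
KNOWN_PLACEHOLDERS = {"REQUEST_NUMBER", "USERNAME", "REQUESTED_FOR", "OPENED_BY"}
PLACEHOLDER_RE = re.compile(r"\$\{([^}]*)\}")
EXTRA_CHARS = set("_.:/=+-@")   # allowed in AWS tags besides letters, digits, spaces
MAX_KEY, MAX_VALUE = 128, 256   # AWS tag length limits


def resolve(template, context):
    """Substitute ${NAME}; unknown or missing names are left literal (assumption)."""
    def sub(match):
        name = match.group(1)
        if name in KNOWN_PLACEHOLDERS and name in context:
            return context[name]
        return match.group(0)
    return PLACEHOLDER_RE.sub(sub, template)


def tag_problems(key, value_template, context):
    """Return the problems found for one tag after placeholder resolution."""
    value = resolve(value_template, context)
    problems = ["unresolved placeholder ${%s}" % n for n in PLACEHOLDER_RE.findall(value)]
    if not 1 <= len(key) <= MAX_KEY:
        problems.append("key length must be 1-%d" % MAX_KEY)
    if len(value) > MAX_VALUE:
        problems.append("value longer than %d characters" % MAX_VALUE)
    if key.lower().startswith("aws:"):
        problems.append("key uses the reserved aws: prefix")
    for label, text in (("key", key), ("value", value)):
        # isalnum()/isspace() approximate the Unicode letter, number and
        # separator classes that AWS accepts; placeholders are reported above.
        bad = sorted({c for c in PLACEHOLDER_RE.sub("", text)
                      if not (c.isalnum() or c.isspace() or c in EXTRA_CHARS)})
        if bad:
            problems.append("%s has unsupported characters: %s" % (label, "".join(bad)))
    return problems


# Constructed request context for illustration.
SAMPLE_CONTEXT = {"REQUEST_NUMBER": "RITM0010001", "USERNAME": "abel.tuter",
                  "REQUESTED_FOR": "Abel Tuter", "OPENED_BY": "Sean O'Neil"}

if __name__ == "__main__":
    for key, template in [("Requested Item Number", "${REQUEST_NUMBER}"),
                          ("User", "${USER_NAME}"), ("Opened by", "${OPENED_BY}")]:
        print(key, "->", tag_problems(key, template, SAMPLE_CONTEXT) or "ok")
```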

Configure the AWS Service Catalog Product Widget Components Viewable to End Users

To address the varying personas of end users requesting AWS products, the Connector for ServiceNow includes a scoped app setting to enable or disable components of the AWS product widget. By default, all AWS product components are enabled.

To modify the AWS product view

  1. In the navigator, type System Properties and select AWS Service Catalog.

    Note

    Make sure you are in the AWS Service Management Connector scoped application mode.

  2. Deselect any AWS product component such as:

    • Enable editing of the AWS Service Catalog Product name.

    • Enable selection of launch options for AWS Service Catalog Products. (Note that this component is only visible if the AWS product has more than one launch path.)

    • Enable selection of product versions for AWS Service Catalog. (Note that this component is only visible if the AWS product has more than one product version.)

    • Enable tags for AWS Service Catalog Products.

    • Enable plans (ChangeSet) creation for product. (Note that if set to false the plan section will be hidden.)

  3. Choose Save.

Add the My AWS Products Widget to the Service Portal View

We recommend ServiceNow administrators add the My AWS Products widget to the ServiceNow Portal view. The widget enables users to view their AWS product requests, view outputs, and perform post-operational actions such as update, terminate, and service actions (AWS Systems Manager documents).

To include the My AWS Products widget on the Service Portal view

  1. Log in as system administrator in the ServiceNow standard user interface (Fulfiller view).

  2. In the navigator panel, find Service Portal.

  3. Select Service Portal Configuration.

  4. Select Designer.

  5. Search for Service Portal in the filter.

  6. Select the Service Portal box with a house image and the word Index in the lower right corner.

  7. On the Widgets section in the left panel, type My AWS Products in the Filter Widget.

  8. Drag the widget onto the Service Portal edit view to your desired location.

  9. Preview your changes.

View Budgets Related to AWS Service Catalog Portfolios and Products

ServiceNow administrators can view budgets and actual costs related to AWS Service Catalog portfolios and products in the ServiceNow standard user interface.

To view portfolio budgets

  1. Log in as system administrator.

  2. In the navigator panel, search for AWS Service Catalog.

  3. Select the Portfolios module.

  4. Select the AWS Service Catalog portfolio that contains an associated budget.

  5. Choose the Budget tab.

To view product budgets

  1. Log in as system administrator.

  2. In the navigator panel, search for AWS Service Catalog.

  3. Select the Products module.

  4. Select the AWS Service Catalog product that contains an associated budget.

  5. Choose the Budget tab.