AWS Cloud Operations Blog

AWS Account vending by integrating ServiceNow with AWS Control Tower Account Factory for Terraform

AWS Control Tower makes it easy to create and manage a secure, multi-account AWS environment that is ready for immediate use. For more customized setups, particularly with Terraform, customers can use AWS Control Tower Account Factory for Terraform (AFT), which sets up a Terraform pipeline to help you provision and customize accounts in AWS Control Tower.

For organizations that have adopted ServiceNow, IT operations teams can offer business teams self-service provisioning of AWS accounts through a familiar interface. Integrating AWS account provisioning with ServiceNow supports the broader goals of increasing efficiency, improving compliance, and enhancing the user experience, while meeting the organization's need for agility and innovation.

In this post, we focus on a seamless, automated workflow between ServiceNow and the AFT framework using AWS CodeBuild and Amazon API Gateway. With this integration, organizations can extend their ITSM capabilities to include the automated vending of AWS accounts, streamlining cloud resource provisioning and aligning it with their established IT processes. The source code for this integration is available in our GitHub repository, so you can follow along and implement the solution in your own environment. If you want to provision AWS accounts without any customization, you can use the AWS Service Management Connector instead; a colleague walks through those steps in the post Self-service Account Provisioning Using AWS Service Management Connector for ServiceNow.

Solution Overview

The account vending process starts with a request submitted through a Service Catalog item in a ServiceNow instance. This request triggers an API that is integrated with a build automation tool, which generates the Infrastructure as Code (IaC) files and configuration that the AWS Control Tower Account Factory for Terraform (AFT) framework expects. AFT processes the request through its pipeline to provision and configure an AWS account according to the provided specifications. Upon completion, AFT delivers a fully configured AWS account, along with an account vending response that carries the account details and the provisioning status.

The entire process encompasses two primary workflows:

  1. Account Vending Request: initiating the account creation through ServiceNow and processing the request via the AFT framework.
  2. Account Vending Response: the AFT framework returning the final account details and provisioning status back to ServiceNow.

Account Vending Request

Figure 1: AFT Account Vending Request Pipeline (image: architecture for provisioning an AWS account from a catalog request submitted in the ServiceNow instance)

The account vending process starts with user input (1) through ServiceNow, in the form of a Service Catalog request. This input is converted into an API request carrying a JSON payload. API Gateway (2) acts as the bridge between ServiceNow and AWS services: it receives the JSON payload from ServiceNow and passes it on to the build step. The API is protected by a Lambda authorizer that validates the shared secret passed as part of the ServiceNow request. Treat that secret as a credential: anyone holding it can submit vending requests, so restrict who can read it and rotate it as you would any other API key.
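The authorizer described above, written out as an added example (this is not the post's or the repository's own code). It assumes the API key travels in the Authorization header, as the post states, optionally with a "Bearer " prefix, and that the expected value is an SSM SecureString parameter whose name is supplied in an API_KEY_PARAM environment variable (the CDK output gives the parameter ARN; the variable name is an assumption). The comparison uses a constant-time check so a caller cannot learn the key byte by byte from response timing.

```python
"""Lambda REQUEST authorizer for the vending API (added example, not the post's code).

Assumes: shared key in the Authorization header (optional 'Bearer ' prefix),
expected value in an SSM SecureString parameter named by API_KEY_PARAM.
"""
import hmac
import os
import time

_CACHE = {"value": None, "fetched_at": 0.0}
CACHE_TTL_SECONDS = 300  # bounds how long a rotated key keeps working on warm containers


def expected_key(param_name: str) -> str:
    """Fetch the API key from Parameter Store, decrypting the SecureString, and
    cache it across warm invocations so every request is not an SSM call."""
    if _CACHE["value"] is None or time.time() - _CACHE["fetched_at"] > CACHE_TTL_SECONDS:
        import boto3  # imported lazily so the module loads without AWS credentials
        resp = boto3.client("ssm").get_parameter(Name=param_name, WithDecryption=True)
        _CACHE.update(value=resp["Parameter"]["Value"], fetched_at=time.time())
    return _CACHE["value"]


def build_policy(effect: str, method_arn: str, principal_id: str = "servicenow") -> dict:
    """IAM policy document in the shape API Gateway expects back from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect,
                           "Resource": method_arn}],
        },
    }


def presented_key(event: dict) -> str:
    """Header lookup is case-insensitive; ServiceNow may send 'authorization'."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    value = headers.get("authorization", "").strip()
    return value[len("Bearer "):] if value.startswith("Bearer ") else value


def authorize(event: dict, secret: str) -> dict:
    """Allow or deny one request. Pure function, so it can be tested offline."""
    key = presented_key(event)
    # compare_digest takes time independent of where the strings differ;
    # a plain == would let a caller measure how many leading bytes matched.
    if key and hmac.compare_digest(key.encode(), secret.encode()):
        return build_policy("Allow", event["methodArn"])
    return build_policy("Deny", event["methodArn"])


def handler(event, context):
    """Entry point configured on the API Gateway REQUEST authorizer."""
    return authorize(event, expected_key(os.environ["API_KEY_PARAM"]))
```

Configure the Authorization header as the authorizer's identity source so API Gateway's result cache is keyed on the presented secret; a request with a different or missing header then gets its own authorization decision rather than a cached Allow.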

After API Gateway accepts the request, it invokes AWS CodeBuild (3), which updates the AFT account requests repository in AWS CodeCommit. AWS CodeCommit is the managed source control service hosting the repository where the account provisioning requests are stored.

The commit to the AFT CodeCommit repository (4) triggers the AWS Control Tower Account Factory for Terraform (AFT) (5) pipeline, which processes the account provisioning requests (6) defined in the account requests repository. The integration only automates the commit; from that point on, account creation follows the normal AFT pipeline.

Account Vending Response

Figure 2: AFT Account Vending Response Automation (image: architecture for updating the status of the catalog request after account creation)

The account creation request process between ServiceNow and AFT is asynchronous. On successful account provisioning, the AFT account provisioning framework (1) publishes a notification to the aft-notifications SNS topic. The topic invokes (2) the AWS Lambda function subscribed to it. The Lambda function retrieves the ServiceNow credentials (3) from AWS Secrets Manager, posts the account details to the ServiceNow catalog request, and closes the request (4) once all customizations on the provisioned account are complete.
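The response path, as an added example rather than the post's Lambda code. The layout of the SNS message body is an assumption (inspect a delivered aft-notifications message before relying on any field names); the ServiceNow request sys_id is assumed to have been carried through AFT as a custom field; the ServiceNow endpoint and secret name come from environment variables named here for illustration; and the update goes to the Table API for sc_req_item with basic authentication from a Secrets Manager secret holding username and password keys. Credentials are read at call time and never logged, and the endpoint is refused unless it is HTTPS, since basic auth over plain HTTP would expose the ServiceNow password.

```python
"""SNS -> Lambda -> ServiceNow response handler (added example, not the post's code).

Assumed: SNS message layout, the servicenow_ritm_sys_id custom field, the
SERVICENOW_ENDPOINT / SERVICENOW_SECRET_NAME variables and the secret's keys.
"""
import base64
import json
import os
import urllib.request

SERVICENOW_TABLE = "sc_req_item"  # assumed: the requested item created by the catalog request


def parse_notification(event: dict) -> dict:
    """Extract what we need from the SNS envelope. Message layout is an assumption."""
    msg = json.loads(event["Records"][0]["Sns"]["Message"])
    return {
        "account_id": msg["account_info"]["id"],
        "account_name": msg["account_info"]["name"],
        "ritm_sys_id": msg["custom_fields"]["servicenow_ritm_sys_id"],
    }


def servicenow_credentials(secret_name: str) -> tuple:
    """Read {'username': ..., 'password': ...} from Secrets Manager at call time,
    so the password sits neither in the function configuration nor in code."""
    import boto3  # lazy import keeps the module importable offline
    secret = json.loads(
        boto3.client("secretsmanager").get_secret_value(SecretId=secret_name)["SecretString"]
    )
    return secret["username"], secret["password"]


def endpoint_is_safe(endpoint: str) -> bool:
    """Basic auth must only ever travel over TLS."""
    return endpoint.startswith("https://")


def build_update(endpoint: str, sys_id: str, details: dict, creds: tuple) -> urllib.request.Request:
    """PATCH the requested item with a work note carrying the account details."""
    if not endpoint_is_safe(endpoint):
        raise ValueError("ServiceNow endpoint must be https://")
    note = f"AWS account provisioned: {details['account_name']} ({details['account_id']})"
    body = json.dumps({"work_notes": note}).encode()
    token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
    url = f"{endpoint.rstrip('/')}/api/now/table/{SERVICENOW_TABLE}/{sys_id}"
    req = urllib.request.Request(url, data=body, method="PATCH")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    return req


def handler(event, context):
    details = parse_notification(event)
    creds = servicenow_credentials(os.environ["SERVICENOW_SECRET_NAME"])
    req = build_update(os.environ["SERVICENOW_ENDPOINT"], details["ritm_sys_id"], details, creds)
    with urllib.request.urlopen(req, timeout=10) as resp:
        # Log the status only; the request headers carry the credential.
        print(f"ServiceNow update returned HTTP {resp.status} for account {details['account_id']}")
    return {"account_id": details["account_id"], "ritm_sys_id": details["ritm_sys_id"]}
```

Closing the request itself is left to the script in the installed ServiceNow application, as the post describes; the Lambda only adds the work note that the script reacts to.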

Solution Deployment

Deployment Prerequisites

  1. AWS Identity and Access Management (IAM) credentials with administrator privileges for the services used in this solution.
  2. A landing zone set up with AWS Control Tower, following the multi-account best practices.
  3. Account Factory for Terraform set up in the AFT management account, using the steps in the documentation for deploying AWS Control Tower Account Factory for Terraform (AFT). NOTE: This post uses AFT version 1.10.2.
  4. The AWS credentials of the AFT management account configured in your terminal, and the AWS CDK Toolkit installed. If you are unfamiliar with these steps, review the AWS CDK workshop.
  5. A ServiceNow instance with administrator credentials to install the provided sample ServiceNow application through ServiceNow Studio (see the installation instructions below).

ServiceNow Sample App installation

Note: This process is thoroughly documented in the ServiceNow documentation.

  1. Log in to ServiceNow as an administrator.
  2. In ServiceNow, launch Studio.
  3. Import the sample application; you can copy it to your own Git repository for the ServiceNow application installation. Note: this is a copy of a sample application exported from a ServiceNow Personal Developer Instance (PDI) used for testing.
  4. You should now be able to use the AWS Account Creation form in ServiceNow.

AWS Organization Structure

Every customer has a unique structure and different account customizations enabled in AFT. For this post, we use the AWS Organizations structure below and a single account customization, "WORKLOAD_Account_Customization", that is applied to every workload AWS account vended by AFT.

Figure 3: AWS Organization Structure (image: the AWS Organizations structure used in the deployment steps of this post)

Deployment Steps

For this post, we provision the resources for both the 'Account Vending Request' and 'Account Vending Response' processes. These resources are part of a single AWS CDK (Cloud Development Kit) application, available in the GitHub repository, and should be provisioned in the AFT management account.

  1. Clone the repository and set up the application on your local machine by running the following commands from a terminal window.
git clone <repo url> aft-account-vending

cd aft-account-vending

python3 -m venv .venv

source .venv/bin/activate

pip install -r requirements.txt
  2. Update cdk.json with your AFT account request repository name, the ServiceNow endpoint URL, and the committer name and email to use for commits to the AFT account request repository. Once configured, deploy the aft-account-integration application:

Figure 4: CDK Json Input Update (image: the values to update in cdk.json before deploying the CDK application)

cdk bootstrap aws://<AFT Management Account>/<AFT Primary Region>
cdk deploy --require-approval=never
  3. Once the application is deployed successfully, the outputs show the API Gateway URL, the AFT integration repository, the Secrets Manager secret ARN and the AWS Systems Manager Parameter Store parameter ARN. The API Gateway URL is used for the ServiceNow integration. The AFT integration repository hosts the configuration files used by the AWS CodeBuild project. The Parameter Store parameter holds the API key value that you pass in the authorization header of the ServiceNow request; treat it as a credential, keep it as a SecureString parameter and restrict who can read it. The Secrets Manager secret must be updated with your ServiceNow username and password.

Figure 5: CDK Deployment Output (image: the CDK deployment outputs shown once the application deployment completes)

  4. Update the Secrets Manager secret created in the previous step with the ServiceNow username and password.

Figure 6: Secrets Manager for ServiceNow Credentials (image: updating the secret with the ServiceNow credentials in the AWS console)

  5. Clone the CodeCommit repository (aft_integration_pipeline) created in the previous step, outside the CDK application directory.
git clone codecommit::us-east-1://aft_integration_pipeline

NOTE: The above command requires git-remote-codecommit to be installed and configured.

  6. Copy all the files from the aft_build_scripts folder in the aft-account-integration repository to the cloned repository.

Figure 7: Build scripts consumed by AWS CodeBuild Project (image: the file structure in Visual Studio Code once the build scripts are copied to the repository)

  7. The config_map.json file acts as the integration configuration, mapping the input payload from ServiceNow to the input parameters required by AFT. In config_map.json, servicenow_to_tfvars describes the payload received from ServiceNow, and businessunit_to_requestype maps each business unit to its organizational unit. Update the OU ID for each business unit in businessunit_to_requestype.

NOTE: Modify config_map.json and generate_tfvars_payload as needed to match your AWS Organizations structure and your AFT account customization requirements.

Figure 8: config_map file update with OU details (image: config_map.json updated with the AWS Organizations OU value)

  8. Add the files to the repository by running the following commands:
git add .
git commit -m "Initial AFT Integration commit"
git push
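What the build step in the procedure above has to produce is an AFT account request. The following is an added example of that mapping, not the post's generate_tfvars_payload script. The ServiceNow field names, the layout of CONFIG_MAP (a constructed stand-in for config_map.json) and the tfvars variable naming are assumptions; the keys under control_tower_parameters and the surrounding fields are the inputs AFT's aft-account-request module takes. Because everything emitted here is committed to the account request repository and run by Terraform, the function rejects malformed emails, account names and unknown business units instead of passing them through.

```python
"""ServiceNow payload -> AFT account request (added example, not the post's code).

Assumed: ServiceNow field names, CONFIG_MAP layout, "<bu>_workload_requests"
variable naming. AFT's control_tower_parameters keys are real.
"""
import json
import re
from pathlib import Path
from typing import Optional

# Constructed stand-in for config_map.json. OU values use AFT's "OU name (ou-id)"
# form so same-named nested OUs are unambiguous; the ids here are made up.
CONFIG_MAP = {
    "servicenow_to_tfvars": {
        "account_email": "AccountEmail",
        "account_name": "AccountName",
        "sso_email": "SSOUserEmail",
        "sso_first_name": "SSOUserFirstName",
        "sso_last_name": "SSOUserLastName",
    },
    "businessunit_to_requestype": {
        "finance": {"ou": "Workload (ou-abcd-11111111)",
                    "customization": "WORKLOAD_Account_Customization"},
        "research": {"ou": "Workload (ou-abcd-22222222)",
                     "customization": "WORKLOAD_Account_Customization"},
    },
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ACCOUNT_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,50}$")


class VendingRequestError(ValueError):
    """Raised when a payload must not reach the AFT account request repository."""


def to_aft_request(payload: dict, config_map: dict = CONFIG_MAP) -> dict:
    """Validate the ServiceNow payload and build one aft-account-request input."""
    ct = {}
    for sn_field, aft_field in config_map["servicenow_to_tfvars"].items():
        value = str(payload.get(sn_field, "")).strip()
        if not value:
            raise VendingRequestError(f"missing field: {sn_field}")
        ct[aft_field] = value
    for field in ("AccountEmail", "SSOUserEmail"):
        if not EMAIL_RE.match(ct[field]):
            raise VendingRequestError(f"invalid email in {field}")
    if not ACCOUNT_NAME_RE.match(ct["AccountName"]):
        raise VendingRequestError("invalid AccountName")
    bu = str(payload.get("business_unit", "")).strip().lower()
    target = config_map["businessunit_to_requestype"].get(bu)
    if target is None:  # an unknown unit must not land in an arbitrary OU
        raise VendingRequestError(f"unknown business unit: {bu!r}")
    ct["ManagedOrganizationalUnit"] = target["ou"]
    ritm = str(payload.get("request_number", "")).strip()
    return {
        "control_tower_parameters": ct,
        "account_tags": {"BusinessUnit": bu, "RequestedVia": "ServiceNow"},
        "change_management_parameters": {
            "change_requested_by": ct["SSOUserEmail"],
            "change_reason": f"ServiceNow request {ritm or 'n/a'}",
        },
        "custom_fields": {"servicenow_request": ritm},
        "account_customizations_name": target["customization"],
    }


def request_error(payload: dict, config_map: dict = CONFIG_MAP) -> Optional[str]:
    """Return the validation message for a payload, or None if it is acceptable."""
    try:
        to_aft_request(payload, config_map)
    except VendingRequestError as exc:
        return str(exc)
    return None


def merge_request(existing: dict, request: dict, var_name: str) -> dict:
    """Add one request to the map (keyed by AccountName) that requests.tf iterates
    over. A re-submitted ticket replaces its entry instead of adding a second one."""
    merged = dict(existing)
    accounts = dict(merged.get(var_name, {}))
    accounts[request["control_tower_parameters"]["AccountName"]] = request
    merged[var_name] = accounts
    return merged


def write_tfvars(request: dict, repo_dir: str, bu: str) -> Path:
    """Persist as <bu>_workload.auto.tfvars.json inside the account request repo."""
    var_name = f"{bu}_workload_requests"
    path = Path(repo_dir) / f"{bu}_workload.auto.tfvars.json"
    existing = json.loads(path.read_text()) if path.exists() else {}
    path.write_text(json.dumps(merge_request(existing, request, var_name), indent=2) + "\n")
    return path
```

The matching requests.tf for a business unit would declare the `<bu>_workload_requests` variable as a map and call the aft-account-request module with `for_each` over it, so each committed entry becomes one account request.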

Validating Account Vending Request

  1. From the ServiceNow instance, submit a catalog request to vend an AWS account.

Figure 9: The ServiceNow request form submission (image: the ServiceNow request form details submitted as part of the account vending request)

  2. Once the catalog item is submitted, ServiceNow invokes the API deployed in your AFT management account with the information from the catalog item.
  3. Validate that the AWS CodeBuild project "aft-integration-build" ran successfully.

Figure 10: Validating AFT Integration AWS CodeBuild Run (image: the AWS CodeBuild run for the submitted account vending catalog request, in the AWS console)

  4. Validate the entry for the account request in the AFT account request repository.

NOTE: For every business unit and its corresponding account type you will find a corresponding requests.tf and auto.tfvars.json.

Figure 11: Validating AFT Integration AWS CodeBuild Run (image: the *.auto.tfvars file generated and added to the account request repository by the CodeBuild run)

  5. Navigate to AWS CodePipeline and observe the aft-account-request pipeline running. You should see the pipeline complete successfully with your latest commit message.

Figure 12: Validating AFT Account Request pipeline execution (image: successful execution of the AFT account request pipeline)

  6. After AFT finishes provisioning and customizing the account, the response Lambda function subscribed to the aft-notifications topic sends the account details (account ID and account name) back to the catalog request as a note. The ServiceNow catalog item request is then closed by a script in the installed ServiceNow application.

NOTE: Depending on the customization resources, it can take some time before the response closes the ServiceNow catalog request.

Figure 13: ServiceNow ticket closure (image: the closed catalog request form in ServiceNow)

Cleanup

If you followed along with the post and want to remove the resources to avoid incurring future charges, follow these steps:

  1. To close the account provisioned as part of this post, follow the steps in the AFT documentation for removing the account from AFT.
  2. Destroy the CDK Application by running the following commands:
    cdk destroy

Conclusion

In this post, we demonstrated how to integrate ServiceNow, a popular IT Service Management (ITSM) tool, with AWS Control Tower Account Factory for Terraform (AFT) using AWS CodeBuild and Amazon API Gateway. This integration allows organizations to extend their ITSM capabilities to include the automated provisioning of AWS accounts, streamlining cloud resource management and aligning it with their established IT processes. By following the step-by-step guide and using the source code from our GitHub repository, you can set up this integration in your own environment. Your business teams can then request and provision new AWS accounts through the familiar ServiceNow interface, while the governance and controls of the AFT framework remain in place. If you need help designing and implementing such a solution, feel free to reach out to us or your local AWS Professional Services team.

About the Authors

Suresh Poopandi

Suresh is a Principal Solutions Architect at AWS, based in Chicago, Illinois, helping Healthcare Life Science customers with their cloud journey by providing architectures utilizing AWS services to achieve their business goals. He is passionate about building home automation and AI/ML solutions.

Gopinath Jagadesan

Gopi is a Senior Solutions Architect at AWS. In his role as a solutions architect, he works with Amazon as a customer, helping design, build, and deploy well-architected solutions on AWS. He holds a master's degree in electrical and computer engineering, specializing in computer networks, from the University of Illinois at Chicago. Outside of work, he enjoys playing soccer and spending time with his family and friends.

Balu Rajendran

Balu is a DevOps Consultant at AWS, guiding healthcare and life sciences customers through their cloud journey. He focuses on implementing effective DevOps practices and promoting accelerated innovation, all aimed at achieving business objectives. He is particularly passionate about, and specializes in, big data, data analytics and application modernization.

Ryan Griffin

Ryan is a Senior Cloud Infrastructure Architect at AWS. He is a self-taught engineer and programmer who has worked in information technology since 2012. He lives outside the Atlanta area and enjoys developing new, innovative solutions.