AWS Cloud Operations Blog
AWS Account vending by integrating ServiceNow with AWS Control Tower Account Factory for Terraform
AWS Control Tower makes it easy to create and manage a secure, multi-account AWS environment, ready for immediate use. However, for more customized setups, particularly using Terraform, customers can use AWS Control Tower Account Factory for Terraform (AFT). Account Factory for Terraform (AFT) sets up a Terraform pipeline to help you provision and customize accounts in AWS Control Tower.
For organizations that have adopted ServiceNow, IT operations teams can offer business teams the ability to self-service provisioning of AWS accounts through a familiar interface. Integrating AWS account provisioning with ServiceNow aligns with the broader goals of increasing efficiency, improving compliance, and enhancing the user experience, all while supporting the organization’s need for agility and innovation.
In this post, we focus on a seamless and automated workflow between ServiceNow and the AFT framework using AWS CodeBuild and Amazon API Gateway. By leveraging this integration, organizations can extend their ITSM capabilities to include the automated vending of AWS accounts, streamlining cloud resource provisioning and aligning it with their established IT processes. The source code for this integration is available in our GitHub repository, so you can follow along and implement the solution in your own environment. If you are looking to provision AWS accounts without any customization, you can use the AWS Service Management Connector; my colleague walked through those steps in the Self-service Account Provisioning Using AWS Service Management Connector for ServiceNow blog post.
Solution Overview
The account vending process starts with an account vending request submitted through a Service catalog request from a ServiceNow instance. This request triggers an API, which is integrated with a build automation tool that generates the necessary Infrastructure as Code (IaC) scripts and configurations for the AWS Control Tower Account Factory (AFT) framework. AFT processes this request through a pipeline to provision and configure an AWS account according to the provided specifications. Upon completion, AFT delivers a fully configured AWS account, along with an account vending response that includes the account details and the status of the provisioning.
The entire process encompasses two primary workflows:
- Account Vending Request: Involves initiating the account creation through ServiceNow and processing the request via the AFT framework.
- Account Vending Response: Consists of the AFT framework returning the final account details and provisioning status to ServiceNow.
Account Vending Request
Figure 1: AFT Account Vending Request Pipeline
The account vending process starts with user input (1) through ServiceNow, in the form of a Service Catalog request. This input is converted into an API request in JSON format. API Gateway (2) functions as an intermediary that parses and interprets the JSON payload, acting as a bridge between ServiceNow and AWS services so the request can be translated. The API Gateway is protected by a Lambda authorizer, which validates the secret passed as part of the ServiceNow request.
After the request is processed by API Gateway, it is sent to AWS CodeBuild (3), which is responsible for updating the AFT Account Requests Repository in AWS CodeCommit. Here, AWS CodeCommit serves as a managed source control service, hosting the repository where the account provisioning requests are stored.
Subsequent to the update in the AWS CodeCommit repository of AFT (4), the AWS Control Tower Account Factory (AFT) (5) pipeline is triggered. The AFT pipeline then processes the account provisioning requests (6), based on the inputs in the Account Requests Repository. This orchestrated workflow ensures a streamlined and efficient process for provisioning new AWS accounts through the integration of ServiceNow and AWS services.
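The Lambda authorizer that protects the API Gateway in step (2) can be implemented as follows. This is an added example, not the code from the post's GitHub repository; it assumes the API key is read from the SSM parameter named by the environment variable API_KEY_PARAMETER_NAME and that ServiceNow sends the key in the Authorization header.

```python
"""REST API Lambda authorizer for the account-vending API (added example).
Assumed: the key lives in the SSM parameter named by API_KEY_PARAMETER_NAME and
ServiceNow sends it in the Authorization header of every request."""
import hmac
import os


def presented_key(headers):
    """Return the Authorization header value. Header names are matched
    case-insensitively because clients and proxies differ in the casing they send."""
    for name, value in (headers or {}).items():
        if name.lower() == "authorization":
            return value or ""
    return ""


def build_policy(effect, method_arn):
    """IAM policy document in the shape a REST API Lambda authorizer must return."""
    return {
        "principalId": "servicenow",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
    }


def authorize(event, expected_key):
    """Pure decision: constant-time comparison so response timing does not leak
    how many leading characters of the key were correct. An empty expected key
    (misconfigured parameter) always denies rather than accidentally allowing."""
    presented = presented_key(event.get("headers"))
    ok = bool(expected_key) and hmac.compare_digest(
        presented.encode("utf-8"), expected_key.encode("utf-8")
    )
    return build_policy("Allow" if ok else "Deny", event["methodArn"])


def load_expected_key():
    """Read the key from Parameter Store; boto3 is imported here so the pure
    functions above can be exercised without AWS credentials."""
    import boto3
    ssm = boto3.client("ssm")
    resp = ssm.get_parameter(Name=os.environ["API_KEY_PARAMETER_NAME"], WithDecryption=True)
    return resp["Parameter"]["Value"]


def handler(event, context):
    return authorize(event, load_expected_key())
```

Returning a Deny policy yields an HTTP 403 to ServiceNow; the decision is cached by API Gateway per the authorizer's configured TTL, so rotate the parameter value and the ServiceNow credential together.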
Account Vending Response
Figure 2: AFT Account Vending Response Automation
The account creation request process involving ServiceNow and the AWS Control Tower Account Factory (AFT) is asynchronous. The AFT account provisioning framework (1) sends a notification to the aft-notifications topic on successful account provisioning. The SNS topic invokes (2) the AWS Lambda function subscribed to it. The Lambda function is configured to retrieve ServiceNow credentials (3) from AWS Secrets Manager, send the account details to the ServiceNow catalog request, and close the request (4) after all customizations on the provisioned account are complete.
Solution Deployment
Deployment Prerequisites
- An AWS Identity and Access Management (IAM) account with administrator privileges for the services used in this solution.
- A landing zone set up using AWS Control Tower, following multi-account best practices.
- Account Factory for Terraform set up in the AFT management account using the steps in the Deploy AWS Control Tower Account Factory for Terraform (AFT) documentation. NOTE: For this post we have used AFT version 1.10.2.
- Configure the AWS credentials of the AFT management account in the terminal. Install the AWS CDK Toolkit. If you’re unfamiliar with the steps, then review the AWS CDK workshop for help.
- A ServiceNow instance with administrator credentials to install the provided sample ServiceNow application through ServiceNow Studio (refer to the following installation instructions).
ServiceNow Sample App installation
Note: This process is thoroughly documented in the ServiceNow documentation.
- Login to ServiceNow as an Administrator.
- In ServiceNow – Launch Studio.
- Copy the sample application to your own Git repository and use it for the ServiceNow application installation. Note: This is a copy of a sample application exported from a ServiceNow Personal Development Instance (PDI) used for testing.
- You should now be able to leverage the AWS Account Creation form in ServiceNow.
AWS Organization Structure
Every customer will have a unique structure and will have different account customizations enabled as part of AFT. For the purpose of this post, we use the AWS Organization structure below and a single account customization called “WORKLOAD_Account_Customization” that is applied to all workload AWS accounts vended from AFT.
Figure 3: AWS Organization Structure
Deployment Steps
For this post, we will be provisioning resources associated with both the ‘Account Vending Request’ and ‘Account Vending Response’ processes. These resources are part of a single AWS CDK (Cloud Development Kit) application, which is available in the GitHub repository and should be provisioned in the AFT management account.
- Clone the repository and bootstrap the application on your local machine by running the following AWS Command Line Interface (AWS CLI) commands from a terminal window.
- Update cdk.json with your AFT account repository name, ServiceNow endpoint URL, and the AFT account request repository committer email and name. Once configured, deploy the aft-account-integration application.
Figure 4: CDK Json Input Update
- Once the application is successfully deployed, the output shows the API Gateway URL, the AFT integration repository, the Secrets Manager secret ARN and the AWS Systems Manager Parameter Store parameter ARN. The API Gateway URL is used for the ServiceNow integration. The AFT integration repository hosts the configuration files used by the AWS CodeBuild project. The SSM Parameter Store parameter holds the API key value that you will use in the authorization header of the ServiceNow request. The Secrets Manager secret should be updated with your ServiceNow username and password.
Figure 5: CDK Deployment Output
- Update the Secrets Manager secret created in the previous step with the ServiceNow username and password.
Figure 6: Secrets Manager for ServiceNow credentials
- Clone the CodeCommit repository (aft_integration_pipeline) created in the previous step outside the CDK application.
NOTE: The above step requires git-remote-codecommit to be set up.
- Copy all the files from the aft_build_scripts folder present in the aft-account-integration repository to the cloned repository.
Figure 7: Build scripts consumed by AWS CodeBuild Project
- The ‘config_map.json’ file acts as the integration configuration, mapping the input payload from ServiceNow to the input parameters required by AFT. In config_map.json, servicenow_to_tfvars describes the payload that will be received from ServiceNow, and businessunit_to_requestype maps each business unit to its corresponding Organizational Unit. Update the OU ID for each business unit in businessunit_to_requestype.
NOTE: Modify the config_map.json file and generate_tfvars_payload as needed to support your AWS Organization structure and AFT account customization requirements.
Figure 8: config_map file update with OU details
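As an added illustration of what generate_tfvars_payload has to do (this is example code, not the build script from the post's repository), the function below turns a ServiceNow payload into the AFT account request written to the auto.tfvars.json file. The config_map layout, the ServiceNow field names (business_unit, request_number, requested_for) and the OU value are assumptions modelled on the description above; the control_tower_parameters keys are AFT's own.

```python
"""Map a ServiceNow catalog payload to an AFT account request (added example; the
config_map layout is an assumption modelled on the page's description)."""
import re

# Constructed sample of config_map.json: which ServiceNow fields feed which
# control_tower_parameters, and which OU each business unit lands in.
CONFIG_MAP = {
    "servicenow_to_tfvars": {
        "account_name": "AccountName",
        "account_email": "AccountEmail",
        "sso_user_email": "SSOUserEmail",
        "sso_user_first_name": "SSOUserFirstName",
        "sso_user_last_name": "SSOUserLastName",
    },
    "businessunit_to_requestype": {  # OU value is a placeholder; put your OU here
        "finance": {"request_type": "workload", "ou": "Finance (ou-xxxx-EXAMPLEID)"},
    },
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,49}$")


def generate_tfvars_payload(sn, config_map=CONFIG_MAP):
    """Build the dict written to <bu>_<type>.auto.tfvars.json. Fields are validated
    because the result is committed as Terraform input that creates an account."""
    bu = (sn.get("business_unit") or "").strip().lower()
    target = config_map["businessunit_to_requestype"].get(bu)
    if target is None:
        raise ValueError(f"unknown business unit: {bu!r}")
    ct = {}
    for sn_field, ct_field in config_map["servicenow_to_tfvars"].items():
        value = (sn.get(sn_field) or "").strip()
        if not value:
            raise ValueError(f"missing field: {sn_field}")
        if ct_field.endswith("Email") and not EMAIL_RE.match(value):
            raise ValueError(f"invalid email in {sn_field}")
        if ct_field == "AccountName" and not NAME_RE.match(value):
            raise ValueError("invalid account name")
        ct[ct_field] = value
    ct["ManagedOrganizationalUnit"] = target["ou"]
    return {
        "control_tower_parameters": ct,
        "account_tags": {"BusinessUnit": bu, "ServiceNowRequest": sn["request_number"]},
        "change_management_parameters": {
            "change_requested_by": sn["requested_for"],
            "change_reason": f"ServiceNow request {sn['request_number']}",
        },
        "custom_fields": {"request_type": target["request_type"]},
        "account_customizations_name": "WORKLOAD_Account_Customization",
    }
```

Rejecting an unknown business unit, rather than defaulting to an OU, keeps a mistyped or tampered request from landing an account outside the intended guardrails.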
- Add the code to the repository by running the following commands:
Validating Account Vending Request
- From the ServiceNow Instance submit a catalog request to vend an AWS account.
Figure 9: ServiceNow request form submission
- Once the Catalog Item is submitted, ServiceNow will invoke the API hosted in your configured AWS vending account with the information submitted in the Catalog Item.
- Validate the AWS CodeBuild “aft-integration-build” ran successfully.
Figure 10: Validating AFT Integration AWS CodeBuild Run
- Validate the entry for the account request in the AFT account request repository.
NOTE: For every business unit and its corresponding account type you will find a corresponding requests.tf and auto.tfvars.json file.
Figure 11: Validating AFT Integration AWS CodeBuild Run
- Navigate to AWS CodePipeline and observe the aft-account-request pipeline running. You should see the pipeline complete successfully with your latest commit message.
Figure 12: Validating AFT Account Request pipeline execution.
- The AFT account vending pipeline sends back the response with the details of the account (account Id and account name), providing the information as a Note. The ServiceNow Catalog Item request is then closed by a script in the ServiceNow installed application.
NOTE: Depending on the customization resources, the response can take some time, which delays the closure of the ServiceNow catalog request accordingly.
Figure 13: ServiceNow ticket closure.
Cleanup
If you are following along with the post and want to terminate the resources to avoid incurring future charges, follow the steps below:
- To close the account provisioned as part of this post, follow the steps in Remove the account from AFT.
- Destroy the CDK Application by running the following commands:
Conclusion
In this post, we’ve demonstrated how to integrate ServiceNow, a popular IT Service Management (ITSM) tool, with the AWS Control Tower Account Factory for Terraform (AFT) using AWS CodeBuild and Amazon API Gateway. This integration allows organizations to extend their ITSM capabilities to include the automated provisioning of AWS accounts, streamlining cloud resource management and aligning it with their established IT processes. By following the step-by-step guide and using the provided source code from our GitHub repository, you can set up this integration in your own environment. This will enable your business teams to easily request and provision new AWS accounts through the familiar ServiceNow interface, while maintaining the necessary governance and control provided by the AFT framework. If you need help with the design and implementation of such a solution, feel free to reach out to us or your local AWS Professional Services team.