AWS tag discovery

  • Release version: Xanadu
  • Updated August 1, 2024

    The ServiceNow Discovery and Service Mapping applications can use patterns to discover the tags for AWS resources and configuration item (CI) types, and then populate the CMDB with these discoveries. Discovering some of these resources may require updating to the latest version of the Discovery and Service Mapping Patterns application from the ServiceNow Store.

    This tag-specific discovery pattern is in addition to the other AWS patterns available on the ServiceNow Store. It extends the patterns used for discovering the respective AWS resources.

    Discovery populates the CMDB with tags for the following AWS patterns and CI types:
    • Amazon AWS - ACL (LP) [cmdb_ci_network_acl]
    • Amazon AWS API Gateway [cmdb_ci_cloud_gateway]
    • Amazon AWS - Application and Network LB (LP) [cmdb_ci_cloud_load_balancer]
    • Amazon AWS Application and Network LBs Events
    • Amazon AWS - Classic LB (LP) [cmdb_ci_cloud_load_balancer]
    • Amazon AWS Classic LB Events
    • Amazon AWS Cognito [cmdb_ci_cloud_authentication]
    • Amazon AWS - Customer Gateway (LP) [cmdb_ci_customer_gateway]
    • Amazon AWS DB Cluster
    • Amazon AWS DynamoDB [cmdb_ci_dynamodb_table]
    • Amazon AWS ElastiCache
    • Amazon AWS - ECS [cmdb_ci_cloud_service_account]
    • Amazon AWS - Executable Template (LP) [cmdb_ci_os_template]
    • Amazon AWS - Host (LP)
    • Amazon AWS - Internet Gateway (LP)
    • Amazon AWS keyspace
    • Amazon AWS - Key Pair (LP)
    • Amazon AWS Lambda [cmdb_ci_cloud_function]
    • Amazon AWS - LB Pool (LP)
    • Amazon AWS - NAT Gateway (LP)
    • Amazon AWS - Network (LP)
    • Amazon AWS Network Events
    • Amazon AWS - NIC (LP)
    • Amazon AWS - Owned Template (LP)
    • Amazon AWS - Public IP Address (LP)
    • Amazon AWS Redshift
    • Amazon AWS Relational Database Service [cmdb_ci_cloud_database]
    • Amazon AWS Resource Inventory
    • Amazon AWS - Route Table (LP)
    • Amazon AWS S3 [cmdb_ci_cloud_object_storage]
    • Amazon AWS - Security Group (LP)
    • Amazon AWS Security Group Events
    • Amazon AWS Serverless Database
    • Amazon AWS - Storage (LP)
    • Amazon AWS Storage Events
    • Amazon AWS sub account discovery
    • Amazon AWS - Subnet (LP)
    • Amazon AWS - Virtual Server (LP)
    • Amazon AWS Virtual Server Events
    • Amazon AWS - VPN Connections (LP)
    • Amazon AWS - VPN Gateway (LP)
    Note:
    For more information about the tags and patterns for each of these resources, see the documentation for the specific AWS resource.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Prerequisites

    AWS Credentials
    • On the ServiceNow AI Platform, configure AWS credentials using an access key and a secret key.
    • Have an Amazon Account ID. Use the Account ID exactly as it appears in the AWS Management Console. You can run Discovery from the service account form.
    • Grant the credential read-only access to the Resource Groups Tagging API endpoint, https://tagging.<region>.amazonaws.com. The GetResources call that the pattern makes requires the IAM action tag:GetResources; no permission to create or modify tags is needed.
    Discovery schedule
    Create a schedule for the relevant AWS service account. For more information, see Create a discovery schedule in Cloud Discovery Workspace.

    Pattern tasks

    When discovering AWS tags, the pattern completes the following high-level tasks:
    • Sets the Resource Type filter: Restricts the request to tags on resources of the CI type that the pattern discovers (the ResourceTypeFilters value in the API body).
    • Initiates the Cloud API call: Calls the Resource Groups Tagging API in the cloud environment, collects the tags, and parses their attributes into the Tags table.
    • Parses the resource name from the Amazon Resource Name (ARN). Each AWS resource has a name and a unique identifier, and the ARN identifies the resource uniquely.
      Note:
      Parsing the resource name is needed only for patterns whose main identification section does not identify the CI by the ARN of the AWS resource. In that case, the relation attribute has to be parsed out of the ARN.
    • Includes references to the cloud resource type: Establishes the relationship between the tag entry and the cloud resource it belongs to.

    Cloud Rest Call

    The pattern includes a "Cloud Rest Call" POST operation that collects the tag data. The call is assembled from the following pieces:

    • API URL used to retrieve the data: "https://tagging." + $ldc[1].object_id + ".amazonaws.com/" (the logical datacenter's object_id is the AWS region name)
    • API Body: "{\"ResourceTypeFilters\":[\"" + $resource_type + "\"]}" (limits the results to the resource type the pattern discovers)
    • Headers: "Content-Type:application/x-amz-json-1.1,X-Amz-Target:ResourceGroupsTaggingAPI_20170126.GetResources" (selects the GetResources operation of the Resource Groups Tagging API)

    This data displays as shown in the following window.

    Figure 1. Data from Cloud Rest Call
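As an added example (not code from the ServiceNow pattern), the following Node.js script assembles the same POST request that the Cloud Rest Call step issues, with `region` standing in for $ldc[1].object_id and `resourceType` for $resource_type, and then flattens a GetResources response into the key/value/object_id rows that Discovery stores in cmdb_key_value. Signing and sending the request with the configured access key and secret key is left to the platform and is not shown. The response is constructed for the example and its ARNs are made up. Because the region comes from a CMDB record rather than a fixed string, the example validates it before interpolating it into the hostname.

```javascript
// Added example: build the GetResources request and map its response to
// cmdb_key_value rows. Not ServiceNow pattern code.
const X_AMZ_TARGET = "ResourceGroupsTaggingAPI_20170126.GetResources";

// Mirrors the pattern's URL, body and header strings.
// `region` stands in for $ldc[1].object_id, `resourceType` for $resource_type.
function buildGetResourcesRequest(region, resourceType, paginationToken) {
  // Reject anything that is not a plain region name so that a bad CMDB value
  // cannot steer the signed request to another host.
  if (!/^[a-z]{2}(-gov)?-[a-z]+-\d$/.test(region)) {
    throw new Error("invalid AWS region: " + region);
  }
  const body = { ResourceTypeFilters: [resourceType] };
  if (paginationToken) body.PaginationToken = paginationToken; // continue a paged listing
  return {
    method: "POST",
    url: `https://tagging.${region}.amazonaws.com/`,
    headers: {
      "Content-Type": "application/x-amz-json-1.1",
      "X-Amz-Target": X_AMZ_TARGET,
    },
    body: JSON.stringify(body),
  };
}

// Flatten a GetResources reply into one row per tag. object_id is the resource
// ARN, which is what relates the row back to its cloud resource CI.
// Returns the rows and the PaginationToken to pass into the next request, or null.
function toKeyValueRows(responseJson) {
  const resp = JSON.parse(responseJson);
  const rows = [];
  for (const mapping of resp.ResourceTagMappingList || []) {
    for (const tag of mapping.Tags || []) {
      rows.push({ key: tag.Key, value: tag.Value, object_id: mapping.ResourceARN });
    }
  }
  return { rows, nextToken: resp.PaginationToken ? resp.PaginationToken : null };
}

// Constructed sample response in the shape of a real GetResources reply.
// A resource with an empty Tags list contributes no rows.
const SAMPLE_RESPONSE = JSON.stringify({
  PaginationToken: "",
  ResourceTagMappingList: [
    {
      ResourceARN: "arn:aws:lambda:us-east-1:123456789012:function:billing-export",
      Tags: [{ Key: "Environment", Value: "prod" }, { Key: "Owner", Value: "finops" }],
    },
    { ResourceARN: "arn:aws:lambda:us-east-1:123456789012:function:untagged-fn", Tags: [] },
  ],
});

function demo() {
  const request = buildGetResourcesRequest("us-east-1", "lambda:function");
  const { rows, nextToken } = toKeyValueRows(SAMPLE_RESPONSE);
  return { request, rows, nextToken };
}

console.log(JSON.stringify(demo(), null, 2));
```

Keep calling `buildGetResourcesRequest` with the returned `nextToken` until it is null; a single reply is capped by the service, so a pattern that reads only the first page silently drops tags on large accounts.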

    Data collected by Discovery during horizontal discovery

    The pattern collects the following data during horizontal discovery:

    Table and field          Additional information
    CI type                  [cmdb_key_value]
    Key                      Tag key
    Value                    Tag value
    Object_id                Unique resource ID that identifies the resource in the AWS console (the resource ARN)

    Class model              [cmdb_key_value]
    Extends table            Not applicable
    Identifier: Object_id    Relates the entry to its cloud resource CI
    Metadata rules           Not applicable

    This data is displayed as shown in the following window:

    Figure 2. Data collected during horizontal discovery

    The AWS pattern for a resource whose ARN contains a restapis/ segment (API Gateway REST APIs) uses the following EVAL to extract the API ID from the ARN held in object_id:
    // Take the text after the last "restapis/" in the ARN, for example
    // arn:aws:apigateway:us-east-1::/restapis/abc123/stages/prod -> abc123
    var rtrn;
    var name = ${cmdb_key_value[].object_id};
    // "restapis/" is 9 characters long; read from just after it to the end of the string
    name = name.substring(name.lastIndexOf("restapis/") + 9, name.length);
    // Keep only the segment before the next "/". If no "/" follows the ID,
    // indexOf returns -1 and this yields an empty string.
    name = name.substring(0, name.indexOf("/"));
    rtrn = name;

    Similar EVALs exist for the other patterns whose main identification section does not include ARN information in the main CI type table. When that information is not available, the Tag Extension section must parse a unique value out of the ARN and use it to establish the relationship to the related cloud resource.
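As an added example (not the pattern's EVAL), the following Node.js code performs the same extraction in a form that also covers the other ARN layouts the listed patterns encounter. `nameAfterMarker` is the EVAL's logic with the case of no trailing "/" handled, and `resourceName` applies one generic rule, that the ID is the second component of the ARN's resource part, to API Gateway, Lambda, EC2, DynamoDB and S3 ARNs. That generic rule is an assumption made here for the formats named in the comments, not something the page states, and the ARNs used are constructed.

```javascript
// Added example, not the pattern's own EVAL: parse the resource name or ID out
// of an ARN for the Tag Extension relationship.

// ARN grammar: arn:partition:service:region:account-id:resource
// The resource part may itself contain ':' and '/', so only the first five
// colons are field separators.
function splitArn(arn) {
  if (typeof arn !== "string") return null;
  const parts = arn.split(":");
  if (parts.length < 6 || parts[0] !== "arn") return null;
  return {
    partition: parts[1],
    service: parts[2],
    region: parts[3],
    account: parts[4],
    resource: parts.slice(5).join(":"),
  };
}

// Same idea as the pattern EVAL: the text between `marker` and the next '/'.
// Unlike the EVAL, an ARN that ends right after the ID still yields the ID
// instead of an empty string. Returns null when the marker is absent.
function nameAfterMarker(arn, marker) {
  const at = arn.lastIndexOf(marker);
  if (at === -1) return null;
  const rest = arn.substring(at + marker.length);
  const slash = rest.indexOf("/");
  return slash === -1 ? rest : rest.substring(0, slash);
}

// Generic rule (assumption, see lead-in) for the common resource-part layouts:
//   "id"               -> id   (S3 bucket: arn:aws:s3:::my-bucket)
//   "type:id[:more]"   -> id   (Lambda function:name[:version], RDS cluster:name)
//   "type/id[/more]"   -> id   (EC2 instance/i-..., DynamoDB table/Name[/index/...])
//   "/restapis/id/..." -> id   (API Gateway; the leading '/' is dropped)
function resourceName(arn) {
  const a = splitArn(arn);
  if (!a) return null;
  const comps = a.resource.split(/[/:]/).filter((c) => c.length > 0);
  if (comps.length === 0) return null;
  return comps.length === 1 ? comps[0] : comps[1];
}

// Constructed ARNs exercising each layout.
const SAMPLE_ARNS = [
  "arn:aws:apigateway:us-east-1::/restapis/abc123/stages/prod",
  "arn:aws:apigateway:us-east-1::/restapis/abc123",
  "arn:aws:lambda:us-east-1:123456789012:function:billing-export:3",
  "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123",
  "arn:aws:dynamodb:us-east-1:123456789012:table/Users/index/byEmail",
  "arn:aws:s3:::my-bucket",
];

for (const arn of SAMPLE_ARNS) {
  console.log(arn, "->", resourceName(arn));
}
```

The generic rule is deliberately narrow: it is right for the resource kinds in the list above, and an ARN layout it has not been checked against should get its own marker-based extractor rather than a guess.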