Self-service enablement with HCP Terraform and ServiceNow
No-code modules in HCP Terraform allow users to deploy infrastructure without writing Terraform configuration. The Terraform ServiceNow Service Catalog integration lets users self-provision infrastructure from ServiceNow with HCP Terraform. The Service Catalog can deploy Terraform configuration from version control repositories or from no-code modules.
The Terraform ServiceNow Service Catalog comes with two catalog items preconfigured to deploy and update no-code module workspaces.
- Provision No-Code Workspace and Deploy Resources: creates a new Terraform workspace based on a no-code module with user-supplied variable values.
- Update No-Code Workspace and Deploy Resources: updates an existing no-code workspace to the most recent no-code module version, updates the workspace variables, then starts a new Terraform apply run.
In this tutorial you will publish a no-code module to your HCP Terraform registry and deploy it with the ServiceNow Service Catalog. Then you will update the module and create a new Service Catalog item that you can use to update workspaces to the new version of the module.
Prerequisites
This tutorial assumes that you are familiar with the Terraform and HCP Terraform workflows. If you are new to Terraform, complete the Get Started collection first. If you are new to HCP Terraform, complete the HCP Terraform Get Started tutorials first.
If you have not done so already, install and configure the Terraform ServiceNow Service Catalog integration by following the steps outlined in the documentation.
To complete this tutorial you will need:
- An HCP Terraform Plus or Terraform Enterprise v202404-1 or newer account and organization with access to create and manage teams.
- An AWS account.
- An HCP Terraform variable set configured with your AWS credentials.
- Administrator access to a ServiceNow vendor instance.
- Terraform Service Catalog 2.5.0 or newer installed and connected to HCP Terraform or Terraform Enterprise.
Fork the example repository
Fork the example repository for this tutorial, and rename the repository to terraform-aws-rds to match the required format for repositories that contain Terraform modules. Leave the other options at their default values.
This repository contains the Terraform configuration for a no-code module to deploy an AWS RDS database as well as the networking infrastructure it requires.
Next, clone your fork of the repository, replacing USER with your own username.

```shell-session
$ git clone git@github.com:USER/terraform-aws-rds.git
```
Review the configuration
Navigate to the repository directory.
```shell-session
$ cd terraform-aws-rds
```
Open main.tf and review the no-code module configuration. This module definition uses the public VPC module to create networking resources, then deploys an RDS instance, subnet group, and security group within that VPC.
Notice that the module configuration includes the AWS provider block. Unlike standard modules, you must include your provider configuration within your module definitions to enable no-code deployment.
main.tf

```hcl
provider "aws" {
  # The region value is a string and must be quoted.
  region = "us-east-2"
}

data "aws_availability_zones" "available" {}

## ...
```
The RDS instance configuration uses multiple variables to set the name, username, and password of the database.
main.tf

```hcl
resource "aws_db_instance" "education" {
  identifier             = "${var.db_name}-${random_pet.random.id}"
  instance_class         = "db.t3.micro"
  allocated_storage      = 5
  engine                 = "postgres"
  engine_version         = "15.6"
  username               = var.db_username
  password               = var.db_password
  db_subnet_group_name   = aws_db_subnet_group.education.name
  vpc_security_group_ids = [aws_security_group.rds.id]
  parameter_group_name   = aws_db_parameter_group.education.name
  publicly_accessible    = true
  skip_final_snapshot    = true
}
```
Open variables.tf to review the variable configuration. These are the variable values that users must set to deploy the module.
Tip: The example repository contains Terraform configuration for demo purposes only. Refer to Security best practices for Amazon RDS for production workloads.
variables.tf

```hcl
variable "db_name" {
  description = "Unique name to assign to RDS instance"
}

variable "db_username" {
  description = "RDS root username"
}

variable "db_password" {
  description = "RDS root user password"
  sensitive   = true
}
```
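The variables above accept any string, and in this workflow the values come from a ServiceNow form rather than from a Terraform author. The following is an added example, not the tutorial's variables.tf: the same three inputs with explicit types and validation blocks that reject malformed values at plan time instead of letting the run fail in AWS. The character rules follow the AWS RDS constraints for DB identifiers and PostgreSQL master credentials; the 40-character cap on db_name is an assumption that leaves room for the "-<random_pet>" suffix the module appends.

```hcl
# Added example, not the tutorial's own variables.tf.
variable "db_name" {
  description = "Unique name to assign to RDS instance"
  type        = string

  validation {
    # RDS identifier rules: start with a letter, lowercase letters, digits and
    # hyphens only, no trailing hyphen, no "--" (the module appends "-<pet>").
    # The 40-character cap is an assumption leaving room for that suffix.
    condition = (
      can(regex("^[a-z]([a-z0-9-]*[a-z0-9])?$", var.db_name))
      && !can(regex("--", var.db_name))
      && length(var.db_name) <= 40
    )
    error_message = "db_name must start with a lowercase letter, use only lowercase letters, digits and single hyphens, not end with a hyphen, and be at most 40 characters."
  }
}

variable "db_username" {
  description = "RDS root username"
  type        = string

  validation {
    # PostgreSQL master username: 1 to 63 letters or digits, first is a letter.
    condition     = can(regex("^[a-zA-Z][a-zA-Z0-9]{0,62}$", var.db_username))
    error_message = "db_username must start with a letter and contain only 1 to 63 letters or digits."
  }
}

variable "db_password" {
  description = "RDS root user password"
  type        = string
  sensitive   = true

  validation {
    # PostgreSQL master password: 8 to 128 characters, and AWS rejects
    # "/", "\"" and "@". The static error message never echoes the value.
    condition = (
      length(var.db_password) >= 8
      && length(var.db_password) <= 128
      && !can(regex("[/\"@]", var.db_password))
    )
    error_message = "db_password must be 8 to 128 characters and must not contain '/', '\"' or '@'."
  }
}
```

Because a no-code workspace runs immediately after the ServiceNow order, a validation failure surfaces in the ticket as a failed plan rather than as a half-created database.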
Publish the no-code module
This tutorial uses tag-based publishing for the module, so your repository must have semantically versioned tags associated with releases.
First, create a tag for your module.
```shell-session
$ git tag 1.0.0
```
Then, push the tag.
```shell-session
$ git push --tags
 * [new tag]         1.0.0 -> 1.0.0
```
Next, log into HCP Terraform with your user credentials and select the organization you will use for this tutorial. Click Registry in the left navigation menu in your organization to go to your organization's HCP Terraform registry. Click Publish, then select Module.
Select your version control provider, then select your terraform-aws-rds repository.
On the Add Module screen, check Add Module to no-code provision allowlist. Then, click Publish module.
When you enable no-code provisioning on a module, HCP Terraform displays a No-Code Ready badge next to the module name and adds a Provision Workspace button to the details page.
The no-code module is now available for you to deploy in your organization.
Create a project
When you deploy a no-code module, HCP Terraform automatically creates a new workspace for the module and kicks off a new run to provision your infrastructure. This requires immediate access to provider credentials to avoid a failed initial run. Project-scoped variable sets let you set variable values for all workspaces in a project. You can also grant a new workspace credential access through global variables, but this approach is less secure.
Navigate to your organization's Projects landing page. Click + New Project. Name the project "ServiceNow Deployments" and click Create.
Next, associate the variable set that has your AWS credentials with the ServiceNow Deployments project. If you do not have a variable set already, refer to the variable sets documentation.
Navigate to your organization's settings page, click Variable sets, then click the name of your variable set.
If your variable set is configured to Apply globally, your "ServiceNow Deployments" project will automatically access it and you can proceed to the next step.
If it is configured to Apply to specific projects and workspaces, you must add the variable set to your project. Under Apply to projects, click the list of projects, search for "ServiceNow Deployments", and click on it to add it to the list of projects.
Scroll to the bottom of the page and click Save variable set.
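The same project and project-scoped variable set can be managed as code with the hashicorp/tfe provider. The following is an added example, not part of the tutorial, and it assumes the organization name and the two AWS credential values are supplied as input variables. It shows the point made above: the credentials are attached to the one project that ServiceNow deploys into, not applied globally.

```hcl
# Added example (not the tutorial's code): the "ServiceNow Deployments"
# project with an AWS credential variable set scoped to that project only,
# so workspaces created there can run immediately without the credentials
# being visible to every workspace in the organization.
# Assumed inputs: the organization name and the two credential values.
variable "organization" { type = string }
variable "aws_access_key_id" {
  type      = string
  sensitive = true
}
variable "aws_secret_access_key" {
  type      = string
  sensitive = true
}

# The name must match the "Terraform project name" entered in ServiceNow.
resource "tfe_project" "servicenow" {
  organization = var.organization
  name         = "ServiceNow Deployments"
}

# global = false: the set applies only where it is explicitly attached.
resource "tfe_variable_set" "aws_credentials" {
  organization = var.organization
  name         = "AWS credentials (ServiceNow Deployments)"
  global       = false
}

# Attach the set to the project rather than to individual workspaces, so each
# workspace that ServiceNow creates inherits it at its first run.
resource "tfe_project_variable_set" "aws_credentials" {
  variable_set_id = tfe_variable_set.aws_credentials.id
  project_id      = tfe_project.servicenow.id
}

resource "tfe_variable" "aws_access_key_id" {
  variable_set_id = tfe_variable_set.aws_credentials.id
  key             = "AWS_ACCESS_KEY_ID"
  value           = var.aws_access_key_id
  category        = "env"
  sensitive       = true
}

resource "tfe_variable" "aws_secret_access_key" {
  variable_set_id = tfe_variable_set.aws_credentials.id
  key             = "AWS_SECRET_ACCESS_KEY"
  value           = var.aws_secret_access_key
  category        = "env"
  sensitive       = true
}
```

Static keys are the simplest option for this tutorial; the dynamic credentials linked under Next steps remove the long-lived secret from the variable set entirely.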
Deploy the no-code module
After you publish the no-code module, ServiceNow users can deploy it from the Service Catalog. The Terraform ServiceNow Service Catalog integration has a preconfigured Provision No-Code Workspace and Deploy Resources catalog item that already has the required variable set for the example no-code module, so you can deploy it without any changes.
Navigate to the Terraform Catalog in ServiceNow by clicking on All, then click on Catalogs under Service Catalog. Click the Terraform Catalog, then View all items to show all catalog items.
Open the Provision No-Code Workspace and Deploy Resources catalog item and set the following values:

| Field | Value |
|---|---|
| Workspace name | dev-db |
| No-code module name | rds |
| Terraform project name | ServiceNow Deployments |
| Description of request | Development database |
| Database Name | dev-db |
| Database Username | terraformeducation |
| Database Password | education |
The No-code module name and Terraform project name must match the names of the module and project you created in the previous steps.
Click Order Now to create the database.
Review the no-code workspace
When you made the Service Catalog request in ServiceNow, HCP Terraform created a new workspace from the no-code module and started a new run to create your infrastructure. This workflow lets ServiceNow users quickly deploy the infrastructure they need without writing any Terraform configuration.
Open the workspace that ServiceNow created. In HCP Terraform, click Projects, then click the ServiceNow Deployments project. The project now contains a single workspace named similarly to dev-db_RITM0123456, a combination of the workspace name that you specified earlier and the ServiceNow request number. Open the workspace.
The Resources tab lists the resources that HCP Terraform created for your RDS database, and the Outputs tab lists the database hostname, port, and username.
HCP Terraform reports every run stage and output back to the original ServiceNow ticket. You can find the workspace name in ServiceNow by navigating to All > Terraform > Terraform Resources. To review workspace variables, click All > Terraform > Terraform Variables.
Update the no-code module
Over time, you may need to release new versions of your modules to add features or fix bugs in your configuration. ServiceNow users can update their workspaces when you create a new version of the no-code module. In this section, you will publish a new version of the module which gives users the option to encrypt their database.
Open the variables.tf file and add a new variable.

variables.tf

```hcl
variable "db_encrypted" {
  description = "Encrypt the database storage"
  type        = bool
}
```
Next, open main.tf and set the aws_db_instance resource's storage_encrypted attribute to reference the new variable value.
main.tf

```hcl
resource "aws_db_instance" "education" {
  identifier             = "${var.db_name}-${random_pet.random.id}"
  instance_class         = "db.t3.micro"
  allocated_storage      = 5
  engine                 = "postgres"
  engine_version         = "15.6"
  username               = var.db_username
  password               = var.db_password
  db_subnet_group_name   = aws_db_subnet_group.education.name
  vpc_security_group_ids = [aws_security_group.rds.id]
  parameter_group_name   = aws_db_parameter_group.education.name
  publicly_accessible    = true
  skip_final_snapshot    = true
  storage_encrypted      = var.db_encrypted
}
```
Commit the changes to your git repository.
```shell-session
$ git commit main.tf variables.tf -m "Add variable to choose if database is encrypted"
[main 00bd925] Add variable to choose if database is encrypted
 2 files changed, 6 insertions(+)
```
Next, create a new tag.
```shell-session
$ git tag 1.0.1
```
Push the code changes and the new tag to your GitHub repository.
```shell-session
$ git push origin main --tags
   efcd2b4..00bd925  main -> main
 * [new tag]         1.0.1 -> 1.0.1
```
HCP Terraform will continue to use version 1.0.0 of the module for no-code deployments until you configure it to use the new version. Go to your organization's HCP Terraform registry, click your rds module, and click Configure Settings.
Click Edit version and variable options. Under Module version, select 1.0.1 (latest) and click Save.
Open your workspace and notice that HCP Terraform triggered a notification that a no-code module version update is available.
Create the catalog item to update the no-code module
The preconfigured Update No-Code Workspace and Deploy Resources catalog item does not define a db_encrypted variable, so you must create a new custom catalog item. We recommend that you copy and modify the existing catalog items any time that you need to create a custom one.
Tip: For detailed guidance on customizing a Service Catalog item, refer to the Example Customizations documentation.
First, make a copy of the Update No-Code Workspace and Deploy Resources catalog item. Refer to the Make a copy of the existing Catalog Item documentation for a fully detailed list of steps.
1. Open the Update No-Code Workspace and Deploy Resources catalog item, click ... in the top right corner, and select Configure Item.
2. Click Copy in the top right corner to copy the catalog item and name it Update AWS Database Workspace.
3. Remove the No-Code Module Variables variable set containing example variables from the catalog item.
4. Create a new single-row variable set in the Update AWS Database Workspace catalog item with the title AWS Database Variables. Enter 200 for the Order and create the following variables:

| Name | Type | Question |
|---|---|---|
| tf_var_db_name | Single Line Text | Database Name |
| tf_var_db_username | Single Line Text | Database Username |
| sensitive_tf_var_db_password | Masked | Database Password |
| tf_var_db_encrypted | Checkbox | Encrypt the database? |
Next, make a copy of the Update No-Code Workspace and Provision Resources flow and actions. Refer to the Make a copy of the Flow and Action documentation for a fully detailed list of steps.
1. Open the ServiceNow Studio by navigating to All > Workflow Studio. Click Flows and open the Update No-Code Workspace and Provision Resources flow.
2. Click ... in the top right corner, then click Copy flow. Name the copied flow Update AWS Database Flow and set the Application to Terraform, then click Copy.
3. In the Update AWS Database Flow flow, click Edit flow.
4. Open the Get Catalog Variables from Update No-Code Workspace and Deploy Resources action. Move the tf_var_db_name, tf_var_db_username, and sensitive_tf_var_db_password variables from Selected to Available.
5. Under Template Catalog Items and Variable Sets, select Update AWS Database Workspace and move the tf_var_db_name, tf_var_db_username, sensitive_tf_var_db_password, and tf_var_db_encrypted variables from the Available column to the Selected column. Click Done.
6. Click the Open action in Action Designer button next to the Terraform Update No-Code Workspace with Var action.
7. Click ... in the top right corner, then click Copy Action. Name the copied action Update AWS Database Action and set the Application to Terraform, then click Copy.
8. Click Create input to add a new action input. Set the Label and Name field to tf_var_db_encrypted and set the Type to True/False.
9. Click Script step in the left navigation menu. Click Create Variable and set the Name field to tf_var_db_encrypted. Drag the tf_var_db_encrypted pill from the right navigation menu to the Value field.
10. Click Save, then click Publish.
Return to the Update AWS Database Flow flow and replace the Terraform Update No-Code Workspace with Var action with the Update AWS Database Action action. Drag and drop the following pills from the right navigation menu to the values of the action:

| Field | Value |
|---|---|
| sc_req | Requested Item Record > Request |
| sc_req_item | Requested Item Record |
| sc_rec_item_sys_id | Requested Item Record > Sys ID |
| workspace_user_input_name | workspace_user_input_name |
| tf_var_db_name | tf_var_db_name |
| tf_var_db_username | tf_var_db_username |
| sensitive_tf_var_db_password | sensitive_tf_var_db_password |
| tf_var_db_encrypted | tf_var_db_encrypted |
Click Done to finish editing the action.
Click Save and Activate to enable the flow.
Finally, open the Update AWS Database Workspace catalog item. In the Process Engine tab, update the value of the Flow field to the value Update AWS Database Flow, then click Update.
Update the no-code workspace
After creating the new catalog item, use it to upgrade your dev-db workspace to the latest version of your no-code module.
Open the Update AWS Database Workspace catalog item and select the workspace that ServiceNow created earlier, with a name similar to dev-db_RITM0123456. ServiceNow automatically fills in the no-code module name, project name, and description fields for the workspace.

Give the remaining fields the following values:

| Field | Value |
|---|---|
| Database Name | dev-db |
| Database Username | terraformeducation |
| Database Password | education |
| Encrypt the database? | Checked |
Click Order Now to start the workspace upgrade.
In HCP Terraform, open your no-code module workspace and notice that ServiceNow automatically created a new run to update the database.
Once HCP Terraform completes the run successfully, ServiceNow will update the ticket with a comment that the workspace has been successfully upgraded.
Clean up your infrastructure
Destroy the resources you created as part of this tutorial to avoid incurring unnecessary costs. Navigate to the Terraform Catalog in your ServiceNow instance and select Delete Workspace Flow. Select your workspace from the dropdown menu and click Order Now to start a destroy run in your workspace. When the destroy run finishes, ServiceNow will automatically delete the workspace from HCP Terraform.
Next steps
In this tutorial, you published and used a no-code module, which let you automatically deploy Terraform resources from ServiceNow using the Service Catalog. You also created a new catalog item to update your no-code workspaces as you create new versions of your module.
Review the following resources to learn more about how Terraform can support your organization's workflows.
- Review the documentation for no-code provisioning.
- Read the documentation for the Terraform ServiceNow Service Catalog Integration.
- Learn how dynamic credentials help users deploy no-code modules.