Automate deployments with HCP Terraform and ServiceNow Catalog
Authors: Nada Elkelani and Polina Jastrzebska
This guide details how to configure and integrate HCP Terraform with ServiceNow Service Catalog. This integration enables application teams to provision infrastructure resources through a familiar service portal interface while maintaining governance and security controls.
When you integrate Terraform with ServiceNow, you gain the following benefits:
- Standardization: Application teams can quickly provision infrastructure through the ServiceNow interface.
- Visibility: Service delivery teams have visibility into infrastructure provisioning.
- Governance: Well-organized request workflows for infrastructure provisioning.
- Security: Clear separation of roles and permissions to adhere to security and compliance standards.
- Flexibility: Customization options in the Terraform Catalog to accommodate unique business use cases.
- Auditability: Explicit trail of deployment logs posted in the ServiceNow ticket comments for reporting and compliance.
Note
When this guide refers to HCP Terraform, the information also applies to Terraform Enterprise unless specifically stated otherwise.
Target Audience
- ServiceNow team: Responsible for administrating ServiceNow and service catalog management.
- Platform team: Responsible for HCP Terraform, infrastructure as code templates for the ServiceNow team, and manages automated deployment pipelines and tools.
- Security team: Manages tokens and access controls for ServiceNow accounts.
Prerequisites
To follow this guide, each role needs the following permissions:
ServiceNow team:
- ServiceNow administrator access
Platform and security teams:
- HCP Terraform Administrator access.
- Ability to create a team and a team token.
- Admin access to VCS repository.
- Knowledge of Terraform workflows.
Please review the following resources:
Terraform:
- Self-service enablement with HCP Terraform and ServiceNow tutorial
ServiceNow:
- ServiceNow Application installation in the ServiceNow store
- ServiceNow Integration tutorials
- ServiceNow Service Catalog for Terraform developer documentation
Note
Similar to other scoped ServiceNow plugins, the integration is not available for personal developer instances (PDIs). The HashiCorp team can enable the plugin exclusively for testing and demo purposes upon request in special cases.
You should also understand the pricing model of HCP Terraform.
To use all ServiceNow Service Catalog for Terraform features, you need the HCP Terraform Plus tier, which includes no-code functionality, the ability to run more than one agent pool, and the creation of more than 500 workspaces. Terraform Enterprise introduced no-code modules in version v202404-1, which we consider the minimum version for this application, although VCS provisioning still works with older versions. Using the HCP Terraform ServiceNow application is free in the ServiceNow store for ServiceNow customers.
The volume of API calls between the ServiceNow instance and HCP Terraform affects pricing. ServiceNow performs regular API calls to retrieve the latest status of a Terraform run during the provisioning window, and stops polling once the run is completed. You configure the polling mechanism through the polling workers feature. The “Worker Poll Run State Flow” in the Flow Designer is the primary scheduling mechanism responsible for most API calls to HCP Terraform. By default, it runs every 5 minutes. ServiceNow administrators can adjust the frequency based on the organization’s needs. A more frequent schedule leads to greater responsiveness, quicker status changes, and more comments posted in the ServiceNow ticket during provisioning, but it also increases the number of API calls to HCP Terraform, which may impact your HCP Terraform pricing.
ServiceNow administrators can monitor all outbound HTTP traffic by navigating to All > System Logs > Outbound HTTP Requests and filtering records based on the “Terraform” application scope.
Background and best practices
This section contains best practices for configuring the ServiceNow Service Catalog for Terraform and connecting HCP Terraform to your ServiceNow instance. You must understand these concepts and best practices to manage infrastructure provisioning securely and efficiently.
People & Process
This section describes the core teams and their roles and responsibilities for managing the integration between ServiceNow Service Catalog and HCP Terraform.
The ServiceNow team:
The ServiceNow administration team is responsible for all configurations inside the organization’s ServiceNow vendor instance(s). This integration lets ServiceNow users provision cloud resources through the Service Catalog while adhering to the organization's security policies.
The ServiceNow team installs the Terraform plugin from ServiceNow Store to all relevant environments and sets up the Terraform Catalog in the Service Catalogs list. They save the HCP Terraform or Terraform Enterprise team token in the ServiceNow configuration interface, test the connection, and update the token to follow organizational policy. The team can optionally configure a MID server as a proxy between ServiceNow and Terraform Enterprise when behind a firewall.
The ServiceNow administration team configures VCS repositories or no-code module names based on the platform setup and where the Terraform configuration is stored. They create and manage catalog items that trigger Terraform runs by modifying the out-of-the-box items, ensuring they pass all necessary parameters to Terraform. It's important to monitor Terraform runs for successful execution and troubleshoot issues. The ServiceNow and infrastructure teams should work together to update catalog items with the latest Terraform modules and templates.
The ServiceNow administration team manages access to the Terraform Catalog by assigning relevant ServiceNow roles to the end users. This ensures that only authorized personnel can request and deploy infrastructure resources through the Terraform ServiceNow integration.
The platform team:
The platform team owns the HCP Terraform organization, the VCS platform, and the cloud. This team manages the infrastructure and provides the necessary tools and capabilities for the ServiceNow administration team. They create the integration between HCP Terraform and ServiceNow by configuring the necessary API connections and setting up a dedicated HCP Terraform team for the ServiceNow administration team. They grant this HCP Terraform team all required permissions, generate a team token, and ensure seamless communication between the two platforms to enable automated infrastructure provisioning through ServiceNow's service catalog. If the Platform team uses VCS-based workspaces, they must configure a dedicated VCS provider in HCP Terraform and communicate that provider's OAuth token ID to the ServiceNow administrator. If they use no-code workspaces, they must configure no-code modules in the organization's private registry in HCP Terraform and share the module names with the ServiceNow administrator for further Catalog item setup.
The Platform team also configures the HCP Terraform organization and projects to host multiple workspaces that ServiceNow can use to trigger Terraform runs. Depending on the business requirements, configurations may include setting up a dedicated agent pool, a project-scoped variable set, or defining a list of tags for use by all workspaces within that organization.
The security team:
The security team generates a token for the dedicated HCP Terraform team and securely passes it to the ServiceNow administrator. They ensure this token has all the required permissions to manage Terraform workspaces and projects. If the platform team uses a VCS-based flow, the security team should create a VCS provider in HCP Terraform. They should share the OAuth token ID with the ServiceNow administrator, using a project-scoped VCS provider configuration to follow the principle of least-privilege access.
The security team implements policies for regular token rotation and sets appropriate expiry dates to minimize security risks. These protocols reduce the potential impact of compromised tokens and strengthen the overall security posture of the HCP Terraform and ServiceNow integration. They should regularly review and adjust user roles and permissions to maintain security as organizational needs evolve. Refer to the Configure HCP Terraform for ServiceNow Service Catalog integration documentation for detailed information on required access permissions.
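The team, token, and VCS provider described in the platform and security team sections can be declared as code so the least-privilege setup is reviewable and repeatable. The following is an added example written with the HashiCorp tfe provider; it is not code from this guide or from the ServiceNow application. The organization name, project name, team name, GitHub URLs, and the token expiry date are placeholders, and the `tfe_project_oauth_client` resource used to attach the VCS provider to a single project is assumed to be available in a recent version of the tfe provider.

```hcl
# Added example (not from the guide): a least-privilege HCP Terraform team for
# the ServiceNow integration, declared with the HashiCorp "tfe" provider.
# Assumptions: organization, project, team names and the expiry date are
# placeholders; the tfe provider authenticates with a platform-admin token
# from the TFE_TOKEN environment variable that is never handed to ServiceNow.
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

provider "tfe" {}

# Project that scopes everything ServiceNow may create.
resource "tfe_project" "servicenow" {
  organization = "example-org"       # placeholder
  name         = "servicenow-catalog" # placeholder
}

# Dedicated team: organization-level rights limited to what the catalog
# needs (create workspaces and projects, read the rest). No policy,
# membership, or VCS-settings management is granted.
resource "tfe_team" "servicenow" {
  organization = "example-org" # placeholder
  name         = "servicenow-integration"

  organization_access {
    manage_workspaces = true
    manage_projects   = true
    read_workspaces   = true
    read_projects     = true
  }
}

# Team token handed to the ServiceNow administrator. expired_at enforces the
# rotation deadline the security team's policy requires; regenerate before it.
resource "tfe_team_token" "servicenow" {
  team_id    = tfe_team.servicenow.id
  expired_at = "2025-12-31T23:59:59Z" # placeholder rotation deadline
}

# VCS provider for VCS-based catalog items. The GitHub OAuth token is supplied
# out of band (for example via TF_VAR_github_oauth_token) and never committed.
variable "github_oauth_token" {
  type      = string
  sensitive = true
}

# organization_scoped = false keeps the provider from being usable by every
# project; it is attached to the ServiceNow project only, below.
resource "tfe_oauth_client" "servicenow" {
  organization        = "example-org" # placeholder
  name                = "servicenow-github"
  api_url             = "https://api.github.com"
  http_url            = "https://github.com"
  oauth_token         = var.github_oauth_token
  service_provider    = "github"
  organization_scoped = false
}

# Attach the OAuth client to the ServiceNow project (assumed resource name).
resource "tfe_project_oauth_client" "servicenow" {
  project_id      = tfe_project.servicenow.id
  oauth_client_id = tfe_oauth_client.servicenow.id
}

# The value the ServiceNow administrator enters in the VCS Repository record.
output "oauth_token_id" {
  value = tfe_oauth_client.servicenow.oauth_token_id
}

# The team token itself; marked sensitive so it is redacted from CLI output
# and must be read deliberately with `terraform output -raw`.
output "servicenow_team_token" {
  value     = tfe_team_token.servicenow.token
  sensitive = true
}
```

Apply this from the platform team's own workspace, then pass `servicenow_team_token` and `oauth_token_id` to the ServiceNow administrator through the channel your organization uses for secrets. Changing `expired_at` on the team token resource is the rotation step: a new token is issued, and the old one stops working at its expiry.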
Note
Depending on your business setup, the ServiceNow administrator and the Terraform administrator may be the same group of people. In such cases, the responsibilities of the service delivery and platform team will fall on those individuals.
Validated Architecture
The validated architecture provides a high-level overview of how users leverage the ServiceNow Service Catalog to plan and apply IaC to their providers, such as AWS, Azure, GCP, MongoDB, and more in our ecosystem of over 4,000 providers.
The following are descriptions of each component of the diagram:
- End User: These are the individuals who initiate requests for infrastructure resources. They interact with the system through a user-friendly Service Portal interface.
- ServiceNow Service Catalog: The ServiceNow components act as the interface where end users submit their infrastructure requests. The Service Catalog allows users to order specific infrastructure resources.
- Terraform Catalog: One of the Service Catalogs developed by HashiCorp used to place infrastructure orders and invoke Terraform operations through the standard Service Catalog interface, as well as the Service Portal of your ServiceNow instance.
- Workspace: The environment where Terraform stores configuration and manages state. It serves as the central point for executing Terraform commands.
- Plan: The "Plan" phase in Terraform involves generating an execution plan. This plan shows the changes that will be made to the infrastructure based on the Terraform configuration files.
- Apply: Terraform applies the changes outlined in the execution plan. This step involves making API calls to the infrastructure providers to create, modify, or delete resources specified in the Terraform configuration.
- Infrastructure Providers: Terraform supports various cloud and on-premises infrastructure providers. The diagram shows providers like AWS, Oracle, Microsoft Azure, Kubernetes, Google Cloud, and VMware. Terraform supports over 4,000 providers, allowing it to manage a wide range of resources.
- Provisioned Infrastructure: This represents the actual infrastructure resources created, modified, or deleted by Terraform and initiated through the ServiceNow portal. The checkmarks indicate successful provisioning of the requested resources.
- Outputs: Final values, such as IP addresses and DNS names, are returned to the end-user when Terraform provisions infrastructure.
The diagram shows the following workflow:
- Order Submission: End users order infrastructure resources via the ServiceNow Service Catalog for Terraform. Upon submitting an order, ServiceNow creates a ticket with a unique RITM (Request Item).
- Terraform Execution: The request from ServiceNow triggers actions in the Terraform workspace. Terraform reads the configuration files and prepares an execution plan.
- Resource Provisioning: Terraform applies the plan, interacting with various infrastructure providers to provision the requested resources. By default, the auto-apply flag is set to true on all workspaces provisioned through the Terraform Catalog.
- Posting Outputs: Terraform posts deployment logs, timestamps, and outputs as comments in the related ServiceNow RITM ticket for the end user’s visibility. Workspace details are saved in the “Terraform Resources” table in ServiceNow, while Terraform stores variable values in the “Terraform Variables” table, accessible with the Terraform plugin menu.
- Resource Validation: The final step involves validating that Terraform provisions resources correctly and operates as expected.
Configure ServiceNow access
You must set up access to connect ServiceNow with HCP Terraform or Terraform Enterprise. Setting up this connection involves creating an API token, granting permissions, and choosing between using code from a version control system (VCS) or a no-code module.
To connect ServiceNow to Terraform, you must create and safely store an API token for the HCP Terraform team. This token lets ServiceNow confirm its identity when working with Terraform. To do this, follow the Connect ServiceNow to HCP Terraform guide steps. Ensure the HCP Terraform team has permission to manage workspaces and projects and can read no-code modules. You should use a dedicated HCP Terraform team token for API interactions to ensure proper permissions, and you should regularly rotate these tokens based on your company's compliance requirements. Before full deployment, test the connectivity between your ServiceNow instance and HCP Terraform using the testing interface provided in the configuration form to verify that all components communicate correctly.
You can use a VCS (Version Control System) connection or no-code modules. No-code modules are Terraform configurations that can create your infrastructure. No-code integrations with HCP Terraform are ideal for organizations where ServiceNow users may not be familiar with HCP Terraform or the CLI. With no-code, users can run Terraform tasks without writing any code. With ServiceNow no-code provisioning, you can quickly deploy your infrastructure while complying with organizational policies. Make sure your module name accurately reflects the infrastructure provisioned by the module, as end users will need to reference the module by name when filling out the Catalog request form.
If you are using a VCS repository, make sure you use descriptive names. The repository path provided in the "Identifier" field of the Terraform > VCS Repository record must not contain any spaces; repository identifiers typically use the format <ORGANIZATION>/<REPO_NAME>.
To learn how to use HCP Terraform no-code modules in the ServiceNow Service Catalog for Terraform, check out this hands-on tutorial.
If you write Terraform code for ServiceNow, you will need to store it in a VCS. The VCS should be associated with a Terraform workspace that ServiceNow catalog items will connect to.
Infrastructure as code (IaC) tools let you codify your resource definitions, making understanding your resource configurations and infrastructure topology easier. When you define your infrastructure as code, you can use the same engineering practices for your infrastructure for application development, such as code review, automated deployment, and phased rollout that allows you to test your configuration across environments. When you use IaC, you gain operational excellence benefits.
Integrate Terraform Runs with ServiceNow requests
Integrating Terraform with ServiceNow lets you automate infrastructure deployments through service catalog requests. This streamlines provisioning, reduces manual work and helps teams follow best practices without writing code.
First, create a ServiceNow catalog item. To do this, define a catalog item in ServiceNow that triggers Terraform runs linked to your HCP Terraform account by copying one of the items from the default list that best suits your business requirements. The most commonly used items are “Provision Resources with Variables Flow” for VCS connections and “Provision No-Code Workspace and Deploy Resources” for no-code modules. These items create a new Terraform workspace, initiate a Terraform run, apply the Terraform configuration, and report outputs to the ServiceNow ticket.
Then, navigate to the "Terraform Catalog" in the ServiceNow Service Catalog interface, copy an existing out-of-the-box catalog item, and modify and customize it to collect necessary inputs from the user. Make sure the custom variables attached to your new Catalog Item match the variables required by your Terraform configuration.
When creating your Catalog Items, review the list of the default items in the Terraform Catalog and make a copy of the one that suits your use case the most. Copying out-of-the-box items helps preserve all required configurations and prevents your customizations from being overwritten when you install new versions of the application in the future. Choose Catalog Items that are based on the Flow engine and have “Flow” in the title.
Finally, you need to link a catalog item to a Terraform run. A common customization activity is defining and attaching your variable set to the Catalog item. The variable set must correspond to the variables required by your Terraform configuration. Configuring variables in ServiceNow transforms them into editable fields in the Catalog request form where end users can provide input values. Use the variable types that best suit your use case. ServiceNow allows you to define various variable types, from simple strings to masked and encrypted values. Follow the naming convention for custom Terraform variables created in ServiceNow; if you do not, the application backend cannot pass the variable value to HCP Terraform. Make sure you correctly pass all custom variables to the plugin's backend by updating the corresponding backend Flow and Action. We've provided detailed step-by-step instructions, including screenshots, in ServiceNow example customizations. It is important to follow them end-to-end when configuring your Catalog items tailored to your business use cases.
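The Terraform side of the contract described above (the configuration in the VCS repository or no-code module, its input variables, and the outputs that end up in the RITM ticket) is shown in the following added example. It is not code from this guide or from HashiCorp; the variable names `environment`, `instance_count`, `owner_email`, and `db_password` are illustrative and must be matched one-to-one by the custom variables on your Catalog Item. It uses the built-in `terraform_data` resource so it plans without cloud credentials.

```hcl
# Added example (not from the guide): a minimal Terraform configuration whose
# input variables are exactly the fields a custom Catalog Item must collect,
# and whose outputs are what the plugin posts back to the RITM ticket.
# Assumption: the variable names below are illustrative placeholders.
terraform {
  required_version = ">= 1.4.0"
}

# Catalog form values arrive as user input, so validate shape here rather
# than relying on the form alone.
variable "environment" {
  type        = string
  description = "Target environment, offered as a choice list in the Catalog form."
  validation {
    condition     = contains(["dev", "test", "prod"], var.environment)
    error_message = "environment must be one of: dev, test, prod."
  }
}

variable "instance_count" {
  type        = number
  description = "Number of instances; bounded so a typo cannot request hundreds."
  default     = 1
  validation {
    condition     = var.instance_count >= 1 && var.instance_count <= 5
    error_message = "instance_count must be between 1 and 5."
  }
}

variable "owner_email" {
  type        = string
  description = "Requester's e-mail, used for tagging and audit."
  validation {
    condition     = can(regex("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$", var.owner_email))
    error_message = "owner_email must be a valid e-mail address."
  }
}

# Mark secrets sensitive so they are redacted from plan and apply output,
# which the plugin copies into ticket comments. Pair this with a masked
# (password-type) variable on the Catalog Item.
variable "db_password" {
  type        = string
  description = "Database password supplied through a masked Catalog field."
  sensitive   = true
}

locals {
  common_tags = {
    environment = var.environment
    owner       = var.owner_email
    managed_by  = "servicenow-terraform-catalog"
  }
}

# Placeholder resource so the configuration plans without provider
# credentials; replace with the real provider resources for your use case.
resource "terraform_data" "instances" {
  count = var.instance_count
  input = merge(local.common_tags, { index = count.index })
}

# Non-sensitive outputs are posted to the RITM ticket for the requester.
# Never return the secret itself (or anything derived from it) as an output.
output "instance_ids" {
  value = [for r in terraform_data.instances : r.id]
}

output "tags" {
  value = local.common_tags
}
```

When the Catalog Item's custom variables carry these four names (following the plugin's naming convention for Terraform variables) and the backend Flow and Action pass them through, a request with an invalid `environment` or an out-of-range `instance_count` fails at plan time with the error message above, and that message appears in the ticket comments instead of a half-applied deployment.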
Testing and Validation
Once you integrate HCP Terraform and ServiceNow, you must test and validate that ServiceNow creates your desired infrastructure.
Ensure that requests in ServiceNow create new workspaces in HCP Terraform, correctly trigger Terraform runs, and review the RITM ticket comments. All Terraform run stages and their corresponding timestamps are posted in the ticket for the end user's visibility. Terraform communicates run errors back to the corresponding RITM ticket, which presents an opportunity for further debugging when needed. You can find application log statements by navigating to All > Application Logs in your ServiceNow instance and setting the “Application scope” filter to “Terraform”.
Next, validate the workspace state and outputs. Navigate to All > Terraform > Terraform Resources. The table contains basic information about each provisioned workspace, along with the latest Terraform run status. Deleted workspaces are marked as “deleted” in this table. Then, to validate the outputs, verify that Terraform provisions the infrastructure as expected and review the relevant information in the ServiceNow RITM ticket that matches the Terraform outputs.
Day 2 Operations
ServiceNow provides functionality for modifying previously provisioned infrastructure. You can use catalog items that begin with “Update,” such as “Update Resources Flow” or “Update No-Code Workspaces and Deploy Resources.” When selecting a previously created workspace from the dropdown, the user input form is auto-populated with stored values from the ServiceNow database. You can access variable values for each workspace at any time by navigating to All > Terraform > Terraform Variables.
You can make day-2 changes, including modifying Terraform variable values, moving a workspace to a different project within HCP Terraform, and changing the workspace name or description. Submitting the update form initiates a new Terraform run, applying the infrastructure changes. Terraform posts logs and outputs in the ServiceNow RITM ticket created during the initial workspace setup.
To update a no-code workspace, order the “Update No-Code Workspace and Deploy Resources” item. This item upgrades the workspace if a new version of a no-code module is available; otherwise, Terraform redeploys the infrastructure using the updated variable values.
If the update includes new variables for the Terraform configuration, create a copy of the relevant Update item. Configure the new variables and pass them to the corresponding Update backend Flow and Action in the Flow designer, as detailed in the ServiceNow example customizations. This approach allows administrators to introduce additional input fields for end users efficiently.
Conclusion
In this guide, you learned how to integrate HCP Terraform with ServiceNow Service Catalog. This integration allows application teams to provision infrastructure resources through a familiar service portal interface while maintaining governance and security controls.
To learn more, check out the following resources: