Cloud Tag Governance - Policy Customization, Auto-Remediation

Import · Apr 08, 2023 · article

Tag Governance for Cloud Discovery is a very useful plugin provided by ServiceNow. It lets you create policies that govern how tags are certified, based on a set of parameters. This article explains how to customize policies to fit your requirements, how auto-remediation works, and how the corrected tags are pushed to your cloud resources as well.

Once the plugin is installed, the Tag Governance module offers Dashboard, Policies and Remediation options, as shown below.

[Screenshot: Tag Governance module with Dashboard, Policies and Remediation]

The OOTB (out-of-the-box) solution provides three policy types:

  • Tag Key Policy: defines which tags are required (mandatory) for a given CI, for example Name, Location, etc. When configured, it checks every CI matching the policy condition and verifies whether all the listed tag keys exist.
  • Tag Count Policy: defines how many tags a CI must carry.
  • Tag Key & Value Policy: defines which value or values are permitted for a tag to be certified. Here you can either write a script or simply enter a value under Tag Key & Value Checks. The policy marks the CI as Certified when every tag value meets the required value defined by that script or value. Note: this policy expects a value for every key.

Now consider the case where you do not want to allow any CI tag with an empty value. The OOTB policy types above cannot address this particular scenario, but you can develop your own policy type to handle it.

Note: I am using AWS, but the process is the same for other cloud providers as well.

Step-by-Step Guide to Customize for the Above Scenario

Before you begin, here are the keywords for your reference. They are ready-to-use objects that are available inside the scripts:

  • ciTags - While the audit executes, it collects all the key/value pairs of the CI and exposes them as a GlideRecord.
  • policy - The Tag Policy entry, i.e. the policy GlideRecord.
  • tagValues - Used when writing a script that returns tag values; the "TagPolicyUtil" script include evaluates your script with it.
  • ci - A GlideRecord pointing to the current CI while the audit executes.

Steps

  1. Set your application scope to "Tag Governance".
  2. In the Filter Navigator ⇒ type sn_itom_tag_policy_type.list ⇒ open "Tag Key Policy".
     [Screenshot: Tag Policy Type list with "Tag Key Policy"]
  3. Click "Insert and Stay", give the new record a relevant name, and paste the code below into its audit script.
     [Screenshot: new Tag Policy Type record]

Tag Policy Type Audit Script

// Required keys come from the policy's expected tag keys field as a comma-separated list
var policyDefinition = policy.expected_tag_keys + '';
var requiredTags = policyDefinition.split(',').map(function(tagKey) {
    return tagKey.trim();
});
var arrayUtil = new global.ArrayUtil();
// Walk the CI's tags; a required key is removed from the list only when it is present with a non-empty value
while (ciTags.next()) {
    var key = ciTags.getValue('key') + '';
    var tagIndex = arrayUtil.indexOf(requiredTags, key);
    if (tagIndex >= 0) {
        var keyval = ciTags.value + '';
        if (keyval != "") {
            requiredTags.splice(tagIndex, 1);
            // Exit the loop once every required tag has been found with a value
            if (requiredTags.length === 0)
                break;
        }
    }
}
// Anything left in requiredTags is either missing from the CI or present with an empty value
var complianceState = (requiredTags.length === 0);
if (!complianceState) {
    // discrepancyValue and complianceDescription are the result variables picked up by the policy run
    discrepancyValue = requiredTags.length;
    complianceDescription = 'Empty tags: ' + requiredTags.toString();
}

  4. Go to Tag Governance ⇒ Policies ⇒ create a new policy with the condition "Class = Virtual Machine Instance".

[Screenshot: new policy with condition Class = Virtual Machine Instance]
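To see what the audit script above decides before pasting it into an instance, here is an added example (my code, not ServiceNow's) that re-implements the same logic as a stand-alone Node.js script. `makeTagCursor` is a constructed stand-in for the `ciTags` GlideRecord, not the real API; it mimics one behaviour worth knowing: `getValue()` returns `null` for an empty field, so the script treats `null` (and whitespace-only strings) as empty, which goes slightly beyond the original's `!= ""` check.

```javascript
// Added example (not ServiceNow's code): stand-alone re-implementation of the
// custom "required tags must have a value" audit script, runnable under Node.js.

// Constructed stand-in for the ciTags GlideRecord cursor (not the real API).
function makeTagCursor(rows) {
  let idx = -1;
  return {
    next() { idx += 1; return idx < rows.length; },
    // Real GlideRecord.getValue() returns null for an empty field; mirror that here.
    getValue(field) {
      const v = rows[idx][field];
      return v === undefined || v === '' ? null : v;
    },
  };
}

// Every key in policy.expected_tag_keys must be present on the CI with a
// non-empty value. Returns the three result fields the audit script sets.
function auditRequiredTagValues(policy, ciTags) {
  const requiredTags = String(policy.expected_tag_keys)
    .split(',')
    .map((k) => k.trim())
    .filter((k) => k.length > 0); // tolerate stray commas such as "Name,,Location"

  while (ciTags.next()) {
    const key = String(ciTags.getValue('key'));
    const tagIndex = requiredTags.indexOf(key);
    if (tagIndex < 0) continue; // not a key governed by this policy
    const raw = ciTags.getValue('value');
    const value = raw == null ? '' : String(raw).trim(); // null and whitespace count as empty
    if (value !== '') {
      requiredTags.splice(tagIndex, 1);
      if (requiredTags.length === 0) break; // all required keys found with values
    }
  }

  // Whatever is left is either missing from the CI or present with an empty value.
  const complianceState = requiredTags.length === 0;
  return {
    complianceState,
    discrepancyValue: complianceState ? 0 : requiredTags.length,
    complianceDescription: complianceState ? '' : 'Empty tags: ' + requiredTags.join(','),
  };
}

// Constructed sample: the policy from step 4 and a VM whose "Business" tag is empty.
const samplePolicy = { expected_tag_keys: 'Name, Location, Business' };
const sampleVmTags = [
  { key: 'Name', value: 'web-01' },
  { key: 'Location', value: 'us-east-1' },
  { key: 'Business', value: '' },       // present but empty: the case the OOTB policies miss
  { key: 'Owner', value: 'platform' },  // not governed by this policy, ignored
];

function runSample() {
  return auditRequiredTagValues(samplePolicy, makeTagCursor(sampleVmTags));
}

console.log(runSample());
// → { complianceState: false, discrepancyValue: 1, complianceDescription: 'Empty tags: Business' }
```

Note that the finding reads "Empty tags" for a key that is absent as well as for one that is present with no value; if you want to distinguish the two in the policy run findings, track the missing keys separately inside the loop.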

Now you are ready to test this. Here is a sample virtual machine whose "Business" tag has an empty value.

[Screenshot: sample VM tags with an empty "Business" value]

Now run the audit by clicking "Run Audit" and observe the results under the related list "Latest Policy Run Findings", like this.

[Screenshot: Latest Policy Run Findings related list]

Remediation

If you want to remediate the failures found by the audit runs, there is an Auto-Remediate option alongside the manual one. In this case, when the Business tag has an empty value, I would like to set it to "NSS" in the Key Value table and also update it with the same value in the cloud (here, AWS). Let's see how this is done.

Note: to use the "Update Tags in Cloud" option, the AWS user you are connecting with needs the permission called "ResourceGroupsandTagEditorFullAccess".

(IAM ==> Users ==> ==> Permissions)

Now create a remediation like this and save the record.

[Screenshot: new Tag Remediation record]

Under the related links "Tag Remediation Keys", click New and create an entry like this.

(Note: you can also use a script-based assignment, but for demo purposes I am using a static value.)

[Screenshot: Tag Remediation Key entry with key "Business" and value "NSS"]

Here is how the tags are updated in the Key Value table as well as in your cloud (AWS).

Note: first use "Preview Remediation" and confirm that there is a policy failure, then use "Remediate Tags".
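The preview-then-remediate flow and the two write targets (Key Value table and cloud) are easy to reason about in a small model. The following is an added example, my own Node.js code and not ServiceNow's remediation engine: `remediationKeys` mirrors the "Tag Remediation Keys" entry (static value "NSS" for "Business"), the CIs and resource ids are constructed placeholders, and `makeFakeCloud` is a stand-in that records tag calls instead of talking to AWS. It also encodes a guard worth having in any remediation: only keys that are missing or empty are written, so an existing non-empty value is never overwritten.

```javascript
// Added example (not ServiceNow's code): a model of the remediation step with a
// preview (dry-run) mode, a key/value table update and a cloud update.

// Mirrors the "Tag Remediation Keys" entry from the article: static value per key.
const remediationKeys = { Business: 'NSS' };

// Constructed sample CIs returned by the policy run: one with an empty Business tag,
// one that already has a value. Resource ids are placeholders, not real instance ids.
const sampleCis = [
  { name: 'web-01', resourceId: 'i-PLACEHOLDER-01', tags: { Name: 'web-01', Business: '' } },
  { name: 'db-01',  resourceId: 'i-PLACEHOLDER-02', tags: { Name: 'db-01',  Business: 'Finance' } },
];

function isEmptyValue(v) {
  return v == null || String(v).trim() === '';
}

// Preview step: list the changes a remediation would make. Only keys that are
// missing or empty on the CI are touched; an existing non-empty value is left alone.
function planRemediation(cis, keys) {
  const plan = [];
  for (const ci of cis) {
    for (const [key, newValue] of Object.entries(keys)) {
      if (isEmptyValue(ci.tags[key])) {
        plan.push({ ciName: ci.name, resourceId: ci.resourceId, key, newValue });
      }
    }
  }
  return plan;
}

// Remediate step: write each planned change to the key/value table (ci.tags here)
// and to the cloud. With preview=true nothing is written, like "Preview Remediation".
function remediate(cis, plan, cloud, preview) {
  return plan.map((change) => {
    if (preview) return { ...change, status: 'preview' };
    const ci = cis.find((c) => c.name === change.ciName);
    ci.tags[change.key] = change.newValue;                                  // Key Value table
    cloud.tagResource(change.resourceId, { [change.key]: change.newValue }); // cloud side
    return { ...change, status: 'applied' };
  });
}

// Constructed stand-in for the provider tag API: records calls instead of tagging AWS.
function makeFakeCloud() {
  const calls = [];
  return { calls, tagResource(resourceId, tags) { calls.push({ resourceId, tags }); } };
}

// Run a preview or a real remediation on a fresh copy of the sample data and
// report what happened on both sides.
function runScenario(preview) {
  const cis = JSON.parse(JSON.stringify(sampleCis));
  const cloud = makeFakeCloud();
  const applied = remediate(cis, planRemediation(cis, remediationKeys), cloud, preview);
  const tags = Object.fromEntries(cis.map((c) => [c.name, c.tags]));
  return { applied, cloudCalls: cloud.calls, tags };
}

console.log(runScenario(true));  // preview: one planned change for web-01, no cloud calls
console.log(runScenario(false)); // remediate: web-01 Business -> NSS in the table and in the cloud
```

In the preview run the plan contains exactly one change (web-01, key Business) and the cloud stub records no calls; in the real run the table and the cloud both receive "NSS" for web-01 while db-01 keeps "Finance".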

Before executing "Remediate Tags" (under the related links)

[Screenshot: VM tags before remediation, "Business" empty]

AWS Console

[Screenshot: AWS console tags before remediation]

After Execution

[Screenshot: Key Value table after remediation]

[Screenshot: AWS console tags after remediation]

That's all about the customization options available in Tag Governance.

Feel free to post a comment.

Thanks,

Narsing


https://www.servicenow.com/community/itom-articles/cloud-tag-governance-policy-customization-auto-remediation/ta-p/2529413