ServiceNow LZA Resource Provisioning - sam-app

This project contains source code and supporting files for a serverless application that you can deploy with the SAM CLI. It includes the following files and folders.

• lza_integration - Code for the application's Lambda function and Project Dockerfile.
• events - Invocation events that you can use to invoke the function, including new_account.json and new_vpc.json for account and VPC creation.
• tests - Unit tests for the application code.
• template.yaml - A template that defines the application's AWS resources.

The application uses several AWS resources, including Lambda functions. These resources are defined in the template.yaml file in this project. You can update the template to add AWS resources through the same deployment process that updates your application code.

Diagram

Create Cross account lambda execution role in Management account (Only for CodeCommit)

Follow these steps to create the required cross-account IAM role in the Management account:

1. Create IAM Policy:
   • Navigate to IAM > Policies > Create policy
   • Name the policy: LZACodeCommitPolicyForSNOWIntegration
   • Use the following JSON policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CodeCommitPermissions",
            "Effect": "Allow",
            "Action": [
                "codecommit:GitPull",
                "codecommit:GitPush",
                "codecommit:CreateBranch",
                "codecommit:CreateCommit",
                "codecommit:CreatePullRequest"
            ],
            "Resource": [
                "arn:aws:codecommit:<AWS_REGION>:<LZA_ACCOUNT_ID>:<LZA_REPO_NAME>"
            ]
        }
    ]
}

2. Create IAM Role:
   • Navigate to IAM > Roles > Create role
   • Choose "Custom trust policy"
   • Use the following trust policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<TOOLING_ACCOUNT_ID>:role/LZAIntegrationLambdaExecutionRole-StaticNameDoNotChange"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

3. Configure Role:

   • Name the role exactly: LZAAccountSNOWIntegrationLambdaPermissionRole
   • Attach the policy created in step 1: LZACodeCommitPolicyForSNOWIntegration
   • Review and create the role

4. Validate Role Configuration:

   • Verify the role name matches exactly: LZAAccountSNOWIntegrationLambdaPermissionRole
   • Confirm the trust relationship is configured correctly
   • Ensure the CodeCommit policy is attached
   • Test the role assumption from the tooling account if possible

GitHub Repository Setup (Only for GitHub)

If you're using GitHub instead of CodeCommit, follow these steps to configure your repository and authentication:

1. Repository Requirements

• Ensure your LZA configuration repository is hosted on GitHub
• The repository should contain your LZA configuration files (e.g., accounts-config.yaml, network-config.yaml)
• Note your GitHub username/organization name and repository name

2. Create GitHub Personal Access Token (PAT)

1. Navigate to GitHub Settings:

   • Go to GitHub.com → Settings → Developer settings → Personal access tokens → Tokens (classic)
   • Or visit: https://github.com/settings/tokens

2. Generate New Token:

   • Click "Generate new token (classic)"
   • Add a descriptive note (e.g., "LZA ServiceNow Integration")
   • Set expiration as needed (recommend 90 days or less for security)

3. Configure Required Permissions: Select the following scopes:

   • repo (Full control of private repositories)
     • This includes: repo:status, repo_deployment, public_repo, repo:invite, security_events
   • metadata:read (Read access to metadata)

4. Generate and Copy Token:

   • Click "Generate token"
   • Important: Copy the token immediately - you won't be able to see it again

3. Store PAT in AWS Secrets Manager

1. Create Secret in AWS Secrets Manager:

   aws secretsmanager create-secret \
     --name "GitHubTokenSecretForServiceNowSelfService" \
     --description "GitHub PAT for LZA ServiceNow Integration" \
     --secret-string '{"GitHubTokenSecretForServiceNowSelfService":"<YOUR_PAT_TOKEN_HERE>"}'

   Or using the AWS Console:

   • Navigate to AWS Secrets Manager
   • Click "Store a new secret"
   • Choose "Other type of secret"
   • Add key-value pair:
     • Key: GitHubTokenSecretForServiceNowSelfService
     • Value: <YOUR_PAT_TOKEN_HERE>
   • Name the secret: GitHubTokenSecretForServiceNowSelfService

Deploy the sample application

The Serverless Application Model Command Line Interface (SAM CLI) is an extension of the AWS CLI that adds functionality for building and testing Lambda applications. It uses Docker to run your functions in an Amazon Linux environment that matches Lambda. It can also emulate your application's build environment.

To use the SAM CLI, you need the following tools.

• SAM CLI - Install the SAM CLI
• Docker - Install Docker community edition

You may need the following for local testing.

• Python 3.13 installed

Pre-requsites to upload the Service Catalog Cloudformation template to LZA S3 Assets folder.

account_id=$(aws sts get-caller-identity --query 'Account' --output text)
region=$(aws configure get region)
bucket_name="aws-accelerator-assets-${account_id}-${region}"
echo "Target S3 bucket: s3://${bucket_name}/LZAServiceNow/"
aws s3 sync resources/ "s3://$bucket_name/LZAServiceNow/" --exclude "*" --include "*.yaml"

To build and deploy your application for the first time, run the following in your shell:

sam build
sam deploy --capabilities CAPABILITY_NAMED_IAM --guided

The first command will build a docker image from a Dockerfile and then copy the source of your application inside the Docker image. The second command will package and deploy your application to AWS, with a series of prompts:

• Stack Name: The name of the stack to deploy to CloudFormation. This should be unique to your account and region, and a good starting point would be something matching your project name.
• AWS Region: The AWS region you want to deploy your app to.
• Confirm changes before deploy: If set to yes, any change sets will be shown to you before execution for manual review. If set to no, the AWS SAM CLI will automatically deploy application changes.
• Allow SAM CLI IAM role creation: Many AWS SAM templates, including this example, create AWS IAM roles required for the AWS Lambda function(s) included to access AWS services. By default, these are scoped down to minimum required permissions. To deploy an AWS CloudFormation stack which creates or modifies IAM roles, the CAPABILITY_IAM value for capabilities must be provided. If permission isn't provided through this prompt, to deploy this example you must explicitly pass --capabilities CAPABILITY_IAM to the sam deploy command.
• Save arguments to samconfig.toml: If set to yes, your choices will be saved to a configuration file inside the project, so that in the future you can just re-run sam deploy without parameters to deploy changes to your application.

Use the SAM CLI to build and test locally

Build your application with the sam build command and start a local lambda server using docker.

sam build
sam local start-lambda

The SAM CLI builds a docker image from a Dockerfile and then installs dependencies defined in lza_integration/requirements.txt inside the docker image. The processed template file is saved in the .aws-sam/build folder.

Test a single function by invoking it directly with a test event. An event is a JSON document that represents the input that the function receives from the event source. Test events are included in the events folder in this project.

Run functions locally and invoke them with the sam lambda invoke command.

aws lambda invoke --function-name "LZAIntegrationLambdaFunction" --cli-binary-format raw-in-base64-out --payload file://events/new_account.json --endpoint-url "http://127.0.0.1:3001" --no-verify-ssl response.json
aws lambda invoke --function-name "LZAIntegrationLambdaFunction" --cli-binary-format raw-in-base64-out --payload file://events/new_vpc.json --endpoint-url "http://127.0.0.1:3001" --no-verify-ssl response.json

Add a resource to your application

The application template uses AWS Serverless Application Model (AWS SAM) to define application resources. AWS SAM is an extension of AWS CloudFormation with a simpler syntax for configuring common serverless application resources such as functions, triggers, and APIs. For resources not included in the SAM specification, you can use standard AWS CloudFormation resource types.

Fetch, tail, and filter Lambda function logs

To simplify troubleshooting, SAM CLI has a command called sam logs. sam logs lets you fetch logs generated by your deployed Lambda function from the command line. In addition to printing the logs on the terminal, this command has several nifty features to help you quickly find the bug.

NOTE: This command works for all AWS Lambda functions; not just the ones you deploy using SAM.

sam logs -n LZAIntegrationLambdaFunction --stack-name "sam-app" --tail

You can find more information and examples about filtering Lambda function logs in the SAM CLI Documentation.

Unit tests

Tests are defined in the tests folder in this project. Use PIP to install the pytest and run unit tests from your local machine.

pip install pytest pytest-mock --user
python -m pytest tests/ -v

Cleanup

To delete the sample application that you created, use the AWS CLI. Assuming you used your project name for the stack name, you can run the following:

sam delete --stack-name "lza-snow-self-service-sam-app"

Resources

See the AWS SAM developer guide for an introduction to SAM specification, the SAM CLI, and serverless application concepts.

Next, you can use AWS Serverless Application Repository to deploy ready to use Apps that go beyond hello world samples and learn how authors developed their applications: AWS Serverless Application Repository main page