Cherwell Service Management Connector on the AWS Cloud on AWS

Partner Solution Deployment Guide

QS

August 2023
Brian Terry, Segment PSA, AWS Cloud Management Tool
Tony Vattathil, AWS Integration & Automation team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.

This Partner Solution was created by Cherwell in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Overview

This guide covers the information you need to deploy the Cherwell Service Management Connector on the AWS Cloud Partner Solution in the AWS Cloud.

This Partner Solution reference deployment guide provides step-by-step instructions for deploying Cherwell Service Management connector on the AWS Cloud. The connector creates a reliable and fault-tolerant integration point between your AWS account and your Cherwell Service Management system.

Cherwell Service Management connector on AWS

By launching this Partner Solution in your AWS environment, you will be able to deploy AWS Service Catalog products, monitor AWS resources, and run AWS Systems Manager Automation documents (SSM Automation documents) from your Cherwell Service Management system.

The Partner Solution architecture extends your current IT management and asset tracking process into your AWS account, to provide compliance, governance, and auto-remediation. From the Cherwell service portal, Cherwell users can request approved and tested AWS Service Catalog products, estimate the cost of each product, and view the current status of their request. When approved, products are automatically added to the user’s Cherwell Configuration Management Database (CMDB).

The Partner Solution also creates an Amazon Simple Notification Service (Amazon SNS) topic. When you associate the SNS topic with an Amazon CloudWatch alarm, it will deliver CloudWatch alarm notifications to your Cherwell Incident Management console. Finally, from the Cherwell Service Management system, you can view and run SSM Automation documents to auto-remediate known issues within your AWS account.

Costs and licenses

There is no cost to use this Partner Solution, but you will be billed for any AWS services or resources that this Partner Solution deploys. For more information, refer to the AWS Partner Solution General Information Guide.

The AWS CloudFormation template for this Partner Solution includes configuration parameters that you can customize. Some of these settings, such as enabling AWS Config, will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.

Tip After you deploy the Partner Solution, we recommend that you enable the AWS Cost and Usage Report to track costs associated with the Partner Solution. This report delivers billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. It provides cost estimates based on usage throughout each month, and finalizes the data at the end of the month. For more information about the report, see the AWS documentation.

To use this Partner Solution, you must have an environment with Cherwell Service Management platform version 9.4.0 or 9.5.0 and Cherwell content version 9.3.1, 9.3.2, 9.4.0, or 9.5. Visit the Cherwell website for more information about deployment and licensing.

Architecture

Deploying this Partner Solution with default parameters builds the following Cherwell Service Management connector environment in the AWS Cloud.

Architecture
Figure 1. Partner Solution architecture for Cherwell Service Management Connector on AWS

As shown in Figure 1, this Partner Solution sets up the following:

  • A highly available, serverless architecture.

  • An SNS topic that delivers CloudWatch alarm events to the Cherwell Incident Management console.

  • AWS Config and AWS Config rules in your AWS Region to monitor:

  • Storage encryption for Amazon Elastic Block Store (Amazon EBS), Amazon S3, and Amazon Relational Database Service (Amazon RDS)

  • AWS Identity and Access Management (IAM) password policy

  • Root account multi-factor authentication (MFA)

  • Amazon S3 public read and write

  • Insecure security group rules

  • Three Lambda functions:

    • An incident Lambda function that processes the CloudWatch notification and forwards it to the Cherwell Incident Management console.

    • A CMDB Lambda function that publishes AWS Config information to the Cherwell Service Management system. This function creates or updates AWS resources within the Cherwell CMDB and pushes non-compliant AWS Config rules to the Cherwell Incident Management console.

    • A cost estimate Lambda function that analyzes an AWS CloudFormation template and returns a URL estimating the monthly cost of deploying the infrastructure to the AWS Simple Monthly Calculator.

  • An AWS Service Catalog portfolio with sample products that your Cherwell users can request to provision from the Cherwell Service Catalog.

  • Amazon API Gateway with REST endpoints that are consumed by the Cherwell Service Management system.

Notes AWS Config uses a configuration recorder to continually record changes to your AWS resources, delivering notifications and updated states through a delivery channel.

AWS Config currently allows only one configuration recorder and one delivery channel per region per AWS account. If prior to launching this Quick Start you have already enabled AWS Config in the same region, you must set the parameter Deploy AWS Config Support to False.

Deployment options

This Partner Solution provides the following deployment option:

Predeployment steps

Cherwell mApp software

To take advantage of the architecture created by this Partner Solution, you must have Cherwell Service Management platform version 9.5 and install the AWS Cloud Management mApp from the Cherwell mApp Exchange. For instructions, see step 4 of the deployment steps.

The Cherwell mApp Exchange is a community-driven online marketplace where Cherwell customers and partners share and obtain pre-built applications or methods of integration that can be added to their Cherwell Service Management implementations.

Mergeable applications (mApp) use a patented packaging technique for content that is merged into the Cherwell platform. This unique approach enables easy reuse and sharing of integrations, extensions, and orchestration packs that complement and enhance the Cherwell Service Management solution.

The AWS Cloud Management mApp contains definitions and data that will be merged into your existing Cherwell Service Management installation to create a communication channel between your Cherwell Service Management system and AWS account.

Cherwell REST APIs

The Lambda functions in this architecture use the Cherwell REST APIs. Cherwell REST APIs provide programmatic access to many Cherwell Service Management functions through HTTP-based RESTful APIs. For information about completing the Cherwell Configuration parameters in step 2 of the deployment steps, see the AWS Cloud Management mApp documentation on the Cherwell website.

Deployment steps

  1. Sign in to your AWS account, and launch this Partner Solution, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template.

  2. Choose the correct AWS Region, and then choose Next.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

    Unless you’re customizing the Partner Solution templates or are instructed otherwise in this guide’s Predeployment section, don’t change the default settings for the following parameters: QSS3BucketName, QSS3BucketRegion, and QSS3KeyPrefix. Changing the values of these parameters will modify code references that point to the Amazon Simple Storage Service (Amazon S3) bucket name and key prefix. For more information, refer to the AWS Partner Solutions Contributor’s Guide.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates AWS Identity and Access Management (IAM) resources that might require the ability to automatically expand macros.

  7. Choose Create stack. The stack takes about 15 minutes to deploy.

  8. Monitor the stack’s status, and when the status is CREATE_COMPLETE, the Cherwell Service Management Connector on the AWS Cloud deployment is ready.

  9. To view the created resources, choose the Outputs tab.

Postdeployment steps

Locate the API key for Cherwell API calls

After you have successfully deployed the Quick Start, you can configure the AWS Cloud Management mApp. The mApp requires an API Gateway endpoint URL and an API key. Figure 2 shows the Outputs tab in the AWS CloudFormation console, which displays the API Gateway endpoint URL for configuring the mApp.

Postdeploy
Figure 2. Outputs tab after deployment

Figure 2: Outputs tab after deployment

The Outputs tab displays these keys:

  • APIKey is the API key you will use to configure the AWS Cloud Management mApp.

  • IncidentSNSTopic is the name of the SNS incident topic. When you associate this topic with a CloudWatch alarm, it will deliver notifications to your Cherwell Incident Management console.

  • ServiceEndPoint is the API Gateway endpoint URL you will need for configuring the AWS Cloud Management mApp.

To locate the API key:

  1. Sign in to the AWS Management Console and open the API Gateway console at https://console.aws.amazon.com/apigateway/.

  2. In the API Gateway main navigation pane, choose API Keys.

  3. Under API Keys, select the key that matches the APIKey displayed in the Outputs tab in the AWS CloudFormation console.

  4. Choose Show. The API key will be shown in the console, as illustrated in Figure 3.

Postdeploy
Figure 3. API Key ID

Configure the AWS Cloud Management mApp

To get the AWS Cloud Management mApp and merge it into your Cherwell environment, follow the instructions in the AWS Cloud Management mApp documentation, which is available in the Cherwell mApp Exchange.

Downloading the mApp requires signing up for community membership, which is free.

Security

Amazon API Gateway security

The API Gateway API created in the solution is protected by incorporating an API access key. This prevents unauthorized API calls. The API Gateway API can be further secured by restricting the caller’s IP address to your Cherwell Service Management system’s IP address, or by enabling AWS WAF. For more information on securing the API Gateway endpoint in this solution, see the API Gateway documentation.

AWS Service Catalog security

This Quick Start creates an AWS Service Catalog portfolio with sample products that your Cherwell users can request to launch. Permissions to launch products are abstracted by using launch constraints. A launch constraint specifies the IAM role that AWS Service Catalog assumes when a user launches a product. The launch constraints in this solution are provided as an example. We recommend that you review the constraints in the AWS Service Catalog console before you enable this solution in your production environment.

Troubleshooting

For troubleshooting common Partner Solution issues, refer to the AWS Partner Solution General Information Guide and Troubleshooting CloudFormation.

Cherwell documentation

Cherwell mApp page

Customer responsibility

After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.