Deploy with Terraform¶
Use this method if your team already has Terraform pipelines, or if you manage multi-cloud infrastructure with Terraform.
PowerShell scripts still required
Terraform handles the Azure resource deployment. PowerShell scripts in deploy/scripts/ are still used for pre-deploy and post-deploy steps (MI, KV API connection, KV firewall, Action Group, enable).
Prerequisites¶
- Terraform ≥ 1.5:
- PowerShell 7+ with Az module:
- Azure CLI (for pre/post steps):
- ServiceNow instance or PDI (admin access for Business Rule setup)
One-Command Deploy¶
.\deploy\scripts\Deploy-Solution.ps1 `
-ResourceGroupName rg-azure-monitor-itsm `
-Location eastus `
-SnowInstanceUrl https://dev123456.service-now.com `
-SnowUsername azure_monitor_svc `
-DeploymentMethod Terraform
Pass -SnowPassword (ConvertTo-SecureString $env:SNOW_PW -AsPlainText -Force) for unattended / CI runs.
Pass -SkipTest to skip the end-to-end smoke test.
Manual Step-by-Step¶
# 1. Create prerequisites: resource group, MI, RBAC, KV API connection
.\deploy\scripts\New-Prerequisites.ps1 -ResourceGroupName rg-azure-monitor-itsm -Location eastus
# 2. Create Key Vault and store SNOW credentials
.\deploy\scripts\Set-KeyVaultSecrets.ps1 `
-ResourceGroupName rg-azure-monitor-itsm `
-SnowInstanceUrl https://dev123456.service-now.com `
-SnowUsername azure_monitor_svc
# 3. Deploy resources via Terraform
cd deploy/terraform
terraform init
export TF_VAR_snow_instance_url=https://dev123456.service-now.com
export TF_VAR_snow_username=azure_monitor_svc
export TF_VAR_snow_password=<your-password>
terraform plan -var="resource_group_name=rg-azure-monitor-itsm"
terraform apply -var="resource_group_name=rg-azure-monitor-itsm"
# 4. Restrict Key Vault firewall to Logic App outbound IPs only
.\deploy\scripts\Set-KeyVaultFirewall.ps1 -ResourceGroupName rg-azure-monitor-itsm
# 5. Create Action Group
.\deploy\scripts\New-ActionGroup.ps1 -ResourceGroupName rg-azure-monitor-itsm
# 6. Enable both Logic Apps
.\deploy\scripts\Enable-LogicApps.ps1 -ResourceGroupName rg-azure-monitor-itsm
Logic Apps deploy disabled
Both Logic Apps deploy in Disabled state. They remain disabled until you explicitly run Enable-LogicApps.ps1 after all configuration is complete.
Key Vault connection name
The API connection itsm-keyvault-connection-mi is referenced by name inside the Logic App ARM templates. The Terraform module sets this name — do not override it.
Terraform Variables Reference¶
| Variable | Default | Description |
|---|---|---|
resource_group_name |
rg-azure-monitor-itsm |
Resource group to deploy into |
location |
eastus |
Azure region |
managed_identity_name |
ITSM-MI |
User-assigned managed identity name |
key_vault_name |
itsm-kv |
Key Vault name (must be globally unique) |
kv_connection_name |
itsm-keyvault-connection-mi |
API connection name — do not change |
alert_logic_app_name |
Azure-Monitor-Alert-ITSM-HTTP-API |
Alert Logic App name |
close_logic_app_name |
Azure-Monitor-Close-ITSM-HTTP-API |
Close Logic App name |
action_group_name |
ag-azure-monitor-itsm |
Action Group name |
Set TF_VAR_* environment variables or a terraform.tfvars file for non-default values.
Remote State Configuration¶
For team use, configure Terraform remote state in Azure Storage:
# deploy/terraform/backend.tf
terraform {
backend "azurerm" {
resource_group_name = "rg-terraform-state"
storage_account_name = "tfstate<unique-suffix>"
container_name = "tfstate"
key = "azure-monitor-itsm.tfstate"
}
}
Initialize with:
terraform init \
-backend-config="resource_group_name=rg-terraform-state" \
-backend-config="storage_account_name=tfstate<unique-suffix>"
Verify¶
Next Steps¶
- Customize SNOW fields in the Logic App designer (company, assignment_group, caller_id) — see Step 8–9 in John Joyner's Guide
- Configure SNOW Business Rule — see Step 13 in John Joyner's Guide (manual SNOW-side step)
- Enable Secure Inputs/Outputs and Access Control — see Step 14
- Associate Action Group with alert rules — see the Deployment Overview