Understanding how AWS Cloud Events create VNIC Endpoint CIs and relationships via CMP Response Mappings, and known issue with VNIC endpoints not retiring on delete eventsIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } VNIC endpoint CIs (cmdb_ci_endpoint_vnic) remain at operational_status = 1 (Operational) even after the parent NIC (cmdb_ci_nic) has been deleted in AWS and retired in CMDB.Large number of VNIC endpoint CIs accumulating with no status change.The "Implements endpoint to / Implemented endpoint from" relationship exists between NIC and VNIC, but the VNIC status does not reflect the NIC retirement. Symptoms<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } AWS event-based cloud discovery enabled (sn_cmp.cloud_event.use_response_mapping_aws = true)VNIC endpoints do not retire on delete events Facts<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } How VNIC endpoints and relationships are created When sn_cmp.cloud_event.use_response_mapping_aws is enabled (default: true), AWS cloud events are processed through the response mapping framework. The system resolves the AWS resource type (e.g., AWS::EC2::NetworkInterface) to a CI class (e.g., cmdb_ci_nic) via sn_capi_resource_type, then uses the corresponding sn_cmp_response_mapping records to create the CI, its endpoint, and the relationship between them. The relationship type is determined by the binding_type field on the mapping record in this case "implement", which creates an "Implements endpoint to / Implemented endpoint from" relationship. Processing flow: On processEvent() in AWSEventHandler, we check if the response mapping property (sn_cmp.cloud_event.use_response_mapping_aws) is enabled (default: true).We resolve the AWS resource type to cmdb_ci_nic via sn_capi_resource_type and confirm mapping records exist in the sn_cmp_response_mapping table.The configurationItem is extracted from the SNS message. A ResponseProcessor scoped to the AWS account, region, and "Cloud Event" datasource fetches all sn_cmp_response_mapping records for cmdb_ci_nic / "Cloud Event" and processes identification and attributes for the NIC CI.The system then queries for attribute_value_type = "binding" records and finds a record in sn_cmp_response_mapping with binding_endpoint = cmdb_ci_endpoint_vnic and datasource_for_mappings = "Event NIC Payload". Mapping record: https://<instance-name>.service-now.com/sn_cmp_response_mapping.do?sys_id=06ae0347870103008de7483cf6cb0b7eUsing the "Event NIC Payload" datasource, the system builds the VNIC endpoint CI with object_id, name, operational_status, and install_status from the event payload. It reads binding_type = "implement" and attaches the VNIC endpoint to the parent NIC's bindings array. ResponseProcessor Script Include: https://<instance-name>.service-now.com/sys_script_include.do?sys_id=d93bc3359fc3220048111f80a57fcf30CloudModelProcessorScript.updateCIs() submits the payload to IRE, which creates/updates the cmdb_ci_endpoint_vnic record and creates a cmdb_rel_ci record linking the NIC to the VNIC endpoint with "Implements endpoint to / Implemented endpoint from" relationship type. Why VNIC endpoints do not retire on delete events (affected versions) When AWS Config sends a deletion event, it sets configuration = null in the payload. In affected versions, the object_id response mapping for cmdb_ci_endpoint_vnic (datasource: "Event NIC Payload") uses source_field = configuration.networkInterfaceId. Since configuration is null on deletion events, this source field returns nothing, the VNIC endpoint identification fails silently, and the entire endpoint update is skipped. Additionally, no response mapping records existed for operational_status or install_status on cmdb_ci_endpoint_vnic with the "Event NIC Payload" datasource, so even if identification succeeded, no retirement values would be set. Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The PRB1677348 fix is released as part of Australia release Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Permanent fix Upgrade to the Australia release or later. The fix includes three changes to sn_cmp_response_mapping records:on the PRB1677348 ChangeRecord sys_idDescriptionModified31dfc747870103008de7483cf6cb0be0Changed source_field from configuration.networkInterfaceId to resourceId (a top-level field available on deletion events). Updated script with null safety check on sourceFieldValue.Added511acb0693a7221072ddf66fa803d6e2New scripted mapping for operational_status: returns 6 (Retired) when configurationItemStatus == 'ResourceDeleted', otherwise 1 (Operational).Added9d51960233a72210f3b6d9a32d5c7b1aNew scripted mapping for install_status: returns 7 (Retired) when configurationItemStatus == 'ResourceDeleted', otherwise 1 (Installed). Workaround for affected versions The three response mapping XML files which are attached from the Australia fix can be imported on the affected instance.For the pre-effected records:=> If pattern based cloud discovery is already configured should resolve the issue on the discovery run.=> If not we need a manual intervention to update the records to retired state.