Automating vCenter inventory configuration

For one of my customers I had to come up with a solution to automate the vCenter inventory creation. The solution needed to:

  • Support multiple vCenters
  • Standardise the vCenter inventory configuration
  • Support multiple vCenter environments, e.g. Production, Lab
  • Apply environment-specific vCenter permissions, since each environment uses different AD groups
  • Let engineers without extensive PowerCLI knowledge make changes to the vCenter configuration
  • Support regular changes, e.g. additional folders, permissions

A static PowerCLI script would not have been very useful, so I had to come up with a different solution. Instead, I stored the configuration data in a JSON file, which is then imported and used to create the vCenter inventory.

The JSON file is structured in such a way that the VM folder structure and roles are identical across all vCenters regardless of the environment. The permissions are environment specific: each environment uses its own set of AD groups to configure the permissions on the vCenter inventory structure. Datacenters, clusters and vDswitches are vCenter specific. Because the configuration data is stored in the JSON file, only this file needs to be updated when vCenter inventory modifications are needed. This removes the need for PowerCLI knowledge and makes it easy for the operational teams to implement the modifications.

The JSON file consists of the following elements, which are discussed in more detail below:

  • Folders
  • Roles
  • Permissions
  • vCenters
  • Settings

Folders

The Folders section contains an array of folder items. The folder structure will be identical across all vCenters and environments. Each folder element consists of:

  • Name: Name of the folder
  • Type: Contains the type of vCenter folder to create, e.g. VM/HostAndCluster/Storage/Network/Datacenter.
  • Level: Contains the level number at which the folder needs to be created. Top-level folders start at number 2. The script has been created with 2 folder levels in mind.
  • Parent: Contains an array of folder names in which this folder needs to be created. A new folder will be created in each of the specified parent folders.

"Folders": [
    {
        "Name": "<Folder Name A>",
        "Type": "VM",
        "level": "<2/3>",
        "Parent": []
    },
    {
        "Name": "<Folder Name B>",
        "Type": "VM",
        "level": "<2/3>",
        "Parent": [
            "Folder Name A",
            "Folder Name C"
        ]
    },
    <...>
]

Roles

The Roles section contains the information required to create the vCenter server roles. Each role requires a name and an array of the privilege IDs needed for this role. You can get the privilege IDs from an existing role by executing Get-VIRole -Name <roleName> | Get-VIPrivilege | select id.

"Roles": [
    {
        "Name": "Homelab - VMadmin",
        "PrivilegeIDs": [
            "System.Anonymous",
            "System.View",
            "System.Read",
            "VirtualMachine.Interact.PowerOn",
            "VirtualMachine.Interact.PowerOff",
            "VirtualMachine.Interact.Reset",
            "VirtualMachine.Interact.AnswerQuestion",
            "VirtualMachine.Interact.ConsoleInteract",
            "VirtualMachine.Interact.DeviceConnection",
            "VirtualMachine.Interact.SetCDMedia",
            "VirtualMachine.Interact.SetFloppyMedia",
            "VirtualMachine.Interact.ToolsInstall"
        ]
    },
    {
        "Name": "Homelab - VMadminNoReboot",
        "PrivilegeIDs": [
            "System.Anonymous",
            "System.View",
            "System.Read",
            "VirtualMachine.Interact.PowerOn",
            "VirtualMachine.Interact.AnswerQuestion",
            "VirtualMachine.Interact.ConsoleInteract",
            "VirtualMachine.Interact.DeviceConnection",
            "VirtualMachine.Interact.SetCDMedia",
            "VirtualMachine.Interact.SetFloppyMedia",
            "VirtualMachine.Interact.ToolsInstall"
        ]
    },
    {
        "Name": "Homelab - VMware LogInsight user",
        "PrivilegeIDs": [
            "System.Anonymous",
            "System.View",
            "System.Read"
        ]
    },
    <...>
]

Permissions

The permissions section contains the data required to configure the permissions on the different inventory items. Each item of the permissions array looks as follows:

"Permissions": [
    {
        "InventoryItem": "<Inventory item name>",
        "ItemType": "<vCenter/Datacenter/vmFolder>",
        "Parent": "<Parent Name>",
        "level": "<# level>",
        "ItemPermissions": [
            {
                "AdGroup": "<AD Group Name A>",
                "Environment": "<Production/Design>",
                "AdDomain": "<AD Domain>",
                "Role": "<vCenter role name 1>",
                "Propagate": <true/false>
            },
            {
                "AdGroup": "<AD Group Name B>",
                "Environment": "<Production/Design>",
                "AdDomain": "<AD Domain>",
                "Role": "<vCenter role name 2>",
                "Propagate": <true/false>
            }
        ]
    }
]

Each inventory item requiring permissions needs to be added to the permissions JSON array. Each of these permissions array elements consists of the following items:

  • Inventory item: The name of the item on which the permissions need to be configured. This can be the name of a vCenter, Datacenter or vmFolder.
  • Item Type: The type of item on which the permissions need to be configured. This can be vCenter, Datacenter or vmFolder. Other item types have not been implemented.
  • Parent:
    • Parent can be empty in case the item is vCenter.
    • Parent contains “vCenter” in case item type is datacenter.
    • Parent contains “Datacenter” in case the item is a top level vmFolder.
    • Parent needs to contain the name of the parent vmFolder when it is a subfolder of a top level vmFolder.
  • Level: Contains a number indicating the item's structure level.
    • vCenter = 0
    • Datacenter = 1
    • Top level vmFolder = 2
    • Sublevel vmFolder = 3
  • Item Permissions: This contains an array of items listing the permissions that need to be applied to the item. Each array element contains the following information.
    • AD group: Name of the AD group that needs to be granted permissions on the item
    • Environment: Indicates in which environment the permissions need to be granted.
    • AD Domain: AD domain in which the AD group is located
    • Role: The vCenter role that needs to be used to assign the permissions
  • Propagate (set on each Item Permissions entry):
    • True: The permissions will be propagated to the underlying inventory items.
    • False: The permission will not be propagated to the underlying inventory items. The AD group will not have any permission on the child items, unless configured separately.
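
One way to lint the Roles and Permissions sections before the script applies them, as an added example rather than code from the repository linked on this page. The function name Test-PermissionConfig and the sample group, domain and folder names are assumptions, and the sample data is constructed.

```powershell
# Constructed sample config; group, domain and folder names are placeholders.
$json = @'
{ "Roles": [ { "Name": "Homelab - VMadmin", "PrivilegeIDs": ["System.View", "System.Read"] } ],
  "Permissions": [
    { "InventoryItem": "Folder A", "ItemType": "vmFolder", "Parent": "Datacenter", "level": "2",
      "ItemPermissions": [
        { "AdGroup": "GRP-A", "Environment": "Production", "AdDomain": "EXAMPLE",
          "Role": "Homelab - VMadmin", "Propagate": true },
        { "AdGroup": "GRP-B", "Environment": "Lab", "AdDomain": "EXAMPLE",
          "Role": "Homelab - VMadmn", "Propagate": "false" } ] } ] }
'@

# Hypothetical helper: returns one finding string per problem, nothing if the config is clean.
function Test-PermissionConfig {
    param([Parameter(Mandatory)] $Config)
    $roleNames     = @($Config.Roles.Name)
    $levelsByType  = @{ vCenter = @(0); Datacenter = @(1); vmFolder = @(2, 3) }
    $parentByLevel = @{ 1 = 'vCenter'; 2 = 'Datacenter' }
    foreach ($item in $Config.Permissions) {
        $target = "$($item.ItemType) '$($item.InventoryItem)'"
        $level  = [int]$item.level
        if ($item.ItemType -notin $levelsByType.Keys) {
            "${target}: item type is not implemented"
        } elseif ($level -notin $levelsByType[$item.ItemType]) {
            "${target}: level $level does not match the item type"
        } elseif ($parentByLevel.ContainsKey($level) -and $item.Parent -ne $parentByLevel[$level]) {
            "${target}: Parent must be '$($parentByLevel[$level])' at level $level"
        }
        foreach ($entry in $item.ItemPermissions) {
            # A misspelled role name would otherwise only surface when the permission is applied.
            if ($entry.Role -notin $roleNames) {
                "${target}: role '$($entry.Role)' for $($entry.AdGroup) is not defined under Roles"
            }
            # A quoted "false" is a non-empty string, which PowerShell treats as $true in a condition.
            if ($entry.Propagate -isnot [bool]) {
                "${target}: Propagate for $($entry.AdGroup) must be true or false without quotes"
            }
        }
    }
}

$findings = @(Test-PermissionConfig -Config ($json | ConvertFrom-Json))
$findings
```

Running a check like this on every change to the JSON file catches role typos and quoted booleans before any permission is granted in vCenter.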

vCenters

The vCenters section contains an element for each vCenter. Each vCenter element consists of four sections:

  • vCenter specific information
  • DvSwitches
    • The vLANgroups array element lets you specify multiple portgroup name prefixes. For each vLANgroup element in the array the script will iterate over the vLANs and/or vLAN ranges specified and will create a dedicated portgroup.
  • Clusters
  • Datastore clusters

Each of these parts contains the data required to create the vCenter specific inventory items. The DvSwitches, Clusters and Datastore clusters will create empty vCenter elements; no hosts, VMs or datastores will be linked to them.

"vCenters": [
    {
        "<vcenter hostname>": [
            {
                "Datacenter": "<Physical datacenter name>",
                "Site": "<Physical datacenter site>",
                "Domain": "<vCenter domain name eg. homelab.local>",
                "Environment": "<vCenter Environment eg. Production, Design, Lab>",
                "Country": "<Country>",
                "PSC": "<PSC FQDN>",
                "vDataCenters": [<list of vCenter datacenters separated by commas>],
                "DvSwitches": [
                    {
                        "Name": "<DvSwitch name>",
                        "Datacenter": "<vDatacenter name in which it needs to be created>",
                        "NumOfUplinks": "<# of uplinks>",
                        "LinkDiscoveryProtocol": "<CDP/LLDP>",
                        "LinkDiscoveryProtocolOperation": "<listen/advertise/both>",
                        "Version": "<DvSwitch version eg. 6.5.0>",
                        "mtu": "<MTU size>",
                        "TeamingPolicy": "",
                        "vLANgroups": [
                            {
                                "Name": "<Portgroup name prefix. The VLANID will be added to create the full portgroup name.>",
                                "GroupType": "<Portgroup type identifier eg. LAN, used to distinguish between multiple types of portgroups>",
                                "vlanType": "VLANID",
                                "vLANs": "<vlan IDs separated by commas, vlan ranges can be supplied with a '-' eg. 1000,1001,1002-1010>",
                                "LoadBalancingPolicy": "<Loadbalancing mechanism>"
                            },
                            {
                                "Name": "<Portgroup name prefix. The VLANID will be added to create the full portgroup name.>",
                                "GroupType": "<Portgroup type identifier eg. BACKUP, used to distinguish between multiple types of portgroups>",
                                "vlanType": "VLANID",
                                "vLANs": "<vlan IDs separated by commas, vlan ranges can be supplied with a '-' eg. 2000,2001,2002-2010>",
                                "LoadBalancingPolicy": "<Loadbalancing mechanism>"
                            }
                        ]
                    }
                ],
                "Clusters": [
                    {
                        "Name": "<Cluster name>",
                        "Datacenter": "<Parent datacenter name>",
                        "EVCmode": "<EVC mode>",
                        "HAEnabled": <true/false>,
                        "HAAdmissionControlEnabled": <true/false>,
                        "HAFailoverLevel": "1",
                        "HAIsolationResponse": "",
                        "DrsEnabled": <true/false>,
                        "DrsAutomationLevel": "<DRS automation level eg. FullyAutomated>"
                    }
                ],
                "DatastoreClusters": [
                    {
                        "Name": "<Datastore cluster name>",
                        "Datacenter": "<Parent datacenter>",
                        "SDRS": <true/false>,
                        "IOLoadBalanceEnabled": <true/false>,
                        "SdrsAutomationLevel": "Enabled/Disabled"
                    }
                ]
            }
        ]
    }
]
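
The vLANs expansion described for vLANgroups, as an added example that is not the script from the repository linked on this page. The function names Expand-VlanSpec and Get-PortgroupName, the PG-LAN- prefix and the 1-4094 bounds check are assumptions; the sample element is constructed.

```powershell
# Hypothetical helper: turn "1000,1001,1002-1010" into a sorted list of unique vLAN IDs.
function Expand-VlanSpec {
    param([Parameter(Mandatory)][string] $Spec)
    $ids = foreach ($part in ($Spec -split ',')) {
        $part = $part.Trim()
        if ($part -match '^(\d+)-(\d+)$') {
            $first = [int]$Matches[1]
            $last  = [int]$Matches[2]
            if ($first -gt $last) { throw "Range '$part' is reversed" }
            $first..$last
        } elseif ($part -match '^\d+$') {
            [int]$part
        } else {
            # Empty entries (trailing comma) and stray text end up here.
            throw "Invalid vLAN entry '$part'"
        }
    }
    foreach ($id in $ids) {
        # Assumption: only usable 802.1Q IDs are accepted.
        if ($id -lt 1 -or $id -gt 4094) { throw "vLAN ID $id is outside 1-4094" }
    }
    $ids | Sort-Object -Unique
}

# Hypothetical helper: one object per portgroup, named <prefix><vLAN ID> as the page describes.
function Get-PortgroupName {
    param([Parameter(Mandatory)] $VlanGroup)
    foreach ($id in (Expand-VlanSpec -Spec $VlanGroup.vLANs)) {
        [pscustomobject]@{
            Name      = "$($VlanGroup.Name)$id"
            VlanId    = $id
            GroupType = $VlanGroup.GroupType
        }
    }
}

# Constructed vLANgroup element; the prefix is a placeholder.
$group = '{ "Name": "PG-LAN-", "GroupType": "LAN", "vlanType": "VLANID", "vLANs": "1000,1001,1002-1004" }' |
    ConvertFrom-Json
Get-PortgroupName -VlanGroup $group
```

Rejecting malformed entries up front means a typo in the vLANs string stops the run instead of creating portgroups on unintended vLANs.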

Settings

The Settings section contains a number of (advanced) vCenter settings which will be configured on each vCenter.

"Settings": [
    {
        "vCenter": [
            {
                "StatisticslevelPastDay": "4",
                "StatisticslevelPastWeek": "4",
                "StatisticslevelPastMonth": "4",
                "StatisticslevelPastYear": "4",
                "task_maxAgeEnabled": true,
                "task_maxAge": "90",
                "event_maxAgeEnabled": true,
                "event_maxAge": "90",
                "config_log_outputToSyslog": true,
                "config_log_level": "info"
            }
        ]
    }
]

The script and JSON file can be found at https://github.com/svermoes/Automate-vCenter-configuration. The supplied JSON file is empty and needs to be adapted to align with your environment before it can be used.
