Running pre-boot, post-provisioning vRO workflows in vRA.

Note: As this is more of a reminder for myself so i don’t forget next time, don’t expect too much fluff.

Last week i needed to demonstrate how to temporarily enable firewall rules using the NSX DFW for a customer use case that is pretty serious about zero trust policies. Specifically, both the VM and the guest OS required certain ports to be opened to access some administrative and deployment services, but during deployment of the system only. We have two workflows, one that adds a security tag to the machine, and another that removes it. Initially we used the buildingmachine POST and machineprovisioned PRE state to run the tag assignment workflow, and the machineprovisioned POST to remove it. However, as it turns out the machineprovisioned PRE state happens after the operating system has been sysprepped, which means it was too late for our use case.

After some time looking in the documentation, it turns out there’s a OnCloneMachineComplete (for cloning) and OnCreatingMachineComplete (for basic virtual machines) event which can be used as the lifecycle event in the vRA EBS. I don’t have any screenshots to show you, but if you’re familiar with the EBS you shouldn’t have any issues finding it. Suffice to say, our machine was configured with a security tag directly after the VM object was created in vSphere before the first power on, and the tag was removed directly after installation in the POST Machineprovisioned lifecycle.

Use this in whatever way you want, i’m sure people can come up with a lot of amazing use cases.