Running Tripwire Security Scan with REST call

I was asked to initiate a Tripwire scan on all VMs deployed by vRealize Automation. This requirement came from a compliance audit finding. After some talks with the Tripwire team, we decided on an approach: assign a tag to the host in Tripwire, which forces an initial VM scan.

The VM is registered in Tripwire during agent installation; this is handled by SCCM, Salt or Ansible, depending on the underlying operating system.

Additionally, for the code to work you will have to create a REST endpoint for the Tripwire host using basic authentication. In my case the URL is just the Tripwire server FQDN over HTTPS.

First we have to find the VM ID in Tripwire. I'm in the lucky situation that all VM names are unique across all vCenters. Each VM name is equal to the hostname part of its FQDN. Therefore the vSphere VM name will be used to find the asset in Tripwire.

//INPUTS:
//restHost <REST:RESTHost>: Tripwire vRO endpoint (basic authentication)
//hostname <String>: vSphere vmname
var operationUrl = "/assetview/api/assets";
var request = restHost.createRequest("GET", operationUrl);
request.setHeader("Content-Type", "application/json");
request.setHeader("Accept", "application/json");
var response = request.execute();
//Evaluate response
var found = false;
var id = null;
if(response.statusCode < 400){
	System.debug("Response Status Code: " + response.statusCode);
	var devices = JSON.parse(response.contentAsString)["computing-device"];
	//compare short hostnames only, case-insensitively
	var wanted = hostname.split(".")[0].toLowerCase();
	for each (var device in devices){
		var curHostname = device["hostname"].split(".")[0].toLowerCase();
		//exact match: a prefix match (indexOf == 0) would also accept e.g. "web010" for "web01"
		if (curHostname == wanted){
			found = true;
			id = device["synthetic-id"][0]["@id"];
			System.log("Found hostname: " + hostname);
			System.log("id: " + id);
			break;
		}
	}
	if(!found){
		//did not find the VM
		throw "Error: can't find the VM " + hostname + " in Tripwire.";
	}
}
else {
	throw "Error invoking REST call - Url: " + operationUrl + ", returned Status Code: " + response.statusCode + ", response: " + response.contentAsString;
}
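As an added example (not code from the original post), the same asset lookup as plain JavaScript that runs outside vRO. It goes one step beyond the post: it compares the short hostname exactly and refuses ambiguous results, so the tag, and the scan it triggers, cannot land on the wrong asset. The field names ("computing-device", "hostname", "synthetic-id", "@id") mirror what the vRO code above reads; the asset list is constructed sample data.

```javascript
// Added example, not from the original post: resolve a Tripwire asset id from a
// vSphere VM name. The payload below is constructed to look like the fields the
// post's vRO code reads from /assetview/api/assets.
const sampleAssetView = {
  "computing-device": [
    { "hostname": "web01.corp.example",  "synthetic-id": [{ "@id": "asset-1001" }] },
    { "hostname": "WEB010.corp.example", "synthetic-id": [{ "@id": "asset-1002" }] },
    { "hostname": "db01.corp.example",   "synthetic-id": [{ "@id": "asset-2001" }] },
    { "hostname": "db01.lab.example",    "synthetic-id": [{ "@id": "asset-2002" }] }
  ]
};

// Short, lower-cased hostname: "WEB010.corp.example" -> "web010"
function shortName(fqdn) {
  return String(fqdn).split(".")[0].toLowerCase();
}

// Returns the single matching asset id; throws when nothing or more than one asset matches,
// because tagging the wrong asset would leave the real VM unscanned.
function findAssetId(assetView, vmName) {
  const wanted = shortName(vmName);
  const matches = (assetView["computing-device"] || [])
    .filter(d => shortName(d.hostname) === wanted)
    .map(d => d["synthetic-id"][0]["@id"]);
  if (matches.length === 0) {
    throw new Error("VM " + vmName + " not found in Tripwire");
  }
  if (matches.length > 1) {
    throw new Error("VM name " + vmName + " is ambiguous: " + matches.join(", "));
  }
  return matches[0];
}

// How many assets a prefix comparison (indexOf(name) === 0) would have accepted;
// shows why "web01" must not be matched by prefix when "web010" also exists.
function prefixMatchCount(assetView, vmName) {
  const wanted = shortName(vmName);
  return (assetView["computing-device"] || [])
    .filter(d => shortName(d.hostname).indexOf(wanted) === 0).length;
}
```

With the sample data, `findAssetId(sampleAssetView, "web01")` returns `asset-1001`, while `prefixMatchCount` shows that a prefix comparison would have accepted two assets for the same name.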

Delete Executed Orchestrator Scheduled Workflows

In my vRealize Orchestrator a lot of workflows are scheduled to be executed automatically in the future. Since I like keeping it clean, I have a workflow scheduled to run daily that cleans up all old executed workflows. This way my Scheduled Workflows tab in vRO is always clean.

Schedule settings

To use the code below you have to create a vRO REST endpoint with basic authentication and set it as a variable in the workflow.

/*
* INPUTS:
* vroHost <REST:RESTHost> - vRO rest endpoint with basic authentication
*/
var operationUrl = "/api/tasks";
var request = vroHost.createRequest("GET", operationUrl);
request.setHeader("Accept", "application/json");
request.setHeader("Content-Type", "application/json");
var response = request.execute();

if(response.statusCode >= 300){
	throw 'Error while trying to execute request! response.statusCode: ' + response.statusCode;
}
else {
	var tasks = JSON.parse(response.contentAsString);
	//every scheduled task is a link carrying its attributes (recurrenceCycle, state, ...)
	for each (var task in tasks.relations.link){
		var finished = false;
		var oneTime = false;
		for each (var attrib in task.attributes){
			if (attrib.name == "recurrenceCycle"){
				System.debug("recurrenceCycle: " + attrib.value);
				if(attrib.value == "one-time"){
					oneTime = true;
				}
			}
			if (attrib.name == "state"){
				System.debug("state: " + attrib.value);
				if(attrib.value == "finished"){
					finished = true;
				}
			}
		}
		//the task id is the last path segment of the href; length-2 because the href ends with a slash
		var id = task.href.split("/");
		id = id[id.length-2];
		//only one-time tasks that already ran are removed; recurring schedules stay
		if (finished && oneTime){
			System.warn("DELETE TASK: " + id);
			deleteTask(id);
		}
	}
}

function deleteTask(id){
	var deleteUrl = "/api/tasks/" + id;
	var deleteRequest = vroHost.createRequest("DELETE", deleteUrl);
	deleteRequest.setHeader("Accept", "application/json");
	deleteRequest.setHeader("Content-Type", "application/json");
	var deleteResponse = deleteRequest.execute();
	if(deleteResponse.statusCode >= 300){
		throw 'Error while trying to execute Delete request! response.statusCode: ' + deleteResponse.statusCode;
	}
	else {
		System.debug('Delete response.statusCode: ' + deleteResponse.statusCode);
	}
}

[Quick Hint] Suspend VM monitoring in Patrol with REST call

There are situations when your workflow will have to restart a VM. This post shows a way to disable VM monitoring in Patrol using a simple REST call. This way your monitoring team will not get a false positive alarm and you will avoid unnecessary emails 😉

Disable VM Monitoring:

/***
Inputs:
  patrol <REST:RESTHost> - Patrol web REST endpoint
  vmName <String> - Hostname
  sleepTime <Number> - Monitoring suspend time in sec
***/
//https://<patrolweb>/eadmin/suppress_host_bem.pl?host=<hostname>&until_ts=<time_in_sec>&action=add

System.debug("Suspend VM Monitoring...");
var operationUrl = "/eadmin/suppress_host_bem.pl?host={vmName}&until_ts={sleepTime}&action=add";
//URL-encode the inputs so they cannot add or alter query parameters
operationUrl = operationUrl.replace("{vmName}", encodeURIComponent(vmName));
operationUrl = operationUrl.replace("{sleepTime}", encodeURIComponent(String(sleepTime)));

var request = patrol.createRequest("GET", operationUrl);
request.setHeader("Content-Type", "application/json");
var response = request.execute();
if(response.statusCode > 399){
	throw 'Error: ' + response.contentAsString;
}
else {
	System.log(response.contentAsString);
}

Once you are done with all VM operations and restarts, you can enable monitoring again.

Enable VM Monitoring:

/***
Inputs:
  patrol <REST:RESTHost> - Patrol web REST endpoint
  vmName <String> - Hostname
***/
//https://<patrolweb>/eadmin/suppress_host_bem.pl?host=<hostname>&action=delete

System.debug("Resume VM Monitoring...");
var operationUrl = "/eadmin/suppress_host_bem.pl?host={vmName}&action=delete";
//URL-encode the hostname so it cannot add or alter query parameters
operationUrl = operationUrl.replace("{vmName}", encodeURIComponent(vmName));

var request = patrol.createRequest("GET", operationUrl);
request.setHeader("Content-Type", "application/json");
var response = request.execute();
if(response.statusCode > 399){
	throw 'Error: ' + response.contentAsString;
}
else {
	System.log(response.contentAsString);
}
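Both calls above put workflow inputs straight into a query string. As an added example (not code from the original post), here is a plain-JavaScript builder for that URL which validates the hostname and the suspend time before encoding them, so a value like `web01&action=delete` cannot turn a suppress request into an unsuppress one. The path and parameter names (`/eadmin/suppress_host_bem.pl`, `host`, `until_ts`, `action`) are the ones the post uses; the validation rules are this example's own assumptions.

```javascript
// Added example, not from the original post: build the Patrol suppress/unsuppress URL
// from validated, URL-encoded inputs. The hostname rule (DNS labels, optionally dotted)
// and the "positive integer seconds" rule for until_ts are assumptions of this example.
const HOSTNAME_RE = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

// action: "add" suspends monitoring (needs sleepTime), "delete" resumes it.
function buildSuppressUrl(vmName, sleepTime, action) {
  if (typeof vmName !== "string" || !HOSTNAME_RE.test(vmName)) {
    throw new Error("invalid hostname: " + vmName);
  }
  if (action !== "add" && action !== "delete") {
    throw new Error("action must be add or delete");
  }
  const params = ["host=" + encodeURIComponent(vmName)];
  if (action === "add") {
    // reject strings, floats, negatives: only a positive integer number of seconds is valid
    if (!Number.isInteger(sleepTime) || sleepTime <= 0) {
      throw new Error("sleepTime must be a positive integer number of seconds");
    }
    params.push("until_ts=" + sleepTime);
  }
  params.push("action=" + action);
  return "/eadmin/suppress_host_bem.pl?" + params.join("&");
}

// Convenience wrappers matching the two vRO scripts above
function suspendUrl(vmName, sleepTime) { return buildSuppressUrl(vmName, sleepTime, "add"); }
function resumeUrl(vmName) { return buildSuppressUrl(vmName, undefined, "delete"); }
```

In vRO the returned string would be passed to `patrol.createRequest("GET", ...)` exactly as in the scripts above; the point of the helper is that malformed input fails before any request leaves the workflow.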

[Quick Hint] How to get vRealize Orchestrator Scripting.log

If you want to debug a failing action on a custom form, there is no other way to do it but to get access to the vRO scripting.log file. But how can we do that if vRO is now hosted in a container running in a pod?

Start by logging in to your vRA instance with SSH. Once there, list all pods in the prelude namespace.

kubectl -n prelude get pods
vRA prelude namespace pods

You are looking for a pod name starting with vco-app-xxx. This pod hosts 3 containers. If you are interested in exactly how it is built, run:

kubectl describe pod/vco-app-c6588f4c5-wnf2z -n prelude

You will find three containers inside this pod: vco-polyglot-runner, vco-server-app and vco-controlcenter-app. We are interested in vco-server-app.

vRO Container

Now the trick is to access the container process with an interactive bash session. Run the following command and change the pod name (the container name at the end stays the same):

kubectl -n prelude exec -ti vco-app-c6588f4c5-wnf2z -c vco-server-app bash

Now you will see that your prompt has changed. You are in the vco-server-app container and you can run

tail -f /usr/lib/vco/app-server/logs/scripting.log

and the logs will start flowing. To exit, just hit CTRL+C and then type exit at the prompt, and you will be back in your vRA SSH session.

[Quick Hint] Working with AD in vRO with plugin and ldapClient

There are two ways to get data from AD in vRealize Orchestrator: with the plugin and with ldapClient. The native ldapClient is much more powerful but also a bit more complicated to use. In this short post I'll show you how to use both. First we will find a user's email for a known user account name, and next we will find a user account name based on their email. As we all know, one can bind the user name or email on a XaaS form in vRA quite easily.

Let's start with finding the user email for a known AD account name with the AD plugin. First we need to clean the user name that was passed from vRA. vRA passes the user name in the format user@domain; we need only the account name. The next step is to find the proper AD endpoint to work with. If your vRO has only one AD endpoint, you can just take the first one from the findAllHosts function like this: var adHosts = AD_HostManager.findAllHosts()[0];

For me it is a bit more complicated, therefore the second input to this action is the domain name I want to search in. Once we have the AD endpoint set, we can use the library function searchExactMatch to find the user. Using this function you can also search for groups, OUs or computer accounts; just change the first argument from "User" to "UserGroup", "OrganizationalUnit" or "ComputerAD" respectively. searchExactMatch returns an array, therefore we take only the first element here. User names should be unique 😉 Once you have an AD:User object you can get any of its attributes with the getAttribute function.

Working with vRO AD plugin FindUserEmail Example:

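For the ldapClient route, the search is driven by an LDAP filter string you assemble yourself, so the user@domain value from the vRA form must be split and escaped before it goes into that filter. As an added example (not code from the original post), the following plain JavaScript splits the UPN, applies RFC 4515 filter escaping, and builds the two filters the post needs (account name to email, email to account name). The attribute names sAMAccountName and mail are standard AD attributes and are assumptions of this example, not something the post specifies.

```javascript
// Added example, not from the original post: prepare vRA form input for a raw
// ldapClient search. Attribute names (sAMAccountName, mail, objectClass=user) are
// standard AD attributes assumed here; the post does not name the ones it uses.

// vRA passes "user@domain"; return the two parts, domain lower-cased for endpoint lookup.
function splitUpn(upn) {
  const s = String(upn);
  const at = s.indexOf("@");
  if (at <= 0 || at === s.length - 1) {
    throw new Error("expected user@domain, got: " + s);
  }
  return { account: s.slice(0, at), domain: s.slice(at + 1).toLowerCase() };
}

// RFC 4515 escaping for values inside a filter: backslash, *, (, ) and NUL become \xx,
// so a form value like "a)(objectClass=*" cannot change the meaning of the search.
function ldapEscape(value) {
  return String(value).replace(/[\\*()\0]/g, function (ch) {
    return "\\" + ch.charCodeAt(0).toString(16).padStart(2, "0");
  });
}

// Known account name -> look up the user (then read its mail attribute)
function userByAccountFilter(account) {
  return "(&(objectClass=user)(sAMAccountName=" + ldapEscape(account) + "))";
}

// Known email -> look up the user (then read its sAMAccountName attribute)
function userByMailFilter(mail) {
  return "(&(objectClass=user)(mail=" + ldapEscape(mail) + "))";
}

// Everything a search needs from one form value: which domain to search and the filter
function prepareUserSearch(upn) {
  const parts = splitUpn(upn);
  return { domain: parts.domain, filter: userByAccountFilter(parts.account) };
}
```

With the plugin's searchExactMatch the escaping is handled for you; with ldapClient it is your responsibility, which is the "bit more complicated" part of that route.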

Running Ansible Tower Job with REST API

In vRealize Automation 8.x we have out-of-the-box integration for Ansible and Ansible Tower built directly into the Cloud Templates designer. Still, there is a way to run this integration as part of an EBS subscription. This way you will be able to detect any single job failure and decide whether you want to proceed with the deployment or scrap it. The ability to run Ansible Tower jobs with a REST call is also beneficial if you want to design a day-2 operation on a VM around existing Ansible automation.

So how can we achieve this goal? Let's start with the Ansible configuration. You will need an access token for Ansible Tower. Go to your Ansible Tower instance, click your user settings, then "Tokens" and the small plus sign on the right.

Ansible Token Creation 1

Automatic disk resizing in vRA8 during deployment

In this post I described how to build a blueprint with multiple disk devices for an MS Windows deployment. Now my Linux colleagues want a single disk with multiple LVM volume groups on it, based on the same disk form input as for the Windows deployment, of course.

The plan is to create one disk with a size equal to the sum of all disks defined by the user in the input form. Later we will create the volume group structure on this disk and mount it to user-defined mount points.

So let's start again with the input definition (this is basically ^C^V from the previous post):


vRO Date manipulation library

This is a basic date manipulation library for vRO. DateJs is a JavaScript Date library for parsing and processing dates. It allows many operations and calculations, like comparing dates, adding time spans to a given date, or getting the N-th day of the week in a given month.

If you need to calculate the date of the first Wednesday in October in two years, I hope it will help you a bit.

Below you will find examples of how to initialize the library in vRO and what you can do with it:

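As an added example (not the DateJs library and not code from the original post), here is the "N-th day of the week in a given month" calculation in plain JavaScript, using only the built-in Date object in UTC so time zones cannot shift the result. It covers the case the post mentions (the first Wednesday in October, two years ahead) and also handles the last occurrence and the case where a month has no fifth occurrence of a weekday.

```javascript
// Added example, not from the original post and not DateJs: n-th weekday of a month.
// month is 1..12, weekday is 0 (Sunday) .. 6 (Saturday), n is 1-based; n = -1 means the
// last occurrence, -2 the one before it, and so on. Dates are handled in UTC throughout.
function nthWeekdayOfMonth(year, month, weekday, n) {
  if (month < 1 || month > 12 || weekday < 0 || weekday > 6 || n === 0) {
    throw new RangeError("bad argument");
  }
  if (n > 0) {
    const first = new Date(Date.UTC(year, month - 1, 1));
    // days from the 1st to the first wanted weekday, then whole weeks for n-1 more
    const offset = (weekday - first.getUTCDay() + 7) % 7;
    const day = 1 + offset + (n - 1) * 7;
    const d = new Date(Date.UTC(year, month - 1, day));
    if (d.getUTCMonth() !== month - 1) {
      throw new RangeError("month has no occurrence " + n + " of weekday " + weekday);
    }
    return d;
  }
  // negative n: walk back from the last day of the month (day 0 of the next month)
  const last = new Date(Date.UTC(year, month, 0));
  const back = (last.getUTCDay() - weekday + 7) % 7;
  const day = last.getUTCDate() - back - (-n - 1) * 7;
  if (day < 1) {
    throw new RangeError("month has no occurrence " + n + " of weekday " + weekday);
  }
  return new Date(Date.UTC(year, month - 1, day));
}

// YYYY-MM-DD for readability and comparison
function isoDate(d) {
  return d.toISOString().slice(0, 10);
}

// The post's example: first Wednesday in October, two years after baseYear
function firstWednesdayOctober(baseYear) {
  return isoDate(nthWeekdayOfMonth(baseYear + 2, 10, 3, 1));
}
```

For example, `firstWednesdayOctober(2023)` returns `2025-10-01`, and asking for a fifth Wednesday in October 2026 (which has only four) throws a RangeError instead of silently returning a date in November.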

vRealize Automation 8 Rest API How To

In this blog post we will create a set of actions which will allow us to run any vRA8 REST call. The vRealize Automation 8 Swagger documentation can be found under the URL:

https://<vra-server-hostname>/automation-ui/api-docs/

You can find all vRA services here. In this example we will run a request to get all vRA deployments from the Deployment service:

Deployment Service

[Quick Hint] Input parameters in vRealize Orchestrator 8 payload

Input parameters are available in the vRO8 payload only in very early stages of deployment. For example, you can easily get them in the Deployment requested stage as part of the vRO8 payload in the inputProperties variable.

Payload for Deploy requested Stage

But what if you want to have access to your input data later in the deployment process? You can of course make a REST call to vRA, get the deployment data, and in the deployment JSON you will find all the inputs. But REST calls also cost time, and if you do a lot of them, this adds up to your VM deployment time.

Deployment JSON data