One very interesting capability that I noticed while reading the latest VMware Cloud Foundation (VCF) 5.2 release notes is a new set of VCF APIs for auditing PCI compliance.
VCF users can now use these APIs to audit their VCF configuration for compliance with 9 relevant PCI-DSS controls.
In addition to exploring these new VCF APIs, I thought this would also be a good opportunity to contribute to the popular PowerShell Module for VMware Cloud Foundation which is also the basis for several other useful VCF modules for automation:
- PowerShell Module for VMware Cloud Foundation Reporting
- PowerShell Module for VMware Cloud Foundation Certificate Management
- PowerShell Module for VMware Cloud Foundation Password Management
- PowerShell Module for VMware Cloud Foundation Power Management
To demonstrate the new VCF Compliance Audit APIs, I created the following new functions and submitted pull request (PR) 291 to incorporate them into a future release of the PowerShell Module for VMware Cloud Foundation, which I hope will be merged by the time this blog post is live!
- Get-VCFComplianceStandard
- Get-VCFComplianceConfiguration
- New-VCFCompliance
- Get-VCFComplianceTask
- Get-VCFCompliance
- Get-VCFComplianceHistory
After importing the PowerShell Module for VMware Cloud Foundation, you will need to connect to SDDC Manager by using the following command:
Request-VCFToken -fqdn $sddcManagerFQDN -username $sddcManagerUsername -password $sddcManagerPassword
Using the Get-VCFComplianceStandard function, we can retrieve the list of available compliance audit standards and the Get-VCFComplianceConfiguration function will return the specific audit configurations for the supported VCF resources.
To run a new compliance audit, you will use the New-VCFCompliance function. Today the supported compliance standard and version is PCI 4.0 and the supported resource type is SDDC Manager, so you specify these values along with the name of either your Management or Workload Domain, as in the following command:
New-VCFCompliance -ResourceType "SDDC_MANAGER" -StandardType "PCI" -StandardVersion "4.0" -WorkloadDomainName "vcf-m01"
The output of the command is the compliance audit task. You can check its progress with the Get-VCFComplianceTask function by providing the task ID along with the name of the Management or Workload Domain, as shown in the example below:
Get-VCFComplianceTask -WorkloadDomainName "vcf-m01" -ComplianceTaskId "f57f0c2a-5ab5-4e79-9034-d0bed61acf41"
Once the compliance audit has finished, you will get back a compliance audit ID, and using the Get-VCFCompliance function you can view the results of the audit:
Get-VCFCompliance -ComplianceAuditId "4c5aa3dc-3c2f-460b-ad1a-3a8f2a1a534a"
For more information about a specific audit configuration, refer back to the Get-VCFComplianceConfiguration function.
Lastly, you can also retrieve the history of all compliance audits using the Get-VCFComplianceHistory function, which also includes the compliance audit ID in case you want to view a specific audit that previously completed:
Get-VCFComplianceHistory
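Putting the steps above together, here is an added end-to-end script that is not part of the original post or of the PowerShell Module for VMware Cloud Foundation itself. It connects to SDDC Manager, starts a PCI 4.0 audit, polls the task until it finishes, saves the raw results as evidence, and walks the result object to list every entry that is not COMPLIANT, exiting non-zero when findings exist so it can run from a scheduler or pipeline. The module name PowerVCF, the VCF_PASSWORD environment variable, the FQDN and username, the task property names (id, status, complianceAuditId), the terminal status values (SUCCESSFUL/FAILED), and the per-control status field name are all assumptions to adjust for your environment; the post only confirms the function names and parameters used here.

```powershell
# Added example, not code from the original post or from the PowerShell Module for VMware Cloud Foundation.
# Runs a VCF 5.2 PCI 4.0 compliance audit end to end and keeps the raw output as audit evidence.
# ASSUMED (adjust after checking `... | Get-Member` against your SDDC Manager):
#   task object properties 'id' and 'status', finished task property 'complianceAuditId',
#   terminal task statuses SUCCESSFUL/FAILED, and a per-control 'status' field in the audit result.
param(
    [string]$SddcManagerFqdn     = "sddc-manager.vcf.example.com",    # assumed value
    [string]$SddcManagerUsername = "administrator@vsphere.local",     # assumed value
    [string]$WorkloadDomainName  = "vcf-m01",
    [string]$EvidenceDir         = (Join-Path $PWD "vcf-pci-evidence"),
    [int]$TimeoutMinutes         = 30,
    [string]$TaskIdProperty      = "id",                 # assumed property name
    [string]$TaskStatusProperty  = "status",             # assumed property name
    [string]$AuditIdProperty     = "complianceAuditId",  # assumed property name
    [string]$ControlStatusProperty = "status"            # assumed per-control field name
)

function Find-NonCompliantEntry {
    # Depth-first walk over the deserialized audit result. Because the exact schema of the
    # result is not documented in the post, this reports every object that carries the
    # (assumed) status field with a value other than COMPLIANT, together with its JSON path.
    param($Node, [string]$Path = '$')
    if ($null -eq $Node) { return }
    if ($Node -is [System.Collections.IEnumerable] -and $Node -isnot [string]) {
        $i = 0
        foreach ($item in $Node) { Find-NonCompliantEntry -Node $item -Path "$Path[$i]"; $i++ }
        return
    }
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        $props = $Node.PSObject.Properties
        $statusProp = $props[$ControlStatusProperty]
        if ($statusProp -and ([string]$statusProp.Value) -ne 'COMPLIANT') {
            [pscustomobject]@{ Path = $Path; Status = $statusProp.Value; Entry = ($Node | ConvertTo-Json -Compress -Depth 5) }
        }
        foreach ($p in $props) { Find-NonCompliantEntry -Node $p.Value -Path "$Path.$($p.Name)" }
    }
}

# Credentials come from the environment (assumed variable name) so they never land in the script or history.
$password = $env:VCF_PASSWORD
if ([string]::IsNullOrEmpty($password)) { throw "Set VCF_PASSWORD in the environment; do not hardcode SDDC Manager credentials." }

Import-Module PowerVCF -ErrorAction Stop   # PowerShell Module for VMware Cloud Foundation
New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null
Request-VCFToken -fqdn $SddcManagerFqdn -username $SddcManagerUsername -password $password | Out-Null

# Record what the platform offers and how it audits, so the evidence bundle is self-describing.
Get-VCFComplianceStandard      | ConvertTo-Json -Depth 10 | Set-Content (Join-Path $EvidenceDir "standards.json")
Get-VCFComplianceConfiguration | ConvertTo-Json -Depth 10 | Set-Content (Join-Path $EvidenceDir "configurations.json")

# Start the audit and poll its task until it reaches a terminal state or the timeout expires.
$task   = New-VCFCompliance -ResourceType "SDDC_MANAGER" -StandardType "PCI" -StandardVersion "4.0" -WorkloadDomainName $WorkloadDomainName
$taskId = [string]$task.$TaskIdProperty
if (-not $taskId) { throw "New-VCFCompliance did not return a task with property '$TaskIdProperty'; inspect the object with Get-Member." }
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 15
    $task   = Get-VCFComplianceTask -WorkloadDomainName $WorkloadDomainName -ComplianceTaskId $taskId
    $status = [string]$task.$TaskStatusProperty
    Write-Host ("[{0}] task {1} status: {2}" -f (Get-Date -Format s), $taskId, $status)
    if ((Get-Date) -gt $deadline) { throw "Compliance audit task $taskId did not finish within $TimeoutMinutes minutes." }
} while ($status -notin @('SUCCESSFUL', 'FAILED'))   # assumed terminal values; -notin is case-insensitive
if ($status -eq 'FAILED') { throw "Compliance audit task $taskId failed; see Get-VCFComplianceTask output." }

# Fetch the results, keep the raw JSON, and surface anything that is not COMPLIANT.
$auditId = [string]$task.$AuditIdProperty
$result  = Get-VCFCompliance -ComplianceAuditId $auditId
$result | ConvertTo-Json -Depth 20 | Set-Content (Join-Path $EvidenceDir "audit-$auditId.json")
Get-VCFComplianceHistory | ConvertTo-Json -Depth 10 | Set-Content (Join-Path $EvidenceDir "history.json")

$findings = @(Find-NonCompliantEntry -Node $result)
$findings | Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir "findings-$auditId.csv")
if ($findings.Count -gt 0) {
    $findings | Format-Table Path, Status -AutoSize
    Write-Warning "$($findings.Count) non-compliant entries in audit $auditId; evidence in $EvidenceDir"
    exit 1
}
Write-Host "Audit $auditId: no non-compliant entries found; evidence in $EvidenceDir"
```

The recursive walk is deliberately schema-agnostic: the post shows the function calls but not the shape of the objects they return, so rather than guess the nesting of controls, the script flags any nested object whose status field is not COMPLIANT and prints the path to it, which also tells you the real field layout for tightening the filter later. The raw JSON files are what an assessor will want; the CSV is a convenience view of the same data.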