WilliamLam.com

Automating VCF Automation (VCFA) Configuration using VCFA Terraform Provider

by // Leave a Comment

I recently rebuilt my VMware Cloud Foundation (VCF) lab environment to run the latest VCF 9.0.1 release. While most of the deployment and configuration has been fully automated, I was dreading the VMware Cloud Foundation Automation (VCFA) setup, mainly as the initial configuration can be a bit involved.


Having some experience with configuring VCFA manually, I wanted to take the opportunity to automate as much of the setup as I could, so the next that I need to rebuild, it is not an issue for me, which is typically the case as I like to automate everything!

My automation approach was going to be leveraging the newly published Terraform Provider for VCFA, this was on my todo list but I finally got a chance to play with it over the weekend in my lab.

I was blown away at how the automation was at configuring VCFA, the same manual tasks could  easily 20min+ and using the TP4VCFA, it was done in under 30 seconds! 🤯

[Read more...]

VCF Automation Provider Organization as an OIDC Identity Provider for VCFA Tenant Organizations?

by // 4 Comments

VCF 9.0 Automation (VCF) contains two types of organizations, one for the Provider (also referred to System) and one for the tenants, which are just called Organizations. Both types of VCFA Organizations can be connected to an external Identity Provider (IdP) including OIDC, LDAP and SAML.

The VCFA Provider Organization can be configured to use the new VCF Single-Sign (SSO) feature, which is a capability of VCF Operations and utilizes a deployment of vIDB (Embedded or External) which is the identity broker to your desired external IdP like PingFederate or Okta as an example. While you can connect the VCFA Provider Organization directly to an external IdP, by using VCF SSO, administrators can now seamlessly login to all VCF management components, assuming you have been granted the appropriate permissions within each component.

For VCFA Tenant Organizations, where each organization could represent a completely different customer, such as in a service provider model, each individual VCFA organization can connect to their own independent external IdP, as represented in the diagram below.


For a typical Enterprise, you might only have a single IdP that you would use for both the Provider and Tenant Organizations. If you are using an OIDC IdP, you would need to create one OIDC Client for VCF SSO and then one additional OIDC Client for each organization that you would like to connect to the same OIDC IdP as shown below.


Instead of creating multiple OIDC Clients, could we just leverage the Provider Organization as the OIDC IdP for the VCF Tenant Organizations?

Note: Depending on your external IdP capabilities, you might need to have separate OIDC Clients for controlling multi-factor authentication (MFA) or customized login screen as I have demonstrated with using Keycloak as my external IdP.

[Read more...]