WilliamLam.com

Custom vCenter Server Role using vSphere Terraform Provider on VMware Cloud on AWS

06.05.2023 by William Lam // Leave a Comment

In a VMware Cloud on AWS (VMC-A) environment, a default CloudAdmin vCenter Server Role is provided to customers to manage and deploy workloads in vCenter Server. Typically, this vCenter Server Role is granted only to a limited number of Cloud Administrators within your organization, and as the end user you control who receives it.

VMware also supports customers in creating additional custom vCenter Server Roles that limit privileges for other uses such as auditing or workload provisioning. If you create a custom vCenter Server Role for VM provisioning and use one of the vSphere automation tools that VMware supports, such as PowerCLI or the popular vSphere Terraform Provider, you may come across the following error message during VM deployment:

System.Read privilege required for config.distributedVirtualSwitch


As the error message shows, the current user has no permission (not even Read-only) on the vSphere Distributed Switch (VDS) object, so the System.Read privilege is missing there. The automation client, in this case the vSphere Terraform Provider, needs to read the switch configuration in order to provision a VM.

Note: When using the default CloudAdmin role, VMware automatically applies the correct privileges to all applicable vSphere inventory objects, which is why you do not see this problem with an account that holds the default CloudAdmin role. For custom vCenter Server Roles created by customers, VMware cannot apply this automation because the intent of the custom role(s) is unknown to VMware.

We can quickly fix this issue by following the instructions below which will guide you in properly assigning the correct vSphere permissions to enable VM provisioning when using a non-CloudAdmin role.
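The error points at a missing permission on the VDS object rather than at a missing privilege in the custom role itself. As an added example (not code from the post or from VMware), here is how that grant can be expressed with the vSphere Terraform provider's vsphere_entity_permissions resource, applied while connected as a CloudAdmin. The datacenter name SDDC-Datacenter, the VDS name, the service-account principal and the variable names are assumptions for illustration; replace them with the values from your SDDC.

```hcl
terraform {
  required_providers {
    vsphere = {
      source = "hashicorp/vsphere"
    }
  }
}

# Assumption: run this as a CloudAdmin, which is allowed to manage permissions.
provider "vsphere" {
  vsphere_server       = var.vsphere_server
  user                 = var.cloudadmin_user
  password             = var.cloudadmin_password
  allow_unverified_ssl = false
}

variable "vsphere_server" { type = string }
variable "cloudadmin_user" { type = string }
variable "cloudadmin_password" {
  type      = string
  sensitive = true
}

# Assumed names: the VDS name and the custom-role principal are placeholders.
variable "vds_name" {
  type    = string
  default = "vmc-dvs"
}
variable "provisioning_principal" {
  type    = string
  default = "vmc.local\\terraform-provisioner"
}

# VMC on AWS SDDCs expose a single datacenter named SDDC-Datacenter.
data "vsphere_datacenter" "dc" {
  name = "SDDC-Datacenter"
}

data "vsphere_distributed_virtual_switch" "vds" {
  name          = var.vds_name
  datacenter_id = data.vsphere_datacenter.dc.id
}

# Built-in Read-only role: System.Anonymous, System.View and System.Read only.
data "vsphere_role" "read_only" {
  label = "Read-only"
}

# Grant the custom-role principal Read-only directly on the VDS object.
# propagate = false keeps the grant scoped to the switch itself, which is
# the narrowest grant that satisfies the System.Read check in the error.
resource "vsphere_entity_permissions" "vds_read_only" {
  entity_id   = data.vsphere_distributed_virtual_switch.vds.id
  entity_type = "VmwareDistributedVirtualSwitch" # managed object type of a VDS

  permissions {
    user_or_group = var.provisioning_principal
    propagate     = false
    is_group      = false
    role_id       = data.vsphere_role.read_only.id
  }
}
```

Two caveats before applying this. First, vsphere_entity_permissions declares the complete set of permissions defined directly on that entity, so any other direct grants that already exist on the VDS must be listed in the same resource or they will be dropped; check the permissions tab on the switch first. Second, if the provider then reports a missing privilege on the distributed port group the VM attaches to, either set propagate = true or add a separate, equally narrow grant on that port group; the custom role itself does not need to change.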

[Read more...]

Categories // Automation, VMware Cloud on AWS Tags // role, Terraform, VMware Cloud on AWS

Using Terraform to activate Tanzu Kubernetes Grid Service on VMware Cloud on AWS

04.27.2022 by William Lam // 1 Comment

It has been a while since I have played with Terraform, and I was recently investigating whether I could use Terraform to automate the activation of the Tanzu Kubernetes Grid (TKG) Service on a VMware Cloud on AWS SDDC, which is part of VMware's new managed Kubernetes offering called VMware Cloud with Tanzu services. Although there is an existing VMware Cloud on AWS (VMC-A) Terraform provider, it currently does not support configuring or managing the TKG Service.

Today, customers can automate VMware Cloud with Tanzu services with a simple REST API, and with that in mind I was curious whether calling a REST API from Terraform was even a thing. While searching online, I found not only that directly calling a REST API from Terraform is a thing, but that there are several Terraform providers that enable this capability. The most popular is Mastercard's Restapi Terraform provider, which was also updated just a couple of weeks ago.

I ended up learning a ton more about Terraform through this exercise, and the final solution has been contributed to Ryan Johnson's amazing VMware Terraform Examples repo. I also have to give a huge shoutout to Ryan, who I consider one of the experts in the community for all things VMware and Terraform! I was able to bounce some ideas off him and learn a few new tricks in one of our recent conversations.

[Read more...]

Categories // VMware Cloud on AWS, VMware Tanzu Tags // Tanzu services, Terraform, VMware Cloud on AWS

Using Terraform to deploy a Tanzu Kubernetes Grid (TKG) Cluster in vSphere with Tanzu 

11.10.2020 by William Lam // 4 Comments

A few months back I saw that HashiCorp had released a new Kubernetes (K8s) provider for Terraform, currently in Alpha state, which enables users to deploy K8s resources using the popular Infrastructure-as-Code (IaC) tool. I thought this would be pretty cool if it worked with our vSphere with Tanzu solution, since the Tanzu Kubernetes Grid (TKG) Service uses Cluster API via a custom VM Operator to deploy TKG Guest Clusters, which is just a fancy way of saying it uses the K8s API to deploy more K8s 🙂

UPDATE (04/27/21) - vSphere 7.0 Update 2a has resolved the admission webhook issue and users can now deploy TKG Guest Cluster using K8s Provider for Terraform

Setting up the new K8s provider was pretty straightforward, and after spending a few minutes figuring out how to convert my existing TKG YAML into the HCL format Terraform expects, I was able to run a terraform "plan" but quickly ran into the following error:

failed: admission webhook "default.mutating.tanzukubernetescluster.run.tanzu.vmware.com" does not support dry run

It looks like our tanzukubernetescluster admission webhook does not currently support dry-run operations, which the Terraform K8s provider relies on at plan time to validate a manifest server-side before anything is created. I figured this was the end of that idea and ended up filing a feature enhancement internally to add this support in the future, as I can see it being quite useful for our customers.
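As an added illustration of the YAML-to-HCL conversion mentioned above (my example, not the post's code), the TanzuKubernetesCluster definition below is written as a kubernetes_manifest resource. It targets the current hashicorp/kubernetes provider, into which the alpha provider has since been merged; the kubeconfig context, vSphere Namespace, VM class, storage policy and distribution version are placeholders and must match what your Supervisor Cluster actually offers.

```hcl
terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
    }
  }
}

# Assumption: a kubeconfig context for the Supervisor Cluster, created with
# "kubectl vsphere login", that is scoped to the vSphere Namespace used below.
provider "kubernetes" {
  config_path    = "~/.kube/config"
  config_context = var.supervisor_context
}

variable "supervisor_context" {
  type = string
}

# Placeholder values for illustration only.
variable "namespace" {
  type    = string
  default = "primp-industries"
}

variable "storage_class" {
  type    = string
  default = "pacific-gold-storage-policy"
}

# The TKG YAML expressed as HCL: every YAML mapping becomes an HCL object,
# keys keep their camelCase spelling, and counts stay numbers rather than strings.
resource "kubernetes_manifest" "tkc" {
  manifest = {
    apiVersion = "run.tanzu.vmware.com/v1alpha1"
    kind       = "TanzuKubernetesCluster"
    metadata = {
      name      = "tkg-cluster-1"
      namespace = var.namespace
    }
    spec = {
      distribution = {
        version = "v1.18"
      }
      topology = {
        controlPlane = {
          count        = 1
          class        = "best-effort-xsmall"
          storageClass = var.storage_class
        }
        workers = {
          count        = 3
          class        = "best-effort-xsmall"
          storageClass = var.storage_class
        }
      }
    }
  }
}
```

If you would rather keep the original YAML file as the source of truth, the manifest argument can also be fed with yamldecode(file("${path.module}/tkc.yaml")) instead of the inline object. Either way, kubernetes_manifest needs the Supervisor Cluster reachable during terraform plan, since it fetches the CRD schema and performs a server-side dry run there; on builds before vSphere 7.0 Update 2a that dry run is exactly what the webhook rejects with the error quoted above.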

After finishing up a recent pet project of getting a fully functional vSphere with Tanzu running on a homelab budget with just 32GB of memory, I decided to take another look at this and discovered that the required tweak to get this working was super trivial, literally a single line change.

Disclaimer: This is not officially supported by VMware, use at your own risk.

[Read more...]

Categories // Automation, Kubernetes, VMware Tanzu, vSphere 7.0 Tags // Kubernetes, Tanzu Kubernetes Grid, Terraform, vSphere Kubernetes Service



Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.




Copyright WilliamLam.com © 2025
