The Google Cloud Platform (GCP) Plug-in for VMware vRealize Orchestrator lets you provision and manage GCP resources using vRealize Orchestrator and VMware vRealize Automation, including Compute Engine instances, GKE clusters, Cloud Spanner and Cloud SQL instances, and Cloud Storage buckets.
The GCP Plug-in for vRealize provides a consistent management and governance experience across on-premises and GCP-based IT environments. For example, you can use Google-provided blueprints or build your own blueprints for Compute Engine resources and publish to the vRealize service catalog. This means that you can select and launch resources predictably using a tool you're already familiar with when you orchestrate VMs in your on-premises VMware environment.
You need a Google Billing account to complete the instructions in this guide. If you don't have an account, see Create, Modify, or Close Your Billing Account. New GCP users might be eligible for a free trial.
This guide assumes that you have a working knowledge of the following:
- Google Cloud Platform (GCP), especially the concepts in Google Cloud Platform for Data Center Professionals
- VMware vRealize Orchestrator
- VMware vRealize Automation
Supported GCP products
The plug-in supports the following GCP resources:
- Cloud Filestore (beta)
- Cloud KMS
- Cloud Pub/Sub
- Cloud Spanner
- Cloud SQL
- Cloud Storage
- Compute Engine
- Cloud IAM service accounts and keys
- Google Kubernetes Engine clusters
- Virtual Private Cloud networks and firewall rules
- Turnkey VM-based application servers:
- MS SQLServer Enterprise
- HA load-balanced Compute Engine VM cluster
Setting up the GCP plug-in for vRealize
This section explains how to install and configure the plug-in.
Set up your GCP environment
Sign in to your Google Account.
If you don't already have one, sign up for a new account.
Select or create a Google Cloud Platform project.
Make sure that billing is enabled for your Google Cloud Platform project.
- Enable the Compute Engine API.
Download the plug-in
On a computer where you have access to the vRealize Orchestrator Control Center, download the latest version of the GCP plug-in for vRealize from the following location:
Create and download service account JSON
In order to have the GCP plug-in for vRealize interact with your GCP resources, the plug-in needs to have a service account credential that is used to authenticate API calls to GCP.
In the GCP Console, go to the select IAM & admin page
Select Service accounts and then click Create Service Account.
Give the service account a name and optionally provide a description.
Grant the following roles to the service account. (Use the filter box at the top to find these roles.)
- To enable the plug-in to create and manage Compute Engine instances, add the Compute Admin and Service Account User roles.
- To enable the plug-in to manage GKE clusters, add the Kubernetes Engine Admin role.
- To enable the plug-in to manage Cloud Pub/Sub topics and subscriptions, add the Pub/Sub Admin role.
To enable the plug-in to manage additional resource types, add the appropriate role. For more information, see Understanding Service Accounts.
Alternatively, to enable the plug-in to manage all GCP resource types, give the service account the Editor role on the project. However, it's a best practice to grant the fewest privileges that are necessary in order for the plug-in to manage your GCP resources.
When you've finished assigning roles, click Continue.
Click Create Key and select the JSON option.
Your browser downloads a new service account credential file in JSON format that contains the service account private key. Store this in a secure location, because you need it later to create the GCP connection in the plug-in.
Install the plug-in in vRealize Orchestrator
You can now configure the plug-in in vRealize Orchestrator.
In your browser, log in to the vRealize Orchestrator Control Center as an administrator. The URL is typically like the following:
Go to the Manage Plug-Ins page.
Browse for the plug-in file you downloaded and click Upload.
If you accept the EULA, click Install.
If you're prompted, click Save Changes.
Wait for vRealize Orchestrator to restart its services before you use the plug-in. The restart might take a few minutes. You'll know that vRealize Orchestrator has restarted when you see all green checkmarks in the Validate Configuration page.
Establish a GCP connection in vRealize Orchestrator
The final stage in the setup is to use the service account credential file you downloaded earlier to establish a connection in the vRealize Orchestrator. Doing this allows the plug-in to execute operations on behalf of any logged-in vRealize Orchestrator user.
- In the Workflows tab of vRealize Orchestrator, select Library > GCP > Configuration > Create GCP Connection.
- Provide a name for the connection.
Provide the key in either of these ways:
- Attach the service account credential file that you downloaded earlier
- Paste the credential in the Paste JSON-encoded Service Account field.
If your vRealize Orchestrator server needs to connect to a proxy server before reaching the public internet, check the Use proxy? option and provide your proxy server details:
When workflow completes, go to the Inventory tab in the vRealize Orchestrator client.
In the Google Cloud Platform tree entry, you see a new subtree with your connection name and project ID. Unless you already have GCP resources, most of the tree nodes are empty except for the ones available by default in a project. These include Compute Regions/Zones, the default network and firewall rules, and the service account that you created and used to establish the connection from vRealize Orchestrator.
You have now completed the configuration of the plug-in, and you can run any of the other workflows available in the GCP directory.
Working with GCP resources in vRealize Orchestrator and vRealize Automation
This section provides an overview of using workflows in the GCP plug-in for vRealize.
Authenticating and authorizing users
vRealize administrators and users authenticate to vRealize Orchestrator and vRealize Automation using vRealize role-based access management. vRealize roles are not mapped to Cloud IAM permissions. Instead, all vRealize user and administrator actions are performed using the same GCP service account that was used when creating the connection. The service account must have appropriate Cloud IAM permissions to allow vRealize users to provision resources in GCP, as described earlier.
You can create more than one connection, each one using different GCP projects and service accounts. This lets you isolate user and administrator actions by granting specific user groups access to a connection. You can specify a different connection for each workflow that's used to create a new resource, and each workflow that operates on an existing resource infers the connection from the project ID where the resource is located.
Running GCP workflows in vRealize Orchestrator
The workflows included in the GCP plug-in for vRealize Orchestrator allow your users to create many common GCP resources, including Compute Engine instances, GKE clusters, Virtual Private Cloud firewall rules, Cloud Storage buckets. In general, workflows for creating these resources can be accessed within the folder for the resource type (for example, Instances for Compute Engine instances).
As an example of how to run a GCP workflow, the following section describes how to build a Compute Engine instance.
Create a Compute Engine instance
In the vRealize Orchestrator folder, open GCP > Instances, and then click Create Instance.
Select a GCP connection. This provides the authorization credential to be able to interact with GCP APIs.
Use the fields to customize the configuration of the VM instance, such as specifying the region, zone, instance name, machine type, and so on. Required fields are marked with a red asterisk.
Click Next to move to additional pages that let you specify options like a startup script, tags, an external IP address, and an SSH key.
Optionally, examine the information in the Price estimate form. This page provides an estimated calculation of the monthly cost for running the VM. This is not intended to be an exact measure of your expected billing charges, but can provide a rough estimate to use for budgeting purposes.
When you've finished specifying options, click Submit.
In the Logs tab of the workflow execution page, you see diagnostic information that indicates the status of the create operation.
The workflow completes after a few seconds. You can then reload the VM instances node to view the new instance in the vRealize Orchestrator inventory tree.
To show attributes of the new instance, click it in the listing.
Optionally, in the GCP Console, go to the VM Instances page and find your new instance.
Execute a Day 2 workflow on an existing Compute Engine instance
In VMware documentation, Day 2 operations are those that you perform after initial provisioning. This section describes how to execute an operational workflow on a GCP resource.
As an example, the following procedure shows how to run a workflow on an existing Compute Engine instance.
In vRealize Orchestrator, right-click the resource and select Run workflow.
Click on the workflow to execute, and then click Select.
The VM instance is populated in the form field.
Run the workflow to perform the action. (In this case, to reset the instance.)
A dialog appears and remains on the screen until the workflow completes. You may optionally choose to send the workflow to the background if you want to perform other tasks while it runs.
Optionally, go to the GCP Console and note the effect of running the workflow.
Using vRealize Automation with GCP
The GCP plug-in for vRealize Orchestrator enables vRealize Automation administrators to create blueprints of GCP resources and publish them to the vRealize Automation catalog. End users can request and deploy blueprints.
For more information, see Designing and Publishing Blueprints in the VMware documentation.
Creating XaaS blueprints in vRealize Automation from vRealize Orchestrator
This section describes the procedure for using workflows provided by vRealize Orchestrator and by the GCP plug-in for vRealize Orchestrator to import the XaaS resource types and blueprints that you intend to use inside of vRealize Automation.
Add a vRealize Automation host
- In vRealize Orchestrator, go to the Workflows tab and then open vRealize Automation > Configuration.
Run the Add a vRA Host workflow.
Provide the information for your vRealize Automation host. Be sure to use a user account that has IaaS administrative roles assigned to it.
Import XaaS custom resources
- In vRealize Orchestrator, go to the Workflows tab and then open GCP > vRA Blueprints.
Run the Import XaaS Custom Resources workflow.
Choose your vRealize Automation host and select the GCP resource types that you want to have available in vRealize Automation. For example, if you want to manage Cloud Storage resources in vRealize Automation, select
GCP:StorageObject. By default, all GCP types available in the plug-in are selected.
Submit the workflow.
When it completes, you see the imported custom resources in the Design > XaaS > Custom Resources section of vRealize Automation.
Import XaaS service blueprints
- In vRealize Orchestrator, go to the Workflows tab and open GCP > vRA Blueprints.
Run the Import XaaS Services Blueprints workflow.
Choose your vRealize Automation Host and select the workflows that create instances of the custom resource types that you imported in the previously. For example, the BigQuery > Create Dataset workflow is available because it is used to create a
You can select as many workflows as you want based on the custom resource types known to your vRealize Automation Host. The service name field is used to define the name of the vRealize Automation service catalog.
Submit the workflow.
When it completes, you see all of the imported blueprints under the Design > XaaS > XaaS Blueprints section in vRealize Orchestrator.
To verify the workflows, in vRealize Orchestator, go to Administration > Catalog Management > Catalog Items.
You see that the new GCP service has been added and that each of the XaaS blueprints has been added as a catalog item within the new service.
Create an entitlement for GCP service catalog items
To allow users to create and manage GCP resources, you create an entitlement that specifies the GCP service, along with the catalog items and actions that will be available.
For details, see Entitlements in the VMware documentation.
After the entitlement is created and made active, users that are a part of the assigned business group see the GCP catalog items as options.
Create actions for custom resources
Day 2 operations on custom resources need to be created as actions.
- In vRealize Orchestrator, go to the Workflows tab and then open GCP > vRA Blueprints.
Run the Create Actions for Custom Resource workflow.
Choose your vRealize Automation host and then type the name of the custom resource type you want to create actions for.
Submit the workflow.
When it completes, you see the actions as published resource actions in the Design > XaaS > Resource Actions section of vRealize Automation.
Optionally, enable the actions in the entitlement established for your users. This makes sure that they appear on created resources managed by vRealize Automation.
Manually creating XaaS blueprints in vRealize Automation
The procedures in this section describe the manual steps for configuring vRealize Automation to allow your users to run workflows from the GCP Plug-in for VMware vRealize Orchestrator in a vRealize Automation service catalog. This guide assumes you have XaaS Administrator privileges and are familiar with the instructions described in Creating XaaS Blueprints and Actions in the VMWare documentation.
For a more efficient means of building vRealize Automation XaaS artifacts, we recommend following the steps in the Creating XaaS Blueprints in vRealize Automation from vRealize Orchestrator section above.
Create a multi-resource blueprint
You can use the vRealize Automation blueprint designer to build reusable templates that consist of multiple XaaS blueprint components.
For example, you can create a blueprint that creates a Compute Engine instance that's running Microsoft SQL Server and that has the associated network and firewall rules. You can use the blueprint designer interface to add GCP resources and create custom blueprints.
Updates and release notes
To get the latest version of the GCP plug-in for vRealize, download it from the following Cloud Storage bucket:
If you are running an older version of the plug-in, you will receive a warning message when you run workflows indicating that a newer version is available.
You can use vRealize Orchestrator to download the latest version of the plug-in.
In the GCP Console, make sure the Cloud Storage JSON API is enabled.
In vRealize Orchestrator, go to the GCP > Configuration folder.
Run the Download Latest Plugin workflow and provide your GCP connection.
Running the workflow downloads the plug-in's
.darfile to a temporary folder.
Follow the steps in this VMware KB article 2151653 to copy the plug-in's file to the appropriate location on the vRealize Orchestrator server. Use
cpin place of
rmin Step 4 to move the downloaded
.darfile to the
Release notes are maintained at https://storage.googleapis.com/cpe-ti-vmware/RELEASE_NOTES.txt.
To report product defects, send an email to firstname.lastname@example.org.