GCP plug-in for VMware vRealize

Introduction

The Google Cloud Platform (GCP) Plug-in for VMware vRealize Orchestrator lets you provision and manage GCP resources using vRealize Orchestrator and VMware vRealize Automation, including Compute Engine instances, GKE clusters, Cloud Spanner and Cloud SQL instances, and Cloud Storage buckets.

Benefits

The GCP Plug-in for vRealize provides a consistent management and governance experience across on-premises and GCP-based IT environments. For example, you can use Google-provided blueprints or build your own blueprints for Compute Engine resources and publish to the vRealize service catalog. This means that you can select and launch resources predictably using a tool you're already familiar with when you orchestrate VMs in your on-premises VMware environment.

Prerequisites

You need a Google Billing account to complete the instructions in this guide. If you don't have an account, see Create, Modify, or Close Your Billing Account. New GCP users might be eligible for a free trial.

This guide assumes that you have a working knowledge of the following:

Supported GCP products

The plug-in supports the following GCP resources:

  • BigQuery
  • Cloud Filestore (beta)
  • Cloud KMS
  • Cloud Pub/Sub
  • Cloud Spanner
  • Cloud SQL
  • Cloud Storage
  • Compute Engine
  • Cloud IAM service accounts and keys
  • Google Kubernetes Engine clusters
  • Virtual Private Cloud networks and firewall rules
  • Turnkey VM-based application servers:
    • ASP.NET
    • MS SQLServer Enterprise
    • WordPress
    • LAMP
    • HA load-balanced Compute Engine VM cluster

Setting up the GCP plug-in for vRealize

This section explains how to install and configure the plug-in.

Set up your GCP environment

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. Select or create a Google Cloud Platform project.

    Go to the Manage resources page

  3. Make sure that billing is enabled for your Google Cloud Platform project.

    Learn how to enable billing

  4. Enable the Compute Engine API.

    Enable the API

Download the plug-in

Create and download service account JSON

In order to have the GCP plug-in for vRealize interact with your GCP resources, the plug-in needs to have a service account credential that is used to authenticate API calls to GCP.

  1. In the GCP Console, go to the IAM & admin page.

    Go to the IAM & admin page

  2. Select Service accounts and then click Create Service Account.

  3. Give the service account a name and optionally provide a description.

  4. Click Create.

  5. Grant the following roles to the service account. (Use the filter box at the top to find these roles.)

    • To enable the plug-in to create and manage Compute Engine instances, add the Compute Admin and Service Account User roles.
    • To enable the plug-in to manage GKE clusters, add the Kubernetes Engine Admin role.
    • To enable the plug-in to manage Cloud Pub/Sub topics and subscriptions, add the Pub/Sub Admin role.

    To enable the plug-in to manage additional resource types, add the appropriate role. For more information, see Understanding Service Accounts.

  6. Alternatively, to enable the plug-in to manage all GCP resource types, give the service account the Editor role on the project. However, it's a best practice to grant the fewest privileges that are necessary in order for the plug-in to manage your GCP resources.

  7. When you've finished assigning roles, click Continue.

  8. Click Create Key and select the JSON option.

Your browser downloads a new service account credential file in JSON format that contains the service account private key. Store this in a secure location, because you need it later to create the GCP connection in the plug-in.

Install the plug-in in vRealize Orchestrator

You can now configure the plug-in in vRealize Orchestrator.

  1. In your browser, log in to the vRealize Orchestrator Control Center as an administrator. The URL is typically like the following:

    https://hostname:8283/vco-controlcenter

  2. Go to the Manage Plug-Ins page.

  3. Browse for the plug-in file you downloaded and click Upload.

  4. If you accept the EULA, click Install.

  5. If you're prompted, click Save Changes.

    Wait for vRealize Orchestrator to restart its services before you use the plug-in. The restart might take a few minutes. You'll know that vRealize Orchestrator has restarted when you see all green checkmarks in the Validate Configuration page.

    vRealize Orchestrator Validate Configuration page, showing success for all the validation tasks

Establish a GCP connection in vRealize Orchestrator

The final stage in the setup is to use the service account credential file you downloaded earlier to establish a connection in vRealize Orchestrator. Doing this allows the plug-in to execute operations on behalf of any logged-in vRealize Orchestrator user.

  1. In the Workflows tab of vRealize Orchestrator, select Library > GCP > Configuration > Create GCP Connection.
  2. Provide a name for the connection.
  3. Provide the key in either of these ways:

    • Attach the service account credential file that you downloaded earlier.
    • Paste the credential in the Paste JSON-encoded Service Account field.

    Create GCP Connection page, showing a .json file for upload

  4. If your vRealize Orchestrator server needs to connect to a proxy server before reaching the public internet, check the Use proxy? option and provide your proxy server details:

    Page showing the option to use a proxy enabled, the proxy port (2832), Basic authentication selected, and a username and masked password

  5. When the workflow completes, go to the Inventory tab in the vRealize Orchestrator client.

    In the Google Cloud Platform tree entry, you see a new subtree with your connection name and project ID. Unless you already have GCP resources, most of the tree nodes are empty except for the ones available by default in a project. These include Compute Regions/Zones, the default network and firewall rules, and the service account that you created and used to establish the connection from vRealize Orchestrator.

    vRealize Orchestrator image client, showing the Inventory tab with "VM Instances" selected

You have now completed the configuration of the plug-in, and you can run any of the other workflows available in the GCP directory.

Working with GCP resources in vRealize Orchestrator and vRealize Automation

This section provides an overview of using workflows in the GCP plug-in for vRealize.

Authenticating and authorizing users

vRealize administrators and users authenticate to vRealize Orchestrator and vRealize Automation using vRealize role-based access management. vRealize roles are not mapped to Cloud IAM permissions. Instead, all vRealize user and administrator actions are performed using the same GCP service account that was used when creating the connection. The service account must have appropriate Cloud IAM permissions to allow vRealize users to provision resources in GCP, as described earlier.

You can create more than one connection, each one using different GCP projects and service accounts. This lets you isolate user and administrator actions by granting specific user groups access to a connection. You can specify a different connection for each workflow that's used to create a new resource, and each workflow that operates on an existing resource infers the connection from the project ID where the resource is located.
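Because every vRealize user of a connection acts with that connection's service account, the roles bound to the account define what those users can do in GCP. The following Python sketch, an added example that is not part of the plug-in, audits each connection's service account against the roles named in the setup steps, using a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The connection names, service account emails and policies are constructed sample data, and treating `roles/owner` as broad is an addition to the page's mention of Editor.

```python
# Role IDs for the roles the setup steps name, grouped by what the plug-in manages.
ROLES_BY_CAPABILITY = {
    "compute": {"roles/compute.admin", "roles/iam.serviceAccountUser"},
    "gke": {"roles/container.admin"},
    "pubsub": {"roles/pubsub.admin"},
}
# Project-wide roles. Editor is the page's alternative; Owner is added here (assumption).
BROAD_ROLES = {"roles/editor", "roles/owner"}


def granted_roles(policy, member):
    """Collect every role that a project IAM policy binds to the given member."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_connection(policy, sa_email, capabilities):
    """Compare a connection's service account roles with what its workflows need."""
    granted = granted_roles(policy, f"serviceAccount:{sa_email}")
    expected = set().union(*(ROLES_BY_CAPABILITY[c] for c in capabilities))
    return {
        "broad": sorted(granted & BROAD_ROLES),                 # replace with narrow roles
        "unexpected": sorted(granted - expected - BROAD_ROLES),  # granted but not needed
        "missing": sorted(expected - granted),                  # narrow roles still to grant
    }


def audit_all(connections):
    """Audit every connection; returns {connection name: report}."""
    return {name: audit_connection(c["policy"], c["sa"], c["capabilities"])
            for name, c in connections.items()}


# Constructed sample data: two connections, each with its own project and service account.
DEV_SA = "vro-dev@example-dev.iam.gserviceaccount.com"
PROD_SA = "vro-prod@example-prod.iam.gserviceaccount.com"
CONNECTIONS = {
    "dev": {"sa": DEV_SA, "capabilities": ["compute"], "policy": {"bindings": [
        {"role": "roles/editor",
         "members": [f"serviceAccount:{DEV_SA}", "user:admin@example.com"]},
    ]}},
    "prod": {"sa": PROD_SA, "capabilities": ["compute", "gke"], "policy": {"bindings": [
        {"role": "roles/compute.admin", "members": [f"serviceAccount:{PROD_SA}"]},
        {"role": "roles/iam.serviceAccountUser", "members": [f"serviceAccount:{PROD_SA}"]},
        {"role": "roles/pubsub.admin", "members": [f"serviceAccount:{PROD_SA}"]},
    ]}},
}

if __name__ == "__main__":
    for name, report in audit_all(CONNECTIONS).items():
        print(name, report)
```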

Running GCP workflows in vRealize Orchestrator

The workflows included in the GCP plug-in for vRealize Orchestrator allow your users to create many common GCP resources, including Compute Engine instances, GKE clusters, Virtual Private Cloud firewall rules, and Cloud Storage buckets. In general, workflows for creating these resources can be accessed within the folder for the resource type (for example, Instances for Compute Engine instances).

As an example of how to run a GCP workflow, the following section describes how to build a Compute Engine instance.

Create a Compute Engine instance

  1. In the vRealize Orchestrator folder, open GCP > Instances, and then click Create Instance.

    vRealize Orchestrator folder, with "Instances" > "Create Instance" selected

  2. Select a GCP connection. This provides the authorization credential to be able to interact with GCP APIs.

    "Select GCP Connection" dialog in the "Create Network" step of starting a workflow

  3. Use the fields to customize the configuration of the VM instance, such as specifying the region, zone, instance name, machine type, and so on. Required fields are marked with a red asterisk.

    Specifying GCP VM instance options, like name, machine type, and OS

  4. Click Next to move to additional pages that let you specify options like a startup script, tags, an external IP address, and an SSH key.

    Specifying GCP VM instance options, like startup script

  5. Optionally, examine the information in the Price estimate form. This page provides an estimated calculation of the monthly cost for running the VM. This is not intended to be an exact measure of your expected billing charges, but can provide a rough estimate to use for budgeting purposes.

    Price estimator showing a monthly cost of $24.67

  6. When you've finished specifying options, click Submit.

    In the Logs tab of the workflow execution page, you see diagnostic information that indicates the status of the create operation.

    A log listing showing the outcome of creating an instance, with multiple entries that read "RUNNING"

    The workflow completes after a few seconds. You can then reload the VM instances node to view the new instance in the vRealize Orchestrator inventory tree.

    Folder tree with "GCP" > "Default" > "VM Instances" > "instance-1" selected

  7. To show attributes of the new instance, click it in the listing.

    Dialog showing attributes of the new instance, like creation time, external IP address, and zone

  8. Optionally, in the GCP Console, go to the VM Instances page and find your new instance.

    GCP Console showing the new VM image

Execute a Day 2 workflow on an existing Compute Engine instance

In VMware documentation, Day 2 operations are those that you perform after initial provisioning. This section describes how to execute an operational workflow on a GCP resource.

As an example, the following procedure shows how to run a workflow on an existing Compute Engine instance.

  1. In vRealize Orchestrator, right-click the resource and select Run workflow.

    Right-click menu with "Run workflow" selected

  2. Click on the workflow to execute, and then click Select.

    vRealize Orchestrator "Chooser" dialog, showing the "Reset Instance" workflow selected

    The VM instance is populated in the form field.

  3. Run the workflow to perform the action. (In this case, to reset the instance.)

    "Reset Instance" step of the "Start Workflow" flow, showing "instance-1" selected

    A dialog appears and remains on the screen until the workflow completes. You may optionally choose to send the workflow to the background if you want to perform other tasks while it runs.

  4. Optionally, go to the GCP Console and note the effect of running the workflow.

    GCP Console, showing result (stop image) of workflow in vRealize Orchestrator

Using vRealize Automation with GCP

The GCP plug-in for vRealize Orchestrator enables vRealize Automation administrators to create blueprints of GCP resources and publish them to the vRealize Automation catalog. End users can request and deploy blueprints.

For more information, see Designing and Publishing Blueprints in the VMware documentation.

Creating XaaS blueprints in vRealize Automation from vRealize Orchestrator

This section describes the procedure for using workflows provided by vRealize Orchestrator and by the GCP plug-in for vRealize Orchestrator to import the XaaS resource types and blueprints that you intend to use inside of vRealize Automation.

Add a vRealize Automation host

  1. In vRealize Orchestrator, go to the Workflows tab and then open vRealize Automation > Configuration.
  2. Run the Add a vRA Host workflow.

    Folder tree with "vRealize Automation" > "Configuration" > "Add a vRA host" selected

  3. Provide the information for your vRealize Automation host. Be sure to use a user account that has IaaS administrative roles assigned to it.

Import XaaS custom resources

  1. In vRealize Orchestrator, go to the Workflows tab and then open GCP > vRA Blueprints.
  2. Run the Import XaaS Custom Resources workflow.

    Folder tree with "vRA Blueprints" > "Import XaaS Custom Resources" selected

  3. Choose your vRealize Automation host and select the GCP resource types that you want to have available in vRealize Automation. For example, if you want to manage Cloud Storage resources in vRealize Automation, select GCP:Bucket and GCP:StorageObject. By default, all GCP types available in the plug-in are selected.

    Dialog showing a vRA host, GCP types, and "GCP:Bucket" selected

  4. Submit the workflow.

    When it completes, you see the imported custom resources in the Design > XaaS > Custom Resources section of vRealize Automation.

    vRealize Automation Development page, showing the "Custom Resources" pane and various GCP bucket attributes

Import XaaS service blueprints

  1. In vRealize Orchestrator, go to the Workflows tab and open GCP > vRA Blueprints.
  2. Run the Import XaaS Services Blueprints workflow.

    Folder tree with "vRA Blueprints" > "Import XaaS Services Blueprints" selected

  3. Choose your vRealize Automation Host and select the workflows that create instances of the custom resource types that you imported previously. For example, the BigQuery > Create Dataset workflow is available because it is used to create a GCP:Dataset.

    You can select as many workflows as you want based on the custom resource types known to your vRealize Automation Host. The service name field is used to define the name of the vRealize Automation service catalog.

    "Array of string" dialog, showing a listing of workflows

  4. Submit the workflow.

    When it completes, you see all of the imported blueprints under the Design > XaaS > XaaS Blueprints section in vRealize Orchestrator.

    "XaaS Blueprints" dialog, showing a listing of available blueprints

  5. To verify the workflows, in vRealize Orchestrator, go to Administration > Catalog Management > Catalog Items.

    You see that the new GCP service has been added and that each of the XaaS blueprints has been added as a catalog item within the new service.

    vRealize Automation Development page, showing the "Catalog Items" pane and a listing of catalog items

Create an entitlement for GCP service catalog items

To allow users to create and manage GCP resources, you create an entitlement that specifies the GCP service, along with the catalog items and actions that will be available.

For details, see Entitlements in the VMware documentation.

After the entitlement is created and made active, users that are a part of the assigned business group see the GCP catalog items as options.

vRealize Automation Development page, showing the "Catalog" pane and various catalog items as cards

Create actions for custom resources

Day 2 operations on custom resources need to be created as actions.

  1. In vRealize Orchestrator, go to the Workflows tab and then open GCP > vRA Blueprints.
  2. Run the Create Actions for Custom Resource workflow.

    Folder tree with "vRealize Blueprints" > "Create Actions For Custom Resource" selected

  3. Choose your vRealize Automation host and then type the name of the custom resource type you want to create actions for.

    Dialog showing parameters for the workflow, showing a host name and resource type

  4. Submit the workflow.

    When it completes, you see the actions as published resource actions in the Design > XaaS > Resource Actions section of vRealize Automation.

    vRealize Automation Development page, showing the "Resource Actions" pane and a listing of actions, like "Delete Dataset" and "Update Cluster"

  5. Optionally, enable the actions in the entitlement established for your users. This makes sure that they appear on created resources managed by vRealize Automation.

    "Entitled Actions" dialog, showing a listing of actions, like "Create Table" and corresponding approval policies

Manually creating XaaS blueprints in vRealize Automation

The procedures in this section describe the manual steps for configuring vRealize Automation to allow your users to run workflows from the GCP Plug-in for VMware vRealize Orchestrator in a vRealize Automation service catalog. This guide assumes you have XaaS Administrator privileges and are familiar with the instructions described in Creating XaaS Blueprints and Actions in the VMware documentation.

For a more efficient means of building vRealize Automation XaaS artifacts, we recommend following the steps in the Creating XaaS Blueprints in vRealize Automation from vRealize Orchestrator section above.

Create a multi-resource blueprint

You can use the vRealize Automation blueprint designer to build reusable templates that consist of multiple XaaS blueprint components.

For example, you can create a blueprint that creates a Compute Engine instance that's running Microsoft SQL Server and that has the associated network and firewall rules. You can use the blueprint designer interface to add GCP resources and create custom blueprints.

Blueprint designer showing boxes, with arrows going from "Network" to "SQL Server" to "Firewall Rules"

Updates and release notes

To get the latest version of the GCP plug-in for vRealize, download it from the following Cloud Storage bucket:

https://storage.googleapis.com/cpe-ti-vmware/signed/o11nplug-in-gcp-plug-in-for-vro.vmoapp

If you are running an older version of the plug-in, you will receive a warning message when you run workflows indicating that a newer version is available.

You can use vRealize Orchestrator to download the latest version of the plug-in.

  1. In the GCP Console, make sure the Cloud Storage JSON API is enabled.

    Go to the Cloud Storage JSON API page

  2. In vRealize Orchestrator, go to the GCP > Configuration folder.

  3. Run the Download Latest Plugin workflow and provide your GCP connection.

    Folder tree with "GCP" > "Configuration" > "Download Latest Plugin" selected

    Running the workflow downloads the plug-in's .dar file to a temporary folder.

  4. Follow the steps in VMware KB article 2151653 to copy the plug-in's file to the appropriate location on the vRealize Orchestrator server. Use cp in place of rm in Step 4 to copy the downloaded .dar file to the /usr/lib/vco/app-server/plugins/ folder.

    Listing showing the .dar file copied to the "plugins" folder

Release notes are maintained at https://storage.googleapis.com/cpe-ti-vmware/RELEASE_NOTES.txt.

Issues

To report product defects, send an email to gcp-vrealize-feedback@google.com.
