Google Cloud plug-in for VMware vRealize

Introduction

The Google Cloud Plug-in for VMware vRealize Orchestrator lets you provision and manage Google Cloud resources using vRealize Orchestrator and VMware vRealize Automation, including Compute Engine instances, GKE clusters, Cloud Spanner and Cloud SQL instances, and Cloud Storage buckets.

Benefits

The Google Cloud Plug-in for vRealize provides a consistent management and governance experience across on-premises and Google Cloud-based IT environments. For example, you can use Google-provided blueprints or build your own blueprints for Compute Engine resources and publish to the vRealize service catalog. This means that you can select and launch resources predictably using a tool you're already familiar with when you orchestrate VMs in your on-premises VMware environment.

Prerequisites

You need a Google Billing account to complete the instructions in this guide. If you don't have an account, see Create, Modify, or Close Your Billing Account. New Google Cloud users might be eligible for a free trial.

This guide assumes that you have a working knowledge of the following:

Supported Google Cloud products

The plug-in supports the following Google Cloud resources:

  • BigQuery
  • Filestore
  • Cloud KMS
  • Pub/Sub
  • Spanner
  • Cloud SQL
  • Cloud Storage
  • Compute Engine
  • IAM service accounts and keys
  • Google Kubernetes Engine clusters
  • Virtual Private Cloud networks and firewall rules
  • Turnkey VM-based application servers:
    • ASP.NET
    • MS SQLServer Enterprise
    • WordPress
    • LAMP
    • HA load-balanced Compute Engine VM cluster

Setting up the Google Cloud plug-in for vRealize

This section explains how to install and configure the plug-in.

Set up your Google Cloud environment

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to the project selector page

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Enable the Compute Engine API.

    Enable the API

Download the plug-in

Create and download service account JSON

In order to have the Google Cloud plug-in for vRealize interact with your Google Cloud resources, the plug-in needs to have a service account credential that is used to authenticate API calls to Google Cloud.

  1. In the Cloud Console, go to the select IAM & admin page

    Go to the IAM & admin page

  2. Select Service accounts and then click Create Service Account.

  3. Give the service account a name and optionally provide a description.

  4. Click Create.

  5. Grant the following roles to the service account. (Use the filter box at the top to find these roles.)

    • To enable the plug-in to create and manage Compute Engine instances, add the Compute Admin and Service Account User roles.
    • To enable the plug-in to manage GKE clusters, add the Kubernetes Engine Admin role.
    • To enable the plug-in to manage Pub/Sub topics and subscriptions, add the Pub/Sub Admin role.

    To enable the plug-in to manage additional resource types, add the appropriate role. For more information, see Understanding Service Accounts.

  6. Alternatively, to enable the plug-in to manage all Google Cloud resource types, give the service account the Editor role on the project. However, it's a best practice to grant the fewest privileges that are necessary in order for the plug-in to manage your Google Cloud resources.

  7. When you've finished assigning roles, click Continue.

  8. Click Create Key and select the JSON option.

Your browser downloads a new service account credential file in JSON format that contains the service account private key. Store this in a secure location, because you need it later to create the Google Cloud connection in the plug-in.

Install the plug-in in vRealize Orchestrator

You can now configure the plug-in in vRealize Orchestrator.

  1. In your browser, log in to the vRealize Orchestrator Control Center as an administrator. The URL is typically like the following:

    https://hostname:8283/vco-controlcenter

  2. Go to the Manage Plug-Ins page.

  3. Browse for the plug-in file you downloaded and click Upload.

  4. If you accept the EULA, click Install.

  5. If you're prompted, click Save Changes.

    Wait for vRealize Orchestrator to restart its services before you use the plug-in. The restart might take a few minutes. You'll know that vRealize Orchestrator has restarted when you see all green checkmarks in the Validate Configuration page.

    vRealize Orchestrator Validate Configuration page, showing success for all the validation tasks

Establish a Google Cloud connection in vRealize Orchestrator

The final stage in the setup is to use the service account credential file you downloaded earlier to establish a connection in the vRealize Orchestrator. Doing this allows the plug-in to execute operations on behalf of any logged-in vRealize Orchestrator user.

  1. In the Workflows tab of vRealize Orchestrator, select Library > GCP > Configuration > Create GCP Connection.
  2. Provide a name for the connection.

  3. Provide the key in either of these ways:

    • Attach the service account credential file that you downloaded earlier
    • Paste the credential in the Paste JSON-encoded Service Account field.

    Create Google Cloud Connection page, showing a .json file for upload

  4. If your vRealize Orchestrator server needs to connect to a proxy server before reaching the public internet, check the Use proxy? option and provide your proxy server details:

    Page showing the option to use a proxy enabled, the proxy port (2832), Basic authentication selected, and a username and masked password

  5. When workflow completes, go to the Inventory tab in the vRealize Orchestrator client.

    In the Google Cloud Platform tree entry, you see a new subtree with your connection name and project ID. Unless you already have Google Cloud resources, most of the tree nodes are empty except for the ones available by default in a project. These include Compute Regions/Zones, the default network and firewall rules, and the service account that you created and used to establish the connection from vRealize Orchestrator.

    vRealize Orchestrator image client, showing the Inventory tab with "VM Instances" selected

You have now completed the configuration of the plug-in, and you can run any of the other workflows available in the Google Cloud directory.

Working with Google Cloud resources in vRealize Orchestrator and vRealize Automation

This section provides an overview of using workflows in the Google Cloud plug-in for vRealize.

Authenticating and authorizing users

vRealize administrators and users authenticate to vRealize Orchestrator and vRealize Automation using vRealize role-based access management. vRealize roles are not mapped to IAM permissions. Instead, all vRealize user and administrator actions are performed using the same Google Cloud service account that was used when creating the connection. The service account must have appropriate IAM permissions to allow vRealize users to provision resources in Google Cloud, as described earlier.

You can create more than one connection, each one using different Google Cloud projects and service accounts. This lets you isolate user and administrator actions by granting specific user groups access to a connection. You can specify a different connection for each workflow that's used to create a new resource, and each workflow that operates on an existing resource infers the connection from the project ID where the resource is located.

Running Google Cloud workflows in vRealize Orchestrator

The workflows included in the Google Cloud plug-in for vRealize Orchestrator allow your users to create many common Google Cloud resources, including Compute Engine instances, GKE clusters, Virtual Private Cloud firewall rules, Cloud Storage buckets. In general, workflows for creating these resources can be accessed within the folder for the resource type (for example, Instances for Compute Engine instances).

As an example of how to run a Google Cloud workflow, the following section describes how to build a Compute Engine instance.

Create a Compute Engine instance

  1. In the vRealize Orchestrator folder, open GCP > Instances, and then click Create Instance.

    vRealize Orchestrator folder, with "Instances" > "Create Instance" selected

  2. Select a Google Cloud connection. This provides the authorization credential to be able to interact with Google Cloud APIs.

    "Select Google Cloud Connection" dialog in the "Create Network" step of starting a workflow

  3. Use the fields to customize the configuration of the VM instance, such as specifying the region, zone, instance name, machine type, and so on. Required fields are marked with a red asterisk.

    Specifying Google Cloud VM instance options, like name, machine type, and OS

  4. Click Next to move to additional pages that let you specify options like a startup script, tags, an external IP address, and an SSH key.

    Specifying Google Cloud VM instance options, like startup script

  5. Optionally, examine the information in the Price estimate form. This page provides an estimated calculation of the monthly cost for running the VM. This is not intended to be an exact measure of your expected billing charges, but can provide a rough estimate to use for budgeting purposes.

    Price estimator showing a monthly cost of $24.67

  6. When you've finished specifying options, click Submit.

    In the Logs tab of the workflow execution page, you see diagnostic information that indicates the status of the create operation.

    A log listing showing the outcome of creating an instance, with multiple entries that read "RUNNING"

    The workflow completes after a few seconds. You can then reload the VM instances node to view the new instance in the vRealize Orchestrator inventory tree.

    Folder tree with "Google Cloud" > "Default" > "VM Instances" > "instance-1" selected

  7. To show attributes of the new instance, click it in the listing.

    Dialog showing attributes of the new instance, like creation time, external IP address, and zone

  8. Optionally, in the Cloud Console, go to the VM Instances page and find your new instance.

    Cloud Console showing the new VM image

Execute a Day 2 workflow on an existing Compute Engine instance

In VMware documentation, Day 2 operations are those that you perform after initial provisioning. This section describes how to execute an operational workflow on a Google Cloud resource.

As an example, the following procedure shows how to run a workflow on an existing Compute Engine instance.

  1. In vRealize Orchestrator, right-click the resource and select Run workflow.

    Right-click menu with "Run workflow" selected

  2. Click on the workflow to execute, and then click Select.

    vRealize Orchestrator "Chooser" dialog, showing the "Reset Instance" workflow selected

    The VM instance is populated in the form field.

  3. Run the workflow to perform the action. (In this case, to reset the instance.)

    "Reset Instance" step of the "Start Workflow" flow, showing "instance-1" selected

    A dialog appears and remains on the screen until the workflow completes. You may optionally choose to send the workflow to the background if you want to perform other tasks while it runs.

  4. Optionally, go to the Cloud Console and note the effect of running the workflow.

    Cloud Console, showing result (stop image) of workflow in vRealize Orchestrator

Using vRealize Automation with Google Cloud

The Google Cloud plug-in for vRealize Orchestrator enables vRealize Automation administrators to create blueprints of Google Cloud resources and publish them to the vRealize Automation catalog. End users can request and deploy blueprints.

For more information, see Designing and Publishing Blueprints in the VMware documentation.

Creating XaaS blueprints in vRealize Automation from vRealize Orchestrator

This section describes the procedure for using workflows provided by vRealize Orchestrator and by the Google Cloud plug-in for vRealize Orchestrator to import the XaaS resource types and blueprints that you intend to use inside of vRealize Automation.

Add a vRealize Automation host

  1. In vRealize Orchestrator, go to the Workflows tab and then open vRealize Automation > Configuration.

  2. Run the Add a vRA Host workflow.

    Folder tree with "vRealize Automation" > "Configuration" > "Add a vRA host" selected

  3. Provide the information for your vRealize Automation host. Be sure to use a user account that has IaaS administrative roles assigned to it.

Import XaaS custom resources

  1. In vRealize Orchestrator, go to the Workflows tab and then open GCP > vRA Blueprints.

  2. Run the Import XaaS Custom Resources workflow.

    Folder tree with "vRA Blueprints" > "Import XaaS Custom Resources" selected

  3. Choose your vRealize Automation host and select the Google Cloud resource types that you want to have available in vRealize Automation. For example, if you want to manage Cloud Storage resources in vRealize Automation, select Google Cloud:Bucket and Google Cloud:StorageObject. By default, all Google Cloud types available in the plug-in are selected.

    Dialog showing a vRA host, Google Cloud types, and "Google Cloud:Bucket" selected

  4. Submit the workflow.

    When it completes, you see the imported custom resources in the Design > XaaS > Custom Resources section of vRealize Automation.

    vRealize Automation Development page, showing the "Custom Resources" pane and various Google Cloud bucket attributes

Import XaaS service blueprints

  1. In vRealize Orchestrator, go to the Workflows tab and open GCP > vRA Blueprints.

  2. Run the Import XaaS Services Blueprints workflow.

    Folder tree with "vRA Blueprints" > "Import XaaS Services Blueprints" selected

  3. Choose your vRealize Automation Host and select the workflows that create instances of the custom resource types that you imported in the previously. For example, the BigQuery > Create Dataset workflow is available because it is used to create a Google Cloud:Dataset.

    You can select as many workflows as you want based on the custom resource types known to your vRealize Automation Host. The service name field is used to define the name of the vRealize Automation service catalog.

    "Array of string" dialog, showing a listing of workflows

  4. Submit the workflow.

    When it completes, you see all of the imported blueprints under the Design > XaaS > XaaS Blueprints section in vRealize Orchestrator.

    "XaaS Blueprints" dialog, showing a listing of available blueprints

  5. To verify the workflows, in vRealize Orchestator, go to Administration > Catalog Management > Catalog Items.

    You see that the new Google Cloud service has been added and that each of the XaaS blueprints has been added as a catalog item within the new service.

    vRealize Automation Development page, showing the "Catalog Items" pane and a listing of catalog items

Create an entitlement for Google Cloud service catalog items

To allow users to create and manage Google Cloud resources, you create an entitlement that specifies the Google Cloud service, along with the catalog items and actions that will be available.

For details, see Entitlements in the VMware documentation.

After the entitlement is created and made active, users that are a part of the assigned business group see the Google Cloud catalog items as options.

vRealize Automation Development page, showing the "Catalog" pane and various catalog items as cards

Create actions for custom resources

Day 2 operations on custom resources need to be created as actions.

  1. In vRealize Orchestrator, go to the Workflows tab and then open GCP > vRA Blueprints.

  2. Run the Create Actions for Custom Resource workflow.

    Folder tree with "vRealize Blueprints" > "Create Actions For Custom Resource" selected

  3. Choose your vRealize Automation host and then type the name of the custom resource type you want to create actions for.

    Dialog showing parameters for the workflow, showing a host name and resource type

  4. Submit the workflow.

    When it completes, you see the actions as published resource actions in the Design > XaaS > Resource Actions section of vRealize Automation.

    vRealize Automation Development page, showing the "Resource Actions" pane and a listing of actions, like "Delete Dataset" and "Update Cluster"

  5. Optionally, enable the actions in the entitlement established for your users. This makes sure that they appear on created resources managed by vRealize Automation.

    "Entitled Actions" dialog, showing a listing of actions, like "Create Table" and corresponding approval policies

Manually creating XaaS blueprints in vRealize Automation

The procedures in this section describe the manual steps for configuring vRealize Automation to allow your users to run workflows from the Google Cloud Plug-in for VMware vRealize Orchestrator in a vRealize Automation service catalog. This guide assumes you have XaaS Administrator privileges and are familiar with the instructions described in Creating XaaS Blueprints and Actions in the VMware documentation.

For a more efficient means of building vRealize Automation XaaS artifacts, we recommend following the steps in the Creating XaaS Blueprints in vRealize Automation from vRealize Orchestrator section above.

Create a multi-resource blueprint

You can use the vRealize Automation blueprint designer to build reusable templates that consist of multiple XaaS blueprint components.

For example, you can create a blueprint that creates a Compute Engine instance that's running Microsoft SQL Server and that has the associated network and firewall rules. You can use the blueprint designer interface to add Google Cloud resources and create custom blueprints.

Blueprint designer showing boxes, with arrows going from "Network" to "SQL Server" to "Firewall Rules"

Updates and release notes

To get the latest version of the Google Cloud plug-in for vRealize, download it from the following Cloud Storage bucket:

https://storage.googleapis.com/cpe-ti-vmware/signed/o11nplug-in-gcp-plug-in-for-vro.vmoapp

If you are running an older version of the plug-in, you will receive a warning message when you run workflows indicating that a newer version is available.

You can use vRealize Orchestrator to download the latest version of the plug-in.

  1. In the Cloud Console, make sure the Cloud Storage JSON API is enabled.

    Go to the Cloud Storage JSON API page

  2. In vRealize Orchestrator, go to the GCP > Configuration folder.

  3. Run the Download Latest Plugin workflow and provide your Google Cloud connection.

    Folder tree with "Google Cloud" > "Configuration" > "Download Latest Plugin" selected

    Running the workflow downloads the plug-in's .dar file to a temporary folder.

  4. Follow the steps in this VMware KB article 2151653 to copy the plug-in's file to the appropriate location on the vRealize Orchestrator server. Use cp in place of rm in Step 4 to move the downloaded .dar file to the /usr/lib/vco/app-server/plugins/ folder.

    Listing showing the .dar file copied to the "plugins" folder

Release notes are maintained at https://storage.googleapis.com/cpe-ti-vmware/RELEASE_NOTES.txt.

Issues

To report product defects, send an email to gcp-vrealize-feedback@google.com.