Grants the correct vSphere permissions to the specified service user/group for BOSH director to function.
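function Add-BoshVCenterAccount() {
<#
.SYNOPSIS
Grants the correct vSphere permissions to the specified service user/group for BOSH director to function.
.DESCRIPTION
This function creates a new vSphere role called PKS Administrators if it does not exist already. It then assigns the specified local or domain user/group to the role at the root vCenter server object.
If the role already exists it is used as-is: its privilege list is NOT reconciled with the list built by this function, so a warning is written to make that drift visible.
Requires an active PowerCLI connection (Connect-VIServer); the version of the connected server selects the tag-privilege names (6.0 vs 6.5+).
.PARAMETER Group
Specifies the Group to assign the role to.
.PARAMETER User
Specifies the User to assign the role to.
.PARAMETER Domain
If specified, then the User or Group specified is assumed to be a domain object. Specify the AD Domain the user/group is a member of.
.OUTPUTS
[VMware.VimAutomation.ViCore.Impl.V1.PermissionManagement.PermissionImpl]
The resultant permission.
.NOTES
Throws if no vCenter connection is active, if the account cannot be resolved, or if the name resolves to more than one account (a permission must be bound to exactly one principal).
.LINK
https://docs.pivotal.io/pivotalcf/2-0/customizing/vsphere-service-account.html
.EXAMPLE
Connect-ViServer -Server myvcenter.domain.com
Add-BoshVCenterAccount -Domain mydomain -User user1
#>
    [CmdletBinding(SupportsShouldProcess,DefaultParameterSetName="user")]
    param
    (
        [Parameter(Mandatory,ParameterSetName="user")]
        [string] $User,
        [Parameter(Mandatory,ParameterSetName="group")]
        [string] $Group,
        [string] $Domain
    )

    $roleName = "PKS Administrators"

    # Require an active PowerCLI connection. Get-Variable reports bare variable
    # names (no "global:" prefix), so the old name filter never matched; look the
    # variable up by name and scope instead and treat an empty value as "not connected".
    $server = Get-Variable -Name DefaultViServer -Scope Global -ValueOnly -ErrorAction SilentlyContinue
    if ( -not $server )
    {
        throw "Use Connect-VIServer first!"
    }
    $version = $server.Version

    # Privilege display names for vSphere 6.5+ (the 6.0 tag privileges differ, see below).
    $privileges = @(
        "Manage custom attributes",
        "Allocate space",
        "Browse datastore",
        "Low level file operations",
        "Remove file",
        "Update virtual machine files",
        "Delete folder",
        "Create folder",
        "Move folder",
        "Rename folder",
        "Set custom attribute",
        "Modify cluster",
        "CreateTag",
        "EditTag",
        "DeleteTag",
        "Assign network",
        "Assign virtual machine to resource pool",
        "Migrate powered off virtual machine",
        "Migrate powered on virtual machine",
        "Add existing disk",
        "Add new disk",
        "Add or remove device",
        "Advanced",
        "Change CPU count",
        "Change resource",
        "Configure managedBy",
        "Disk change tracking",
        "Disk lease",
        "Display connection settings",
        "Extend virtual disk",
        "Memory",
        "Modify device settings",
        "Raw device",
        "Reload from path",
        "Remove disk",
        "Rename",
        "Reset guest information",
        "Set annotation",
        "Settings",
        "Swapfile placement",
        "Unlock virtual machine",
        "Guest Operation Program Execution",
        "Guest Operation Modifications",
        "Guest Operation Queries",
        "Answer question",
        "Configure CD media",
        "Console interaction",
        "Defragment all disks",
        "Device connection",
        "Guest operating system management by VIX API",
        "Power Off",
        "Power On",
        "Reset",
        "Suspend",
        "VMware Tools install",
        "Create from existing",
        "Create new",
        "Move",
        "Register",
        "Remove",
        "Unregister",
        "Allow disk access",
        "Allow read-only disk access",
        "Allow virtual machine download",
        "Allow virtual machine files upload",
        "Clone template",
        "Clone virtual machine",
        "Customize",
        "Deploy template",
        "Mark as template",
        "Mark as virtual machine",
        "Modify customization specification",
        "Promote disks",
        "Read customization specifications",
        "Create snapshot",
        "Remove Snapshot",
        "Rename Snapshot",
        "Revert to snapshot",
        "Import",
        "vApp application configuration"
    )
    if ( $version -ilike "6.0*" )
    {
        # vSphere 6.0 names the tag privileges differently; swap them in.
        $privileges = @($privileges | Where-Object { $_ -inotmatch '^(Create|Edit|Delete)Tag$' })
        $privileges += "Create Inventory Service Tag"
        $privileges += "Edit Inventory Service Tag"
        $privileges += "Delete Inventory Service Tag"
    }

    # Exact-name lookup; Get-VIRole errors when nothing matches, so suppress that and test for null.
    $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
    if ( $role )
    {
        # An existing role carries whatever privileges an operator last set, which may be
        # more or less than the list above. Surface that rather than silently binding to it.
        Write-Warning "Role '$roleName' already exists; using it as-is without reconciling its privilege list."
    }
    else
    {
        # New-VIRole honours -WhatIf/-Confirm itself; it returns nothing when the
        # operation is skipped, in which case there is no role to bind a permission to.
        $role = New-VIRole -Name $roleName -Privilege $privileges
        if ( -not $role )
        {
            Write-Verbose "Role '$roleName' was not created; no permission assigned."
            return
        }
    }

    # Build the Get-VIAccount splat: local accounts are looked up by Name, domain
    # accounts by Id (domain lookups key on the account id, not the display name).
    $principalParam = @{}
    $idFieldName = "Name"
    if ( $Domain )
    {
        $principalParam.Add("Domain", $Domain)
        $idFieldName = "Id"
    }
    if ( $PSCmdlet.ParameterSetName -ieq "user" )
    {
        $accountKind = "user"
        $accountId = $User
        $principalParam.Add("User", $true)
    }
    else
    {
        $accountKind = "group"
        $accountId = $Group
        $principalParam.Add("Group", $true)
    }
    $principalParam.Add($idFieldName, $accountId)

    # A permission must bind to exactly one principal: fail loudly on no match or
    # an ambiguous match instead of handing $null or an array to New-VIPermission.
    $matches = @(Get-VIAccount @principalParam)
    if ( $matches.Count -eq 0 )
    {
        throw "No $accountKind '$accountId' found$(if ($Domain) { " in domain '$Domain'" })."
    }
    if ( $matches.Count -gt 1 )
    {
        throw "Account '$accountId' is ambiguous: $($matches.Count) matches. Specify an exact name."
    }
    $principal = $matches[0]

    $scope = if ( $Domain ) { "domain" } else { "local" }
    if ( $PSCmdlet.ShouldProcess($server.Name, "Add permission to root Vcenter for $scope $accountKind $($principal.Name) and role $roleName") )
    {
        New-VIPermission -Entity "Datacenters" -Principal $principal -Role $role
    }
}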