Grants the correct vSphere permissions to the specified service user/group for BOSH director to function.
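function Add-BoshVCenterAccount
{
    <#
    .SYNOPSIS
    Grants the correct vSphere permissions to the specified service user/group for BOSH director to function.
    .DESCRIPTION
    Creates a vSphere role (default name "PKS Administrators") if it does not exist already, then assigns the
    specified local or domain user/group to that role at the root vCenter object ("Datacenters").

    Notes for operators:
    - New-VIPermission is called without -Propagate, so the permission takes that cmdlet's default
      propagation (documented by PowerCLI as propagating to child objects -- confirm for your version).
      The grant therefore applies to everything below the vCenter root, not just to one datacenter.
    - The privilege list includes "Guest Operation Program Execution", "Raw device", "Low level file
      operations" and "Allow disk access". An account holding this role can effectively run code inside
      guests and read VM disk files; treat its credentials as highly sensitive and scope the account
      to this use only.
    - If a role with the given name already exists it is reused as-is. Its privilege list is NOT
      reconciled with the list in this function; review existing roles manually after changing it.
    .PARAMETER Group
    Specifies the Group to assign the role to.
    .PARAMETER User
    Specifies the User to assign the role to.
    .PARAMETER Domain
    If specified, then the User or Group specified is assumed to be a domain object. Specify the AD Domain the user/group is a member of.
    .PARAMETER RoleName
    Name of the role to create or reuse. Defaults to "PKS Administrators".
    .OUTPUTS
    [VMware.VimAutomation.ViCore.Impl.V1.PermissionManagement.PermissionImpl]
    The resultant permission.
    .LINK
    https://docs.pivotal.io/pivotalcf/2-0/customizing/vsphere-service-account.html
    .EXAMPLE
    Connect-VIServer -Server myvcenter.domain.com
    Add-BoshVCenterAccount -Domain mydomain -User user1
    #>
    [CmdletBinding(SupportsShouldProcess, DefaultParameterSetName = "user")]
    param
    (
        [Parameter(Mandatory, ParameterSetName = "user")]
        [string] $User,
        [Parameter(Mandatory, ParameterSetName = "group")]
        [string] $Group,
        [string] $Domain,
        [string] $RoleName = "PKS Administrators"
    )

    # PowerCLI sets $global:DefaultVIServer on Connect-VIServer. Read it through Get-Variable so the
    # check also works under Set-StrictMode. NB: Get-Variable reports names WITHOUT a scope prefix, so
    # the earlier "$_.Name -ieq 'global:DefaultViServer'" comparison could never match and the function
    # always threw; ask for the variable by name in the global scope instead.
    $server = Get-Variable -Name DefaultVIServer -Scope Global -ValueOnly -ErrorAction SilentlyContinue
    if (-not $server)
    {
        throw "Use Connect-VIServer first!"
    }
    $version = $server.Version

    # Privilege display names for vSphere 6.5+ (see .LINK). Keep these strings exactly as vCenter
    # displays them; New-VIRole resolves them by name.
    $privileges = @(
        "Manage custom attributes",
        "Allocate space",
        "Browse datastore",
        "Low level file operations",
        "Remove file",
        "Update virtual machine files",
        "Delete folder",
        "Create folder",
        "Move folder",
        "Rename folder",
        "Set custom attribute",
        "Modify cluster",
        "CreateTag",
        "EditTag",
        "DeleteTag",
        "Assign network",
        "Assign virtual machine to resource pool",
        "Migrate powered off virtual machine",
        "Migrate powered on virtual machine",
        "Add existing disk",
        "Add new disk",
        "Add or remove device",
        "Advanced",
        "Change CPU count",
        "Change resource",
        "Configure managedBy",
        "Disk change tracking",
        "Disk lease",
        "Display connection settings",
        "Extend virtual disk",
        "Memory",
        "Modify device settings",
        "Raw device",
        "Reload from path",
        "Remove disk",
        "Rename",
        "Reset guest information",
        "Set annotation",
        "Settings",
        "Swapfile placement",
        "Unlock virtual machine",
        "Guest Operation Program Execution",
        "Guest Operation Modifications",
        "Guest Operation Queries",
        "Answer question",
        "Configure CD media",
        "Console interaction",
        "Defragment all disks",
        "Device connection",
        "Guest operating system management by VIX API",
        "Power Off",
        "Power On",
        "Reset",
        "Suspend",
        "VMware Tools install",
        "Create from existing",
        "Create new",
        "Move",
        "Register",
        "Remove",
        "Unregister",
        "Allow disk access",
        "Allow read-only disk access",
        "Allow virtual machine download",
        "Allow virtual machine files upload",
        "Clone template",
        "Clone virtual machine",
        "Customize",
        "Deploy template",
        "Mark as template",
        "Mark as virtual machine",
        "Modify customization specification",
        "Promote disks",
        "Read customization specifications",
        "Create snapshot",
        "Remove Snapshot",
        "Rename Snapshot",
        "Revert to snapshot",
        "Import",
        "vApp application configuration"
    )

    if ($version -ilike "6.0*")
    {
        # vSphere 6.0 names the tagging privileges differently; swap them in.
        $privileges = @($privileges | Where-Object { $_ -inotmatch '^(Create|Edit|Delete)Tag$' })
        $privileges += "Create Inventory Service Tag"
        $privileges += "Edit Inventory Service Tag"
        $privileges += "Delete Inventory Service Tag"
    }

    # Exact (case-insensitive) name match rather than Get-VIRole -Name, which would treat
    # wildcard characters in $RoleName as a pattern. An existing role is reused untouched.
    $role = Get-VIRole -Server $server | Where-Object { $_.Name -ieq $RoleName }
    if (-not $role)
    {
        if (-not $PSCmdlet.ShouldProcess($server.Name, "Create role '$RoleName' with $($privileges.Count) privileges"))
        {
            # Role creation declined (e.g. -WhatIf); there is nothing to bind the permission to.
            return
        }
        $role = New-VIRole -Server $server -Name $RoleName -Privilege $privileges
    }

    # Resolve the principal. The lookup keeps the original behaviour: domain principals are looked up
    # by -Id together with -Domain, local ones by -Name.
    $identity = if ($PSCmdlet.ParameterSetName -ieq "user") { $User } else { $Group }
    $lookup = @{ Server = $server; ErrorAction = 'Stop' }
    if ($Domain)
    {
        $lookup.Domain = $Domain
        $lookup.Id = $identity
    }
    else
    {
        $lookup.Name = $identity
    }
    if ($PSCmdlet.ParameterSetName -ieq "user")
    {
        $lookup.User = $true
    }
    else
    {
        $lookup.Group = $true
    }

    # Get-VIAccount -Name accepts wildcards and may return several accounts; refuse to grant a
    # highly privileged role to anything but exactly one unambiguous principal.
    $accounts = @(Get-VIAccount @lookup)
    if ($accounts.Count -ne 1)
    {
        throw "Expected exactly one account matching '$identity' but found $($accounts.Count). Refine the name or specify -Domain."
    }
    $principal = $accounts[0]

    $principalLabel = if ($Domain) { "domain account $($principal.Name) ($Domain)" } else { "local account $($principal.Name)" }
    if ($PSCmdlet.ShouldProcess($server.Name, "Add permission at vCenter root for $principalLabel and role $RoleName"))
    {
        # "Datacenters" is the root folder; without -Propagate the cmdlet's default propagation applies.
        New-VIPermission -Server $server -Entity "Datacenters" -Principal $principal -Role $role
    }
}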