BrandonStiff/Add-BoshVCenterAccount.ps1

## Add-BoshVCenterAccount.ps1
function Add-BoshVCenterAccount()
{
  <#
    .SYNOPSIS
    Grants the correct vSphere permissions to the specified service user/group for BOSH director to function.

    .DESCRIPTION
    This function creates a new vSphere role called PKS Administrators if it does not exist already.  It then assigns the specified local or domain user/group to the role at the root vCenter server object.

    .PARAMETER Group
    Specifies the Group to assign the role to.

    .PARAMETER User
    Specifies the User to assign the role to.

    .PARAMETER Domain
    If specified, then the User or Group specified is assumed to be a domain object.  Specify the AD Domain the user/group is a member of.

    .OUTPUTS
    [VMware.VimAutomation.ViCore.Impl.V1.PermissionManagement.PermissionImpl]
    The resultant permission.

    .LINK
    https://docs.pivotal.io/pivotalcf/2-0/customizing/vsphere-service-account.html

    .EXAMPLE
    Connect-ViServer -Server myvcenter.domain.com
    Add-BoshVCenterAccount -Domain mydomain -User user1
  #>
  [CmdletBinding(SupportsShouldProcess,DefaultParameterSetName="user")]
  param
  (
    [Parameter(Mandatory,ParameterSetName="user")]
    [string] $User,

    [Parameter(Mandatory,ParameterSetName="group")]
    [string] $Group,

    [string] $Domain
  )

  $version = $Null
  if ( (Get-Variable | Where-Object { $_.Name -ieq "global:DefaultViServer" }) -and $DefaultViServer )
  {
    $version = $defaultViServer.Version
  }
  else
  {
    throw ("Use Connect-ViSever first!")
  }

  #  Permissions for 6.5+:
  $privileges = @( `
    "Manage custom attributes",
    "Allocate space",
    "Browse datastore",
    "Low level file operations",
    "Remove file",
    "Update virtual machine files",
    "Delete folder",
    "Create folder",
    "Move folder",
    "Rename folder",
    "Set custom attribute",
    "Modify cluster",
    "CreateTag",
    "EditTag",
    "DeleteTag",
    "Assign network",
    "Assign virtual machine to resource pool",
    "Migrate powered off virtual machine",
    "Migrate powered on virtual machine",
    "Add existing disk",
    "Add new disk",
    "Add or remove device",
    "Advanced",
    "Change CPU count",
    "Change resource",
    "Configure managedBy",
    "Disk change tracking",
    "Disk lease",
    "Display connection settings",
    "Extend virtual disk",
    "Memory",
    "Modify device settings",
    "Raw device",
    "Reload from path",
    "Remove disk",
    "Rename",
    "Reset guest information",
    "Set annotation",
    "Settings",
    "Swapfile placement",
    "Unlock virtual machine",
    "Guest Operation Program Execution",
    "Guest Operation Modifications",
    "Guest Operation Queries",
    "Answer question",
    "Configure CD media",
    "Console interaction",
    "Defragment all disks",
    "Device connection",
    "Guest operating system management by VIX API",
    "Power Off",
    "Power On",
    "Reset",
    "Suspend",
    "VMware Tools install",
    "Create from existing",
    "Create new",
    "Move",
    "Register",
    "Remove",
    "Unregister",
    "Allow disk access",
    "Allow read-only disk access",
    "Allow virtual machine download",
    "Allow virtual machine files upload",
    "Clone template",
    "Clone virtual machine",
    "Customize",
    "Deploy template",
    "Mark as template",
    "Mark as virtual machine",
    "Modify customization specification",
    "Promote disks",
    "Read customization specifications",
    "Create snapshot",
    "Remove Snapshot",
    "Rename Snapshot",
    "Revert to snapshot",
    "Import",
    "vApp application configuration"
  )

  if ( $version -ilike "6.0*" )
  {
    #  Version 6.0 permissions:
    $privileges = $privileges | Where-Object { $_ -inotmatch '^(Create|Edit|Delete)Tag$' }
    $privileges += "Create Inventory Service Tag"
    $privileges += "Edit Inventory Service Tag"
    $privileges += "Delete Inventory Service Tag"
  }

  $role = Get-ViRole | Where-Object { $_.Name -ieq "PKS Administrators" }

  if ( !$role )
  {
    $role = New-VIRole -Name "PKS Administrators" -Privilege $privileges
  }

  $principalParam = @{}
  $idFieldName = "Name"

  if ( $Domain )
  {
    $principalParam.Add("Domain", $Domain)
    $idFieldName = "Id"
  }

  if ( $PSCmdlet.ParameterSetName -ieq "user" )
  {
    $principalParam.Add($idFieldName, $User)
    $principalParam.Add("User", $true)
  }
  else
  {
    $principalParam.Add($idFieldName, $Group)
    $principalParam.Add("Group", $true)
  }

  $principal = Get-VIAccount @principalParam

  if ( $PSCmdlet.ShouldProcess($DefaultViServer.Name, "Add permission to root Vcenter for domain account $($principal.Name) and role PKS Administrators") )
  {
    New-VIPermission -Entity "Datacenters" -Principal $principal -Role $role
  }
}
	function Add-BoshVCenterAccount()
	{
	<#
	.SYNOPSIS
	Grants the correct vSphere permissions to the specified service user/group for BOSH director to function.

	.DESCRIPTION
	This function creates a new vSphere role called PKS Administrators if it does not exist already. It then assigns the specified local or domain user/group to the role at the root vCenter server object.

	.PARAMETER Group
	Specifies the Group to assign the role to.

	.PARAMETER User
	Specifies the User to assign the role to.

	.PARAMETER Domain
	If specified, then the User or Group specified is assumed to be a domain object. Specify the AD Domain the user/group is a member of.

	.OUTPUTS
	[VMware.VimAutomation.ViCore.Impl.V1.PermissionManagement.PermissionImpl]
	The resultant permission.

	.LINK
	https://docs.pivotal.io/pivotalcf/2-0/customizing/vsphere-service-account.html

	.EXAMPLE
	Connect-ViServer -Server myvcenter.domain.com
	Add-BoshVCenterAccount -Domain mydomain -User user1
	#>
	[CmdletBinding(SupportsShouldProcess,DefaultParameterSetName="user")]
	param
	(
	[Parameter(Mandatory,ParameterSetName="user")]
	[string] $User,

	[Parameter(Mandatory,ParameterSetName="group")]
	[string] $Group,

	[string] $Domain
	)

	$version = $Null
	if ( (Get-Variable \| Where-Object { $_.Name -ieq "global:DefaultViServer" }) -and $DefaultViServer )
	{
	$version = $defaultViServer.Version
	}
	else
	{
	throw ("Use Connect-ViSever first!")
	}

	# Permissions for 6.5+:
	$privileges = @( `
	"Manage custom attributes",
	"Allocate space",
	"Browse datastore",
	"Low level file operations",
	"Remove file",
	"Update virtual machine files",
	"Delete folder",
	"Create folder",
	"Move folder",
	"Rename folder",
	"Set custom attribute",
	"Modify cluster",
	"CreateTag",
	"EditTag",
	"DeleteTag",
	"Assign network",
	"Assign virtual machine to resource pool",
	"Migrate powered off virtual machine",
	"Migrate powered on virtual machine",
	"Add existing disk",
	"Add new disk",
	"Add or remove device",
	"Advanced",
	"Change CPU count",
	"Change resource",
	"Configure managedBy",
	"Disk change tracking",
	"Disk lease",
	"Display connection settings",
	"Extend virtual disk",
	"Memory",
	"Modify device settings",
	"Raw device",
	"Reload from path",
	"Remove disk",
	"Rename",
	"Reset guest information",
	"Set annotation",
	"Settings",
	"Swapfile placement",
	"Unlock virtual machine",
	"Guest Operation Program Execution",
	"Guest Operation Modifications",
	"Guest Operation Queries",
	"Answer question",
	"Configure CD media",
	"Console interaction",
	"Defragment all disks",
	"Device connection",
	"Guest operating system management by VIX API",
	"Power Off",
	"Power On",
	"Reset",
	"Suspend",
	"VMware Tools install",
	"Create from existing",
	"Create new",
	"Move",
	"Register",
	"Remove",
	"Unregister",
	"Allow disk access",
	"Allow read-only disk access",
	"Allow virtual machine download",
	"Allow virtual machine files upload",
	"Clone template",
	"Clone virtual machine",
	"Customize",
	"Deploy template",
	"Mark as template",
	"Mark as virtual machine",
	"Modify customization specification",
	"Promote disks",
	"Read customization specifications",
	"Create snapshot",
	"Remove Snapshot",
	"Rename Snapshot",
	"Revert to snapshot",
	"Import",
	"vApp application configuration"
	)

	if ( $version -ilike "6.0*" )
	{
	# Version 6.0 permissions:
	$privileges = $privileges \| Where-Object { $_ -inotmatch '^(Create\|Edit\|Delete)Tag$' }
	$privileges += "Create Inventory Service Tag"
	$privileges += "Edit Inventory Service Tag"
	$privileges += "Delete Inventory Service Tag"
	}

	$role = Get-ViRole \| Where-Object { $_.Name -ieq "PKS Administrators" }

	if ( !$role )
	{
	$role = New-VIRole -Name "PKS Administrators" -Privilege $privileges
	}

	$principalParam = @{}
	$idFieldName = "Name"

	if ( $Domain )
	{
	$principalParam.Add("Domain", $Domain)
	$idFieldName = "Id"
	}

	if ( $PSCmdlet.ParameterSetName -ieq "user" )
	{
	$principalParam.Add($idFieldName, $User)
	$principalParam.Add("User", $true)
	}
	else
	{
	$principalParam.Add($idFieldName, $Group)
	$principalParam.Add("Group", $true)
	}

	$principal = Get-VIAccount @principalParam

	if ( $PSCmdlet.ShouldProcess($DefaultViServer.Name, "Add permission to root Vcenter for domain account $($principal.Name) and role PKS Administrators") )
	{
	New-VIPermission -Entity "Datacenters" -Principal $principal -Role $role
	}
	}