VMware Cloud Community
JohnWhyte
Contributor

Apply NSX Security Tags via vRO workflow

I am attempting to create a workflow to use via EBS in vRA to apply some NSX security tags to VMs following provisioning. I am setting this up within the vRO Client and created a 'test' workflow that doesn't have the 'payload' as input so I can test the operation prior to subscribing the workflow.

Whenever I attempt any workflow operation against the NSX security tags, I am seeing the following error returned in the logs:

com.vmware.o11n.plugins.nsx.error.VsmException: VSM response error (202): The requested object : <security tag id> could not be found. Object identifiers are case sensitive

Now, I do know that the security tag that I am declaring is set up, visible, and able to attach to the VM, as I can do it manually from the vSphere web client and also via PowerNSX/PowerCLI.

This error is occurring when I am running the existing OOTB workflows 'Apply security tags on VM' and 'Get Security Tag by id' manually.

The inputs to the test workflow are 1. VC:VirtualMachine (to get the managed object reference), 2. NSX:Connection (to get the NSX endpoint), 3. array/string to hold the security tag id.

Has anyone ever managed to get these workflows to operate correctly, or am I perhaps doing/supplying something incorrectly as my inputs?

Any help/thoughts greatly appreciated.

0 Kudos
6 Replies
Sivakumarb
Contributor

Hi John,

We have the same use case: applying an NSX tag to a VM during the VM provisioning stage. I have been trying the same workflow and was finally able to run it successfully.

You need to insert the security tag's object ID "securitytag-xxx", which you can find by browsing to the Inventory tab - NSX - Security Tags; on the tag name you will see the object ID. You also need to insert the VM managed object reference, which you can get by following the KB - VMware Knowledge Base (you need a user that has MOB access to look up this ID, or the user administrator@vsphere.local).

0 Kudos
Mikael_8313
Contributor

Hello,

I have the same case. I want to apply security tags depending on different custom properties that are injected into the payload.

So my question is: how do I find the security tag ID from the security tag name, and what is the best method to find this element? Does a workflow exist that queries vCenter and/or NSX to list all the security tags?

Thank you!

Mikael

0 Kudos
iiliev
VMware Employee

Hi,

I don't have an NSX environment to validate it, but from the plug-in APIs it seems that you can retrieve the list of security tags via vRO scripting code using the method listV2 of the singleton scripting object NSXSecurityTagController.

0 Kudos
KThorlund
Enthusiast

Hi,

Can you give a few words on how you found the MoRef? I have tried to follow the KB, but can't get it to work.

How do you receive the reference from within vRO? Is it also available in the vCAC, or have you written a workflow/action, which can retrieve the moref from the vCenter prior to using it in vRO?

Thanks, K

0 Kudos
barjinders
VMware Employee

You can use the NSXSecurityTagManager API to get the tags. Once you have the tags in an array, you can write a function that will parse each tag and return the "tag.objectId". Below is a sample function.

NSXConnection is of type NSX:Connection

var nsxSecurityTags = NSXSecurityTagManager.getSecurityTags(NSXConnection);

// Returns the objectId of the tag whose name matches tagName, or "" if none matches.
function findTagByID(tagName, nsxSecurityTags){
     for each(var nsxTag in nsxSecurityTags){
          // Comparison is exact, so the name must match including case.
          if(tagName == nsxTag.name){
               System.log("Found NSX Security Tag Name: " + nsxTag.name);
               return nsxTag.objectId;
          }
     }
     return "";
}

0 Kudos
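Added example (not part of the original thread and not VMware's code): a stricter variant of the name-to-ID lookup above that resolves several tag names at once and fails closed instead of returning "" when a name is missing or matches more than one tag. The function name `resolveTagIds`, the sample tags, and the `securitytag-<number>` ID pattern are assumptions; tag objects only need the `.name` and `.objectId` properties used in the reply above.

```javascript
// Assumption: tag object IDs look like "securitytag-<number>" (the thread shows "securitytag-xxx").
var TAG_ID_PATTERN = /^securitytag-\d+$/;

// Hypothetical helper: map requested tag names to object IDs, throwing on any problem
// so a provisioning workflow stops rather than leaving a VM without its tags.
function resolveTagIds(requestedNames, tags) {
    var idsByName = {};
    for (var i = 0; i < tags.length; i++) {
        var tag = tags[i];
        if (!Object.prototype.hasOwnProperty.call(idsByName, tag.name)) {
            idsByName[tag.name] = [];
        }
        idsByName[tag.name].push(tag.objectId);
    }
    var resolved = [];
    var errors = [];
    for (var j = 0; j < requestedNames.length; j++) {
        var name = String(requestedNames[j]).trim();
        var known = Object.prototype.hasOwnProperty.call(idsByName, name);
        var ids = known ? idsByName[name] : [];
        if (ids.length === 0) {
            errors.push("no tag named '" + name + "' (match is case sensitive)");
        } else if (ids.length > 1) {
            errors.push("tag name '" + name + "' is ambiguous: " + ids.join(", "));
        } else if (!TAG_ID_PATTERN.test(ids[0])) {
            errors.push("unexpected object ID '" + ids[0] + "' for '" + name + "'");
        } else if (resolved.indexOf(ids[0]) === -1) {
            resolved.push(ids[0]); // de-duplicate repeated requests for the same tag
        }
    }
    if (errors.length > 0) {
        throw new Error("Security tag resolution failed: " + errors.join("; "));
    }
    return resolved;
}

// Constructed sample data, not output from a real NSX Manager.
var sampleTags = [
    { name: "PCI-Web", objectId: "securitytag-12" },
    { name: "PCI-DB", objectId: "securitytag-13" },
    { name: "Quarantine", objectId: "securitytag-14" },
    { name: "Quarantine", objectId: "securitytag-15" }
];
```

In vRO the `tags` argument would be the array returned by the plug-in call shown in the reply above, and the thrown error makes the workflow run fail visibly.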
barjinders
VMware Employee

You can get the moref from the VC VM Object. It is one of the properties of the VM.

var vcVM;     // (Type: VC:VirtualMachine)
var vmMoref = vcVM.moref.value;

0 Kudos