virtuallypotato/content/posts/creating-static-records-in-microsoft-dns-from-vrealize-automation.md

20 KiB
Raw Blame History

series date tags title
vRA8
2021-08-13T00:00:00Z
vmware
vra
vro
javascript
powershell
Creating static records in Microsoft DNS from vRealize Automation

One of the requirements for my vRA deployments is the ability to automatically create a static A records for non-domain-joined systems so that users can connect without needing to know the IP address. The organization uses Microsoft DNS servers to provide resolution on the internal domain. At first glance, this shouldn't be too much of a problem: vRealize Orchestrator 8.x can run PowerShell scripts, and PowerShell can use the Add-DnsServerResourceRecord cmdlet to create the needed records.

Not so fast, though. That cmdlet is provided through the Remote Server Administration Tools package so it won't be available within the limited PowerShell environment inside of vRO. A workaround might be to add a Windows machine to vRO as a remote PowerShell host, but then you run into issues of credential hopping.

I eventually came across this blog post which described adding a Windows machine as a remote SSH host instead. I'll deviate a bit from the described configuration, but that post did at least get me pointed in the right direction. This approach would get around the complicated authentication-tunneling business while still being pretty easy to set up. So let's go!

Preparing the SSH host

I deployed a Windows Server 2019 Core VM to use as my SSH host, and I joined it to my AD domain as win02.lab.bowdre.net. Once that's taken care of, I need to install the RSAT DNS tools so that I can use the Add-DnsServerResourceRecord and associated cmdlets. I can do that through PowerShell like so:

# Install RSAT DNS tools
Add-WindowsCapability -online -name Rsat.Dns.Tools~~~~0.0.1.0

Instead of using a third-party SSH server, I'll use the OpenSSH Server that's already available in Windows 10 (1809+) and Server 2019:

# Install OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

I'll also want to set it so that the default shell upon SSH login is PowerShell (rather than the standard Command Prompt) so that I can have easy access to those DNS cmdlets:

# Set PowerShell as the default Shell (for access to DNS cmdlets)
New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force

I'll be using my lab\vra service account for managing DNS. I've already given it the appropriate rights on the DNS server, but I'll also add it to the Administrators group on my SSH host:

# Add the service account as a local administrator
Add-LocalGroupMember -Group Administrators -Member "lab\vra"

And I'll modify the OpenSSH configuration so that only members of that Administrators group are permitted to log into the server via SSH:

# Restrict SSH access to members in the local Administrators group
(Get-Content "C:\ProgramData\ssh\sshd_config") -Replace "# Authentication:", "$&`nAllowGroups Administrators" | Set-Content "C:\ProgramData\ssh\sshd_config"

Finally, I'll start the sshd service and set it to start up automatically:

# Start service and set it to automatic
Set-Service -Name sshd -StartupType Automatic -Status Running

A quick test

At this point, I can log in to the server via SSH and confirm that I can create and delete records in my DNS zone:

$ ssh vra@win02.lab.bowdre.net
vra@win02.lab.bowdre.net's password: 

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\vra> Add-DnsServerResourceRecordA -ComputerName win01.lab.bowdre.net -Name testy -ZoneName lab.bowdre.net -AllowUpdateAny -IPv4Address 172.16.99.99       

PS C:\Users\vra> nslookup testy
Server:  win01.lab.bowdre.net
Address:  192.168.1.5

Name:    testy.lab.bowdre.net
Address:  172.16.99.99

PS C:\Users\vra> Remove-DnsServerResourceRecord -ComputerName win01.lab.bowdre.net -Name testy -ZoneName lab.bowdre.net -RRType A -Force

PS C:\Users\vra> nslookup testy
Server:  win01.lab.bowdre.net
Address:  192.168.1.5

*** win01.lab.bowdre.net can't find testy: Non-existent domain

Cool! Now I just need to do that same thing, but from vRealize Orchestrator. First, though, I'll update the template so the requester can choose whether or not a static record will get created.

Template changes

Cloud Template

Similar to the template changes I made for optionally joining deployed servers to the Active Directory domain, I'll just be adding a simple boolean checkbox to the inputs section of the template in Cloud Assembly:

formatVersion: 1
inputs:
  [...]
  staticDns:
    title: Create static DNS record
    type: boolean
    default: false
  [...]

Unlike the AD piece, in the resources section I'll just bind a custom property called staticDns to the input with the same name:

resources:
  Cloud_vSphere_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      [...]
      staticDns: '${input.staticDns}'
      [...]

So here's the complete cloud template that I've been working on:

formatVersion: 1
inputs:
  site:
    type: string
    title: Site
    enum:
      - BOW
      - DRE
  image:
    type: string
    title: Operating System
    oneOf:
      - title: Windows Server 2019
        const: ws2019
    default: ws2019
  size:
    title: Resource Size
    type: string
    oneOf:
      - title: 'Micro [1vCPU|1GB]'
        const: micro
      - title: 'Tiny [1vCPU|2GB]'
        const: tiny
      - title: 'Small [2vCPU|2GB]'
        const: small
    default: small
  network:
    title: Network
    type: string
  adJoin:
    title: Join to AD domain
    type: boolean
    default: true
  staticDns:
    title: Create static DNS record
    type: boolean
    default: false
  environment:
    type: string
    title: Environment
    oneOf:
      - title: Development
        const: D
      - title: Testing
        const: T
      - title: Production
        const: P
    default: D
  function:
    type: string
    title: Function Code
    oneOf:
      - title: Application (APP)
        const: APP
      - title: Desktop (DSK)
        const: DSK
      - title: Network (NET)
        const: NET
      - title: Service (SVS)
        const: SVS
      - title: Testing (TST)
        const: TST
    default: TST
  app:
    type: string
    title: Application Code
    minLength: 3
    maxLength: 3
    default: xxx
  description:
    type: string
    title: Description
    description: Server function/purpose
    default: Testing and evaluation
  poc_name:
    type: string
    title: Point of Contact Name
    default: Jack Shephard
  poc_email:
    type: string
    title: Point of Contact Email
    default: jack.shephard@virtuallypotato.com
    pattern: '^[^\s@]+@[^\s@]+\.[^\s@]+$'
  ticket:
    type: string
    title: Ticket/Request Number
    default: 4815162342
resources:
  Cloud_vSphere_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      image: '${input.image}'
      flavor: '${input.size}'
      site: '${input.site}'
      environment: '${input.environment}'
      function: '${input.function}'
      app: '${input.app}'
      ignoreActiveDirectory: '${!input.adJoin}'
      activeDirectory:
        relativeDN: '${"OU=Servers,OU=Computers,OU=" + input.site + ",OU=LAB"}'
      customizationSpec: '${input.adJoin ? "vra-win-domain" : "vra-win-workgroup"}'
      staticDns: '${input.staticDns}'
      dnsDomain: lab.bowdre.net
      poc: '${input.poc_name + " (" + input.poc_email + ")"}'
      ticket: '${input.ticket}'
      description: '${input.description}'
      networks:
        - network: '${resource.Cloud_vSphere_Network_1.id}'
          assignment: static
      constraints:
        - tag: 'comp:${to_lower(input.site)}'
  Cloud_vSphere_Network_1:
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
      constraints:
        - tag: 'net:${input.network}'

I save the template, and then also hit the "Version" button to publish a new version to the catalog: Releasing new version

Service Broker Custom Form

I switch over to the Service Broker UI to update the custom form - but first I stop off at Content & Policies > Content Sources, select my Content Source, and hit the Save & Import button to force a sync of the cloud templates. I can then move on to the Content & Policies > Content section, click the 3-dot menu next to my template name, and select the option to Customize Form.

I'll just drag the new Schema Element called Create static DNS record from the Request Inputs panel and on to the form canvas. I'll drop it right below the Join to AD domain field: Adding the field to the form

And then I'll hit the Save button so that my efforts are preserved.

That should take care of the front-end changes. Now for the back-end stuff: I need to teach vRO how to connect to my SSH host and run the PowerShell commands, just like I tested earlier.

The vRO solution

I will be adding the DNS action on to my existing "VM Post-Provisioning" workflow (described here, which gets triggered after the VM has been successfully deployed.

Configuration Element

But first, I'm going to go to the Assets > Configurations section of the Orchestrator UI and create a new Configuration Element to store variables related to the SSH host and DNS configuration. Create a new configuration

I'll call it dnsConfig and put it in my CustomProvisioning folder. Giving it a name

And then I create the following variables:

Variable Value Type
sshHost win02.lab.bowdre.net string
sshUser vra string
sshPass ***** secureString
dnsServer [win01.lab.bowdre.net] Array/string
supportedDomains [lab.bowdre.net] Array/string

sshHost is my new win02 server that I'm going to connect to via SSH, and sshUser and sshPass should explain themselves. The dnsServer array will tell the script which DNS servers to try to create the record on; this will just be a single server in my lab, but I'm going to construct the script to support multiple servers in case one isn't reachable. And supported domains will be used to restrict where I'll be creating records; again, that's just a single domain in my lab, but I'm building this solution to account for the possibility where a VM might need to be deployed on a domain where I can't create a static record in this way so I want it to fail elegantly.

Here's what the new configuration element looks like: Variables defined

Workflow to create records

I'll need to tell my workflow about the variables held in the dnsConfig Configuration Element I just created. I do that by opening the "VM Post-Provisioning" workflow in the vRO UI, clicking the Edit button, and then switching to the Variables tab. I create a variable for each member of dnsConfig, and enable the toggle to Bind to configuration so that I can select the corresponding item. It's important to make sure that the variable type exactly matches what's in the configuration element so that you'll be able to pick it! Linking variable to config element

I repeat that for each of the remaining variables until all the members of dnsConfig are represented in the workflow: Variables added

Now we're ready for the good part: inserting a new scriptable task into the workflow schema. I'll called it Create DNS Record and place it directly after the Set Notes task. For inputs, the task will take in inputProperties (Properties) as well as everything from that dnsConfig configuration element: Task inputs

And here's the JavaScript for the task:

// JavaScript: Create DNS Record task
//    Inputs: inputProperties (Properties), dnsServers (Array/string), sshHost (string), sshUser (string), sshPass (secureString), supportedDomains (Array/string)
//    Outputs: None

var staticDns = inputProperties.customProperties.staticDns;
var hostname = inputProperties.resourceNames[0];
var dnsDomain = inputProperties.customProperties.dnsDomain;
var ipAddress = inputProperties.addresses[0];
var created = false;

// check if user requested a record to be created and if the VM's dnsDomain is in the supportedDomains array
if (staticDns == "true" && supportedDomains.indexOf(dnsDomain) >= 0) {
    System.log("Attempting to create DNS record for "+hostname+"."+dnsDomain+" at "+ipAddress+"...")
    // create the ssh session to the intermediary host
    var sshSession = new SSHSession(sshHost, sshUser);
    System.debug("Connecting to "+sshHost+"...")
    sshSession.connectWithPassword(sshPass)
    // loop through DNS servers in case the first one doesn't respond
    for each (var dnsServer in dnsServers) {
        if (created == false) {
            System.debug("Using DNS Server "+dnsServer+"...")
            // insert the PowerShell command to create A record
            var sshCommand = 'Add-DnsServerResourceRecordA -ComputerName '+dnsServer+' -ZoneName '+dnsDomain+' -Name '+hostname+' -AllowUpdateAny -IPv4Address '+ipAddress;
            System.debug("sshCommand: "+sshCommand)
            // run the command and check the result
            sshSession.executeCommand(sshCommand, true)
            var result = sshSession.exitCode;
            if (result == 0) {
                System.log("Successfully created DNS record!")
                // make a note that it was successful so we don't repeat this unnecessarily
                created = true;
            } 
        }
    }
    sshSession.disconnect()
    if (created == false) {
        System.warn("Error! Unable to create DNS record.")
    }
} else {
    System.log("Not trying to do DNS")
}

Now I can just save the workflow, and I'm done! - with this part. Of course, being able to create a static record is just one half of the fight; I also need to make sure that vRA will be able to clean up these static records when a deployment gets deleted.

Workflow to delete records

I haven't previously created any workflows that fire on deployment removal, so I'll create a new one and call it VM Deprovisioning: New workflow

This workflow only needs a single input (inputProperties (Properties)) so it can receive information about the deployment from vRA: Workflow input

I'll also need to bind in the variables from the dnsConfig element as before: Workflow variables

The schema will include a single scriptable task: Delete DNS Record task

And it's going to be pretty damn similar to the other one:

// JavaScript: Delete DNS Record task
//    Inputs: inputProperties (Properties), dnsServers (Array/string), sshHost (string), sshUser (string), sshPass (secureString), supportedDomains (Array/string)
//    Outputs: None

var staticDns = inputProperties.customProperties.staticDns;
var hostname = inputProperties.resourceNames[0];
var dnsDomain = inputProperties.customProperties.dnsDomain;
var ipAddress = inputProperties.addresses[0];
var deleted = false;

// check if user requested a record to be created and if the VM's dnsDomain is in the supportedDomains array
if (staticDns == "true" && supportedDomains.indexOf(dnsDomain) >= 0) {
    System.log("Attempting to remove DNS record for "+hostname+"."+dnsDomain+" at "+ipAddress+"...")
    // create the ssh session to the intermediary host
    var sshSession = new SSHSession(sshHost, sshUser);
    System.debug("Connecting to "+sshHost+"...")
    sshSession.connectWithPassword(sshPass)
    // loop through DNS servers in case the first one doesn't respond
    for each (var dnsServer in dnsServers) {
        if (deleted == false) {
            System.debug("Using DNS Server "+dnsServer+"...")
            // insert the PowerShell command to delete A record
            var sshCommand = 'Remove-DnsServerResourceRecord -ComputerName '+dnsServer+' -ZoneName '+dnsDomain+' -RRType A -Name '+hostname+' -Force';
            System.debug("sshCommand: "+sshCommand)
            // run the command and check the result
            sshSession.executeCommand(sshCommand, true)
            var result = sshSession.exitCode;
            if (result == 0) {
                System.log("Successfully deleted DNS record!")
                // make a note that it was successful so we don't repeat this unnecessarily
                deleted = true;
            } 
        }
    }
    sshSession.disconnect()
    if (created == false) {
        System.warn("Error! Unable to delete DNS record.")
    }
} else {
    System.log("No need to clean up DNS.")
}

Since this is a new workflow, I'll also need to head back to Cloud Assembly > Extensibility > Subscriptions and add a new subscription to call it when a deployment gets deleted. I'll call it "VM Deprovisioning", assign it to the "Compute Post Removal" Event Topic, and link it to my new "VM Deprovisioning" workflow. I could use the Condition option to filter this only for deployments which had a static DNS record created, but I'll later want to use this same workflow for other cleanup tasks so I'll just save it as is for now. VM Deprovisioning subscription

Testing

Now I can (finally) fire off a quick deployment to see if all this mess actually works: Test deploy request

Once the deployment completes, I go back into vRO, find the most recent item in the Workflow Runs view, and click over to the Logs tab to see how I did: Workflow success!

And I can run a quick query to make sure that name actually resolves:

 dig +short bow-ttst-xxx023.lab.bowdre.net A
172.16.30.10   

It works!

Now to test the cleanup. For that, I'll head back to Service Broker, navigate to the Deployments tab, find my deployment, click the little three-dot menu button, and select the Delete option: Deleting the deployment

Again, I'll check the Workflow Runs in vRO to see that the deprovisioning task completed successfully: VM Deprovisioning workflow

And I can dig a little more to make sure the name doesn't resolve anymore:

 dig +short bow-ttst-xxx023.lab.bowdre.net A
      

It really works!

Conclusion

So there you have it - how I've got vRA/vRO able to create and delete static DNS records as needed, using a Windows SSH host as an intermediary. Cool, right?