Managing and provisioning infrastructure with vRA and Puppet

Once you have configured vRO and the Puppet vRO Plug-in, you can use vRealize Automation (vRA) to request servers using blueprints.

Note: If you haven't yet installed vRA, refer to the vRA documentation.

Designing blueprints with Puppet features

In the previous version of the starter content we shipped Blueprints that you could install via CloudClient, but with vRealize Automation 7.4 Enterprise and the Puppet plug-in for vRealize Automation 3.2, it is simpler to create a new blueprint from scratch using the new Puppet component in the GUI. Follow these instructions to create your own blueprints.

Note: You can still access the previous version of these docs for consuming those prebuilt blueprints for vRA 7.x here and download them from this branch of the starter content.
Note: For detailed information about designing vRA blueprints, consult the vRA blueprint documentation.

vRO/vRA property reference

The plug-in uses the following properties for blueprint and workflow development.

They can be used when creating traditional IaaS blueprints without the GUI component in vRA 7.4 Enterprise. There is a hierarchy of assignment for these properties. Properties that are set in the GUI override VRA properties set at the VM or tenant level. For certain properties there is a second override version of the property that takes precedence over the non-override version.

Here is a list of vRO JavaScript variables with their corresponding vRA property names, types, and override values where applicable:


vRA property name: Puppet.RoleClass

Override value: Puppet.RoleClass.Override

Type: string

Description: The fully qualified class that implements the node's role.


vRA property name: Puppet.CodeEnvironment

Override value: Puppet.CodeEnvironment.Override

Type: string

Description: The environment on the master in which vRO should look for code.


vRA property name: Puppet.Master.InstallMaster

Type: string

Description: Optional FQDN or IP Address of the load balancer or compile master to install agent from. Defaults to the Puppet Master selected from vRO inventory.


vRA property name: Puppet.Node.Certname

Type: string

Description: The agent sets this based on the node's certname, which is based on its fully qualified domain name.


vRA property name: Puppet.Node.IPAddress

Type: string

Description: The IP Address of the node to install Puppet Agent on. Will default to the node name if left undefined.


vRA property name: Puppet.Node.IgnoreChanges

Type: boolean

Description: Ignores changes in the Puppet Run. If True, Puppet Runs that exits with changes (exit code 2) will still pass. Defaults to false.


vRA property name: Puppet.Autosign.SharedSecret

Override value: Puppet.Autosign.SharedSecret.Override

Type: secureString

Description: The shared secret that nodes should provide to the master in order to autosign certificate requests.


vRA property name: Puppet.SSH.Username

Override value: Puppet.SSH.Username.Override

Type: string

Description: Username used to connect to a node via SSH.


vRA property name: Puppet.SSH.Password

Override value: Puppet.SSH.Password.Override

Type: secureString

Description: Password used to connect to a node via SSH.


vRA property name: Puppet.WinRM.Username

Override value: Puppet.WinRM.Username.Override

Type: string

Description: Username used to connect to a node via WinRM.


vRA property name: Puppet.SSH.UseSudo

Override value: Puppet.SSH.UseSudo.Override

Type: boolean

Description: Use sudo commands run on a node via SSH. This requires NOPASSWD sudo for the user defined in sshUsername.


vRA property name: Puppet.WinRM.Password

Override value: Puppet.WinRM.Password.Override

Type: secureString

Description: Password used to connect to a node via WinRM.


vRA property name: Puppet.Windows.AgentAccountUser

Override value: Puppet.Windows.AgentAccountUser.Override

Type: string

Description: User for the puppet agent service to run as rather than default of Local System


vRA property name: Puppet.Windows.AgentAccountPassword

Override value: Puppet.Windows.AgentAccountPassword.Override

Type: secureString

Description: Password for the agent service user


vRA property name: Puppet.Windows.AgentAccountDomain

Override value: Puppet.Windows.AgentAccountDomain.Override

Type: string

Description: Domain, if any, for the agent service user


vRA property name: Puppet.WinRM.UseHTTPS

Type: boolean

Description: If true, use HTTPS for WinRM, if false use HTTP


vRA property name: Puppet.WinRM.AuthMethod

Type: enum[Basic,Kerberos]

Description: Basic or Kerberos auth method for WinRM


vRA property name: Puppet.SSH.KeyPath

Override value: Puppet.SSH.KeyPath.Override

Type: string

Description: A path to the ssh key that can be used instead of password authentication


vRA property name: Puppet.SSH.Passphrase

Override value: Puppet.SSH.Passphrase.Override

Type: secureString

Description: A passphrase used for the sshKeyPath


vRA property name: Puppet.Extensions.Apptier

Override value: Puppet.Extensions.Apptier.Override

Type: string

Description: pp_apptier certificate extension. For example "dev", "uat", "production" etc. Not to be confused with the Puppet code environment.


vRA property name: Puppet.Extensions.Department

Override value: Puppet.Extensions.Department.Override

Type: string

Description: pp_department certificate extension. For example, "finance", "digital", etc.


vRA property name: Puppet.Extensions.Service

Override value: Puppet.Extensions.Service.Override

Type: string

Description: pp_service certificate extension. For example, "puppet", "corporate_web", etc.


vRA property name: Puppet.Debug.KeepFailedVMs

Type: boolean

Description: To enable returning a successful result despite failures in the module.

vRO/vRA actions reference

The Puppet plug-in ships with several actions that can be used in workflows and integrations with vRA, for instance to populate the contents of input fields or dropdown menus.

For more information, see the vRA documentation for actions.

Action name Description
escapeShellArgument Used internally by the plugin to escape a string used in a shell command.
escapePowerShellValue Used internally by the plugin to escape a string used in a PowerShell command.
escapeJSON Used internally by the plugin to escape a JSON string for stuctured facts or other uses.
getSectionText Used internally by the plugin for parsing Error messages.
formatShellArguments Used internally by the plugin to format and escape a set of strings containing arguments to a shell command. Calls escapeShellArgument.
executeCommand Used internally by the plugin to execute a shell command on a Linux Puppet master.
getMasters Returns an array of strings containing the UUIDs of all of the Puppet:Master objects in the vRO inventory. Returns [""] if there are no Puppet:Master objects.
getMasterByUUID Returns a Puppet:Master object given a UUID string. Returns null if there is no object matching that UUID.
getEnvironments Returns an array of strings which are the environment names on the Puppet:Master specified by a UUID. Returns [""] if there are no environments.
getRoleClasses Returns an array of strings which are role class names on the Puppet:Master specified by a UUID and in a specified environment. Returns [""] if there are no role classes there.
getRoleClassesWithDescriptions Used internally, returns specially formated JSON string used by vRA 7.3 Enterprise with the role classes and their descriptions from a master's environment. Throws an error if no master UUID or environment name provided. Optionally accepts a filter regex string to limit results.

All actions are visible on the "Actions" tab of the Java vRO client when in "Design" view, where you can view the full source code of each action, including parameters and return types.

Encrypting content with eyaml

Securing passwords used in the manifest is beyond the scope of this reference implementation. As a starting point, many Puppet deployments use Hiera, a key/value lookup tool for configuration, with eyaml, or encrypted YAML, to solve this problem.

This solution not only provides secure storage for the password value, but also provides parameterization to support reuse, opening the door to easy password rotation policies across an entire network of nodes.

For information, see the Hiera documentation and the blog post Encrypt your data using Hiera-eyaml.