Managing and provisioning infrastructure with vRA and Puppet

Once you have configured vRO and the Puppet vRO Plug-in, you can use vRealize Automation (vRA) to request servers using blueprints.

Note: If you haven't yet installed vRA, refer to the vRA documentation.

Designing blueprints with Puppet features

In the previous version of the starter content we shipped Blueprints that you could install via CloudClient, but with vRealize Automation 7.4 Enterprise and the Puppet plug-in for vRealize Automation 3.2, it is simpler to create a new blueprint from scratch using the new Puppet component in the GUI. Follow these instructions to create your own blueprints.

Note: You can still access the previous version of these docs for consuming those prebuilt blueprints for vRA 7.x here and download them from this branch of the starter content.

Create a Puppet Enterprise primary server and follow the instructions at the bottom of the starter content README to install the starter content.
Remove any previous Puppet plug-ins and install the Puppet plug-in for vRealize Automation 3.0 into vRO.
Follow the vRA 7.4 docs to add a Puppet endpoint (points to your primary server), and create your Puppet Enterprise blueprints using code from this repo that is now on your primary server.
- Puppet endpoint - username: vro-plugin-user
- Puppet endpoint - password: puppetlabs
- Puppet endpoint - use sudo: true
- Puppet component on blueprints - shared secret (cert autosigning): S3cr3tP@ssw0rd!

Note: For detailed information about designing vRA blueprints, consult the vRA blueprint documentation.

vRO/vRA property reference

The plug-in uses the following properties for blueprint and workflow development.

They can be used when creating traditional IaaS blueprints without the GUI component in vRA 7.4 Enterprise. There is a hierarchy of assignment for these properties. Properties that are set in the GUI override VRA properties set at the VM or tenant level. For certain properties there is a second override version of the property that takes precedence over the non-override version.

Here is a list of vRO JavaScript variables with their corresponding vRA property names, types, and override values where applicable:

puppetRoleClass: vRA property name: Puppet.RoleClass; Override value: Puppet.RoleClass.Override; Type: string; Description: The fully qualified class that implements the node's role.
puppetCodeEnvironment: vRA property name: Puppet.CodeEnvironment; Override value: Puppet.CodeEnvironment.Override; Type: string; Description: The environment on the master in which vRO should look for code.
puppetInstallMaster: vRA property name: Puppet.Master.InstallMaster; Type: string; Description: Optional FQDN or IP Address of the load balancer or compile master to install agent from. Defaults to the Puppet Master selected from vRO inventory.
puppetNodeCertname: vRA property name: Puppet.Node.Certname; Type: string; Description: The agent sets this based on the node's certname, which is based on its fully qualified domain name.
puppetNode: vRA property name: Puppet.Node.IPAddress; Type: string; Description: The IP Address of the node to install Puppet Agent on. Will default to the node name if left undefined.
ignoreChanges: vRA property name: Puppet.Node.IgnoreChanges; Type: boolean; Description: Ignores changes in the Puppet Run. If True, Puppet Runs that exits with changes (exit code 2) will still pass. Defaults to false.
puppetAutosignSharedSecret: vRA property name: Puppet.Autosign.SharedSecret; Override value: Puppet.Autosign.SharedSecret.Override; Type: secureString; Description: The shared secret that nodes should provide to the master in order to autosign certificate requests.
sshUsername: vRA property name: Puppet.SSH.Username; Override value: Puppet.SSH.Username.Override; Type: string; Description: Username used to connect to a node via SSH.
sshPassword: vRA property name: Puppet.SSH.Password; Override value: Puppet.SSH.Password.Override; Type: secureString; Description: Password used to connect to a node via SSH.
winRMUsername: vRA property name: Puppet.WinRM.Username; Override value: Puppet.WinRM.Username.Override; Type: string; Description: Username used to connect to a node via WinRM.
useSudo: vRA property name: Puppet.SSH.UseSudo; Override value: Puppet.SSH.UseSudo.Override; Type: boolean; Description: Use sudo commands run on a node via SSH. This requires NOPASSWD sudo for the user defined in sshUsername.
winRMPassword: vRA property name: Puppet.WinRM.Password; Override value: Puppet.WinRM.Password.Override; Type: secureString; Description: Password used to connect to a node via WinRM.
puppetAgentAccountUser: vRA property name: Puppet.Windows.AgentAccountUser; Override value: Puppet.Windows.AgentAccountUser.Override; Type: string; Description: User for the puppet agent service to run as rather than default of Local System
puppetAgentAccountPassword: vRA property name: Puppet.Windows.AgentAccountPassword; Override value: Puppet.Windows.AgentAccountPassword.Override; Type: secureString; Description: Password for the agent service user
puppetAgentAccountDomain: vRA property name: Puppet.Windows.AgentAccountDomain; Override value: Puppet.Windows.AgentAccountDomain.Override; Type: string; Description: Domain, if any, for the agent service user
UseHTTPS: vRA property name: Puppet.WinRM.UseHTTPS; Type: boolean; Description: If true, use HTTPS for WinRM, if false use HTTP
winRMAuthMethod: vRA property name: Puppet.WinRM.AuthMethod; Type: enum[Basic,Kerberos]; Description: Basic or Kerberos auth method for WinRM
sshKeyPath: vRA property name: Puppet.SSH.KeyPath; Override value: Puppet.SSH.KeyPath.Override; Type: string; Description: A path to the ssh key that can be used instead of password authentication
sshPassphrase: vRA property name: Puppet.SSH.Passphrase; Override value: Puppet.SSH.Passphrase.Override; Type: secureString; Description: A passphrase used for the sshKeyPath
puppetApptier: vRA property name: Puppet.Extensions.Apptier; Override value: Puppet.Extensions.Apptier.Override; Type: string; Description: pp_apptier certificate extension. For example "dev", "uat", "production" etc. Not to be confused with the Puppet code environment.
puppetDepartment: vRA property name: Puppet.Extensions.Department; Override value: Puppet.Extensions.Department.Override; Type: string; Description: pp_department certificate extension. For example, "finance", "digital", etc.
puppetService: vRA property name: Puppet.Extensions.Service; Override value: Puppet.Extensions.Service.Override; Type: string; Description: pp_service certificate extension. For example, "puppet", "corporate_web", etc.
keepFailedVMs: vRA property name: Puppet.Debug.KeepFailedVMs; Type: boolean; Description: To enable returning a successful result despite failures in the module.

vRO/vRA actions reference

The Puppet plug-in ships with several actions that can be used in workflows and integrations with vRA, for instance to populate the contents of input fields or dropdown menus.

For more information, see the vRA documentation for actions.


Action name	Description
escapeShellArgument	Used internally by the plugin to escape a string used in a shell command.
escapePowerShellValue	Used internally by the plugin to escape a string used in a PowerShell command.
escapeJSON	Used internally by the plugin to escape a JSON string for stuctured facts or other uses.
getSectionText	Used internally by the plugin for parsing Error messages.
formatShellArguments	Used internally by the plugin to format and escape a set of strings containing arguments to a shell command. Calls `escapeShellArgument`.
executeCommand	Used internally by the plugin to execute a shell command on a Linux Puppet master.
getMasters	Returns an array of strings containing the UUIDs of all of the Puppet:Master objects in the vRO inventory. Returns `[""]` if there are no Puppet:Master objects.
getMasterByUUID	Returns a Puppet:Master object given a UUID string. Returns null if there is no object matching that UUID.
getEnvironments	Returns an array of strings which are the environment names on the Puppet:Master specified by a UUID. Returns `[""]` if there are no environments.
getRoleClasses	Returns an array of strings which are role class names on the Puppet:Master specified by a UUID and in a specified environment. Returns `[""]` if there are no role classes there.
getRoleClassesWithDescriptions	Used internally, returns specially formated JSON string used by vRA 7.3 Enterprise with the role classes and their descriptions from a master's environment. Throws an error if no master UUID or environment name provided. Optionally accepts a filter regex string to limit results.

All actions are visible on the "Actions" tab of the Java vRO client when in "Design" view, where you can view the full source code of each action, including parameters and return types.

Encrypting content with eyaml

Securing passwords used in the manifest is beyond the scope of this reference implementation. As a starting point, many Puppet deployments use Hiera, a key/value lookup tool for configuration, with eyaml, or encrypted YAML, to solve this problem.

This solution not only provides secure storage for the password value, but also provides parameterization to support reuse, opening the door to easy password rotation policies across an entire network of nodes.

For information, see the Hiera documentation and the blog post Encrypt your data using Hiera-eyaml.