Preparing CentOS 7 vRA templates with Ansible

In my lab I’m often spinning up new instances of vRealize Automation (vRA) and need to configure CentOS 7 templates. I created this Ansible playbook to get a freshly installed CentOS 7.2 minimal machine ready to be used by vRA. This is my first attempt and I’ll be modifying it to make it more usable. The playbook can be found at GitHub.

One nice thing about Ansible is that it’s easy to read, so the playbook below shouldn’t require too much explanation. I’ve set up variables for the vRA Appliance and Manager, but that’s it. It shouldn’t be too difficult to parameterize the rest.

I tried to keep this as simple as possible so please don’t take it as a best practice for creating Ansible playbooks.

The playbook performs the following:

  • Installs the required packages like EPEL, VMware tools, git and Ansible
  • Installs my lab CA certificate that issued my vRA certs
  • Adds a couple of users and modifies the sudoers file
  • Sets up my root ssh key. I’ll probably be removing this.
  • Starts VMware tools
  • Gets the SSL thumbprint from the vRA Appliance and Manager nodes
  • Downloads the vRA prepare script from the vRA Appliance
  • Runs the vRA prepare script

# Tested on vRA 7.2 and CentOS Minimal 7.2. Not intended for production use.
- hosts: all
  user: root
  vars:
    vra_appliance: vra72.vmware.local
    vra_iaas_mgr: vra72-iaas-mgr.vmware.local
  tasks:
    - name: Install libselinux-python. See
      yum:
        name: libselinux-python
        state: present

    - name: Install epel repo
      yum:
        name: epel-release

    - name: Install required packages
      yum:
        name: "{{ item }}"
        state: present
      with_items:
        - open-vm-tools
        - git
        - ansible
      become: true

    # Add the lab CA to the system trust store
    - name: Install certs
      copy:
        src: kubeca.pem
        dest: /etc/pki/ca-trust/source/anchors/

    - name: Update cert store
      shell: /usr/bin/update-ca-trust

    - name: Ensure users exists
      user:
        name: "{{ item.name }}"
        state: present
        comment: "{{ item.comment }}"
      with_items:
        - { name: 'chris', comment: 'Chris' }
        - { name: 'ansible', comment: 'Ansible' }

    # NOPASSWD:ALL gives these accounts passwordless root; visudo validates the file before it is written
    - name: Ensure required users are sudoers with no password required
      lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: '^{{ item }} ALL\='
        line: '{{ item }} ALL=(ALL) NOPASSWD:ALL'
        validate: 'visudo -cf %s'
      with_items:
        - ansible
        - chris

    - name: Setup root ssh key
      user:
        name: root
        generate_ssh_key: yes
        ssh_key_bits: 2048
        ssh_key_file: .ssh/id_rsa

    - name: Copy test.pem for root user
      copy:
        src: /root/.ssh/test.pem
        dest: /root/.ssh/test.pem
        mode: '0600'

    - name: Copy ssh config
      copy:
        src: config
        dest: /root/.ssh/config
        mode: '0400'

    - name: Ensure ansible user accepts ssh key
      authorized_key:
        user: ansible
        key: "{{ lookup('file', '/root/.ssh/') }}"
        state: present

    - name: Start open-vm-tools
      service:
        name: vmtoolsd
        enabled: true
        state: started

    # The fingerprint is read from whatever certificate the host presents on port 443
    - name: Get VRA appliance cert thumbprint
      shell: openssl s_client -connect {{ vra_appliance }}:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin | cut -d '=' -f 2
      register: vra_appliance_cert_thumbprint

    - name: Get VRA IaaS manager cert thumbprint
      shell: openssl s_client -connect {{ vra_iaas_mgr }}:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin | cut -d '=' -f 2
      register: vra_iaas_mgr_cert_thumbprint

    - name: Download vRA prepare script
      get_url:
        url: https://{{ vra_appliance }}/software/download/
        dest: /tmp/

    - name: Run vRA prepare script
      shell: bash /tmp/ -m {{ vra_iaas_mgr }} -M 443 -a {{ vra_appliance }} -A 443 -j true -c vsphere -n -g {{ vra_appliance_cert_thumbprint.stdout }} -f {{ vra_iaas_mgr_cert_thumbprint.stdout }}
      register: vra_prepare_script_results

    - name: Display vra_prepare_script results
      debug:
        msg: "vRA prepare script results {{ vra_prepare_script_results.stdout }}"

You can run the playbook with:

ansible-playbook --ask-pass -i, centos7-init.yaml

You can override the vRA Appliance and Manager parameters by following the instructions at Passing Variables On The Command Line.
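
The two thumbprint tasks accept whatever certificate answers on port 443, and because the pipeline ends in cut they still succeed, with an empty value, when the connection fails. The script below is an added example, not part of the original playbook: it compares the fetched fingerprint with one recorded out of band before the prepare script is run. The function names and the usage line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pin the vRA certificate fingerprints before trusting them.
# Function names and the usage below are illustrative, not from the playbook.

# normalize_fp VALUE: strip an optional "...Fingerprint=" label, colons and
# whitespace, and upper-case the hex so differently formatted values compare.
normalize_fp() {
  printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \r\n' | tr '[:lower:]' '[:upper:]'
}

# fetch_fp HOST: the playbook's pipeline. It prints nothing if the connection
# fails, and still exits 0 because the exit status is taken from cut.
fetch_fp() {
  openssl s_client -connect "$1:443" < /dev/null 2>/dev/null \
    | openssl x509 -fingerprint -noout -in /dev/stdin \
    | cut -d '=' -f 2
}

# check_pin OBSERVED EXPECTED: 0 = match, 1 = mismatch, 2 = empty or not hex.
# EXPECTED must use the same digest that openssl x509 -fingerprint reports.
check_pin() {
  _got=$(normalize_fp "$1")
  _want=$(normalize_fp "$2")
  [ -n "$_got" ] && [ -n "$_want" ] || return 2
  case "$_got$_want" in *[!0-9A-F]*) return 2 ;; esac
  [ "$_got" = "$_want" ] || return 1
}

# Usage: sh pin-check.sh HOST EXPECTED_FINGERPRINT
if [ "$#" -eq 2 ]; then
  check_pin "$(fetch_fp "$1")" "$2" || {
    echo "fingerprint check failed for $1" >&2
    exit 1
  }
  echo "fingerprint for $1 matches the pinned value"
fi
```

Run from a shell task ahead of "Run vRA prepare script", the non-zero exit stops the play on a mismatch or an empty fingerprint.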


