vRealize Automation 8.5.1 | 16 SEP 2021

Check for additions and updates to these release notes.

Release Versions

VRealize Automation 8.5.1 | 16 September 2021

  • vRA Easy Installer (ISO) build 18627676

  • vRA Product (appliance) build 18627002

  • SaltStack Config build 18565512

Updates made to this document


Description of update



Initial publishing.


Failed to start upgrade to 8.5.1

Known Issue


The vRealize Orchestrator Control Center password is reset to its initial value after service redeployment.

Known Issue


Upgrading from 8.5.0 may fail to complete

Known Issue


Upgrading to vRA 8.5.1 from vRA 8.5 fails with an error "Upgrade terminated due to critical error"

Known Issue


ABX Actions running on AWS Lambda might fail with an error.

Known Issue


If NSX-V to NSX-T migration is perfomed, it fails after importing vRA_output.json file

Known Issue


Added link to KB workaround used to resolve upgrade failure related to the log4j vulnerabilities.


NSX-v to NSX-T migration does not update any description objects

Known Issue

About vRealize Automation 8.5.1

vRealize Automation 8.5.1 adds to the vRealize Automation 8.5 capabilities focusing on the areas of multi-cloud support with Azure, XaaS improvements with ABX custom resources and vRO, as well as expansion of network automation capabilities with vSphere, VMC and Azure. Pipeline automation now supports Docker and Kubernetes tasks.


Upgrade failure after performing steps in KB 87120

Performing the instructions used to address the CVE-2021-44228 and CVE-2021-45046 log4j vulnerabilities described in KB 87120 can cause upgrade failures for vRealize Automation and vRealize Orchestrator 8.6.2 or earlier. For a workaround, see KB 87794.

Before you begin

Familiarize yourself with the supporting documents.

After installing vRealize Automation and setting up your users, you can use the Getting Started and Using and Managing guides for each of the included services. The Getting Started guides include an end-to-end proof of concept. The Using and Managing guides provide more in-depth information that supports your exploration of the available features. Additional information is also available in vRealize Automation 8.5 product documentation.

For information on vRealize Orchestrator 8.5 features and limitations, refer to the vRealize Orchestrator 8.5 Release Notes.

What's New

The many benefits of vRealize Automation 8.5.1 include:

New "Project Supervisor" role for approvals

This release introduces a new out of the box role called "Project Supervisor" which can be used for approving deployment requests. Any user with this role can serve as an approver only for that specific Project. Learn more.

Onboard vSphere networks

You can onboard vSphere network objects along with the VM while executing the onboarding plan. When a VM is onboarded, the attached vSphere network object is also onboarded and the network object is shown on the deployment canvas.

Indicate vRO based catalog item status

Based on the status of vRO workflow, you can see if any items are valid/invalid/out of sync.

SaltStack SecOps: New Benchmark for RHEL8 (CIS)

New certified compliance benchmark for Red Hat Enterprise Linux version 8 based on the Center for Internet Security (CIS) standards. This new benchmark allows the scanning and automated remediation of RHEL8 through the SaltStack SecOps add-on for vRealize Automation.

Custom Resources with extensibility actions

Application architects can use extensibility actions in cloud templates to build complex applications. They can create custom resources based on extensibility actions and assess lifecycle operation and day2 context actions.

The extensibility action script can return text that can be directly populated as a custom component on the design canvas. Learn More.

Kubernetes support in Code Stream Workspace

The Code Stream pipeline workspace now supports Docker and Kubernetes for continuous integration tasks. The Kubernetes platform manages the entire lifecycle of the container, similar to Docker. In the pipeline workspace, you can choose Docker (the default selection) or Kubernetes. In the workspace, you select the appropriate endpoint. The Kubernetes workspace provides:

  • The builder image to use

  • Image registry

  • Namespace

  • Node port

  • Persistent Volume Claim

  • Working directory

  • Environment variables

  • CPU limit

  • Memory limit.

You can also choose to create a clone of the Git repository.

Ability to configure machine tags in VCT for VMs deployed in VMC

You can configure machine tags for a VM deployed on VMC and update the tag after initial deployment. These tags are used to dynamically assign a VM to an appropriate security group. This builds on similar capability introduced for NSX-T in earlier vRA release.

Ability to change default Active Directory OU settings after VM provisioning.

You can now configure a special custom property in the YAML template and move machines to a different OU after the post provisioning task.

Cloud Templates with dynamic vRO inputs

You can now leverage dynamic inputs in native Cloud Templates when vRO workflow based dynamic values are enabled in Cloud Templates input.

Allow IPAM settings to be an input property on machine NIC component in the blueprint

Prior to this feature, IPAM properties always come from the network that the nic targets to. This feature allows customers to directly set gateway addresses, domain, dns and dns search domain via VCT and ignore the properties from the network.

Other Support Improvements

Realize Suite Lifecycle Manager 8.4.1 Product Support Pack 2 supports the installation of vRealize Network Insight 6.3. See VMware vRealize Suite Lifecycle Manager 8.4 Release Notes. To install and upgrade vRealize Network Insight by using vRealize Suite Lifecycle Manager, see the vRealize Suite Lifecycle Manager Installation, Upgrade, and Management Guide.

Post DR, you can change the network settings of the vRA appliances, including new IP addresses, and continue to manage all workloads not impacted by the same DR event.

In case of a disaster recovery scenario, vRealize Automation is backed up by SRM and is brought up in a backup vCenter. With vRA this release, you can update the network settings, post DR without your vCenters being on a stretched L2. The same applies for the VMware Identity Manager. Please follow the steps in vRealize Automation and Identity Manager re-IP configuration in Site Recovery Manager to update network settings for vRA and vIDM. Note that any failed vCenter workloads are not managed by the newly-active vRA.

API Documentation and Versioning

API documentation is available with the product. To access all Swagger documents from a single landing page, go to https://<appliance.domain.com>/automation-ui/api-docs where appliance.domain.com is your vRealize Automation appliance.

Before using the API, consider the latest API updates and changes for this release, and note any changes to the API services that you use. If you have not locked your API to a version before, you might encounter a change in an API response. As a best practice, use the apiVersion variable to lock your API to the version you want to use. If you do not lock your APIs, the default behavior varies depending upon the API.

  • For Cloud Assembly IaaS APIs, all requests which are executed without the apiVersion parameter will be redirected to the first version which is 2019-01-15. This redirect will allow every user who did not previously specify the apiVersion parameter to transition smoothly to the latest version without experiencing breaking changes.

    NOTE: For the Cloud Assembly IaaS APIs, the latest version is apiVersion=2021-07-15. If left unlocked, IaaS API requests will be redirected to the first version which is 2019-01-15. The first version is deprecated and will be supported for 12 months. To ensure a smooth transition to the new version, lock your IaaS API requests with the apiVersion parameter assigned to 2021-07-15.

  • For other APIs, you can specify the apiVersion parameter to lock your APIs to whatever date you choose.

    • If you want to lock your APIs to the version in effect for vRealize Automation 8.5, use apiVersion=2021-08-12.

    • If you want to lock your APIs to the version in effect for vRealize Automation 8.5.1, use apiVersion=2021-09-09.

    If left unlocked, your API requests will default to the latest version which is apiVersion=2021-09-09.

For more information about API versioning, see the vRealize Automation 8.5 API Programming Guide.

Service Name

Service Description

API Updates and Changes


Holds all functionality specific to ABX, including creation and management of actions and their versions and executing actions and flows.

No change


Enforce policies which control who must agree to a deployment or day 2 action before the request is provisioned

No change


Create, validate, and provision VMware Cloud Templates (formerly called Blueprints)

No change


When using Kubernetes with vRealize Automation, deploy and manage Kubernetes clusters and namespaces.

No change

Content Gateway(content service)

Connect to your infrastructure as code content in external content sources such as SCM Providers and VMware Marketplace.

No change

Custom Forms (form-service)

Define dynamic form rendering and customization behavior in Service Broker and Cloud Assembly VMware services.

No change


Access deployment objects and platforms or blueprints that have been deployed into the system.

No change


Perform infrastructure setup tasks, including validation and provisioning of resources in iterative manner.

No change


This service is used to quickly setup a vRA 8 instance based on information in a configuration file a.k.a Zero-Setup

No change


Holds all functionality specific to creation, management and delete of projects

No change


Define policy and plans for bringing existing VMs from any cloud under management.

No change


Access Service Broker catalog items and catalog sources, including content sharing and the request of catalog items.

No change

Catalog Service (Policies)

Interact with policies created in Service Broker.

No change

Code stream all pipeline-service

These API provide access to Code Stream services.

Workspace section in pipeline has two new fields to support k8s based workspaces.​

POST /codestream​/api​/pipelinesGET ​/codestream​/api​/pipelines/{id}

GET ​/codestream​/api​/pipelines/{project-name}/{pipeline-name}.workspace

in the request/response payloadWorkspace Type: Two new fields are added "type" - indicates type of workspace (defaults to docker and backward compatible)"customProperties" - a key value pair to customise k8s workspace

Identity Service

A list of identity, account and service management APIs.

No change

Resolved Issues

The following issues were resolved in this release.

  • After upgrading from 8.1 to 8.3 Windows deployments fails when running a wrapper workflow [Wrapped ch.dunes.scripting.server.polyglot.PolyglotRunnerException:

    Polyglot powercli scripts fail with "An item with the same key has already been added. Key: LinkedView". This is caused by a VMHost powercli object that cannot be parsed into JSON.

  • Custom Forms ValuePicker and MultiValuePicker additionally filters data when requested from getExternalValues

    When searching with a specific term, there are search results that are not shown in the UI component dropdown. The Value Picker and Multi-Value Picker do not show results whose label or value do not contain the search term. This can be observed when we search for username in the Active directory and we know that there are search results, but value picker does not show them, because the user's Display Name did not contain his username. 

  • Custom Resources are not available in Cloud Template after Activating it.

    The Custom Resource should be available in the Cloud Template, once it is activated.

  • Deployments are failing when compute tags longer than 256 characters are used

    Post upgrade to 8.4, deployments are failing for Cloud Templates with compute tags having length greater than 256 characters or key greater than 128 characters.

  • Object input is not working when used with expression

    Object input is failing when used with a complex expression in array notation. For example:

    formatVersion: 1inputs:  disks:    type: array    minItems: 2    maxItems: 2    items:      type: object      properties:        name:          type: string        capacityGB:          type: integerresources:  disk:    type: Cloud.Volume    allocatePerInstance: true    properties:      name: '${input.disks[count.index % length(input.disks)].name}'      capacityGb: '${input.disks[count.index % length(input.disks)].capacityGB}'      count: '${length(input.disks) * 2}'  machine:    type: Cloud.Machine    allocatePerInstance: true    properties:      image: ubuntu      flavor: small      count: '${length(input.disks)}'      attachedDisks: '${map_to_object(slice(resource.disk[*].id, 2*count.index, 2*(count.index + 1)), "source")}'
  • Workflow with input of type properties and widget multi value picker does not fill widget correctly

    Using an action that returns a "Properties" type for the default value of the multi value picker widget results in having empty keys in the value column.

  • Cloud Assembly inputs validation is missing when using some reserved name

    In Cloud Assembly, when defining some inputs there's no validation which eventually causes conflict when promoting the template to service broker.

  • Catalog service restarted every 2-3 days

    The Catalog service pods are getting restarted every 2-3 days. The Catalog service container memory grows slowly and tries to take more than the assigned limit which results in Kubernetes terminating and restarting the catalog service container.

  • Deployment created successfully but doesn't contain any resources

    Deployment is created successfully, but it doesn't contain any resources. When the VCT is empty, the user can deploy the VCT.

  • The vSSC photon appliace is missing libraries required to deploy Windows minions

    The vSSC photon appliance is missing libraries required to deploy Windows minions. The .ova requires pypsexec, smbprotocol, and impacket to be installed, in order to successfully deploy/configure windows minions.

  • Running any action from a vRealize Orchestrator Client embedded in a vRealize Automation in an external vRealize Orchestrator deployment returns the following: Action execution with id: was not found.

    This occurs when a user wants to run or debug an action in an external vRealize Orchestrator cluster while triggering it from an embedded vRealize Orchestrator Client. The external vRealize Orchestrator cluster must be added as an integration in vRealize Automation.

  • The vRealize Orchestrator container restarts when over 5000 actions are run for the purpose of catalog item population.

    This issue was tested in an environment where 250 catalog items, each running over 20 vRealize Orchestrator actions, were run in parallel. This causes all available Tomcat threads to be exhausted, which in turn causes a vRealize Orchestrator container restart due to a health check probe fail.

  • When clicking on an AWS instance in the UI, the control jumps to the S3 bucket

    This only occurs when using a Chrome browser. When the user clicks on the side panel tree, the tree scrolls to the top.

  • Change Security day2 operation to remove association with VMs for migrated deployments

    Change Security Groups/Reconfigure (Existing type Security Group) day 2 operation to remove association with VM’s for Deployments migrated from VRA 7.x to VRA 8.x are not supported for NSX-V endpoints. In vRealize Automation, the UI depicts that disassociation was complete, however the NSX-V endpoint still reflects the association.

  • Missing algorithmParameters for LB error not handled properly

    For the algorithms: HTTP_HEADER and URL, without algorithmParameters the yaml validation error is not clear. The algorithm URI also requires algorithmParameters but it does not show yaml validation error.

Known Issues

The following known issues are present in this release.

  • NSX-v to NSX-T migration does not update any description objects

    NSX-v to NSX-T migration does not update any description objects as the endpoint_links are not expected to be set there. So, after V2T migration the load balancer description records still point to NSX-v and get deleted when the NSX-v cloud account is deleted. This causes problems with Day-2 operations on such deployments.

    Workaround: Do not delete the NSX-v cloud account after migration if the vRA 7 to 8 migration was performed.

  • Configuring the IP Address RELEASED period does not work in a multi-tenant environment

    The task that runs globally to move IP addresses from RELEASED to AVAILABLE is not tenant-aware. In a multi-tenant environment, where one or more tenants has configured an IP address timeout, only one timeout value is applied to all the tenants.

    This issue is being addressed and will be resolved in a future release.

    Workaround: None

  • If NSX-V to NSX-T migration is performed, it fails after importing vRA_output.json file

    If NSX-V to NSX-T migration is performed, it fails after importing vRA_output.json file with the following error - 'Unrecognized field "syncDueAt" not marked as ignorable'.

  • An error occurs when configuring a config element in vRealize Orchestrator to adjust the value of a pre-existing string array.

    Configuration file fails to update and an error occurs when adding a static variable to a custom cloud template. The error occurs when configuring a config element in vRO (Orchestrator -> Assets -> Configuration) to adjust the value of a pre-existing string array. The following error message appears when attempting to save the change at the config element Save/Version/Close stage:

    Failure to update configuration undefined.

    Adding values to a new string array allows the Save action. However, editing the same array continues to yield the error message.

    Woraround: None

  • ABX Actions running on AWS Lambda might fail with an error.

    Due to a minor change in the AWS Lambda service, ABX Actions run on AWS Lambda might fail with the following error:

    'Error com.amazonaws.services.lambda.model.ResourceConflictException: The operation cannot be performed at this time. The function is currently in the following state: Pending'.

    Workaround: The first trigger of the ABX action after the action was created or updated will most likely fail, but if you wait for a couple of seconds and try again, it should work as expected, and it should continue to work as expected until the action is updated and this requires ABX to update the backing AWS Lambda function.

  • Upgrading to vRA 8.5.1 from vRA 8.5 fails with an error "Upgrade terminated due to critical error"

    Upgrading to vRA 8.5.1 or later version fails with the error "Upgrade terminated due to critical error". Disk space checks show /root at *or near* 100% utilization.

    Workaround: For information on workaround steps, see KB 85864.

  • Upgrading from 8.5.0 may fail to complete

    Starting an iterative upgrade trhough vRSLCM to vRA 8.5.1 or later on a vRA 8.5.0 system fails at the vRealize Automation Upgrade/Patch/Internal Network step of Stage 1 about a minute or so after the launch. The previous upgrade, while completed successfully, has not been able to delete its runtime data and leaves the upgrade in in progress state. Hence, new upgrade cannot be launched.

    Workaround: For information on workaround steps, see KB 85965.

  • The vRealize Orchestrator Control Center password is reset to its initial value after service redeployment.

    After the vRealize Orchestrator Appliance is deployed, you can change the Control Center password by running the vracli vro update-cc-password command. However, after running the /opt/scripts/deploy.sh script to redeploy the vRealize Orchestrator services, the Control Center password is reset to its initial value.

  • Exceptions for READ operation are not properly processed

    If a back-end error happens for deployment iterative updates, only a generic error message is shown. From server logs, a detailed error message is shown. However, due to the exception being handled not properly, only a generic error message is displayed in the UI.

  • Incorrectly dropped or placed elements in Cloud Templates break the UI page

    In Firefox, using drag and drop can sometimes redirect the page. When dragging a resource node, dropping it outside of the canvas could also cause page redirection in Firefox.

    Workaround: Drop resource in canvas and delete it instead.

  • Custom Resource Subscriptions not available for Custom resource based on ABX

    Despite the fact the vRA 8.5.1 introduced ABX based custom resources, there are some limitations such as: Cloud admins are still not able to include ABX based resources in event based subscriptions.

  • Timeout exception appears during deployment update of ABX based custom resource

    When you update an ABX based custom resource deployment, you might see a ''504 Gateway Time-out issue" error. The error appears in the event of an ABX read action failure.

  • Request tracker is not working for resource views

    When a day 2 action is performed on a resource in resource view, the status tracker does not show on the UI to indicate the action is in progress and when the action is completed, the UI does not refresh automatically to show the completion of the action.

    Workaround: Manually refresh for request status updates.

Changed and Deprecated Functionality


check-circle-line exclamation-circle-line close-line
Scroll to top icon