VMware vRealize Automation 8.5 | 19 AUG 2021
Check for additions and updates to these release notes.
Updates made to this document
|Date||Description of update||Type|
|09/30/2021||Azure image enumeration is not finishing for all the Azure endpoints in an environment||Known Issue|
|11/30/2021||ABX Actions running on AWS Lambda might fail with an error.||Known Issue|
|02/11/2022||Information on vRealize Automation 8.5 Patch 1||Patch|
|03/02/2022||Added link to KB workaround used to resolve upgrade failure related to the log4j vulnerabilities.|
vRealize Automation 8.5 adds to the vRealize Automation 8.4.2 capabilities focusing on the areas of multi-cloud support with Azure, extensibility with vRO and ABX as well as expansion of network automation capabilities with vSphere and NSX.
vRealize Automation 8.5 Patch 1
vRealize Automation 8.5 Patch 1 is now available and includes bug fixes in different areas as well as a log4j security update. This is a cumulative patch. For more information and installation instructions, see KB 87562.
Upgrade failure after performing steps in KB 87120
Performing the instructions used to address the CVE-2021-44228 and CVE-2021-45046 log4j vulnerabilities described in KB 87120 can cause upgrade failures for vRealize Automation and vRealize Orchestrator 8.6.2 or earlier. For a workaround, see KB 87794.
Familiarize yourself with the supporting documents.
After installing vRealize Automation and setting up your users, you can use the Getting Started and Using and Managing guides for each of the included services. The Getting Started guides include an end-to-end proof of concept. The Using and Managing guides provide more in-depth information that supports your exploration of the available features. Additional information is also available in vRealize Automation 8.5 product documentation.
For information on vRealize Orchestrator 8.5 features and limitations, refer to the vRealize Orchestrator 8.5 Release Notes.
The many benefits of vRealize Automation 8.5 include:
Project Administrator can act as Approver for all approval requests
When creating an approval policy, administrators can select a Project Administrator (for the project in which the approval was triggered) as the approver. This means a policy can be created once, for the organization, or a group of projects, instead of a policy per project with specific users as approver. Learn more.
Configure when IP address from IPAM is released
You can configure how long it takes for an IP address to be released from allocation once it is no longer used. This allows for faster provisioning of new workloads where IP addresses are scarce. There is no change to the default behavior, where it can take up to 30 minutes before an IP address is released after it is no longer used. Learn more.
Limit the number of namespaces for a project on a K8s zone
The maximum number of supervisor namespaces that can be deployed for the project on a given K8s zone now has a configurable limit. Learn more about working with Kubernetes zones.
VMware vRealize Orchestrator plug-in for vRealize Automation 8.5 and vRealize Automation Cloud
The updated vRealize Automation plug-in supports scripting objects generation such as cloud accounts, cloud zones, projects, tags, and CRUD operations to build your own content. For each object, some sample content is provided by default. Learn more.
Technical limitations in vRealize Orchestrator/vRealize Automation 8.5.0:
Enable resources across Azure regions to be added to the same resource group
An Azure resource group is created in an Azure region. However, resources from any Azure region can be added into it. This feature enables admins to add resources from other regions into the Azure RG. Learn more about working with Azure resource groups.
NVDS-CVDS Migration Support
The infrastructure admin can migrate vSphere NVDS to CVDS and have vRA update its state including networks and deployments with new information. Additional considerations apply if using vSphere network representations in vRA.
Snapshot management for Azure disks
You can now pass the resource group name, encryption set, and network policy while creating the disk snapshot. This builds on the Azure disk snapshot functionality introduced in a prior release. Learn more about Azure resource snapshots.
Ability to enable/disable boot diagnostics for Azure VMs - Day 2
You can enable/disable boot diagnostics for Azure VMs as a day 2 action. This builds on the ability to enable this as a Day 1 action, introduced in a prior release. Learn more about the day 2 boot diagnostic actions.
The Service Broker administrator can view the list of available email notification scenarios and enable or disable them for all users in their organization:
Learn more about notifications.
Terraform runtime environment authentication
This release introduces authentication for adding a Terraform service runtime version to vRA for more secure environments. Learn more.
Support for new topologies with on-demand load-balancer as part of NSX-V to NSX-T migration
The next phase of the NSX-V to NSX-T migration capability in vRA introduces support for additional topologies with on-demand load-balancers. Learn more.
Support for NSX-V to NSX-T migration with vSphere 6.7
vRealize Automation NSX-V to NSX-T migration now supports migrating deployments that are running on vSphere 6.7. Previously, only vSphere 7.0 was supported. Learn more.
Note: Eventual migration from NVDS to CVDS will be required with vSphere 7.0. NSX-V to NSX-T migration automatically migrates to CVDS.
Support for existing global security group as part of NSX-T Federation
vRealize Automation can now discover global security groups configured under NSX-T global manager. These groups can be leveraged in network profiles and VMware Cloud Templates to build deployments. This builds on initial support for NSX-T Federation introduced in vRA 8.4.1 release. Learn more.
Custom Roles API
The APIs for Custom Roles (RBAC) are now available (Create, Read, List, Update, Delete).
To access API specifications for Custom Roles, see https://<vRA-HOSTNAME>/project/api/swagger/swagger-ui.html?urls.primaryName=rbac%3A2020-08-10
Day 2 Install of Salt Minions
You can deploy a Salt Minion on a previously deployed VM resource as a day 2 action. Learn more about the day 2 Salt configuration action.
Day 2 Application of Salt State Files
You can apply one or more Salt State files to a previously deployed VM resource as a day 2 action. Learn more about the day 2 Salt configuration action.
Using VMware vRealize Suite Lifecycle Manager, you can upgrade your vRealize Automation 8.x instance to 8.5. For more information, see Upgrading vRealize Suite Lifecycle Manager and vRealize Suite Products.
Customers that upgraded to vRealize Automation 8.5 using the new upgrade bundle might see errors during scale out (similar to patched environments). As mentioned in KB 79105, the ova bundle is hosted on my.vmware.com.
API documentation is available with the product. To access all Swagger documents from a single landing page, go to https://<appliance.domain.com>/automation-ui/api-docs where appliance.domain.com is your vRealize Automation appliance.
Before using the API, consider the latest API updates and changes for this release, and note any changes to the API services that you use. If you have not locked your API to a version before, you might encounter a change in an API response. As a best practice, use the apiVersion variable to lock your API to the version you want to use. If you do not lock your APIs, the default behavior varies depending upon the API.
NOTE: For the Cloud Assembly IaaS APIs, the latest version is apiVersion=2021-07-15. If left unlocked, IaaS API requests will be redirected to the first version which is 2019-01-15. The first version is deprecated and will be supported for 12 months. To ensure a smooth transition to the new version, lock your IaaS API requests with the apiVersion parameter assigned to 2021-07-15.
If left unlocked, your API requests will default to the latest version which is apiVersion=2021-08-12.
For more information about API versioning, see the vRealize Automation 8.5 API Programming Guide.
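The following added example (not part of the VMware release notes or product code) audits a list of request URLs for Cloud Assembly IaaS calls that are unlocked or pinned to the deprecated first version, and pins unlocked ones to 2021-07-15. The `/iaas/api/` path prefix, the host name `vra.example.test` and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Version values taken from the release notes.
IAAS_LOCKED_VERSION = "2021-07-15"
IAAS_DEPRECATED_VERSION = "2019-01-15"
# Assumption: Cloud Assembly IaaS endpoints are served under this path prefix.
IAAS_PREFIX = "/iaas/api/"


def _api_versions(query):
    """Return every apiVersion value found in a raw query string."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "apiVersion":
            values.append(value)
    return values


def classify(url):
    """Classify a request URL as not-iaas, unlocked, deprecated or locked."""
    parts = urlsplit(url)
    if not parts.path.startswith(IAAS_PREFIX):
        return "not-iaas"
    versions = [v for v in _api_versions(parts.query) if v]
    if not versions:
        return "unlocked"      # would be redirected to the first version
    if IAAS_DEPRECATED_VERSION in versions:
        return "deprecated"    # explicitly pinned to the deprecated version
    return "locked"


def lock(url):
    """Pin an unlocked IaaS request to IAAS_LOCKED_VERSION; leave others as-is."""
    if classify(url) != "unlocked":
        return url
    parts = urlsplit(url)
    # Keep the other parameters byte-for-byte; drop any empty apiVersion.
    kept = [p for p in parts.query.split("&")
            if p and p.partition("=")[0] != "apiVersion"]
    kept.append("apiVersion=" + IAAS_LOCKED_VERSION)
    return parts._replace(query="&".join(kept)).geturl()


def audit(urls):
    """Return (url, status) for IaaS requests that need attention."""
    findings = []
    for url in urls:
        status = classify(url)
        if status in ("unlocked", "deprecated"):
            findings.append((url, status))
    return findings


# Constructed sample requests, not taken from a real environment.
SAMPLE_REQUESTS = [
    "https://vra.example.test/iaas/api/machines",
    "https://vra.example.test/iaas/api/machines?$top=10",
    "https://vra.example.test/iaas/api/networks?apiVersion=2019-01-15",
    "https://vra.example.test/iaas/api/projects?apiVersion=2021-07-15",
    "https://vra.example.test/deployment/api/deployments",
]

if __name__ == "__main__":
    for url, status in audit(SAMPLE_REQUESTS):
        print(f"{status:10} {url} -> {lock(url)}")
```

Requests reported as deprecated are left unchanged by `lock` because an explicit pin is a deliberate choice that should be reviewed rather than rewritten silently.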
|Service Name||Service Description||API Updates and Changes|
|ABX||Holds all functionality specific to ABX, including creation and management of actions and their versions and executing actions and flows.||No change|
|Approval||Enforce policies which control who must agree to a deployment or day 2 action before the request is provisioned||No change|
|Blueprint||Create, validate, and provision VMware Cloud Templates (formerly called Blueprints)||No change|
|CMX||When using Kubernetes with vRealize Automation, deploy and manage Kubernetes clusters and namespaces.||No change|
|Content Gateway(content service)||Connect to your infrastructure as code content in external content sources such as SCM Providers and VMware Marketplace.||No change|
|Custom Forms (form-service)||Define dynamic form rendering and customization behavior in Service Broker and Cloud Assembly VMware services.||No change|
|Deployment||Access deployment objects and platforms or blueprints that have been deployed into the system.||No change|
|IaaS||Perform infrastructure setup tasks, including validation and provisioning of resources in iterative manner.||New IaaS API version is 2021-07-15
Users can call this version by using the parameter: apiVersion='2021-07-15'.
All requests executed without specifying the apiVersion parameter are redirected to the first version of the Cloud Assembly IaaS API which is 2019-01-15.
The new Cloud Assembly IaaS APIs include:
|Migration||This service is used to quickly set up a vRA 8 instance based on information in a configuration file, a.k.a. Zero-Setup||No change|
|Project||Holds all functionality specific to creation, management and deletion of projects||No change|
|Relocation||Define policy and plans for bringing existing VMs from any cloud under management.||No change|
|Catalog||Access Service Broker catalog items and catalog sources, including content sharing and the request of catalog items.||No change|
|Catalog Service (Policies)||Interact with policies created in Service Broker.||No change|
|Code stream all pipeline-service||These APIs provide access to Code Stream services.||No change|
|Identity Service||A list of identity, account and service management APIs.||Get OAuth2 client by passed ID.
New APIs for AD group membership
The following issues were resolved in this release.
Unable to properly save variables of the Regexp type in the Variables editor. Incorrect values are displayed in the editor.
This issue is caused by the Regexp type variables being misinterpreted as special objects instead of strings.
PowerCLI scripts fail with a "An item with the same key has already been added. Key: LinkedView" error.
This PowerCLI scripting issue is caused by a VMHost PowerCLI object that cannot be parsed into a JSON format.
Unable to save Property Group containing property from External Source type
The validation fails when you try to create a property that contains a number, boolean, or integer types of properties referencing property groups. As a result you are unable to save the property group.
Blueprint with invalid schema fails to import after upgrading from 8.2 to 8.4.1
Due to json-schema validations, if an 8.2 or earlier blueprint has an invalid schema and you migrate it to any version before vRA 8.5, it fails to re-import.
Deployments are failing when compute tags longer than 256 characters are used
Post upgrade to 8.4, deployments are failing for blueprints with compute tags having length greater than 256 characters or key greater than 128 characters.
Cloud Template UI restricts the deployments from the same project but API does not.
When trying to deploy a cloud template to an existing deployment (iterative scenario), the UI lists the deployments only from the project that the cloud template belongs to.
Consider the following use case:
Custom Forms ValuePicker and MultiValuePicker should not filter data when requested from getExternalValues
When searching with a specific term, some search results are sometimes not shown in the UI component dropdown. The Value Picker and Multi-Value Picker do not show results whose label or value does not contain the search term. This can be observed when you search for a username in Active Directory and know that there are search results, but the value picker does not show them because the user's Display Name does not contain the username.
Unable to log in to the vRealize Orchestrator Control Center or the vRealize Orchestrator Appliance.
Using backslash ("\") characters in the root password of your deployment can cause issues when trying to log in to the vRealize Orchestrator Control Center or the vRealize Orchestrator Appliance over a SSH session.
Slow deletion of folders that contain large quantities of workflows or actions.
When you delete a folder that contains large quantities of workflow or actions (over 2000 objects), the deletion process can take hours to complete.
Error in Terraform import possibly due to for loop syntax.
Using for_each, for & if blocks in Terraform files result in an error.
Metrics are only loaded once when a vRO workflow is opened
Metrics are lost when navigating through execution steps for a completed workflow execution. This is visible when the profiler and token replay functionalities are enabled. If there is a workflow that calls inner workflows, then the issue is visible for the workflow execution.
vRO workflow fails if it contains a default error handling item and embedded workflows with nested workflows that failed.
If a workflow contains a default error handling item and an embedded workflow item, and this embedded workflow has nested workflows, then when you run the topmost workflow and a nested workflow fails, the topmost workflow fails too, regardless of the logic of the default error handling item.
Error loading values for field formValue(Value) | Unable to add or modify the value for any variables of type "Path" in vRO 7.6
Older workflows can use the deprecated Path type which cannot be used in newer vRealize Orchestrator versions.
Using the deprecated Path type can cause issues in certain scenarios. For example, you might have nested workflow element that uses the Path type as input or output parameter. Attempting to bind these inputs or output parameters to other parameters or variables that use the Path type fails because this type is deprecated and unavailable. The similar path type variable can now be bound to inputs, outputs, or variables of the Path type. The same also applies to Array/path and Array/Path bindings. In such scenarios, the original input or output type does not change. For example, if an input parameter of the Path type is bound to a variable of the path type, the input parameter will still use the Path type.
vRO does not allow you to select a value option action for complex type input
You cannot select an action as a default value for a Properties type input parameter. An action that returns an Array/Properties cannot be selected as a default value for a Properties type input parameter.
Intermittent failure to deploy machine connected to an NSX-T network and contains tags
The deployment fails with an error: "SecurityException: : : Failed to query unique virtual machine by external id: [UUID]". This occurs when vRA queries NSX for the machine in order to tag it on NSX and receives multiple records since the machine is migrated during vMotion.
The following known issues are present in this release.
The vRealize Orchestrator container restarts when over 5000 actions are run for the purpose of catalog item population.
This issue was tested in an environment where 250 catalog items, each running over 20 vRealize Orchestrator actions, were run in parallel. This causes all available Tomcat threads to be exhausted, which in turn causes a vRealize Orchestrator container restart due to a health check probe fail.
The vRealize Orchestrator Control Center password is reset to its initial value after service redeployment.
After the vRealize Orchestrator Appliance is deployed, you can change the Control Center password by running the vracli vro update-cc-password command. However, after running the /opt/scripts/deploy.sh script to redeploy the vRealize Orchestrator services, the Control Center password is reset to its initial value.
vRealize Automation upgrade fails with error code LCMVRAVACONFIG90030
During upgrade, when the root password is set to non-expiring or has not been changed in over 365 days, the password is updated to expire immediately. As a result, LCM cannot connect to vRA to check the upgrade status and the upgrade fails.
Workaround: Update the password before the upgrade.
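As an added pre-upgrade check (an illustration, not a VMware tool), the sketch below inspects a root entry in the standard Linux `/etc/shadow` format for the two conditions named above. Treating an empty, `-1` or `99999` maximum-age field as "non-expiring" is an assumption, and the sample entries are constructed.

```python
from datetime import date

EPOCH = date(1970, 1, 1)
MAX_PASSWORD_AGE_DAYS = 365          # threshold stated in the known issue
# Assumption: these maximum-age values mean the password never expires.
NON_EXPIRING_MAX = {"", "-1", "99999"}


def upgrade_password_findings(shadow_line, today):
    """Return the conditions from the known issue that a shadow entry meets.

    Field layout: name:hash:last_change:min:max:warn:inactive:expire:reserved
    where last_change is counted in days since 1970-01-01.
    """
    fields = shadow_line.strip().split(":")
    if len(fields) < 5:
        raise ValueError("not a shadow entry")
    last_change, max_days = fields[2], fields[4]

    findings = []
    if max_days in NON_EXPIRING_MAX:
        findings.append("non-expiring")
    if last_change.isdigit() and int(last_change) > 0:
        age_days = (today - EPOCH).days - int(last_change)
        if age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append("stale")
    else:
        # Empty or 0: the age cannot be determined, so review it manually.
        findings.append("no-last-change")
    return findings


# Constructed entries with a placeholder hash, not from a real appliance.
SAMPLE_ENTRIES = [
    "root:$6$CONSTRUCTED:18820:0:90:7:::",      # recently changed, expires
    "root:$6$CONSTRUCTED:18400:0:90:7:::",      # changed long ago
    "root:$6$CONSTRUCTED:18820:0:99999:7:::",   # never expires
]

if __name__ == "__main__":
    upgrade_day = date(2021, 8, 19)
    for entry in SAMPLE_ENTRIES:
        result = upgrade_password_findings(entry, upgrade_day)
        print(entry.split(":")[2], result or ["ok"])
```

Any non-empty result means the root password should be updated before starting the upgrade, as the workaround states.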
Running any action from a vRealize Orchestrator Client embedded in a vRealize Automation in an external vRealize Orchestrator deployment returns the following: Action execution with id: was not found.
This issue occurs when a user wants to run or debug an action in an external vRealize Orchestrator cluster while triggering it from an embedded vRealize Orchestrator Client. The external vRealize Orchestrator cluster must be added as an integration in vRealize Automation.
Workaround: Use the external vRealize Orchestrator Client to start or debug actions.
Exceptions for READ operation are not properly processed
If a back-end error happens for deployment iterative updates, only a generic error message is shown.
The server logs contain a detailed error message. However, because the exception is not handled properly, only a generic error message is displayed in the UI, so users do not know what happened or how to remedy the situation. In this case, if users could see the detailed error message, they would know that there is no endpoint for this org.
From UI: Internal Server Error[Error Reference ID:...]
From backend logs:
a0056' deployment='def73627-632b-4f60-8c8b-064f1e79799b' trace='337acab2-f5b1-4eb7-8156-b743c3b7d5f2'] com.vmware.tango.blueprint.provider.ResourceTileService - read request Failed: [Provisioning Service] No suitable cloud accounts for providers: 'azure' project: 'bbae7f64-ba5e-4259-aa02-029a45d2ea32'! Reason: [Provisioning Service] There are no endpoints for the specific orgId: 78a681c1-c9fb-46df-92f0-f210d66d4d14 projectId: bbae7f64-ba5e-4259-aa02-029a45d2ea32 endpointType: azure
Incorrectly dropped or placed elements in Cloud Templates break the UI page
In Firefox, drag and drop sometimes redirects the page. When dragging a resource node, dropping it outside of the canvas can also cause page redirection in Firefox.
Workaround: Drop resource in canvas and delete it instead.
The vSSC photon appliance is missing libraries required to deploy Windows minions
The vSSC photon appliance is missing libraries required to deploy Windows minions. The .ova requires pypsexec, smbprotocol, and impacket to be installed in order to successfully deploy and configure Windows minions.
Workaround: Run these commands:
pip3 install pypsexec smbprotocol
pip3 install impacket --ignore-installed
Deployment created successfully but doesn't contain any resources
Even when the VCT is empty, the user can deploy the VCT.
Missing algorithmParameters for LB error not handled properly
For the algorithms HTTP_HEADER and URL, the YAML validation error is not clear when algorithmParameters is missing. The algorithm URI also requires algorithmParameters, but it does not show a YAML validation error.
When clicking on an AWS instance in the UI, the control jumps to the S3 bucket
This only occurs when using a Chrome browser. When the user clicks on the side panel tree, the tree scrolls to the top.
Change Security day2 operation to remove association with VMs for migrated deployments
The Change Security Groups/Reconfigure (Existing type Security Group) day 2 operation to remove the association with VMs is not supported on NSX-V endpoints for deployments migrated from vRA 7.x to vRA 8.x. In vRealize Automation, the UI shows that the disassociation was complete; however, the NSX-V endpoint still reflects the association.
Workaround: Perform the dissociation on the NSX-V endpoint.
Catalog service restarted
The Catalog service pods are restarted every 2-3 days. The Catalog service container memory grows slowly and tries to take more than the assigned limit, which results in Kubernetes terminating and restarting the catalog service container.
Workaround: Reduce the catalog service JVM heap memory limit to keep the Java process memory within the container limit. This can be done by updating the catalog service deployment and modifying the jvmHeapMax value to "1794m". To update this value, edit the file /opt/charts/catalog-service/values.yaml on each node and redeploy the app.
Azure image enumeration is not finishing for all the Azure endpoints in an environment
An error in the Azure image enumeration for one cloud account can prevent other Azure image enumeration operations from completing.
Workaround: For workaround steps, see KB 85796.
ABX Actions running on AWS Lambda might fail with an error.
Due to a minor change in the AWS Lambda service, ABX Actions run on AWS Lambda might fail with the following error:
'Error com.amazonaws.services.lambda.model.ResourceConflictException: The operation cannot be performed at this time. The function is currently in the following state: Pending'.
Workaround: The first trigger of the ABX action after the action is created or updated will most likely fail. If you wait a couple of seconds and try again, it should work as expected, and it should continue to work until the action is updated again, which requires ABX to update the backing AWS Lambda function.
Configuring the IP Address RELEASED period does not work in a multi-tenant environment.
The task that runs globally to move IP addresses from RELEASED to AVAILABLE is not tenant-aware. In a multi-tenant environment, where one or more tenants have configured an IP address timeout, only one timeout value is applied to all the tenants.
This issue is being addressed and will be resolved in a future release.
Extensibility failures when utilizing secrets
In 8.5, PowerShell-based ABX fails when called from a subscription that triggers a VMware Cloud Template that utilizes a secret.