VMware vRealize Automation 8.5 | 19 AUG 2021

Check for additions and updates to these release notes.

Release Versions

vRealize Automation 8.5 | 19 August 2021
  • vRA Easy Installer (ISO) build 18488288
  • vRA Product (appliance) build 18472703

Updates made to this document

Date | Description of update | Type
08/19/2021 | Initial publishing. |
09/30/2021 | Azure image enumeration is not finishing for all the Azure endpoints in an environment | Known Issue
11/30/2021 | ABX Actions running on AWS Lambda might fail with an error. | Known Issue
02/11/2022 | Information on vRealize Automation 8.5 Patch 1 | Patch
03/02/2022 | Added link to KB workaround used to resolve upgrade failure related to the log4j vulnerabilities. |

About vRealize Automation 8.5

vRealize Automation 8.5 adds to the vRealize Automation 8.4.2 capabilities focusing on the areas of multi-cloud support with Azure, extensibility with vRO and ABX as well as expansion of network automation capabilities with vSphere and NSX.

vRealize Automation 8.5 Patch 1

vRealize Automation 8.5 Patch 1 is now available and includes bug fixes in different areas as well as a log4j security update. This is a cumulative patch. For more information and installation instructions, see KB 87562.


Upgrade failure after performing steps in KB 87120

Performing the instructions used to address the CVE-2021-44228 and CVE-2021-45046 log4j vulnerabilities described in KB 87120 can cause upgrade failures for vRealize Automation and vRealize Orchestrator 8.6.2 or earlier. For a workaround, see KB 87794.

Before you begin

Familiarize yourself with the supporting documents.

After installing vRealize Automation and setting up your users, you can use the Getting Started and Using and Managing guides for each of the included services. The Getting Started guides include an end-to-end proof of concept. The Using and Managing guides provide more in-depth information that supports your exploration of the available features. Additional information is also available in vRealize Automation 8.5 product documentation.

For information on vRealize Orchestrator 8.5 features and limitations, refer to the vRealize Orchestrator 8.5 Release Notes.

What's New

The many benefits of vRealize Automation 8.5 include:

Project Administrator can act as Approver for all approval requests

When creating an approval policy, administrators can select a Project Administrator (for the project in which the approval was triggered) as the approver. This means a policy can be created once, for the organization, or a group of projects, instead of a policy per project with specific users as approver. Learn more.

Configure when IP address from IPAM is released

You can configure how long it takes for an IP address to be released from allocation once it is no longer used. This allows for faster provisioning of new workloads where IP addresses are scarce. There is no change to the default behavior, where it can take up to 30 minutes before an IP address is released after it is no longer used. Learn more.

Limit the number of namespaces for a project on a K8s zone

The maximum number of supervisor namespaces that can be deployed for the project on a given K8s zone now has a configurable limit. Learn more about working with Kubernetes zones.

VMware vRealize Orchestrator plug-in for vRealize Automation 8.5 and vRealize Automation Cloud

The updated vRealize Automation plug-in supports scripting objects generation such as cloud accounts, cloud zones, projects, tags, and CRUD operations to build your own content. For each object, some sample content is provided by default. Learn more.

Technical limitations in vRealize Orchestrator/vRealize Automation 8.5.0:

  • The timeout period for REST operations is 2 minutes.
  • Masked custom property values coming from vRealize Automation do not work as input in the Update Project workflow, where custom properties hold encrypted values due to the different encryption logic implemented in vRealize Orchestrator. As a workaround, re-enter the encrypted value without the secret key.
  • No pagination support for vSphere cloud account, NSX-T, NSX-V, Data Collector, Regions.

Enable resources across Azure regions to be added to the same resource group

An Azure resource group is created in an Azure region. However, resources from any Azure region can be added into it. This feature enables admins to add resources from other regions into the Azure RG. Learn more about working with Azure resource groups.

NVDS-CVDS Migration Support

The infrastructure admin can migrate vSphere NVDS to CVDS and have vRA update its state including networks and deployments with new information. Additional considerations apply if using vSphere network representations in vRA.

Snapshot management for Azure disks

You can now pass the resource group name, encryption set, and network policy while creating the disk snapshot. This builds on the Azure disk snapshot functionality introduced in a prior release. Learn more about Azure resource snapshots.

Ability to enable/disable boot diagnostics for Azure VMs - Day 2

You can enable/disable boot diagnostics for Azure VMs as a day 2 action. This builds on the ability to enable this as a Day 1 action introduced in a prior release. Learn more about the day 2 boot diagnostic actions.


The Service Broker administrator can view the list of available email notification scenarios and enable or disable them for all users in their organization:

  • Deployment lease expired
  • Deployment lease expiring
  • Deployment request approved
  • Deployment request rejected
  • Deployment request waiting for approval (notification sent to requester)
  • Pending approval request (notification sent to approver)

Learn more about notifications.

Terraform runtime environment authentication

This release introduces authentication for adding a Terraform service runtime version to vRA for more secure environments. Learn more.

Support for new topologies with on-demand load-balancer as part of NSX-V to NSX-T migration

The next phase of the NSX-V to NSX-T migration capability in vRA introduces support for additional topologies with on-demand load-balancers. Learn more.

Support for NSX-V to NSX-T migration with vSphere 6.7

vRealize Automation NSX-V to NSX-T migration now supports migrating deployments that are running on vSphere 6.7. Previously, only vSphere 7.0 was supported. Learn more.

Note: Eventual migration from NVDS to CVDS will be required with vSphere 7.0. NSX-V to NSX-T migration automatically migrates to CVDS.

Support for existing global security group as part of NSX-T Federation

vRealize Automation can now discover global security groups configured under NSX-T global manager. These groups can be leveraged in network profiles and VMware Cloud Templates to build deployments. This builds on the initial support for NSX-T Federation introduced in the vRA 8.4.1 release. Learn more.

Custom Roles API

The APIs for Custom Roles (RBAC) are now available (Create, Read, List, Update, Delete).

To access API specifications for Custom Roles, see https://<vRA-HOSTNAME>/project/api/swagger/swagger-ui.html?urls.primaryName=rbac%3A2020-08-10

Day 2 Install of Salt Minions

You can deploy a Salt Minion on a previously deployed VM resource as a day 2 action. Learn more about the day 2 Salt configuration action.

Day 2 Application of Salt State Files

You can apply one or more Salt State files to a previously deployed VM resource as a day 2 action. Learn more about the day 2 Salt configuration action.

Upgrading to vRealize Automation 8.5

Using VMware vRealize Suite Lifecycle Manager, you can upgrade your vRealize Automation 8.x instance to 8.5. For more information, see Upgrading vRealize Suite Lifecycle Manager and vRealize Suite Products.

Customers that upgraded to vRealize Automation 8.5 using the new upgrade bundle might see errors during scale out (similar to patched environments). As mentioned in KB 79105, the ova bundle is hosted on my.vmware.com.

API Documentation and Versioning

API documentation is available with the product. To access all Swagger documents from a single landing page, go to https://<appliance.domain.com>/automation-ui/api-docs where appliance.domain.com is your vRealize Automation appliance.

Before using the API, consider the latest API updates and changes for this release, and note any changes to the API services that you use. If you have not locked your API to a version before, you might encounter a change in an API response. As a best practice, use the apiVersion variable to lock your API to the version you want to use. If you do not lock your APIs, the default behavior varies depending upon the API.

  • For Cloud Assembly IaaS APIs, all requests which are executed without the apiVersion parameter will be redirected to the first version which is 2019-01-15. This redirect will allow every user who did not previously specify the apiVersion parameter to transition smoothly to the latest version without experiencing breaking changes.

    NOTE: For the Cloud Assembly IaaS APIs, the latest version is apiVersion=2021-07-15. If left unlocked, IaaS API requests will be redirected to the first version which is 2019-01-15. The first version is deprecated and will be supported for 12 months. To ensure a smooth transition to the new version, lock your IaaS API requests with the apiVersion parameter assigned to 2021-07-15.

  • For other APIs, you can specify the apiVersion parameter to lock your APIs to whatever date you choose.
    • If you want to lock your APIs to the version in effect for vRealize Automation 8.4.2, use apiVersion=2021-06-22.
    • If you want to lock your APIs to the version in effect for vRealize Automation 8.5, use apiVersion=2021-08-12.

    If left unlocked, your API requests will default to the latest version which is apiVersion=2021-08-12.

For more information about API versioning, see the vRealize Automation 8.5 API Programming Guide.
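
To find unpinned calls in existing automation, the versioning rules above can be applied to each request URL. The following is an added example, not VMware code; the host name and sample URLs are constructed, and the function names are hypothetical.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Version dates exactly as given in these release notes.
IAAS_FIRST = "2019-01-15"    # deprecated; unpinned IaaS requests are redirected here
IAAS_LATEST = "2021-07-15"   # latest Cloud Assembly IaaS API version
OTHER_LATEST = "2021-08-12"  # default for other APIs in 8.5 when unpinned

# Constructed sample of request URLs as they might appear in scripts.
SAMPLE_URLS = [
    "https://vra.example.test/iaas/api/machines",
    "https://vra.example.test/iaas/api/machines?apiVersion=2019-01-15",
    "https://vra.example.test/iaas/api/cloud-accounts/certificates?apiVersion=2021-07-15",
    "https://vra.example.test/deployment/api/deployments?search=web",
]


def is_iaas(path):
    """True for Cloud Assembly IaaS API paths."""
    return path.startswith("/iaas/api/")


def classify(url):
    """Return (effective_version, finding) for one request URL."""
    parts = urlsplit(url)
    # parse_qsl drops blank values, so "apiVersion=" counts as unpinned.
    pinned = dict(parse_qsl(parts.query)).get("apiVersion")
    if pinned:
        if is_iaas(parts.path) and pinned == IAAS_FIRST:
            return pinned, "pinned to the deprecated first IaaS version"
        return pinned, "pinned"
    if is_iaas(parts.path):
        return IAAS_FIRST, "unpinned: redirected to the deprecated first version"
    return OTHER_LATEST, "unpinned: follows the latest version"


def pin(url):
    """Add the 8.5 apiVersion to an unpinned URL; leave an existing pin untouched."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if any(key == "apiVersion" and value for key, value in params):
        return url
    # Drop a blank apiVersion before appending the real one.
    params = [(key, value) for key, value in params if key != "apiVersion"]
    version = IAAS_LATEST if is_iaas(parts.path) else OTHER_LATEST
    params.append(("apiVersion", version))
    return urlunsplit(parts._replace(query=urlencode(params)))


def audit(urls):
    """Return {url: finding} for every URL that is not pinned to a current version."""
    report = {}
    for url in urls:
        _, finding = classify(url)
        if finding != "pinned":
            report[url] = finding
    return report


if __name__ == "__main__":
    for url, finding in audit(SAMPLE_URLS).items():
        print(f"{finding}\n  {url}\n  suggested: {pin(url)}")
```

A pin that is already present is never rewritten, so moving a call from 2019-01-15 to 2021-07-15 remains a deliberate change made after reviewing the IaaS API changes listed below.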

Service Name | Service Description | API Updates and Changes
ABX | Holds all functionality specific to ABX, including creation and management of actions and their versions and executing actions and flows. | No change
Approval | Enforce policies which control who must agree to a deployment or day 2 action before the request is provisioned | No change
Blueprint | Create, validate, and provision VMware Cloud Templates (formerly called Blueprints) | No change
CMX | When using Kubernetes with vRealize Automation, deploy and manage Kubernetes clusters and namespaces. | No change
Content Gateway (content service) | Connect to your infrastructure as code content in external content sources such as SCM Providers and VMware Marketplace. | No change
Custom Forms (form-service) | Define dynamic form rendering and customization behavior in Service Broker and Cloud Assembly VMware services. | No change
Deployment | Access deployment objects and platforms or blueprints that have been deployed into the system. | No change
IaaS | Perform infrastructure setup tasks, including validation and provisioning of resources in an iterative manner. | New IaaS API version is 2021-07-15

Users can call this version by using the parameter: apiVersion='2021-07-15'.

All requests executed without specifying the apiVersion parameter are redirected to the first version of the Cloud Assembly IaaS API which is 2019-01-15.

The new Cloud Assembly IaaS APIs include:

  • Asynchronous Cloud Account APIs - CRUD Cloud account operations and enumeration requests are now asynchronous and help users to avoid timeout issues for long running operations with different cloud accounts such as regions enumeration and credentials validation. The timeouts most frequently occurred when creating a cloud account for vSphere, VMC, or NSX and when adding a new IPAM Integration. When you execute a cloud account request, the response includes a RequestTracker link that you can use to query the status of the request.
  • New endpoint: /iaas/api/cloud-accounts/certificates

    Create cloud accounts that obtain certificate information or accept a self-signed certificate.

  • New IaaS API: iaas/api/configuration-properties

    Configure user session timeout.

  • Change in existing API

    Revert operation /iaas/api/machines/{machineId}/operations/revert changed to /iaas/api/machines/{id}/operations/revert/{snapshotId}

  • New IaaS API: /iaas/api/machines/{id}/network-interfaces/{networkId} *

    Patch a network interface with a given ID for a specific machine. Only name, description, IPv4 address and custom property updates are supported. The change to name and IPv4 address will not propagate to the cloud endpoint for provisioned machines. Internal custom properties cannot be patched.

  • Modification to existing APIs

    POST /iaas/api/machines

    New optional parameter saltConfiguration for the machine resource. Specify saltConfiguration properties in a map with the following structure. All saltConfiguration properties are optional.


    - masterId
    - minionId
    - saltEnvironment
    - stateFiles
    - pillarEnvironment
    - variables
    - installerFileName
    - additionalMinionParams
    - additionalAuthParams

    GET /iaas/api/machines/{id}

    If SaltStack is configured, the GET machine response includes saltConfiguration properties.

  • Modification to existing API

    POST /iaas/api/block-devices/{id}/operations/snapshots

    Extended to include the following optional parameters:

    - resourceGroupName: Specifies the target resource group for the new snapshot

    - encryptionSetId: To specify the encryption with which the created snapshot should get encrypted

    - tags: Key-value pair to tag a snapshot on Azure cloud.

Migration | This service is used to quickly set up a vRA 8 instance based on information in a configuration file, a.k.a. Zero-Setup | No change
Project | Holds all functionality specific to creation, management and deletion of projects | No change
Relocation | Define policy and plans for bringing existing VMs from any cloud under management. | No change
Catalog | Access Service Broker catalog items and catalog sources, including content sharing and the request of catalog items. | No change
Catalog Service (Policies) | Interact with policies created in Service Broker. | No change
Code stream all pipeline-service | These APIs provide access to Code Stream services. | No change
Identity Service | A list of identity, account and service management APIs. | Get OAuth2 client by passed ID.

GET /csp/gateway/am/api/services/clients/{id}

New APIs for AD group membership

GET /am/api/orgs/{orgId}/groups/{groupId}/groups

GET /am/api/orgs/{orgId}/groups/{groupId}/users

Resolved Issues

The following issues were resolved in this release.

  • Unable to properly save variables of the Regexp type in the Variables editor. Incorrect values are displayed in the editor.

    This issue is caused by the Regexp type variables being misinterpreted as special objects instead of strings.

  • PowerCLI scripts fail with a "An item with the same key has already been added. Key: LinkedView" error.

    This PowerCLI scripting issue is caused by a VMHost PowerCLI object that cannot be parsed into a JSON format.

  • Unable to save Property Group containing property from External Source type

    The validation fails when you try to create a property that contains a number, boolean, or integer types of properties referencing property groups. As a result you are unable to save the property group.

  • Blueprint with invalid schema fails to import after upgrading from 8.2 to 8.4.1

    Due to json-schema validations, if an 8.2 or earlier blueprint has an invalid schema and you migrate it to any version before vRA 8.5, it fails to re-import.

  • Deployments are failing when compute tags longer than 256 characters are used

    Post upgrade to 8.4, deployments are failing for blueprints with compute tags having length greater than 256 characters or key greater than 128 characters.

  • Cloud Template UI restricts the deployments from the same project but API does not.

    When trying to deploy a cloud template to an existing deployment (iterative scenario), the UI lists the deployments only from the project that the cloud template belongs to.

    Consider the following use case:

    1. Admin created a blueprint and released a new version in project A.
    2. With the above version, admin releases a catalog item to project B (as the blueprint is marked as sharable).
    3. Catalog user creates a deployment based on this catalog item.
    4. Admin made some changes to the same blueprint and released a new version.
    5. Now, admin wants to update the deployment created in step#3 with the latest cloud template changes.
    6. When Admin tries to deploy the new cloud template version to the existing deployment, the UI limits the selection to the same project and does not show the deployment that was created in step#3.

  • Custom Forms ValuePicker and MultiValuePicker should not filter data when requested from getExternalValues

    When searching with a specific term, sometimes there are search results that are not shown in the UI component dropdown. The Value Picker and Multi-Value Picker do not show results whose label or value does not contain the search term. This can be observed when we search for a username in Active Directory and we know that there are search results, but the value picker does not show them, because the user's Display Name did not contain their username.

  • Unable to log in to the vRealize Orchestrator Control Center or the vRealize Orchestrator Appliance.

    Using backslash ("\") characters in the root password of your deployment can cause issues when trying to log in to the vRealize Orchestrator Control Center or the vRealize Orchestrator Appliance over an SSH session.


  • Slow deletion of folders that contain large quantities of workflows or actions.

    When you delete a folder that contains large quantities of workflows or actions (over 2000 objects), the deletion process can take hours to complete.


  • Error in Terraform import possibly due to for loop syntax.

    Using for_each, for & if blocks in Terraform files results in an error.

  • Metrics are only loaded once when a vRO workflow is opened

    Metrics are lost when navigating through execution steps for a completed workflow execution. This is visible when the profiler and token replay functionalities are enabled. If there is a workflow that calls inner workflows, then the issue is visible for the workflow execution.

  • vRO workflow fails if it contains a default error handling item and embedded workflows with nested workflows that failed.

    If a workflow contains a default error handling item and an embedded workflow item and this embedded workflow has nested workflows, when you run the topmost workflow and a nested workflow fails, the topmost workflow fails too, regardless of the logic of the default error handling item.

  • Error loading values for field formValue(Value) | Unable to add or modify the value for any variables of type "Path" in vRO 7.6

    Older workflows can use the deprecated Path type which cannot be used in newer vRealize Orchestrator versions.

    Using the deprecated Path type can cause issues in certain scenarios. For example, you might have nested workflow element that uses the Path type as input or output parameter. Attempting to bind these inputs or output parameters to other parameters or variables that use the Path type fails because this type is deprecated and unavailable. The similar path type variable can now be bound to inputs, outputs, or variables of the Path type. The same also applies to Array/path and Array/Path bindings. In such scenarios, the original input or output type does not change. For example, if an input parameter of the Path type is bound to a variable of the path type, the input parameter will still use the Path type.

  • vRO does not allow you to select a value option action for complex type input

    You cannot select an action as a default value for a Properties type input parameter. An action that returns an Array/Properties cannot be selected as a default value for a Properties type input parameter.

  • Intermittent failure to deploy machine connected to an NSX-T network and contains tags

    The deployment fails with an error: "SecurityException: : : Failed to query unique virtual machine by external id: [UUID]". This occurs when vRA queries NSX for the machine in order to tag it on NSX and receives multiple records since the machine is migrated during vMotion.

Known Issues

The following known issues are present in this release.

  • The vRealize Orchestrator container restarts when over 5000 actions are run for the purpose of catalog item population.

    This issue was tested in an environment where 250 catalog items, each running over 20 vRealize Orchestrator actions, were run in parallel. This causes all available Tomcat threads to be exhausted, which in turn causes a vRealize Orchestrator container restart due to a health check probe fail.

  • The vRealize Orchestrator Control Center password is reset to its initial value after service redeployment.

    After the vRealize Orchestrator Appliance is deployed, you can change the Control Center password by running the vracli vro update-cc-password command. However, after running the /opt/scripts/deploy.sh script to redeploy the vRealize Orchestrator services, the Control Center password is reset to its initial value.

  • vRealize Automation upgrade fails with error code LCMVRAVACONFIG90030

    During upgrade, when the root password is set to non-expiring or has not been changed in over 365 days, the password is updated to expire immediately. As a result, LCM cannot connect to vRA to check upgrade status and the upgrade fails.

    Workaround: Update the password before the upgrade.

  • Running any action from a vRealize Orchestrator Client embedded in a vRealize Automation in an external vRealize Orchestrator deployment returns the following: Action execution with id: was not found.

    This issue occurs when a user wants to run or debug an action in an external vRealize Orchestrator cluster while triggering it from an embedded vRealize Orchestrator Client. The external vRealize Orchestrator cluster must be added as an integration in vRealize Automation.

    Workaround: Use the external vRealize Orchestrator Client to start or debug actions.

  • Exceptions for READ operation are not properly processed

    If a back-end error happens for deployment iterative updates, only a generic error message is shown.

    The server logs show a detailed error message. However, because the exception is not handled properly, only a generic error message is displayed in the UI. Users do not know what happened or how to remedy the situation. In this case, if the user could see the detailed error message, they would know that there is no endpoint for this org.

    From UI: Internal Server Error[Error Reference ID:...]

    From backend logs:

    a0056' deployment='def73627-632b-4f60-8c8b-064f1e79799b' trace='337acab2-f5b1-4eb7-8156-b743c3b7d5f2'] com.vmware.tango.blueprint.provider.ResourceTileService - read request Failed: [Provisioning Service] No suitable cloud accounts for providers: 'azure' project: 'bbae7f64-ba5e-4259-aa02-029a45d2ea32'! Reason: [Provisioning Service] There are no endpoints for the specific orgId: 78a681c1-c9fb-46df-92f0-f210d66d4d14 projectId: bbae7f64-ba5e-4259-aa02-029a45d2ea32 endpointType: azure

  • Incorrectly dropped or placed elements in Cloud Templates break the UI page

    In Firefox, drag and drop sometimes redirects the page. When dragging a resource node, dropping it outside of the canvas could also cause page redirection in Firefox.

    Workaround: Drop the resource in the canvas and delete it instead.

  • The vSSC photon appliance is missing libraries required to deploy Windows minions

    The vSSC photon appliance is missing libraries required to deploy Windows minions. The .ova requires pypsexec, smbprotocol, and impacket to be installed in order to successfully deploy and configure Windows minions.

    Workaround: Run these commands:

    pip3 install pypsexec smbprotocol

    pip3 install impacket --ignore-installed

  • Deployment created successfully but doesn't contain any resources

    Even when the VCT is empty, the user can deploy the VCT.

  • Missing algorithmParameters for LB error not handled properly

    For the algorithms HTTP_HEADER and URL, the YAML validation error shown when algorithmParameters is missing is not clear. The algorithm URI also requires algorithmParameters, but it doesn't show a YAML validation error.

  • When clicking on an AWS instance in the UI, the control jumps to the S3 bucket

    This only occurs when using a Chrome browser. When the user clicks on the side panel tree, the tree scrolls to the top.

  • Change Security day2 operation to remove association with VMs for migrated deployments

    The Change Security Groups/Reconfigure (Existing type Security Group) day 2 operation to remove association with VMs is not supported on NSX-V endpoints for deployments migrated from vRA 7.x to vRA 8.x. In vRealize Automation, the UI shows that the disassociation was complete; however, the NSX-V endpoint still reflects the association.

    Workaround: Perform the dissociation on the NSX-V endpoint.

  • Catalog service restarted

    The Catalog service pods are getting restarted every 2-3 days. The Catalog service container memory grows slowly and tries to take more than the assigned limit, which results in Kubernetes terminating and restarting the catalog service container.

    Workaround: Reduce catalog service JVM heap memory limit to keep the Java process memory within the container limit. This can be done by updating the catalog service deployment and modifying the jvmHeapMax value to "1794m". To update this value edit the file /opt/charts/catalog-service/values.yaml on each node and redeploy the app.

  • Azure image enumeration is not finishing for all the Azure endpoints in an environment

    An error in the Azure image enumeration for one cloud account can prevent other Azure image enumeration operations from completing.

    Workaround: For workaround steps, see KB 85796.

  • ABX Actions running on AWS Lambda might fail with an error.

    Due to a minor change in the AWS Lambda service, ABX Actions run on AWS Lambda might fail with the following error:

    'Error com.amazonaws.services.lambda.model.ResourceConflictException: The operation cannot be performed at this time. The function is currently in the following state: Pending'.

    Workaround: The first trigger of the ABX action after the action is created or updated will most likely fail. If you wait a couple of seconds and try again, it should work as expected, and it should continue to work until the action is updated again, which requires ABX to update the backing AWS Lambda function.

  • Configuring the IP Address RELEASED period does not work in a multi-tenant environment.

    The task that runs globally to move IP addresses from RELEASED to AVAILABLE is not tenant-aware. In a multi-tenant environment, where one or more tenants has configured an IP address timeout, only one timeout value is applied to all the tenants.

    This issue is being addressed and will be resolved in a future release.

    Workaround: None.

  • Extensibility failures when utilizing secrets

    In 8.5, PowerShell-based ABX fails when called from a subscription that triggers a VMware Cloud Template that utilizes a secret.
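
A pre-upgrade check for the LCMVRAVACONFIG90030 issue listed above, as an added example that is not VMware code: it parses `chage -l root` output and reports the two conditions that issue describes (a non-expiring root password, or one not changed in over 365 days). The sample outputs are constructed, the function names are hypothetical, and the `chage -l` layout is assumed to be the standard shadow-utils one.

```python
import re
import subprocess
from datetime import date, datetime

MAX_AGE_DAYS = 365  # age threshold stated in the known issue
DATE_FORMATS = ("%b %d, %Y", "%Y-%m-%d")  # default and ISO (`chage -l -i`) layouts

# Constructed sample: non-expiring password, last changed over a year earlier.
SAMPLE_AT_RISK = """\
Last password change                                : Jun 01, 2020
Password expires                                    : never
Password inactive                                   : never
Account expires                                     : never
Maximum number of days between password change      : 99999
"""

# Constructed sample: recently changed password with a normal expiry.
SAMPLE_OK = """\
Last password change                                : Jul 20, 2021
Password expires                                    : Jul 20, 2022
Password inactive                                   : never
Account expires                                     : never
Maximum number of days between password change      : 365
"""


def parse_chage(output):
    """Map each 'Label : value' line of `chage -l` output to a dict entry."""
    fields = {}
    for line in output.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[re.sub(r"\s+", " ", label).strip().lower()] = value.strip()
    return fields


def parse_date(text):
    """Return a date for either supported layout, or None if unreadable."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None


def upgrade_risks(output, today=None):
    """List the conditions that make the upgrade expire the root password."""
    today = today or date.today()
    fields = parse_chage(output)
    risks = []
    if fields.get("password expires") == "never":
        risks.append("root password is set to never expire")
    last = fields.get("last password change", "")
    if last == "password must be changed":
        risks.append("root password is already expired")
    elif last and last != "never":
        changed = parse_date(last)
        if changed is None:
            risks.append(f"could not read last password change date: {last!r}")
        elif (today - changed).days > MAX_AGE_DAYS:
            risks.append(f"root password last changed {(today - changed).days} days ago")
    return risks


if __name__ == "__main__":
    # Run as root on the appliance; LC_ALL=C keeps month names in English.
    env = {"LC_ALL": "C", "PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}
    out = subprocess.run(["chage", "-l", "root"], capture_output=True,
                         text=True, check=True, env=env).stdout
    for risk in upgrade_risks(out) or ["no upgrade-blocking password condition found"]:
        print(risk)
```

Any reported condition means the workaround applies: update the root password before starting the upgrade.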

Changed and Deprecated Functionality

