VMware vRealize Automation 8.6.1 | 19 NOV 2021

Check for additions and updates to these release notes.

Release Versions

VRealize Automation 8.6.1 | 29 November 2021
  • vRA Easy Installer (ISO) build 18940322
  • vRA Product (appliance) build 18939583
  • SaltStack Config build 18865543

Updates made to this document

Date Description of update Type
11/19/2021 Initial publishing.
11/23/2021 Minor modifications.
11/30/2021 ABX Actions running on AWS Lambda might fail with an error. Known Issue
03/02/2022 Added link to KB workaround used to resolve upgrade failure related to the log4j vulnerabilities.

About vRealize Automation 8.6.1

vRealize Automation 8.6.1 complements vRealize Automation 8.6 capabilities with variety of new features. Release highlight includes significant Onboarding and Deployment Enhancements, Extensibility and TKG improvements and new SaltStack and Carbon Black integration.


Upgrade failure after performing steps in KB 87120

Performing the instructions used to address the CVE-2021-44228 and CVE-2021-45046 log4j vulnerabilities described in KB 87120 can cause upgrade failures for vRealize Automation and vRealize Orchestrator 8.6.2 or earlier. For a workaround, seeKB 87794.

Before you begin

Familiarize yourself with the supporting documents.

After installing vRealize Automation and setting up your users, you can use the Getting Started and Using and Managing guides for each of the included services. The Getting Started guides include an end-to-end proof of concept. The Using and Managing guides provide more in-depth information that supports your exploration of the available features. Additional information is also available in vRealize Automation 8.6 product documentation.

For information on vRealize Orchestrator 8.6 features and limitations, refer to the vRealize Orchestrator 8.6 Release Notes.

What's New

Assign icons to onboarded deployments

To give end user more information about deployments, vRA updates the deployment Edit action to support assigning custom icons to onboarded deployments.

SaltStack and Carbon Black integration

Carbon Black and SaltStack SecOps are now integrated to pass information from Security Teams to Infrastructure Teams. This integration passes Carbon Black's findings into the SaltStack SecOps framework for action through remediation. By leveraging the Carbon Black's security scanning capabilities along with the SaltStack action, arm companies can quickly find and fix vulnerabilities in their infrastructure which reduces exposure and eliminates advisory abilities to exploit these vulnerabilities.

Scale out migrated deployments

After the Cloud admin migrates deployments, you can scale out existing resources within that migrated deployment.

Migrate property groups with external values

The Migration assistant tool now supports the migration of property groups with external values.

Create Extensibility Subscription for lease expire

Cloud admins can extend the machine management process and trigger specific actions when a machine lease is expiring. This allows them to perform a variety of automated tasks such as backing up the machine or adding additional monitoring. Learn more.

Deployment Limit Policy to define Deployment and Deployment Resource Limits

The Deployment Limit Policy allows Cloud Admins to define Deployment limits to restrict CPU count, Memory, and VM count. These policies also allow Cloud Admins to define Deployment Resource limits to restrict CPU count and Memory of specific resources within a larger deployment. These policies are enabled by default for an entire organization, but can be scoped down using familiar criteria such as applying to a certain project, being deployed from a specific VMware Cloud Template, or containing a certain tag. The Deployment Limit Policy also is enforced against any resize actions performed after a successful deployment that falls within the scope of the policy. Learn more.

Assign VCT to onboarded deployments

You can assign a VMware Cloud Template (VCT) to onboarded deployments.

Note: VMware Cloud Template assignments are for visual representation only and updating the onboarded deployments by iterating on the assigned template is not supported.

Ability for devops project users create a TKGs cluster

DevOps project Users can now create TKG clusters.

SaltStack SecOps support for Tenable import scans of Windows systems

Users who leverage Tenable now have the ability to import scans for Windows systems as well as Linux systems.

API Documentation and Versioning

API documentation is available with the product. To access all Swagger documents from a single landing page, go to https://<appliance.domain.com>/automation-ui/api-docs where appliance.domain.com is your vRealize Automation appliance.

Before using the API, consider the latest API updates and changes for this release, and note any changes to the API services that you use. If you have not locked your API using the apiVersion variable before, you might encounter a change in an API response. All API updates and changes for this release are provided in the table below.

For unlocked APIs, the default behavior varies depending upon the API.

  • For Cloud Assembly IaaS APIs, all requests which are executed without the apiVersion parameter will be redirected to the first version which is 2019-01-15. This redirect will allow every user who did not previously specify the apiVersion parameter to transition smoothly to the latest version without experiencing breaking changes.

    NOTE: For the Cloud Assembly IaaS APIs, the latest version is apiVersion=2021-07-15. If left unlocked, IaaS API requests will be redirected to the first version which is 2019-01-15. The first version is deprecated and will be supported for 12 months. To ensure a smooth transition to the new version, lock your IaaS API requests with the apiVersion parameter assigned to 2021-07-15.

  • For other APIs, your API requests will default to the latest version. If you select one of the earlier version dates listed for the Swagger spec, the API behavior will reflect APIs that were in effect as of that date and any date until the next most recent version date. APIs are not versioned for every vRealize Automation release and not all APIs support the apiVersion parameter.

For more information about API versioning, see the vRealize Automation 8.6 API Programming Guide.

Service Name Service Description API Updates and Changes

No versioning

Holds all functionality specific to ABX, including creation and management of actions and their versions and executing actions and flows. No change

Versions: 2020-11-01, 2020-02-09, 2019-12-13

Enforce policies which control who must agree to a deployment or day 2 action before the request is provisioned No change

Versions: 2019-09-12, 2019-01-15

Create, validate, and provision VMware Cloud Templates (formerly called Blueprints) No change

No versioning

When using Kubernetes with vRealize Automation, deploy and manage Kubernetes clusters and namespaces. New APIs to create and manage Cluster plans and to retrieve storage classes for vSphere instance

[GET] /cmx/api/resources/cluster-plans - searching cluster plans by name and cloud account self link id two optional parameters: 1. cloudAccountSelfLinkId: cloud account self link id (only self link id, not the entire selfLink string) 2. name: cluster plan name

[POST] /cmx/api/resources/cluster-plans - creating a cluster plan, the body of the request shall contains a valid cluster plan entity sample cluster plan entity: { "cloudAccountSelfLinkId": "self-link-id", "definition": { "spec": { "distribution": { "version": "v1.20" }, "topology": { "controlPlane": { "count": 1, "class": "best-effort-xsmall", "storageClass": "vsan-default-storage-policy" }, "workers": { "count": 1, "class": "best-effort-xsmall", "storageClass": "vsan-default-storage-policy" } } } }, "name": "small", "type": "TANZU_CLUSTER_PLAN" }

[GET] ​/cmx​/api​/resources​/cluster-plans​/{id} - find a cluster plan by id string

[PUT] /cmx/api/resources/cluster-plans/{id} - update an existing cluster plan item

[DELETE] /cmx/api/resources/cluster-plans/{id} - remove an cluster plan item

[GET] /cmx/api/resources/vsphere/endpoints/{endpointSelfLinkId}/storage-classes - get all storage classes identifiers for a vSphere endpoint

Content Gateway(content service)

Versions: 2019-01-15

Connect to your infrastructure as code content in external content sources such as SCM Providers and VMware Marketplace. No change
Custom Forms (form-service)

No versioning

Define dynamic form rendering and customization behavior in Service Broker and Cloud Assembly VMware services. No change

Versions: 2020-08-25, 2020-01-30, 2019-01-15

Access deployment objects and platforms or blueprints that have been deployed into the system. No change

Versions: 2021-07-15, 2019-01-15

Perform infrastructure setup tasks, including validation and provisioning of resources in iterative manner. No change

No versioning

This service is used to quickly setup a vRA 8 instance based on information in a configuration file a.k.a Zero-Setup No change

Versions: 2019-01-15

Holds all functionality specific to creation, management and delete of projects New endpoint to sync principals assigned to any project within a user organiztion

POST /project-service/api/projects/{id}/sync-principals


Versions: 2020-08-25, 2020-01-30, 2019-01-15

Access Service Broker catalog items and catalog sources, including content sharing and the request of catalog items. No change

Versions: 2020-08-25, 2020-01-30, 2019-01-15

Interact with policies created in Service Broker. No change
Code stream all pipeline-service

Versions: 2019-10-17

These API provide access to Code Stream services. No Change
Identity Service

No versioning

A list of identity, account and service management APIs. No change
Relocation (Onboarding)

No versioning

Define policies and plans to bring existing VMs from any cloud under management New restrictions added to PATCH action on onboardingBlueprintState

Onboarding Blueprints

(/relocation/onboarding/blueprint/) now enforces the following restrictions on the PATCH action:

  • name must be provided if either autogenerate == true OR autogenerate == false and templateLink is provided
  • if autogenerate == true templateLink provided in PATCH request will be ignored
  • if autogenerate == false and templateLink is not provided, then name will be ignored in PATCH request

    The following new restriction is now enforced on the POST action:

  • A request to create a new onboardingBlueprintState now requires the name field to be populated unless autogenerate == true. A name will no longer be automatically generated unless autogenerate is set to true.
saltstack: raas CarbonBlack APIs for integration The vman.import_scan_via_api is enhanced to accept "carbonblack" as an additional vendor to import a vulnerability scan from. Apart from that, the API usage remains the same as previous releases.

Resolved Issues

The following issues were resolved in this release.

  • Administrator Role missing permissions

    When SaltStack Config is integrated with vIDM and has a role of Administrator will not be able to view minions, minion keys or accept minion keys.

  • vRealize Automation Network Profiles created for AWS & Azure cloud accounts that contain discovered Networks and Security Groups can have missing items

    vRA Network Profiles created for AWS & Azure cloud accounts and containing discovered Networks and Security Groups can have missing items (i.e. Networks and/or Security Groups). Missing items start to appear a couple of days after their creation and on some environments. The cause of missing items appeared to be Enumeration process which cannot find correspondence between cloud account and Provisioning entities and deletes Provisioning ones.

  • Exceptions for READ operation are not properly processed

    If a back-end error happens for deployment iterative updates, only a generic error message is shown. From server logs, a detailed error message is shown. However, due to the exception being handled not properly, only a generic error message is displayed in the UI.

  • Request tracker is not working for resource views

    On the All resources page, after selecting a machine and performing any day 2 action, the request tracker does not appear unless a manual refresh is initiated.

Known Issues

The following known issues are present in this release.

  • Failed to start upgrade to 8.5.1 and 8.60

    Starting an iterative upgrade trhough vRSLCM to vRA 8.5.1 or later on a vRA 8.5.0 system fails at the vRealize Automation Upgrade/Patch/Internal Network step of Stage 1 about a minute or so after the launch. The previous upgrade, while completed successfully, has not been able to delete its runtime data and leaves the upgrade in in progress state. Hence, new upgrade cannot be launched. This is likely to affect some systems with long host names (FQDNs) that has been upgraded from vRA 8.4.x to vRA 8.5.0.

    Workaround: In this release LCM will make the precheck and notify you for the issue. For information on workaround steps, see KB 85965.

  • Upgrading from vRA 8.5 and 8.5.1 migth fails with an error "Upgrade terminated due to critical error".

    Upgrading from vRA 8.5 or vRA 8.5.1 might fails with the error "Upgrade terminated due to critical error". Disk space checks show /root at *or near* 100% utilization.

    Workaround: For information on workaround steps, see KB 85864.

  • Attempt to update previously migrated Clustered Deployment might fail

    The following error appears on an attempt to update Clustered deployment which was previously imgrated:

    Multiple update actions are not supported at the same time. Requested actions: [Attach.Disk, Detach.Disk].


  • vRealize Automation Network Profiles created for AWS & Azure cloud accounts that contain discovered Networks and Security Groups can have missing items

    vRA Network Profiles created for AWS & Azure cloud accounts and containing discovered Networks and Security Groups can have missing items (i.e. Networks and/or Security Groups). Missing items start to appear a couple of days after their creation and on some environments. The cause of missing items appeared to be Enumeration process which cannot find correspondence between cloud account and Provisioning entities and deletes Provisioning ones.

    Workaround: Manually fix missing Networks and Security Groups by removing missing ones and adding newly discovered ones corresponding to customer criteria.

  • ABX Actions running on AWS Lambda might fail with an error.

    Due to a minor change in the AWS Lambda service, ABX Actions run on AWS Lambda might fail with the following error:

    'Error com.amazonaws.services.lambda.model.ResourceConflictException: The operation cannot be performed at this time. The function is currently in the following state: Pending'.

    Workaround: The first trigger of the ABX action after the action was created or updated will most likely fail, but if you wait for a couple of seconds and try again, it should work as expected, and it should continue to work as expected until the action is updated and this requires ABX to update the backing AWS Lambda function.

  • Configuring the IP Address RELEASED period does not work in a multi-tenant environment.

    The task that runs globally to move IP addresses from RELEASED to AVAILABLE is not tenant-aware. In a multi-tenant environment, where one or more tenants has configured an IP address timeout, only one timeout value is applied to all the tenants.

    This issue is being addressed and will be resolved in a future release.

    Workaround: None

  • When updating a vSphere machine to connect to a different network, an error occurs if the machine type is Windows and the cloud template does not specify a customization spec

    If a customization spec does not exist in the cloud account, a failure occurs when updating a deployed vSphere machine with Windows OS to connect to a different network. The error message is: Error from vCenter: A specified parameter was not correct: spec.identity.

    The error occurs because vRealize Automation does not detect the machine type as Windows and creates a customization suitable for a Linux machine.

    You can reconfigure the network on the deployed machine by using the Actions -> Update menu sequence or by performing an iterative deployment update.

    Workaround: Specify a customization spec in the cloud template in the machine component's customizationSpec section.

  • Incorrectly dropped or placed elements in Cloud Templates break the UI page

    In Firefox, using drag and drop can sometimes redirect the page. When dragging a resource node, dropping it outside of the canvas could also cause page redirection in Firefox.

    Workaround: Drop resource in canvas and delete it instead.

  • Custom Resource Subscriptions not available for Custom resource based on ABX

    Despite the fact the vRA 8.5.1 introduced ABX based custom resources, there are some limitations such as: Cloud admins are still not able to include ABX based resources in event based subscriptions.

  • Timeout exception appears during deployment update of ABX based custom resource

    When you update an ABX based custom resource deployment, you might see a ''504 Gateway Time-out issue" error. The error appears in the event of an ABX read action failure.

Changed and Deprecated Functionality

check-circle-line exclamation-circle-line close-line
Scroll to top icon