vRealize Automation 8.7 | 22 MAR 2022

Check for additions and updates to these release notes.

Release Versions

vRealize Automation 8.7 | 01 April 2022
  • vRA Easy Installer (ISO) build 19527797
  • vRA Product (appliance) build 19508505
  • SaltStack Config build 87010

Updates made to this document

Date | Description of update | Type
03/22/2022 | Initial publishing. |
3/23/2022 | Constraints used with CR schema modification feature | Known Issue
3/23/2022 | Custom form text input field values | Known Issue
3/23/2022 | Custom Resource Objects are not expandable | Known Issue
3/23/2022 | Detailed visualization of array of complex in a datagrid cell is not supported | Known Issue
4/08/2022 | Onboarding machines create duplicate entries in the resource center | Known Issue
04/18/2022 | Visibility binding doesn't work in Custom Form Renderer | Known Issue

About vRealize Automation 8.7

vRealize Automation 8.7 complements vRealize Automation 8.6.2 capabilities with a variety of new features, including the ability to change project for provisioned deployments, an evolution of the ABX On Prem engine, SaltStack Config availability as a resource within Cloud Templates, custom validation for catalog items by custom forms via API, custom remediations for SaltStack SecOps, and more.

Before you begin

Familiarize yourself with the supporting documents.

After installing vRealize Automation and setting up your users, you can use the Getting Started and Using and Managing guides for each of the included services. The Getting Started guides include an end-to-end proof of concept. The Using and Managing guides provide more in-depth information that supports your exploration of the available features. Additional information is also available in vRealize Automation 8.7 product documentation.

For information on vRealize Orchestrator 8.7 features and limitations, refer to the vRealize Orchestrator 8.7 Release Notes.

What's New

The many benefits of vRealize Automation 8.7 include:

Evolution of the ABX On Prem engine

ABX On Prem now uses the next generation On Prem engine, which has advanced performance and scalability. The new FaaS is much faster, fixes numerous issues with memory limits, and introduces memory based throttling. You can also troubleshoot action runs more easily with additional logging capabilities.

The new on prem engine includes these improvements:

  • ABX On Prem actions use a new FaaS engine that is more stable, scalable, and faster. It also fixes numerous issues discovered using the old FaaS engine.
  • ABX On Prem actions have faster deployment times. This enables you to develop actions much faster.
  • ABX On Prem action memory limits are now per action run, instead of shared. As a result, the memory limit of all existing actions is reset to the default value due to memory based throttling. If existing actions kept the high memory limits that were set when parallel action runs shared memory, they would consume a large amount of capacity that is no longer needed.
  • ABX On Prem action run logs now include additional information for finished action runs. There is an additional log line at the end of the log which shows the approximate memory consumed from the action run, allowing you to set appropriate memory limits.
  • ABX On Prem actions now show logs in case of an action run timeout. This allows for easier investigation of timed out action runs.
  • ABX On Prem now enables better isolation between action runs of the same action, because every action run is now run in a separate container.

Changing deployment projects for provisioned deployments

The Day 2 action to change project is now enabled for provisioned deployments. Provisioned deployments can contain any number of Machines, Disks, Resource Groups, Load Balancers, Networks, Security Groups, NATs, and Gateways. If a provisioned deployment is updated to contain either a resource not listed above (for example, a Terraform configuration) or an onboarded/migrated resource, the change project action is not available. If the resource is deleted, then the change project action becomes available again.

  • Day 2 action is restricted to cloud administrators only.
  • Machines' and Disks' cloud zones must be present in the target Project and set quota limits are respected. The quota is released from the initial project and reserved in the target project. In case of any failure, the action is automatically rolled back.
  • See Day 2 Actions for more information.

SaltStack Config available as a resource type within Cloud Templates

You can now natively deploy and configure a salt-minion as part of a Cloud Template as a day-0 operation by dragging and dropping directly on to the canvas to attach the SaltStack Config resource type to one or multiple virtual machines. The new resource type is found under SaltStack on the left-hand resource menu.

Updated vRealize Automation plugin for vRealize Orchestrator with versions 8.4.2+

Updated plugin version is now available on the VMware Marketplace.

The plugin now supports:

  • IaaS Inventory and scripting objects for Machines
  • CRUD for Machines
  • EntityFinders

Learn more about the vRealize Automation plug-in. For complete functionality description, please check the “Documents” section in our new vRealize Orchestrator community page.

Custom validation for catalog item by custom forms now supported via API

vRealize Automation now supports custom validation via the API. With this new feature, you can design a catalog item with a custom form and external validation via the API. When the user creates a deployment from the catalog item via API, the validation is executed. If the validation fails, the API response contains the validation error messages.

Custom Remediations for SaltStack SecOps

You can now import advisories that aren't supported by SaltStack SecOps. Custom remediation files can be attached to an advisory for automated remediation. Learn more about custom remediation.

Dynamic Job Inputs for SaltStack Configuration Jobs

Reduce, reuse, and delegate your IT automation and configuration management outcomes with Dynamic Jobs.

Optional inputs in property groups

Input property groups now support optional input. In a property group, all properties are optional by default. To mark all non-Boolean properties without a default value as required, add the following cloud template property to the desired property group:

    populateRequiredOnNonDefaultProperties: true

If this property is omitted or set to false, all properties are treated as optional (which is the default behavior).

Retain deployment creation date for migrated deployments

Deployments moved by the migration tool now retain the original creation date.

Deployment Limit Policy support for storage

Deployment Limit Policy now supports storage constraints on both day-0 provisioning and day-2 actions including: resizing, adding, and deleting disks. Learn more about deployment limit policies.

Removal of infrastructure machines and volumes view

The infrastructure machines and volumes view has been replaced with the virtual machines and volumes view in the Resource Center under the Resources top level tab. The permission for machines view is no longer available.

Marketplace Retirement

The Marketplace integration within vRealize Automation has been retired.

SSC SecOps: Support for Ubuntu 20.04 and 20.10

Users now have the ability to manage compliance across their Ubuntu 20.04 and 20.10 systems.

Schema modifications and formatting for ABX based Custom Resources

Application architects are now able to edit the Custom resources schema parameters, so they are more comprehensive in the deployment UI. Both parameters and computed properties are now modifiable.


  • Currently there is no form designer for custom resource type details forms. If you desire the ability to customize the form displayed for the custom resource type, then you must edit and save the custom resource type manually:

To do that, you have to perform an API POST call to the form definition controller:


Where you specify the form, in the body, as well as the following parameters:

    type: deploymentResource
    sourceType: resourceType
    sourceId: Custom.YourResourceTypeHere

as well as any other parameters that you want to set.

  • There is no sync between the vRO workflow and the custom resource type. If, for instance, you add a new input to the CREATE workflow, it will not automatically appear in the schema. Even if you go to the schema, the new input would not be available to be added. This is because the custom resource type is created with the version of the workflow at the time of creation and that definition is not updateable as of now.


  • If you save a custom resource type without a properties value, then a schema will be automatically generated based on the selected CREATE workflow. This works only for vRO-based custom resource types as the schema is generated based on the workflow.
  • If you try to save a custom resource type without a computed property, you will get an error. Behavior before this version was to implicitly generate a new schema (for vRO-based CRTs) and save the custom resource type successfully.

Custom forms supports bind field and conditional value to any input or variable

Custom Forms Field/Tab visibility configuration now supports the 'Bind field' Value Source. You can now bind the visibility of a Field or a Tab to another field of type 'Boolean' (i.e. Checkbox).

Service Broker cache for custom form actions

Service Broker now issues the minimal number of requests to resolve External Source values by making better use of its internal caching mechanism. Upon changing the project field, all cached values are cleaned, but caching is still active for the current vRO integration. Duplicate requests are properly marked based on all relevant information for the request.

API Documentation and Versioning

API documentation is available with the product. To access all Swagger documents from a single landing page, go to https://<appliance.domain.com>/automation-ui/api-docs where appliance.domain.com is your vRealize Automation appliance.

Before using the API, consider the latest API updates and changes for this release, and note any changes to the API services that you use. If you have not locked your API using the apiVersion variable before, you might encounter a change in an API response. All API updates and changes for this release are provided in the table below.

For unlocked APIs, the default behavior varies depending upon the API.

  • For Cloud Assembly IaaS APIs, all requests which are executed without the apiVersion parameter will be redirected to the first version which is 2019-01-15. This redirect will allow every user who did not previously specify the apiVersion parameter to transition smoothly to the latest version without experiencing breaking changes.

    NOTE: For the Cloud Assembly IaaS APIs, the latest version is apiVersion=2021-07-15. If left unlocked, IaaS API requests will be redirected to the first version which is 2019-01-15. The first version is deprecated and will be supported for 12 months. To ensure a smooth transition to the new version, lock your IaaS API requests with the apiVersion parameter assigned to 2021-07-15.

  • For other APIs, your API requests will default to the latest version. If you select one of the earlier version dates listed for the Swagger spec, the API behavior will reflect APIs that were in effect as of that date and any date until the next most recent version date. APIs are not versioned for every vRealize Automation release and not all APIs support the apiVersion parameter.

For more information about API versioning, see the vRealize Automation 8.7 API Programming Guide.
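
To find unlocked requests before they change behavior, the following added example (not VMware code) audits request URLs against the versioning rules above and pins IaaS calls to 2021-07-15. The host name, the page query parameter, the installer id, and the function names are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

IAAS_PREFIX = "/iaas/api/"
IAAS_FIRST = "2019-01-15"   # deprecated first version (from the release notes)
IAAS_LATEST = "2021-07-15"  # latest IaaS version (from the release notes)


def classify(url):
    """Return (status, apiVersion) describing how one request URL is versioned."""
    parts = urlsplit(url)
    versions = [v for k, v in parse_qsl(parts.query, keep_blank_values=True)
                if k == "apiVersion"]
    version = versions[-1] if versions and versions[-1] else None
    is_iaas = parts.path.startswith(IAAS_PREFIX)
    if version is None:
        # Unlocked IaaS calls are redirected to the deprecated first version;
        # other unlocked APIs default to the latest version.
        return ("iaas-unlocked" if is_iaas else "unlocked-latest", None)
    if is_iaas and version == IAAS_FIRST:
        return ("iaas-deprecated", version)
    return ("locked", version)


def lock_iaas(url, version=IAAS_LATEST):
    """Pin an IaaS URL to `version`; URLs of other services are returned unchanged."""
    parts = urlsplit(url)
    if not parts.path.startswith(IAAS_PREFIX):
        return url  # not every API supports apiVersion, so only IaaS is rewritten
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "apiVersion"]
    query.append(("apiVersion", version))
    return urlunsplit(parts._replace(query=urlencode(query)))


def audit(urls):
    """Return [(url, status, suggested_url)] for every URL that is not locked."""
    findings = []
    for url in urls:
        status, _ = classify(url)
        if status in ("iaas-unlocked", "iaas-deprecated"):
            findings.append((url, status, lock_iaas(url)))
        elif status == "unlocked-latest":
            findings.append((url, status, None))  # no rewrite: review manually
    return findings


# Constructed sample: URLs as they might appear in an automation script.
SAMPLE_URLS = [
    "https://vra.example.test/iaas/api/folders",
    "https://vra.example.test/iaas/api/folders?apiVersion=2019-01-15&page=2",
    "https://vra.example.test/iaas/api/folders?apiVersion=2021-07-15",
    "https://vra.example.test/cmx/api/resources/installers/42",
]

if __name__ == "__main__":
    for url, status, fix in audit(SAMPLE_URLS):
        print(f"{status:16} {url}" + (f"\n{'':16} -> {fix}" if fix else ""))
```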

Service Name Service Description API Updates and Changes
ABX Holds all functionality specific to ABX, including creation and management of actions and their versions and executing actions and flows. No change
Approval Enforce policies which control who must agree to a deployment or day 2 action before the request is provisioned No change
Blueprint Create, validate, and provision VMware Cloud Templates (formerly called Blueprints) No change
CMX When using Kubernetes with vRealize Automation, deploy and manage Kubernetes clusters and namespaces. New API endpoints:
  • To get a K8SInstaller associated with the given ID:

    GET /cmx/api/resources/installers/{id}

  • To get resource specific properties of the K8SResources:

    GET /cmx/api/resources/installers/{id}/properties

  • To trigger the installation of the K8SResources owned by the given K8SInstaller:

    POST /cmx/api/resources/installers/{id}/install

  • To rollback the K8SResources owned by the given K8SInstaller:

    POST /cmx/api/resources/installers/{id}/uninstall

Content Gateway (content service) Connect to your infrastructure as code content in external content sources such as SCM Providers. Removed Marketplace and Marketplace Downloads APIs.
Custom Forms (form-service) Define dynamic form rendering and customization behavior in Service Broker and Cloud Assembly VMware services. No change
Deployment Access deployment objects and platforms or blueprints that have been deployed into the system. No change
IaaS Perform infrastructure setup tasks, including validation and provisioning of resources in iterative manner. New endpoint to list folders within a datacenter so that you can deploy resources to a specific folder:

GET /iaas/api/folders

Migration This service is used to quickly setup a vRA 8 instance based on information in a configuration file a.k.a Zero-Setup No change
Project Holds all functionality specific to creation, management and delete of projects No change
Relocation Define policy and plans for bringing existing VMs from any cloud under management. No change
Catalog Access Service Broker catalog items and catalog sources, including content sharing and the request of catalog items. No change
Catalog Service (Policies) Interact with policies created in Service Broker. No change
Code stream all pipeline-service These APIs provide access to Code Stream services. No Change
Identity Service A list of identity, account and service management APIs. New API endpoints:
  • To get roles of a group within organization: 

    GET /csp/gateway/am/api/orgs/{orgId}/groups/{groupId}/roles

  • To remove groups from organization:

    DELETE /csp/gateway/am/api/orgs/{orgId}/groups

  • To get a list of organization roles:

    GET /csp/gateway/am/api/orgs/{orgId}/roles

  • To get groups of a specific organization:

    GET /csp/gateway/am/api/orgs/{orgId}/groups

  • To update roles of a group within organization:

    PATCH /csp/gateway/am/api/orgs/{orgId}/groups/{groupId}/roles

Updated API request parameters to require authentication credential when retrieving all service definitions in organization:

GET /csp/gateway/slc/api/definitions

Added API request parameter "includeGroupIdsInRoles" to indicate if the inherited roles in the response should show group information:

  • GET /csp/gateway/am/api/v2/orgs/{orgId}/users
  • GET /csp/gateway/am/api/orgs/{orgId}/users
  • GET /csp/gateway/am/api/orgs/{orgId}/users/search
Relocation Service New restrictions added to PATCH action on onboardingBlueprintState No change

Resolved Issues

The following issues were resolved in this release.

  • Administrator role missing permissions.

    When SaltStack Config is integrated with vIDM and has a role of Administrator, you cannot view minions, minion keys or accept minion keys.

  • Extensibility actions running on AWS Lambda might fail with an error.

    Due to a minor change in the AWS Lambda service, extensibility actions running on AWS Lambda might fail with the following error:

    'Error com.amazonaws.services.lambda.model.ResourceConflictException: The operation cannot be performed at this time. The function is currently in the following state: Pending'.

  • Provisioning a VM from a snapshot does not place the VM in the correct datastore as configured in the storage profile.

    When provisioning a VM by using a snapshot, the VM is not placed in the correct datastore where that snapshot resides regardless of the datastores configured in the storage profiles.

  • Reconfiguring security rules fails after upgrade.

    After upgrading, users cannot reconfigure security groups with new rules that use a protocol and port on NSX-T versions earlier than 3.x.

  • Bracket position error issue occurred on Requests - Confirm Delete Requests page.

    Bracket placement in the pop-up confirmation screen is not as expected when multiple deployment resources are present.

  • Azure, AWS networks are marked missing and re-collected as new networks.

    vRealize Automation Network Profiles created for AWS and Azure cloud accounts that contain discovered Networks and Security Groups can start to have missing items (i.e. Networks and/or Security Groups). On some environments, missing items start to appear a couple of days after their creation. The cause appeared to be the Enumeration process, which cannot find the correspondence between the cloud account and the Provisioning entities and therefore deletes the Provisioning entities.

  • vSphere adapter - Network Reconfiguring of a Windows machine without customization spec is failing

    When updating a deployed vSphere machine with Windows OS to connect to a different network and there is no customization spec specified in the cloud account, a failure occurs. The failure error message is: "Error from vCenter: A specified parameter was not correct: spec.identity". The reason for the error is that vRA does not detect this is a Windows machine and creates customization suitable for a Linux machine.

  • Fix CSV values not evaluated to string value for certain cases

    There are value inconsistencies for 'Complex' values with columns/fields of type String/Password when the corresponding value in the CSV is either:

    • number - value is being written in the form schema as a number even though it's supposed to be string. (i.e. value: 12 instead of value: '12')
    • false - value is being written as a value: false instead of value: 'false'
  • External value 'complex' parameter CSV gets deleted when other values are changed

    Due to an error in the parsing logic, the Form Designer was deleting the set value for a 'Complex' parameter whenever any of the other parameters' values were changed.

  • Added authorization in the get all service definitions endpoint breaks some pipeline jobs

    To access the Identity service API endpoint for retrieving all service definitions in an organization (GET /csp/gateway/slc/api/definitions), authentication credentials must be provided with the request.

  • RELEASE_IPADDRESS_PERIOD_MINUTES toggle is not org-aware

    The task that runs globally to move IP addresses from RELEASED to AVAILABLE is not org aware. In multi-org/multi-tenant environments where one or more tenants have configured the timeout, it will only pick one value and apply it to all orgs.

  • Day2 Add Disk action on Azure VM which is of un-managed disk type.

    vRA does not support creation of independent un-managed Azure disks. Hence, the Day2 Add disk action must be disabled on Azure VM which is of un-managed disk type.

  • Salt configuration CREATE with job id [] failed. Error:: : Minion deployment and/or state file run failed on Windows VM;s [Salt Error: Failed to start Salt]

    Minion deployment is failing on Windows VMs with the below error from the Salt side.

    Salt Side Error:

    "return": "Exception occurred in runner deploy.minion: Traceback (most recent call last):\n File \"/usr/lib/python3.7/site-packages/salt/client/mixins.py\", line 390, in low\n data[\"return\"] = func(*args, **kwargs)\n File \"/usr/lib/python3.7/site-packages/salt/loader.py\", line 1241, in _call_\n return self.loader.run(run_func, *args, **kwargs)\n File \"/usr/lib/python3.7/site-packages/salt/loader.py\", line 2274, in run\n return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)\n File \"/usr/lib/python3.7/site-packages/salt/loader.py\", line 2289, in _run_as\n return _func_or_method(*args, **kwargs)\n File \"/usr/lib/python3.7/site-packages//sseape/runners/deploy.py\", line 589, in minion\n raise salt.exceptions.SaltException('Error in installing salt minion - {}'.format(str(ret)))\nsalt.exceptions.SaltException: Error in installing salt minion - {'salt-vm-windows-test-mcm612-187496514722': {'Error':
    {'Not Deployed': 'Failed to start Salt on host salt-vm-windows-test-mcm612-187496514722'}
    "master_uuid": "a50dfade-26bf-42a5-be08-0b2d785af2c8",
    "minion_id": "saltstack_enterprise_installer",
  • Exceptions for READ operation are not properly processed.

    If a back-end error happens for deployment iterative updates, only a generic error message is shown. From the server logs, a detailed error message is shown. However, because of the exception not being handled properly, only a generic error message is displayed in the UI.

  • Request tracker is not working for resource views.

    On the All resources page, after selecting a machine and performing any day 2 action, the request tracker does not appear unless a manual refresh is initiated.

Known Issues

The following known issues are present in this release.

  • Failed to start upgrade to 8.5.1 and 8.6.0.

    Starting an iterative upgrade through vRSLCM to vRealize Automation 8.5.1 or later on a vRealize Automation 8.5.0 system fails at the vRealize Automation Upgrade/Patch/Internal Network step of Stage 1 about a minute or so after launching the upgrade. The previous upgrade, while completed successfully, is unable to delete its runtime data and leaves the upgrade in an "in progress" state. Hence, a new upgrade cannot be launched. This is likely to affect some systems with long host names (FQDNs) that have been upgraded from vRealize Automation 8.4.x to 8.5.0.

    Workaround: In this release, LCM will perform the precheck and notify you of the issue. For information on workaround steps, see KB 85965.

  • Upgrading from vRealize Automation 8.5 and 8.5.1 might fail with an error "Upgrade terminated due to critical error".

    Upgrading from vRealize Automation 8.5 or 8.5.1 might fail with the error "Upgrade terminated due to critical error". Disk space checks show /root at *or near* 100% utilization.

    Workaround: For information on workaround steps, see KB 85864.

  • IPv4 and IPv6 addresses are not allocated in the internal IPAM upon VM re-onboarding.

    For a VM that was onboarded and its IP allocated successfully, unregistering the VM and onboarding the VM immediately will still keep its IPs Released instead of being Allocated again. 

    Workaround: Wait for 30 minutes before onboarding the VM again to have the IP allocated.

  • Custom validation for catalog item by custom forms is now supported via API

    If a customer used vRA 8.6 and had catalog item form external validations via UI, after upgrading to vRA 8.7, when requesting a catalog item via API, the external validation won't be executed.

    Workaround: On the service broker UI, go to the custom form that the catalog item has, and re-save the form by clicking the "save" button on the UI. You can also find the catalog item id and the form id, and use PATCH /catalog/api/admin/items/{catalog-item-id} to populate the catalog item with the formId.

  • SSC: Master authentication failures.

    When a RaaS instance is running, every 24 hours, the key rotation engine attempts to refresh a jwt token. Under certain circumstances, the engine keeps an expired jwt token, instead of refreshing it, causing 401 traceback errors in the salt-master service, as it can't authenticate to the RaaS service. This will cause certain key functionalities of SSC to fail.

    Workaround: On the VM running the salt-master service, do the following:

    1. Remove the sseapi_key.pub:

      rm /etc/salt/pki/master/sseapi_key.pub

    2. Remove the jwt auth token:

      rm /var/cache/salt/master/auth_token.jwt

    3. Restart the salt-master service:

      systemctl restart salt-master

  • SSC vRA 8.6.1 Windows minion and state file deployment Support is Broken

    Sometimes minion installation on Windows fails because the requisite Windows service is not running on the host by the time the minion install has started.

    Workaround: Upgrade to SSC plugin version 8.6.2. This introduces a default delay of 180 seconds to allow all requisite Windows services to become active. Installation of the SSC plugin is documented here : Install and Configure the Master plugin.

  • SSC: Leading a target-group search with a space breaks the search feature

    Leading a search for target-groups with a space causes the search feature to break. You will experience an infinite spinner and an inability to view your target groups.

    Workaround: Refresh or leave the page. If you don't refresh the page, the feature will be unusable, and the target-group datagrid will be inaccessible.

  • Incorrectly applied constraints can cause errors with custom resources

    When adding constraints to either the item section of array fields or properties section of objects fields in the properties schema, verify that you have validated these constraints as incorrectly applied constraints can cause issues with the custom resource. For example, when adding a maximum constraint to a numbers array, you must verify that this constraint does not break the property's default value.

  • Form Renderer in Deployment Details View truncates long inputs

    As part of the Custom Resource Schema Modification feature we added Form Renderer in the Deployment Details View. Text input field values that are too long are not fully displayed. They are cut off, and there is an invisible scroller that the user can use to view the whole value.

  • Custom Resource Objects are not expandable/collapsible

    As part of the Custom Resource Schema Modification feature we added Form Renderer in the Deployment Details View. The object structures were previously collapsible; now the heading of the object and its contents are all aligned and they are not collapsible.

  • Form Renderer in Deployment Details View does not properly render complex arrays.

    As part of the Custom Resource Schema Modification feature we added Form Renderer in the Deployment Details View. In the data grid fields, if there is an array of objects, the array is displayed as '[Object, object]' in the table.

  • Onboarding machines create duplicate entries in the resource center

    When onboarding a machine, a duplicate entry for the machine is created in the resource center, with one entry in the 'discovered' state and one in the 'onboarded' state. This is a regression caused by a fix for an onboarding failure when machines have legacy IDs in the provisioning service inventory. Some machines with legacy (non-UUID) IDs in the provisioning service inventory will still produce duplicate entries in the resource center and manual cleanup of these entries will be required if this happens.

    Workaround: A code fix was made for onboarding to generate a new UUID only when a legacy ID is found for a machine in the provisioning database. In all other cases, onboarding will now use the original UUID of the machine and no duplication will occur. Any machines onboarded in 8.7 before this fix was applied to production (2/15 - 2/22) will need to be unregistered and onboarded again in order to remove the duplicate entries. These duplicate entries can also be removed manually if unregistering is not possible.

    Any machines onboarded with legacy (non-UUID) IDs will still create duplicate entries in the resource center, and these entries would need to be removed manually. Machines with legacy IDs are uncommon, only affecting machines that were discovered in early (<8.2) versions of vRA8, any machines discovered later will have UUIDs instead and will not be affected. We do not recommend onboarding these machines, and instead recommend following the process outlined in KB 88162 to temporarily remove access to the machines from vRA allowing them to be rediscovered with a UUID and onboarded normally.

  • Visibility binding doesn't work in Custom Form Renderer

    Visibility binding option was released in Form Designer from version 8.6.2, but implementation is missing in Form Renderer and hence not working.

  • Incorrectly dropped or placed elements in Cloud Templates break the UI page.

    In Firefox, using drag and drop can sometimes redirect the page. When dragging a resource node, dropping it outside of the canvas could also cause page redirection in Firefox.

    Workaround: Drop the resource in the canvas and delete it instead.

  • Custom resource subscriptions not available for custom resources based on extensibility actions.

    While vRealize Automation 8.5.1 introduced extensibility action based custom resources, there are some limitations to the feature. For example, cloud admins are still unable to include extensibility action based resources in event based subscriptions.

  • Timeout exception appears during deployment update of an extensibility action based custom resource.

    When you update an extensibility action based custom resource deployment, you might see a "504 Gateway Time-out issue" error. The error appears in the event of an extensibility action read failure.
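
For the "SSC: Master authentication failures" known issue above, the following added example (not VMware or SaltStack code) checks whether the cached token is actually expired before you apply the workaround. It assumes the file named in the workaround holds a compact JWT with a standard exp claim; token_state and sample_token are hypothetical helper names.

```python
import base64
import json
import os
import time

# Path taken from the workaround; that the file holds a compact JWT is an assumption.
TOKEN_PATH = "/var/cache/salt/master/auth_token.jwt"


def jwt_claims(token_text):
    """Decode the payload of a compact JWT (header.payload.signature), unverified."""
    parts = token_text.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def token_state(token_text, now=None):
    """Return 'expired', 'valid', 'no-exp' or 'unparseable' for the cached token."""
    now = time.time() if now is None else now
    try:
        exp = jwt_claims(token_text).get("exp")
    except ValueError:  # also covers bad base64, bad UTF-8 and bad JSON
        return "unparseable"
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return "no-exp"
    # An expired token still on disk matches the failure described above:
    # the salt-master presents it to RaaS and receives 401 responses.
    return "expired" if now >= exp else "valid"


def sample_token(exp):
    """Build a constructed, unsigned token for demonstration (not a real RaaS token)."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg({"exp": exp}), "sig"])


if __name__ == "__main__":
    print("constructed sample:", token_state(sample_token(exp=1), now=2))
    if os.path.exists(TOKEN_PATH):
        with open(TOKEN_PATH, encoding="utf-8") as fh:
            print(TOKEN_PATH, "->", token_state(fh.read()))
```

A result of expired on the salt-master VM is consistent with this known issue; any other result suggests the 401 errors have a different cause.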

Changed and Deprecated Functionality

