Hi all
I would like to share a script I developed over the last few days.
What the script does:
- Add an internal network called "Internal" with NAT/Firewall to a vApp
- Add firewall rules (e.g. RDP)
- Set the default stop action for every VM within this vApp to "Shutdown" instead of PowerOff
- Enable GuestCustomization for each VM (enable customization and SID change; disable all other options, such as Admin Password)
- Upgrade HW Version to latest (HW9)
---------------------------------------------------------------------------------------------------------------------------------------------
# Load the PowerCLI snap-ins (vSphere core and vCloud) unless they are already present.
foreach ($snapin in @('VMware.VimAutomation.Core', 'VMware.VimAutomation.Cloud')) {
    if ($null -eq (Get-PSSnapin -Name $snapin -ErrorAction SilentlyContinue)) {
        Add-PSSnapin $snapin
    }
}
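# Connect to the vCloud Director cell and the backing vCenter.
# -ErrorAction Stop: a failed connection aborts here instead of surfacing later
# as confusing errors inside the vApp loop.
Connect-CIServer -Server vcloudcell1 -ErrorAction Stop
Connect-VIServer -Server vcenter1 -ErrorAction Stop

# MessageBox lives in System.Windows.Forms, which a plain console host does not
# load automatically (the ISE does).
Add-Type -AssemblyName System.Windows.Forms

$myOrgInput  = Read-Host "Please enter the Organization name:"
$myvAppInput = Read-Host "Please enter the vApp name:"

# Get-Org / Get-CIVApp report an unknown name as a NON-terminating error, which
# try/catch does not see; without -ErrorAction Stop the catch never runs and the
# script continues with $null. -ErrorAction Stop makes the error terminating so
# the message box and Exit actually happen.
try {
    $myOrg = Get-Org -Name $myOrgInput -ErrorAction Stop
} catch {
    [System.Windows.Forms.MessageBox]::Show("Organization " + $myOrgInput + " does not exist.", "Org not found.", 0, [System.Windows.Forms.MessageBoxIcon]::Exclamation)
    Exit
}
try {
    $vApps = Get-CIVApp -Name $myvAppInput -Org $myOrg -ErrorAction Stop
} catch {
    [System.Windows.Forms.MessageBox]::Show("vApp " + $myvAppInput + " does not exist.", "vApp not found", 0, [System.Windows.Forms.MessageBoxIcon]::Exclamation)
    Exit
}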
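# The parent org network is the same for every vApp, so look it up once rather
# than once per loop iteration.
$NATOrgNetwork = Get-OrgNetwork -Name "My External Org Network" -Org $myOrg

foreach ($vApp in $vApps) {
    # Add the routed (NAT) vApp network "Internal" behind the org network.
    New-CIVAppNetwork -ParentOrgNetwork $NATOrgNetwork -VApp $vApp -Routed -DnsSuffix "lab.local" -Gateway "172.20.20.1" -Name "Internal" -Netmask "255.255.255.0" -PrimaryDns "10.1.10.250" -StaticIPPool "172.20.20.100-172.20.20.199"

    # Firewall service: default drop, plus three explicit allow rules.
    $networkConfigSection = $vApp.ExtensionData.GetNetworkConfigSection()
    $vAppNetwork = $networkConfigSection.NetworkConfig | Where-Object { $_.networkName -eq "Internal" }

    $fwService = New-Object vmware.vimautomation.cloud.views.firewallservice
    $fwService.DefaultAction = "drop"
    $fwService.LogDefaultAction = $false
    $fwService.IsEnabled = $true

    # Rule 1 - allow all outbound traffic from the vApp network.
    $ruleOut = New-Object vmware.vimautomation.cloud.views.firewallrule
    $ruleOut.isenabled = $true
    $ruleOut.description = "Outgoing Traffic"
    $ruleOut.protocols = New-Object vmware.vimautomation.cloud.views.firewallRuleTypeProtocols
    $ruleOut.protocols.ANY = $true
    $ruleOut.policy = "allow"
    $ruleOut.destinationIp = "external"
    $ruleOut.sourceip = "internal"

    # Rule 2 - inbound RDP. "external" as source means any address on the org
    # network side; narrow it to a management range if that network is not
    # fully trusted.
    $ruleRdp = New-Object vmware.vimautomation.cloud.views.firewallrule
    $ruleRdp.isenabled = $true
    $ruleRdp.description = "RDP"
    $ruleRdp.protocols = New-Object vmware.vimautomation.cloud.views.firewallRuleTypeProtocols
    $ruleRdp.protocols.Tcp = $true
    $ruleRdp.policy = "allow"
    $ruleRdp.port = "3389"
    $ruleRdp.destinationIp = "internal"
    $ruleRdp.sourceip = "external"

    # Rule 3 - inbound ICMP (ping).
    $rulePing = New-Object vmware.vimautomation.cloud.views.firewallrule
    $rulePing.isenabled = $true
    $rulePing.description = "PING"
    $rulePing.protocols = New-Object vmware.vimautomation.cloud.views.firewallRuleTypeProtocols
    $rulePing.protocols.Icmp = $true
    $rulePing.policy = "allow"
    $rulePing.destinationIp = "internal"
    $rulePing.sourceip = "external"

    # Exactly the three configured rules. The original created four rule objects
    # but only set properties on three, sending an empty rule to the server.
    $fwService.FirewallRule = @($ruleOut, $ruleRdp, $rulePing)

    # Drop any firewall service already on the network, attach ours, and push
    # the whole network config section back to vCloud.
    $vAppNetwork.Configuration.Features = $vAppNetwork.Configuration.Features | Where-Object { -not ($_ -is [vmware.vimautomation.cloud.views.firewallservice]) }
    $vAppNetwork.configuration.features += $fwService
    $networkConfigSection.UpdateServerData()

    foreach ($vm in Get-CIVM -VApp $vApp) {
        # Guest customization: enable it and the SID change only. With
        # AdminPasswordEnabled off, vCloud does not set or reset the local
        # administrator password, so the template's password stays in place.
        $GuestCustomization = $vm.ExtensionData.GetGuestCustomizationSection()
        $GuestCustomization.Enabled = $true
        $GuestCustomization.ChangeSid = $true
        $GuestCustomization.ResetPasswordRequired = $false
        $GuestCustomization.AdminPasswordEnabled = $false
        $GuestCustomization.UpdateServerData()

        # Stop action: graceful guest shutdown instead of power-off.
        $startRule = Get-CIVAppStartRule -VApp $vApp -VM $vm
        Set-CIVAppStartRule -StartRule $startRule -StopAction ShutDown

        # Upgrade virtual hardware to the latest version the host supports.
        # Resolve the vCloud VM to its vSphere view via the related object.
        $vsphereVMView = Get-View -RelatedObject $vm.ExtensionData
        $vivm = Get-VIObjectByVIView $vsphereVMView
        $vmview = Get-View -Id $vivm.Id

        # UpgradeVM_Task throws InvalidPowerState on a running VM, which would
        # abort the rest of the loop; warn and skip instead.
        if ($vmview.Runtime.PowerState -ne 'poweredOff') {
            Write-Warning ("Skipping HW upgrade for " + $vm.Name + ": VM is not powered off.")
            continue
        }
        # $null = upgrade to the highest version supported by the host.
        $vmview.UpgradeVM_Task($null)
    }
}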