Add a connection entry to RDM Vault on new VM deployment
Overview
Remote Desktop Manager is a fantastic tool for centralized management of various accesses to VMs and services. I have personally always used RDM to save the RDP and SSH connections that I most frequently used.
This tool, when used in conjunction with Devolutions Server (DVLS), is excellent for teams that need a centralized and common repository for access.
Recently, I found myself in need of automating the creation of entries within the various Vaults inside DVLS to reduce the effort caused by adding them manually.
In this post, I will show how to create a Workflow within vRO and a subscription in vRA to automate the addition of the entry following the deployment of a VM in vRA. The type of connection in this case will be a CyberArkPSM connection. As this is a simplified example, we will statically define the Vault in which the entry will be created.
RDM Preparation
First of all, it is necessary to create an APP Account that is part of a local admin group and that has access to the Vault where you want to create the Entry.
To simplify the creation with all the necessary data, we create a shared Template with the information required for the connection, such as Privileged Account, PSM Server, and Connection Component.
Let's take note of the name of the RDM Vault in which we want to create the connection, as we will need it later.
Creation of the Workflow
Environment
First of all, it is necessary to create the Environment that includes the RDM PowerShell module.
The name of the module is Devolutions.PowerShell, and the version in this case is 2023.2.0.9.
Be aware of the version compatibility between the module and the DVLS server. If you are using a server version 2023.2.XX as in this example, you will need to use the PowerShell module version 2023.2.XX; otherwise, the script will connect in Read-Only mode. It's important to have the server and PowerShell module versions aligned.
Workflow
The workflow consists of two Scriptable tasks. The first, "Get Properties", retrieves the VM name and IP address from the deployment by reading the InputProperties. The second, "AddSessionToRDMVault", connects to the server and creates the entry using the data retrieved from the first script.
As Variables and Input/Output, we have:
The JavaScript code for the Get Properties task, which has "inputProperties" as input and "VMresourceName" and "vmIpAddress" as output, is very simple:
// Read the VM name(s) and the first IP address from the deployment payload
var resourceName = inputProperties.get("resourceNames");
var resourceIp = inputProperties.get("addresses")[0][0];

System.log("VM Name: " + resourceName[0]);
System.log("VM IP: " + resourceIp);

// Expose the values as workflow outputs for the next task
VMresourceName = resourceName[0];
vmIpAddress = resourceIp;
This is the PowerShell code for the "AddSessionToRDMVault" task, which has "VMresourceName" and "vmIpAddress" as inputs.
function Handler($context, $inputs) {

    # Set up the connection to DVLS
    $dsname = "YOUR_DVLS_SERVER_CONNECTION_NAME_HERE"
    $dsurl = "YOUR_DVLS_SERVER_URL_HERE"
    $appkey = "YOUR_APP_KEY_HERE"
    $appsecret = "YOUR_APP_SECRET_HERE"
    New-RDMDataSource -DVLS -Name $dsname -Server $dsurl -ScriptingTenantID $appkey -ScriptingApplicationPassword $appsecret -SetDatasource
    $ds = Get-RDMDataSource -Name $dsname
    Set-RDMDatasourceProperty -DataSource $ds -Property "Timeout" -Value 60
    Set-RDMCurrentDataSource $ds.id

    # Get and set the vault id
    $repo = Get-RDMRepository -Name "YOUR_VAULT_NAME_HERE"
    $repoid = $repo.id
    Set-RDMCurrentRepository -id $repoid

    # Set the session input details
    $template = Get-RDMTemplate | Where-Object -FilterScript {$_.Name -eq "YOUR_TEMPLATE_NAME_HERE"}
    $namesess = $inputs.VMresourceName
    $hostip = $inputs.vmIpAddress

    # Create the session entry
    $session = New-RDMSession -Name $namesess -Host $hostip -Type "CyberArkPSM" -TemplateID $template.id -SetSession
    Set-RDMSession -Session $session -Refresh
    Update-RDMUI

    # Disconnect from DVLS
    Get-RDMDataSource | Remove-RDMDataSource

    # Result returned to the workflow
    $output = @{ status = 'done' }
    return $output

}
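A hardened variant of the task above, added here as an example (not code from the original post or from Devolutions): it takes the DVLS application key and secret from workflow inputs instead of literals in the script, validates the deployment data before writing it to the vault, and removes its own data source even when a step fails. The input names dvlsUrl, dvlsAppKey, dvlsAppSecret, vaultName and templateName are hypothetical, and the example assumes the key and secret are bound to SecureString workflow variables that reach the script through $inputs.

```powershell
function Handler($context, $inputs) {
    # Hypothetical inputs: dvlsUrl, dvlsAppKey, dvlsAppSecret, vaultName, templateName.
    # Assumption: key and secret come from SecureString workflow variables.
    $ErrorActionPreference = 'Stop'
    $dsname = "vro-" + [guid]::NewGuid().ToString('N')   # unique per run

    # Validate deployment data before it becomes an entry in a shared vault.
    $name = [string]$inputs.VMresourceName
    if ($name -notmatch '^[A-Za-z0-9][A-Za-z0-9._-]{0,62}\z') {
        throw "Unexpected VM name: '$name'"
    }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse([string]$inputs.vmIpAddress, [ref]$ip)) {
        throw "Unexpected IP address: '$($inputs.vmIpAddress)'"
    }

    try {
        New-RDMDataSource -DVLS -Name $dsname -Server $inputs.dvlsUrl `
            -ScriptingTenantID $inputs.dvlsAppKey `
            -ScriptingApplicationPassword $inputs.dvlsAppSecret -SetDatasource | Out-Null
        $ds = Get-RDMDataSource -Name $dsname
        Set-RDMCurrentDataSource $ds.id

        # Fail early if the vault or template is missing or ambiguous.
        $repo = Get-RDMRepository -Name $inputs.vaultName
        if (-not $repo) { throw "Vault '$($inputs.vaultName)' not found or not accessible" }
        Set-RDMCurrentRepository -id $repo.id
        $template = @(Get-RDMTemplate | Where-Object { $_.Name -eq $inputs.templateName })
        if ($template.Count -ne 1) { throw "Expected one template named '$($inputs.templateName)'" }

        $session = New-RDMSession -Name $name -Host $ip.ToString() -Type "CyberArkPSM" `
            -TemplateID $template[0].id -SetSession
        Set-RDMSession -Session $session -Refresh | Out-Null
        return @{ status = 'created'; entry = $name; vault = $inputs.vaultName }
    }
    finally {
        # Remove only this run's data source, even after a failure, so the
        # definition holding the application key and secret is not left configured.
        Get-RDMDataSource | Where-Object { $_.Name -eq $dsname } | Remove-RDMDataSource
    }
}
```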
Our Workflow looks like this:
Extensibility Subscription
To automatically execute the workflow with every VM deployment, we need to create a Subscription within the Extensibility menu of the Cloud Assembly as follows:
The event topic should be "Compute post provision" so that our workflow is initiated only after the allocation of resources is complete. In this way, all the data necessary for its execution will be available. With these settings, the Subscription will be active for any deployment of any project within the organization. It is possible to filter it by event topic or by project. See "Create an extensibility subscription".
Conclusions
When a new VM deployment is executed, this output is obtained:
In the log, many warnings of "The operation has timed out." are visible. To solve this problem, on the suggestion of Devolutions support, I added the following line to the script:
Set-RDMDatasourceProperty -DataSource $ds -Property "Timeout" -Value 60
However, this did not resolve the issue with the warnings. Nonetheless, despite the warnings, the script works correctly, and we find our entry within RDM. Unfortunately, I couldn't find useful documentation regarding the Devolutions PowerShell module, and since I don't have much time and it works, for now, I'm simply ignoring the warning.
The steps described in this post are simplified and may require further customization.