Don't touch vapp properties (ovf) where ovf:userConfigurable="false" #394

Closed
dhekimian opened this issue Feb 8, 2018 · 9 comments · Fixed by #751
Labels
bug Type: Bug

Comments

@dhekimian
Contributor

Terraform Version

0.11.3

vSphere Provider Version

terraform-provider-vsphere_v1.3.2_x4

Affected Resource(s)

  • vsphere_virtual_machine

Expected Behavior

When a vapp has a mix of ovf:userConfigurable="true" and ovf:userConfigurable="false" values, only modify the values where ovf:userConfigurable="true"

Don't touch the values for ovf:userConfigurable="false"

Actual Behavior

When Terraform runs, it tries to edit/change/remove all ovf:userConfigurable values and errors with:

vsphere_virtual_machine.vcenter-01: error reconfiguring virtual machine: error reconfiguring virtual machine: Property guestinfo.cis.appliance.net.ports is not user configurable.

Snippet from the .ovf

```xml
<Property ovf:key="guestinfo.cis.appliance.net.ports" ovf:type="string" ovf:userConfigurable="false" ovf:value="{}">
  <Label>Custom Network Ports</Label>
  <Description>A string encoding a JSON object mapping port names to port numbers.</Description>
</Property>
```

It should be a simple check to see if userConfigurable is false and, if so, not touch it.

@vancluever vancluever added the bug Type: Bug label Feb 8, 2018
@vancluever
Contributor

@dhekimian can you send along the Terraform configuration that is causing this error? Just double checking that the value was not specified in your configuration.

Thanks!

@dhekimian
Contributor Author

@vancluever I've confirmed the value above was not in the .tf.

```json
"vapp": {
    "properties": {
        "guestinfo.cis.vmdir.site-name": "default-first-site",
        "guestinfo.cis.appliance.net.addr": "172.16.3.130",
        "guestinfo.cis.deployment.autoconfig": "true",
        "guestinfo.cis.appliance.net.prefix": "24",
        "guestinfo.cis.appliance.net.addr.family": "ipv4",
        "guestinfo.cis.appliance.net.mode": "static",
        "guestinfo.cis.vmdir.password": "password",
        "guestinfo.cis.appliance.root.passwd": "password",
        "guestinfo.cis.vmdir.domain-name": "vsphere.local",
        "guestinfo.cis.appliance.ssh.enabled": "true",
        "guestinfo.cis.appliance.net.gateway": "172.16.3.1",
        "guestinfo.cis.appliance.net.pnid": "172.16.3.130",
        "guestinfo.cis.deployment.node.type": "embedded",
        "guestinfo.cis.appliance.net.dns.servers": "8.8.8.8",
        "guestinfo.cis.ceip_enabled": "false",
        "guestinfo.cis.appliance.ntp.servers": "0.ntp.pool.org"
    }
}
```

The OVF has 60 OVF properties and 47 of them are set to ovf:userConfigurable="false".

https://gist.github.com/dhekimian/8061aaee65e9389c2f09cf3d6924c421

As you can see in the gist, the first ovf:userConfigurable="false" value is the one we are getting the error message on.

@vancluever
Contributor

Great to know @dhekimian (and am really liking the fact you are trying to TF the VCSA deploy)!

Hoping that we can get to this soon as I don't necessarily think it should be a hard fix.

@dhekimian
Contributor Author

@vancluever

We've been following this guide: virtuallyGhetto: How to deploy the vCenter Server Appliance (VCSA) 6.5 running on VMware Fusion & Workstation?

To work around the issue, we ended up doing the following:

  1. Import the OVA into vcenter
  2. Execute this PowerShell script to change the ovf:userConfigurable="false" to True:

```powershell
$VM = Get-VM -Name "VMware vCenter Server Appliance v6.5.0 b7119157"

# Build a reconfigure spec that carries a vApp config section
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.changeVersion = $VM.ExtensionData.Config.ChangeVersion
$spec.vAppConfig = New-Object VMware.Vim.VmConfigSpec

# Re-submit every existing vApp property as an "edit" with UserConfigurable forced to true
$properties = $VM.ExtensionData.Config.VAppConfig.Property
foreach ($prop in $properties) {
  $p = New-Object VMware.Vim.VAppPropertySpec
  $p.operation = "edit"
  $p.info = $prop
  $p.info.UserConfigurable = $True

  $spec.vAppConfig.property += $p
}

$VM.ExtensionData.ReconfigVM_Task($spec)

# should add a place to convert passwords to strings...

# get all the id's and values
$VM.ExtensionData.Config.VAppConfig.Property | Select {$_.id,$_.Value}
```

  3. Manually change all the password fields to strings (Couldn't get it to work without this step...)
  4. Add ALL 60 OVF properties with sane values to our terraform .tf

```json
"vapp": {
    "properties": {
        "domain": "corp.local",
        "guestinfo.cis.ad.domain-name": "",
        "guestinfo.cis.ad.domain.password": "",
        "guestinfo.cis.ad.domain.username": "",
        "guestinfo.cis.appliance.net.addr": "172.16.3.130",
        "guestinfo.cis.appliance.net.addr.family": "ipv4",
        "guestinfo.cis.appliance.net.dns.servers": "8.8.8.8",
        "guestinfo.cis.appliance.net.gateway": "172.16.3.1",
        "guestinfo.cis.appliance.net.mode": "static",
        "guestinfo.cis.appliance.net.pnid": "vcenter-01.corp.local",
        "guestinfo.cis.appliance.net.ports": "",
        "guestinfo.cis.appliance.net.prefix": "24",
        "guestinfo.cis.appliance.ntp.servers": "0.pool.ntp.org",
        "guestinfo.cis.appliance.root.passwd": "Password1!",
        "guestinfo.cis.appliance.root.shell": "",
        "guestinfo.cis.appliance.ssh.enabled": "True",
        "guestinfo.cis.appliance.time.tools-sync": "False",
        "guestinfo.cis.ceip_enabled": "False",
        "guestinfo.cis.clientlocale": "",
        "guestinfo.cis.db.instance": "",
        "guestinfo.cis.db.password": "",
        "guestinfo.cis.db.provider": "",
        "guestinfo.cis.db.servername": "",
        "guestinfo.cis.db.serverport": "",
        "guestinfo.cis.db.type": "embedded",
        "guestinfo.cis.db.user": "",
        "guestinfo.cis.deployment.autoconfig": "True",
        "guestinfo.cis.deployment.node.type": "embedded",
        "guestinfo.cis.feature.states": "",
        "guestinfo.cis.lookup.hidessltrust": "",
        "guestinfo.cis.netdump.enabled": "",
        "guestinfo.cis.silentinstall": "",
        "guestinfo.cis.system.vm0.hostname": "vcenter-01.corp.local",
        "guestinfo.cis.system.vm0.port": "",
        "guestinfo.cis.upgrade.import.directory": "",
        "guestinfo.cis.upgrade.silent": "",
        "guestinfo.cis.upgrade.source.export.directory": "",
        "guestinfo.cis.upgrade.source.guest.password": "",
        "guestinfo.cis.upgrade.source.guest.user": "",
        "guestinfo.cis.upgrade.source.guestops.host.addr": "",
        "guestinfo.cis.upgrade.source.guestops.host.password": "",
        "guestinfo.cis.upgrade.source.guestops.host.user": "",
        "guestinfo.cis.upgrade.source.ma.port": "",
        "guestinfo.cis.upgrade.source.platform": "",
        "guestinfo.cis.upgrade.source.ssl.thumbprint": "",
        "guestinfo.cis.upgrade.source.vpxd.ip": "",
        "guestinfo.cis.upgrade.source.vpxd.password": "",
        "guestinfo.cis.upgrade.source.vpxd.user": "",
        "guestinfo.cis.upgrade.user.options": "",
        "guestinfo.cis.vmdir.domain-name": "vsphere.local",
        "guestinfo.cis.vmdir.first-instance": "True",
        "guestinfo.cis.vmdir.password": "Password1!",
        "guestinfo.cis.vmdir.replication-partner-hostname": "",
        "guestinfo.cis.vmdir.site-name": "default-first-site",
        "guestinfo.cis.vmdir.username": "administrator@vsphere.local",
        "guestinfo.cis.vpxd.mac-allocation-scheme.prefix": "",
        "guestinfo.cis.vpxd.mac-allocation-scheme.prefix-length": "",
        "guestinfo.cis.vpxd.mac-allocation-scheme.ranges": "",
        "searchpath": "corp.local",
        "vmname": "vcenter-server-applaince"
    }
}
```

We've been importing VCSA with ovftool and would really like to incorporate it into our Terraform workflow. Do you have access to the VMware VCSA to test with?

@vancluever
Contributor

@dhekimian we do have the VCSA OVA - I don't really do any VCSA deploys these days without the OVA and this is personally something that I want to look at as a use case so that we can work towards self-hosting our lab deployment with Terraform. Although I might OOB-test this with something a bit simpler than the VCSA just due to the complexity of the configuration.

@dhekimian
Contributor Author

@vancluever If you do use a different VM, may I suggest you make sure to add the following parameter as we are also running into issues with ovf:password="true".

```xml
<Property ovf:key="guestinfo.cis.appliance.root.passwd" ovf:password="true" ovf:type="string" ovf:userConfigurable="true">
  <Label>Root Password</Label>
  <Description>Password to assign to root account.  If blank, password can be set on the console.</Description>
</Property>
```
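
Added example (not code from this thread or from the provider): the check this issue asks for, written in Go. It reads `ovf:userConfigurable` and `ovf:password` from an OVF fragment and classifies only the keys a configuration actually sets, so read-only properties the configuration never mentions are left alone. `Plan`, `PlanVAppEdits` and the sample fragment are assumptions made for the illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Property holds the OVF <Property> attributes at issue; a missing boolean attribute decodes as false.
type Property struct {
	Key              string `xml:"key,attr"`
	UserConfigurable bool   `xml:"userConfigurable,attr"`
	Password         bool   `xml:"password,attr"`
}

// Constructed sample: the two <Property> elements quoted in this issue plus one more key.
const sampleOVF = `<ProductSection xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">
  <Property ovf:key="guestinfo.cis.appliance.net.ports" ovf:type="string" ovf:userConfigurable="false" ovf:value="{}"/>
  <Property ovf:key="guestinfo.cis.appliance.root.passwd" ovf:password="true" ovf:type="string" ovf:userConfigurable="true"/>
  <Property ovf:key="guestinfo.cis.appliance.net.mode" ovf:type="string" ovf:userConfigurable="true"/>
</ProductSection>`

// Plan (hypothetical type): keys to send, keys to refuse, and editable secrets.
type Plan struct{ Edit, Rejected, Secrets []string }

// PlanVAppEdits (hypothetical helper) classifies only the keys present in desired.
func PlanVAppEdits(ovf string, desired map[string]string) (Plan, error) {
	var doc struct{ Props []Property `xml:"Property"` }
	if err := xml.Unmarshal([]byte(ovf), &doc); err != nil {
		return Plan{}, err
	}
	var plan Plan
	for _, p := range doc.Props { // OVF document order keeps the result deterministic
		if _, set := desired[p.Key]; !set {
			continue // not in the configuration: leave the property untouched
		}
		if !p.UserConfigurable {
			plan.Rejected = append(plan.Rejected, p.Key) // would fail at reconfigure time
			continue
		}
		plan.Edit = append(plan.Edit, p.Key)
		if p.Password {
			plan.Secrets = append(plan.Secrets, p.Key) // ovf:password="true": handle as a secret
		}
	}
	return plan, nil
}

func main() {
	fmt.Println(PlanVAppEdits(sampleOVF, map[string]string{"guestinfo.cis.appliance.net.ports": "{}"}))
}
```

Keys in `Rejected` are better reported as a configuration error before any reconfigure call, and keys in `Secrets` are the ones whose values should not sit in a `.tf` file as plain text.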

@sdorsett

William Lam's Nested ESXi Virtual Appliances can also be used for testing since they have a 'guestinfo.debug' property that has userConfigurable set to false. They can be found here:
https://www.virtuallyghetto.com/2017/05/updated-nested-esxi-6-0u3-6-5d-virtual-appliances.html

@six-arm

six-arm commented Jul 16, 2018

@dhekimian, any chance you could elaborate on what was done for step 3 "Manually change all the password fields to strings (Couldn't get it to work without this step...)". I've been able to reproduce your work so far. I'm curious if you are modifying the VCSA ovf and re-packaging the ova? Or is it possible to change the "ovf:password" attribute over powershell?

Thanks.

UPDATE: This is now working. It turns out the VCSA ova in the iso file has an embedded password that expires. This manifests itself as an RPM install failure. After I got the latest (VMware-VCSA-all-6.5.0-8815520), the Terraform deploy worked. I did not need to make any changes to the password field outside of the script provided.

@adarobin
Contributor

I just submitted a PR for this, but I'd love any feedback on if it works for someone else as well.

@hashicorp hashicorp locked and limited conversation to collaborators Apr 18, 2020