Least Privilege¶
Create a custom vSphere role with the required privileges to integrate HashiCorp Packer with VMware vSphere. A service account can be added to the role to ensure that Packer has least privilege access to the infrastructure.
Required Privileges¶
Clone the default Read-Only vSphere role and add the following privileges:
| Category | Privilege | Reference |
| Content Library | Add library item | ContentLibrary.AddLibraryItem |
| Update Library Item | ContentLibrary.UpdateLibraryItem |
|
| Cryptographic Operations | Direct Access (Required for packer_cache upload.) |
Cryptographer.Access |
| Encrypt (Required for vTPM.) |
Cryptographer.Encrypt |
|
| Datastore | Allocate space | Datastore.AllocateSpace |
| Browse datastore | Datastore.Browse |
|
| Low level file operations | Datastore.FileManagement |
|
| Host | Configuration > System Management | Host.Config.SystemManagement |
| Network | Assign network | Network.Assign |
| Resource | Assign virtual machine to resource pool | Resource.AssignVMToPool |
| vApp | Export | vApp.Export |
| Virtual Machine | Configuration > Add new disk | VirtualMachine.Config.AddNewDisk |
| Configuration > Add or remove device | VirtualMachine.Config.AddRemoveDevice |
|
| Configuration > Advanced configuration | VirtualMachine.Config.AdvancedConfig |
|
| Configuration > Change CPU count | VirtualMachine.Config.CPUCount |
|
| Configuration > Change memory | VirtualMachine.Config.Memory |
|
| Configuration > Change settings | VirtualMachine.Config.Settings |
|
| Configuration > Change Resource | VirtualMachine.Config.Resource |
|
| Configuration > Modify device settings | VirtualMachine.Config.EditDevice |
|
| Configuration > Set annotation | VirtualMachine.Config.Annotation |
|
| Edit Inventory > Create from existing | VirtualMachine.Inventory.CreateFromExisting |
|
| Edit Inventory > Create new | VirtualMachine.Inventory.Create |
|
| Edit Inventory > Remove | VirtualMachine.Inventory.Delete |
|
| Interaction > Configure CD media | VirtualMachine.Interact.SetCDMedia |
|
| Interaction > Configure floppy media | VirtualMachine.Interact.SetFloppyMedia |
|
| Interaction > Connect devices | VirtualMachine.Interact.DeviceConnection |
|
| Interaction > Inject USB HID scan codes | VirtualMachine.Interact.PutUsbScanCodes |
|
| Interaction > Power off | VirtualMachine.Interact.PowerOff |
|
| Interaction > Power on | VirtualMachine.Interact.PowerOn |
|
| Provisioning > Create template from virtual machine | VirtualMachine.Provisioning.CreateTemplateFromVM |
|
| Provisioning > Mark as template | VirtualMachine.Provisioning.MarkAsTemplate |
|
| Provisioning > Mark as virtual machine | VirtualMachine.Provisioning.MarkAsVM |
|
| State > Create snapshot | VirtualMachine.State.CreateSnapshot |
Once the custom vSphere role is created, assign Global Permissions in vSphere for the service account that will be used for the HashiCorp Packer to VMware vSphere integration in the next step. Global permissions are required for the content library.
For example:
-
Log in to the vCenter Server at
https://<management_vcenter_server_fqdn>/uiasadministrator@vsphere.local. -
Select Menu > Administration.
-
Create service account in vSphere SSO if it does not exist: In the left pane, select Single Sign On > Users and Groups and click on Users, from the dropdown select the domain in which you want to create the user (e.g.,
example.com) and click ADD, fill all the username (e.g.,svc-packer-vsphere)and all required details, then click ADD to create the user. -
In the left pane, select Access control > Global permissions and click the Add permissions icon.
-
In the Add permissions dialog box, enter the service account (e.g.,
svc-packer-vsphere@example.com), select the custom role (e.g., Packer to vSphere Integration Role) and the Propagate to children checkbox, and click OK.
In an environment with many vCenter Server instances, such as management and workload domains, you may wish to further reduce the scope of access across the infrastructure in vSphere for the service account. For example, if you do not want Packer to have access to your management domain, but only allow access to workload domains:
-
From the Hosts and clusters inventory, select management domain vCenter Server to restrict scope, and click the Permissions tab.
-
Select the service account with the custom role assigned and click the Edit.
-
In the Change role dialog box, from the Role drop-down menu, select No Access, select the Propagate to children checkbox, and click OK.
Terraform Example¶
If you would like to automate the creation of the custom vSphere role, a Terraform example is included in the project.
-
Navigate to the directory for the example.
cd terraform/vsphere-role -
Duplicate the
terraform.tfvars.examplefile toterraform.tfvarsin the directory.cp terraform.tfvars.example terraform.tfvars -
Open the
terraform.tfvarsfile and update the variables according to your environment. -
Initialize the current directory and the required Terraform provider for VMware vSphere.
terraform init -
Create a Terraform plan and save the output to a file.
terraform plan -out=tfplan -
Apply the Terraform plan.
terraform apply tfplan