It has been a little while since I posted raw PowerShell, so I figured it was time! What do I have for you this time?
Let’s say you have the following things, and want them in a simple working scenario:
Oh, you say you also have Windows Azure Pack (WAP), Service Management Automation (SMA) and/or System Center Orchestrator? Well, that is excellent! Just take the PowerShell examples you see here, and leverage them as you see fit. Of course, I will give some context around usage scenarios for the PowerShell scripts provided here (see “Next Steps” below), but I wanted to be as generic as possible.
Here is the high level breakdown of the scenario in this blog post (all steps are performed with PowerShell against Virtual Machine Manager):
Before we dive in, let’s take a quick look at some of these concepts…
Multi-tenancy within Virtual Machine Manager provides capabilities for VM Network Isolation, individualized Service Deployment and Tenant Administration. Tenant Administrators are responsible for cloud resources and self-service user administration.
Here is how Virtual Machine Manager defines the “Tenant Administrator” User Role Profile:
Essentially, Tenant Administrators can be allocated a specific set of resources in a specified cloud. How each Tenant Administrator uses these resources is up to them, and they are seen as “owners” of the resources within Virtual Machine Manager.
Note If you would like a little bit more information about the Tenant Administrator User Role in VMM, check out this TechNet Library entry: How to Create a Tenant Administrator User Role in VMM (manual steps)
The OnBehalfOf parameters (-OnBehalfOfUser and -OnBehalfOfUserRole) allow Virtual Machine Manager commands to be executed “On Behalf Of” specified users, so the resulting objects are owned by that user and user role rather than by the account that ran the command. In our scenario, these commands are executed “On Behalf Of” created and assigned Tenant Administrators. Because the caller is acting as the tenant, the account running these workflows needs VMM Administrator rights of its own; treat it as a privileged automation identity and keep the tenant roles it creates tightly scoped.
While a bit dated, it is still relevant - here is a bit more information about “Proxying Identity” with “OnBehalfOf” in Virtual Machine Manager:
Resource: Enabling Hosted IaaS Clouds for Service Providers
So, let’s not waste any more time on explanation, and get right to the scripts!
The following PowerShell workflow script (Create-TenantAdminUserRole) will create a VMM Tenant Administrator User Role with the following settings:
Note You may keep these example settings, or modify to fit your deployment specifications.
You can call the Create-TenantAdminUserRole workflow once per Tenant Admin, like this:
Or, you can create/leverage an array of Tenant Admins, and call Create-TenantAdminUserRole within a foreach statement, like this:
And, I don’t want to get too crazy, but you could even create a hash table to pass in a list of both UserRoleName and CloudName, like this:
Finally, and one step beyond (I am not even going to show it), you could place the workflow call in another workflow, so you could leverage ForEach -Parallel.
There are lots of options here, choose the one that makes sense for your deployment.
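As an added example (this is not the script from the post), here is a minimal Create-TenantAdminUserRole workflow that does what the settings above describe, followed by the single-call and hash table invocation patterns. The VMM server name (VMM01), cloud names, role names, member accounts, quota values and the permission list are all placeholders to adjust for your deployment.

```powershell
# Added example, not the post's own script. VMM01, CONTOSO, the cloud/role names,
# the quota defaults and the permission list below are assumptions for illustration.
workflow Create-TenantAdminUserRole
{
    param
    (
        [Parameter(Mandatory=$true)][string]$VMMServer,
        [Parameter(Mandatory=$true)][string]$UserRoleName,
        [Parameter(Mandatory=$true)][string]$CloudName,
        [Parameter(Mandatory=$true)][string[]]$Members,   # e.g. "CONTOSO\TenantAdmin01"
        [int]$VMCount          = 10,
        [int]$CPUCount         = 20,
        [int]$MemoryMB         = 32768,
        [int]$StorageGB        = 1024,
        [int]$VMNetworkMaximum = 2
    )

    # VMM cmdlets are not workflow activities, so they run inside an InlineScript,
    # with workflow variables passed in via $Using:. Only a string comes back out,
    # which keeps the workflow boundary serialization-friendly.
    $Result = InlineScript
    {
        Import-Module virtualmachinemanager -ErrorAction Stop
        $null  = Get-SCVMMServer -ComputerName $Using:VMMServer -ErrorAction Stop
        $Cloud = Get-SCCloud -Name $Using:CloudName -ErrorAction Stop

        # Idempotent: reuse the role if an earlier run already created it.
        $UserRole = Get-SCUserRole -Name $Using:UserRoleName
        if (-not $UserRole)
        {
            $UserRole = New-SCUserRole -Name $Using:UserRoleName `
                                       -UserRoleProfile "TenantAdmin" `
                                       -Description "Tenant Administrator for $($Using:UserRoleName)"
        }

        # Scope the role to exactly one cloud and grant a bounded set of VM actions.
        # Anything not listed (for example LocalAdmin or Share) stays withheld.
        Set-SCUserRole -UserRole $UserRole `
                       -AddMember $Using:Members `
                       -AddScope $Cloud `
                       -VMNetworkMaximum $Using:VMNetworkMaximum `
                       -Permission @("Author", "AuthorVMNetwork", "Deploy", "DeployFromTemplate",
                                     "Checkpoint", "Start", "Stop", "Shutdown", "PauseAndResume",
                                     "RemoteConnect", "Remove", "Store", "Save")

        # Quota is what stops one tenant from exhausting the shared cloud.
        Set-SCUserRoleQuota -UserRole $UserRole -Cloud $Cloud `
                            -VMCount $Using:VMCount -CPUCount $Using:CPUCount `
                            -MemoryMB $Using:MemoryMB -StorageGB $Using:StorageGB

        (Get-SCUserRole -Name $Using:UserRoleName).Name
    }

    $Result
}

# One call per Tenant Admin ...
Create-TenantAdminUserRole -VMMServer "VMM01" -UserRoleName "Tenant01" `
                           -CloudName "TenantCloud" -Members "CONTOSO\TenantAdmin01"

# ... or a hash table of UserRoleName -> CloudName, iterated in a foreach.
$Tenants = @{ "Tenant01" = "TenantCloud"; "Tenant02" = "TenantCloud"; "Tenant03" = "TestCloud" }
foreach ($Name in $Tenants.Keys)
{
    Create-TenantAdminUserRole -VMMServer "VMM01" -UserRoleName $Name `
                               -CloudName $Tenants[$Name] -Members "CONTOSO\$Name-Admin"
}
```

The permission list and quota values are the least-privilege knobs here: a Tenant Administrator gets only the actions and capacity you grant on the one cloud in scope, so start narrow and widen per tenant rather than the other way around.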
The following PowerShell workflow script (Create-VMNetwork) will create a VMM VM Network with the following settings:
You can call the Create-VMNetwork workflow once per Tenant Admin, like this (leverages the Create-TenantAdminUserRole above):
I am not going to dive into the details for this example, but the same array and hash table approaches described above apply to this call as well, since this example uses a 1:1 mapping of Tenant Admin User Role to VM Network.
Again, there are lots of options here, choose the one that makes sense for your deployment.
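As an added example (not the post's own script), here is a Create-VMNetwork workflow that creates a network-virtualization-isolated VM Network on behalf of the Tenant Admin created above, then adds a subnet and a customer-address IP pool to it. The server name, the logical network name, the tenant user account, and the 10.0.0.0/24 addressing are assumptions; the logical network is assumed to already have network virtualization and a provider-address pool configured.

```powershell
# Added example, not the post's own script. VMM01, the logical network name,
# CONTOSO\TenantAdmin01 and the 10.0.0.0/24 addressing are assumptions.
workflow Create-VMNetwork
{
    param
    (
        [Parameter(Mandatory=$true)][string]$VMMServer,
        [Parameter(Mandatory=$true)][string]$UserRoleName,        # role from Create-TenantAdminUserRole
        [Parameter(Mandatory=$true)][string]$OnBehalfOfUser,      # e.g. "CONTOSO\TenantAdmin01"
        [Parameter(Mandatory=$true)][string]$LogicalNetworkName,  # HNV-enabled logical network
        [string]$Subnet       = "10.0.0.0/24",
        [string]$IPRangeStart = "10.0.0.10",
        [string]$IPRangeEnd   = "10.0.0.200",
        [string]$Gateway      = "10.0.0.1"
    )

    $Result = InlineScript
    {
        Import-Module virtualmachinemanager -ErrorAction Stop
        $null = Get-SCVMMServer -ComputerName $Using:VMMServer -ErrorAction Stop

        $UserRole       = Get-SCUserRole -Name $Using:UserRoleName -ErrorAction Stop
        $LogicalNetwork = Get-SCLogicalNetwork -Name $Using:LogicalNetworkName -ErrorAction Stop
        $VMNetworkName  = "$($Using:UserRoleName)-VMNetwork"

        # Idempotent: do not create a second network for the same tenant on re-run.
        $VMNetwork = Get-SCVMNetwork -Name $VMNetworkName
        if (-not $VMNetwork)
        {
            # Created "OnBehalfOf" the tenant, so the tenant (not the automation account)
            # is the Owner and the network shows up in the tenant's self-service scope.
            $VMNetwork = New-SCVMNetwork -Name $VMNetworkName `
                                         -LogicalNetwork $LogicalNetwork `
                                         -IsolationType "WindowsNetworkVirtualization" `
                                         -CAIPAddressPoolType "IPV4" `
                                         -PAIPAddressPoolType "IPV4" `
                                         -OnBehalfOfUser $Using:OnBehalfOfUser `
                                         -OnBehalfOfUserRole $UserRole

            # Customer-address subnet and pool. With network virtualization every tenant
            # can reuse the same CA space; isolation comes from the virtualized network,
            # not from unique addressing.
            $SubnetVLan = New-SCSubnetVLan -Subnet $Using:Subnet
            $VMSubnet   = New-SCVMSubnet -Name "$VMNetworkName-Subnet" `
                                         -VMNetwork $VMNetwork `
                                         -SubnetVLan $SubnetVLan

            $DefaultGateway = New-SCDefaultGateway -IPAddress $Using:Gateway -Automatic
            $null = New-SCStaticIPAddressPool -Name "$VMNetworkName-Pool" `
                                              -VMSubnet $VMSubnet `
                                              -Subnet $Using:Subnet `
                                              -IPAddressRangeStart $Using:IPRangeStart `
                                              -IPAddressRangeEnd $Using:IPRangeEnd `
                                              -DefaultGateway $DefaultGateway
        }

        # Hand back only what the next step (service deployment) needs.
        $VMNetwork.Name
    }

    $Result
}

# One call per Tenant Admin, chained from Create-TenantAdminUserRole.
Create-VMNetwork -VMMServer "VMM01" -UserRoleName "Tenant01" `
                 -OnBehalfOfUser "CONTOSO\TenantAdmin01" -LogicalNetworkName "TenantLogicalNetwork"
```

The VMNetworkMaximum set on the user role in the previous step is what bounds how many of these networks a tenant can create for themselves afterwards; the workflow itself runs as the automation account and is not subject to that limit.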
The following PowerShell workflow script (Deploy-VMMService) will deploy a VMM Service Template with the following settings:
Note The Deploy-VMMService PowerShell workflow script depends on return values from the Build-ServiceSettings PowerShell workflow script.
Obviously there are many ways to get/set Global Settings for VMM Service Template Deployment. The following example is just one of them:
Note The above example is the one used in the “Tenant Provisioning POC” my team is running through. In the POC (as you can see from the script), we have four primary types of Service Templates (Active Directory, SharePoint, Exchange, and Lync). The parameters and naming for each Service Template vary to ensure a varied set of test deployments. To keep things simple, we are deriving all the Service Template Global Settings from pre-existing data (like $OwnerUserRoleName and the associated Tenant Network).
As mentioned above, the Build-ServiceSettings PowerShell workflow script is called from the Deploy-VMMService PowerShell workflow script. The following is a simple example, but you will see it in action within the script of the Deploy-VMMService PowerShell workflow below:
Once again, this example is just so you can see what kind of data the Build-ServiceSettings PowerShell workflow script is “expecting”. Leverage this example as desired; the way it is used in our POC can be seen in the very next example.
Note Lines 024 – 027 above deal with the dynamic generation of new Service Templates based on an original (known good) Service Template. The original Service Template is queried for by name and release, and the new Service Template (generated specifically for the $OwnerUserRoleName) is created using the same Service Template Name, but a Service Template Release matching the User Role Name (for unique identification and creation). Line 028 above is used to Grant the User Role permissions to this new Service Template. Note that the New-SCServiceTemplate cmdlet does not take the OnBehalfOf parameters, so the per-tenant copy is created as the automation account, and the Grant-SCResource call is what makes it visible to the tenant.
You can call the Deploy-VMMService workflow once per Tenant Admin, like this (leverages both the Create-TenantAdminUserRole and Create-VMNetwork above):
Note The $ServiceTemplateName and $ServiceTemplateRelease values would vary based on your Service Template details.
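As an added example covering the Build-ServiceSettings and Deploy-VMMService pieces together (neither block is the post's own script), here is a cut-down pair of workflows: Build-ServiceSettings returns a hash table of Global Settings derived from the role name and tenant network, and Deploy-VMMService clones the known-good template per tenant, grants it to the tenant role, and creates the service configuration and service on behalf of the tenant. The setting names "VMNetworkName" and "TenantPrefix", the server name, and the template name/release are assumptions; use the setting names your own templates define.

```powershell
# Added example, not the post's own script. VMM01, "Active Directory"/"1.0", the tenant
# names, and the Global Setting names "VMNetworkName" and "TenantPrefix" are assumptions.
workflow Build-ServiceSettings
{
    param
    (
        [Parameter(Mandatory=$true)][string]$ServiceTemplateName,
        [Parameter(Mandatory=$true)][string]$OwnerUserRoleName,
        [Parameter(Mandatory=$true)][string]$VMNetworkName
    )

    # Global Settings keyed by the setting name defined in the template, all derived
    # from pre-existing data (role name, tenant network) rather than passed in by hand.
    @{
        "VMNetworkName" = $VMNetworkName
        "TenantPrefix"  = $OwnerUserRoleName
    }
}

workflow Deploy-VMMService
{
    param
    (
        [Parameter(Mandatory=$true)][string]$VMMServer,
        [Parameter(Mandatory=$true)][string]$ServiceTemplateName,
        [Parameter(Mandatory=$true)][string]$ServiceTemplateRelease,  # release of the known-good template
        [Parameter(Mandatory=$true)][string]$OwnerUserRoleName,
        [Parameter(Mandatory=$true)][string]$OnBehalfOfUser,
        [Parameter(Mandatory=$true)][string]$CloudName,
        [Parameter(Mandatory=$true)][string]$VMNetworkName
    )

    $ServiceSettings = Build-ServiceSettings -ServiceTemplateName $ServiceTemplateName `
                                             -OwnerUserRoleName $OwnerUserRoleName `
                                             -VMNetworkName $VMNetworkName

    $Result = InlineScript
    {
        Import-Module virtualmachinemanager -ErrorAction Stop
        $null     = Get-SCVMMServer -ComputerName $Using:VMMServer -ErrorAction Stop
        $UserRole = Get-SCUserRole -Name $Using:OwnerUserRoleName -ErrorAction Stop
        $Cloud    = Get-SCCloud -Name $Using:CloudName -ErrorAction Stop

        # Per-tenant copy of the known-good template: same Name, Release = role name.
        # New-SCServiceTemplate has no OnBehalfOf parameters, so this runs as the admin
        # and Grant-SCResource is what exposes the copy to the tenant role (and only it).
        $TenantTemplate = Get-SCServiceTemplate -Name $Using:ServiceTemplateName -Release $Using:OwnerUserRoleName
        if (-not $TenantTemplate)
        {
            $Source = Get-SCServiceTemplate -Name $Using:ServiceTemplateName -Release $Using:ServiceTemplateRelease
            if (-not $Source) { throw "Template '$($Using:ServiceTemplateName)' release '$($Using:ServiceTemplateRelease)' not found." }
            $TenantTemplate = New-SCServiceTemplate -Name $Using:ServiceTemplateName `
                                                    -Release $Using:OwnerUserRoleName `
                                                    -ServiceTemplate $Source
            Grant-SCResource -Resource $TenantTemplate -UserRoleName @($Using:OwnerUserRoleName)
        }

        # Configuration and deployment are done "OnBehalfOf" the tenant, so placement,
        # ownership and quota are evaluated against the tenant's scope, not the admin's.
        $ServiceName   = "$($Using:OwnerUserRoleName)-$($Using:ServiceTemplateName)"
        $ServiceConfig = New-SCServiceConfiguration -ServiceTemplate $TenantTemplate `
                                                    -Name $ServiceName -Cloud $Cloud `
                                                    -OnBehalfOfUser $Using:OnBehalfOfUser `
                                                    -OnBehalfOfUserRole $UserRole

        # Apply the Global Settings; fail loudly on a name the template does not define.
        # For secrets, use -SecureValue with a SecureString instead of -Value.
        $Settings    = $Using:ServiceSettings
        $AllSettings = Get-SCServiceSetting -ServiceConfiguration $ServiceConfig
        foreach ($SettingName in $Settings.Keys)
        {
            $ServiceSetting = $AllSettings | Where-Object { $_.Name -eq $SettingName }
            if (-not $ServiceSetting) { throw "Template does not define Global Setting '$SettingName'." }
            $null = Set-SCServiceSetting -ServiceSetting $ServiceSetting -Value $Settings[$SettingName]
        }

        $ServiceConfig = Update-SCServiceConfiguration -ServiceConfiguration $ServiceConfig
        $Service = New-SCService -ServiceConfiguration $ServiceConfig `
                                 -OnBehalfOfUser $Using:OnBehalfOfUser `
                                 -OnBehalfOfUserRole $UserRole
        $Service.Name
    }

    $Result
}

# One call per Tenant Admin, chained from the two workflows above.
Deploy-VMMService -VMMServer "VMM01" -ServiceTemplateName "Active Directory" -ServiceTemplateRelease "1.0" `
                  -OwnerUserRoleName "Tenant01" -OnBehalfOfUser "CONTOSO\TenantAdmin01" `
                  -CloudName "TenantCloud" -VMNetworkName "Tenant01-VMNetwork"
```

Granting the cloned template only to the owning role is the detail that keeps tenants from deploying (or even seeing) each other's templates; granting the original instead would hand every tenant the same shared artifact.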
See the following image for some of the Service Templates in our POC environment:
And this image is the results of a test of the above PowerShell workflow scripts:
And one final image illustrates what the dynamic Service Template creation per User Role looks like:
There is a ton of information here, I can appreciate that. I hope it was laid out in a way that makes sense, and eases you into the world of "OnBehalfOf".
As a recap, here are the commands where the "OnBehalfOf" concept was covered in the examples provided:
Note Taking these commands out of context may not make sense - variable usage was based on the examples.
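Because everything above runs as a privileged automation account, it is worth checking afterwards that OnBehalfOf actually took effect. As an added example (not from the post), the function below lists the VM networks, services and VMs that carry a given tenant role, flags any whose Owner is not the expected tenant account, and shows which template releases exist for that role. The server name and the account names are placeholders.

```powershell
# Added example, not the post's own script. VMM01 and CONTOSO\TenantAdmin01 are placeholders.
function Test-TenantOwnership
{
    param
    (
        [Parameter(Mandatory=$true)][string]$VMMServer,
        [Parameter(Mandatory=$true)][string]$UserRoleName,
        [Parameter(Mandatory=$true)][string]$ExpectedOwner   # e.g. "CONTOSO\TenantAdmin01"
    )

    Import-Module virtualmachinemanager -ErrorAction Stop
    $null = Get-SCVMMServer -ComputerName $VMMServer -ErrorAction Stop
    $null = Get-SCUserRole -Name $UserRoleName -ErrorAction Stop

    # Objects created "OnBehalfOf" the tenant should carry the tenant role and owner.
    # An Owner that still reads as the automation account means a command ran without
    # the OnBehalfOf parameters.
    $Resources = @()
    $Resources += Get-SCVMNetwork      | Where-Object { $_.UserRole.Name -eq $UserRoleName }
    $Resources += Get-SCService        | Where-Object { $_.UserRole.Name -eq $UserRoleName }
    $Resources += Get-SCVirtualMachine | Where-Object { $_.UserRole.Name -eq $UserRoleName }

    foreach ($Resource in $Resources)
    {
        [pscustomobject]@{
            Type         = $Resource.GetType().Name
            Name         = $Resource.Name
            Owner        = $Resource.Owner
            OwnerMatches = ($Resource.Owner -eq $ExpectedOwner)
        }
    }

    # The per-tenant template releases; there should be one per cloned template name.
    Get-SCServiceTemplate | Where-Object { $_.Release -eq $UserRoleName } |
        Select-Object Name, Release, Owner
}

Test-TenantOwnership -VMMServer "VMM01" -UserRoleName "Tenant01" -ExpectedOwner "CONTOSO\TenantAdmin01" |
    Format-Table -AutoSize
```

Running this once per tenant after provisioning (or on a schedule) turns the OnBehalfOf convention into something you can verify rather than assume.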
Do you want to take the raw PowerShell that you see here and leverage it in your environment? Would you like to leverage it within an existing Automation tool? Well if your environment includes Windows Azure Pack, Service Management Automation, and/or System Center Orchestrator (or anything else that can orchestrate PowerShell), you are in luck – simply take portions of the above PowerShell workflow script examples you want and start automating!
Well, I guess it is not exactly that easy. But it is close. Here is a brief explanation of how to leverage the PowerShell shown here in each of the aforementioned tools:
Oh, and some more good news, I have it on pretty good authority that there will be another post related to this content coming out very soon, which will illustrate even more use case scenarios…
That’s it - thanks for checking it out!
And for more information, tips/tricks, and example solutions for PowerShell + System Center 2012 R2, be sure to watch for future blog posts in the Automation Track!