Automating vRealize Suite Lifecycle Manager with Ansible – Part 1: Setup and Deploy vIDM and LCM


For many years I have been tasked with building vRealize Automation environments, and one of the biggest pain points has been the deployment and preparation of the IaaS machines. This has usually required special preparation of a Windows template and a number of scripts to get everything configured, so that vRA plays nice. This is usually an error-prone process, especially for the larger enterprise deployments. To tackle this problem, VMware released vRealize Suite Lifecycle Manager, which is on version 2.1 as of this writing.

I decided it was time to try this product and see if it lives up to the claims. I was also more interested in the API functionality, and as with all things automation, I typically turn to Ansible. I wasn’t too surprised to discover that, although the deployment is ‘automated’, depending on your interpretation, there are actually a number of manual steps that are still required. These include ensuring that the IaaS machines and database are already deployed and properly configured. The vRLCM Create Environment process also provides validation and pre-checks, along with scripts that can be used to prepare the machines.

With the preparation of these playbooks, I set out to automate the following:

  • Deployment of a single VMware vIDM appliance;
  • Deployment and initial configuration of a single vRealize Suite Lifecycle Manager appliance;
  • Deployment of vRealize Automation IaaS Servers (Windows VMs), in multiple deployment scenarios.
  • Creation of vRealize Automation environment through LCM.

This post will focus on deploying vRSLCM and vIDM with a follow-up post on the vRA deployments.

However, in my attempts to make this a set of one click processes, I wasn’t able to quite get that far (got pretty close). This was mainly due to some limitations with the vRSLCM API (can’t automate certificates, for example). I will discuss these limitations throughout this post, and if I find workarounds, then I’ll provide an update.

I should also point out that this is quite experimental and although I have done all that I can to make these workflows as idempotent as I can, unfortunately, with the limitations of the LCM API, this has proven to be quite difficult. These playbooks are best used as a one-time only deployment, at least for LCM itself.

Environment Preparation

In my environment I have a dedicated virtual machine that I develop and run my playbooks on (you may call this the Ansible control machine) running on CentOS 7.x.

Environment Overview

| Component | Version |
| --- | --- |
| CentOS | CentOS 7.x |
| Ansible | 2.8.1 (2.8 is a minimum requirement) |
| Python | 3.6 (installed from EPEL Repository) |


The following pre-requisites are required:

  • DNS A/PTR records created for vRSLCM and vIDM appliances.

Prepare Environment

Ensure that the system is up-to-date by running:

Install yum-utils

Install Python 3

You will need to ensure that Python 3.6 is installed on your Ansible host. I am using the EPEL repository, but you may decide to use IUS or SCL to install these packages, so the package names may differ. Refer to the relevant documentation for installing Python 3 using these repositories, if required.

Install GIT

Git will be used to clone my Ansible vRSLCM playbooks repository.

Create Python Environment

It’s always the best approach to create a Python virtual environment so that packages do not conflict with the base system. I have a directory in the root of my home dir called ‘python-env’ where I maintain a number of different environments. Once you have a virtual environment set up, you just need to install the required packages from the ‘requirements.txt’ file (provided later in the git repository).

You can follow these steps below to create a virtual environment:

You will notice that the shell will now display the virtual environment that you are using:

It’s also a good idea to ensure the latest version of pip and setuptools is installed.

Download Ansible vRSLCM Deployment Playbooks

Now that the environment is ready, you can go ahead and clone my Ansible-VRLCM git repository.

The directory tree looks as follows:

Install Required Packages

There is a pip ‘requirements.txt‘ file located in the root of the Ansible-VRLCM folder that was created when the repository was cloned. Move into this directory and issue the following command to install these packages using pip.

This will also install Ansible 2.8.1.

Configure Ansible Playbooks

I always like to create playbooks that are easy to scale and allow me to perform deployments across multiple data centres. Therefore, I place heavy emphasis on variable inheritance and host groups. Below I provide details on how these can be configured to deploy and scale your environment.

Configure Inventory

The inventory is configured in the ‘inventory/hosts’ file. I have used a single file for the inventory to try and keep things simple. You are not limited to using this approach and can do whatever fits best for your environment. All that matters is that the hosts are defined and placed in their respective groups.

So let’s take a look at my ‘inventory/hosts‘ file, which is slimmed down to demonstrate a single site (the host file provided in the git repo will include 2 sites).

If you are using a Python virtual environment then you will need to set the ‘ansible_python_interpreter’ for localhost to your path; otherwise, comment it out or remove it from the file.

You will see that I have 2 hosts defined in this example (I have purposely limited to the hosts in scope for the moment).

  • sg1-lcm001.sgroot.local – This is the hostname of the vRSLCM appliance that I want to deploy
  • sg1-idm001.sgroot.local – This is the hostname of the vIDM appliance that I want to deploy

Each of these hosts is placed into its respective group. The table below details the groups that have been configured:

| Group | Description | Members |
| --- | --- | --- |
| site_a | All hosts in Site A | site_a_vrlcm_appliances, site_a_vra_appliances, site_a_vra_iaas_servers, site_a_vidm_appliances |
| vrlcm_appliances | All vRSLCM Appliances | site_a_vrlcm_appliances |
| vidm_appliances | All vIDM Appliances | site_a_vidm_appliances |
| vra_appliances | All vRA Appliances | site_a_vra_appliances |
| site_a_vra_iaas_servers | All vRA IaaS Servers | site_a_vra_iaas_servers |

I like to use groups in this way as it allows me to use variable inheritance. This is useful, as you can re-use the same variables in your playbooks and have a different value assigned, for the host or the group.

Configure Variables

This section provides an overview of all the variable files that can be configured. Make sure to adjust the variables so that they match your environment/requirements.

Configure Global Variables

There are a number of global variable files under ‘group_vars/all‘. The variables configured in these files will be accessible by all hosts. The names of these files should be easy enough to make out what they are used for.


This file is used to configure the default domain.


This file is used to define the NTP servers. I have used the default servers, which should be fine for everyone, unless you want to use internal ones.


This file is used to define default variables used for interacting with web services.


This file is used to define default variables used for OVA deployments.

Configure Site Variables

There are a number of site-specific variable files under ‘group_vars/site_a’. These variables will apply to all hosts that are a member of the site. The following variable files are available:


This file is used to define site specific DNS servers. Useful if you have the same DNS servers in all sites but wish to present them in a different order.


This file is used to define the CMP vCenter Server that will be used for deploying all the components.


This file is used to define the CMP vCenter Server administrator account details for deployments. I keep this file separate so that it can be encrypted.

Configure vIDM Variables

All variable files related to vIDM are under ‘group_vars/vidm_appliances‘.


This file defines variables associated with the vIDM deployment.

Configure vRLCM Variables

All variable files related to vRLCM are under ‘group_vars/vrlcm_appliances‘.


This file defines variables associated with the vRLCM deployment.


This variable file defines all the account usernames and passwords that are used by vRLCM. I keep this file separate so that it can be encrypted.
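The CMP vCenter administrator file and the vRLCM credentials file are both kept separate so that they can be encrypted. As an added example, not part of the original post or the Ansible-VRLCM repository, the shell check below lists credential files under group_vars that are still plaintext by testing for the Ansible Vault header. It assumes the encryption is done with Ansible Vault on whole files; the `*credentials*.yml` name pattern, the file name `01-vcenter_credentials.yml`, the variable `vcenter_password` and the sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Ansible-VRLCM repository.
# Assumptions: credential files have "credentials" in their name (as in
# 02-vrlcm_credentials.yml) and are encrypted whole with Ansible Vault.

# Succeeds only if the first line of the file is an Ansible Vault header.
is_vault_encrypted() {
    first_line=
    IFS= read -r first_line < "$1" || :   # empty or unreadable: plaintext
    case $first_line in
        '$ANSIBLE_VAULT;'*) return 0 ;;
    esac
    return 1
}

# Prints each credentials file under directory $1 that is still plaintext.
# Returns 0 if none, 1 if any were found, 2 if $1 is not a directory.
find_plaintext_credentials() {
    [ -d "$1" ] || return 2
    plaintext=$(find "$1" -type f -name '*credentials*.yml' | sort |
        while IFS= read -r file; do
            is_vault_encrypted "$file" || printf '%s\n' "$file"
        done)
    if [ -n "$plaintext" ]; then
        printf '%s\n' "$plaintext"
        return 1
    fi
    return 0
}

# Builds a constructed group_vars tree with one encrypted and one plaintext
# file. 01-vcenter_credentials.yml and vcenter_password are hypothetical
# names; the contents are fake.
make_sample_tree() {
    mkdir -p "$1/group_vars/vrlcm_appliances" "$1/group_vars/site_a"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '6162636465666768' \
        > "$1/group_vars/vrlcm_appliances/02-vrlcm_credentials.yml"
    printf '%s\n' '---' 'vcenter_password: "example-only"' \
        > "$1/group_vars/site_a/01-vcenter_credentials.yml"
}

sample=$(mktemp -d)
make_sample_tree "$sample"
if ! find_plaintext_credentials "$sample/group_vars"; then
    echo "plaintext credential files found; run ansible-vault encrypt on them" >&2
fi
rm -rf "$sample"
```

Point `find_plaintext_credentials` at the repository's group_vars directory before a commit or a playbook run. A variable encrypted inline with `!vault` inside an otherwise plaintext file is still reported as plaintext by this whole-file check.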

Deploy VMware Identity Manager

The playbook that you will need to run is called ‘vidm_deploy_appliance.yml‘, which is located in the root of the Ansible-VRLCM folder. You will need to configure the variables to match your requirements. If you have configured the CMP vCenter variables for the site, then the hostname, username and password fields can be left as-is.

This is a very simple playbook that will deploy the vIDM without any further configuration.

You can run the playbook as follows:

You will need to log into the appliance once it has been deployed and go through the initial configuration.

If you want to deploy multiple, load balanced vIDM appliances then this is also possible with some modification. I plan to release another post in due course on how to do this.

Deploy vRealize Suite Lifecycle Manager

The playbook that you will need to run is called ‘vrlcm_deploy_appliance.yml‘, which is located in the root of the Ansible-VRLCM folder. You will need to configure the variables to match your requirements. If you have configured the CMP vCenter variables for the site, then the hostname, username and password fields can be left as-is.

You can also configure the Datacenters and vCenter Servers that will be created within LCM after it has been deployed.

By default, I add the datacenter and vCenter Server that LCM has been deployed on (CMP stack), which can be further used for the vRA deployments. The ‘vrlcm_endpoint_vcenter_username’ and ‘vrlcm_endpoint_vcenter_password’ variables are the credentials of the service account that LCM will use to access this vCenter Server, and were configured in the ‘02-vrlcm_credentials.yml’ variable file.

You’ll notice that there are a number of roles that are called and the names should be pretty self-explanatory. There is also another role called ‘vrlcm_wait_for_request’ that is used to wait for any vCenter Server that has been added to complete its inventory data collection task, and to wait for vIDM to complete.

You can run the playbook as follows:

The LCM appliance will now be accessible and configured and ready to create environments.

vRLCM Limitations

When I was attempting to automate as much as possible with the LCM deployment, I unfortunately encountered a number of limitations with the API.

  • Prompted to change root password on first logon, even though this has been changed via the API and the configuration updated on the appliance.
  • Not possible to get existing configured vCenter Servers (but it does fail when the same vCenter is added a second time. I was able to use this to determine if a vCenter already existed).
  • Not possible to get the existing vIDM connection (it will simply re-add to vIDM resulting in multiple LCM items under the vIDM catalog).
  • Not possible to get the configured AD servers (this will result in multiple, duplicated AD servers being added).
  • Not possible to manage certificates.
  • Not possible to manage Servers and Protocols (DNS, NTP and SNMP).
  • Not possible to manage Content Management.

Hopefully I can raise these with the LCM team in the hope they are added in later releases.

That concludes this post. In my next post, I will cover the deployment of vRealize Automation from deploying and configuring the Windows IaaS machines to automating the creation of the environment within LCM.

I am also looking for collaborators on this project, so if you would like to contribute or improve my playbooks then please let me know.

Robin van Altena

Excellent post Gavin,
The post gave me a great jumpstart in deploying LCM
The prompt at first logon can be easily fixed by restarting the appliance after deployment.


Nice work Gavin. Just a quick question: did you try to install new vIDM through LCM instead of adding the existing one?