During my current project where I’m implementing vCloud Automation Center as a multi-tenant, private cloud solution, I came across a lot of challenges. One of these challenges was the fact that it didn’t seem possible to bulk destroy virtual machines. This post clarifies how this can be done and what the requirements are.
A while ago, I had to destroy about 100 VMs that were deployed and managed by vCAC. As vCAC creates reservations for these VMs, it’s not a wise choice to delete them from vCenter and leave vCAC in an inconsistent state. Deleting VMs one-by-one was my backup plan, so I tweeted my question and received the following reply from Grant:
So, functionality was available, but I needed to access the Infrastructure side with Fabric Admin permissions. After assigning those permissions, and viewing the right page, I could access the Managed Machines page from Infrastructure > Machines > Managed Machines and view all machines (current, expired, deploying, etc.) of the tenant. Cool! As Grant wrote, I was able to select multiple VMs and click the destroy function.
After using this function, I noticed that the VMs were still happily running in the state they were in and got a bit of a “Talk to the hand, the face ain’t listening” feeling =)
This was confirmed by the vCAC log (Infrastructure > Monitoring > Log) as I was seeing the following error:
Workflow “FireVirtualMachineEventRequest” failed with the following exception: Access Denied
Something was still blocking my actions. After some troubleshooting, I found out that the user you are performing these infrastructure actions with needs an entitlement on the catalog of your tenant, and specifically the Destroy VM permission. This is a bit awkward in my opinion, as the Infrastructure role in vCAC is system-wide and meant for administrators, and administrator accounts are in a different AD than your tenant, at least in my case.
So the accounts that can be entitled to the tenant catalog come from the tenant AD. That means a tenant AD user account needs to get the Infrastructure role. As I really needed to clean up the environment, I granted this role just for that purpose, but it is not something you would do on a daily basis.
If you have experiences with this functionality or solution, please let me know how you solved it! I have shared my ideas with VMware and hopefully they will be processed in vCAC 6.1.
Thanks for reading!