Inputs

These are the inputs that can be provided to the tasks. Each task can only take a specific set, indicated under the inputs property of the YAML.

director config

The config director will set the bosh tile (director) on Ops Manager.

The config input for a director task expects to have a director.yml file. The configuration of the director.yml is IAAS specific for some properties -- i.e. networking.

There are two ways to build a director config.

1. Using an already deployed Ops Manager, you can extract the config using staged-director-config.
2. Deploying a brand new Ops Manager requires more effort for a director.yml. The configuration of director is variables based on the features enabled. For brevity, this director.yml is a basic example for vsphere.

---
az-configuration:
- clusters:
  - cluster: cluster-name
    resource_pool: resource-pool-name
  name: AZ01

properties-configuration:
  iaas_configuration:
    vcenter_host: vcenter.example.com
    vcenter_username: admin
    vcenter_password: password
    ......
  director_configuration:
    blobstore_type: local
    bosh_recreate_on_next_deploy: false
    custom_ssh_banner: null
    ......
  security_configuration:
    generate_vm_passwords: true
    trusted_certificates:
  syslog_configuration:
    enabled: false

network-assignment:
  network:
    name: INFRASTRUCTURE
  other_availability_zones: []
  singleton_availability_zone:
    name: AZ01

networks-configuration:
  icmp_checks_enabled: false
  networks:
  - name: NETWORK-NAME
  ......

resource-configuration:
  compilation:
    instance_type:
      id: automatic
    instances: automatic
  ......

The IAAS specific configuration can be found in the Ops Manager API documentation.

Included below is a list of properties that can be set in the director.yml and a link to the API documentation explaining any IAAS specific properties.

• az-configuration - a list of availability zones Ops Manager API
• network-assignment - the network the bosh director is deployed to Ops Manager API
• networks-configuration - a list of named networks Ops Manager API
• properties-configuration
  • iaas_configuration - configuration for the bosh IAAS CPI Ops Manager API
  • director_configuration - properties for the bosh director Ops Manager API
  • security_configuration - security properties for the bosh director Ops Manager API
  • syslog_configuration - configure the syslog sinks for the bosh director Ops Manager API
• resource-configuration - IAAS VM flavor for the bosh director Ops Manager API
• vmextensions-configuration - create/update/delete vm extensions Ops Manager API

GCP Shared VPC

Support for Shared VPC is done via configuring the iaas_identifier path for the infrastructure subnet, which includes the host project id, region of the subnet, and the subnet name.

For example:

[HOST_PROJECT_ID]/[NETWORK]/[SUBNET]/[REGION]

download-product-config

The config input for a download product task can be used with a download-config.yml file to download a tile. The configuration of the download-config.yml looks like this:

---
pivnet-api-token: token
## Note that file globs must be quoted if they start with *;
## otherwise they'll be interpreted as a YAML anchor.
pivnet-file-glob: "*.pivotal"
pivnet-product-slug: product-slugs

## defaults to false and should be excluded if not set to true
# pivnet-disable-ssl: true

## Either product-version OR product-version-regex is required
# product-version: 1.2.3

## Note that the regex mustn't be quoted,
## as escape characters for the regex will confuse yaml parsers.
# product-version-regex: ^1\.2\..*$

## If set, will attempt to download the latest stemcell for the product.
## Ignored if the specified file is not a `.pivotal` file.
## Valid options are: aws, azure, google, openstack, vsphere.
# stemcell-iaas: google

## The following are required only if using download-product-s3.
## Any key marked required above is still required when using S3.
## If s3-bucket is set,
## downloaded product files will have their slug and version prepended.
s3-bucket: s3-bucket
s3-region-name: us-west-1      # required; sufficient for AWS
s3-endpoint: s3.endpoint.com   # if not using AWS, this is required

## Required unless `s3-auth-method` is `iam`
s3-access-key-id: aws-or-minio-key-id
s3-secret-access-key: aws-or-minio-secret-key

## Optional paths for both the product and the associated stemcell
## defaults to the root path of the specified bucket
# s3-product-path: /path/to/product
# s3-stemcell-path: /path/to/stemcell

## defaults to false and should be excluded if not set to true
# s3-disable-ssl: true

## defaults to false;
## made available only because sometimes necessary for compatibility
# s3-enable-v2-signing: true

## defaults to accesskey;
## allows use of AWS instance IAM creds, if available
# s3-auth-type: iam

download-stemcell-product-config

The config input for a download product task can be used with a download-config.yml file to download a stemcell. The configuration of the download-config.yml looks like this:

---
pivnet-api-token: token
## Note that file globs must be quoted if they start with *;
## otherwise they'll be interpreted as a YAML anchor.
pivnet-file-glob: "*vsphere*"
pivnet-product-slug: stemcells-ubuntu-xenial

## defaults to false and should be excluded if not set to true
# pivnet-disable-ssl: true

## Either product-version OR product-version-regex is required
# product-version: "250.82"

## Note that the regex mustn't be quoted,
## as escape characters for the regex will confuse yaml parsers.
# product-version-regex: ^250\..*$


## The following are required only if using download-product-s3.
## Any key marked required above is still required when using S3.
## If s3-bucket is set,
## downloaded product files will have their slug and version prepended.
s3-bucket: s3-bucket
s3-region-name: us-west-1      # required; sufficient for AWS
s3-endpoint: s3.endpoint.com   # if not using AWS, this is required

## Required unless `s3-auth-method` is `iam`
s3-access-key-id: aws-or-minio-key-id
s3-secret-access-key: aws-or-minio-secret-key

## Optional paths for both the product and the associated stemcell
## defaults to the root path of the specified bucket
# s3-product-path: /path/to/product
# s3-stemcell-path: /path/to/stemcell

## defaults to false and should be excluded if not set to true
# s3-disable-ssl: true

## defaults to false;
## made available only because sometimes necessary for compatibility
# s3-enable-v2-signing: true

## defaults to accesskey;
## allows use of AWS instance IAM creds, if available
# s3-auth-type: iam

env

The env input for a task expects to have a env.yml file. This file contains properties for targeting and logging into the Ops Manager API.

basic authentication

---
target: https://pcf.example.com
connect-timeout: 30            # default 5
request-timeout: 1800          # default 1800
skip-ssl-validation: false     # default false
username: username
password: password
# decryption-passphrase is optional,
# except for use with `import-installation`.
# OpsMan depends on the passphrase
# to decrypt the imported installation.
# For other commands, providing this key allows
# decryption of the OpsMan VM after reboot,
# which would otherwise need to be done manually.
decryption-passphrase: passphrase

uaa authentication

---
target: https://pcf.example.com
connect-timeout: 30          # default 5
request-timeout: 1800        # default 1800
skip-ssl-validation: false   # default false
client-id: client_id
client-secret: client_secret
# decryption-passphrase is optional,
# except for use with `import-installation`.
# OpsMan depends on the passphrase
# to decrypt the imported installation.
# For other commands, providing this key allows
# decryption of the OpsMan VM after reboot,
# which would otherwise need to be done manually.
decryption-passphrase: passphrase

Getting the client-id and client-secret

Ops Manager will by preference use Client ID and Client Secret if provided. To create a Client ID and Client Secret

1. uaac target https://YOUR_OPSMANAGER/uaa
2. uaac token sso get if using SAML or uaac token owner get if using basic auth. Specify the Client ID as opsman and leave Client Secret blank.
3. Generate a client ID and secret

uaac client add -i
Client ID:  NEW_CLIENT_NAME
New client secret:  DESIRED_PASSWORD
Verify new client secret:  DESIRED_PASSWORD
scope (list):  opsman.admin
authorized grant types (list):  client_credentials
authorities (list):  opsman.admin
access token validity (seconds):  43200
refresh token validity (seconds):  43200
redirect uri (list):
autoapprove (list):
signup redirect url (url):

installation

The file contains the information to restore an Ops Manager VM. The installation input for a opsman VM task expects to have a installation.zip file.

This file can be exported from an Ops Manager VM using the export-installation. This file can be imported to an Ops Manager VM using the import-installation.

Warning

This file cannot be manually created. It is a file that must be generated via the export function of Ops Manager.

Ops Manager config

The config for an Ops Manager described IAAS specific information for creating the VM -- i.e. VM flavor (size), IP addresses

The config input for opsman task expects to have a opsman.yml file. The configuration of the opsman.yml is IAAS specific.

Specific examples for each IaaS are as follows:

AWS

These required properties are adapted from the instructions outlined in Launching an Ops Manager Director Instance on AWS

---
opsman-configuration:
  aws:
    region: us-west-2
    vpc_subnet_id: subnet-0292bc845215c2cbf
    security_group_ids: [ sg-0354f804ba7c4bc41 ]
    key_pair_name: ops-manager-key  # used to ssh to VM
    iam_instance_profile_name: env_ops_manager

    # At least one IP address (public or private) needs to be assigned to the
    # VM. It is also permissible to assign both.
    public_ip: 1.2.3.4      # Reserved Elastic IP
    private_ip: 10.0.0.2

    # Optional
    # vm_name: ops-manager-vm    # default - ops-manager-vm
    # boot_disk_size: 100        # default - 200 (GB)
    # instance_type: m5.large    # default - m5.large
                                 # NOTE - not all regions support m5.large
    # assume_role: "arn:aws:iam::..." # necessary if a role is needed to authorize
                                      # the OpsMan VM instance profile

    # Omit if using instance profiles
    # And instance profile OR access_key/secret_access_key is required
    # access_key_id: sample-access-id
    # secret_access_key: sample-secret-access-key

    # security_group_id: sg-123  # DEPRECATED - use security_group_ids
    # use_instance_profile: true # DEPRECATED - will use instance profile for
                                 # execution VM if access_key_id and
                                 # secret_access_key are not set

Info

At least one IP address (public or private) must be assigned to the Ops Manager VM. Both can be assigned, too.

Using instance_profile to Avoid Secrets

For authentication you must either set use_instance_profile: true or provide a secret_key_id and secret_access_key. You must remove key information if you're using an instance profile. Using an instance profile allows you to avoid interpolation, as this file then contains no secrets.

Azure

These required properties are adapted from the instructions outlined in Launching an Ops Manager Director Instance on Azure

---
opsman-configuration:
  azure:
    tenant_id: 3e52862f-a01e-4b97-98d5-f31a409df682
    subscription_id: 90f35f10-ea9e-4e80-aac4-d6778b995532
    client_id: 5782deb6-9195-4827-83ae-a13fda90aa0d
    client_secret: 6Iaue71Lqxfq
    location: westus
    resource_group: res-group
    storage_account: opsman                       # account name of container
    ssh_public_key: ssh-rsa AAAAB3NzaC1yc2EAZ...  # ssh key to access VM

    # Note that there are several environment-specific details in this path
    # This path can reach out to other resource groups if necessary
    subnet_id: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Network/virtualNetworks/<VNET>/subnets/<SUBNET>

    # At least one IP address (public or private) needs to be assigned
    # to the VM. It is also permissible to assign both.
    private_ip: 10.0.0.3
    public_ip: 1.2.3.4

    # Optional
    # cloud_name: AzureCloud          # default - AzureCloud
    # storage_key: pEuXDaDK/WWo...    # only required if your client does not
                                      # have the needed storage permissions
    # container: opsmanagerimage      # storage account container name
                                      # default - opsmanagerimage
    # network_security_group: ops-manager-security-group
    # vm_name: ops-manager-vm         # default - ops-manager-vm
    # boot_disk_size: 200             # default - 200 (GB)
    # use_managed_disk: true          # this flag is only respected by the
                                      # create-vm and upgrade-opsman commands.
                                      # set to false if you want to create
                                      # the new opsman VM with an unmanaged
                                      # disk (not recommended). default - true
    # vpc_subnet: /subscriptions/...  # DEPRECATED - use subnet_id
    # use_unmanaged_disk: false       # DEPRECATED - use use_managed_disk

Info

At least one IP address (public or private) must be assigned to the Ops Manager VM. Both can be assigned, too.

GCP

These required properties are adapted from the instructions outlined in Launching an Ops Manager Director Instance on GCP

---
opsman-configuration:
  gcp:
    # Either gcp_service_account_name or gcp_service_account json is required
    # You must remove whichever you don't use
    gcp_service_account_name: user@project-id.iam.gserviceaccount.com
    gcp_service_account: |
      {
        "type": "service_account",
        "project_id": "project-id",
        "private_key_id": "af719b1ca48f7b6ac67ca9c5319cb175",
        "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
        "client_email": "user@project-id.iam.gserviceaccount.com",
        "client_id": "1234567890",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://accounts.google.com/o/oauth2/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/user%40project-id.iam.gserviceaccount.com"
      }

    project: project-id
    region: us-central1
    zone: us-central1-b
    vpc_subnet: infrastructure-subnet

    # At least one IP address (public or private) needs to be assigned to the
    # VM. It is also permissible to assign both.
    public_ip: 1.2.3.4
    private_ip: 10.0.0.2

    ssh_public_key: ssh-rsa some-public-key... # RECOMMENDED, but not required
    tags: ops-manager                          # RECOMMENDED, but not required

    # Optional
    # vm_name: ops-manager-vm  # default - ops-manager-vm
    # custom_cpu: 2            # default - 2
    # custom_memory: 8         # default - 8
    # boot_disk_size: 100      # default - 100
    # scopes: ["my-scope"]

Info

At least one IP address (public or private) must be assigned to the Ops Manager VM. Both can be assigned, too.

Using a Service Account Name to Avoid Secrets

For authentication either gcp_service_account or gcp_service_account_name is required. You must remove the one you are not using note that using gcp_service_account_name allows you to avoid interpolation, as this file then contains no secrets.

Support for Shared VPC is done via configuring the vpc_subnet path to include the host project id, region of the subnet, and the subnet name.

For example:

projects/[HOST_PROJECT_ID]/regions/[REGION]/subnetworks/[SUBNET]

Openstack

These required properties are adapted from the instructions outlined in Launching an Ops Manager Director Instance on Openstack

---
opsman-configuration:
  openstack:
    project_name: project
    auth_url: http://os.example.com:5000/v2.0
    username: admin
    password: password
    net_id: 26a13112-b6c2-11e8-96f8-529269fb1459
    security_group_name: opsman-sec-group
    key_pair_name: opsman-keypair

    # At least one IP address (public or private) needs to be assigned to the VM.
    public_ip: 1.2.3.4 # must be an already allocated floating IP
    private_ip: 10.0.0.3

    # Optional
    # availability_zone: zone-01
    # project_domain_name: default
    # user_domain_name: default
    # vm_name: ops-manager-vm       # default - ops-manager-vm
    # flavor: m1.xlarge             # default - m1.xlarge
    # identity_api_version: 2       # default - 3
    # insecure: true                # default - false

Info

At least one IP address (public or private) must be assigned to the Ops Manager VM. Both can be assigned, too.

vSphere

These required properties are adapted from the instructions outlined in Deploying BOSH and Ops Manager to vSphere

---
opsman-configuration:
  vsphere:
    vcenter:
      ca_cert: cert                 # REQUIRED if insecure = 0 (secure)
      datacenter: example-dc
      datastore: example-ds-1
      folder: /example-dc/vm/Folder # RECOMMENDED, but not required
      url: vcenter.example.com
      username: admin
      password: password
      resource_pool: /example-dc/host/example-host/Resources/example-res-pool
      # resource_pool can use a cluster - /example-dc/host/example-cluster

      # Optional
      # host: host      # DEPRECATED - Platform Automation cannot guarantee
                        # the location of the VM, given the nature of vSphere
      # insecure: 0     # default - 0 (secure) | 1 (insecure)

    disk_type: thin     # thin|thick
    dns: 8.8.8.8
    gateway: 192.168.10.1
    hostname: ops-manager.example.com
    netmask: 255.255.255.192
    network: example-virtual-network
    ntp: ntp.ubuntu.com
    private_ip: 10.0.0.10
    ssh_public_key: ssh-rsa ......  # REQUIRED Ops Manager >= 2.6

    # Optional
    # cpu: 1                        # default - 1
    # memory: 8                     # default - 8 (GB)
    # ssh_password: password        # REQUIRED if ssh_public_key not defined
                                    # (Ops Manager < 2.6 ONLY)
    # vm_name: ops-manager-vm       # default - ops-manager-vm

opsman image

This file is an artifact from Pivnet, which contains the VM image for a specific IaaS. For vsphere and openstack, it's a full disk image. For AWS, GCP, and Azure, it's a YAML file listing the location of images that are already available on the IaaS.

These are examples to download the image artifact for each IaaS using the download-product task.

opsman.yml

```yaml tab="AWS"

pivnet-api-token: ((pivnet-token)) pivnet-file-glob: "ops-manager-aws*.yml" pivnet-product-slug: ops-manager product-version-regex: ^2.5.\d+$

```yaml tab="Azure"
---
pivnet-api-token: ((pivnet-token))
pivnet-file-glob: "ops-manager-azure*.yml"
pivnet-product-slug: ops-manager
product-version-regex: ^2\.5\.\d+$

```yaml tab="GCP"

pivnet-api-token: ((pivnet-token)) pivnet-file-glob: "ops-manager-gcp*.yml" pivnet-product-slug: ops-manager product-version-regex: ^2.5.\d+$

```yaml tab="OpenStack"
---
pivnet-api-token: ((pivnet-token))
pivnet-file-glob: "ops-manager-openstack*.raw"
pivnet-product-slug: ops-manager
product-version-regex: ^2\.5\.\d+$

```yaml tab="vSphere"

pivnet-api-token: ((pivnet-token)) pivnet-file-glob: "ops-manager-vsphere*.ova" pivnet-product-slug: ops-manager product-version-regex: ^2.5.\d+$

#### download-product task

```yaml
- task: download-opsman-image
  image: platform-automation-image
  file: platform-automation-tasks/tasks/download-product.yml
  params:
    CONFIG_FILE: opsman.yml

product

The product input requires a single tile file (.pivotal) as downloaded from Pivnet.

Here's an example of how to pull the Pivotal Application Service tile using the download-product task.

product.yml

---
pivnet-api-token: token
pivnet-file-glob: "cf-*.pivotal"
pivnet-product-slug: elastic-runtime
product-version-regex: ^2\.6\..*$

download-product task

- task: download-stemcell
  image: platform-automation-image
  file: platform-automation-tasks/tasks/download-product.yml
  params:
    CONFIG_FILE: product.yml

Warning

This file cannot be manually created. It is a file that must retrieved from Pivnet.

product config

There are two ways to build a product config.

1. Using an already deployed product (tile), you can extract the config using staged-config.
2. Use an example and fill in the values based on the meta information from the tile. For brevity, this product.yml is a basic example for healthwatch.

---
product-properties:
  .healthwatch-forwarder.bosh_taskcheck_username:
    value: admin
  .healthwatch-forwarder.boshhealth_instance_count:
    value: 1
  .healthwatch-forwarder.boshtasks_instance_count:
    value: 2
  .healthwatch-forwarder.canary_instance_count:
    value: 2
  .healthwatch-forwarder.cli_instance_count:
    value: 2
  .healthwatch-forwarder.health_check_az:
    value: AZ01
  .healthwatch-forwarder.ingestor_instance_count:
    value: 4
  .healthwatch-forwarder.opsman_instance_count:
    value: 2
  .healthwatch-forwarder.publish_to_eva:
    value: true
  .healthwatch-forwarder.worker_instance_count:
    value: 4
  .mysql.skip_name_resolve:
    value: true
  .properties.opsman:
    value: enable
  .properties.opsman.enable.url:
    value: https://pcf.example.com/
network-properties:
  network:
    name: DEPLOYMENT
  other_availability_zones:
  - name: AZ01
  - name: AZ02
  service_network:
    name: SERVICES
  singleton_availability_zone:
    name: AZ01
resource-config:
  healthwatch-forwarder:
    instances: automatic
    persistent_disk:
      size_mb: automatic
    instance_type:
      id: automatic
  migrate-v1.1-v1.2:
    instances: automatic
    instance_type:
      id: automatic
  mysql:
    instances: automatic
    persistent_disk:
      size_mb: automatic
    instance_type:
      id: automatic
  redis:
    instances: automatic
    persistent_disk:
      size_mb: automatic
    instance_type:
      id: automatic

Included below is a list of properties that can be set in the product.yml and a link to the API documentation explaining the properties.

• product-properties - properties for the tile Ops Manager API
• network-properties - a list of named networks to deploy the VMs to Ops Manager API
• resource-config - for the jobs of the tile Ops Manager API

state

This file contains that meta-information needed to manage the Ops Manager VM. The state input for a opsman VM task expects to have a state.yml file.

The state.yml file contains two properties:

1. iaas is the IAAS the ops manager vm is hosted on. (gcp, vsphere, aws, azure, openstack)
2. vm_id is the VM unique identifier for the VM. For some IAAS, the vm ID is the VM name.

Different IaaS uniquely identify VMs differently; here are examples for what this file should look like, depending on your IAAS:

``` yaml tab="AWS" iaas: aws

Instance ID of the AWS VM

vm_id: i-12345678987654321

``` yaml tab="Azure"
iaas: azure
# Computer Name of the Azure VM
vm_id: vm_name

``` yaml tab="GCP" iaas: gcp

Name of the VM in GCP

vm_id: vm_name

``` yaml tab="OpenStack"
iaas: openstack
# Instance ID from the OpenStack Overview
vm_id: 12345678-9876-5432-1abc-defghijklmno

``` yaml tab="vSphere" iaas: vsphere

Path to the VM in vCenter

vm_id: /datacenter/vm/folder/vm_name

### stemcell
This `stemcell` input requires the stemcell tarball (`.tgz`) as downloaded from Pivnet.
It must be in the original filename as that is used by Ops Manager to parse metadata.
The filename could look like `bosh-stemcell-3541.48-vsphere-esxi-ubuntu-trusty-go_agent.tgz`.

!!! warning
    This file cannot be manually created. It is a file that must retrieved from Pivnet.

Here's an example of how to pull the vSphere stemcell
using the [download-product][download-product] task.

#### stemcell.yml

```yaml tab="AWS"
---
pivnet-api-token: token
pivnet-file-glob: "bosh-stemcell-*-aws*.tgz"
pivnet-product-slug: stemcells-ubuntu-xenial
product-version-regex: ^170\..*$

```yaml tab="Azure"

pivnet-api-token: token pivnet-file-glob: "bosh-stemcell--azure.tgz" pivnet-product-slug: stemcells-ubuntu-xenial product-version-regex: ^170..*$

```yaml tab="GCP"
---
pivnet-api-token: token
pivnet-file-glob: "bosh-stemcell-*-google*.tgz"
pivnet-product-slug: stemcells-ubuntu-xenial
product-version-regex: ^170\..*$

```yaml tab="OpenStack"

pivnet-api-token: token pivnet-file-glob: "bosh-stemcell--openstack.tgz" pivnet-product-slug: stemcells-ubuntu-xenial product-version-regex: ^170..*$

```yaml tab="vSphere"
---
pivnet-api-token: token
pivnet-file-glob: "bosh-stemcell-*-vsphere*.tgz"
pivnet-product-slug: stemcells-ubuntu-xenial
product-version-regex: ^170\..*$

download-product task

- task: download-stemcell
  image: platform-automation-image
  file: platform-automation-tasks/tasks/download-product.yml
  params:
    CONFIG_FILE: stemcell.yml

assign-stemcell-task

This artifact is an output of download-product located in the assign-stemcell-config output directory.

This file should resemble the following:

product: cf
stemcell: "97.190"

telemetry

The config input for the collect-telemetry task can be used with a telemetry.yml file to collect data for Pivotal so they can learn and measure results in order to put customer experience at the forefront of their product decisions. The configuration of the telemetry.yml looks like this:

---
env-type: sandbox     # sandbox|development|qa|pre-production|production

# Usage Service (Recommended)
cf-api-url:           # UAA authentication to access Usage Service
usage-service-url:
usage-service-client-id:
usage-service-client-secret:
usage-service-insecure-skip-tls-verify:

# CredHub (Optional)
# with-credhub-info:  # include Credhub certificate expiry information