The use of metadata (in this case, tags) is a helpful way of abstracting what a piece of data is from what a piece of data contains. For instance, if I want to know if a particular virtual machine is running SQL Server, I could launch an RDP session, do a port scan, or try to connect to the database engine. There are many options. Alternatively, I could tag that virtual machine with a SQL Server identification and know, without examining the virtual machine itself, that it is running a database server. In short: tags are pretty cool, but often underutilized.
The team at Rubrik recently went through the process of adding support for vSphere Tags to the Rubrik PowerShell Module. I thought I’d share how this was done so that you can use a similar method for any of your PowerCLI projects. This post will cover the creation of the tagging framework via categories and tags, along with how to assign those tags to vSphere objects.
All About Categories and Tags
The first step is to create the framework. This is done via categories, which are buckets that hold tags, and then the tags themselves. Most any object in vSphere can have one or more tags assigned to it, and each tag lives within a particular category. Categories support two modes of operation:
- 1 Tag Per Object: Mutually exclusive cardinality, meaning an object can only be assigned one tag from this category.
  - Example: Assigning a virtual machine to a tier, such as production or development.
  - Example: Assigning a virtual machine to a place in an application stack, such as web, middleware, or back-end.
- Multiple Tags Per Object: Non-mutually exclusive cardinality, meaning an object can be assigned multiple tags from this category.
  - Example: Assigning multiple features to an ESXi host, such as the use of server-side flash and high performance mode.
In addition, you can limit the scope of objects that are allowed to have tags assigned. This is handy when you create tags specifically for virtual machines and do not wish anyone to assign them to other objects such as ESXi hosts and datastores.
Creating Categories and Tags in PowerCLI
Because we can’t assume that someone already has the proper categories and tags, but also want the process to be painless and repeatable, it’s a good idea to automate the process. In this case, the Sync-RubrikTag function was written to create tags for every Rubrik SLA Domain that exists within the cluster. It’s a way that vSphere administrators (and many others) can use tags to express their needs for data protection, without needing to enter our UI.
The code first determines if the proper categories and tags exist, and if not, creates them. The category name is derived from user input, while the tags themselves are pulled from Rubrik’s SLA Domains because the idea is to represent them with tags.
Here’s an example run of the function, in which the code is creating a category named Rubrik and tags for the Gold, Silver, and Bronze SLA Domains.
Sync-RubrikTag -Category 'Rubrik' -vCenter 'vcenter1.rubrik.demo'

Fairly easy stuff. To view the results, open the vSphere Web Client (tags are not available in the Thick Client). From the Tags menu item, do the following:
- Select the category name. In this case, it’s Rubrik.
- A Tags link appears below, along with the quantity of tags that exist within that category. If you click on this, the list of tags will appear below on the left pane.
- On the right pane, select Related Objects.
- Now you can see all of the tags, their category name, and a description.
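The check-then-create logic described above, as an added example (not the Rubrik module's code). Sync-ExampleTag is a hypothetical name, the tag names are passed in rather than pulled from Rubrik, and a Connect-VIServer session is assumed to be open already.

```powershell
# Added example: hypothetical helper, not Rubrik's Sync-RubrikTag.
# Assumes Connect-VIServer has already been run against the target vCenter.
function Sync-ExampleTag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Category,
        [Parameter(Mandatory)][string[]]$TagName   # stand-in for the SLA Domain names
    )

    # Create the category only if it is missing.
    # Cardinality Single = one tag per object from this category.
    # EntityType limits the scope so the tags can only land on virtual machines.
    $cat = Get-TagCategory -Name $Category -ErrorAction SilentlyContinue
    if (-not $cat) {
        if ($PSCmdlet.ShouldProcess($Category, 'Create tag category')) {
            $cat = New-TagCategory -Name $Category -Cardinality Single `
                -EntityType VirtualMachine -Description 'Data protection tier'
        }
    }
    elseif ($cat.Cardinality -ne 'Single') {
        # A pre-existing category may allow several tags per object.
        Write-Warning "Category '$Category' allows multiple tags per object."
    }
    if (-not $cat) { return }   # -WhatIf run and the category does not exist yet

    foreach ($name in $TagName) {
        # Look the tag up inside this category only; names can repeat elsewhere.
        $tag = Get-Tag -Name $name -Category $cat -ErrorAction SilentlyContinue
        if ($tag) {
            Write-Verbose "Tag '$Category/$name' already exists"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$Category/$name", 'Create tag')) {
            New-Tag -Name $name -Category $cat -Description "SLA Domain $name"
        }
    }
}

# Safe to run repeatedly: existing categories and tags are left untouched.
Sync-ExampleTag -Category 'Rubrik' -TagName 'Gold', 'Silver', 'Bronze' -Verbose
```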

Assigning Tags to Objects with PowerCLI
Now that categories and tags exist in the environment, we can expect people to begin using them. The functionality is again quite simple. Using PowerCLI, gather objects and then pipe them over to the New-TagAssignment cmdlet. Use the Tag parameter to pick a specific tag.
Note: Beware that tag names are not necessarily unique. You can, for example, have a Gold tag in multiple categories. If that’s the case, use the Get-Tag cmdlet to pull in a specific tag using the Tag and Category parameters. Then feed that into the New-TagAssignment code.
For this post, I’ll pull in any virtual machines that contain the string “wahl” anywhere in the name and assign the Gold tag to them.
Get-VM -Name "*wahl*" | New-TagAssignment -Tag 'Gold'
To see the results:
- Select the Gold tag from the Rubrik category (substituting for the name of the category and tag you’re using).
- Select Related Objects from the right pane.
- View the list of Objects that have the tag assigned.
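The note about duplicate tag names, worked through as an added example (not code from the original post): the tag is resolved by name and category before assignment, and virtual machines that already carry a tag from that category are skipped. It assumes an open Connect-VIServer session.

```powershell
# Added example: hypothetical script; assumes an existing Connect-VIServer session.
$category = 'Rubrik'
$tagName  = 'Gold'

# Resolve the tag by name AND category so a Gold tag in some other category
# can never be picked up by accident.
$tag = @(Get-Tag -Name $tagName -Category $category -ErrorAction Stop)
if ($tag.Count -ne 1) {
    throw "Expected exactly one tag '$category/$tagName', found $($tag.Count)."
}

foreach ($vm in Get-VM -Name '*wahl*') {
    # What does this VM already carry from the same category?
    $existing = Get-TagAssignment -Entity $vm -Category $category

    if ($existing.Tag.Name -contains $tagName) {
        continue   # already tagged as intended, nothing to do
    }
    if ($existing) {
        # With one tag per object, a second assignment from the same category
        # is rejected by vCenter, so report the conflict instead of failing.
        $current = $existing.Tag.Name -join ', '
        Write-Warning "$($vm.Name) already has '$current' in '$category'; skipping."
        continue
    }

    # Pass the resolved tag object rather than the bare name.
    New-TagAssignment -Tag $tag[0] -Entity $vm
}
```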

Performing Actions with PowerCLI based on vSphere Tags
At this point we have categories, tags, and a few objects assigned to those tags. We can now make logical decisions based on the tag information. Huzzah!
In order to provide data protection based on tags, we created another function named Protect-RubrikTag. Modularity is a great thing; avoid creating functions that do multiple actions, if possible! The purpose of this piece of code is to find virtual machines that match a particular tag value and then associate them to SLA Domains within Rubrik. The logic works like this:
- The user supplies a tag and category value as parameters to the function.
- The function finds anything associated with that specific tag.
- The tag is matched to an SLA Domain name and an association is created within Rubrik to protect that virtual machine with the matched SLA Domain.
- If desired, the user can supply a parameter named SLA to override the match. This allows existing tags to be leveraged using the same workflow.
Here’s an example:
Protect-RubrikTag -Tag 'Gold' -Category 'Rubrik' -vCenter 'vcenter1.rubrik.demo'
Using this cmdlet will result in the code finding any virtual machine using the Rubrik category and the Gold tag and assigning the Gold SLA Domain within Rubrik. By running a quick search for my “wahl” virtual machines, I can see that both of them are now assigned the Gold SLA Domain. Easy enough!

Alternatively, I can drill down into one of the virtual machines to see that it is protected by the Gold SLA Domain.
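The matching logic listed above, sketched as an added example that stops short of calling Rubrik (it is not Protect-RubrikTag). The function names and the constructed SLA Domain list are hypothetical, a single connected vCenter is assumed, and the second function goes slightly beyond the post by listing virtual machines that carry no tag from the category and so would never be matched.

```powershell
# Added example: hypothetical helpers; no Rubrik API is called here.
# Assumes one connected vCenter (Connect-VIServer already run).
function Get-ExampleProtectionPlan {
    param(
        [Parameter(Mandatory)][string]$Tag,
        [Parameter(Mandatory)][string]$Category,
        [string]$SLA,                                          # optional override
        [string[]]$KnownSla = @('Gold', 'Silver', 'Bronze')    # constructed sample list
    )

    # Without an override the tag name itself must match an SLA Domain name.
    $target = if ($SLA) { $SLA } else { $Tag }
    if ($KnownSla -notcontains $target) {
        throw "No SLA Domain named '$target'; supply -SLA to map tag '$Tag'."
    }

    # Resolve the tag inside its category, then find every VM that carries it.
    $tagObj = Get-Tag -Name $Tag -Category $Category -ErrorAction Stop
    Get-VM -Tag $tagObj | ForEach-Object {
        [pscustomobject]@{ VM = $_.Name; Tag = "$Category/$Tag"; SLA = $target }
    }
}

function Get-ExampleUntaggedVM {
    param([Parameter(Mandatory)][string]$Category)

    # VMs with no tag from this category fall outside tag-driven protection.
    $tagged = @(Get-TagAssignment -Category $Category | ForEach-Object { $_.Entity.Id })
    Get-VM | Where-Object { $tagged -notcontains $_.Id }
}

# Tag name doubles as the SLA Domain name.
Get-ExampleProtectionPlan -Tag 'Gold' -Category 'Rubrik'

# Pre-existing tag mapped to an SLA Domain through the override.
Get-ExampleProtectionPlan -Tag 'Test' -Category 'Environment' -SLA 'Silver'

# Coverage check: anything listed here has no tag in the category.
Get-ExampleUntaggedVM -Category 'Rubrik' | Select-Object -ExpandProperty Name
```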

Using Pre-Existing Tags
Not everyone is going to want to use brand new tags to create an association. Some folks already use tags and want to recycle those tags for data protection. Fair enough.
As I mentioned earlier, the SLA parameter can be used to override the match. In this case, I have a category named Environment that describes if a workload is Production, Test, or Dev. I’ve gone ahead and associated my two virtual machines to the Test tag.
Using the command below, I have told the function to find any workloads tagged with the Test tag, within the Environment category, and associate them to the Silver SLA Domain.
Protect-RubrikTag -Tag 'Test' -Category 'Environment' -vCenter 'vcenter1.rubrik.demo' -SLA 'Silver'

The workloads are now protected using the Silver SLA Domain using custom tags that existed before Rubrik was introduced into the environment. I prefer creating PowerCLI scripts that allow the greatest amount of flexibility for those using them, while still remaining modular and single-task oriented in nature.
I hope you’ve learned more about categories, tags, and how they can be leveraged by PowerCLI in this post! Have a question or great idea? Leave a comment below. 🙂