
# PowerShell module for VMware Cloud Foundation Validated Solutions
# Contributions, Improvements &/or Complete Re-writes Welcome!
# https://github.com/?


### Note
# This powershell module should be considered entirely experimental. It is still in development & not tested beyond lab
# scenarios. It is recommended you dont use it for any production environment without testing extensively!

# Enable communication with self signed certs when using Powershell Core. If you require all communications to be secure
# and do not wish to allow communication with self signed certs remove lines 17-38 before importing the module.

if ($PSEdition -eq 'Core') {
    $PSDefaultParameterValues.Add("Invoke-RestMethod:SkipCertificateCheck", $true)

if ($PSEdition -eq 'Desktop') {
    # Enable communication with self signed certs when using Windows Powershell
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;

    if ("TrustAllCertificatePolicy" -as [type]) {} else {
        add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertificatePolicy : ICertificatePolicy {
        public TrustAllCertificatePolicy() {}
        public bool CheckValidationResult(
            ServicePoint sPoint, X509Certificate certificate,
            WebRequest wRequest, int certificateProblem) {
            return true;

        [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertificatePolicy

#### Do not modify anything below this line. All user variables are in the accompanying JSON files #####

Function Resolve-PSModule {
        Check for a PowerShell module presence, if not there try to import/install it.

        This function is not exported. The idea is to use the return searchResult from the caller function to establish
        if we can proceed to the next step where the module will be required (developed to check on Posh-SSH).
        - Check if module is imported into the current session
        - If module is not imported, check if available on disk and try to import
        - If module is not imported & not available on disk, try PSGallery then install and import
        - If module is not imported, not available and not in online gallery then abort

        Informing user only if the module needs importing/installing. If the module is already present nothing will be displayed.

        PS C:\> $poshSSH = Resolve-PSModule -moduleName "Posh-SSH"
        This example will check if the current PS module session has Posh-SSH installed, if not will try to install it

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$moduleName

    # Check if module is imported into the current session
    if (Get-Module -Name $moduleName) {
        $searchResult = "ALREADY_IMPORTED"
    else {
        # If module is not imported, check if available on disk and try to import
        if (Get-Module -ListAvailable | Where-Object { $_.Name -eq $moduleName }) {
            Try {
                "`n Module $moduleName not loaded, importing now please wait..."
                Import-Module $moduleName
                Write-Output "Module $moduleName imported successfully."
                $searchResult = "IMPORTED"
            Catch {
                $searchResult = "IMPORT_FAILED"
        else {
            # If module is not imported & not available on disk, try PSGallery then install and import
            if (Find-Module -Name $moduleName | Where-Object { $_.Name -eq $moduleName }) {
                Try {
                    Write-Output "Module $moduleName was missing, installing now please wait..."
                    Install-Module -Name $moduleName -Force -Scope CurrentUser
                    Write-Output "Importing module $moduleName, please wait..."
                    Import-Module $moduleName
                    Write-Output "Module $moduleName installed and imported"
                    $searchResult = "INSTALLED_IMPORTED"
                Catch {
                    $searchResult = "INSTALLIMPORT_FAILED"
            else {
                # If module is not imported, not available and not in online gallery then abort
                $searchResult = "NOTAVAILABLE"
    Return $searchResult

################# I D E N T I T Y A N D A C C E S S M A N A G E M E N T F U N C T I O N S ##################

Function Add-IdentitySource {
        Add Active Directory over LDAP/LDAPS as an Identity Provider to vCenter Server

        The Add-IdentitySource cmdlets adds Active Directory over LDAP/LDAPS as an Identity Provider to the vCenter
        Server and configures is as the default provider. The cmdlet connects to SDDC Manager using the -server, -user,
        and -password values to retrive the management domain vCenter server details from its inventory and then:
        - Verifies a connection to the Active Directory domain controller using the -domain and -dcMachineName values
        - Adds the Active Directory domain as an Identity Provider if not already present
        - Configures the new domain as the default Identity Provider

        Add-IdentitySource -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo.rainpole.io -domainBindUser svc-vsphere-ad -domainBindPass VMw@re1! -dcMachineName dc-sfo01 -baseGroupDn "ou=Security Groups,dc=sfo,dc=rainpole,dc=io" -baseUserDn "ou=Security Users,dc=sfo,dc=rainpole,dc=io" -protocol ldap
        This example adds the sfo.rainpole.io domain as the default Identity Provider to vCenter Server using LDAP

        Add-IdentitySource -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo.rainpole.io -domainBindUser svc-vsphere-ad -domainBindPass VMw@re1! -dcMachineName dc-sfo01 -baseGroupDn "ou=Security Groups,dc=sfo,dc=rainpole,dc=io" -baseUserDn "ou=Security Users,dc=sfo,dc=rainpole,dc=io" -protocol ldaps -certificate F:\certificates\Root64.cer
        This example adds the sfo.rainpole.io domain as the default Identity Provider to vCenter Server using LDAPS

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainBindUser,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainBindPass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$dcMachineName,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$baseGroupDn,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$baseUserDn,
        [Parameter (Mandatory = $true)] [ValidateSet("ldap", "ldaps")] [String]$protocol,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$certificate

    if (!$PsBoundParameters.ContainsKey("certificate") -and ($protocol -eq "ldaps")) {
        $certificate = Get-ExternalFileName -title "Select the Root CA Certificate File (.cer)" -fileType "cer" -location "default"
    elseif ($protocol -eq "ldaps") {
        if (!(Test-Path -Path $certificate)) {
            Write-Error  "Certificate (cer) for Root Certificate Authority '$certificate' File Not Found"

    $domainAlias = ($domain.Split("."))[0].ToUpper()
    $bindUser = $domainBindUser + '@' + ($domain.Split("."))[0].ToLower()
    if ($protocol -eq "ldaps") {
        $primaryUrl = 'ldaps://' + $dcMachineName + '.' + $domain + ':636'
    elseif ($protocol -eq "ldap") {
        $primaryUrl = 'ldap://' + $dcMachineName + '.' + $domain + ':389'

    Try {
        $ssoServer = Get-vCenterServerDetail -server $server -user $user -pass $pass -domainType MANAGEMENT
        $ssoConnection = Connect-SsoAdminServer -Server $ssoServer.fqdn -User $ssoServer.ssoAdmin -Password $ssoServer.ssoAdminPass
        if ($DefaultSsoAdminServers.Name -eq $($ssoServer.fqdn)) {
            if (Get-IdentitySource -Server $ssoConnection | Where-Object { $_.Name -eq $domain }) {
                Write-Warning "Identity Source $domain already added to vCenter Server $($ssoServer.fqdn)"
            else {
                if (Test-Connection -ComputerName ($dcMachineName + "." + $domain) -Quiet -Count 1) {
                    if ($protocol -eq "ldaps") {
                        Add-LDAPIdentitySource -ServerType ActiveDirectory -Name $domain -DomainName $domain -DomainAlias $domainAlias -PrimaryUrl $primaryUrl -BaseDNUsers $baseUserDn -BaseDNGroups $baseGroupDn -Username $bindUser -Password $domainBindPass -Certificate $certificate
                    else {
                        Add-LDAPIdentitySource -ServerType ActiveDirectory -Name $domain -DomainName $domain -DomainAlias $domainAlias -PrimaryUrl $primaryUrl -BaseDNUsers $baseUserDn -BaseDNGroups $baseGroupDn -Username $bindUser -Password $domainBindPass
                    if (Get-IdentitySource -Server $ssoConnection | Where-Object { $_.Name -eq $domain }) {
                        Connect-VIServer -Server $ssoServer.fqdn -User $ssoServer.ssoAdmin -Password $ssoServer.ssoAdminPass | Out-Null
                        if ($DefaultVIServer.Name -eq $($ssoServer.fqdn)) {
                            $scriptCommand = '/opt/vmware/bin/sso-config.sh -set_default_identity_sources -i ' + $domain + ''
                            $output = Invoke-VMScript -VM $ssoServer.vmName -ScriptText $scriptCommand -GuestUser $ssoServer.root -GuestPassword $ssoServer.rootPass
                        else {
                            Write-Error  "Not connected to vCenter Server $($ssoServer.fqdn)"
                    else {
                        Write-Error  "Adding Identity Source $domain to vCenter Server $($ssoServer.vmName) Failed"
                    $scriptCommand = '/opt/vmware/bin/sso-config.sh -set_default_identity_sources -i ' + $domain + ''
                    $output = Invoke-VMScript -VM $ssoServer.vmName -ScriptText $scriptCommand -GuestUser $ssoServer.root -GuestPassword $ssoServer.rootPass
                    Write-Output  "Confirmed adding Identity Source $domain and setting as default to vCenter Server $($ssoServer.fqdn) Successfully"
                    Disconnect-VIServer -Server $ssoServer.fqdn -Confirm:$false -WarningAction SilentlyContinue | Out-Null
                else {
                    Write-Error  "Domain Controller $dcMachineName is not contactable"
            Disconnect-SsoAdminServer -Server $ssoServer.fqdn -WarningAction SilentlyContinue
        else {
            Write-Error  "Not connected to Single-Sign On Domain Server $($ssoServer.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-IdentitySource

Function Add-SddcManagerRole {
        Assign SDDC Manager roles to a user/group

        The Add-SddcManagerRole cmdlet assigns an SDDC Manager role to the user or group provided.
        The cmdlet connects to SDDC Manager using the -server, -user, and -password values and then:
        - Verifies that the bind credetials are valid
        - Verifies that the domain is present in vCenter Server as an Identity Provider
        - Verifies the user or group exists in Active Directory
        - Assigns the user or group to the SDDC Manager role

        Add-SddcManagerRole -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo.rainpole.io -domainBindUser svc-vsphere-ad -domainBindPass VMw@re1! -principal gg-vcf-admins -role ADMIN -type group
        This example assigns the group gg-vcf-admins from domain sfo.rainpole.io the SDDC Manager role ADMIN

        Add-SddcManagerRole -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo.rainpole.io -domainBindUser svc-vsphere-ad -domainBindPass VMw@re1! -principal gg-vcf-operators -role OPERATOR -type group
        This example assigns the group gg-vcf-operators from domain sfo.rainpole.io the SDDC Manager role OPERATOR

        Add-SddcManagerRole -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo.rainpole.io -domainBindUser svc-vsphere-ad -domainBindPass VMw@re1! -principal gg-vcf-viewers -role VIEWER -type group
        This example assigns the group gg-vcf-viewers from domain sfo.rainpole.io the SDDC Manager role VIEWER

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainBindUser,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainBindPass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$principal,
        [Parameter (Mandatory = $true)] [ValidateSet("ADMIN", "OPERATOR", "VIEWER")] [String]$role,
        [Parameter (Mandatory = $true)] [ValidateSet("group", "user")] [String]$type

    Try {
        $checkAdAuthentication = Test-ADAuthentication -user $domainBindUser -pass $domainBindPass -server $domain -domain $domain -ErrorAction SilentlyContinue
        if ($checkAdAuthentication[1] -match "Authentication Successful") {
            $securePass = ConvertTo-SecureString -String $domainBindPass -AsPlainText -Force
            $domainCreds = New-Object System.Management.Automation.PSCredential ($domainBindUser, $securePass)
            Request-VCFToken -fqdn $server -Username $user -Password $pass | Out-Null
            if ($accessToken) {
                $ssoServer = Get-vCenterServerDetail -server $server -user $user -pass $pass -domainType MANAGEMENT
                $ssoConnection = Connect-SsoAdminServer -Server $ssoServer.fqdn -User $ssoServer.ssoAdmin -Password $ssoServer.ssoAdminPass
                if (Get-IdentitySource -Server $ssoConnection | Where-Object { $_.Name -eq $domain }) {
                    if ($type -eq "group") { $adObjectCheck = (Get-ADGroup -Server $domain -Credential $domainCreds -Filter { SamAccountName -eq $principal }) }
                    elseif ($type -eq "user") { $adObjectCheck = (Get-ADUser -Server $domain -Credential $domainCreds -Filter { SamAccountName -eq $principal }) }
                    if ($adObjectCheck) {
                        if ($type -eq "group") {
                            $vcfCheck = Get-VCFUser | Where-Object { $_.name -eq $($domain.ToUpper() + "\" + $principal) }
                            if ($vcfCheck.name -eq $($domain.ToUpper() + "\" + $principal)) {
                                Write-Warning -Message "Active Directory $type '$principal' already assigned the $role role in SDDC Manager"
                            else {
                                New-VCFGroup -group $principal -domain $domain -role $role | Out-Null
                                $vcfCheck = Get-VCFUser | Where-Object { $_.name -eq $($domain.ToUpper() + "\" + $principal) }
                                if ($vcfCheck.name -eq $($domain.ToUpper() + "\" + $principal)) {
                                    Write-Output "Active Directory $type '$principal' assigned the $role role in SDDC Manager Successfully"
                                else {
                                    Write-Error "Assigning Active Directory $type '$principal' the $role role in SDDC Manager Failed"
                        elseif ($type -eq "user") {
                            $vcfCheck = Get-VCFUser | Where-Object { $_.name -eq $($principal + "@" + $domain.ToUpper()) }
                            if ($vcfCheck.name -eq $($principal + "@" + $domain.ToUpper())) {
                                Write-Warning -Message "Active Directory $type '$principal' already assigned the $role role in SDDC Manager"
                            else {
                                New-VCFUser -user ($principal + "@" + $domain.ToUpper()) -role $role | Out-Null
                                $vcfCheck = Get-VCFUser | Where-Object { $_.name -eq $($principal + "@" + $domain.ToUpper()) }
                                if ($vcfCheck.name -eq $($principal + "@" + $domain.ToUpper())) {
                                    Write-Output "Active Directory $type '$principal' assigned the $role role in SDDC Manager Successfully"
                                else {
                                    Write-Error "Assigning Active Directory $type '$principal' the $role role in SDDC Manager Failed"
                    else { Write-Error "Active Directory $type '$principal' not found in the Active Directory Domain, please create and retry"
                else {
                    Write-Error "Active Directory domain $domain not added as an Identity Source to vCenter Server $($ssoServer.fqdn)"
            else {
                Write-Error "Failed to obtain access token from SDDC Manager, check details provided"
        else {
            Write-Error  "Unable to authenticate to Active Directory with user '$domainBindUser' and password '$domainBindPass', verify they are correct and try again"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-SddcManagerRole

Function Set-vCenterPasswordExpiration {
        Set the password expiration for the root account

        The Set-vCenterPasswordExpiration cmdlet configures password expiration settings for the vCenter Server root
        account. The cmdlet connects to vCenter Server using the -server, -user, and -password values and then:
        - Configures the password expiration either to never expire or to expire in given number of days
        - Sets the email for warning notification to given value

        Set-vCenterPasswordExpiration -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-m01 -passwordExpires $true -email "admin@rainpole.io" -maxDaysBetweenPasswordChange 80
        This example configures the configures password expiration settings for the vCenter Server root account to expire after 80 days with email for warning set to "admin@rainpole.io"

        Set-vCenterPasswordExpiration -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-m01 -passwordExpires $false
        This example configures the configures password expiration settings for the vCenter Server root account to never expire

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $false, ParameterSetName = 'neverexpire')]
        [Parameter (Mandatory = $true, ParameterSetName = 'expire')] [ValidateNotNullOrEmpty()] [Bool]$passwordExpires,
        [Parameter (Mandatory = $true, ParameterSetName = 'expire')] [ValidateNotNullOrEmpty()] [String]$email,
        [Parameter (Mandatory = $true, ParameterSetName = 'expire')] [ValidateNotNullOrEmpty()] [String]$maxDaysBetweenPasswordChange

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
        Request-vSphereApiToken -Fqdn $vcenter.fqdn -Username $vcenter.ssoadmin -Password $vcenter.ssoAdminPass -admin | Out-Null
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            $pwdExpirySettings = Get-VCPasswordExpiry
            if ($passwordExpires) {
                Set-VCPasswordExpiry -passwordExpires $passwordExpires -email $email -maxDaysBetweenPasswordChange $maxDaysBetweenPasswordChange | Out-Null
            else {
                Set-VCPasswordExpiry -passwordExpires $passwordExpires | Out-Null
            $pwdExpirySettings = Get-VCPasswordExpiry
            if ($pwdExpirySettings.max_days_between_password_change -eq -1) {
                Write-Output "vCenter Server Appliance Password Expiration set to 'Never Expire' Successfully"
            else {
                Write-Output "vCenter Server Appliance Password Expiration set to '$($pwdExpirySettings.max_days_between_password_change) days' and Email Notification set to '$($pwdExpirySettings.email)' Successfully"
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
        Disconnect-VIServer $vcenter.fqdn -Confirm:$false -WarningAction SilentlyContinue
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Set-vCenterPasswordExpiration

Function Set-EsxiPasswordPolicy {
        Set ESXi password polciies

        The Set-EsxiPasswordPolicy cmdlet configures the password and lockout policies on ESXi.
        The cmdlet connects to SDDC Manager using the -server, -user, and -password values and then:
        - Gathers the vCenter Server details for the workload domain
        - Gathers the ESXi hosts for the cluster specificed
        - Configured all ESXi hosts in he provided cluster

        Set-EsxiPasswordPolicy -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-m01 -cluster sfo-m01-cl01 -policy "retry=5 min=disabled,disabled,disabled,disabled,15"
        This example configures all ESXi hosts within the cluster named sfo-m01-cl01 of the workload domain sfo-m01

      Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$cluster,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$policy

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            $checkCluster = Get-Cluster | Where-Object {$_.Name -eq $cluster}
            if ($checkCluster) {
                $esxiHosts = Get-Cluster $cluster | Get-VMHost
                $count = 0
                Foreach ($esxiHost in $esxiHosts) {
                    $advancedSetting = Get-VMHost | Where-Object { $_.ConnectionState -eq "Connected" } | Get-AdvancedSetting | Where-Object { $_.Name -eq "Security.PasswordQualityControl" }
                    if ($advancedSetting) {
                        Set-AdvancedSetting -AdvancedSetting $advancedSetting -Value $policy -Confirm:$false | Out-Null
                        $checkSetting = Get-VMHost | Where-Object { $_.ConnectionState -eq "Connected" } | Get-AdvancedSetting | Where-Object { $_.Name -eq "Security.PasswordQualityControl" }
                        if ($checkSetting -match $policy) {
                             Write-Output "Updated the Advanced System Setting 'Security.PasswordQualityControl' for '$esxiHost' Successfully"
                        else {
                            Write-Error "Updating the Advanced System Setting 'Security.PasswordQualityControl for '$esxiHost' Failed, please retry"
                    $count = $count + 1
            else {
                Write-Error "Cluster '$cluster' is not found in vCenter Server '$($vcenter.fqdn)', check the input and retry"
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
        Disconnect-VIServer $vcenter.fqdn -Confirm:$false -WarningAction SilentlyContinue
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Set-EsxiPasswordPolicy

Function Install-WorkspaceOne {
        Deploy Workspace ONE Access Virtual Appliance

        The Install-WorkspaceOne cmdlet deploys the Workspace ONE Access Virtual Appliance OVA.
        The cmdlet connects to SDDC Manager using the -server, -user, and -password values to retrive the management domain
        vCenter Server details from its inventory and then:
        - Gathers vSphere configuration from vCenter Server
        - Gathers DNS and NTP configuration from SDDC Manager
        - Deploys the Workspace ONE Access Virtual Appliance

        Install-WorkspaceOne -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -wsaFqdn sfo-wsa01.sfo.rainpole.io -wsaIpAddress -wsaGateway -wsaSubnetMask -wsaOvaPath F:\identity-manager.ova -wsaFolder sfo-m01-fd-wsa
        This example deploys the Workspace ONE Access Virtual Appliance named sfo-wsa01.sfo.rainpole.io into the sfo-m01-fd-wsa folder of the management domain

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$wsaFqdn,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$wsaIpAddress,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$wsaGateway,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$wsaSubnetMask,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$wsaFolder,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$wsaOvaPath

    Try {
        if (!$PsBoundParameters.ContainsKey("wsaOvaPath")) {
            $wsaOvaPath = Get-ExternalFileName -title "Select the Workspace ONE Access OVA file (.ova)" -fileType "ova" -location "default"
        else {
            if (!(Test-Path -Path $wsaOvaPath)) {
                Write-Error  "Workspace ONE Access OVA '$wsaOvaPath' File Not Found"
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domainType MANAGEMENT
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
        $wsaHostname = $wsaFqdn.Split(".")[0]
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            $wsaExists = Get-VM -Name $wsaHostname -ErrorAction Ignore
            if ($wsaExists) {
                Write-Warning "A virtual machine called $wsaHostname already exists in vCenter Server $vcServer"
            else {
                $dnsServer1 = (Get-VCFConfigurationDNS | Where-Object { $_.isPrimary -Match "True" }).ipAddress
                $dnsServer2 = (Get-VCFConfigurationDNS | Where-Object { $_.isPrimary -Match "False" }).ipAddress
                $cluster = (Get-VCFCluster | Where-Object { $_.id -eq ((Get-VCFWorkloadDomain | Where-Object { $_.type -eq "MANAGEMENT" }).clusters.id) }).Name
                $datastore = (Get-VCFCluster | Where-Object { $_.id -eq ((Get-VCFWorkloadDomain | Where-Object { $_.type -eq "MANAGEMENT" }).clusters.id) }).primaryDatastoreName
                $datacenter = (Get-Datacenter -Cluster $cluster).Name
                $avnCheck = (Get-VCFApplicationVirtualNetwork | Where-Object { $_.regionType -eq "REGION_A" }).name
                if ($avnCheck) {
                    $regionaPortgroup = (Get-VCFApplicationVirtualNetwork | Where-Object { $_.regionType -eq "REGION_A" }).name
                    $domain = (Get-VCFApplicationVirtualNetwork | Where-Object { $_.regionType -eq "REGION_A" }).domainName

                    $command = '"C:\Program Files\VMware\VMware OVF Tool\ovftool.exe" --noSSLVerify --acceptAllEulas --allowAllExtraConfig --diskMode=thin --powerOn --name=' + $wsaHostname + ' --ipProtocol="IPv4" --ipAllocationPolicy="fixedAllocatedPolicy" --vmFolder=' + $wsaFolder + ' --net:"Network 1"=' + $regionaPortgroup + ' --datastore=' + $datastore + ' --X:injectOvfEnv --prop:vamitimezone=' + $timezone + ' --prop:vami.ip0.IdentityManager=' + $wsaIpAddress + ' --prop:vami.netmask0.IdentityManager=' + $wsaSubnetMask + ' --prop:vami.hostname=' + $wsaFqdn + ' --prop:vami.gateway.IdentityManager=' + $wsaGateway + ' --prop:vami.domain.IdentityManager=' + $domain + ' --prop:vami.searchpath.IdentityManager=' + $domain + ' --prop:vami.DNS.IdentityManager=' + $dnsServer1 + ',' + $dnsServer2 + ' "' + $wsaOvaPath + '" "vi://' + $vcenter.ssoAdmin + ':' + $vcenter.ssoAdminPass + '@' + $vcenter.fqdn + '/' + $datacenter + '/host/' + $cluster + '/"'
                    Invoke-Expression "& $command" -ErrorAction Ignore
                    $wsaExists = Get-VM -Name $wsaHostname -ErrorAction Ignore
                    if ($wsaExists) {
                        $Timeout = 900  ## seconds
                        $CheckEvery = 15  ## seconds
                        Try {
                            $timer = [Diagnostics.Stopwatch]::StartNew()  ## Start the timer
                            Write-Output "Waiting for $wsaIpAddress to become pingable."
                            While (-not (Test-Connection -ComputerName $wsaIpAddress -Quiet -Count 1)) {
                                ## If the timer has waited greater than or equal to the timeout, throw an exception exiting the loop
                                if ($timer.Elapsed.TotalSeconds -ge $Timeout) {
                                    Throw "Timeout Exceeded. Giving up on ping availability to $wsaIpAddress"
                                Start-Sleep -Seconds $CheckEvery  ## Stop the loop every $CheckEvery seconds
                        Catch {
                            Write-Error "Failed to get a Response from $wsaFqdn"
                        Finally {
                            $timer.Stop()  ## Stop the timer
                        $Timeout = 900  ## seconds
                        $CheckEvery = 5  ## seconds
                        Try {
                            $timer = [Diagnostics.Stopwatch]::StartNew()  ## Start the timer
                            $uri = "https://" + $wsaFqdn + "/SAAS/jersey/manager/api/system/health"
                            Write-Output "Initial connection made, waiting for $wsaFqdn to fully boot and services to start. Be warned, this takes a long time."
                            While ($timer.Elapsed.TotalSeconds -lt $Timeout) {
                                ## If the timer has waited greater than or equal to the timeout, throw an exception exiting the loop
                                Try {
                                    $response = Invoke-RestMethod $uri -Method 'GET' -SessionVariable webSession -ErrorAction Ignore
                                    if ($response.AllOk -eq "true") {
                                        Write-Output "Deployment of $wsaFqdn using $wsaOvaPath completed Successfully"
                                Catch {
                                    Write-Output "Waiting for $wsaFqdn to fully boot up. Checking every $CheckEvery seconds"
                                Start-Sleep -Seconds $CheckEvery  ## Stop the loop every $CheckEvery seconds
                            if ($timer.Elapsed.TotalSeconds -ge $Timeout) {
                                    Write-Error "$wsaFqdn failed to initialize properly. Please delete the VM from $($vcenter.fqdn) and retry"
                        Catch {
                            Debug-ExceptionWriter -object $_
                        Finally {
                            $timer.Stop()  ## Stop the timer
                    else {
                        Write-Error "Workspace ONE Access Failed to deploy"
                else {
                    Write-Error  "Application Virtual Networks have not been configured on $server, unable to find REGION_A details. Configure them and try again"
            Disconnect-VIServer $vcenter.fqdn -Confirm:$false -WarningAction SilentlyContinue
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Install-WorkspaceOne

Function Initialize-WorkspaceOne {
        Initalize Workspace ONE Access Virtual Appliance

        The Initialize-WorkspaceOne cmdlet performs the initial configuration of Workspace ONE Access Virtual Appliance.
        - Sets the default password for the admin, root and SSH Users
        - Initializes the internal PostgrsSQL database
        - Activates the default connector

        Initialize-WorkspaceOne -wsaFqdn sfo-wsa01.sfo.rainpole.io -adminPass VMw@re1! -rootPass VMw@re1! -sshUserPass VMw@re1!
        This example initialzes the Workspace ONE Access Virtual Appliance sfo-wsa01.sfo.rainpole.io and sets the default passwords for admin, root and SSH User

      Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$wsaFqdn,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$adminPass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$rootPass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$sshUserPass

    Try {
        $baseUri = "https://" + $wsaFqdn + ":8443"
        $uri = $baseUri + "/login"
        $response = Invoke-RestMethod $uri -Method 'GET' -SessionVariable webSession
        $response | Out-File wsaResponse.txt
        $tokenSource = (Select-String -Path wsaResponse.txt -Pattern 'window.ec_wiz.vk =')
        $token = ($tokenSource -Split ("'"))[1]
        Remove-Item wsaResponse.txt
        if ($token) {
            $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
            $headers.Add("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8")
            $headers.Add("X-Vk", "$token")
            $headers.Add("Accept", "application/json")
            # Set the Admin Password
            $body = "password=" + $adminPass + "&confpassword=" + $adminPass
            $uri = $baseUri + "/cfg/changePassword"
            Invoke-RestMethod $uri -Method 'POST' -Headers $headers -Body $body -WebSession $webSession | Out-Null
            # Set the Root & SSHUser Passwords
            $body = "rootPassword=" + $rootPass + "&sshuserPassword=" + $sshUserPass
            $uri = $baseUri + "/cfg/system"
            Invoke-RestMethod $uri -Method 'POST' -Headers $headers -Body $body -WebSession $webSession  | Out-Null
            # Initalize the Internal Database
            $uri = $baseUri + "/cfg/setup/initialize"
            Invoke-RestMethod $uri -Method 'POST' -Headers $headers -WebSession $webSession  | Out-Null
            # Activate the default connector
            $uri = $baseUri + "/cfg/setup/activateConnector"
            Invoke-RestMethod $uri -Method 'POST' -Headers $headers -WebSession $webSession  | Out-Null
            Write-Output "Initial configuration of Workspace ONE Access Virtual Appliance $wsaFqdn completed Succesfully"
        else {
            Write-Warning "Initial configuration of Workspace ONE Access Virtual Appliance $wsaFqdn has already been performed"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Initialize-WorkspaceOne

Function Set-WorkspaceOneNtpConfig {
        Configure NTP Server on Workspace ONE Access Appliance

        The Set-WorkspaceOneNtpConfig cmdlet configures the NTP Server details of the Workspace ONE Access Appliance
        using the same NTP Server configuration as SDDC Manager

        Set-WorkspaceOneNtpConfig -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -wsaFqdn sfo-wsa01.sfo.rainpole.io -rootPass VMw@re1!
        This example configures the Workspace ONE Access Virtual Appliance sfo-wsa01.sfo.rainpole.io with the same NTP Servers defined in SDDC Manager

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$wsaFqdn,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$rootPass

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domainType MANAGEMENT
        if (Test-Connection -ComputerName ($wsaFqdn) -Quiet -Count 1) {
            Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
            if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
                $ntpServer = (Get-VCFConfigurationNTP).ipAddress
                $vmName = $wsaFqdn.Split(".")[0]
                if ($checkVm = (Get-VM -Name $vmName -WarningAction SilentlyContinue -ErrorAction SilentlyContinue )) {
                    $scriptCommand = '/usr/local/horizon/scripts/ntpServer.hzn --get'
                    $output = Invoke-VMScript -VM $vmName -ScriptText $scriptCommand -GuestUser root -GuestPassword $rootPass -Server $vcenter.fqdn
                    if (($output.ScriptOutput).Contains($ntpServer)) {
                        Write-Warning -Message "NTP Server '$ntpServer' already configured on Workspace One Access Virtual Appliance $vmName"
                    else {
                        $scriptCommand = '/usr/local/horizon/scripts/ntpServer.hzn --set ' + $ntpServer
                        $output = Invoke-VMScript -VM $vmName -ScriptText $scriptCommand -GuestUser root -GuestPassword $rootPass -Server $vcenter.fqdn
                        $scriptCommand = '/usr/local/horizon/scripts/ntpServer.hzn --get'
                        $output = Invoke-VMScript -VM $vmName -ScriptText $scriptCommand -GuestUser root -GuestPassword $rootPass -Server $vcenter.fqdn
                        if (($output.ScriptOutput).Contains($ntpServer)) {
                            Write-Output "Configured NTP Server '$ntpServer' on Workspace One Access Virtual Appliance $vmName Successfully"
                        else {
                            Write-Error "Configuring NTP Server '$ntpServer' on Workspace One Access Virtual Appliance $vmName Failed"
                else {
                    Write-Error  "A virtual machine with name $vmName not found in vCenter Server $($vcenter.fqdn)"
                Disconnect-VIServer $vcenter.fqdn -Confirm:$false -WarningAction SilentlyContinue
            else {
                Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
        else {
            Write-Error "Workspace ONE Access Appliance $wsaFqdn is not contactable"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Set-WorkspaceOneNtpConfig

Function Install-WorkspaceOneCertificate {
        Install a Signed Certificate on Workspace ONE Access Appliance

        The Install-WorkspaceOneCertificate cmdlet replaces the certificate on the Workspace ONE Access

        Install-WorkspaceOneCertificate -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -wsaFqdn sfo-wsa01.sfo.rainpole.io -rootPass VMw@re1! -sshUserPass VMw@re1!
        This example install the Workspace ONE Access Virtual Appliance sfo-wsa01.sfo.rainpole.io with a the signed certificate provided

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$wsaFqdn,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$rootPass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$sshUserPass,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$rootCa,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$wsaCertKey,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$wsaCert

    Try {

        if (!$PsBoundParameters.ContainsKey("rootCa")) {
            $rootCa = Get-ExternalFileName -title "Select the Root CA Certificate File (.cer)" -fileType "cer" -location "default"
        elseif ($PsBoundParameters.ContainsKey("rootCa")) {
            if (!(Test-Path -Path $rootCa)) {
                Write-Error  "Certificate (.cer) for Root Certificate Authority '$rootCa' File Not Found"

        if (!$PsBoundParameters.ContainsKey("wsaCertKey")) {
            $wsaCertKey = Get-ExternalFileName -title "Select the Workspace ONE Access Certificate Key (.key)" -fileType "key" -locaion "default"
        elseif ($PsBoundParameters.ContainsKey("wsaCertKey")) {
            if (!(Test-Path -Path $wsaCertKey)) {
                Write-Error  "Certificate Key (.key) for Workspace ONE Access '$wsaCertKey' File Not Found"

        if (!$PsBoundParameters.ContainsKey("wsaCert")) {
            $wsaCert = Get-ExternalFileName -title "Select the Workspace ONE Access Certificate File (.cer)" -fileType "cer" -location "default"
        elseif ($PsBoundParameters.ContainsKey("wsaCert")) {
            if (!(Test-Path -Path $wsaCert)) {
                Write-Error  "Certificate (.cer) for Workspace ONE Access '$wsaCert' File Not Found"

        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domainType MANAGEMENT
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            $vmName = $wsaFqdn.Split(".")[0]
            $SecurePassword = ConvertTo-SecureString -String $sshUserPass -AsPlainText -Force
            $secureCreds = New-Object System.Management.Automation.PSCredential ("sshuser", $SecurePassword)
            Set-SCPFile -ComputerName $wsaFqdn -Credential $secureCreds -RemotePath '/tmp' -LocalFile $rootCa -NoProgress -AcceptKey $true -Force -WarningAction SilentlyContinue
            Set-SCPFile -ComputerName $wsaFqdn -Credential $secureCreds -RemotePath '/tmp' -LocalFile $wsaCertKey -NoProgress -AcceptKey $true -Force -WarningAction SilentlyContinue
            Set-SCPFile -ComputerName $wsaFqdn -Credential $secureCreds -RemotePath '/tmp' -LocalFile $wsaCert -NoProgress -AcceptKey $true -Force -WarningAction SilentlyContinue
            $scriptCommand = 'echo "yes" | /usr/local/horizon/scripts/installExternalCertificate.hzn --ca /tmp/' + (Split-Path -Leaf $rootCa) + ' --cert /tmp/' + (Split-Path -Leaf $wsaCert) + ' --key /tmp/' + (Split-Path -Leaf $wsaCertKey)
            $output = Invoke-VMScript -VM $vmName -ScriptText $scriptCommand -GuestUser root -GuestPassword $rootPass -Server $vcenter.fqdn
            Write-Output "Installed Signed Certifcate $wsaCert on Workspace One Access Virtual Appliance $wsaFqdn Successfully"
            Disconnect-VIServer $vcenter.fqdn -Confirm:$false -WarningAction SilentlyContinue
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Install-WorkspaceOneCertificate

Function Set-WorkspaceOneSmtpConfig {
        Configure SMTP Server on Workspace ONE Access Appliance

        The Set-WorkspaceOneSmtpConfig cmdlet configures the SMTP Server details of the Workspace ONE Access Appliance

        Set-WorkspaceOneSmtpConfig -server sfo-wsa01.sfo.rainpole.io -user admin -pass VMw@re1! -smtpFqdn smtp.sfo.rainpole.io -smtpPort 25 -smtpEmail sfo-wsa@rainpole.io
        This example configures the Workspace ONE Access Virtual Appliance sfo-wsa01.sfo.rainpole.io with the SMTP Server details

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$smtpFqdn,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$smtpPort,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$smtpEmail,
        [Parameter (Mandatory = $false)] [String]$smtpEmailPassword

    Try {
        Request-WSAToken -fqdn $server -user $user -pass $pass | Out-Null
        if ($sessionToken) {
            if (-not $PsBoundParameters.ContainsKey("smtpEmailPassword")) {
                Set-WSASmtpConfiguration -fqdn $smtpFqdn -port $smtpPort -user $smtpEmail | Out-Null
            if ($PsBoundParameters.ContainsKey("smtpEmailPassword")) {
                Set-WSASmtpConfiguration -fqdn $smtpFqdn -port $smtpPort -user $smtpEmail -pass $smtpEmailPassword | Out-Null
            Write-Output "Completed SMTP configuration for Workspace ONE Access '$server' Successfully"
        else {
            Write-Error  "Failed to obtain access token from Workspace One Access appliance '$server', check details provided"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Set-WorkspaceOneSmtpConfig

Function Add-WorkspaceOneDirectory {
        Configure Active Directory LDAP Directory in Workspace ONE Access Appliance

        The Add-WorkspaceOneDirectory cmdlet configures Active Directory LDAP Directory in Workspace ONE Access Appliance

        Add-WorkspaceOneDirectory -server sfo-wsa01.sfo.rainpole.io -user admin -pass VMw@re1! -domain sfo.rainpole.io -baseDn "OU=VVD,DC=sfo,DC=rainpole,DC=io" -bindUserDn "CN=svc-wsa-ad,OU=VVD,DC=sfo,DC=rainpole,DC=io" -bindUserPass VMw@re1! -adGroups "gg-nsx-enterprise-admins","gg-nsx-network-admins","gg-nsx-auditors","gg-wsa-admins","gg-wsa-directory-admins","gg-wsa-read-only" -protocol "ldaps" -certificate "F:\platformtools-l1-dev\certificates\Root64.pem"
        This example configures the domain sfo.rainpole.io as a directory source in Workspace ONE Access Virtual Appliance and syncronises the groups provided

      Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$baseDnUser,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$baseDnGroup,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$bindUserDn,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$bindUserPass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [Array]$adGroups,
        [Parameter (Mandatory = $true)] [ValidateSet("ldap", "ldaps")] [String]$protocol,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$certificate

    if (!$PsBoundParameters.ContainsKey("certificate") -and ($protocol -eq "ldaps")) {
        $certificate = Get-ExternalFileName -title "Select the Root CA Certificate File (.pem)" -fileType "pem" -location "default"
    elseif ($protocol -eq "ldaps") {
        if (!(Test-Path -Path $certificate)) {
            Write-Error  "Certificate (cer) for Root Certificate Authority '$certificate' File Not Found"

    Try {
        Request-WSAToken -fqdn $server -user $user -pass $pass | Out-Null
        if ($sessionToken) {
            $checkAdAuthentication = Test-ADAuthentication -user ($bindUserDn.Split(",")[0]).Split("=")[1] -pass $bindUserPass -server $domain -domain $domain
            if ($checkAdAuthentication -contains "2") {
                $checkDirectoryExist = Get-WSADirectory | Where-Object { ($_.name -eq $domain) }
                if (!$checkDirectoryExist) {
                    if ($protocol -eq "ldaps") {
                        $directory = Add-WSALdapDirectory -domainName $domain -baseDn $baseDnUser -bindDn $bindUserDn -certificate $certificate
                        $directory = Add-WSALdapDirectory -domainName $domain -baseDn $baseDnUser -bindDn $bindUserDn
                    $connector = Get-WSAConnector
                    Set-WSABindPassword -directoryId $directory.directoryConfigId -connectorId $connector.instanceId -pass $bindUserPass | Out-Null
                    $adUserJson = '{ "identityUserInfo": { "' + $bindUserDn + '": { "selected": true }, "' + $baseDnUser + '": { "selected": true }}}'
                    $mappedGroupObject = @()
                    foreach ($group in $adGroups) {
                        $adGroupDetails = Get-ADPrincipalGuid -domain $domain -user ($bindUserDn.Split(',')[0]).Split('=')[1] -pass $bindUserPass -principal $group
                        if ($adGroupDetails) {
                            $groupsObject = @()
                            $groupsObject += [pscustomobject]@{
                                'horizonName' = $adGroupDetails.Name
                                'dn'          = $adGroupDetails.DistinguishedName
                                'objectGuid'  = $adGroupDetails.ObjectGuid
                                'groupBaseDN' = $baseDnGroup
                                'source'      = "DIRECTORY"
                            $mappedGroupObject += [pscustomobject]@{
                                'mappedGroup' = ($groupsObject | Select-Object -Skip 0)
                                'selected'    = $true
                        else {
                            Write-Error "Group $group is not available in Active Directory Domain"
                    $mappedGroupObjectData = @()
                    $mappedGroupObjectData += [pscustomobject]@{
                        'mappedGroupData' = $mappedGroupObject
                        'selected'        = $false
                    $identityGroupObject = @()
                    $identityGroupObject += [pscustomobject]@{
                        $baseDnGroup = ($mappedGroupObjectData | Select-Object -Skip 0)
                    $adGroupObject = @()
                    $adGroupObject += [pscustomobject]@{
                        'identityGroupInfo'         = ($identityGroupObject | Select-Object -Skip 0)
                        'excludeNestedGroupMembers' = $false
                    $adGroupJson = $adGroupObject | ConvertTo-Json -Depth 10

                    Set-WSADirectoryUser -directoryId $directory.directoryConfigId -json $adUserJson | Out-Null
                    Set-WSADirectoryGroup -directoryId $directory.directoryConfigId -json $adGroupJson | Out-Null
                    Set-WSASyncSetting -directoryId $directory.directoryConfigId | Out-Null
                    Start-WSADirectorySync -directoryId $directory.directoryConfigId | Out-Null
                    Write-Output "Active Directory LDAP Directory created in Workspace One Access Successfully"
                else {
                    Write-Warning  "LDAP Directory for $domain already exists, skipping the creation"
            else {
                Write-Error "Domain User $domainJoinUser Authentication Failed"
        else {
            Write-Error  "Failed to obtain access token from Workspace One Access appliance '$server', check details provided"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-WorkspaceOneDirectory

Function Set-WorkspaceOneNsxtIntegration {
        Integrate NSX Manager with Workspace ONE Access

        The Set-WorkspaceOneNsxtIntegration cmdlet configures integration between NSX Manager and Workspace ONE Access. The cmdlet connects
        to SDDC Manager using the -server, -user, and -password values to retrive the NSX Manager details from its inventory and then:
        - Creates a service client within Workspace ONE Access
        - Enables the integration between NSX Manager and Workspace ONE Access

        Set-WorkspaceOneNsxtIntegration -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-m01 -wsaFqdn sfo-wsa01.sfo.rainpole.io -wsaUser admin -wsaPass VMw@re1!
        This example integrates the management domain NSX Manager instance with Workspace ONE Access

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$wsaFqdn,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$wsaUser,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$wsaPass

    Try {
        $nsxtManagerDetails = Get-NsxtServerDetail -fqdn $server -username $user -password $pass -domain $domain
        Request-NsxToken -fqdn $nsxtManagerDetails.fqdn -username $nsxtManagerDetails.adminUser -password $nsxtManagerDetails.AdminPass | Out-Null
        if ($accessToken) {
            $clientId = $nsxtManagerDetails.fqdn.Split(".")[0] + "-oauth"
            $command = 'openssl s_client -connect ' + $wsaFqdn + ':443 2>&1 | openssl x509 -sha256 -fingerprint -noout'
            $wsaThumbprint = (Invoke-Expression "& $command").Split("=")[1]
            if (!$wsaThumbprint) {
                Write-Error "Obtain SSL thumbprint for Workspace ONE Access Appliance '$wsaFqdn' failed, check details and try again"
            Request-WSAToken -fqdn $wsaFqdn -user $wsaUser -pass $wsaPass | Out-Null
            if ($sessionToken) {
                $sharedSecret = (Get-WSAOAuthToken).message
                $clientExists = Get-WSAClient | Where-Object { $_.clientId -eq $clientId }
                if (!$clientExists) {
                    Add-WSAClient -clientId $clientId -sharedSecret $sharedSecret | Out-Null
                    $clientExists = Get-WSAClient | Where-Object { $_.clientId -eq $clientId }
                    if ($clientExists) {
                        Write-Output "Created Service client '$clientId' in Workspace ONE Access Successfully"
                    else {
                        Write-Error "Creation of Service client '$clientId' in Workspace ONE Access Failed, check inputs and try again"
                else {
                    Write-Warning "Service client '$clientId' in Workspace ONE Access already exists, skipping the creation"
                $vidmExists = Get-NsxtVidm
                if ($vidmExists) {
                    $clientIdSecret = (Get-WSAClient -clientId $clientId).secret
                    Set-NsxtVidm -wsaHostname $wsaFqdn -thumbprint $wsaThumbprint -clientId $clientId -sharedSecret $clientIdSecret -nsxHostname $nsxtManagerDetails.fqdn | Out-Null
                    Write-Output "Updated integration between NSX-T Manager '$($nsxtManagerDetails.fqdn) and Workspace ONE Acccess '$wsaFqdn' Successfully"
                else {
                    Set-NsxtVidm -wsaHostname $wsaFqdn -thumbprint $wsaThumbprint -clientId $clientId -sharedSecret $sharedSecret -nsxHostname $nsxtManagerDetails.fqdn | Out-Null
                    Write-Output "Created integration between NSX-T Manager '$($nsxtManagerDetails.fqdn) and Workspace ONE Acccess '$wsaFqdn' Successfully"
            else {
                Write-Error  "Failed to obtain access token from Workspace ONE Access appliance '$wsaFqdn', check details provided"
        else {
            Write-Error "Failed to obtain access token from NSX-T Data Center '$($nsxtManagerDetails.fqdn)', check details provided"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Set-WorkspaceOneNsxtIntegration

Function Add-NsxtVidmGroupRole {
        Configure Role-Based Access Control for NSX Manager

        The Add-NsxtVidmGroupRole cmdlet configures role assignments in NSX Manager. The cmdlet connects to SDDC
        Manager using the -server, -user, and -password values to retrive the NSX Manager details from its inventory and then:
        - Assigns Active Directory groups to NSX Manager roles

        Add-NsxtVidmGroupRole -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-m01 -group "gg-nsx-enterprise-admins@sfo.rainpole.io" -role enterprise_admin
        This example assigns the gg-nsx-enterprise-admins@sfo.rainpole.io group with the enterprise_admin role in NSX Manager

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$group,
        [Parameter (Mandatory = $true)] [ValidateSet("lb_admin", "security_engineer", "vpn_admin", "network_op", "netx_partner_admin", "gi_partner_admin", "security_op", "network_engineer", "lb_auditor", "auditor", "enterprise_admin")] [string]$role

    Try {
        $nsxtManagerDetails = Get-NsxtServerDetail -fqdn $server -username $user -password $pass -domain $domain
        Request-NsxToken -fqdn $nsxtManagerDetails.fqdn -username $nsxtManagerDetails.adminUser -password $nsxtManagerDetails.AdminPass | Out-Null
        if ($accessToken) {
            $groupExists = Get-NsxtUser | Where-Object { $_.name -eq $group }
            if (!$groupExists) {
                Set-NsxtRole -principal $group -type remote_group -role $role -identitySource VIDM | Out-Null
                $groupExists = Get-NsxtUser | Where-Object { $_.name -eq $group }
                if ($groupExists) {
                    Write-Output "Assigned group '$group' the role' $role' in NSX-T Data Center for Workload Domain '$domain' Successfully"
                else {
                    Write-Error "Failed to assign group '$group' the role '$role' in NSX-T Data Center for Workload Domain '$domain', check details and retry"
            else {
                Write-Warning "Group '$group' has already been assigned the role in NSX-T Data Center for Workload Domain '$domain', skipping the creation"
        else {
            Write-Error "Failed to obtain access token from NSX-T Data Center '$($nsxtManagerDetails.fqdn)', check details provided"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-NsxtVidmGroupRole

Function Add-WorkspaceOneRole {
        Assign Active Directory Groups to Roles in the Workspace ONE Access

        The Add-WorkspaceOneRole cmdlet assigns roles to Active Directory groups provided to manage administrative
        access to the Workspace ONE Access instance.

        Add-WorkspaceOneRole -server sfo-wsa01.sfo.rainpole.io -user admin -pass VMw@re1! -group "gg-wsa-admins" -role "Super Admin"
        This example adds the group gg-wsa-admins the Super Admin role

    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$group,
        [Parameter (Mandatory = $true)] [ValidateSet("Super Admin", "Directory Admin", "ReadOnly Admin")] [String]$role

    Try {
        Request-WSAToken -fqdn $server -user $user -pass $pass | Out-Null
        if ($sessionToken) {
            $roleId = Get-WSARoleId -role $role
            if (!$roleId) {
                Write-Error "Unable to find role id $roleId for role $role in Workspace ONE Access instance $server)"
            else {
                $groupDetails = Get-WSAActiveDirectoryGroupDetail -group $group
                $groupId = $groupDetails.Resources.id
                if (!$groupId) {
                    Write-Error "Unable to find the group $group in Workspace ONE Access instance $server"
                else {
                    $associations = Get-WSARoleAssociation -roleId $roleId
                    $assign = $true
                    if ($associations.groups) {
                        if ($associations.groups -contains $groupId) {
                            Write-Warning "Already assigned group $group to role $role in Workspace ONE Access instance $server"
                            $assign = $false

                    if ($assign) {
                        if ($role -ne "ReadOnly Admin") {
                            Write-Output "Update the Administrator Role Member with $group group"
                            $administratorRole = Get-WsaRole | Where-Object { $_.displayName -eq "Administrator" }
                            $adminId =  $administratorRole.id
                            Set-WSARoleMember -groupId $groupId -id $adminId
                        $response = Add-WSARoleAssociation -roleId $roleId -groupId $groupId
                        if ($response.operations.code -eq "200") {
                            Write-Output "Assigned group $group to the role $role in Workspace ONE Access instance $server Successfully"
                        elseif ($response.operations.code -eq "409") {
                            Write-Warning "$($response.operations.reason)"
                        else {
                            Write-Error "$($response.operations.reason)"
        else {
            Write-Error  "Failed to obtain access token from Workspace One Access appliance '$server', check details provided"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-WorkspaceOneRole

Function Get-NsxtManagerAuthenticationPolicy {
        Retrieve the current Authentication Policy from NSX Manager Nodes

        The Get-NsxtManagerAuthenticationPolicy cmdlet retrieves the current Authentication policy from each NSX
        manager nodes for a workload domain. The cmdlet connects to SDDC Manager using the -server, -user, and
        -password values to retrive the NSX-T Data Center details from its inventory and then:
        - Output the following Authentication policy on each NSX manager node.
            a) api_failed_auth_lockout_period (in sec)
            b) api_failed_auth_reset_period (in sec)
            c) api_max_auth_failures (in attempt)
            d) cli_failed_auth_lockout_period (in sec)
            e) cli_max_auth_failures (in attempt)
            f) minimum_password_length (in characters)

        Get-NsxtManagerAuthenticationPolicy -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-m01
        This example retrieves the current Authentication policy from NSX manager nodes in sfo-m01 workload domain

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain

    Try {
        $nsxtManagerDetails = Get-NsxtServerDetail -fqdn $server -username $user -password $pass -domain $domain -listNodes

        foreach ($nsxtManagerNode in $nsxtManagerDetails.nodes) {
            Request-NsxToken -fqdn $nsxtManagerNode.fqdn -username $nsxtManagerDetails.adminUser -password $nsxtManagerDetails.AdminPass | Out-Null
            if ($accessToken) {
                $response = Get-NsxtManagerAuthPolicy -nsxtManagerNode $nsxtManagerNode.fqdn
                Write-Output "Showing $($nsxtManagerNode.fqdn), results: $response"
            else {
                Write-Error "Failed to obtain access token from NSX-T Data Center '$($nsxtManagerDetails.fqdn)', check details provided"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Get-NsxtManagerAuthenticationPolicy

Function Set-NsxtManagerAuthenticationPolicy {
        Configure Authentication Password Policy NSX Manager Nodes

        The Set-NsxtManagerAuthenticationPolicy cmdlet configures Authentication policy within NSX manager nodes within
        a workload domain. The cmdlet connects to SDDC Manager using the -server, -user, and -password values to
        retrive the NSX-T Data Center details from its inventory and then:
        - Configure the following Authentication password policy on each NSX manager.
            a) api_failed_auth_lockout_period (in sec)
            b) api_failed_auth_reset_period (in sec)
            c) api_max_auth_failures (in attempt)
            d) cli_failed_auth_lockout_period (in sec)
            e) cli_max_auth_failures (in attempt)
            f) minimum_password_length (in characters)

        Set-NsxtManagerAuthenticationPolicy -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-m01 -apiLockoutPeriod 900 -apiResetPeriod 120 -apiMaxAttempt 5 -cliLockoutPeriod 900 -cliMaxAttempt 5 -minPasswdLength 15
        This example configures the Authentication password policy in NSX manager nodes in sfo-m01 workload domain

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$apiLockoutPeriod,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$apiResetPeriod,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$apiMaxAttempt,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$cliLockoutPeriod,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$cliMaxAttempt,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$minPasswdLength,
        [Parameter (Mandatory = $false)] [ValidateSet("true","false")] [String]$detail="true"

    Try {
        $nsxtManagerDetails = Get-NsxtServerDetail -fqdn $server -username $user -password $pass -domain $domain -listNodes
        foreach ($nsxtManagerNode in $nsxtManagerDetails.nodes) {
            Request-NsxToken -fqdn $nsxtManagerNode.fqdn -username $nsxtManagerDetails.adminUser -password $nsxtManagerDetails.AdminPass | Out-Null
            if ($accessToken) {
                $response = Get-NsxtManagerAuthPolicy -nsxtManagerNode $nsxtManagerNode.fqdn
                if (!$PsBoundParameters.ContainsKey("apiLockoutPeriod")){
                    $apiLockoutPeriod = [int]$response.api_failed_auth_lockout_period
                if (!$PsBoundParameters.ContainsKey("apiResetPeriod")){
                    $apiResetPeriod = [int]$response.api_failed_auth_reset_period
                if (!$PsBoundParameters.ContainsKey("apiMaxAttempt")){
                    $apiMaxAttempt = [int]$response.api_max_auth_failures
                if (!$PsBoundParameters.ContainsKey("cliLockoutPeriod")){
                    $cliLockoutPeriod = [int]$response.cli_failed_auth_lockout_period
                if (!$PsBoundParameters.ContainsKey("cliMaxAttempt")){
                    $cliMaxAttempt = [int]$response.cli_max_auth_failures
                if (!$PsBoundParameters.ContainsKey("minPasswdLength")){
                    $minPasswdLength = [int]$response.minimum_password_length
                $response = Set-NsxtManagerAuthPolicy -nsxtManagerNode $nsxtManagerNode.fqdn -api_lockout_period $apiLockoutPeriod -api_reset_period $apiResetPeriod -api_max_attempt $apiMaxAttempt -cli_lockout_period $cliLockoutPeriod -cli_max_attempt $cliMaxAttempt -min_passwd_length $minPasswdLength
                if ($detail -eq "true") {
                    Write-Output "Configured the Authentication Policy on NSX Manager '$($nsxtManagerNode.fqdn)' for Workload Domain '$domain' Successfully"
            else {
                Write-Error "Failed to obtain access token from NSX Data Center '$($nsxtManagerDetails.fqdn)', check details provided"
        if ($detail -eq "false") {
            Write-OutPut "Configured Authentication Password Policy on all NSX Manager Nodes Successfully"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Set-NsxtManagerAuthenticationPolicy

Function Get-NsxtEdgeNodeAuthenticationPolicy {
        Retrieve Authentication Policy from NSX Edge Nodes

        The Get-NsxtEdgeNodeAuthenticationPolicy cmdlet retrieves the current Authentication policy from NSX Edge
        nodes within a workload domain. The cmdlet connects to SDDC Manager using the -server, -user, and -password
        values to retrive the NSX-T Data Center details from its inventory and then:
        -Output the following Authentication policy on each NSX Edge Nodes.
            a) cli_failed_auth_lockout_period (in sec)
            b) cli_max_auth_failures (in attempt)
            c) minimum_password_length (in characters)

        Get-NsxtEdgeNodeAuthenticationPolicy -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-m01
        This example retrieving the Authentication policy for NSX Edge nodes in sfo-m01 workload domain

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain

    Try {
        $nsxtManagerDetails = Get-NsxtServerDetail -fqdn $server -username $user -password $pass -domain $domain -listNodes
        Request-NsxToken -fqdn $nsxtManagerDetails.fqdn -username $nsxtManagerDetails.adminUser -password $nsxtManagerDetails.AdminPass | Out-Null
        $nsxtEdgeNodes = (Get-NsxtEdgeCluster | Where-Object {$_.member_node_type -eq "EDGE_NODE"})
        if ($accessToken) {
            foreach ($nsxtEdgeNode in $nsxtEdgeNodes.members) {
                $response = Get-NsxtEdgeNodeAuthPolicy -nsxtManager $nsxtManagerDetails.fqdn -nsxtEdgeNodeID $nsxtEdgeNode.transport_node_id
                Write-Output "Retrieving $($nsxtEdgeNode.transport_node_id), results: $response"
        else {
                Write-Error "Failed to obtain access token from NSX-T Data Center '$($nsxtManagerDetails.fqdn)', check details provided"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Get-NsxtEdgeNodeAuthenticationPolicy

Function Set-NsxtEdgeNodeAuthenticationPolicy {
        Configure Authentication Policy NSX Edge Nodes

        The Set-NsxtEdgeNodeAuthenticationPolicy cmdlet configures the Authentication policy within NSX Edge nodes.
        The cmdlet connects to SDDC Manager using the -server, -user, and -password values to retrive the NSX-T
        Data Center details from its inventory and then:
        - Configure the following Authentication policy on each NSX Edge Node.
            a) cli_failed_auth_lockout_period (in sec)
            b) cli_max_auth_failures (in attempt)
            c) minimum_password_length (in characters)

        Set-NsxtEdgeNodeAuthenticationPolicy -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-m01 -cliLockoutPeriod 900 -cliMaxAttempt 5 -minPasswdLength 15
        This example configures the Authentication policy of the NSX Edges nodes in sfo-m01 workload domain

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$cliLockoutPeriod,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$cliMaxAttempt,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$minPasswdLength,
        [Parameter (Mandatory = $false)] [ValidateSet("true","false")] [String]$detail="true"

    Try {
        $nsxtManagerDetails = Get-NsxtServerDetail -fqdn $server -username $user -password $pass -domain $domain -listNodes
        Request-NsxToken -fqdn $nsxtManagerDetails.fqdn -username $nsxtManagerDetails.adminUser -password $nsxtManagerDetails.AdminPass | Out-Null
        $nsxtEdgeNodes = (Get-NsxtEdgeCluster | Where-Object {$_.member_node_type -eq "EDGE_NODE"})
        if ($accessToken) {
            foreach ($nsxtEdgeNode in $nsxtEdgeNodes.members) {
                $response = Get-NsxtEdgeNodeAuthPolicy -nsxtManager $nsxtManagerDetails.fqdn -nsxtEdgeNodeID $nsxtEdgeNode.transport_node_id
                if (!$PsBoundParameters.ContainsKey("cliLockoutPeriod")){
                    $cliLockoutPeriod = [int]$response.cli_failed_auth_lockout_period
                if (!$PsBoundParameters.ContainsKey("cliMaxAttempt")){
                    $cliMaxAttempt = [int]$response.cli_max_auth_failures
                if (!$PsBoundParameters.ContainsKey("minPasswdLength")){
                    $minPasswdLength = [int]$response.minimum_password_length
                $response = Set-NsxtEdgeNodeAuthPolicy -nsxtManager $nsxtManagerDetails.fqdn -nsxtEdgeNodeID $nsxtEdgeNode.transport_node_id -cli_lockout_period $cliLockoutPeriod -cli_max_attempt $cliMaxAttempt -min_passwd_length $minPasswdLength
                if ($detail -eq "true") {
                    Write-Output "Configured the Authentication Policy on NSX Edge nodes for Workload Domain '$domain' Successfully"
        else {
                Write-Error "Failed to obtain access token from NSX-T Data Center '$($nsxtManagerDetails.fqdn)', check details provided"
        if ($detail -eq "false") {
            Write-OutPut "Configured Authentication Password Policy on all NSX Edge Nodes Successfully"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Set-NsxtEdgeNodeAuthenticationPolicy

########################################## E N D O F F U N C T I O N S ##########################################

####################### S I T E P R O T E C T I O N & R E C O V E R Y F U N C T I O N S #######################

Function Install-SiteRecoveryManager {
        Deploy Site Recovery Manager Virtual Appliance

        The Install-SiteRecoveryManager cmdlet deploys the Site Recovery Manage Virtual Appliance OVA.
        The cmdlet connects to SDDC Manager using the -server, -user, and -password values to retrive the management domain
        vCenter Server details from its inventory and then:
        - Gathers vSphere configuration from vCenter Server
        - Gathers DNS and NTP configuration from SDDC Manager
        - Deploys the Site Recovery Manage Virtual Appliance

        PS C:\> Install-SiteRecoveryManager -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -srmFqdn sfo-wsa01.sfo.rainpole.io -srmIpAddress -srmGateway -srmSubnetMask -srmOvfPath F:\identity-manager.ova -srmFolder sfo-m01-fd-srm
        This example deploys the Workspace ONE Access Virtual Appliance into the sfo-m01-fd-srm folder of the management domain

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$srmFqdn,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$srmIpAddress,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$srmGateway,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$srmNetPrefix,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$srmNetworkSearchPath,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$srmFolder,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$srmOvfPath,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$srmVaRootPassword,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$srmVaAdminPassword,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$srmDbPassword,
        [Parameter (Mandatory = $false)] [ValidateSet("Standard", "Large")] [String]$deploymentOption

    Try {
        if (!$PsBoundParameters.ContainsKey("srmOvfPath")) {
            $srmOvfPath = Get-ExternalFileName -title "Select the Site Recovery Manager OVF file (.ovf)" -fileType "ovf"
        else {
            if (!(Test-Path -Path $srmOvfPath)) {
                Write-Error  "Site Recovery Manager OVA '$srmOvfPath' File Not Found"
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domainType MANAGEMENT
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
        $srmHostname = $srmFqdn.Split(".")[0]
        $srmDomain = $srmFQDN.Substring($srmFQDN.IndexOf(".") + 1)
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            $srmExists = Get-VM -Name $srmHostname -ErrorAction SilentlyContinue
            if ($srmExists) {
                Write-Warning "A virtual machine called $srmHostname already exists in vCenter Server $vcServer"
            else {
                $dnsServer1 = (Get-VCFConfigurationDNS | Where-Object { $_.isPrimary -Match "True" }).ipAddress
                $dnsServer2 = (Get-VCFConfigurationDNS | Where-Object { $_.isPrimary -Match "False" }).ipAddress
                $cluster = (Get-VCFCluster | Where-Object { $_.id -eq ((Get-VCFWorkloadDomain | Where-Object { $_.type -eq "MANAGEMENT" }).clusters.id) }).Name
                $datastore = (Get-VCFCluster | Where-Object { $_.id -eq ((Get-VCFWorkloadDomain | Where-Object { $_.type -eq "MANAGEMENT" }).clusters.id) }).primaryDatastoreName
                $datacenter = (Get-Datacenter -Cluster $cluster).Name
                $mgmtPortgroup = (Get-VM | Where-Object { $_.ExtensionData.Guest.Hostname -eq $vcenter.fqdn }).ExtensionData.Guest.Net.Network
                $ntpServer = (Get-VCFConfigurationNTP).ipAddress
                $netMode = "static"
                $command = '"C:\Program Files\VMware\VMware OVF Tool\ovftool.exe" --noSSLVerify --acceptAllEulas --allowAllExtraConfig --diskMode=thin --powerOn --name=' + $srmHostname + ' --ipProtocol="IPv4" --ipAllocationPolicy="fixedAllocatedPolicy" --vmFolder=' + $srmFolder + ' --net:"Network 1"=' + $mgmtPortgroup + ' --datastore=' + $datastore + ' --deploymentOption=' + $deploymentOption + ' --prop:varoot-password=' + $srmVaRootPassword + ' --prop:vaadmin-password=' + $srmVaAdminPassword +' --prop:dbpassword=' + $srmDbPassword + ' --prop:network.netmode.VMware_Site_Recovery_Manager_Appliance=' + $netMode + ' --prop:network.ip0.VMware_Site_Recovery_Manager_Appliance=' + $srmIpAddress + ' --prop:network.netprefix0.VMware_Site_Recovery_Manager_Appliance=' + $srmNetPrefix + ' --prop:vami.hostname=' + $srmFqdn + ' --prop:network.domain.VMware_Site_Recovery_Manager_Appliance=' + $srmDomain + ' --prop:network.searchpath.VMware_Site_Recovery_Manager_Appliance=' + $srmNetworkSearchPath + ' --prop:ntpserver=' + $ntpServer +' --prop:network.gateway.VMware_Site_Recovery_Manager_Appliance=' + $srmGateway + ' --prop:network.DNS.VMware_Site_Recovery_Manager_Appliance=' + $dnsServer1 + ',' + $dnsServer2 + ' --prop:enableFileIntegrity= ' + $enableFileIntegrity +' ' + $srmOvfPath + ' "vi://' + $vcenter.ssoAdmin + ':' + $vcenter.ssoAdminPass + '@' + $vcenter.fqdn + '/' + $datacenter + '/host/' + $cluster + '/"'
                Invoke-Expression "& $command"
                    $srmExists = Get-VM -Name $srmHostname -ErrorAction SilentlyContinue
                    if ($srmExists) {
                        $Timeout = 900  ## seconds
                        $CheckEvery = 15  ## seconds
                        Try {
                            $timer = [Diagnostics.Stopwatch]::StartNew()  ## Start the timer
                            Write-Output "Waiting for $srmIpAddress to become pingable."
                            While (-not (Test-Connection -ComputerName $srmIpAddress -Quiet -Count 1)) {
                                ## If the timer has waited greater than or equal to the timeout, throw an exception exiting the loop
                                if ($timer.Elapsed.TotalSeconds -ge $Timeout) {
                                    Throw "Timeout Exceeded. Giving up on ping availability to $srmIpAddress"
                                Start-Sleep -Seconds $CheckEvery  ## Stop the loop every $CheckEvery seconds
                        Catch {
                            Write-Error "Failed to get a Response from $srmFqdn"
                        Finally {
                            $timer.Stop()  ## Stop the timer
                        Try {
                            # Polling for Completed Deployment
                            $uri = "https://" + $srmFqdn + ":5480"
                            Write-Output "Initial connection made, waiting for $srmFqdn to fully boot and services to start. Be warned, this takes a long time."
                            Do {
                                Start-Sleep 30
                                $response = Invoke-RestMethod $uri -Method 'GET' -SessionVariable webSession
                                if ($response.AllOk -eq "true") { $finished = $true }
                            } Until ($finished)
                            if ($response.AllOk -eq "true") {
                                Write-Output "Deployment of $srmFqdn using $srmOvfPath completed Successfully"
                            else {
                                Write-Error "$srmFqdn failed to initialize properly. Please delete the VM from $($vcenter.fqdn) and retry"
                        Catch {
                            Debug-ExceptionWriter -object $_
                    else {
                        Write-Error "Site Recovery Manager Failed to deploy"
            Disconnect-VIServer * -Force -Confirm:$false -WarningAction SilentlyContinue
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Install-SiteRecoveryManager

Function Install-SiteRecoveryManagerCertificate {
        Install a Signed Certificate on a Site Recovery Manager Appliance

        The Install-SiteRecoveryManagerCertificate cmdlet replaces the certificate on the Site Recovery Manager appliance

        PS C:\> Install-SiteRecoveryManagerCertificate -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -wsaFqdn sfo-wsa01.sfo.rainpole.io -rootPass VMw@re1! -sshUserPass VMw@re1!
        This example configures the Workspace ONE Access Virtual Appliance with the same NTP Servers as SDDC Manager

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$srmFqdn,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$rootPass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$sshUserPass,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$rootCa,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$wsaCertKey,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$wsaCert

    Try {

        if (!$PsBoundParameters.ContainsKey("rootCa")) {
            $rootCa = Get-ExternalFileName -title "Select the Root CA Certificate File (.cer)" -fileType "cer"
        elseif ($PsBoundParameters.ContainsKey("rootCa")) {
            if (!(Test-Path -Path $rootCa)) {
                Write-Error  "Certificate (.cer) for Root Certificate Authority '$rootCa' File Not Found"

        if (!$PsBoundParameters.ContainsKey("wsaCertKey")) {
            $wsaCertKey = Get-ExternalFileName -title "Select the Workspace ONE Access Certificate Key (.key)" -fileType "key"
        elseif ($PsBoundParameters.ContainsKey("wsaCertKey")) {
            if (!(Test-Path -Path $wsaCertKey)) {
                Write-Error  "Certificate Key (.key) for Workspace ONE Access '$wsaCertKey' File Not Found"

        if (!$PsBoundParameters.ContainsKey("wsaCert")) {
            $wsaCert = Get-ExternalFileName -title "Select the Workspace ONE Access Certificate File (.cer)" -fileType "cer"
        elseif ($PsBoundParameters.ContainsKey("wsaCert")) {
            if (!(Test-Path -Path $wsaCert)) {
                Write-Error  "Certificate (.cer) for Workspace ONE Access '$wsaCert' File Not Found"

        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domainType MANAGEMENT
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            $vmName = $wsaFqdn.Split(".")[0]
            $SecurePassword = ConvertTo-SecureString -String $sshUserPass -AsPlainText -Force
            $secureCreds = New-Object System.Management.Automation.PSCredential ("sshuser", $SecurePassword)
            Set-SCPFile -ComputerName $wsaFqdn -Credential $secureCreds -RemotePath '/tmp' -LocalFile $rootCa -NoProgress -AcceptKey $true -Force -WarningAction SilentlyContinue
            Set-SCPFile -ComputerName $wsaFqdn -Credential $secureCreds -RemotePath '/tmp' -LocalFile $wsaCertKey -NoProgress -AcceptKey $true -Force -WarningAction SilentlyContinue
            Set-SCPFile -ComputerName $wsaFqdn -Credential $secureCreds -RemotePath '/tmp' -LocalFile $wsaCert -NoProgress -AcceptKey $true -Force -WarningAction SilentlyContinue
            $scriptCommand = 'echo "yes" | /usr/local/horizon/scripts/installExternalCertificate.hzn --ca /tmp/' + (Split-Path -Leaf $rootCa) + ' --cert /tmp/' + (Split-Path -Leaf $wsaCert) + ' --key /tmp/' + (Split-Path -Leaf $wsaCertKey)
            $output = Invoke-VMScript -VM $vmName -ScriptText $scriptCommand -GuestUser root -GuestPassword $rootPass
            Write-Output "Installed Signed Certifcate $wsaCert on Workspace One Access Virtual Appliance $wsaFqdn Successfully"
            Disconnect-VIServer * -Force -Confirm:$false -WarningAction SilentlyContinue
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Install-WorkspaceOneCertificate

########################################## E N D O F F U N C T I O N S ##########################################

################## D E V E L O P E R R E A D Y I N F R A S T R U C T U R E F U N C T I O N S #################

Function Add-NetworkSegment {
        Create an NSX segment

        The Add-NetworkSegment cmdlet creates an NSX Segment

        Add-NetworkSegment -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-w01 -segmentName "sfo-w01-kub-seg01" -gatewayType "Tier1" -connectedGateway "sfo-w01-ec01-t1-gw01" -cidr "" -transportZone "overlay-tz-sfo-w01-nsx01.sfo.rainpole.io" -segmentType Overlay
        This example creates an overlay-backed NSX segment in the workload domain sfo-w01

    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$domain,
        [Parameter (Mandatory = $true)] [String]$segmentName,
        [Parameter (Mandatory = $true)] [String]$connectedGateway,
        [Parameter (Mandatory = $true)] [String]$cidr,
        [Parameter (Mandatory = $true)] [String]$transportZone,
        [Parameter (Mandatory = $true)] [ValidateSet("Tier0", "Tier1")] [String]$gatewayType,
        [Parameter (Mandatory = $true)] [ValidateSet("Overlay", "VLAN")] [String]$segmentType

    Try {
        $nsxtManagerDetails = Get-NsxtServerDetail -fqdn $server -username $user -password $pass -domain $domain
        Request-NsxToken -fqdn $nsxtManagerDetails.fqdn -username $nsxtManagerDetails.adminUser -password $nsxtManagerDetails.adminPass | Out-Null
        if (!($validateSegment = Get-NsxtSegment -name $segmentName)) {
            if ($gatewayType -eq "Tier0") { $tierGatewayExists = Get-NsxtTier0Gateway -name $connectedGateway }
            if ($gatewayType -eq "Tier1") { $tierGatewayExists = Get-NsxtTier1Gateway -name $connectedGateway }
            if ($tierGatewayExists) {
                $validateTransportZone = Get-NsxtTransportZone -Name $transportZone -ErrorAction SilentlyContinue
                if ($validateTransportZone.display_name -eq $transportZone) {
                    if ($validateTransportZone.transport_type -ne $segmentType.ToUpper()){
                        Write-Error "NSX Transport Zone $transportZone does not match the defined segment Type $segmentType on NSX Manager $($nsxtManagerDetails.fqdn)"
                else {
                    Write-Error "NSX Transport Zone $transportZone was not found on NSX Manager $($nsxtManagerDetails.fqdn)"
                New-NsxtSegment -name $segmentName -connectedGateway $connectedGateway -cidr $cidr -transportZone $transportZone -gatewayType $gatewayType -segmentType $segmentType | Out-Null
                if ($validateSegment = Get-NsxtSegment -name $segmentName) {
                    Write-Output "Created NSX segment $segmentName on NSX Manager $($nsxtManagerDetails.fqdn) completed Succesfully"
                else {
                    Write-Error "Creation of the NSX segment $segmentName on NSX Manager $($nsxtManagerDetails.fqdn) failed, please retry"
            else {
                Write-Error "NSX $gatewayType Gateway $connectedGateway does not exist on NSX Manager $($nsxtManagerDetails.fqdn)"
        else {
            Write-Warning "$segmentType-backed NSX segment $segmentName already exists on NSX Manager $($nsxtManagerDetails.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-NetworkSegment

Function Add-PrefixList {
        Create an NSX Prefix List

        The Add-PrefixList cmdlet creates an NSX Prefix List

        Add-PrefixList -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-w01 -tier0Gateway sfo-w01-ec01-t0-gw01 -prefixListName sfo-w01-ec01-t0-gw01-mgmt-prefixlist -subnetCIDR -ingressSubnetCidr "" -egressSubnetCidr "" -GE "28" -LE "32" -action PERMIT
        This example creates an NSX Prefix List in the workload domain NSX Manager cluster

    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$domain,
        [Parameter (Mandatory = $true)] [String]$tier0Gateway,
        [Parameter (Mandatory = $true)] [String]$prefixListName,
        [Parameter (Mandatory = $true)] [String]$subnetCidr,
        [Parameter (Mandatory = $true)] [String]$ingressSubnetCidr,
        [Parameter (Mandatory = $true)] [String]$egressSubnetCidr,
        [Parameter (Mandatory = $false)] [String]$GE,
        [Parameter (Mandatory = $false)] [String]$LE,
        [Parameter (Mandatory = $true)] [ValidateSet("PERMIT", "DENY")] [String]$action

    Try {
        $nsxtManagerDetails = Get-NsxtServerDetail -fqdn $server -username $user -password $pass -domain $domain
        Request-NsxToken -fqdn $nsxtManagerDetails.fqdn -username $nsxtManagerDetails.adminUser -password $nsxtManagerDetails.AdminPass | Out-Null
        if ($tier0GatewayExists = Get-NsxtTier0Gateway -name $tier0Gateway) {
            if (!($checkPrefixList = Get-NsxtTier0Gateway -name $tier0Gateway | Get-NsxtPrefixList -name $prefixListName -ErrorAction SilentlyContinue)) {
                Get-NsxtTier0Gateway -name $tier0Gateway | New-NsxtPrefixList -name $prefixListName -subnetCidr $subnetCidr -action $action | Out-Null
                if ($checkPrefixList = Get-NsxtTier0Gateway -name $tier0Gateway | Get-NsxtPrefixList -name $prefixListName -ErrorAction SilentlyContinue) {
                    Get-NsxtTier0Gateway -name $tier0Gateway | Get-NsxtPrefixList -name $prefixListName | Add-NsxtPrefix -subnetCidr $ingressSubnetCidr -GE $GE -LE $LE -action $action | Out-Null
                    Get-NsxtTier0Gateway -name $tier0Gateway | Get-NsxtPrefixList -name $prefixListName | Add-NsxtPrefix -subnetCidr $egressSubnetCidr -GE $GE -LE $LE -action $action | Out-Null
                    Write-Output "NSX IP Prefix List $prefixListName created on NSX Manager $($nsxtManagerDetails.fqdn) Succesfully"
                else {
                    Write-Error "NSX IP Prefix List $prefixListName creation on NSX Manager $($nsxtManagerDetails.fqdn) Failed"
            else {
                Write-Warning "NSX IP Prefix List $prefixListName already exists on NSX Manager $($nsxtManagerDetails.fqdn)"
        else {
            Write-Error "NSX Tier0 Gateway $tier0Gateway does not exist on NSX Manager $($nsxtManagerDetails.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-PrefixList

Function Add-RouteMap {
        Create an NSX Route Map for use by VCF

        The Add-RouteMap cmdlet creates an NSX Route Map

        Add-RouteMap -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-w01 -tier0Gateway sfo-w01-ec01-t0-gw01 -routeMapName sfo-w01-ec01-t0-gw01-routemap -prefixListName sfo-w01-ec01-t10-gw01-mgmt-prefixlist -action PERMIT -applyPolicy:$true
        This example creates an NSX Route Map in workload domain sfo-w01

    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$domain,
        [Parameter (Mandatory = $true)] [String]$tier0Gateway,
        [Parameter (Mandatory = $true)] [String]$routeMapName,
        [Parameter (Mandatory = $true)] [String]$prefixListName,
        [Parameter (Mandatory = $true)] [ValidateSet("PERMIT", "DENY")][String]$action,
        [Parameter (Mandatory = $true)] [Bool]$applyPolicy

    Try {
        $nsxtManagerDetails = Get-NsxtServerDetail -fqdn $server -username $user -password $pass -domain $domain
        Request-NsxToken -fqdn $nsxtManagerDetails.fqdn -username $nsxtManagerDetails.adminUser -password $nsxtManagerDetails.AdminPass | Out-Null
        if ($tier0GatewayExists = Get-NsxtTier0Gateway -name $tier0Gateway) {
            if (!($checkRouteMap = Get-NsxtRouteMap -tier0Gateway $tier0Gateway -name $routeMapName -ErrorAction SilentlyContinue)) {
                if ($checkPrefixList = Get-NsxtTier0Gateway -name $tier0Gateway | Get-NsxtPrefixList -name $prefixListName -ErrorAction SilentlyContinue) {
                    Get-NsxtTier0Gateway -name $tier0Gateway | New-NsxtRouteMap -name $routeMapName -prefixList $prefixListName -action $Action | Out-Null
                    if ($checkRouteMap = Get-NsxtRouteMap -tier0Gateway $tier0Gateway -name $routeMapName -ErrorAction SilentlyContinue) {
                        if ($applyPolicy -eq $true) {
                            Get-NsxtRouteRedistributionPolicy -tier0Gateway $tier0Gateway | Set-NsxtRouteRedistributionPolicy -routeMap $routeMapName | Out-Null
                        Write-OutPut "NSX Route Map $routeMapName created on NSX Manager $($nsxtManagerDetails.fqdn) Succesfully"
                    else {
                        Write-Error "NSX Route Map $routeMapName creation on NSX Manager $($nsxtManagerDetails.fqdn) Failed"
                else {
                    Write-Error "NSX IP Prefix List $prefixListName does not exist on NSX Manager $($nsxtManagerDetails.fqdn)"
            else {
                Write-Warning "NSX Route Map $routeMapName already exists on NSX Manager $($nsxtManagerDetails.fqdn)"
        else {
            Write-Error "NSX Tier0 Gateway $tier0Gateway does not exist on NSX Manager $($nsxtManagerDetails.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-RouteMap

Function Set-DatastoreTag {
        Creates and applies a vSphere Tag to a datastore

        The Set-DatastoreTag cmdlet creates and applies a vSphere Tag to a datastore

        Set-DatastoreTag -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-w01 -tagName vsphere-with-tanzu-tag -tagCategoryName vsphere-with-tanzu-category -datastore sfo-w01-cl01-ds-vsan01
        This example creates a new tag and assigns it to the datastore in workload domain sfo-w01

    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$domain,
        [Parameter (Mandatory = $true)] [String]$tagName,
        [Parameter (Mandatory = $true)] [String]$tagCategoryName

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -Password $vcenter.ssoAdminPass | Out-Null
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            $datastore = (Get-VCFCluster | Where-Object { $_.id -eq ((Get-VCFWorkloadDomain | Where-Object { $_.name -eq $domain }).clusters.id) }).primaryDatastoreName
            if ($datastoreExist = Get-Datastore -Name $datastore -ErrorAction SilentlyContinue | Where-Object {$_.Name -eq $datastore}) {
                if (!($tagAssignmentExists = Get-TagAssignment -Entity $datastoreExist.Name -Category $tagCategoryName -ErrorAction SilentlyContinue)) {
                    if (!($tagCategoryExist = Get-TagCategory -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $tagCategoryName })) {
                        New-TagCategory -Name $tagCategoryName -EntityType Datastore -Confirm:$false | Out-Null
                    if (!($tagExists = Get-Tag -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $tagName })) {
                        New-Tag -Name $tagName -Category $tagCategoryName -Confirm:$false | Out-Null
                    Get-Datastore -Name $Datastore | New-TagAssignment -Tag $tagName -Confirm:$false | Out-Null
                    if (($tagAssignmentExists = Get-TagAssignment -Entity $datastoreExist.Name -Category $tagCategoryName -ErrorAction SilentlyContinue)) {
                        Write-Output  "Created vSphere Tag $tagName and applied to datastore $datastore in vCenter Server $($vcenter.fqdn) Successfully"
                    else {
                        Write-Error  "Assigning vSphere Tag $tagName to datastore $datastore in vCenter Server $($vcenter.fqdn) Failed"
                else {
                    Write-Warning  "vSphere Tag $tagName has already been applied to datastore $datastore in vCenter Server $($vcenter.fqdn)"
            else {
                Write-Error "Datastore $datastore not found in vCenter Server $($vcenter.fqdn)"
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
    Finally {
        #Disconnect-VIServer * -Force -Confirm:$false -WarningAction SilentlyContinue
Export-ModuleMember -Function Set-DatastoreTag

Function Add-StoragePolicy {
        Create a VM vSphere Storage Policy

        The Add-StoragePolicy cmdlet creates a VM vSphere Storage Policy

        Add-StoragePolicy -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-w01 -policyName vsphere-with-tanzu-storage-policy -tagName vsphere-with-tanzu-tag
        This example creates a VM Storage Policy named vsphere-with-tanzu-policy in the VI workload domain vCenter Server

    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$domain,
        [Parameter (Mandatory = $true)] [String]$policyName,
        [Parameter (Mandatory = $true)] [String]$tagName

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -Password $vcenter.ssoAdminPass -Force | Out-Null
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            if (!($getSpbmPolicy = Get-SpbmStoragePolicy -Name $policyName -ErrorAction SilentlyContinue)) {
                if ($tagExists = Get-Tag -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $tagName }) {
                    New-SpbmStoragePolicy -Name $policyName -AnyOfRuleSets (New-SpbmRuleSet -AllOfRules (New-SpbmRule -AnyOfTags $tagName)) | Out-Null
                    if ($getSpbmPolicy = Get-SpbmStoragePolicy -Name $policyName -ErrorAction SilentlyContinue) {
                        Write-Output  "Created vSphere Storage Policy $policyName in vCenter Server $($vcenter.fqdn) Successfully"
                    else {
                        Write-Error  "Creating vSphere Storage Policy $policyName in vCenter Server $($vcenter.fqdn) Failed"
                else {
                    Write-Warning "vSphere $tagName does not exist in vCenter Server $($vcenter.fqdn), please create and try again"
            else {
                Write-Warning "Storage Policy $policyName already exists in vCenter Server $($vcenter.fqdn)"
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
    Finally {
        #Disconnect-VIServer * -Force -Confirm:$false -WarningAction SilentlyContinue
Export-ModuleMember -Function Add-StoragePolicy

Function Add-ContentLibrary {
        Creates a subscribed content library

        The Add-ContentLibrary cmdlet creates a subscribed content library

        Add-ContentLibrary -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-w01 -contentLibraryName Kubernetes -subscriptionUrl "https://wp-content.vmware.com/v2/latest/lib.json"
        This example creates subscribed content library named Kubernetes in workload domain sfo-w01

    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$domain,
        [Parameter (Mandatory = $true)] [String]$contentLibraryName,
        [Parameter (Mandatory = $true)] [String]$subscriptionUrl

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -Password $vcenter.ssoAdminPass -Force | Out-Null
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            if (!($getContentLibrary = Get-ContentLibrary -Name $contentLibraryName -ErrorAction SilentlyContinue)) {
                $datastore = (Get-VCFCluster | Where-Object { $_.id -eq ((Get-VCFWorkloadDomain | Where-Object { $_.name -eq $domain }).clusters.id) }).primaryDatastoreName
                if ($datastoreExist = Get-Datastore -Name $datastore -ErrorAction SilentlyContinue | Where-Object {$_.Name -eq $datastore}) {

                    #attribution to William Lam (https://gist.github.com/lamw/988e4599c0f88d9fc25c9f2af8b72c92) for this snippet
                    Invoke-RestMethod -Uri $subscriptionUrl -Method Get | Out-Null

                    $endpointRequest = [System.Net.Webrequest]::Create("$subscriptionUrl")
                    $sslThumbprint = $endpointRequest.ServicePoint.Certificate.GetCertHashString()
                    $sslThumbprint = $sslThumbprint -replace '(..(?!$))', '$1:'

                    $contentLibraryInput = @{
                        Name            = $contentLibraryName
                        Datastore       = $datastore
                        AutomaticSync   = $true
                        SubscriptionUrl = $subscriptionUrl
                        SslThumbprint   = $sslThumbprint

                    New-ContentLibrary @contentLibraryInput | Out-Null
                    if ($getContentLibrary = Get-ContentLibrary -Name $contentLibraryName -ErrorAction SilentlyContinue) {
                        Write-Output  "Created Content Library $contentLibraryName in vCenter Server $($vcenter.fqdn) Successfully"
                    else {
                        Write-Error  "Creating Content Library $contentLibraryName in vCenter Server $($vcenter.fqdn) Failed"
                else {
                    Write-Error "Datastore $datastore not found in vCenter Server $($vcenter.fqdn)"
            else {
                Write-Warning "Content Library $contentLibraryName already exists in vCenter Server $($vcenter.fqdn)"
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
    Finally {
        #Disconnect-VIServer * -Force -Confirm:$false -WarningAction SilentlyContinue
Export-ModuleMember -Function Add-ContentLibrary

Function Enable-SupervisorCluster {
        Enables Workload Management on a VCF cluster

        The Enable-SupervisorCluster cmdlet enables Workload Management on a VCF cluster

        $wmClusterInput = @{
            Server = sfo-vcf01.sfo.rainpole.io
            User = administrator@vsphere.local
            Pass = 'VMw@re1!'
            Domain = sfo-m01
            SizeHint = Tiny
            ManagementVirtualNetwork = Get-VirtualNetwork -Name sfo-w01-kub-seg01
            ManagementNetworkMode = StaticRange
            ManagementNetworkStartIpAddress =
            ManagementNetworkAddressRangeSize = 5
            ManagementNetworkGateway =
            ManagementNetworkSubnetMask =
            MasterNtpServer = @(,
            Cluster = sfo-w01-cl01
            ContentLibrary = Kubernetes
            EphemeralStoragePolicy = Get-SpbmStoragePolicy -Name vsphere-with-tanzu-policy
            ImageStoragePolicy = Get-SpbmStoragePolicy -Name vsphere-with-tanzu-policy
            MasterStoragePolicy = Get-SpbmStoragePolicy -Name vsphere-with-tanzu-policy
            NsxEdgeClusterId = (Get-NsxtEdgeCluster -Name sfo-w01-ec01).Id
            DistributedSwitch = sfo-w01-cl01-vds01
            PodCIDRs =
            ServiceCIDR =
            ExternalIngressCIDRs =
            ExternalEgressCIDRs =
            WorkerDnsServer = @(,
            MasterDnsServerIpAddress = @(,
            MasterDnsSearchDomain = sfo.rainpole.io

        Enable-SupervisorCluster @wmClusterInput
        This example enables Workload Management on a vSphere Cluster in workload domain sfo-w01

    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$domain,
        [Parameter (Mandatory = $true)] [String]$cluster,
        [Parameter (Mandatory = $true)] [String]$sizeHint,
        [Parameter (Mandatory = $true)] [String]$managementNetworkMode,
        [Parameter (Mandatory = $true)] [String]$managementVirtualNetwork,
        [Parameter (Mandatory = $true)] [String]$managementNetworkStartIpAddress,
        [Parameter (Mandatory = $true)] [String]$managementNetworkAddressRangeSize,
        [Parameter (Mandatory = $true)] [String]$managementNetworkGateway,
        [Parameter (Mandatory = $true)] [String]$managementNetworkSubnetMask,
        [Parameter (Mandatory = $true)] [String]$ntpServer1IpAddress,
        [Parameter (Mandatory = $false)] [String]$ntpServer2IpAddress,
        [Parameter (Mandatory = $true)] [String]$dnsServer1IpAddress,
        [Parameter (Mandatory = $false)] [String]$dnsServer2IpAddress,
        [Parameter (Mandatory = $true)] [String]$contentLibrary,
        [Parameter (Mandatory = $true)] [String]$ephemeralStoragePolicy,
        [Parameter (Mandatory = $true)] [String]$imageStoragePolicy,
        [Parameter (Mandatory = $true)] [String]$masterStoragePolicy,
        [Parameter (Mandatory = $true)] [String]$nsxEdgeCluster,
        [Parameter (Mandatory = $true)] [String]$distributedSwitch,
        [Parameter (Mandatory = $true)] [String]$podCIDRs,
        [Parameter (Mandatory = $true)] [String]$serviceCIDR,
        [Parameter (Mandatory = $true)] [String]$externalIngressCIDRs,
        [Parameter (Mandatory = $true)] [String]$externalEgressCIDRs,
        [Parameter (Mandatory = $true)] [String]$masterDnsSearchDomain,
        [Parameter (Mandatory = $true)] [ValidateSet("true", "false")] [String]$async

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -Password $vcenter.ssoAdminPass -Force | Out-Null
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            $nsxtManagerDetails = Get-NsxtServerDetail -fqdn $server -username $user -password $pass -domain $domain
            Request-NsxToken -fqdn $nsxtManagerDetails.fqdn -username $nsxtManagerDetails.adminUser -password $nsxtManagerDetails.adminPass | Out-Null
            if (!($getWMCluster = Get-WMCluster -Cluster $cluster -ErrorAction SilentlyContinue)) {

                if ($NtpServer2IpAddress) {
                    $ntpServers = @($NtpServer1IpAddress, $NtpServer2IpAddress)
                else {
                    $ntpServers = @($NtpServer1IpAddress)

                if ($DnsServer2IpAddress) {
                    $dnsServers = @($DnsServer1IpAddress, $DnsServer2IpAddress)
                else {
                    $dnsServers = @($DnsServer1IpAddress)

                $internalWMClusterInput = @{
                    SizeHint                          = $SizeHint
                    ManagementVirtualNetwork          = Get-VirtualNetwork -Name $ManagementVirtualNetwork
                    ManagementNetworkMode             = $managementNetworkMode
                    ManagementNetworkStartIpAddress   = $managementNetworkStartIpAddress
                    ManagementNetworkAddressRangeSize = $managementNetworkAddressRangeSize
                    ManagementNetworkGateway          = $managementNetworkGateway
                    ManagementNetworkSubnetMask       = $managementNetworkSubnetMask
                    MasterNtpServer                   = $ntpServers
                    Cluster                           = $cluster
                    ContentLibrary                    = $contentLibrary
                    EphemeralStoragePolicy            = Get-SpbmStoragePolicy -Name $ephemeralStoragePolicy
                    ImageStoragePolicy                = Get-SpbmStoragePolicy -Name $imageStoragePolicy
                    MasterStoragePolicy               = Get-SpbmStoragePolicy -Name $masterStoragePolicy
                    NsxEdgeClusterId                  = (Get-NsxtEdgeCluster -Name $nsxEdgeCluster).Id
                    DistributedSwitch                 = $distributedSwitch
                    PodCIDRs                          = $podCIDRs
                    ServiceCIDR                       = $serviceCIDR
                    ExternalIngressCIDRs              = $externalIngressCIDRs
                    ExternalEgressCIDRs               = $externalEgressCIDRs
                    WorkerDnsServer                   = $dnsServers
                    MasterDnsServerIpAddress          = $dnsServers
                    MasterDnsSearchDomain             = $dnsSearchDomain

                if ($async -eq "true") {
                    Enable-WMCluster @internalWMClusterInput -RunAsync | Out-Null
                    Write-Output  "Submitted Creation of Supervisor Cluster $cluster in vCenter Server $($vcenter.fqdn), this takes a while"
                if ($async -eq "false") {
                    Enable-WMCluster @internalWMClusterInput | Out-Null
                    if ($getWMCluster = Get-WMCluster -Cluster $cluster -ErrorAction SilentlyContinue) {
                        Write-Output  "Created Supervisor Cluster $cluster in vCenter Server $($vcenter.fqdn) Successfully"
                    else {
                        Write-Error  "Creating Supervisor Cluster $cluster in vCenter Server $($vcenter.fqdn) Failed"
            else {
                Write-Warning "Supervisor Cluster $cluster has already been enabled in vCenter Server $($vcenter.fqdn)"
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Enable-SupervisorCluster

Function Add-Namespace {
        Creates a Namespace and applies extra configuration to it

        The Add-Namespace cmdlet creates a Namespace and applies extra configuration to it

        Add-Namespace -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-w01 -cluster sfo-w01-cl01 -namespace sfo-w01-ns01 -storagePolicy vsphere-with-tanzu-storage-policy
        This example creates a Namespace named sfo-w01-ns01 in the Supervisor Cluster sfo-w01-cl01 with a vSphere Storage Policy vsphere-with-tanzu-storage-policy

    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$domain,
        [Parameter (Mandatory = $true)] [String]$cluster,
        [Parameter (Mandatory = $true)] [String]$namespace,
        [Parameter (Mandatory = $true)] [String]$storagePolicy

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -Password $vcenter.ssoAdminPass -Force | Out-Null
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            if (!($getNamespace = Get-WMNamespace -Name $namespace -ErrorAction SilentlyContinue)) {
                if ($clusterExists = Get-Cluster -Name $cluster -ErrorAction SilentlyContinue) {
                    if ($storagePolicyExists = Get-SpbmStoragePolicy -Name $storagePolicy -ErrorAction SilentlyContinue) {
                        New-WMNamespace -Name $namespace -Cluster $cluster | Out-Null
                        if ($getNamespace = Get-WMNamespace -Name $namespace -ErrorAction SilentlyContinue) {
                            New-WMNamespaceStoragePolicy -Namespace $namespace -StoragePolicy $storagePolicy | Out-Null
                            Write-Output  "Created Namespace $namespace in vCenter Server $($vcenter.fqdn) Successfully"
                        else {
                            Write-Error "Creation of Namespace $namespace in vCenter Server $($vcenter.fqdn) Failed"
                    else {
                        Write-Error "vSphere Storage Policy $storagePolicy not found in vCenter Server $($vcenter.fqdn)"
                else {
                    Write-Error  "Cluster $cluster not found in vCenter Server $($vcenter.fqdn)"
            else {
                Write-Warning "Namespace $namespace already exists in vCenter Server $($vcenter.fqdn)"
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
    Finally {
        #Disconnect-VIServer * -Force -Confirm:$false -WarningAction SilentlyContinue
Export-ModuleMember -Function Add-Namespace

Function Add-NamespacePermission {
        Adds permissions to a Namespace

        The Add-NamespacePermission cmdlet adds permissions to a Namespace

        Add-NamespacePermission -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -sddcDomain sfo-w01 -domain sfo.rainpole.io -domainBindUser svc-vsphere-ad -domainBindPass VMw@re1! -namespace sfo-w01-ns01 -principal gg-kub-admins -role edit -type group
        This example adds the edit role to the group gg-kub-admins in the domain sfo.rainpole.io to the Namespace sfo-w01-ns01

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$sddcDomain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainBindUser,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainBindPass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$namespace,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$principal,
        [Parameter (Mandatory = $true)] [ValidateSet("edit", "view")] [String]$role,
        [Parameter (Mandatory = $true)] [ValidateSet("group", "user")] [String]$type,
        [Parameter (Mandatory = $true)] [ValidateSet("true", "false")] [String]$disconnect

    Try {
        $checkAdAuthentication = Test-ADAuthentication -user $domainBindUser -pass $domainBindPass -server $domain -domain $domain -ErrorAction SilentlyContinue
        if ($checkAdAuthentication[1] -match "Authentication Successful") {
            $securePass = ConvertTo-SecureString -String $domainBindPass -AsPlainText -Force
            $domainCreds = New-Object System.Management.Automation.PSCredential ($domainBindUser, $securePass)
            $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $sddcDomain
            Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -Password $vcenter.ssoAdminPass -Force | Out-Null
            if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
                if ($namespaceExists = Get-WMNamespace -Name $namespace -ErrorAction SilentlyContinue) {
                    if ($type -eq "group") { $adObjectCheck = (Get-ADGroup -Server $domain -Credential $domainCreds -Filter { SamAccountName -eq $principal }) }
                    elseif ($type -eq "user") { $adObjectCheck = (Get-ADUser -Server $domain -Credential $domainCreds -Filter { SamAccountName -eq $principal }) }
                    if ($adObjectCheck) {
                        if (!($permissionExist = Get-WMNamespacePermission -Namespace $namespace -Domain $domain -PrincipalName $principal)) {
                            New-WMNamespacePermission -Namespace $namespace -Role $role -Domain $domain -PrincipalType $type -PrincipalName $principal | Out-Null
                            if ($permissionExist = Get-WMNamespacePermission -Namespace $namespace -Domain $domain -PrincipalName $principal) {
                                Write-Output "Assigned Role $role to $type $principal in Namespace $namespace Successfully"
                            else {
                                Write-Error "Assigning Role $role to $type $principal in Namespace $namespace Failed"
                        else {
                            Write-Warning "Principal $type $principal already assigned permission $role to Namespace $namespace"
                    else {
                        Write-Error "Active Directory $type $principal not found in the Active Directory Domain, please create and retry"
                else {
                    Write-Error "Namespace $namespace does not exist in vCenter Server $($vcenter.fqdn)"
            else {
                Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
        else {
            Write-Error  "Unable to authenticate to Active Directory with user $domainBindUser and password $domainBindPass, verify they are correct and try again"
    Catch {
        Debug-ExceptionWriter -object $_
    Finally {
        if ($disconnect -eq "true") {
            #Disconnect-VIServer * -Force -Confirm:$false -WarningAction SilentlyContinue
Export-ModuleMember -Function Add-NamespacePermission

Function Enable-Registry {
        Enable the embedded Harbor Registry on a Supervisor Cluster

        The Enable-Registry cmdlet enables the embedded Harbor Registry on a Supervisor Cluster

        Enable-Registry -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-w01 -storagePolicy vsphere-with-tanzu-storage-policy
        This example enables the embedded Harbor Registry on Supervisor Cluster sfo-w01-cl01 with vSPhere Storage Policy vsphere-with-tanzu-policy


    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$domain,
        [Parameter (Mandatory = $true)] [String]$storagePolicy

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -Password $vcenter.ssoAdminPass -Force | Out-Null
        Request-vSphereApiToken -Fqdn $vcenter.fqdn -Username $vcenter.ssoadmin -Password $vcenter.ssoAdminPass | Out-Null
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            $cluster = (Get-VCFCluster | Where-Object { $_.id -eq ((Get-VCFWorkloadDomain | Where-Object { $_.Name -eq $domain }).clusters.id) }).Name
            if (!($getRegistry = Get-WMRegistry -Cluster $cluster -ErrorAction SilentlyContinue)) {
                if ($getStoragePolicy = Get-SpbmStoragePolicy -Name $StoragePolicy -ErrorAction SilentlyContinue) {
                    Enable-WMRegistry -Cluster $cluster -StoragePolicy $storagePolicy | Out-Null
                    if ($getRegistry = Get-WMRegistry -Cluster $cluster -ErrorAction SilentlyContinue) {
                        Write-Output "Enabled the Embedded Registry Service on cluster $cluster in vCenter Server $($vcenter.fqdn) Successfully"
                    else {
                        Write-Error "Enabling the Embedded Registry Service on cluster $cluster in vCenter Server $($vcenter.fqdn) Failed"
                else {
                    Write-Error -Message "vSphere Storage Policy $storagePolicy does not exist in vCenter Server $($vcenter.fqdn)"
            else {
                Write-Warning "The Embedded Registry Service has already been enabled on cluster $cluster in vCenter Server $($vcenter.fqdn)"
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
    Finally {
        #Disconnect-VIServer * -Force -Confirm:$false -WarningAction SilentlyContinue
Export-ModuleMember -Function Enable-Registry

Function Connect-SupervisorCluster {
        Log in to a Supervisor Cluster

        The Connect-SupervisorCluster cmdlet logs the user in to a Supervisor Cluster

        Connect-WMCluster -Cluster sfo-w01-cl01 -User administrator@vsphere.local -Pass VMw@re1!
        This example logs the vSphere SSO user administrator@vsphere.local into Supervisor Cluster sfo-w01-cl01

    Param (
        [Parameter (Mandatory = $true)][string]$Server,
        [Parameter (Mandatory = $true)][string]$User,
        [Parameter (Mandatory = $true)][string]$Pass,
        [Parameter (Mandatory = $true)][string]$Domain,
        [Parameter (Mandatory = $true)][string]$Cluster

    if ($accessToken) {
    else {
        Request-VCFToken -fqdn $Server -username $User -password $Pass | Out-Null

    Try {
        $viserver = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain
        Connect-VIServer -Server $viserver.fqdn -User $viserver.ssoAdmin -Password $viserver.ssoAdminPass -Force | Out-Null
    Catch {
        Debug-ExceptionWriter -object $_

    Try {
        $kubIpAddress = (Get-WMCluster -Cluster $Cluster).KubernetesHostname
    Catch {
        Debug-ExceptionWriter -object $_

    Try {
        Start-AwaitSession | Out-Null
        Send-AwaitCommand "kubectl vsphere login --server $kubIpAddress --vsphere-username $User --insecure-skip-tls-verify" | Out-Null
        Wait-AwaitResponse "Password:" | Out-Null
        Send-AwaitCommand "$Pass"
        Start-Sleep -seconds 3 | Out-Null
    Catch {
        Write-Error "Something went wrong."

    $tryKubectl = Invoke-Expression "kubectl get nodes"

    if ($tryKubectl) {
        Write-Output "Connection successful."
Export-ModuleMember -Function Connect-Supervisor

Function Add-TanzuKubernetesCluster {
        Create a new Tanzu Kubernetes Cluster on a VCF-deployed Supervisor Cluster

        The Add-TanzuKubernetesCluster cmdlet creates a new Tanzu Kubernetes Cluster on a VCF-deployed Supervisor Cluster

        Add-TanzuKubernetesCluster -Server sfo-vcf01.sfo.rainpole.io -User administrator@vsphere.local -Pass VMware123! -Domain sfo-w01 -Cluster sfo-w01-cl01 -YAML c:\kube\sfo-w01-tkc01.yaml
        This example creates a Tanzu Kubernetes cluster based on YAML in c:\kube\sfo-w01-tkc01.yaml as the vSphere SSO user administrator@vsphere.local on Supervisor Cluster sfo-w01-cl01

    Param (
        [Parameter (Mandatory = $true)][string]$Server,
        [Parameter (Mandatory = $true)][string]$User,
        [Parameter (Mandatory = $true)][string]$Pass,
        [Parameter (Mandatory = $true)][string]$Domain,
        [Parameter (Mandatory = $true)][string]$Cluster,
        [Parameter (Mandatory = $true)][string]$YAML

    if ($accessToken) {
    else {
        Request-VCFToken -fqdn $Server -username $User -password $Pass | Out-Null

    Try {
        $viserver = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain
        Connect-VIServer -Server $viserver.fqdn -User $viserver.ssoAdmin -Password $viserver.ssoAdminPass -Force | Out-Null
    Catch {
        Debug-ExceptionWriter -object $_

    Try {
        $kubIpAddress = (Get-WMCluster -Cluster $Cluster).KubernetesHostname
    Catch {
        Debug-ExceptionWriter -object $_

    Try {
        Connect-SupervisorCluster -Server $Server -User $User -Pass $Pass -Domain $Domain -Cluster $Cluster | Out-Null
    Catch {
        Debug-ExceptionWriter -object $_

    Try {
        New-TanzuKubernetesCluster -YAML $YAML
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-TanzuKubernetesCluster

########################################## E N D O F F U N C T I O N S ##########################################

################# S H A R E D P O W E R V A L I D A T E D S O L U T I O N F U N C T I O N S ################

Function Add-vCenterGlobalPermission {
        Adds a Global Permission to user/group

        The Add-vCenterGlobalPermission cmdlets assigns the vCenter Server Global Permission to the user or group provided.
        The cmdlet connects to SDDC Manager using the -server, -user, and -password values to retrive the management domain
        vCenter Server details from its inventory and then:
        - Verifies that the bind credentials are valid
        - Verifies that the domain is present in vCenter Server as an Identity Provider
        - Verifies the user or group exists in Active Directory
        - Assigns the user or group to the Global Permission

        If -localDomain is selected, then AD authentication check is skipped and user/group is checked for in the local directory

        Add-vCenterGlobalPermission -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo.rainpole.io -domainBindUser svc-vsphere-ad -domainBindPass VMw@re1! -principal gg-vc-admins -role Admin -propagate true -type group
        This example adds the group gg-vc-admins from domain sfo.rainpole.io the Administrator Global Permission

        Add-vCenterGlobalPermission -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain vsphere.local -domainBindUser administrator -domainBindPass VMw@re1! -principal svc-sfo-m01-nsx01-sfo-m01-vc01 -role "NSX-T Data Center to vSphere Integration" -propagate true -type user -localdomain
        This example adds the "NSX-T Data Center to vSphere Integration" Global Permission to the user svc-sfo-m01-nsx01-sfo-m01-vc01 from domain vsphere.local

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainBindUser,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainBindPass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$principal,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$role,
        [Parameter (Mandatory = $true)] [ValidateSet("true", "false")] [String]$propagate,
        [Parameter (Mandatory = $true)] [ValidateSet("group", "user")] [String]$type,
        [Parameter (Mandatory = $false)] [Switch]$localDomain = $false

    Try {
        if (!$localDomain){
            $checkAdAuthentication = Test-ADAuthentication -user $domainBindUser -pass $domainBindPass -server $domain -domain $domain -ErrorAction SilentlyContinue
            if (!($checkAdAuthentication[1] -match "Authentication Successful")) {
                Write-Error  "Unable to authenticate to Active Directory with user '$domainBindUser' and password '$domainBindPass', verify they are correct and try again"

        $securePass = ConvertTo-SecureString -String $domainBindPass -AsPlainText -Force
        $domainCreds = New-Object System.Management.Automation.PSCredential ($domainBindUser, $securePass)
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domainType MANAGEMENT
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -Pass $vcenter.ssoAdminPass | Out-Null
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            Connect-SsoAdminServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -Password $vcenter.ssoAdminPass | Out-Null
            if ($DefaultSsoAdminServers.Name -eq $($vcenter.fqdn)) {
                if (!(Get-IdentitySource | Where-Object { $_.Name -eq $domain })) {
                    Write-Error "Identity Source $domain not found in vCenter Server $($vcenter.fqdn)"
                else {
                    if ($type -eq "group") {
                        if (!$localDomain) {
                            $objectCheck = (Get-ADGroup -Server $domain -Credential $domainCreds -Filter { SamAccountName -eq $principal })
                        else {
                            $principal = $domain.ToUpper() + "\" + $principal
                            $objectCheck = (Get-VIAccount -Group -Domain vsphere.local | Where-Object { $_.Name -eq $principal })
                    elseif ($type -eq "user") {
                        if (!$localDomain){
                            $objectCheck = (Get-ADUser -Server $domain -Credential $domainCreds -Filter { SamAccountName -eq $principal })
                            $principal = $domain.ToUpper() + "\" + $principal
                        else {
                            $principal = $domain.ToUpper() + "\" + $principal
                            $objectCheck = (Get-VIAccount -User -Domain vsphere.local | Where-Object { $_.Name -eq $principal })
                    if ($objectCheck) {
                        $roleId = (Get-VIRole -Name $role | Select-Object -ExpandProperty Id)
                        Add-GlobalPermission -vcServer $vcenter.fqdn -vcUsername $vcenter.ssoAdmin -vcPassword $vcenter.ssoAdminPass -roleId $roleId -user $principal -propagate $propagate -type $type
                        Write-Output "Assigned Global Permission Role $role to $type '$principal' in vCenter Server $($vcenter.fqdn) Successfully"
                    else {
                        if ($localDomain) {
                            Write-Error "$type '$principal' not found in the Local Domain, please create and retry"
                        else {
                            Write-Error "Active Directory $type '$principal' not found in the Active Directory Domain, please create and retry"
            else {
                Write-Error  "Not connected to vCenter Single-Sign On $($vcenter.fqdn)"
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
        Disconnect-SsoAdminServer $vcenter.fqdn -WarningAction SilentlyContinue
        Disconnect-VIServer $vcenter.fqdn -Confirm:$false -WarningAction SilentlyContinue
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-vCenterGlobalPermission

Function Set-vCenterPermission {
        Sets Permission for user or group in the vCenter server. This overrides any existing Global permissions for the user or group in the vCenter server

        The Set-vCenterPermission cmdlet assigns the Permission/Role to existing user or group in the vCenter server.
        The user/group must exist in the domain prior to running this cmdlet

        Set-vCenterPermission -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain vsphere.local -workloadDomain sfo-m01 -principal svc-sfo-w01-nsx01-sfo-w01-vc01 -role "NoAccess"
        This example assigns NoAccess permission to the user svc-sfo-w01-nsx01-sfo-w01-vc01 from domain vsphere.local

        Set-vCenterPermission -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo -workloadDomain sfo-m01 -principal gg-vc-admins -role "Admin"
        This example assigns Admin permission to the group gg-vc-admins from domain sfo

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$workloadDomain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$principal,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$role

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $workloadDomain
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            $principal = $domain.ToUpper() + "\" + $principal
            $objectCheck = Get-VIPermission -Server $vcenter.fqdn | Where-Object { $_.Principal -eq $principal }
            if ($objectCheck) {
                if (!($objectCheck.Role -eq $role)) {
                    New-VIPermission -Server $vcenter.fqdn -Role $role -Principal $principal -Entity (Get-Folder "Datacenters" -Type Datacenter | Where-Object {$_.Uid -like "*"+$workloadDomain+"*"}) | Out-Null
                    $objectCheck = Get-VIPermission -Server $vcenter.fqdn | Where-Object { $_.Principal -eq $principal }
                    if ($objectCheck.Role -eq $role) {
                        Write-Output "Assigned $role permission to $principal Successfully"
                    else {
                        Write-Error "Assigning $role permission to $principal failed, please retry"
                else {
                    Write-Warning "Role $($objectCheck.Role) assigned to $principal already"
            else {
                Write-Error "$principal not found in the vCenter Server $($vcenter.fqdn)"
            Disconnect-VIServer $vcenter.fqdn -Confirm:$false -WarningAction SilentlyContinue
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Set-vCenterPermission

Function Add-SsoPermission {
        Assign vCenter Single Sign-On Group to user/group

        The Add-SsoPermission cmdlet assigns the vCenter Single Sign-On Role to the user or group provided.
        The cmdlet connects to SDDC Manager using the -server, -user, and -password values to retrive the management domain
        vCenter Server details from its inventory and then:
        - Verifies that the bind credetials are valid
        - Verifies that the domain is present in vCenter Server as an Identity Provider
        - Verifies the user or group exists in Active Directory
        - Assigns the user or group to the vCenter Single Sign-On Role

        Add-SsoPermission -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -sddcDomain sfo-m01 -domain sfo.rainpole.io -domainBindUser svc-vsphere-ad -domainBindPass VMw@re1! -principal gg-sso-admins -ssoGroup "Administrators" -type group -source external
        This example adds the group gg-sso-admins from domain sfo.rainpole.io to the Administrators vCenter Single Sign-On Group

        Add-SsoPermission -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -sddcDomain sfo-m01 -domain vsphere.local -principal svc-sfo-m01-nsx01-sfo-m01-vc01 -ssoGroup "License.Administrators" -type user -source local
        This example adds the user svc-sfo-m01-nsx01-sfo-m01-vc01 from domain vspherel.local to the License.Administrators vCenter Single Sign-On Group

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$sddcDomain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$domainBindUser,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$domainBindPass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$principal,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$ssoGroup,
        [Parameter (Mandatory = $true)] [ValidateSet("group", "user")] [String]$type,
        [Parameter (Mandatory = $true)] [ValidateSet("local", "external")] [String]$source

    Try {
        if ($source -eq "external") {
            $checkAdAuthentication = Test-ADAuthentication -user $domainBindUser -pass $domainBindPass -server $domain -domain $domain -ErrorAction SilentlyContinue
            if ($checkAdAuthentication[1] -match "Authentication Successful") {
                $securePass = ConvertTo-SecureString -String $domainBindPass -AsPlainText -Force
                $domainCreds = New-Object System.Management.Automation.PSCredential ($domainBindUser, $securePass)
                $ssoServer = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $sddcDomain
                $ssoConnection = Connect-SsoAdminServer -Server $ssoServer.fqdn -User $ssoServer.ssoAdmin -Password $ssoServer.ssoAdminPass
                if ($DefaultSsoAdminServers.Name -eq $($ssoServer.fqdn)) {
                    $targetGroup = Get-SsoGroup -Domain vsphere.local -Name $ssoGroup -Server $ssoConnection
                    if (Get-IdentitySource -Server $ssoConnection | Where-Object { $_.Name -eq $domain }) {
                        if ($type -eq "group") {
                            $adObjectCheck = (Get-ADGroup -Server $domain -Credential $domainCreds -Filter { SamAccountName -eq $principal })
                            if ($adObjectCheck) {
                                if (!(Get-SsoGroup -Group $targetGroup -Name $principal)) {
                                    $ldapGroup = Get-SsoGroup -Domain $domain -Name $principal -Server $ssoConnection
                                    $ldapGroup | Add-GroupToSsoGroup -TargetGroup $targetGroup -ErrorAction SilentlyContinue
                                    if (Get-SsoGroup -Group $targetGroup -Name $principal) {
                                        Write-Output "Assigned Active Directory $type '$principal' from Identity Provider '$domain' to vCenter Single-Sign On Group '$ssoGroup' Successfully"
                                    else {  Write-Error "Adding Active Directory $type '$principal' from Identity Provider '$domain' to vCenter Single-Sign On Group '$ssoGroup' Failed"
                                else { Write-Warning "Active Directory $type '$principal' from Identity Provider '$domain' already added to vCenter Single-Sign On Group $ssoGroup"
                            else { Write-Error "Active Directory $type '$principal' not found in the Active Directory Domain '$domain', please create and retry"
                        elseif ($type -eq "user") {
                            $adObjectCheck = (Get-ADUser -Server $domain -Credential $domainCreds -Filter { SamAccountName -eq $principal })
                            if ($adObjectCheck) {
                                if (!(Get-SsoPersonUser -Group $targetGroup | Where-Object {$_.Name -eq $principal})) {
                                    $ldapUser = Get-SsoPersonUser -Domain $domain -Name $principal -Server $ssoConnection
                                    $ldapUser | Add-UserToSsoGroup -TargetGroup $targetGroup -ErrorAction SilentlyContinue
                                    if (Get-SsoPersonUser -Group $targetGroup | Where-Object {$_.Name -eq $principal}) {
                                        Write-Output "Assigned Active Directory $type '$principal' from Identity Provider '$domain' to vCenter Single-Sign On Group '$ssoGroup' Successfully"
                                    else { Write-Error "Adding Active Directory $type '$principal' from Identity Provider '$domain' to vCenter Single-Sign On Group '$ssoGroup' Failed"
                                else { Write-Warning "Active Directory $type '$principal' from Identity Provider '$domain' to already added to vCenter Single-Sign On Group $ssoGroup"
                            else { Write-Error "Active Directory $type '$principal' not found in the Active Directory Domain '$domain', please create and retry"
                    else {
                        Write-Error "Identity Provider '$domain' not found in vCenter Single-Sign On, please create and retry"
                    Disconnect-SsoAdminServer -Server $ssoServer.fqdn
                else {
                    Write-Error  "Not connected to vCenter Single-Sign On $($ssoServer.fqdn)"
            else {
                Write-Error  "Unable to authenticate to Active Directory with user '$domainBindUser' and password '$domainBindPass', verify they are correct and try again"
        elseif ($source -eq "local") {
            $ssoServer = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $sddcDomain
            $ssoConnection = Connect-SsoAdminServer -Server $ssoServer.fqdn -User $ssoServer.ssoAdmin -Password $ssoServer.ssoAdminPass
            if ($DefaultSsoAdminServers.Name -eq $($ssoServer.fqdn)) {
                $targetGroup = Get-SsoGroup -Domain vsphere.local -Name $ssoGroup -Server $ssoConnection
                if (Get-IdentitySource | Where-Object { $_.Name -eq $domain }) {
                    if ($type -eq "group") {
                        if (!(Get-SsoGroup -Group $targetGroup -Name $principal -Server $ssoConnection)) {
                            $ldapGroup = Get-SsoGroup -Domain $domain -Name $principal -Server $ssoConnection
                            $ldapGroup | Add-GroupToSsoGroup -TargetGroup $targetGroup -ErrorAction SilentlyContinue
                            if (Get-SsoGroup -Group $targetGroup -Name $principal -Server $ssoConnection) {
                                Write-Output "Assigned $type '$principal' from Identity Provider '$domain' to vCenter Single-Sign On Group '$ssoGroup' Successfully"
                            else {  Write-Error "Adding $type '$principal' from Identity Provider '$domain' to vCenter Single-Sign On Group '$ssoGroup' Failed"
                        else { Write-Warning "$type '$principal' from Identity Provider '$domain' already added to vCenter Single-Sign On Group $ssoGroup"
                    elseif ($type -eq "user") {
                        if (!(Get-SsoPersonUser -Group $targetGroup -Server $ssoConnection | Where-Object {$_.Name -eq $principal})) {
                            $ldapUser = Get-SsoPersonUser -Domain $domain -Name $principal -Server $ssoConnection
                            $ldapUser | Add-UserToSsoGroup -TargetGroup $targetGroup -ErrorAction SilentlyContinue
                            if (Get-SsoPersonUser -Group $targetGroup -Server $ssoConnection| Where-Object {$_.Name -eq $principal}) {
                                Write-Output "Assigned $type '$principal' from Identity Provider '$domain' to vCenter Single-Sign On Group '$ssoGroup' Successfully"
                            else { Write-Error "Adding $type '$principal' from Identity Provider '$domain' to vCenter Single-Sign On Group '$ssoGroup' Failed"
                        else { Write-Warning "$type '$principal' from Identity Provider '$domain' already added to vCenter Single-Sign On Group $ssoGroup"
                else {
                    Write-Error "Identity Provider '$domain' not found in vCenter Single-Sign On, please create and retry"
                Disconnect-SsoAdminServer -Server $ssoServer.fqdn
            else {
                Write-Error  "Not connected to vCenter Single-Sign On $($ssoServer.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-SsoPermission

Function Add-vSphereRole {
        Add a vSphere role

        The Add-vSphereRole cmdlet creates a role in vCenter Server. The cmdlet connects to SDDC Manager using the -server, -user,
        and -password values to retrive the management domain vCenter Server details from its inventory and then:
        - Verifies if the role already exists and if not creates it
        - Assigns permissions to the role based on the template file provided

        Add-vSphereRole -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -roleName "NSX-T Data Center to vSphere Integration" -template .\vSphereRoles\nsx-vsphere-integration.role
        This example adds the nsx-vsphere-integration role in the management domain vCenter Server

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$roleName,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$template

    Try {
        if (!$PsBoundParameters.ContainsKey("template")) {
            $template = Get-ExternalFileName -title "Select the vSphere role template (.role)" -fileType "role" -location "C:\Program Files\WindowsPowerShell\Modules\PowerValidatedSolutions\vSphereRoles"
        else {
            if (!(Test-Path -Path $template)) {
                Write-Error  "vSphere Role Template '$template' File Not Found"

        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domainType MANAGEMENT
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            $roleContent = Get-Content -Path $template
            $checkRole = Get-VIRole -Server $vcenter.fqdn | Where-Object { $_.Name -eq $roleName }
            if (!$checkRole ) {
                New-VIRole -Name $roleName -Server $vcenter.fqdn | Out-Null
                Write-Output "Created new role '$roleName' in vCenter Server $($vcenter.fqdn) Successfully"
            else {
                Write-Warning "Role '$roleName' already exists in $($vcenter.fqdn)"
            Foreach ($privilege in $roleContent) {
                if (-not ($privilege -eq $null -or $privilege -eq "")) {
                    Set-VIRole -Server $vcenter.fqdn -Role $roleName -AddPrivilege (Get-VIPrivilege -ID $privilege) -Confirm:$False -ErrorAction SilentlyContinue | Out-Null
            Write-Output "Assigned all privileges from the template file to role '$roleName' in vCenter Server $($vcenter.fqdn) Successfully"

            Disconnect-VIServer $vcenter.fqdn -Confirm:$false -WarningAction SilentlyContinue
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-vSphereRole

Function Add-VMFolder {
        Create a VM Folder

        The Add-VMFolder cmdlet creates a VM and Template folder. The cmdlet connects to SDDC Manager using the -server, -user, and -password values
        to retrive the vCenter Server details from its inventory and then:
        - Verifies that the folder has not already been created
        - Creates the folder

        Add-VMFolder -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-m01 -foldername "myFolder"
        This example shows how to create the folder myFolder within the VMware Cloud Foundation domain sfo-m01

    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$domain,
        [Parameter (Mandatory = $true)] [String]$folderName

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain -ErrorAction SilentlyContinue
        if ($vcenter) {
            Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
            if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
                $cluster = (Get-VCFCluster | Where-Object { $_.id -eq ((Get-VCFWorkloadDomain | Where-Object { $_.name -eq $domain }).clusters.id) }).Name
                $datacenter = (Get-Datacenter -Cluster $cluster -Server $vcenter.fqdn).Name
                $folderExists = (Get-Folder -Name $folderName -Server $vcenter.fqdn -WarningAction SilentlyContinue -ErrorAction Ignore)
                if ($folderExists) {
                    Write-Warning "The VM and Template Folder '$folderName' already exists"
                else {
                    $folder = (Get-View -Server $vcenter.fqdn (Get-View -Server $vcenter.fqdn -viewtype datacenter -filter @{"name" = [String]$datacenter }).vmfolder).CreateFolder($folderName)
                    $folderExists = (Get-Folder -Name $folderName -Server $vcenter.fqdn -WarningAction SilentlyContinue -ErrorAction Ignore)
                    if ($folderExists) {
                        Write-Output  "Created VM and Template Folder '$folderName' in vCenter Server Successfully"
                    else {
                        Write-Error "Creating VM and Template Folder '$folderName' in vCenter Server Failed"
                Disconnect-VIServer $vcenter.fqdn -Confirm:$false -WarningAction SilentlyContinue
            else {
                Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
        else {
            Write-Error "Workload domain name does not exist in SDDC Manager"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-VMFolder

Function Add-AntiAffinityRule {
        Creates a vSphere Anti-Affinity rule

        The Add-AntiAffinityRule cmdlet creates a vSphere Anti-Affinity rule. The cmdlet connects to SDDC Manager using the -server, -user, and -password values
        to retrive the vCenter Server details from its inventory and then:
        - Verifies that the anti-affinity rule has not already been created
        - Creates the anti-affinity rule

        Add-AntiAffinityRule -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-m01 -ruleName sfo-m01-anti-affinity-rule-wsa -antiAffinityVMs "xreg-wsa01a,xreg-wsa01b,xreg-wsa01c"
        This example shows how to create a vSphere Anti-Affinity rule in the vCenter Server of the sfo-m01 workload domain

    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$domain,
        [Parameter (Mandatory = $true)] [String]$ruleName,
        [Parameter (Mandatory = $true)] [String]$antiAffinityVMs

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain -ErrorAction SilentlyContinue
        if ($vcenter) {
            Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
            if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
                $cluster = (Get-VCFCluster | Where-Object { $_.id -eq ((Get-VCFWorkloadDomain | Where-Object { $_.name -eq $domain }).clusters.id) }).Name
                $antiAffinityRuleExists = (Get-Cluster -Name $cluster | Get-DrsRule | Where-Object {$_.Name -eq $ruleName})
                if ($antiAffinityRuleExists) {
                    Write-Warning "The Anti-Affinity Rule '$ruleName' already exists"
                else {
                    $vmNames = $antiAffinityVMs.split(",")
                    $vms = foreach ($name in $vmNames) { Get-VM -name $name -ErrorAction SilentlyContinue }
                    New-DrsRule -Cluster $cluster -Name $ruleName -VM $vms -KeepTogether $false -Enabled $true | Out-Null
                    $antiAffinityRuleExists = (Get-Cluster -Name $cluster | Get-DrsRule | Where-Object {$_.Name -eq $ruleName})
                    if ($antiAffinityRuleExists) {
                        Write-Output "Created vSphere Anti-Affinity Rule '$ruleName' in vCenter Server '$($vcenter.fqdn)' Successfully"
                    else {
                        Write-Error "Creating vSphere Anti-Affinity Rule '$ruleName' in vCenter Server '$($vcenter.fqdn)' Failed, Please Retry"
                Disconnect-VIServer $vcenter.fqdn -Confirm:$false -WarningAction SilentlyContinue
            else {
                Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
        else {
            Write-Error "Workload domain name does not exist in SDDC Manager"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-AntiAffinityRule

Function Add-ClusterGroup {
        Creates a vSphere DRS Cluster Group

        The Add-ClusterGroup cmdlet creates a vSphere DRS Cluster Group. The cmdlet connects to SDDC Manager using the -server, -user, and -password values
        to retrive the vCenter Server details from its inventory and then:
        - Verifies that that the vSphere DRS Cluster Group does not already exist
        - Creates the vSphere DRS Cluster Group

        Add-ClusterGroup -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-m01 -drsGroupName "Clustered Workspace ONE Access Appliances" -drsGroupVMs "xreg-wsa01a,xreg-wsa01b,xreg-wsa01c"
        This example shows how to create a vSphere DRS Cluster group in the vCenter Server of the sfo-m01 workload domain

    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$domain,
        [Parameter (Mandatory = $true)] [String]$drsGroupName,
        [Parameter (Mandatory = $true)] [String]$drsGroupVMs

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain -ErrorAction SilentlyContinue
        if ($vcenter) {
            Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
            if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
                $cluster = (Get-VCFCluster | Where-Object { $_.id -eq ((Get-VCFWorkloadDomain | Where-Object { $_.name -eq $domain }).clusters.id) }).Name

                $drsGroupExists = (Get-Cluster -Name $cluster | Get-DrsClusterGroup | Where-Object {$_.Name -eq $drsGroupName})
                if ($drsGroupExists) {
                    Write-Warning "The vSphere DRS Group '$drsGroupName' already exists"
                else {
                    $vmNames = $drsGroupVMs.split(",")
                    $vms = foreach ($name in $vmNames) { Get-VM -name $name -ErrorAction SilentlyContinue }
                    New-DrsClusterGroup -Cluster $cluster -VM $vms -Name $drsGroupName | Out-Null
                    $drsGroupExists = (Get-Cluster -Name $cluster | Get-DrsClusterGroup | Where-Object {$_.Name -eq $drsGroupName})
                    if ($drsGroupExists) {
                        Write-Output "Created vSphere DRS Group '$drsGroupName' in vCenter Server '$($vcenter.fqdn)' Successfully"
                    else {
                        Write-Error "Creating vSphere DRS Group '$drsGroupName' in vCenter Server '$($vcenter.fqdn)' Failed, Please Retry"
                Disconnect-VIServer $vcenter.fqdn -Confirm:$false -WarningAction SilentlyContinue
            else {
                Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
        else {
            Write-Error "Workload domain name does not exist in SDDC Manager"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-ClusterGroup

Function Add-VmStartupRule {
        Creates a VM to VM DRS rule

        The Add-VmStartupRule cmdlet creates a vSphere DRS Virtual Machine to Virtual Machine startup rule. The cmdlet connects to SDDC Manager using the -server,
        -user, and -password values to retrive the vCenter Server details from its inventory and then:
        - Verifies that that the Virtual Machine to Virtual Machine startup rule does not already exist
        - Creates the vSphere DRS Virtual Machine to Virtual Machine startup rule

        Add-VmStartupRule -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-m01 -ruleName vm-vm-rule-wsa-vra -vmGroup sfo-m01-vm-group-wsa -dependOnVmGroup sfo-m01-vm-group-vra
        This example shows how to create a vSphere DRS Cluster group in the vCenter Server of the sfo-m01 workload domain

    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$domain,
        [Parameter (Mandatory = $true)] [String]$ruleName,
        [Parameter (Mandatory = $true)] [String]$vmGroup,
        [Parameter (Mandatory = $true)] [String]$dependOnVmGroup

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain -ErrorAction SilentlyContinue
        if ($vcenter) {
            Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
            if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
                $cluster = (Get-VCFCluster | Where-Object { $_.id -eq ((Get-VCFWorkloadDomain | Where-Object { $_.name -eq $domain }).clusters.id) }).Name
                $ruleNameExists = Get-DrsVmToVmGroup -Cluster $cluster -Name $ruleName
                if ($ruleNameExists) {
                    Write-Warning "The vSphere DRS Virtual Machine to Virtual Machine Group '$ruleName' already exists"
                else {
                    Add-DrsVmToVmGroup -name $ruleName -vmGroup $vmGroup -dependOnVmGroup $dependOnVmGroup -Enabled -cluster $cluster | Out-Null
                    Start-Sleep 5
                    $ruleNameExists = Get-DrsVmToVmGroup -Cluster $cluster -Name $ruleName
                    if ($ruleNameExists) {
                        Write-Output "Created the vSphere DRS Virtual Machine to Virtual Machine Group '$ruleName' Successfully"
                    else {
                        Write-Error "Creating the vSphere DRS Virtual Machine to Virtual Machine Group '$ruleName' Failed, Please Retry"
                Disconnect-VIServer $vcenter.fqdn -Confirm:$false -WarningAction SilentlyContinue
            else {
                Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
        else {
            Write-Error "Workload domain name does not exist in SDDC Manager"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-VmStartupRule

Function Move-VMtoFolder {
        Moves VMs to a folder

        The Move-VMtoFolder cmdlet moves the Virtual Machines to a folder. The cmdlet connects to SDDC Manager using the -server, -user, and -password values
        to retrive the vCenter Server details from its inventory and then:
        - Verifies that the folder provided exists in the vCenter Server inventory
        - Moves the virtual machines pprovided in the -vmlist parameter

        Move-VMtoFolder -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -domain sfo-m01 -vmList "xreg-wsa01a,xreg-wsa01b,xreg-wsa01c" -folder xinst-m01-fd-wsa
        This example shows how to move a list of virtual machines to a new folder

    Param (
        [Parameter (Mandatory = $true)] [String]$server,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$pass,
        [Parameter (Mandatory = $true)] [String]$domain,
        [Parameter (Mandatory = $true)] [String]$vmList,
        [Parameter (Mandatory = $true)] [String]$folder

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $domain -ErrorAction SilentlyContinue
        if ($vcenter) {
            Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
            if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
                if (Get-Folder | Where-Object {$_.Name -eq $folder}) {
                    $vmNames = $vmList.split(",")
                    foreach ($vm in $vmNames) { Get-VM -Name $vm | Move-VM -InventoryLocation (Get-Folder | Where-Object {$_.Name -eq $folder}) | Out-Null }
                    Write-Output "Virtual Machines '$vmList' relocated to folder '$folder' in vCenter Server '$($vcenter.fqdn)' Successfully"
                else {
                    Write-Error "Folder with name '$folder' not found in vCenter Server '$($vcenter.fqdn)'"
                Disconnect-VIServer $vcenter.fqdn -Confirm:$false -WarningAction SilentlyContinue
            else {
                Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
        else {
            Write-Error "Workload domain name does not exist in SDDC Manager"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Move-VMtoFolder

Function Import-vRSLCMLockerCertificate {
        Add a certificate to the vRSLCM locker

        The Import-vRSLCMLockerCertificate cmdlet imports a PEM encoded chain file to the vRSLCM locker. The cmdlet connects to SDDC Manager using the -server, -user, and -password values
        to retrive the vRSLCM details from its inventory and then:
        - Verifies that the certificate doesnt already exist
        - imports the certificate chain

        Import-vRSLCMLockerCertificate -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass VMw@re1! -certificateAlias "xint-vrops01" -certificatePassphrase "VMw@re1!"
        This example gets the details of a certificate based on the vmid

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$certificateAlias,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$certificatePassphrase,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$certChainPath

    Try {
        if (!$PsBoundParameters.ContainsKey("certChainPath")) {
            $certChainPath = Get-ExternalFileName -title "Select the Certificate Chain PEM File (.pem)" -fileType "pem" -location "default"
        else {
            if (!(Test-Path -Path $certChainPath)) {
                Write-Error  "Certificate Chain '$certChainPath' File Not Found"

        $vrslcm = Get-vRSLCMServerDetail -fqdn $server -username $user -password $pass
        Request-vRSLCMToken -fqdn $vrslcm.fqdn -username $vrslcm.adminUser -password $vrslcm.adminPass | Out-Null
        if (!(Get-vRSLCMLockerCertificate | Where-Object {$_.alias -Match $certificateAlias})) {
            if ($PsBoundParameters.ContainsKey("certificatePassphrase")) {
                $lockerCert = Add-vRSLCMLockerCertificate -vrslcmFQDN $vrslcm.fqdn -certificateAlias $certificateAlias -certificatePassphrase $certificatePassphrase -certChainPath $certChainPath
            else {
                $lockerCert = Add-vRSLCMLockerCertificate -vrslcmFQDN $vrslcm.fqdn -certificateAlias $certificateAlias -certChainPath $certChainPath
            if ((Get-vRSLCMLockerCertificate | Where-Object {$_.alias -Match $certificateAlias})) {
                Write-Output "Certificate with alias $certificateAlias imported to the locker successfully"
            else {
                Write-Error "Certificate with alias $certificateAlias failed to import to the locker"
        else {
            Write-Warning "Certificate with alias $certificateAlias already exists in the locker"
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Import-vRSLCMLockerCertificate

########################################## E N D O F F U N C T I O N S ##########################################

##################################### S U P P O R T I N G F U N C T I O N S ######################################

############# Begin Active Directory Functions #############

Function Test-ADAuthentication {
        Test authetication against Active Directory

        The Test-ADAuthentication cmdlet tests the credentials provided against Active Directory domain

        Test-ADAuthentication -user svc-vsphere-ad -pass VMw@re1! -server sfo.rainpole.io -domain sfo.rainpole.io
        This example check that the svc-vsphere-ad user can authenticate to the sfo.rainpole.io domain

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $false)] [String]$server,
        [Parameter (Mandatory = $false)] [String]$domain = $env:USERDOMAIN

    Try {
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        $contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
        $argumentList = New-Object -TypeName "System.Collections.ArrayList"
        $null = $argumentList.Add($contextType)
        $null = $argumentList.Add($domain)
        if ($null -ne $server) {
        $principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $argumentList -ErrorAction SilentlyContinue
        if ($null -eq $principalContext) {
            Write-Error "$domain\$user - AD Authentication Failed"
        if ($principalContext.ValidateCredentials($user, $pass)) {
            Write-Output "$domain\$user - AD Authentication Successful"
        else {
            Write-Error "$domain\$user - AD Authentication Failed"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Test-ADAuthentication

Function Get-ADPrincipalGuid {
        Get principal GUID details

        The Get-ADPrincipalGuid cmdlet retrieves the GUID details for an active directory user or group Active Directory domain

        Get-ADPrincipalGuid -domain sfo.rainple.io -user svc-vsphere-ad -pass VMw@re1! -principal gg-sso-admin
        This example retrives the details for th gg-sso-admin domain

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$principal

    Try {
        $checkAdAuthentication = Test-ADAuthentication -user $user -pass $pass -server $domain -domain $domain
        if ($checkAdAuthentication -contains "2") {
            $securePassword = ConvertTo-SecureString -String $pass -AsPlainText -Force
            $creds = New-Object System.Management.Automation.PSCredential ($user, $securePassword)
            $nsxAdminGroupObject = (Get-ADGroup -Server $domain -Credential $creds -Filter { SamAccountName -eq $principal })
        else {
            Write-Error "Domain User $user Authentication Failed"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Get-ADPrincipalGuid

############## End Active Directory Functions ##############

############# Begin Cloud Foundation Functions #############

Function Get-vCenterServerDetail {
    Param (
        [Parameter (Mandatory = $false)] [String]$server,
        [Parameter (Mandatory = $false)] [String]$user,
        [Parameter (Mandatory = $false)] [String]$pass,
        [Parameter (Mandatory = $false)] [ValidateSet("MANAGEMENT", "VI")][String]$domainType,
        [Parameter (Mandatory = $false)] [String]$domain

    Try {
        if (!$PsBoundParameters.ContainsKey("user") -or (!$PsBoundParameters.ContainsKey("pass"))) {
            # Request Credentials
            $creds = Get-Credential
            $user = $creds.UserName.ToString()
            $pass = $creds.GetNetworkCredential().password
        if (!$PsBoundParameters.ContainsKey("server")) {
            $server = Read-Host "SDDC Manager access token not found. Please enter the SDDC Manager FQDN, e.g., sfo-vcf01.sfo.rainpole.io"
        Request-VCFToken -fqdn $server -Username $user -Password $pass | Out-Null

        if ($accessToken) {
            if ($PsBoundParameters.ContainsKey("domainType")) {
                # Dynamically build vCenter Server details based on Cloud Foundation domain type
                $vcfWorkloadDomainDetails = Get-VCFWorkloadDomain | Where-Object { $_.type -eq $domainType }
            if ($PsBoundParameters.ContainsKey("domain")) {
                # Dynamically build vCenter Server details based on Cloud Foundation domain name
                $vcfWorkloadDomainDetails = Get-VCFWorkloadDomain | Where-Object { $_.name -eq $domain }
            if ($vcfWorkloadDomainDetails) {
                $vcenterServerDetails = Get-VCFvCenter | Where-Object { $_.id -eq $($vcfWorkloadDomainDetails.vcenters.id) }
                $vcenterCredentialDetails = Get-VCFCredential | Where-Object { $_.resource.resourceId -eq $($vcenterServerDetails.id) }
                $pscCredentialDetails = Get-VCFCredential | Where-Object { $_.resource.resourceType -eq "PSC" }
                $vcenterServer = New-Object -TypeName psobject
                $vcenterServer | Add-Member -notepropertyname 'fqdn' -notepropertyvalue $vcenterServerDetails.fqdn
                $vcenterServer | Add-Member -notepropertyname 'vmName' -notepropertyvalue $vcenterServerDetails.fqdn.Split(".")[0]
                $vcfDetail = Get-VCFManager
                if ( ($vcfDetail.version).Split("-")[0] -gt "") {
                    $vcenterServer | Add-Member -notepropertyname 'ssoAdmin' -notepropertyvalue ($pscCredentialDetails | Where-Object { ($_.credentialType -eq "SSO" -and $_.accountType -eq "SYSTEM") }).username
                    $vcenterServer | Add-Member -notepropertyname 'ssoAdminPass' -notepropertyvalue ($pscCredentialDetails | Where-Object { ($_.credentialType -eq "SSO" -and $_.accountType -eq "SYSTEM") }).password
                else {
                    $vcenterServer | Add-Member -notepropertyname 'ssoAdmin' -notepropertyvalue ($pscCredentialDetails | Where-Object { ($_.credentialType -eq "SSO" -and $_.accountType -eq "USER") }).username
                    $vcenterServer | Add-Member -notepropertyname 'ssoAdminPass' -notepropertyvalue ($pscCredentialDetails | Where-Object { ($_.credentialType -eq "SSO" -and $_.accountType -eq "USER") }).password
                $vcenterServer | Add-Member -notepropertyname 'root' -notepropertyvalue ($vcenterCredentialDetails | Where-Object { ($_.credentialType -eq "SSH" -and $_.accountType -eq "USER") }).username
                $vcenterServer | Add-Member -notepropertyname 'rootPass' -notepropertyvalue ($vcenterCredentialDetails | Where-Object { ($_.credentialType -eq "SSH" -and $_.accountType -eq "USER") }).password
            else {
                Write-Error "Workload domainType or domain name does not exist"
        else {
            Write-Error "Failed to obtain access token from SDDC Manager, check details provided"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Get-vCenterServerDetail

Function Get-NsxtServerDetail {
    Param (
        [Parameter (Mandatory = $false)] [String]$fqdn,
        [Parameter (Mandatory = $false)] [String]$username,
        [Parameter (Mandatory = $false)] [String]$password,
        [Parameter (Mandatory = $false)] [String]$domain,
        [Parameter( Mandatory = $false)] [ValidateSet("MANAGEMENT", "VI")] [String]$domainType,
        [Parameter (Mandatory = $false)] [switch]$listNodes = $false

    Try {
        if (!$PsBoundParameters.ContainsKey("username") -or (!$PsBoundParameters.ContainsKey("password"))) {
            # Request Credentials
            $creds = Get-Credential
            $username = $creds.UserName.ToString()
            $password = $creds.GetNetworkCredential().password
        if (!$PsBoundParameters.ContainsKey("fqdn")) {
            $fqdn = Read-Host "SDDC Manager access token not found. Please enter the SDDC Manager FQDN, e.g., sfo-vcf01.sfo.rainpole.io"
        Request-VCFToken -fqdn $fqdn -Username $username -Password $password | Out-Null

        if ($accessToken) {
            if ($PsBoundParameters.ContainsKey("domainType")) {
                # Dynamically build vCenter Server details based on Cloud Foundation domain type
                $vcfWorkloadDomainDetails = Get-VCFWorkloadDomain | Where-Object { $_.type -eq $domainType }
            if ($PsBoundParameters.ContainsKey("domain")) {
                # Dynamically build vCenter Server details based on Cloud Foundation domain name
                $vcfWorkloadDomainDetails = Get-VCFWorkloadDomain | Where-Object { $_.name -eq $domain }
            if ($vcfWorkloadDomainDetails) {
                $nsxtServerDetails = Get-VCFNsxtcluster | Where-Object { $_.id -eq $($vcfWorkloadDomainDetails.nsxtCluster.id) }
                $nsxtCreds = Get-VCFCredential | Where-Object { $_.resource.resourceId -eq $($nsxtServerDetails.id) }

                $nsxtCluster = New-Object -TypeName PSCustomObject
                $nsxtCluster | Add-Member -notepropertyname 'fqdn' -notepropertyvalue $nsxtServerDetails.vipFqdn
                $nsxtCluster | Add-Member -notepropertyname 'adminUser' -notepropertyvalue ($nsxtCreds | Where-Object { ($_.credentialType -eq "API" -and $_.accountType -eq "SYSTEM") }).username
                $nsxtCluster | Add-Member -notepropertyname 'adminPass' -notepropertyvalue ($nsxtCreds | Where-Object { ($_.credentialType -eq "API" -and $_.accountType -eq "SYSTEM") }).password
                $nsxtCluster | Add-Member -notepropertyname 'rootUser' -notepropertyvalue ($nsxtCreds | Where-Object { ($_.credentialType -eq "SSH" -and $_.accountType -eq "SYSTEM") }).username
                $nsxtCluster | Add-Member -notepropertyname 'rootPass' -notepropertyvalue ($nsxtCreds | Where-Object { ($_.credentialType -eq "SSH" -and $_.accountType -eq "SYSTEM") }).password
                if ($listNodes) {
                    $nsxtCluster | Add-Member -notepropertyname 'nodes' -notepropertyvalue $nsxtServerDetails.nodes
            else {
                Write-Error "Workload domainType or domain name does not exist"
        else {
            Write-Error "Failed to obtain access token from SDDC Manager, check details provided"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Get-NsxtServerDetail

Function Get-vRSLCMServerDetail {
    Param (
        [Parameter (Mandatory = $false)] [String]$fqdn,
        [Parameter (Mandatory = $false)] [String]$username,
        [Parameter (Mandatory = $false)] [String]$password

    Try {
        if (!$PsBoundParameters.ContainsKey("username") -or (!$PsBoundParameters.ContainsKey("password"))) {
            # Request Credentials
            $creds = Get-Credential
            $username = $creds.UserName.ToString()
            $password = $creds.GetNetworkCredential().password
        if (!$PsBoundParameters.ContainsKey("fqdn")) {
            $fqdn = Read-Host "SDDC Manager access token not found. Please enter the SDDC Manager FQDN, e.g., sfo-vcf01.sfo.rainpole.io"
        Request-VCFToken -fqdn $fqdn -Username $username -Password $password | Out-Null

        if ($accessToken) {
                # Get vRSLCM Server Details
                $vRSLCMFQDN = Get-VCFvRSLCM
                $vRSLCMCreds = Get-VCFCredential -resourceName $vRSLCMFQDN.fqdn
                $vrslcmDetails = New-Object -TypeName PSCustomObject
                $vrslcmDetails | Add-Member -notepropertyname 'fqdn' -notepropertyvalue $vRSLCMFQDN.fqdn
                $vrslcmDetails | Add-Member -notepropertyname 'adminUser' -notepropertyvalue ($vRSLCMCreds | Where-Object { ($_.credentialType -eq "API" -and $_.accountType -eq "SYSTEM") }).username
                $vrslcmDetails | Add-Member -notepropertyname 'adminPass' -notepropertyvalue ($vRSLCMCreds | Where-Object { ($_.credentialType -eq "API" -and $_.accountType -eq "SYSTEM") }).password
        else {
            Write-Error "Failed to obtain access token from SDDC Manager, check details provided"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Get-vRSLCMServerDetail

############## End Cloud Foundation Functions ##############

################## Begin vSphere Functions #################

Function Request-VCToken {
        Connects to the specified vCenter Server API and stores the credentials in a base64 string

        The Request-VCToken cmdlet connects to the specified vCenter Server and stores the credentials
        in a base64 string. It is required once per session before running all other cmdlets

        Request-VCToken -fqdn sfo-m01-vc01.sfo.rainpole.io -username administrator@vsphere.local -password VMw@re1!
        This example shows how to connect to the vCenter Server API

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$fqdn,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$username,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$password

    if ( -not $PsBoundParameters.ContainsKey("username") -or ( -not $PsBoundParameters.ContainsKey("password"))) {
        $creds = Get-Credential # Request Credentials
        $username = $creds.UserName.ToString()
        $password = $creds.GetNetworkCredential().password

    $Global:vcenterFqdn = $fqdn

    $vcenterHeader = @{"Authorization" = "Basic "+[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($username+":"+$password))}
    $contentType = "application/json"
    $uri = "https://$vcenterFqdn/api/session"

    Try {
        # Checking authentication with vCenter Server API
        if ($PSEdition -eq 'Core') {
            $Global:vcToken = Invoke-RestMethod -Uri $uri -Headers $vcenterHeader -Method POST -ContentType $contentType -SkipCertificateCheck # PS Core has -SkipCertificateCheck implemented
        else {
            $Global:vcToken = Invoke-RestMethod -Uri $uri -Headers $vcenterHeader -Method POST -ContentType $contentType
        if ($vcToken) {
            Write-Output "Successfully connected to the vCenter Server API: $vcenterFqdn"
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Request-VCToken

Function Get-VCVersion {
        Get the version

        The Get-VCVersion cmdlet gets the version of the vCenter Server

        This example gets the version of the vCenter Server

    Try {
        $vcenterHeader = @{"vmware-api-session-id" = "$vcToken"}
        $uri = "https://$vcenterFqdn/api/appliance/system/version"

        $response = Invoke-RestMethod -Method GET -Uri $uri -Headers $vcenterHeader
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-VCVersion

Function Get-VCConfigurationNTP {
        Get NTP configuration

        The Get-VCConfigurationNTP cmdlet gets the NTP configuration of vCenter Server

        This example gets the NTP configuration of the vCenter Server

    Try {
        $vcenterHeader = @{"vmware-api-session-id" = "$vcToken"}
        $uri = "https://$vcenterFqdn/api/appliance/ntp"

        $response = Invoke-RestMethod -Method GET -Uri $uri -Headers $vcenterHeader
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-VCConfigurationNTP

Function Get-VCConfigurationDNS {
        Get DNS configuration

        The Get-VCConfigurationDNS cmdlet gets the DNS configuration of vCenter Server

        This example gets the DNS configuration of the vCenter Server

    Try {
        $vcenterHeader = @{"vmware-api-session-id" = "$vcToken"}
        $uri = "https://$vcenterFqdn/api/appliance/networking/dns/servers"

        $response = Invoke-RestMethod -Method GET -Uri $uri -Headers $vcenterHeader
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-VCConfigurationDNS

Function Get-VCPasswordPolicy {
        Get the global password policy.

        The Get-VCPasswordPolicy cmdlet gets global password policy for the vCenter Server

        This example gets the global password policy of the vCenter Server

    Try {
        $vcenterHeader = @{"vmware-api-session-id" = "$vcToken"}
        $uri = "https://$vcenterFqdn/api/appliance/local-accounts/global-policy"

        $response = Invoke-RestMethod -Method GET -Uri $uri -Headers $vcenterHeader
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-VCPasswordPolicy

Function Set-VCPasswordPolicy {
        Set the global password policy

        The Set-VCPasswordPolicy cmdlet configures the global password policy for the vCenter Server

        Set-VCPasswordPolicy -maxDays 120 -minDays 1 -warnDays 14
        This example configures the global password policy of the vCenter Server

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$maxDays,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$minDays,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$warnDays

    Try {
        $vcenterHeader = @{"vmware-api-session-id" = "$vcToken"}
        $vcenterHeader.Add("Content-Type", "application/json")
        $uri = "https://$vcenterFqdn/api/appliance/local-accounts/global-policy"
        $body = '{ "max_days": '+$maxDays+', "min_days": '+$minDays+', "warn_days": '+$warnDays+' }'

        $response = Invoke-RestMethod -Method PUT -Uri $uri -Headers $vcenterHeader -Body $body
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Set-VCPasswordPolicy

Function Get-VCPasswordExpiry {
        Get the vcenter password expiry date.

        The Get-VCPasswordPolicy cmdlet gets password expiration settings for the vCenter Server root account

        This example gets the password policy of the vCenter Server

    Try {
        $uri = "https://$currentvCenterServer"+":5480/rest/appliance/local-accounts/root"
        $response = Invoke-RestMethod -Method GET -Uri $uri -Headers $vcAdminHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-VCPasswordExpiry

Function Set-VCPasswordExpiry {
        Set the vcenter password expiry date

        The Set-VCPasswordExpiry cmdlet configures password expiration settings for the vCenter Server root account

        Set-VCPasswordExpiry -passwordExpires $true -email "admin@rainpole.io" -maxDaysBetweenPasswordChange 91
        This example configures the configures password expiration settings for the vCenter Server root account

        Set-VCPasswordExpiry -passwordExpires $false
        This example configures the configures password expiration settings for the vCenter Server root account to never expire

    Param (
        [Parameter (Mandatory = $false, ParameterSetName = 'neverexpire')] [Parameter (Mandatory = $true, ParameterSetName = 'expire')] [ValidateNotNullOrEmpty()] [Bool]$passwordExpires,
        [Parameter (Mandatory = $true, ParameterSetName = 'expire')] [ValidateNotNullOrEmpty()] [String]$email,
        [Parameter (Mandatory = $true, ParameterSetName = 'expire')] [ValidateNotNullOrEmpty()] [String]$maxDaysBetweenPasswordChange

    Try {
        $uri = "https://$currentvCenterServer"+":5480/rest/appliance/local-accounts/root"

        if ($passwordExpires) {
            $body = '{"config":{"password_expires": "'+ $passwordExpires +'", "email": "'+ $email+ '", "max_days_between_password_change": "' + $maxDaysBetweenPasswordChange + '" }}'
        else {
            $body = '{"config":{"password_expires": "'+ $passwordExpires + '"}}'
        $response = Invoke-RestMethod -Method PATCH -Uri $uri -Headers $vcAdminHeaders -Body $body
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Set-VCPasswordExpiry

Function Add-GlobalPermission {
        Script to add vSphere Global Permission

        The Add-GlobalPermission cmdlet adds a new vSphere Global Permission

        Author: William Lam. Modified by Ken Gould to permit principal type (user or group) and Gary Blake to include
                    in this function
        Reference: http://www.virtuallyghetto.com/2017/02/automating-vsphere-global-permissions-with-powercli.html

        Add-GlobalPermission -vcServer sfo-m01-vc01.sfo.rainpole.io -username administrator@vsphewre.local -vcPassword VMware1! -user svc-vc-admins
        This example shows how to add the Administrator global permission to a user called svc-vc-admins

    Param (
        [Parameter (Mandatory = $true)] [String]$vcServer,
        [Parameter (Mandatory = $true)] [String]$vcUsername,
        [Parameter (Mandatory = $true)] [String]$vcPassword,
        [Parameter (Mandatory = $true)] [String]$user,
        [Parameter (Mandatory = $true)] [String]$roleId,
        [Parameter (Mandatory = $true)] [String]$propagate,
        [Parameter (Mandatory = $true)] [String]$type

    Try {
        $secpasswd = ConvertTo-SecureString $vcPassword -AsPlainText -Force
        $credential = New-Object System.Management.Automation.PSCredential($vcUsername, $secpasswd)
        $mob_url = "https://$vcServer/invsvc/mob3/?moid=authorizationService&method=AuthorizationService.AddGlobalAccessControlList" # vSphere MOB URL to private enableMethods

    # Ignore SSL Warnings
    add-type -TypeDefinition  @"
        using System.Net;
        using System.Security.Cryptography.X509Certificates;
        public class TrustAllCertsPolicy : ICertificatePolicy {
            public bool CheckValidationResult(
                ServicePoint srvPoint, X509Certificate certificate,
                WebRequest request, int certificateProblem) {
                return true;

    [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
        $results = Invoke-WebRequest -Uri $mob_url -SessionVariable vmware -Credential $credential -Method GET # Initial login to vSphere MOB using GET and store session using $vmware variable
        # Extract hidden vmware-session-nonce which must be included in future requests to prevent CSRF error
        # Credit to https://blog.netnerds.net/2013/07/use-powershell-to-keep-a-cookiejar-and-post-to-a-web-form/ for parsing vmware-session-nonce via Powershell
        if ($results.StatusCode -eq 200) {
            $null = $results -match 'name="vmware-session-nonce" type="hidden" value="?([^\s^"]+)"'
            $sessionnonce = $matches[1]
        else {
            Write-Error "Failed to login to vSphere MOB"
            exit 1

        $vc_user_escaped = [uri]::EscapeUriString($user) # Escape username

        # The POST data payload must include the vmware-session-nonce variable + URL-encoded
    If ($type -eq "group") {
        $body = @"

    else {
        $body = @"


        $results = Invoke-WebRequest -Uri $mob_url -WebSession $vmware -Method POST -Body $body # Second request using a POST and specifying our session from initial login + body request
        if ($results.StatusCode -eq 200) {
            Write-Verbose "Successfully added global permission for: $user"
        $mob_logout_url = "https://$vcServer/invsvc/mob3/logout" # Logout out of vSphere MOB
        $results = Invoke-WebRequest -Uri $mob_logout_url -WebSession $vmware -Method GET
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Add-GlobalPermission

Function Get-SsoPasswordPolicies {
        Get vSphere Single-Sign On password policies

        The Get-SsoPasswordPolicies cmdlet gets the vSphere Single-Sign On password policies

        Get-SsoPasswordPolicies -ssoAdminPass VMw@re1! -ssoDomain vsphere.local -vmName sfo-m01-vc01 -rootPass VMw@re1!
        This example shows how to get vSphere Single-Sign On password policies

    Param (
        [Parameter (Mandatory = $true)] [String]$ssoAdminPass,
        [Parameter (Mandatory = $true)] [String]$ssoDomain,
        [Parameter (Mandatory = $true)] [String]$vmName,
        [Parameter (Mandatory = $true)] [String]$rootPass

    Try {
        $a, $b = $ssoDomain.split(".")
        $scriptCommand = "/opt/likewise/bin/ldapsearch -h localhost -w $ssoAdminPass -x -D `"cn=Administrator,cn=Users,dc=$a,dc=$b`" -b `"cn=password and lockout policy,dc=$a,dc=$b`" | grep vmwPassword"
        $output = Invoke-VMScript -ScriptText $scriptCommand -vm $vmName -GuestUser "root" -GuestPassword $rootPass
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-SsoPasswordPolicies

Function Add-DrsVmToVmGroup {
        Creates a vSphere VM to VM Group

        The Add-DrsVmToVmGroup cmdlet creates a vSphere VM to VM Group

        Add-DrsVmToVmGroup -name vm-vm-rule-wsa-vra -vmGroup sfo-m01-vm-group-wsa -dependOnVmGroup sfo-m01-vm-group-vra -Enabled -cluster sfo-m01-cl01
        This example shows how to create a vSphere VM to VM group in the vCenter Server

    Param (
        [Parameter (Mandatory = $true)] [String]$name,
        [Parameter (Mandatory = $true)] [String]$vmGroup,
        [Parameter (Mandatory = $true)] [String]$dependOnVmGroup,
        [Parameter (Mandatory = $false)] [Switch]$enabled=$true,
        [Parameter (Mandatory = $true)] [String]$cluster

    Try {
        $updateCluster = Get-Cluster | Where-Object {$_.Name -eq $cluster}

        $spec = New-Object VMware.Vim.ClusterConfigSpecEx
        $spec.RulesSpec = New-Object VMware.Vim.ClusterRuleSpec[] (1)
        $spec.RulesSpec[0] = New-Object VMware.Vim.ClusterRuleSpec
        $spec.RulesSpec[0].Operation = 'add'
        $spec.RulesSpec[0].Info = New-Object VMware.Vim.ClusterDependencyRuleInfo
        $spec.RulesSpec[0].Info.DependsOnVmGroup = $dependOnVmGroup
        $spec.RulesSpec[0].Info.VmGroup = $vmGroup
        $spec.RulesSpec[0].Info.Name = $name
        $spec.RulesSpec[0].Info.UserCreated = $true
        $spec.RulesSpec[0].Info.Enabled = $true

        $ClusterToReconfig = Get-View -Id $updateCluster.ExtensionData.MoRef
        $ClusterToReconfig.ReconfigureComputeResource_Task($spec, $true)
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Add-DrsVmToVmGroup

Function Get-DrsVmToVmGroup {
        Gets all vSphere VM to VM Group

        The Get-DrsVmToVmGroup cmdlet retrieves the vSphere VM to VM Group

        Get-DrsVmToVmGroup -name vm-vm-rule-wsa-vra -cluster sfo-m01-cl01
        This example shows how to retrieve a vSphere VM to VM group in the vCenter Server

    Param (
        [Parameter (Mandatory = $false)] [String]$name,
        [Parameter (Mandatory = $true)] [String]$cluster

    Try {
        $getCluster = Get-Cluster | Where-Object {$_.Name -eq $cluster}
        if ($PsBoundParameters.ContainsKey("name")){
            $getCluster.ExtensionData.Configuration.Rule | Where-Object {$_.Name -eq $name}
        else {
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-DrsVmToVmGroup

################## End vSphere Functions ###################

########### Begin Workspace ONE Access Functions ###########

Function Request-WSAToken {
        Connects to the specified Workspace ONE Access instance to obtain a session token

        The Request-WSAToken cmdlet connects to the specified Workspace ONE Access instance and requests a session token

        Request-WSAToken -fqdn sfo-wsa01.sfo.rainpole.io -username admin -password VMware1!
        This example shows how to connect to a Workspace ONE Access instance and request a session token

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$fqdn,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$pass

    If ( -not $PsBoundParameters.ContainsKey("user") -or ( -not $PsBoundParameters.ContainsKey("pass"))) {
        # Request Credentials
        $creds = Get-Credential
        $user = $creds.UserName.ToString()
        $pass = $creds.GetNetworkCredential().password

    $Global:workSpaceOne = $fqdn

    # Validate credentials by executing an API call
    $wsaHeaders = @{"Content-Type" = "application/json" }
    $wsaHeaders.Add("Accept", "application/json; charset=utf-8")
    $uri = "https://$workSpaceOne/SAAS/API/1.0/REST/auth/system/login"
    $body = '{"username": "' + $user + '", "password": "' + $pass + '", "issueToken": "true"}'

    Try {
        # Checking against the API
        # PS Core has -SkipCertificateCheck implemented, PowerShell 5.x does not
        if ($PSEdition -eq 'Core') {
            $response = Invoke-RestMethod $uri -Method 'POST' -Headers $wsaHeaders -Body $body -SkipCertificateCheck
            $Global:sessionToken = "HZN " + $response.sessionToken
        else {
            $response = Invoke-RestMethod $uri -Method 'POST' -Headers $wsaHeaders -Body $body
            $Global:sessionToken = "HZN " + $response.sessionToken
        if ($response.sessionToken) {
            Write-Output "Successfully Requested New Session Token From Workspace ONE Access instance: $fqdn"
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Request-WSAToken

Function Get-WSAConnector {
        Get connectors

        The Get-WSAConnector cmdlets retrieves a list of connectors in Workspace ONE Access

        This example retrives a list of connectors in Workspace ONE Access

    Try {
        $wsaHeaders = @{"Content-Type" = "application/vnd.vmware.horizon.manager.connector.management.connector+json" }
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/connectormanagement/connectorinstances"
        $response = Invoke-RestMethod $uri -Method 'GET' -Headers $wsaHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSAConnector

Function Get-WSADirectory {
        Get diretories

        The Get-WSADirectory cmdlets retrieves all directories in Workspace ONE Access

        This example retrives a list of directories in Workspace ONE Access

    Try {
        $wsaHeaders = @{"Content-Type" = "application/vnd.vmware.horizon.manager.connector.management.directory.ad.over.ldap+json" }
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/connectormanagement/directoryconfigs"
        $response = Invoke-RestMethod $uri -Method 'GET' -Headers $wsaHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSADirectory

Function Get-WSADirectoryDomain {
        Get directory domains

        The Get-WSADirectoryDomain cmdlets retrieves a list of directory domains in Workspace ONE Access

        Get-WSADirectoryDomain -directoryId a1c985d5-0eeb-4a66-bc51-11eda9321aac
        This example retrives a list of directory domains in Workspace ONE Access

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [string]$directoryId

    Try {
        $wsaHeaders = @{"Accept" = "application/vnd.vmware.horizon.manager.connector.management.directory.domain.list+json" }
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/$directoryId/domains"
        $response = Invoke-RestMethod $uri -Method 'GET' -Headers $wsaHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSADirectoryDomain

Function Add-WSALdapDirectory {
        Create an LDAP directory

        The Add-WSALdapDirectory cmdlets creates a new LDAP Active Directory connection in Workspace ONE Access

        Add-WSALdapDirectory -domainName sfo.rainpole.io -baseDn "ou=VVD,dc=sfo,dc=rainpole,dc=io" -bindDn "cn=svc-wsa-ad,ou=VVD,dc=sfo,dc=rainpole,dc=io"
        This example creates a new LDAP Active Directory connection in Workspace ONE Access

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainName,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$baseDn,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$bindDn,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$certificate

    Try {
        $wsaHeaders = @{"Content-Type" = "application/vnd.vmware.horizon.manager.connector.management.directory.ad.over.ldap+json" }
        $wsaHeaders.Add("Accept", "application/vnd.vmware.horizon.manager.connector.management.directory.ad.over.ldap+json")
        $wsaHeaders.Add("Authorization", "$sessionToken")
        if ($PsBoundParameters.ContainsKey("certificate")){
            #read certificate file contents as certdata
            $certdata = (Get-Content ($certificate)) -join "\n"
            $body = '{
 + $domainName + '",
 + $baseDn + '",
 + $bindDn + '",
 + $certdata + '"

        else {
            $body = '{
 + $domainName + '",
 + $baseDn + '",
 + $bindDn + '"

        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/connectormanagement/directoryconfigs"
        $response = Invoke-RestMethod $uri -Method 'POST' -Headers $wsaHeaders -Body $body
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Add-WSALdapDirectory

Function Set-WSABindPassword {
        Create an LDAP directory

        The Set-WSABindPassword cmdlets creates a new LDAP Active Directory connection in Workspace ONE Access

        Set-WSABindPassword -directoryId a1c985d5-0eeb-4a66-bc51-11eda9321aac -connectorId 59ee9717-a09e-45b6-9e5f-8d92a55a1825 -password VMw@re1!
        This example creates a new LDAP Active Directory connection in Workspace ONE Access

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$directoryId,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$connectorId,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass

    Try {
        $wsaHeaders = @{"Content-Type" = "application/vnd.vmware.horizon.manager.connector.management.directory.details+json" }
        $wsaHeaders.Add("Accept", "application/vnd.vmware.horizon.manager.connector.management.connector+json")
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $body = '{"directoryId":"' + $directoryId + '","directoryBindPassword":"' + $pass + '","usedForAuthentication":true}'
        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/connectormanagement/connectorinstances/$connectorId/associatedirectory"
        $response = Invoke-RestMethod $uri -Method 'POST' -Headers $wsaHeaders -Body $body
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Set-WSABindPassword

Function Set-WSASyncSetting {
        Set directory sync schedule

        The Set-WSASyncSetting cmdlets configures the directory sync schedule in Workspace ONE Access

        Set-WSASyncSetting -directoryId a1c985d5-0eeb-4a66-bc51-11eda9321aac
        This example configures the directory sync schedule in Workspace ONE Access

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$directoryId

    Try {
        $wsaHeaders = @{"Content-Type" = "application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.syncschedule+json" }
        $wsaHeaders.Add("Accept", "application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.syncschedule+json")
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $body = '{"frequency":"fifteenMinutes"}'
        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/$directoryId/syncprofile"
        Invoke-RestMethod $uri -Method 'PUT' -Headers $wsaHeaders -Body $body
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Set-WSASyncSetting

Function Start-WSADirectorySync {
        Start an directory sync

        The Start-WSADirectorySync cmdlets triggers a directory sync in Workspace ONE Access

        Start-WSADirectorySync -directoryId a1c985d5-0eeb-4a66-bc51-11eda9321aac
        This example starts a directory sync in Workspace ONE Access

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$directoryId

    Try {
        $wsaHeaders = @{"Content-Type" = "application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.sync+json" }
        $wsaHeaders.Add("Accept", "application/vnd.vmware.horizon.v1.0+json")
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $body = '{"ignoreSafeguards":true}'
        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/$directoryId/syncprofile/sync"
        Invoke-RestMethod $uri -Method 'POST' -Headers $wsaHeaders -Body $body
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Start-WSADirectorySync

Function Set-WSADirectoryUser {
        Add users to directory

        The Set-WSADirectoryUser cmdlets configures the user/ou that should be sycncronised for Workspace ONE Access

        Set-WSADirectoryUser -directoryId a1c985d5-0eeb-4a66-bc51-11eda9321aac -json (Get-Content -Raw .\adUsers.json)
        This example configures the user/ou that should be sycncronised for Workspace ONE Access

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$directoryId,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$json

    Try {
        $wsaHeaders = @{"Content-Type" = "application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.users+json" }
        $wsaHeaders.Add("Accept", "application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.users+json")
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/$directoryId/syncprofile"
        Invoke-RestMethod $uri -Method 'PUT' -Headers $wsaHeaders -Body $json
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Set-WSADirectoryUser

Function Set-WSADirectoryGroup {
        Add groups to directory

        The Set-WSADirectoryGroup cmdlets configures the groups/ou that should be sycncronised for Workspace ONE Access

        Set-WSADirectoryUser -directoryId a1c985d5-0eeb-4a66-bc51-11eda9321aac -json (Get-Content -Raw .\adGroups.json)
        This example configures the groups/ou that should be sycncronised for Workspace ONE Access

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$directoryId,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$json

    Try {
        $wsaHeaders = @{"Content-Type" = "application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.groups+json" }
        $wsaHeaders.Add("Accept", "application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.groups+json")
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/$directoryId/syncprofile"
        $response = Invoke-RestMethod $uri -Method 'PUT' -Headers $wsaHeaders -Body $json
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Set-WSADirectoryGroup

Function Get-WSASmtpConfiguration {
        Get SMTP configuration

        The Get-WSASmtpConfiguration cmdlets retrieves the SMTP configurtion of Workspace ONE Access

        This example gets the current SMTP configuration of Workspace ONE Access

    Try {
        $wsaHeaders = @{"Accept" = "application/json, text/plain, */*" }
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/system/config/smtp"
        $response = Invoke-RestMethod $uri -Headers $wsaHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSASmtpConfiguration

Function Set-WSASmtpConfiguration {
        Set SMTP configuration

        The Set-WSASmtpConfiguration cmdlets configures the SMTP configurtion of Workspace ONE Access

        This example sets the SMTP configuration of Workspace ONE Access

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$fqdn,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$port,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$pass

    Try {
        $wsaHeaders = @{"Accept" = "application/json, text/plain, */*" }
        $wsaHeaders.Add("Content-Type", "application/vnd.vmware.horizon.manager.system.config.smtp+json")
        $wsaHeaders.Add("Authorization", "$sessionToken")
        if (-not $PsBoundParameters.ContainsKey("pass")) {
            $body = '{ "host": "' + $fqdn + '", "port": ' + $port + ', "user": "' + $user + '", "password": "' + $pass + '"}'
        else {
            $body = '{ "host": "' + $fqdn + '", "port": ' + $port + ', "user": "' + $user + '" }'
        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/system/config/smtp"
        $response = Invoke-RestMethod $uri -Method 'PUT' -Headers $wsaHeaders -Body $body
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Set-WSASmtpConfiguration

Function Set-WSARoleMember {
        Set WSA Role Member

        The Set-WSARoleMember cmdlets updates the Role with the given group

        Set-WSARoleMember -id 55048dee-fe1b-404a-936d-3e0b86a7209e -groupId fe515568-fdcd-43c7-9971-e834d7246203
        This example updates the Role with the given GroupId in Workspace ONE Access

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$id,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$groupId

    Try {
        $wsaHeaders = @{"Content-Type" = "application/json" }
        $wsaHeaders.Add("Authorization", "$sessionToken")
        if ($PsBoundParameters.ContainsKey("id")) {
            $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/scim/Roles/$id"

               $json = @"
                  "schemas": [
                  "members": [
                      "value": "$groupId",
                      "type": "Group"

            $response = Invoke-RestMethod -Method PATCH -URI $uri -ContentType application/json -body $json -headers $wsaHeaders
    Catch {
        Write-Error $_.Exception.Message

Function Get-WSARole {
        Get roles

        The Get-WSARole cmdlets retrieves the roles in Workspace ONE Access

        This example retrieves the roles in Workspace ONE Access

    Param (
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$id

    Try {
        $wsaHeaders = @{"Content-Type" = "application/json" }
        $wsaHeaders.Add("Authorization", "$sessionToken")
        if ($PsBoundParameters.ContainsKey("id")) {
            $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/scim/Roles/$id"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $wsaHeaders
        else {
            $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/scim/Roles"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $wsaHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSARole

Function Get-WSAGroup {
        Get groups

        The Get-WSAGroup cmdlets retrieves the groups in Workspace ONE Access

        This example retrieves the groups in Workspace ONE Access

    Param (
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$id

    Try {
        $wsaHeaders = @{"Content-Type" = "application/json" }
        $wsaHeaders.Add("Authorization", "$sessionToken")
        if ($PsBoundParameters.ContainsKey("id")) {
            $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/scim/Groups/$id"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $wsaHeaders
        else {
            $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/scim/Groups"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $wsaHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSAGroup

Function Get-WSAUser {
        Get users

        The Get-WSAUser cmdlets retrieves the users in Workspace ONE Access

        This example retrieves the users in Workspace ONE Access

    Param (
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$id

    Try {
        $wsaHeaders = @{"Content-Type" = "application/json" }
        $wsaHeaders.Add("Authorization", "$sessionToken")
        if ($PsBoundParameters.ContainsKey("id")) {
            $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/scim/Users/$id"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $wsaHeaders
        else {
            $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/scim/Users"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $wsaHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSAUser

Function Get-WSARuleSet {
        Get rulesets

        The Get-WSARuleSet cmdlets retrieves the rulesets in Workspace ONE Access

        This example retrieves the rulesets in Workspace ONE Access

    Try {
        $wsaHeaders = @{"Accept-Type" = "application/json, text/plain, */*" }
        $wsaHeaders.Add("Content-Type", "application/vnd.vmware.vidm.accesscontrol.ruleset.list+json")
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $uri = "https://$workSpaceOne/acs/rulesets"
        $response = Invoke-RestMethod $uri -Headers $wsaHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSARuleSet

Function Get-WSAOAuthToken {
        Get AOuth Token

        The Get-WSAOAuthToken cmdlets gets an OAuth token from Workspace ONE Access

        This example retrieves the am OAuth oken from Workspace ONE Access

    Try {
        $wsaHeaders = @{"Content-Type" = "application/x-www-form-urlencoded; charset=UTF-8" }
        $wsaHeaders.Add("Accept", "application/json, text/javascript, */*; q=0.01")
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $uri = "https://$workSpaceOne/SAAS/admin/settings/OAuthClient/generateRandomOAuthSecret"
        $response = Invoke-RestMethod $uri -Method 'POST' -Headers $wsaHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSAOAuthToken

Function Get-WSAClient {
        Get clients

        The Get-WSAClient cmdlets gets a list of clients in Workspace ONE Access

        This example retrieves all clients in Workspace ONE Access

    Param (
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$clientId

    Try {
        $wsaHeaders = @{"Content-Type" = "application/vnd.vmware.horizon.manager.oauth2client+json" }
        $wsaHeaders.Add("Authorization", "$sessionToken")
        if ($PsBoundParameters.ContainsKey("clientId")) {
            $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/oauth2clients/$clientId"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $wsaHeaders
        else {
            $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/oauth2clients"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $wsaHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSAClient

Function Add-WSAClient {
        Add a client

        The Add-WSAClient cmdlets add a client in Workspace ONE Access

        Add-WSAClient -json .\SampleJson\nsxClient.json
        This example retrieves all clients in Workspace ONE Access

    Param (
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$clientId,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$sharedSecret

    Try {
        $wsaHeaders = @{"Content-Type" = "application/vnd.vmware.horizon.manager.oauth2client+json" }
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $body = '{
            "clientId": "'
 + $clientId + '",
            "secret": "'
 + $sharedSecret + '",
            "scope": "admin",
            "authGrantTypes": "refresh_token client_credentials",
            "redirectUri": "",
            "tokenType": "Bearer",
            "tokenLength": 32,
            "accessTokenTTL": 8,
            "refreshTokenTTL": 1440,
            "refreshTokenIdleTTL": 4,
            "rememberAs": "'
 + $clientId + '",
            "displayUserGrant": false,
            "internalSystemClient": false,
            "inheritanceAllowed": true

        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/oauth2clients"
        Invoke-RestMethod $uri -Method 'POST' -Headers $wsaHeaders -body $body
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Add-WSAClient

Function Add-WSARoleAssociation {
       Add the AD group to the WSA role

       Add the AD group to the given WSA role.

       Add-WSARoleAssociation -roleId "1d0b09a1-8744-4f85-8c4f-ac104e586010" -groupId "1e942dc6-94ba-43ef-97ce-9ba34fee1609"

   Param (
       [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$roleId,
       [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$groupId

   Try {
       $wsaHeaders = @{"Content-Type" = "application/vnd.vmware.vidm.accesscontrol.ruleset.associations.bulk.request+json" }
       $wsaHeaders.Add("Authorization", "$sessionToken")
       $uri = "https://$workSpaceOne/acs/associations/rulesets/$roleId"
       $body = '{
                   "operations": [
                               "users": [],
                               "groups": [
                               "associationMethodTO": "POST"
                               "users": [],
                               "groups": [],
                               "associationMethodTO": "DELETE"

       $response = Invoke-RestMethod $uri -Method 'POST' -Headers $wsaHeaders -body $body
   Catch {
       Write-Error $_.Exception.Message
Export-ModuleMember -Function Add-WSARoleAssociation

Function Get-WSARoleId {
       Get role id for role name

       Get the role id corresponding to the given role name

       Get-WSARoleId -role "Super Admin"
       This retrieves the id for the Super Admin role

   Param (
       [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$role

   Try {
       $wsaHeaders = @{"Content-Type" = "application/json" }
       $wsaHeaders.Add("Authorization", "$sessionToken")
       $uri = "https://$workSpaceOne/acs/rulesets"
       $response = Invoke-RestMethod $uri -Method 'GET' -Headers $wsaHeaders
       $roledetails = $response.items | Where-Object {$_.name -eq $role}
   Catch {
       Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSARoleId

Function Get-WSAActiveDirectoryGroupDetail {
       Get details of the given Active Directory group

       Get details from Workspace ONE Access of the given Active Directory group

       Get-WSAActiveDirectoryGroupDetail -group "gg-wsa-admins"

   Param (
       [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$group

   Try {
       $wsaHeaders = @{"Content-Type" = "application/json" }
       $wsaHeaders.Add("Authorization", "$sessionToken")
       $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/scim/Groups/.search?locale=en"
       $body = '{
                   "attributes": "id,displayName",
                   "filter": "(displayName co \"'
 + $group + '\")"

       $response = Invoke-RestMethod $uri -Method 'POST' -Headers $wsaHeaders -body $body
   Catch {
       Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSAActiveDirectoryGroupDetail

Function Get-WSARoleAssociation {
       Get associations for the given Role Id

       Get details of associations for the given Role Id. This has details of the groups associated with a role.

       Get-WSARoleAssociation -roleId "1d0b09a1-8744-4f85-8c4f-ac104e586010"

   Param (
       [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$roleId

   Try {
       $wsaHeaders = @{"Content-Type" = "application/json" }
       $wsaHeaders.Add("Authorization", "$sessionToken")
       $uri = "https://$workSpaceOne/acs/associations/rulesets/$roleId"
       $response = Invoke-RestMethod $uri -Method 'GET' -Headers $wsaHeaders
   Catch {
       Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSARoleAssociation

Function Get-WSAPasswordLockout {
        Get password lockout policy

        Get details of the password lockout policy for Workspace ONE Access


    Try {
        $wsaHeaders = @{"Accept" = "application/vnd.vmware.horizon.manager.password.lockout+json" }
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/passwordlockoutconfig"
        $response = Invoke-RestMethod $uri -Headers $wsaHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSAPasswordLockout

Function Set-WSAPasswordLockout {
        Set password lockout policy

        Set details of the password lockout policy for Workspace ONE Access


    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$numAttempts,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$attemptInterval,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$unlockInterval

    Try {
        $wsaHeaders = @{"Accept" = "application/vnd.vmware.horizon.manager.password.lockout+json" }
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $wsaHeaders.Add("Content-Type", "application/vnd.vmware.horizon.manager.password.lockout+json")
        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/passwordlockoutconfig"
        $body = '{"numAttempts":'+$numAttempts+',"attemptInterval":'+$attemptInterval+',"unlockInterval":'+$unlockInterval+'}'
        $response = Invoke-RestMethod $uri -Method 'PUT' -Headers $wsaHeaders -Body $body
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Set-WSAPasswordLockout

 Function Get-WSAPasswordPolicy {
        Get password policy

        Get details of the password policy for Workspace ONE Access


    Try {
        $wsaHeaders = @{"Accept" = "application/vnd.vmware.horizon.manager.tenants.tenant.passwordpolicy+json" }
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/tenants/tenant/passwordpolicy"
        $response = Invoke-RestMethod $uri -Headers $wsaHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-WSAPasswordPolicy

Function Set-WSAPasswordPolicy {
        Set password lockout policy

        Set details of the password lockout policy for Workspace ONE Access

        Set-WSAPasswordPolicy -minLen 6 -minLower 0 -minUpper 0 -minDigit 0 -minSpecial 0 -history 0 -maxConsecutiveIdenticalCharacters 3 -maxPreviousPasswordCharactersReused 2 -tempPasswordTtlInHrs 167 -passwordTtlInDays 81 -notificationThresholdInDays 16 -notificationIntervalInDays 11

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$minLen,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$minLower,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$minUpper,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$minDigit,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$minSpecial,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$history,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$maxConsecutiveIdenticalCharacters,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$maxPreviousPasswordCharactersReused,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$tempPasswordTtlInHrs,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$passwordTtlInDays,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$notificationThresholdInDays,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$notificationIntervalInDays


    Try {
        $wsaHeaders = @{"Accept" = "application/vnd.vmware.horizon.manager.tenants.tenant.passwordpolicy+json" }
        $wsaHeaders.Add("Authorization", "$sessionToken")
        $wsaHeaders.Add("Content-Type", "application/vnd.vmware.horizon.manager.tenants.tenant.passwordpolicy+json")
        $uri = "https://$workSpaceOne/SAAS/jersey/manager/api/tenants/tenant/passwordpolicy"
        $passwordTtlInHours = [int]$passwordTtlInDays * 24
        $notificationThresholdInMilliSec = [int]$notificationThresholdInDays * 24 * 3600 * 1000
        $notificationIntervalInMilliSec = [int]$notificationIntervalInDays * 24 * 3600 * 1000
        $body = '{

        Write-OutPut $body
        $response = Invoke-RestMethod $uri -Method 'PUT' -Headers $wsaHeaders -Body $body
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Set-WSAPasswordPolicy

############ End Workspace ONE Access Functions ############

############ Begin NSX-T Data Center Functions #############

Function Request-NsxToken {
        Connects to the specified NSX Manager

        The Request-NsxToken cmdlet connects to the specified NSX Manager with the supplied credentials

        Request-NsxToken -fqdn sfo-w01-nsx01.sfo.rainpole.io -username admin -password VMware1!VMw@re1!
        This example shows how to connect to NSX Manager

        Get-NsxtServerDetail -fqdn sfo-vcf01.sfo.rainpole.io -username admin@local -password VMw@re1!VMw@re1! -domain sfo-w01 | Request-NsxToken
        This example shows how to connect to NSX Manager using pipeline input from Get-NsxtServerDetail

    Param (
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()][String]$fqdn,
        [Parameter (Mandatory = $false)] [String]$username,
        [Parameter (Mandatory = $false)] [String]$password,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psobject]$inputObject

    if ($inputObject) {
        $username = $inputObject.adminUser
        $password = $inputObject.adminPass
        $fqdn = $inputObject.fqdn
        $sddcManager = (Get-VCFManager).fqdn
    else {
        if (!$PsBoundParameters.ContainsKey("username") -or (!$PsBoundParameters.ContainsKey("password"))) {
            # Request Credentials
            $creds = Get-Credential
            $username = $creds.UserName.ToString()
            $password = $creds.GetNetworkCredential().password
        if (!$PsBoundParameters.ContainsKey("fqdn")) {
            $fqdn = Read-Host "NSX Manager FQDN not found, please enter a value e.g. sfo-m01-nsx01.sfo.rainpole.io"

    # Validate credentials by executing an API call
    $Global:nsxtHeaders = createBasicAuthHeader $username $password
    $Global:nsxtmanager = $fqdn
    $uri = "https://$nsxtmanager/api/v1/logical-ports"

    Try {
        # Checking against the NSX Managers API
        # PS Core has -SkipCertificateCheck implemented, PowerShell 5.x does not
        if ($PSEdition -eq 'Core') {
            $response = Invoke-RestMethod -Method GET -Uri $uri -Headers $nsxtHeaders -SkipCertificateCheck
        else {
            $response = Invoke-RestMethod -Method GET -Uri $uri -Headers $nsxtHeaders
        if ($response) {
            if ($inputObject) {
                Write-Output "Successfully Requested New API Token for NSX Manager $nsxtmanager via SDDC Manager $sddcManager"
            else {
                Write-Output "Successfully Requested New API Token for NSX Manager $nsxtmanager"
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Request-NsxToken

Function Get-NsxtComputeManager {
    Retrieves a list of compute managers from NSX Manager

    The Get-NsxtComputeManager cmdlet gets compute managers from NSX Manager

    This example gets all compute managers

    Get-NsxtComputeManager -vCenterServer "sfo-m01-vc01.sfo.rainpole.io"
    This example gets the compute manager named "sfo-m01-vc01.sfo.rainpole.io"

    Param (
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$vCenterServer

    Try {
        if (!$PsBoundParameters.ContainsKey("vCenterServer")) {
            $uri = "https://$nsxtManager/api/v1/fabric/compute-managers"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
        elseif ($PsBoundParameters.ContainsKey("vCenterServer")) {
            $uri = "https://$nsxtManager/api/v1/fabric/compute-managers"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
            $responseChecked = $response.results | Where-Object { $_.server -eq $vCenterServer }

            if (!$responseChecked) {
                Write-Output "Compute Manager $vCenterServer was not found."
            elseif ($responseChecked) {
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-NsxtComputeManager

Function Set-NsxtComputeManager {
    Configure a set of parameters on a compute manager

    The Set-NsxtComputeManager cmdlet configures a set of parameters on a compute manager

    Get-NsxtComputeManager -vCenterServer sfo-w01-vc01.sfo.rainpole.io | Set-NsxtComputeManager -EnableTrust:$true
    This example enables trust (sets OIDC provider to true) for Compute Manager sfo-w01-vc01.sfo.rainpole.io
    In this release, it is required to use pipeline input from Get-NsxtComputeManager.

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [Bool]$EnableTrust,
        [Parameter (ValueFromPipeline, Mandatory = $true)] [psObject]$inputObject

    # Validating pipeline input resource_type
    if ($inputObject.resource_type -ne "ComputeManager") {
        Write-Error "Invalid pipeline passthrough."
    elseif ($inputObject.resource_type -eq "ComputeManager") {
        $computeManagerId = $inputObject.id
        $computeManagerRevision = $inputObject._revision
        $computeManagerFqdn = $inputObject.server
        $computeManagerOriginType = $inputObject.origin_type
        $computeManagerSetAsOidcProvider = $inputObject.set_as_oidc_provider
        $computeManagerCredentialType = $inputObject.credential.credential_type
        $computeManagerCredentialThumbprint = $inputObject.credential.thumbprint

    if ($EnableTrust -eq $computeManagerSetAsOidcProvider) {
        Write-Error -Message "Compute Manager trust is already set to $EnableTrust."

    $json = @"
"_revision" : $computeManagerRevision,
"server" : "$computeManagerFqdn",
"origin_type" : "$computeManagerOriginType",
"set_as_oidc_provider" : "$EnableTrust",
"credential" :
    "credential_type" : "$computeManagerCredentialType",
    "thumbprint" : "$computeManagerCredentialThumbprint"

    Try {
        $uri = "https://$nsxtManager/api/v1/fabric/compute-managers/$computeManagerId"
        $response = Invoke-RestMethod -Method PUT -URI $uri -ContentType application/json -body $json -headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Set-NsxtComputeManager

Function Get-NsxtVidm {
        Get Identity Manager Configuration

        The Get-NsxtVidm cmdlet gets the Identity Manager Configuration

        This example gets the Identity Manager Configuration

    Try {
        $uri = "https://$nsxtManager/api/v1/node/aaa/providers/vidm"
        $response = Invoke-RestMethod $uri -Method 'GET' -Headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-NsxtVidm

Function Set-NsxtVidm {
        Set Identity Manager Configuration

        The Set-NsxtVidm cmdlet configures Identity Manager in NSX-T Manager

        This example configures the Identity Manager in NSX-T Manager

    Param (
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$wsaHostname,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$thumbprint,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$clientId,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$sharedSecret,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$nsxHostname

    Try {
        $uri = "https://$nsxtManager/api/v1/node/aaa/providers/vidm"
        $body = '{
            "lb_enable": false,
            "vidm_enable": true,
            "host_name": "'
 + $wsaHostname + '",
            "thumbprint": "'
 + $thumbprint + '",
            "client_id": "'
 + $clientId + '",
            "client_secret": "'
 + $sharedSecret + '",
            "node_host_name": "'
 + $nsxHostname + '"

        $response = Invoke-RestMethod $uri -Method 'PUT' -Headers $nsxtHeaders -body $body
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Set-NsxtVidm

Function Get-NsxtRole {
        Gets NSX-T Manager roles

        The Get-NsxtRole cmdlet gets the roles in NSX-T Manager

        This example gets all roles in NSX-T Manager

    Try {
        $uri = "https://$nsxtManager/api/v1/aaa/roles"
        $response = Invoke-RestMethod $uri -Method 'GET' -Headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-NsxtRole

Function Set-NsxtRole {
        Adds a role to a user/group

        The Set-NsxtRole cmdlet assigns users/groups to roles

        Set-NsxtRole -principle "gg-nsx-enterprise-admins@lax.rainpole.io"
        This example assigned the provided group the Enterprise Admin role

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$principal,
        [Parameter (Mandatory = $true)] [ValidateSet("remote_group", "remote_user")] [String]$type,
        [Parameter (Mandatory = $true)] [ValidateSet("lb_admin", "security_engineer", "vpn_admin", "network_op", "netx_partner_admin", "gi_partner_admin", "security_op", "network_engineer", "lb_auditor", "auditor", "enterprise_admin")] [String]$role,
        [Parameter (Mandatory = $true)] [ValidateSet("LDAP", "VIDM", "OIDC")] [String]$identitySource

    Try {
        $uri = "https://$nsxtManager/api/v1/aaa/role-bindings"
        $body = '{
            "name": "'
 + $principal + '",
            "type": "'
 + $type + '",
            "identity_source_type": "'
 + $identitySource + '",
            "roles": [
                        "role": "'
 + $role + '"

        $response = Invoke-RestMethod $uri -Method 'POST' -Headers $nsxtHeaders -Body $body
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Set-NsxtRole

Function Remove-NsxtRole {
        Delete a user/group role assignment

        The Remove-NsxtRole cmdlet removes a user/group role in NSX-T Manager

        Remove-NsxtRole -id
        This example removes the role for the user/group based on the id

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$id

    Try {
        $uri = "https://$nsxtManager/api/v1/aaa/role-bindings/$id"
        $response = Invoke-RestMethod $uri -Method 'DELETE' -Headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Remove-NsxtRole

Function Get-NsxtUser {
        Gets all users and groups

        The Get-NsxtUser cmdlet gets all users and groups in NSX-T Manager

        This example gets all users and grops in NSX-T Manager

    Try {
        $uri = "https://$nsxtManager/api/v1/aaa/role-bindings"
        $response = Invoke-RestMethod $uri -Method 'GET' -Headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-NsxtUser

Function Get-NsxtVidmUser {
        Gets vIDM users

        The Get-NsxtVidmUser cmdlet gets all vIDM users from NSX-T Manager

        Get-NsxtVidmUser -searchString svc
        This example gets all vIDM users starting with 'svc' from NSX-T Manager

    Param (
        [Parameter (Mandatory = $true)] [ValidateLength(3, 255)] [String]$searchString

    Try {
        $uri = "https://$nsxtManager/api/v1/aaa/vidm/users?search_string=$searchString"
        $response = Invoke-RestMethod $uri -Method 'GET' -Headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-NsxtVidmUser

Function Get-NsxtVidmGroup {
        Gets vIDM groups

        The Get-NsxtVidmGroup cmdlet gets all vIDM groups from NSX-T Manager

        Get-NsxtVidmGroup -searchString gg-
        This example gets all vIDM groups starting with gg- from NSX-T Manager

    Param (
        [Parameter (Mandatory = $true)] [ValidateLength(3, 255)] [String]$searchString

    Try {
        $uri = "https://$nsxtManager/api/v1/aaa/vidm/groups?search_string=$searchString"
        $response = Invoke-RestMethod $uri -Method 'GET' -Headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-NsxtVidmGroup

Function Get-NsxtEdgeCluster {
        Retrieves NSX-T Edge Cluster(s)

        The Get-NsxtEdgeCluster cmdlet retrieves NSX-T Edge Cluster(s)

        This example returns any NSX-T Edge Clusters

        Get-NsxtEdgeCluster -Name "sfo-w01-ec01"
        This example returns any NSX-T Edge Clusters

    Param (
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$Name

    Try {
        if (!$PsBoundParameters.ContainsKey("Name")) {
            $uri = "https://$nsxtmanager/api/v1/edge-clusters"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
        elseif ($PsBoundParameters.ContainsKey("Name")) {
            $uri = "https://$nsxtmanager/api/v1/edge-clusters"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
            $responseChecked = $response.results | Where-Object { $_.display_name -eq $Name }

            if (!$responseChecked) {
                Write-Output "NSX-T Edge Cluster $Name was not found."
            elseif ($responseChecked) {
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-NsxtEdgeCluster

Function Get-NsxtTransportZone {
        Get a list of Transport Zones

        The Get-NsxtTransportZone cmdlet retrieves a list of Transport Zones

        This example gets all Transport Zones

        Get-NsxtTransportZone -Name overlay-tz-sfo-w01-nsx01.sfo.rainpole.io
        This example gets the Transport Zone with the name "overlay-tz-sfo-w01-nsx01.sfo.rainpole.io"

    Param (
        [Parameter (Mandatory = $false)] [String]$Name

    Try {
        if (!$PsBoundParameters.ContainsKey("Name")) {
            $uri = "https://$nsxtManager/api/v1/transport-zones"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
            $response.results | Sort-Object display_name
        elseif ($PsBoundParameters.ContainsKey("Name")) {
            $uri = "https://$nsxtManager/api/v1/transport-zones"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
            $responseChecked = $response.results | Where-Object { $_.display_name -eq $Name }

            if (!$responseChecked) {
                Write-Output "NSX Transport Zone $Name was not found"
            elseif ($responseChecked) {
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-NsxtTransportZone

Function New-NsxtSegment {
        Create a new NSX-T Segment

        The New-NsxtSegment cmdlet creates NSX-T Segments

        New-NsxtSegment -Name "sfo-w01-xreg-seg01" -GatewayType "Tier1" -ConnectedGateway "sfo-w01-ec01-t1-gw01" -Cidr "" -TransportZone "overlay-tz-sfo-w01-nsx01.sfo.rainpole.io"
        This example creates an NSX-T Overlay Segment with the name "sfo-w01-xreg-seg01", connected to Tier-1 gateway "sfo-w01-ec01-t1-gw01", Transport Zone "overlay-tz-sfo-w01-nsx01.sfo.rainpole.io", and CIDR address of ""

    Param (
        [Parameter (Mandatory = $true)] [String]$Name,
        [Parameter (Mandatory = $false)] [String]$ConnectedGateway,
        [Parameter (Mandatory = $false)] [String]$Cidr,
        [Parameter (Mandatory = $true)] [String]$TransportZone,
        [Parameter (Mandatory = $false)] [ValidateSet("Tier0", "Tier1")] [String]$GatewayType,
        [Parameter (Mandatory = $true)] [ValidateSet("Overlay", "VLAN")] [String]$SegmentType,
        [Parameter (Mandatory = $false)] [String]$VlanId

    if ($GatewayType -eq "Tier0") {
        $connectivityPath = (Get-NsxtTier0Gateway -Name $ConnectedGateway).path
    elseif ($GatewayType -eq "Tier1") {
        $connectivityPath = (Get-NsxtTier1Gateway -Name $ConnectedGateway).path
    elseif (!$GatewayType -and $VlanId) {
        Write-Output "Valid VLAN segment configuration"
    else {
        Write-Error "Gateway type not defined"

    $transportZoneId = (Get-NsxtTransportZone -Name $TransportZone).id

    if ($SegmentType -match "overlay") {

        $json = @"
"display_name" : "$Name",
"subnets" : [{ "gateway_address" : "$Cidr" }],
"connectivity_path" : "$connectivityPath",
"transport_zone_path" : "/infra/sites/default/enforcement-points/default/transport-zones/$transportZoneId"

    elseif ($SegmentType -match "vlan") {

        $json = @"
"display_name" : "$Name",
"vlan_ids" : [ "$VlanId" ],
"transport_zone_path" : "/infra/sites/default/enforcement-points/default/transport-zones/$transportZoneId"

    else {
        Write-Error "SegmentType $SegmentType is invalid."

    Try {
        $uri = "https://$nsxtManager/policy/api/v1/infra/segments/$Name"
        $response = Invoke-RestMethod -Method PUT -URI $uri -ContentType application/json -Body $json -headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function New-NsxtSegment

Function Get-NsxtSegment {
        Get a list of Segments

        The Get-NsxtSegment cmdlet retrieves a list of Segments

        This example gets all Segments

        Get-NsxtSegment -name sfo-w01-kub-seg01
        This example gets the segment with the name sfo-w01-kub-seg01

    Param (
        [Parameter (Mandatory = $false)] [String]$name

    Try {
        if (!$PsBoundParameters.ContainsKey("name")) {
            $uri = "https://$nsxtManager/policy/api/v1/infra/segments/"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
            $response.results | Sort-Object display_name
        elseif ($PsBoundParameters.ContainsKey("name")) {
            $uri = "https://$nsxtManager/policy/api/v1/infra/segments/"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
            $response.results | Where-Object { $_.display_name -eq $name }
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-NsxtSegment

Function Remove-NsxtSegment {
        Removes a named Segment

        The Remove-NsxtSegment cmdlet removes a named segment.

        Remove-NsxtSegment -name sfo-w01-kub-seg01
        This example removes the segment with the name sfo-w01-kub-seg01

    Param (
        [Parameter (Mandatory = $false)] [String]$Name

    Try {
        $preCheckSegment = Get-NsxtSegment -Name $name -ErrorAction SilentlyContinue
    Catch {
        Write-Error $_.Exception.Message

    if ($preCheckSegment -eq "NSX segment $Name was not found") {
        Write-Error $preCheckSegment

    Try {
        $uri = "https://$nsxtManager/policy/api/v1/infra/segments/$Name"
        $response = Invoke-RestMethod -Method DELETE -URI $uri -ContentType application/json -headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message

    # Validation
    Try {
        $checkSegment = Get-NsxtSegment -Name $Name -ErrorAction SilentlyContinue
    Catch {
        Write-Error $_.Exception.Message

    if ($checkSegment -eq "NSX segment $Name was not found") {
        Write-Output "NSX-T Segment $Name has been successfully deleted."
    else {
        Write-Error -Message "NSX-T Segment $Name was not deleted. Please check the logs."
Export-ModuleMember -Function Remove-NsxtSegment

Function Get-NsxtTier0Gateway {
        Get a list of Tier 0 Gateways

        The Get-NsxtTier0 cmdlet retrieves a list of Tier 0 Gateways

        This example returns all Tier 0 Gateways

        Get-NsxtTier0Gateway -name sfo-w01-ec01-t0-gw01
        This example returns the Tier 0 Gateway named sfo-w01-ec01-t0-gw01

        Get-NsxtTier0Gateway -id 84a6c7a5-9fe8-4446-8684-814663399584
        This example returns the Tier 0 Gateway based on its id

    Param (
        [Parameter (Mandatory = $false)] [String]$name,
        [Parameter (Mandatory = $false)] [String]$id

    Try {
        if (!$PsBoundParameters.ContainsKey("name") -and !$PsBoundParameters.ContainsKey("id")) {
            $uri = "https://$nsxtmanager/policy/api/v1/infra/tier-0s"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
        elseif ($PsBoundParameters.ContainsKey("id")) {
            $uri = "https://$nsxtmanager/policy/api/v1/infra/tier-0s/$id"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
        elseif ($PsBoundParameters.ContainsKey("name")) {
            $uri = "https://$nsxtmanager/policy/api/v1/infra/tier-0s"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
            $response.results | Where-Object { $_.display_name -eq $name }
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-NsxtTier0Gateway

Function Get-NsxtTier1Gateway {
        Get a list of Tier 1 Gateways

        The Get-NsxtTier1Gateway cmdlet retrieves a list of Tier 1 Gateways

        This example returns all Tier 1 Gateways

        Get-NsxtTier1Gateway -name sfo-w01-ec01-t1-gw01
        This example returns the Tier 1 Gateway named sfo-w01-ec01-t1-gw01

        Get-NsxtTier1Gateway -id 84a6c7a5-9fe8-4446-8684-814663399584
        This example returns the Tier 1 Gateway based on its id

    Param (
        [Parameter (Mandatory = $false)] [String]$name,
        [Parameter (Mandatory = $false)] [String]$id

    Try {
        if ( -not $PsBoundParameters.ContainsKey("name")) {
            $uri = "https://$nsxtmanager/policy/api/v1/infra/tier-1s"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
        elseif ($PsBoundParameters.ContainsKey("id")) {
            $uri = "https://$nsxtmanager/policy/api/v1/infra/tier-1s/$id"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
        elseif ($PsBoundParameters.ContainsKey("name")) {
            $uri = "https://$nsxtmanager/policy/api/v1/infra/tier-1s"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
            $response.results | Where-Object { $_.display_name -eq $name }
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-NsxtTier1Gateway

Function Get-NsxtPrefixList {
        Get Tier-0 Gateway IP Prefix Lists

        The Get-NsxtTier0PrefixList cmdlet retrieves the IP Prefix Lists assigned to a Tier-0 Gateway

        Get-NsxtPrefixList -tier0Gateway sfo-w01-ec01-t0-gw01
        This example returns all IP Prefix Lists

        Get-NsxtPrefixList -name sfo-w01-cl01-prefix-list -tier0Gateway sfo-w01-ec01-t0-gw01
        This example returns the IP Prefix List based on the prefix name provided

        Get-NsxtTier0Gateway -name sfo-w01-ec01-t0-gw01 | Get-NsxtPrefixList -name sfo-w01-cl01-prefix-list
        This example returns the IP Prefix List based on the prefix name provided

    Param (
        [Parameter (Mandatory = $false)] [String]$tier0Gateway,
        [Parameter (Mandatory = $false)] [String]$name,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psObject]$inputObject

    # Validating pipeline input resource_type
    if ($inputObject -and $inputObject.resource_type -eq "Tier0") {
        $tier0Gateway = $inputObject.display_name
        $uriPath = $inputObject.path
    elseif ($inputObject -and $inputObject.resource_type -ne "Tier0") {
        Write-Error "Invalid pipeline passthrough. Exiting."
    elseif (!$inputObject -and $Tier0Gateway) {
        $uriPath = (Get-NsxtTier0Gateway -Name $Tier0Gateway).path
    else {
        if (!$tier0Gateway) {
            $tier0Gateway = Read-Host -Prompt "Tier-0 Gateway not defined. Type in the name of your Tier-0 Gateway, then press Enter"

    Try {
        if (!$name) {
            $uri = "https://$nsxtmanager/policy/api/v1"+$uriPath+"/prefix-lists"
            $response = Invoke-RestMethod -Method GET -URI $uri -headers $nsxtHeaders -ErrorAction SilentlyContinue
        elseif ($name) {
            $uri = "https://$nsxtmanager/policy/api/v1"+$uriPath+"/prefix-lists"
            $response = Invoke-RestMethod -Method GET -URI $uri -headers $nsxtHeaders -ErrorAction SilentlyContinue
            $response.results | Where-Object { $_.display_name -eq $name }
    Catch {
        if ($_.Exception -match "400" -or $_.Exception -match "Bad Request") {
            Write-Output $uri
            Write-Error "The NSX Tier-0 Gateway was not properly defined"

Export-ModuleMember -Function Get-NsxtPrefixList

Function New-NsxtPrefixList {
        Creates a Tier-0 Gateway IP Prefix List

        The New-NsxtPrefixList cmdlet creates a Prefix List on a specified Tier-0 Gateway

        New-NsxtPrefixList -Name sfo-w01-cl01-prefix-list -Tier0Gateway sfo-w01-ec01-t0-gw01
        This example creates a new IP Prefix List on a Tier 0 Gateway

    Param (
        [Parameter (Mandatory = $false)] [String]$Name,
        [Parameter (Mandatory = $false)] [String]$Tier0Gateway,
        [Parameter (Mandatory = $false)] [String]$SubnetCIDR,
        [Parameter (Mandatory = $false)] [String]$GE,
        [Parameter (Mandatory = $false)] [String]$LE,
        [Parameter (Mandatory = $false)] [ValidateSet("PERMIT", "DENY")] [String]$Action,
        [Parameter (Mandatory = $false)] [String]$Json,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psObject]$inputObject

    # Validating pipeline input resource_type
    if ($inputObject -and $inputObject.resource_type -eq "Tier0") {
        $uriPath = $inputObject.path
        $Tier0Gateway = $inputObject.display_name
    elseif ($inputObject -and $inputObject.resource_type -ne "Tier0") {
        Write-Error "Invalid pipeline passthrough. Exiting."
    elseif (!$inputObject) {
        if (!$Tier0Gateway) {
            $Tier0Gateway = Read-Host -Prompt "Tier-0 Gateway not defined. Type in the name of your Tier-0 Gateway, then press Enter"
            $uriPath = (Get-NsxtTier0Gateway -Name $Tier0Gateway).path

    if (!$json) {
        if (!$GE -or !$LE) {
            $Json = @"
    "display_name" : "$Name",
    "prefixes" :
        "network" : "$SubnetCIDR",
        "action" : "$Action"

        elseif ($GE -and $LE) {
            $Json = @"
    "display_name" : "$Name",
    "prefixes" :
        "network" : "$SubnetCIDR",
        "action" : "$Action",
        "ge" : "$GE",
        "le" : "$LE"

        else {
            Write-Error "Invalid subnet configuration."

    Try {
        $global:uri = "https://$nsxtmanager/policy/api/v1"+$uriPath+"/prefix-lists/$Name"
        $global:response = Invoke-RestMethod -Method PUT -URI $uri -ContentType application/json -body $json -headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function New-NsxtPrefixList

Function Remove-NsxtPrefixList {
        Remove an IP Prefix List from a Tier-0 Gateway

        The Remove-NsxtPrefixList cmdlet removes a IP Prefix List from a specified Tier-0 Gateway

        Remove-NsxtPrefixList -Name sfo-w01-cl01-prefix-list -Tier0Gateway sfo-w01-ec01-t0-gw01
        This example removes a Prefix List on a Tier 0 Gateway

    Param (
        [Parameter (Mandatory = $false)] [String]$Name,
        [Parameter (Mandatory = $false)] [String]$Tier0Gateway,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psObject]$inputObject

    # Validating pipeline input resource_type
    if ($inputObject -and $inputObject.resource_type -eq "Tier0") {
        $uriPath = $inputObject.path
    elseif ($inputObject -and $inputObject.resource_type -ne "Tier0") {
        Write-Error "Invalid pipeline passthrough. Exiting."
    } elseif (!$inputObject) {
        if (!$Tier0Gateway) {
            $Tier0Gateway = Read-Host -Prompt "Tier-0 Gateway not defined. Type in the name of your Tier-0 Gateway, then press Enter"
        $uriPath = (Get-NsxtTier0Gateway -Name $Tier0Gateway).path

    Try {
        $preCheckPrefixList = Get-NsxtPrefixList -Name $Name -Tier0Gateway $Tier0Gateway -ErrorAction SilentlyContinue
    Catch {
        Write-Error $_.Exception.Message

    if ($preCheckPrefixList -eq "NSX IP Prefix List $Name was not found") {
        Write-Error $preCheckPrefixList

    Try {
        $uri = "https://$nsxtmanager/policy/api/v1"+$uriPath+"/prefix-lists/$Name"
        $response = Invoke-RestMethod -Method DELETE -URI $uri -headers $nsxtHeaders -ContentType application/json
    Catch {
        Write-Error $_.Exception.Message

    # Validation
    Try {
        $checkPrefixList = Get-NsxtPrefixList -Name $Name -Tier0Gateway $Tier0Gateway -ErrorAction SilentlyContinue
    Catch {
        Write-Error $_.Exception.Message

    if ($checkPrefixList -eq "NSX IP Prefix List $Name was not found") {
        Write-Output "NSX-T PrefixList $Name has been successfully deleted."
    else {
        Write-Error -Message "NSX-T PrefixList $Name was not deleted. Please check the logs."
Export-ModuleMember -Function Remove-NsxtPrefixList

Function Add-NsxtPrefix {
        Add a single entry to an existing NSX IP Prefix List

        The Add-NsxtPrefix cmdlet adds a single entry to an existing NSX IP Prefix List

        Get-NsxtPrefixList -name sfo-w01-cl01-prefix-list | Add-NsxtPrefix -subnetCIDR -LE 32 -GE 28 -action PERMIT
        This example adds an IP Prefix entry on an existing IP Prefix List

    Param (
        [Parameter (Mandatory = $false)] [String]$prefixListName,
        [Parameter (Mandatory = $false)] [String]$tier0Gateway,
        [Parameter (Mandatory = $false)] [String]$subnetCIDR,
        [Parameter (Mandatory = $false)] [String]$GE,
        [Parameter (Mandatory = $false)] [String]$LE,
        [Parameter (Mandatory = $false)] [String]$action,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psObject]$inputObject

    if (!$inputObject -and $tier0Gateway -and $prefixListName) {
        $uriPath = (Get-NsxtTier0Gateway -Name $tier0Gateway).path
        $existingPrefixes = (Get-NsxtPrefixList -Name $prefixListName -Tier0Gateway $tier0Gateway).prefixes

    if ($inputObject -and $inputObject.resource_type -eq "PrefixList") {
        $uriPath = $inputObject.parent_path
        $Tier0GatewayId = $inputObject.parent_path.Split('/')[3]
        $PrefixListName = $inputObject.display_name
        $existingPrefixes = $inputObject.prefixes

        $getTier0Gateway = Get-NsxtTier0Gateway -name $tier0GatewayId -ErrorAction SilentlyContinue

        if ($getTier0Gateway -eq "NSX Tier-0 Gateway $tier0GatewayId was not found") {
            $tier0Gateway = (Get-NsxtTier0Gateway -Id $tier0GatewayId).display_name
        else {
            $Tier0Gateway = $Tier0GatewayId

    elseif ($inputObject -and $inputObject.resource_type -ne "PrefixList") {
        Write-Error "Invalid pipeline passthrough"

    $prefixes = @()

    $prefixes += $existingPrefixes

    if (!$GE -or !$LE) {
        $newPrefix = @{
            network = $subnetCIDR
            action  = $action
    elseif ($GE -and $LE) {
        $newPrefix = @{
            network = $subnetCIDR
            action  = $action
            ge      = $GE
            le      = $LE
    else {
        Write-Error "Invalid subnet configuration"

    $prefixes += $newPrefix
    $prefixesJson = $prefixes | ConvertTo-Json

    $json = @"
        "display_name": "$PrefixListName",
        "prefixes": $prefixesJson

    Try {
        $uri = "https://$nsxtmanager/policy/api/v1"+$uriPath+"/prefix-lists/$PrefixListName"
        $response = Invoke-RestMethod -Method PATCH -URI $uri -ContentType application/json -body $json -headers $nsxtHeaders

        if (!$response) {
            $output = Get-NsxtPrefixList -Name $PrefixListName -Tier0Gateway $Tier0Gateway
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Add-NsxtPrefix

Function Add-NsxtPrefixList {
        Add an IP Prefix List to a Route Map

        The Add-NsxtPrefixList cmdlet adds an IP Prefix List to a Route Map

        Get-NsxtPrefixList -Name sfo-w01-cl01-prefix-list | Add-NsxtPrefixList -RouteMap sfo-w01-ec01-route-map -Action PERMIT
        This example adds an IP Prefix List to a specific Route Map

    Param (
        [Parameter (Mandatory = $false)] [String]$Name,
        [Parameter (Mandatory = $false)] [String]$Tier0Gateway,
        [Parameter (Mandatory = $false)] [String]$RouteMap,
        [Parameter (Mandatory = $false)] [String]$Action,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psObject]$inputObject

    if ($inputObject) {
        $Tier0GatewayId = $inputObject.parent_path.Split('/')[3]
        $Tier0Gateway = (Get-NsxtTier0Gateway -Id $Tier0GatewayId).display_name

        if ($inputObject.resource_type -eq "Tier0RouteMap") {
            $RouteMap = $inputObject.display_name
            $existingEntries = $inputObject.entries
            $uriPath = $inputObject.parent_path
        elseif ($inputObject.resource_type -eq "PrefixList" -and $RouteMap) {
            $routeMapInput = Get-NsxtTier0Gateway -Name $Tier0Gateway | Get-NsxtRouteMap -Name $RouteMap
            $existingEntries = $routeMapInput.entries
            $uriPath = $routeMapInput.parent_path
        else {
            Write-Error "Invalid pipeline passthrough. Exiting."

    $prefixListPath = (Get-NsxtTier0Gateway -Name $Tier0Gateway | Get-NsxtPrefixList -Name $Name).path
    $prefixListPathArray = @()
    $prefixListPathArray += $prefixListPath

    $existingEntriesPrefixListMatches = $existingEntries.prefix_list_matches
    $existingPrefixListPathArray = @()
    $existingPrefixListPathArray += $existingEntriesPrefixListMatches

    $existingEntriesAction = $existingEntries.action

    $existingEntry = @{
        prefix_list_matches = $existingPrefixListPathArray
        action              = $existingEntriesAction

    $newEntry = @{
        prefix_list_matches = $prefixListPathArray
        action              = $Action

    $entries = @()
    $entries += $existingEntry
    $entries += $newEntry

    $entriesJson = $entries | ConvertTo-Json

    $json = @"
        "entries": $entriesJson

    Try {
        $uri = "https://$nsxtmanager/policy/api/v1/"+$uriPath+"/route-maps/$RouteMap"
        $response = Invoke-RestMethod -Method PUT -URI $uri -ContentType application/json -body $json -headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Add-NsxtPrefixList

Function Get-NsxtRouteMap {
        Get Tier-0 Gateway Route Maps

        The Get-NsxtRouteMap cmdlet retrieves the Route Maps assigned to a specified Tier-0 Gateway

        Get-NsxtRouteMap -tier0Gateway sfo-w01-ec01-t0-gw01
        This example gets all Route Maps on the Tier-0 Gateway

        Get-NsxtRouteMap -tier0Gateway sfo-w01-ec01-t0-gw01 -name sfo-w01-ec01-t0-gw01-routemap
        This example gets a specific route map by name from the Tier-0 Gateway

    Param (
        [Parameter (Mandatory = $true)] [String]$tier0Gateway,
        [Parameter (Mandatory = $false)] [String]$name,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psObject]$inputObject

    # Validating pipeline input resource_type
    if ($inputObject -and $inputObject.resource_type -eq "Tier0") {
        $tier0Gateway = $inputObject.display_name
        $uriPath = $inputObject.path
    elseif ($inputObject -and $inputObject.resource_type -ne "Tier0") {
        Write-Error "Invalid pipeline passthrough. Exiting."
    elseif (!$inputObject) {
        if (!$tier0Gateway) {
            Write-Output "Tier 0 Gateway: $Tier0Gateway"
            $Tier0Gateway = Read-Host -Prompt "Tier-0 Gateway not defined. Type in the name of your Tier-0 Gateway, then press Enter"
        $uriPath = (Get-NsxtTier0Gateway -Name $tier0Gateway).path

    Try {
        if (!$PsBoundParameters.ContainsKey("Name")) {
            $uri = "https://$nsxtmanager/policy/api/v1"+$uriPath+"/route-maps"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
        elseif ($PsBoundParameters.ContainsKey("Name")) {
            $uri = "https://$nsxtmanager/policy/api/v1"+$uriPath+"/route-maps"
            $response = Invoke-RestMethod -Method GET -URI $uri -ContentType application/json -headers $nsxtHeaders
            $response.results | Where-Object { $_.display_name -eq $Name }
    Catch {
        if ($_.Exception -match "400" -or $_.Exception -match "Bad Request") {
            Write-Error "The NSX Tier-0 Gateway was not properly defined."
Export-ModuleMember -Function Get-NsxtRouteMap

Function New-NsxtRouteMap {
        Creates a Route Map on a specified Tier-0 Gateway

        The New-NsxtRouteMap cmdlet creates a Route Map on a specified Tier-0 Gateway

        New-NsxtRouteMap -Name sfo-w01-cl01-route-map -Tier0Gateway sfo-w01-ec01-t0-gw01 -PrefixList sfo-w01-ec01-prefix-list
        This example creates a new Route Map on a Tier-0 Gateway

        Net-NsxtTier0Gateway sfo-w01-ec01-t0-gw01 | Get-NsxtPrefixList -Name sfo-w01-ec01-prefix-list | New-NsxtRouteMap -Name sfo-w01-cl01-route-map
        This example creates a new Route Map on a Tier-0 Gateway

    Param (
        [Parameter (Mandatory = $false)] [String]$Name,
        [Parameter (Mandatory = $false)] [String]$Tier0Gateway,
        [Parameter (Mandatory = $false)] [String]$PrefixList,
        [Parameter (Mandatory = $false)] [String]$Action,
        [Parameter (Mandatory = $false)] [String]$Json,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psObject]$inputObject

    if ($inputObject) {
        if ($inputObject.resource_type -eq "Tier0") {
            $Tier0Gateway = $inputObject.display_name
            $Tier0GatewayId = $inputObject.id
            $uriPath = $inputObject.path
        elseif ($inputObject.resource_type -eq "PrefixList") {
            $Tier0GatewayId = $inputObject.parent_path.Split('/')[3]
            $PrefixListPath = $inputObject.path
            $Tier0Gateway = (Get-NsxtTier0Gateway -Id $Tier0GatewayId).display_name
            $uriPath = $inputObject.parent_path
        else {
            Write-Error "Invalid pipeline passthrough. Exiting."
    } elseif (!$inputObject){
        $uriPath = (Get-NsxtTier0Gateway -Name $Tier0Gateway).path

    if (!$PrefixListPath) {
        $PrefixListPath = $uriPath+"/prefix-lists/"+$PrefixList

    $json = @"
    "display_name" : "$Name",
    "entries" :
        "action" : "$Action",
        "prefix_list_matches" : [ "$prefixListPath" ]

    Try {
        $uri = "https://$nsxtmanager/policy/api/v1"+$uriPath+"/route-maps/$Name"
        $response = Invoke-RestMethod -Method PUT -URI $uri -ContentType application/json -body $json -headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function New-NsxtRouteMap

Function Remove-NsxtRouteMap {
        Remove a Route Map from a specified Tier-0 Gateway

        The Remove-NsxtRouteMap cmdlet removes a Route Map attached to a specified Tier-0 Gateway

        Remove-NsxtRouteMap -name sfo-w01-ec01-t0-gw01-routemap -tier0Gateway sfo-w01-ec01-t0-gw01
        This example removes the Route Map sfo-w01-ec01-t0-gw01-routemap from Tier-0 Gateway sfo-w01-ec01-t0-gw01

    Param (
        [Parameter (Mandatory = $false)] [String]$name,
        [Parameter (Mandatory = $false)] [String]$tier0Gateway,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psObject]$inputObject

    if ($inputObject) {
        if ($inputObject.resource_type -eq "Tier0RouteMap") {
            $Name = $inputObject.display_name
            $Tier0GatewayId = $inputObject.parent_path.Split('/')[3]
            $Tier0Gateway = (Get-NsxtTier0Gateway -Id $Tier0GatewayId).display_name
            $uriPath = $inputObject.parent_path
        elseif ($inputObject.resource_type -eq "Tier0" -and $Name -and !$Tier0Gateway) {
            $Tier0GatewayId = $inputObject.id
            $Tier0Gateway = $inputObject.display_name
            $uriPath = $inputObject.path
        else {
            Write-output $inputObject.resource_type
            Write-Error "Invalid pipeline passthrough. Exiting."
    elseif (!$inputObject) {
        if (!$tier0Gateway) {
            $tier0Gateway = Read-Host -Prompt "Tier-0 Gateway not defined. Type in the name of your Tier-0 Gateway, then press Enter"
        $uriPath = (Get-NsxtTier0Gateway -Name $Tier0Gateway).path

    Try {
        $preCheckRouteMap = Get-NsxtRouteMap -name $Name -tier0Gateway $Tier0Gateway -ErrorAction SilentlyContinue
    Catch {
        Write-Error $_.Exception.Message

    if ($preCheckRouteMap -eq "NSX-T RouteMap $Name was not found.") {
        Write-Error $preCheckRouteMap

    # Check if the route map is applied to the route redistribution configuration
    Try {
        $getRouteRedistribution = Get-NsxtRouteRedistributionPolicy -tier0Gateway $tier0Gateway
        if ($getRouteRedistribution.route_redistribution_config.redistribution_rules.route_map_path -eq $preCheckRouteMap.path) {
            $getRouteRedistribution | Set-NsxtRouteRedistributionPolicy -tier0Gateway $tier0Gateway -RemoveRouteMap:$True | Out-Null
    Catch {
        Write-Error $_.Exception.Message

    Try {
        $uri = "https://$nsxtmanager/policy/api/v1"+$uriPath+"/route-maps/$name"
        $response = Invoke-RestMethod -Method DELETE -URI $uri -headers $nsxtHeaders -ContentType application/json
    Catch {
        Write-Error $_.Exception.Message

    # Validation
    Try {
        $checkRouteMap = Get-NsxtRouteMap -Name $Name -Tier0Gateway $Tier0Gateway -ErrorAction SilentlyContinue
    Catch {
        Write-Error $_.Exception.Message

    if ($checkRouteMap -eq "NSX-T RouteMap $Name was not found.") {
        Write-Output "NSX-T RouteMap $Name has been successfully deleted."
    else {
        Write-Error -Message "NSX-T RouteMap $Name was not deleted. Please check the logs."
Export-ModuleMember -Function Remove-NsxtRouteMap

Function Get-NsxtRouteRedistributionPolicy {
        Get the route redistribution policy from a Tier-0 Gateway

        The Get-NsxtRouteRedistributionPolicy cmdlet get the route redistribution policy from a Tier-0 Gateway

        Get-NsxtRouteRedistributionPolicy -tier0Gateway sfo-w01-ec01-t0-gw01
        This example returns the route redistribution policy for Tier-0 Gateway sfo-w01-ec01-t0-gw01

    Param (
        [Parameter (Mandatory = $false)] [String]$tier0Gateway,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psObject]$inputObject

    if ($inputObject -and $inputObject.resource_type -eq "Tier0") {
        $Tier0Gateway = $inputObject.display_name
        $uriPath = $inputObject.path
    elseif ($inputObject -and $inputObject.resource_type -ne "Tier0") {
        Write-Error "Invalid pipeline passthrough. Exiting."
    elseif (!$inputObject) {
        if (!$Tier0Gateway) {
            $Tier0Gateway = Read-Host -Prompt "Tier-0 Gateway not defined. Type in the name of your Tier-0 Gateway, then press Enter"
        $uriPath = (Get-NsxtTier0Gateway -Name $Tier0Gateway).path

    Try {
        $uri = "https://$nsxtmanager/policy/api/v1"+$uriPath+"/locale-services/default"
        $response = Invoke-RestMethod -Method GET -URI $uri -headers $nsxtHeaders -ContentType application/json
    Catch {
        Write-Error $_.Exception.Message

Export-ModuleMember Get-NsxtRouteRedistributionPolicy

Function Set-NsxtRouteRedistributionPolicy {
        Set the route redistriution policy for a Tier 0 Gateway

        The Set-NsxtRouteRedistributionPolicy cmdlet sets the route redistriution policy for a Tier 0 Gateway

        Get-NsxtRouteRedistributionPolicy -tier0Gateway "sfo-w01-ec01-t0-gw01" | Set-NsxtRouteRedistributionPolicy -RouteMap "sfo-w01-ec01-t0-gw01-routemap"
        This example sets the RouteMap "sfo-w01-ec01-t0-gw01-routemap" on the route redistribution policy for Tier-0 Gateway "sfo-w01-t0-ec01-t0-gw01"

    Param (
        [Parameter (Mandatory = $false)] [String]$tier0Gateway,
        [Parameter (Mandatory = $false)] [String]$routeMap,
        [Parameter (Mandatory = $false)] [Bool]$removeRouteMap,
        [Parameter (ValueFromPipeline, Mandatory = $true)] [psObject]$inputObject

    if ($inputObject -and $inputObject.resource_type -eq "LocaleServices") {
        $Tier0GatewayId = $inputObject.parent_path.Split('/')[3]
        $Tier0Gateway = (Get-NsxtTier0Gateway -Id $Tier0GatewayId).display_name
        $edgeClusterPath = $inputObject.edge_cluster_path
        $bgpEnabled = $inputObject.route_redistribution_config.bgp_enabled
        $routeRedistributionName = $inputObject.route_redistribution_config.redistribution_rules.name
        $routeRedistributionTypes = $inputObject.route_redistribution_config.redistribution_rules.route_redistribution_types
        $uriPath = $inputObject.parent_path
    elseif ($inputObject -and $inputObject.resource_type -ne "LocaleServices") {
        Write-Error "Invalid pipeline passthrough. Exiting."

    if (!$inputObject) {
        if (!$Tier0Gateway) {
            $Tier0Gateway = Read-Host -Prompt "Tier-0 Gateway not defined. Type in the name of your Tier-0 Gateway, then press Enter"

        $getRedistributionPolicy = Get-NsxtTier0Gateway -Name $Tier0Gateway

        $edgeClusterPath = $getRedistributionPolicy.edge_cluster_path
        $bgpEnabled = $getRedistributionPolicy.route_redistribution_config.bgp_enabled
        $routeRedistributionName = $getRedistributionPolicy.route_redistribution_config.redistribution_rules.name
        $routeRedistributionTypes = $getRedistributionPolicy.route_redistribution_config.redistribution_rules.route_redistribution_types
        $uriPath = (Get-NsxtTier0Gateway -Name $Tier0Gateway).path

    $routeMapPath = "/infra/tier-0s/$Tier0GatewayId/route-maps/$RouteMap"

    foreach ($routeRedistributionType in $routeRedistributionTypes) {
        $routeRedistributionTypeString += @"


    $routeRedistributionTypeString = $routeRedistributionTypeString.Substring(0, $routeRedistributionTypeString.Length - 1)

    if ($RemoveRouteMap -eq $true) {
        $json = @"
    "edge_cluster_path" : "$edgeClusterPath",
    "route_redistribution_config" :
        "bgp_enabled" : "$bgpEnabled",
        "redistribution_rules" :
            "name" : "$routeRedistributionName",
            "route_redistribution_types" : [ $routeRedistributionTypeString ]

    elseif ($RemoveRouteMap -eq $false -or !$RemoveRouteMap) {
        $json = @"
    "edge_cluster_path" : "$edgeClusterPath",
    "route_redistribution_config" :
        "bgp_enabled" : "$bgpEnabled",
        "redistribution_rules" :
            "name" : "$routeRedistributionName",
            "route_redistribution_types" : [ $routeRedistributionTypeString ],
            "route_map_path" : "$routeMapPath"


    Try {
        $uri = "https://$nsxtmanager/policy/api/v1"+$uriPath+"/locale-services/default"
        $response = Invoke-RestMethod -Method PATCH -URI $uri -headers $nsxtHeaders -ContentType application/json -body $json

        if (!$response) {
            $output = Get-NsxtRouteRedistributionPolicy -Tier0Gateway $Tier0Gateway
    Catch {
        Write-Error $_.Exception.Message

Export-ModuleMember Set-NsxtRouteRedistributionPolicy

Function Get-NsxtManagerAuthPolicy {
        Get the Authentication Policy for NSX Manager Nodes

        The Get-NsxtManagerAuthPolicy cmdlet getss the current authentication policy for NSX Manager Node

        Get-NsxtManagerAuthPolicy -nsxtManagerNode "sfo-m01-nsx01a.sfo.rainpole.io"
        This example returns the current Authentication policy in NSX manager node sfo-m01-nsx01a.sfo.rainpole.io

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$nsxtManagerNode

    Try {
        $requestingURL = "https://" + $nsxtManagerNode + "/api/v1/node/aaa/auth-policy"
        $response = Invoke-RestMethod -Method GET -URI $requestingURL -ContentType application/json -headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember Get-NsxtManagerAuthPolicy

Function Set-NsxtManagerAuthPolicy {
        Set the Authentication Policy for NSX Manager Node

        The Set-NsxtManagerAuthPolicy cmdlet configures the authentication policy for NSX Manager Node

        Set-NsxManagerAuthPolicy -nsxtManagerNode "sfo-m01-nsx01a.sfo.rainpole.io" -api_lockout_period 900 -api_reset_period 120 -api_max_attempt 5 -cli_lockout_period 900 -cli_max_attempt 5 -min_passwd_length 15
        This example customized the Authentication policy in NSX manager node sfo-m01-nsx01a.sfo.rainpole.io.

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$nsxtManagerNode,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$api_lockout_period,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$api_reset_period,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$api_max_attempt,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$cli_lockout_period,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$cli_max_attempt,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$min_passwd_length

    $authPolicyBody = @{}
    if ($PsBoundParameters.ContainsKey("api_lockout_period")) {
        $authPolicyBody+= @{api_failed_auth_lockout_period = $api_lockout_period}
    if ($PsBoundParameters.ContainsKey("api_reset_period")) {
        $authPolicyBody += @{api_failed_auth_reset_period = $api_reset_period}
    if ($PsBoundParameters.ContainsKey("api_max_attempt")) {
        $authPolicyBody += @{api_max_auth_failures = $api_max_attempt}
    if ($PsBoundParameters.ContainsKey("cli_lockout_period")) {
        $authPolicyBody += @{cli_failed_auth_lockout_period = $cli_lockout_period}
    if ($PsBoundParameters.ContainsKey("cli_max_attempt")) {
        $authPolicyBody += @{cli_max_auth_failures = $cli_max_attempt}
    if ($PsBoundParameters.ContainsKey("min_passwd_length")) {
        $authPolicyBody += @{minimum_password_length = $min_passwd_length}

    Try {
        $requestingURL = "https://" + $nsxtManagerNode + "/api/v1/node/aaa/auth-policy"
        $response = Invoke-RestMethod -Method PUT -URI $requestingURL -ContentType application/json -headers $nsxtHeaders -Body ($authPolicyBody | ConvertTo-Json)
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember Set-NsxtManagerAuthPolicy

Function Get-NsxtEdgeNodeAuthPolicy {
        Get the Authentication Policy for NSX Edge Nodes

        The Get-NsxtEdgeNodeAuthPolicy cmdlet getss the authentication policy for NSX Edge Nodes

        Get-NsxtEdgeNodeAuthPolicy -nsxtManagerNode "sfo-m01-nsx01a.sfo.rainpole.io"
        This example returns the password policy in NSX manager node sfo-m01-nsx01a.sfo.rainpole.io

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$nsxtManager,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$nsxtEdgeNodeID

    Try {
        $requestingURL = "https://" + $nsxtManager + "/api/v1/transport-nodes/" + $nsxtEdgeNodeID + "/node/aaa/auth-policy"
        $response = Invoke-RestMethod -Method GET -URI $requestingURL -ContentType application/json -headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember Get-NsxtEdgeNodeAuthPolicy

Function Set-NsxtEdgeNodeAuthPolicy {
        Set the Authentication Policy for NSX Manager Nodes

        The Set-NsxtManagerAuthPolicy cmdlet getss the authentication policy for NSX Manager Nodes

        Set-NsxManagerAuthPolicy -nsxtManagerNode "sfo-m01-nsx01a.sfo.rainpole.io" -api_lockout_period 900 -api_reset_period 120 -api_max_attempt 5 -cli_lockout_period 900 -cli_max_attempt 5 -min_passwd_length 15
        This example customized the password policy in NSX manager node sfo-m01-nsx01a.sfo.rainpole.io.

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$nsxtManager,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$nsxtEdgeNodeID,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$cli_lockout_period,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$cli_max_attempt,
        [Parameter (Mandatory = $false)] [ValidateRange(1, [int]::MaxValue)] [int]$min_passwd_length

    $authPolicyBody = @{}
    if ($PsBoundParameters.ContainsKey("cli_lockout_period")) {
        $authPolicyBody += @{cli_failed_auth_lockout_period = $cli_lockout_period}
    if ($PsBoundParameters.ContainsKey("cli_max_attempt")) {
        $authPolicyBody += @{cli_max_auth_failures = $cli_max_attempt}
    if ($PsBoundParameters.ContainsKey("min_passwd_length")) {
        $authPolicyBody += @{minimum_password_length = $min_passwd_length}

    Try {
        $requestingURL = "https://" + $nsxtManager + "/api/v1/transport-nodes/" + $nsxtEdgeNodeID + "/node/aaa/auth-policy"
        $response = Invoke-RestMethod -Method PUT -URI $requestingURL -ContentType application/json -headers $nsxtHeaders -Body ($authPolicyBody | ConvertTo-Json)
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember Set-NsxtEdgeNodeAuthPolicy

Function Get-NsxtSyslogStatus {
        Gets the status of the Syslog Service

        The Get-NsxtSyslogStatus cmdlet gets the status of the Syslog Service for NSX-T Data Center components

        Get-NsxtSyslogStatus -type node
        This example gets the status of the syslog service for NSX Manager node

        Get-NsxtSyslogStatus -type transport -id f3bd5bf0-23cd-4c6f-8de5-ab065f74d7fe
        This example gets the status of the syslog service for NSX Edge node

    Param (
        [Parameter (ParameterSetName = 'node', Mandatory = $true)] [ValidateNotNullOrEmpty()] [Switch]$node,
        [Parameter (ParameterSetName = 'transport', Mandatory = $true)] [ValidateNotNullOrEmpty()] [Switch]$transport,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$id

    Try {
        if ($PsBoundParameters.ContainsKey("node")) {
            $uri = "https://$nsxtManager/api/v1/node/services/syslog/status"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $nsxtHeaders
        if ($PsBoundParameters.ContainsKey("transport")) {
            $uri = "https://$nsxtManager/api/v1/transport-nodes/$id/node/services/syslog/status"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-NsxtSyslogStatus

Function Get-NsxtSyslogExporter {
        Gets Syslog exporters

        The Get-NsxtSyslogExporter cmdlet gets the Syslog exporters configures for NSX-T Data Center components

        Get-NsxtSyslogExporter -node
        This example gets the configuration of the syslog exporters for NSX Manager node

        Get-NsxtSyslogExporter -transport -id f3bd5bf0-23cd-4c6f-8de5-ab065f74d7fe
        This example gets the configuration of the syslog exporters for NSX Edge node

    Param (
        [Parameter (ParameterSetName = 'node', Mandatory = $true)] [ValidateNotNullOrEmpty()] [Switch]$node,
        [Parameter (ParameterSetName = 'transport', Mandatory = $true)] [ValidateNotNullOrEmpty()] [Switch]$transport,
        [Parameter (ParameterSetName = 'transport', Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$id

    Try {
        if ($PsBoundParameters.ContainsKey("node")) {
            $uri = "https://$nsxtManager/api/v1/node/services/syslog/exporters"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $nsxtHeaders
        if ($PsBoundParameters.ContainsKey("transport")) {
            $uri = "https://$nsxtManager/api/v1/transport-nodes/$id/node/services/syslog/exporters"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-NsxtSyslogExporter

Function Set-NsxtSyslogExporter {
        Sets Syslog exporters

        The Set-NsxtSyslogExporter cmdlet Sets the Syslog exporters configures for NSX-T Data Center components

        Set-NsxtSyslogExporter -node -exporterName Syslog1 -logLevel INFO -port 514 -protocol TCP -server sfo-vrli01.sfo.rainpole.io
        This example gets the status of the syslog service for NSX Manager node

        Set-NsxtSyslogExporter -transport -id f3bd5bf0-23cd-4c6f-8de5-ab065f74d7fe -exporterName Syslog1 -logLevel INFO -port 514 -protocol TCP -server sfo-vrli01.sfo.rainpole.io
        This example gets the status of the syslog service for NSX Edge node

    Param (
        [Parameter ( ParameterSetName = 'node', Mandatory = $true)] [ValidateNotNullOrEmpty()] [Switch]$node,
        [Parameter ( ParameterSetName = 'transport', Mandatory = $true)] [ValidateNotNullOrEmpty()] [Switch]$transport,
        [Parameter ( ParameterSetName = 'transport', Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$id,
        [Parameter ( Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$exporterName,
        [Parameter ( Mandatory = $true)] [ValidateSet("EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG")]  [String]$logLevel,
        [Parameter ( Mandatory = $true)] [ValidateNotNullOrEmpty()] [Int]$port,
        [Parameter ( Mandatory = $true)] [ValidateSet("TCP", "TLS", "UDP", "LI", "LI-TLS")] [String]$protocol,
        [Parameter ( Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server

      Try {
        $json = '{
            "exporter_name": "'
 + $exporterName + '",
            "level": "'
 + $logLevel + '",
            "port": '
 + $port + ',
            "protocol": "'
 + $protocol + '",
            "server": "'
 + $server + '"

        if ($PsBoundParameters.ContainsKey("node")) {
            $uri = "https://$nsxtManager/api/v1/node/services/syslog/exporters"
            $response = Invoke-RestMethod $uri -Method 'POST' -Headers $nsxtHeaders -ContentType application/json -body $json
        if ($PsBoundParameters.ContainsKey("transport")) {
            $uri = "https://$nsxtManager/api/v1/transport-nodes/$id/node/services/syslog/exporters"
            $response = Invoke-RestMethod $uri -Method 'POST' -Headers $nsxtHeaders -ContentType application/json -body $json
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Set-NsxtSyslogExporter

Function Remove-NsxtSyslogExporter {
        Delete Syslog exporters

        The Remove-NsxtSyslogExporter cmdlet deletes the Syslog exporters for NSX-T Data Center components

        Remove-NsxtSyslogExporter -node -exporterName Syslog1
        This example deletes the syslog exporters for NSX Manager node

        Remove-NsxtSyslogExporter -transport -id f3bd5bf0-23cd-4c6f-8de5-ab065f74d7fe -exporterName Syslog1
        This example deletes the syslog exporters for for NSX Edge node

    Param (
        [Parameter (ParameterSetName = 'node', Mandatory = $true)] [ValidateNotNullOrEmpty()] [Switch]$node,
        [Parameter (ParameterSetName = 'transport', Mandatory = $true)] [ValidateNotNullOrEmpty()] [Switch]$transport,
        [Parameter (ParameterSetName = 'transport', Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$id,
        [Parameter ( Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$exporterName

    Try {
        if ($PsBoundParameters.ContainsKey("node")) {
            $uri = "https://$nsxtManager/api/v1/node/services/syslog/exporters/$exporterName"
            $response = Invoke-RestMethod $uri -Method 'DELETE' -Headers $nsxtHeaders
        if ($PsBoundParameters.ContainsKey("transport")) {
            $uri = "https://$nsxtManager/api/v1/transport-nodes/$id/node/services/syslog/exporters/$exporterName"
            $response = Invoke-RestMethod $uri -Method 'DELETE' -Headers $nsxtHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Remove-NsxtSyslogExporter

################## End NSX-T Functions #######################

############ Begin vSphere with Tanzu Functions ##############

Function Request-vSphereApiToken {
        Request an authentication token for the vSphere REST API

        The Request-vSphereApiToken cmdlet requests an authentication token for the vSphere REST API

        use -admin to set the Admin token for vCenter Server Management Interface
        Request-vSphereApiToken -Fqdn sfo-w01-vc01.sfo.rainpole.io -Username administrator@vsphere.local -Password VMw@re1!
        This example requests a vSphere REST API authentication token for user administrator@vsphere.local from vCenter Server sfo-w01-vc01.sfo.rainpole.io

        Get-vCenterServerDetail -Server sfo-vcf01.sfo.rainpole.io -User administrator@vsphere.local -Pass VMw@re1! -Domain sfo-w01 | Request-vSphereApiToken
        This example requests a vSphere REST API authentication token for user administrator@vsphere.local from the vCenter Server that manages VI workload domain sfo-w01

    Param (
        [Parameter (Mandatory = $false)] [String]$Fqdn,
        [Parameter (Mandatory = $false)] [String]$Username,
        [Parameter (Mandatory = $false)] [String]$Password,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psobject]$inputObject,
        [Parameter (Mandatory = $false)] [switch]$admin

    if ($inputObject) {
        $username = $inputObject.ssoAdmin
        $password = $inputObject.ssoAdminPass
        $fqdn = $inputObject.fqdn
        $sddcManager = (Get-VCFManager).fqdn
    else {
        if (!$PsBoundParameters.ContainsKey("username") -or (!$PsBoundParameters.ContainsKey("password"))) {
            # Request Credentials
            $creds = Get-Credential
            $username = $creds.UserName.ToString()
            $password = $creds.GetNetworkCredential().password
        if (!$PsBoundParameters.ContainsKey("fqdn")) {
            $fqdn = Read-Host "vCenter Server FQDN not found. Please enter a value, e.g., sfo-m01-vc01.sfo.rainpole.io"
    $vcAuthHeaders = createvCenterAuthHeader($username, $password)

    # Perform the vCenter REST API call to authenticate and retrieve the session token
    Try {
        if ($admin){
            $tmp = $fqdn
            $fqdn = $fqdn + ":5480"
            $vcAdminSession = (Invoke-WebRequest -Method POST -URI https://$fqdn/rest/com/vmware/cis/session -Headers $vcAuthHeaders | ConvertFrom-Json).Value
            $fqdn = $tmp
        $vcSession = (Invoke-WebRequest -Method POST -URI https://$fqdn/rest/com/vmware/cis/session -Headers $vcAuthHeaders | ConvertFrom-Json).Value
    Catch {
        Write-Error -Message "Something went wrong with vCenter Server authentication."

    # Use the session token to build the header used from here on
    $Global:vcHeaders = @{"vmware-api-session-id" = $vcSession }
    $Global:vcHeaders.Add("Content-Type", "application/json")

    # Use the session token to build the header for admin interface used from here on
    if ($admin){
        $Global:vcAdminHeaders = @{"vmware-api-session-id" = $vcAdminSession }
        $Global:vcAdminHeaders.Add("Content-Type", "application/json")

    # Validate credentials by executing an API call
    $Global:currentvCenterServer = $Fqdn

    $newUri = "https://$fqdn/api/appliance/system/version"
    $oldUri = "https://$fqdn/rest/appliance/system/version"

    Try {
        # Checking against the vCenter API
        # PS Core has -SkipCertificateCheck implemented, PowerShell 5.x does not
        if ($PSEdition -eq 'Core') {
            Try {
                $response = Invoke-RestMethod -Method GET -Uri $newUri -Headers $vcHeaders -SkipCertificateCheck
                if ($response) {
                    $responseSplit = $response.version.Split(".")
                    $global:vCenterApi = $responseSplit[0..2] -join ""
            Catch {
                $errorStatus = $_.Exception.Response.StatusCode
            if ($errorStatus -eq "NotFound") {
                $response = Invoke-RestMethod -Method GET -Uri $oldUri -Headers $vcHeaders -SkipCertificateCheck
                $responseSplit = $response.value.version.Split(".")
                $global:vCenterApi = $responseSplit[0..2] -join ""
        else {
            Try {
                $response = Invoke-RestMethod -Method GET -Uri $newUri -Headers $vcHeaders

                if ($response) {
                    $responseSplit = $response.version.Split(".")
                    $global:vCenterApi = $responseSplit[0..2] -join ""
            Catch {
                $errorStatus = $_.Exception.Response.StatusCode

            if ($errorStatus -eq "NotFound") {
                $response = Invoke-RestMethod -Method GET -Uri $oldUri -Headers $vcHeaders
                $responseSplit = $response.value.version.Split(".")
                $global:vCenterApi = $responseSplit[0..2] -join ""
        if ($response) {
            if ($inputObject) {
                Write-Output "Successfully Requested New API Token for vCenter Server $fqdn via SDDC Manager $sddcManager"
            else {
                Write-Output "Successfully Requested New API Token for vCenter Server $fqdn"
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Request-vSphereApiToken

Function Enable-WMRegistry {
        Enable the embedded Harbor Registry on a Supervisor Cluster

        The Enable-WMRegistry cmdlet enables the embedded Harbor Registry on a Supervisor Cluster

        Enable-WMRegistry -Cluster "sfo-w01-cl01" -StoragePolicy "vsphere-with-tanzu-policy"
        This example enables the embedded Harbor Registry on Supervisor Cluster "sfo-w01-cl01"

        Get-WMCluster -Cluster "sfo-w01-cl01" | Enable-WMRegistry
        This example enables the embedded Harbor Registry on Supervisor Cluster "sfo-w01-cl01" via pipeline from Get-WMCluster with the default image storage policy for the Supervisor Cluster

    Param (
        [Parameter (Mandatory = $false)] [String]$Domain,
        [Parameter (Mandatory = $false)] [String]$Cluster,
        [Parameter (Mandatory = $false)] [String]$StoragePolicy,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psObject]$inputObject

    $vCenterFqdn = $currentvCenterServer

    if ($inputObject) {
        $Cluster = $inputObject.Name

    Try {
        if ($vCenterApi -le 701) {
            $getHarborInstalled = (Invoke-RestMethod -Method GET -URI https://$vCenterFqdn/rest/vcenter/content/registries/harbor -Headers $vcHeaders).value
        elseif ($vCenterApi -ge 702) {
            $getHarborInstalled = Invoke-RestMethod -Method GET -URI https://$vCenterFqdn/api/vcenter/content/registries/harbor -Headers $vcHeaders
    Catch {
        Write-Error = $_.Exception

    if (!$getHarborInstalled) {
        Try {
            $wmClusterId = (Invoke-RestMethod -Method GET -URI  https://$vCenterFqdn/api/vcenter/namespace-management/clusters -Headers $vcHeaders | Where-Object { $_.cluster_name -eq $Cluster }).cluster
        Catch {
            Write-Error $_.Exception.Message

        if (!$StoragePolicy) {
            Try {
                $storagePolicyId = (Invoke-RestMethod -Method GET -URI  https://$vCenterFqdn/api/vcenter/namespace-management/clusters/$wmClusterId -Headers $vcHeaders).image_storage.storage_policy
            Catch {
                Write-Error $_.Exception.Message
        elseif ($StoragePolicy) {
            Try {
                if ($vCenterApi -ge 702) {
                    $storagePolicyId = ((Invoke-WebRequest -Method GET -URI https://$vCenterFqdn/api/vcenter/storage/policies -Headers $vcHeaders | ConvertFrom-Json) | Where-Object { $_.name -eq $StoragePolicy }).policy
                    $json = @"
    "cluster" : "$wmClusterId",
    "storage" :
            "policy" : "$storagePolicyId"

                elseif ($vCenterApi -le 701) {
                    $storagePolicyId = ((Invoke-WebRequest -Method GET -URI https://$vCenterFqdn/rest/vcenter/storage/policies -Headers $vcHeaders | ConvertFrom-Json).value | Where-Object { $_.name -eq $StoragePolicy }).policy
                    $json = @"
    "spec" :
        "cluster" : "$wmClusterId",
        "storage" :
                "policy" : "$storagePolicyId"

            Catch {
                Write-Error $_.Exception.Message
    # Send a REST API call to vCenter Server to instantiate the new Harbor registry
        if ($vCenterApi -le 701) {
            Try {
                $installHarbor = Invoke-RestMethod -Method POST -URI https://$vCenterFqdn/rest/vcenter/content/registries/harbor -Headers $vcHeaders -Body $json -ContentType application/json
            Catch {
                Write-Error $_.Exception.Message

            if ($installHarbor) {
                $installHarborValue = $installHarbor.value
                Write-Output "Embedded registry $installHarborValue deployment successfully started on Supervisor Cluster $Cluster"
        elseif ($vCenterApi -ge 702) {
            Try {
                $installHarbor = Invoke-RestMethod -Method POST -URI https://$vCenterFqdn/api/vcenter/content/registries/harbor -Headers $vcHeaders -Body $json -ContentType application/json
            Catch {
                Write-Error $_.Exception.Message

            if ($installHarbor) {
                Write-Output "Embedded registry $installHarbor deployment successfully started on Supervisor Cluster $Cluster"
Export-ModuleMember -Function Enable-WMRegistry

Function Get-WMRegistry {
        Retrieves the embedded Harbor Registry on a Supervisor Cluster

        The Get-WMRegistry cmdlet retrieves the embedded Harbor Registry on a Supervisor Cluster

        This example retrieves all embedded Harbor Registries in vCenter Server inventory

        Get-WMRegistry -Cluster "sfo-w01-cl01"
        This example enables the embedded Harbor Registry on Supervisor Cluster "sfo-w01-cl01"

        Get-WMCluster -Cluster "sfo-w01-cl01" | Get-WMRegistry
        This example enables the embedded Harbor Registry on Supervisor Cluster "sfo-w01-cl01" via pipeline from Get-WMCluster

    Param (
        [Parameter (Mandatory = $false)] [String]$Cluster,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psObject]$inputObject

    $vCenterFqdn = $currentvCenterServer

    if ($inputObject) {
        $Cluster = $inputObject.Name

    if ($Cluster) {
        Try {
            $wmClusterId = (Invoke-RestMethod -Method GET -URI  https://$vCenterFqdn/api/vcenter/namespace-management/clusters -Headers $vcHeaders | Where-Object { $_.cluster_name -eq $Cluster }).cluster
        Catch {
            Write-Error $_.Exception.Message

    Try {
        if (!$PsBoundParameters.ContainsKey("Cluster")) {
            if ($vCenterApi -le 701) {
                $response = Invoke-RestMethod -Method GET -URI https://$vCenterFqdn/rest/vcenter/content/registries/harbor -ContentType application/json -headers $vcHeaders
            elseif ($vCenterApi -ge 702) {
                $response = Invoke-RestMethod -Method GET -URI https://$vCenterFqdn/api/vcenter/content/registries/harbor -ContentType application/json -headers $vcHeaders
        elseif ($PsBoundParameters.ContainsKey("Cluster")) {
            if ($vCenterApi -le 701) {
                $response = Invoke-RestMethod -Method GET -URI https://$vCenterFqdn/rest/vcenter/content/registries/harbor -ContentType application/json -headers $vcHeaders
                $response.value | Where-Object { $_.cluster -eq $wmClusterId }
            elseif ($vCenterApi -ge 702) {
                $response = Invoke-RestMethod -Method GET -URI https://$vCenterFqdn/api/vcenter/content/registries/harbor -ContentType application/json -headers $vcHeaders
                $response | Where-Object { $_.cluster -eq $wmClusterId }
    Catch {
        Write-Error = $_.Exception
Export-ModuleMember -Function Get-WMRegistry

Function Remove-WMRegistry {
        Remove the embedded Harbor Registry on a Supervisor Cluster

        The Remove-wmRegistry cmdlet removes the embedded Harbor Registry on a Supervisor Cluster

        Get-WMRegistry -Cluster "sfo-w01-cl01" | Remove-WMRegistry
        This example enables the embedded Harbor Registry on Supervisor Cluster "sfo-w01-cl01" via pipeline from Get-wmCluster with the default storage policy for the Supervisor Cluster

        Remove-WMRegistry -Cluster "sfo-w01-cl01"
        This example enables the embedded Harbor Registry on Supervisor Cluster "sfo-w01-cl01" via pipeline from Get-wmCluster with the default storage policy for the Supervisor Cluster

    Param (
        [Parameter (Mandatory = $false)] [String]$Cluster,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psObject]$inputObject

    $vCenterFqdn = $currentvCenterServer

    if ($inputObject) {
        $harborRegistryId = $inputObject.registry
    else {
        Try {
            $harborRegistryId = (Get-WMRegistry -Cluster $Cluster).registry
        Catch {
            Write-Error $_.Exception.Message

    if ($vCenterApi -le 701) {
        $uri = "https://$vCenterFqdn/rest/vcenter/content/registries/harbor/$harborRegistryId"
    elseif ($vCenterApi -ge 702) {
        $uri = "https://$vCenterFqdn/api/vcenter/content/registries/harbor/$harborRegistryId"

    Try {
        $response = Invoke-WebRequest -Method DELETE -URI $uri -ContentType application/json -headers $vcHeaders
        if ($response.StatusCode -eq 200 -or $response.StatusCode -eq 204) {
            Write-Output "Embedded registry removal successfully started for Supervisor Cluster $Cluster"
    Catch {
        Write-Error = $_.Exception
Export-ModuleMember -Function Remove-WMRegistry

Function Connect-WMCluster {
        Log in to a Supervisor Cluster

        The Connect-WMCluster cmdlet adds a refix List to an NSX-T Route Map

        Connect-WMCluster -Cluster sfo-w01-cl01 -User administrator@vsphere.local -Pass VMw@re1!
        This example logs the vSphere SSO user administrator@vsphere.local into Supervisor Cluster sfo-w01-cl01

    Param (
        [Parameter (Mandatory = $false)] [String]$Cluster,
        [Parameter (Mandatory = $true)] [String]$User,
        [Parameter (Mandatory = $true)] [String]$Pass,
        [Parameter (ValueFromPipeline, Mandatory = $false)] [psObject]$inputObject

    if ($inputObject) {
        $Server = $inputObject.KubernetesHostname
    else {
        $Server = (Get-WMCluster -Cluster $Cluster).KubernetesHostname

    Try {
        Start-AwaitSession | Out-Null
        Send-AwaitCommand "kubectl vsphere login --server $Server --vsphere-username $Username --insecure-skip-tls-verify" | Out-Null
        Wait-AwaitResponse "Password:" | Out-Null
        Send-AwaitCommand "$Password"
        Start-Sleep -seconds 3 | Out-Null
    Catch {
        Write-Error "Something went wrong."

    $tryKubectl = Invoke-Expression "kubectl get nodes"

    if ($tryKubectl) {
        Write-Output "Connection successful."
Export-ModuleMember -Function Connect-WMCluster

Function Disconnect-WMCluster {
        Add a Prefix List to an NSX-T Route Map

        The Add-NsxtPrefixList cmdlet adds a refix List to an NSX-T Route Map

        Get-NsxtPrefixList -Name sfo-w01-cl01-prefix-list | Add-NsxtPrefixList -RouteMap sfo-w01-ec01-route-map -Action PERMIT
        This example creates a new Prefix List on a Tier 0 Gateway

    Try {
        Invoke-Expression "kubectl vsphere logout"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Disconnect-WMCluster

Function New-TanzuKubernetesCluster {
        Adds a Tanzu Kubernetes cluster based on the specified YAML file.

        The New-WMTkgsCluster cmdlet adds a Tanzu Kubernetes cluster based on the specified YAML file.

        New-WMTkgsCluster -YAML c:\kube\yaml\tkgsCluster.yaml
        This example creates a new Prefix List on a Tier 0 Gateway

    Param (
        [Parameter (Mandatory = $true)] [String]$YAML

    Try {
        Invoke-Expression "kubectl apply -f $YAML"
    Catch {
        Debug-ExceptionWriter -object $_
New-Alias -name Set-TanzuKubernetesCluster -Value Mew-TanzuKubernetesCluster
Export-ModuleMember -Alias Set-TanzuKubernetesCluster -Function New-TanzuKubernetesCluster

Function Get-TanzuKubernetesCluster {
        Retrieves a Tanzu Kubernetes cluster

        The Get-TanzuKuberntesCluster cmdlet retrieves a Tanzu Kubernetes cluster

        This example retrieves all TanzuKubernetesCluster objects from all namespaces

        Get-TanzuKubernetesCluster -Name sfo-w01-tkc01 -Namespace sfo-w01-tkc01
        This example retrieves a TanzuKubernetesCluster object named "sfo-w01-tkc01" from the namespace specified "sfo-w01-tkc01"

    Param (
        [Parameter (Mandatory = $false)] [String]$Name,
        [Parameter (Mandatory = $false)] [String]$Namespace,
        [Parameter (Mandatory = $false)] [Bool]$Detailed

    if ($Detailed -eq $true) {
        if (!$Name -and !$Namespace) {
            Invoke-Expression "kubectl describe tkc --all-namespaces"
        elseif (!$Name -and $Namespace) {
            Invoke-Expression "kubectl describe tkc -n $Namespace"
        elseif ($Name -and !$Namespace) {
            Write-Error "A resource cannot be retrieved by name across all namespaces"
        elseif ($Name -and $Namespace) {
            Invoke-Expression "kubectl describe tkc $Name -n $Namespace"
    elseif (!$Detailed -or $Detailed -eq $false) {
        if (!$Name -and !$Namespace) {
            Invoke-Expression "kubectl get tkc --all-namespaces"
        elseif (!$Name -and $Namespace) {
            Invoke-Expression "kubectl get tkc -n $Namespace"
        elseif ($Name -and !$Namespace) {
            Write-Error "A resource cannot be retrieved by name across all namespaces"
        elseif ($Name -and $Namespace) {
            Invoke-Expression "kubectl get tkc $Name -n $Namespace"
Export-ModuleMember -Function Get-TanzuKubernetesCluster

Function Remove-TanzuKubernetesCluster {
        Adds a Tanzu Kubernetes cluster based on the specified YAML file.

        The New-WMTkgsCluster cmdlet adds a Tanzu Kubernetes cluster based on the specified YAML file.

        New-WMTkgsCluster -YAML c:\kube\yaml\tkgsCluster.yaml
        This example creates a new Prefix List on a Tier 0 Gateway

    Param (
        [Parameter (Mandatory = $true)] [String]$Name,
        [Parameter (Mandatory = $true)] [String]$Namespace

    Try {
        Invoke-Expression "kubectl delete tkc $Name -n $Namespace"
    Catch {
        Write-Error "Something went wrong."
Export-ModuleMember -Function Remove-TanzuKubernetesCluster

############# End vSphere with Tanzu Functions ###############

################## Start vRealize Suite Lifecycle Manager Functions ###################

Function Request-vRSLCMToken {
        Connects to the specified vRealize Suite Lifecycle Manager and obtains authorization token

        The Request-vRSLCMToken cmdlet connects to the specified vRealize Suite Lifecycle Manager and
        obtains an authorization token. It is required once per session before running all other cmdlets.

        Request-vRSLCMToken -fqdn xreg-vrslcm.rainpole.io -username admin@local -password VMware1!
        This example shows how to connect to the vRealize Suite Lifecycle Manager appliance

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$fqdn,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$username,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$password

    if ( -not $PsBoundParameters.ContainsKey("username") -or ( -not $PsBoundParameters.ContainsKey("password"))) {
        $creds = Get-Credential # Request Credentials
        $username = $creds.UserName.ToString()
        $password = $creds.GetNetworkCredential().password

    $Global:vrslcmHeaders = createBasicAuthHeader $username $password
    $Global:vrslcmAppliance = $fqdn

    Try {
        # Validate credentials by executing an API call
        $uri = "https://$vrslcmAppliance/lcmversion"
        if ($PSEdition -eq 'Core') {
            $response = Invoke-RestMethod -Method GET -Uri $uri -Headers $vrslcmHeaders -SkipCertificateCheck # PS Core has -SkipCertificateCheck implemented, PowerShell 5.x does not
        else {
            $response = Invoke-RestMethod -Method GET -Uri $uri -Headers $vrslcmHeaders
        if ($response.StatusCode -eq 200) {
            Write-Output "Successfully connected to the vRealize Suite Lifecycle Manager Appliance: $vrslcmAppliance"
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Request-vRSLCMToken

Function Get-vRSLCMLockerPassword {
        Get paginated list of Passwords available in the Store

        The Get-vRSLCMLockerPassword cmdlet gets a paginated list of passwords available in the Locker

        This example gets all passwords in the Locker

        Get-vRSLCMLockerPassword -vmid 83abd0fd-c92d-4d8f-a5e8-9a1fc4fa6009
        This example gets the details of a password based on the vmid

    Param (
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$vmid

    Try {
        if ($PsBoundParameters.ContainsKey("vmid")) {
            $uri = "https://$vrslcmAppliance/lcm/locker/api/v2/passwords/$vmid"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $vrslcmHeaders
        else {
            $uri = "https://$vrslcmAppliance/lcm/locker/api/v2/passwords"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $vrslcmHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-vRSLCMLockerPassword

Function Add-vRSLCMLockerPassword {
        Creates a new Password in a password Store

        The Add-vRSLCMLockerPassword cmdlet add as new passwords to the Locker

        Add-vRSLCMLockerPassword -userName admin -alias xint-admin -password VMw@re1! -description "Password for Cross-Instance Admin"
        This example gets all passwords NSX-T Manager

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$userName,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$alias,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$password,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$description

    Try {
        $uri = "https://$vrslcmAppliance/lcm/locker/api/v2/passwords"
        $body = '{
            "alias": "'
+ $alias +'",
            "password": "'
+ $password +'",
            "passwordDescription": "'
+ $description +'",
            "userName": "'
+ $userName +'"

        $response = Invoke-RestMethod $uri -Method 'POST' -Headers $vrslcmHeaders -Body $body
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Add-vRSLCMLockerPassword

Function Remove-vRSLCMLockerPassword {
        Delete a Password based on vmid

        The Remove-vRSLCMLockerPassword cmdlet deletes a password from the Locker

        Remove-vRSLCMLockerPassword -vmid
        This example delets the password with the vmid

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$vmid

    Try {
        $uri = "https://$vrslcmAppliance/lcm/locker/api/v2/passwords/$vmid"
        $response = Invoke-RestMethod $uri -Method 'DELETE' -Headers $vrslcmHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Remove-vRSLCMLockerPassword

Function Get-vRSLCMLockerCertificate {
        Get paginated list of Certificates available in the Store

        The Get-vRSLCMLockerCertificate cmdlet gets a paginated list of certificates available in the Locker

        This example gets all certificates in the Locker

        Get-vRSLCMLockerCertificate -vmid 83abd0fd-c92d-4d8f-a5e8-9a1fc4fa6009
        This example gets the details of a certificate based on the vmid

        Get-vRSLCMLockerCertificate -alias xint-vrops01
        This example gets the details of a certificate based on the vmid

    Param (
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$vmid,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$alias

    Try {
        if ($PsBoundParameters.ContainsKey("vmid")) {
            $uri = "https://$vrslcmAppliance/lcm/locker/api/v2/certificates/$vmid"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $vrslcmHeaders
        elseif ($PsBoundParameters.ContainsKey("alias")) {
            $uri = "https://$vrslcmAppliance/lcm/locker/api/v2/certificates"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $vrslcmHeaders
            $response.certificates | Where-Object {$_.alias -eq $alias}
        else {
            $uri = "https://$vrslcmAppliance/lcm/locker/api/v2/certificates"
            $response = Invoke-RestMethod $uri -Method 'GET' -Headers $vrslcmHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Get-vRSLCMLockerCertificate

Function Add-vRSLCMLockerCertificate {
        Add a certificate to the vRSLCM locker

        The Add-vRSLCMLockerCertificate cmdlet adds a certificate to the vRSLCM locker

        This example gets all certificates in the Locker

        Add-vRSLCMLockerCertificate -vmid 83abd0fd-c92d-4d8f-a5e8-9a1fc4fa6009
        This example gets the details of a certificate based on the vmid

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$vrslcmFQDN,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$certificateAlias,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$certificatePassphrase,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$certChainPath

    Try {
        foreach ($line in Get-Content $certChainPath) {
            $stringToAdd = $line + '\n'
            $newPEMString += $stringToAdd
    $chain = [regex]::split($newPEMString, "-----BEGIN RSA PRIVATE KEY-----")[0] -replace ".{2}$"
    $key = [regex]::split($newPEMString, "-----END CERTIFICATE-----")[-1].substring(2)
    if (!$PsBoundParameters.ContainsKey("certificatePassphrase")) {
        $body = '{
            "alias": "'
            "certificateChain": "'
            "privateKey": "'

    else {
        $body = '{
            "alias": "'
            "certificateChain": "'
            "certificatePassphrase": "'
            "privateKey": "'


        $uri = "https://$vrslcmFQDN/lcm/locker/api/v2/certificates/import"
        $response = Invoke-RestMethod $uri -Method 'POST' -Headers $vrslcmHeaders -ContentType application/json -body $body
    Catch {
        Write-Error $_.Exception.Message

Export-ModuleMember -Function Add-vRSLCMLockerCertificate

Function Remove-vRSLCMLockerCertificate {
        Delete a certificate based on vmid

        The Remove-vRSLCMLockerCertificate cmdlet deletes a certificate from the Locker

        Remove-vRSLCMLockerCertificate -vmid
        This example delets the certificate with the vmid

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$vmid

    Try {
        $uri = "https://$vrslcmAppliance/lcm/locker/api/v2/certificates/$vmid"
        $response = Invoke-RestMethod $uri -Method 'DELETE' -Headers $vrslcmHeaders
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Remove-vRSLCMLockerCertificate

################### End vRealize Suite Lifecycle Manager Functions ####################

############ Start vRealize Automation Functions #############

Function Request-vRAToken {
        Connects to the specified vRealize Automation and obtains authorization token

        The Request-vRAToken cmdlet connects to the specified vRealize Automation and obtains an authorization token.
        It is required once per session before running all other cmdlets.

        Request-vRAToken -fqdn xreg-vra01.rainpole.io -username configadmin -password VMware1!
        This example shows how to connect to the vRealize Automation appliance

        Request-vRAToken -fqdn xreg-vra01.rainpole.io -username configadmin -password VMware1! -displayToken
        This example shows how to connect to the vRealize Automation appliance and display the token needed for Terraform

    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$fqdn,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$username,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$password,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [String]$tenant,
        [Parameter (Mandatory = $false)] [ValidateNotNullOrEmpty()] [Switch]$displayToken

    if ( -not $PsBoundParameters.ContainsKey("username") -or ( -not $PsBoundParameters.ContainsKey("password"))) {
        $creds = Get-Credential # Request Credentials
        $username = $creds.UserName.ToString()
        $password = $creds.GetNetworkCredential().password

    $Global:vraHeaders = createBasicAuthHeader $username $password
    $Global:vraAppliance = $fqdn

    Try {
        # Validate credentials by executing an API call
        $uri = "https://$vraAppliance/csp/gateway/am/api/login?access_token"
        if ($PsBoundParameters.ContainsKey("tenant")) {
            $body = "{ ""username"":""$username"",""password"":""$password"",""domain"":""$tenant""}"
        else {
            $body = "{ ""username"":""$username"",""password"":""$password""}"

        if ($PSEdition -eq 'Core') {
            $Global:response = Invoke-WebRequest -Method POST -Uri $uri -Headers $vraHeaders -Body $body -SkipCertificateCheck # PS Core has -SkipCertificateCheck implemented, PowerShell 5.x does not
        else {
            $Global:response = Invoke-WebRequest -Method POST -Uri $uri -Headers $vraHeaders -Body $body

        if ($response.StatusCode -eq 200) {
            Write-Output "Successfully connected to vRealize Automation: $vraAppliance"
            if ($PsBoundParameters.ContainsKey("displayToken")) {
                Write-Output "`n---------Refresh Token---------"
                ((Select-String -InputObject $response -Pattern '"refresh_token":') -Split ('"'))[3]
                Write-Output "-------------------------------`n"
    Catch {
        Write-Error $_.Exception.Message
Export-ModuleMember -Function Request-vRAToken

############ End vRealize Automation Functions #############

########################################## E N D O F F U N C T I O N S ##########################################

################## Start Utility Functions ###################

Function Debug-ExceptionWriter {
    Param (
        [Parameter(Mandatory = $true)]

    $lineNumber = $object.InvocationInfo.ScriptLineNumber
    $lineText = $object.InvocationInfo.Line.trim()
    $errorMessage = $object.Exception.Message
    Write-Output " Error at Script Line $lineNumber"
    Write-Output " Relevant Command: $lineText"
    Write-Output " Error Message: $errorMessage"
Export-ModuleMember -Function Debug-ExceptionWriter

Function Get-ExternalFileName ($title, $fileType, $location)
    [System.Reflection.Assembly]::LoadWithPartialName("System.windows.forms") | Out-Null
    $OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog
    $OpenFileDialog.Title = "$title"
    if ($location -eq "default") {
        $OpenFileDialog.initialDirectory = Get-Location
    else {
        $OpenFileDialog.initialDirectory = $location
    $OpenFileDialog.filter = "All files (*.$fileType) | *.$fileType"
    $OpenFileDialog.ShowDialog() | Out-Null

################### End Utility Functions ####################

Function checkVCFToken {
    if (!$accessToken) {
        Write-Error "API Access Token Required. Request an Access Token by running Request-VCFToken"
    else {
        $expiryDetails = Get-JWTDetail $accessToken
        if ($expiryDetails.timeToExpiry.Hours -eq 0 -and $expiryDetails.timeToExpiry.Minutes -lt 2) {
               Write-Output "API Access Token Expired. Requesting a new access token with current refresh token"
            $headers = @{"Accept" = "application/json" }
            $uri = "https://$sddcManager/v1/tokens/access-token/refresh"
            $response = Invoke-RestMethod -Method PATCH -Uri $uri -Headers $headers -body $refreshToken
            $Global:accessToken = $response
} Export-ModuleMember -Function checkVCFToken

Function Get-JWTDetail {

        [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]

        Decode a JWT Access Token and convert to a PowerShell Object.
        JWT Access Token updated to include the JWT Signature (sig), JWT Token Expiry (expiryDateTime) and JWT Token time to expiry (timeToExpiry).
        Written by Darren Robinson
        Decode a JWT Access Token and convert to a PowerShell Object.
        JWT Access Token updated to include the JWT Signature (sig), JWT Token Expiry (expiryDateTime) and JWT Token time to expiry (timeToExpiry).
        .PARAMETER token
        The JWT Access Token to decode and udpate with expiry time and time to expiry
        Token from Pipeline
        PowerShell Object
        Get-JWTDetail (accesstoken)
        PS> Get-JWTDetail ('eyJ0eXAiOi........XmN4GnWQAw7OwMA')

    if (!$token.Contains(".") -or !$token.StartsWith("eyJ")) { Write-Error "Invalid token" -ErrorAction Stop }

    # Token
    Foreach ($i in 0..1) {
        $data = $token.Split('.')[$i].Replace('-', '+').Replace('_', '/')
        Switch ($data.Length % 4) {
            0 { break }
            2 { $data += '==' }
            3 { $data += '=' }

    $decodedToken = [System.Text.Encoding]::UTF8.GetString([convert]::FromBase64String($data)) | ConvertFrom-Json
    Write-Verbose "JWT Token:"
    Write-Verbose $decodedToken

    # Signature
    Foreach ($i in 0..2) {
        $sig = $token.Split('.')[$i].Replace('-', '+').Replace('_', '/')
        Switch ($sig.Length % 4) {
            0 { break }
            2 { $sig += '==' }
            3 { $sig += '=' }
    Write-Verbose "JWT Signature:"
    Write-Verbose $sig
    $decodedToken | Add-Member -Type NoteProperty -Name "sig" -Value $sig

    # Convert Expiry time to PowerShell DateTime
    $orig = (Get-Date -Year 1970 -Month 1 -Day 1 -hour 0 -Minute 0 -Second 0 -Millisecond 0)
    $timeZone = Get-TimeZone
    $utcTime = $orig.AddSeconds($decodedToken.exp)
    $hoursOffset = $timeZone.GetUtcOffset($(Get-Date)).hours #Daylight saving needs to be calculated
    $localTime = $utcTime.AddHours($hoursOffset)     # Return local time,
    $decodedToken | Add-Member -Type NoteProperty -Name "expiryDateTime" -Value $localTime

    # Time to Expiry
    $timeToExpiry = ($localTime - (get-date))
    $decodedToken | Add-Member -Type NoteProperty -Name "timeToExpiry" -Value $timeToExpiry

    Return $decodedToken
} Export-ModuleMember -Function Get-JWTDetail

Function createHeader {
    $Global:headers = @{"Accept" = "application/json" }
    $Global:headers.Add("Authorization", "Bearer $accessToken")

Function createBasicAuthHeader {
    $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $username, $password))) # Create Basic Authentication Encoded Credentials
    $headers = @{"Accept" = "application/json" }
    $headers.Add("Authorization", "Basic $base64AuthInfo")
    $headers.Add("Content-Type", "application/json")

Function createvCenterAuthHeader {
    $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $username, $password)))
    $vcAuthHeaders = @{"vmware-use-header-authn" = "true" }
    $vcAuthHeaders.Add("Authorization", "Basic $base64AuthInfo")

##################### Start of Unused Functions ######################

Function Join-ESXiActiveDirectory {
    # Join each ESXi Host to the Active Directory Domain
    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainJoinUser,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainJoinPass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$vcfDomain

    Try {
        $vcenter = Get-vCenterServerDetail -server $server -user $user -pass $pass -domain $vcfDomain
        Connect-VIServer -Server $vcenter.fqdn -User $vcenter.ssoAdmin -pass $vcenter.ssoAdminPass | Out-Null
        if ($DefaultVIServer.Name -eq $($vcenter.fqdn)) {
            $checkAdAuthentication = Test-ADAuthentication -user $domainJoinUser -pass $domainJoinPass -server $domain -domain $domain
            if ($checkAdAuthentication -contains "2") {
                $esxiHosts = Get-VMHost
                $count = 0
                Foreach ($esxiHost in $esxiHosts) {
                    $currentDomainState = Get-VMHostAuthentication -VMHost $esxiHost
                    $currentDomain = [String]$currentDomainState.Domain
                    if ($currentDomain -ne $domain) {
                        Get-VMHostAuthentication -VMHost $esxiHost | Set-VMHostAuthentication -Domain $domain -JoinDomain -Username $domainJoinUser -Password $domainJoinPass -Confirm:$false | Out-Null
                        $currentDomainState = Get-VMHostAuthentication -VMHost $esxiHost
                        $currentDomain = [String]$currentDomainState.Domain
                        if ($currentDomain -eq $domain.ToUpper()) {
                            Write-Output "Confirmed ESXi Host $esxiHost joined Active Directory Domain $domain Successfully"
                        else {
                            Write-Error "Adding ESXi Host $esxiHost to Active Directory Domain $domain Failed"
                    else {
                        Write-Warning "ESXi Host $esxiHost already joined to Active Directory Domain $domain"
                    $count = $count + 1
            else {
                Write-Error "Domain User $domainJoinUser Authentication Failed"
        else {
            Write-Error  "Not connected to vCenter Server $($vcenter.fqdn)"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Join-ESXiActiveDirectory

Function Add-ESXiDomainUser {
    # Assign an Active Directory Group to each ESXi Host for Administration
    Param (
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$server,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$user,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$pass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domain,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainBindUser,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$domainBindPass,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$principal,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$role,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [bool]$propagate,
        [Parameter (Mandatory = $true)] [ValidateNotNullOrEmpty()] [String]$vcfDomain

    $securePass = ConvertTo-SecureString -String $domainBindPass -AsPlainText -Force
    $domainCreds = New-Object System.Management.Automation.PSCredential ($domainBindUser, $securePass)
    $addPrincipal = ($domain.Split(".")[0]).ToUpper() + "\" + $principal

    Try {
        Request-VCFToken -fqdn $server -Username $user -Password $pass | Out-Null
        if ($accessToken) {
            $esxiHosts = (Get-VCFCredential | Where-Object { $_.resource.domainName -eq $vcfDomain -and $_.accountType -eq "USER" -and $_.resource.resourceType -eq "ESXI" }).resource.resourceName
            if (Get-ADGroup -Server $domain -Credential $domainCreds -Filter { SamAccountName -eq $principal }) {
                $count = 0
                Foreach ($esxiHost in $esxiHosts) {
                    $esxiCreds = Get-VCFCredential | Where-Object { $_.resource.resourceName -eq $esxiHost -and $_.accountType -eq "USER" }
                    Connect-VIServer -Server $esxihost -User $esxiCreds.username -Pass $esxiCreds.password | Out-Null # Connect to ESXi Server
                    if ($DefaultVIServer.Name -eq $esxihost) {
                        $checkPermission = Get-VIPermission | Where-Object { $_.Principal -eq $addPrincipal }
                        if ($checkPermission.Principal -eq $addPrincipal) {
                            Write-Warning "Active Directory Group '$addPrincipal' already assigned permissions to $esxihost"
                        else {
                            New-VIPermission -Entity $esxiHost -Principal $addPrincipal -Propagate $propagate -Role $role
                            $checkPermission = Get-VIPermission | Where-Object { $_.Principal -eq $addPrincipal }
                            if ($checkPermission.Principal -eq $addPrincipal) {
                                Write-Output "Active Directory Group '$addPrincipal' assigned the Administrator role to $esxihost Successfully"
                            else {
                                Write-Error "Assigning Active Directory Group '$addPrincipal' the Administrator role to $esxihost Failed"
                        Disconnect-VIServer * -Force -Confirm:$false -WarningAction SilentlyContinue # Disconnect from ESXi Server
                        $count = $count + 1
                    else {
                        Write-Error "Failed to connect to ESXi host $esxihost"
                        $count = $count + 1
            else {
                Write-Error "Active Directory User/Group '$addPrincipal' not found in the Active Directory Domain, please create and retry"
        else {
            Write-Error "Failed to obtain access token from SDDC Manager, check details provided"
    Catch {
        Debug-ExceptionWriter -object $_
Export-ModuleMember -Function Add-ESXiDomainUser

####################### End Unused Functions #########################