
Providing a self-service catalog can be a great way to let users in an organization quickly get the applications and services they need, and it can help IT focus on tasks other than fulfilling requests for machines. However, when a catalog is presented to an organization, it is important that there are guardrails and governance around requests from that catalog. Policies such as “Lease Times” help by eliminating resources that are not being used and ensuring that users know they cannot keep something forever. Governance is a key aspect of building a cloud-like experience for an organization, and vRealize Automation now contains “Approval” policy definitions to allow for even greater control. In this blog I will highlight this exciting feature and explain how it can be used.

 

What is an Approval Policy in vRealize Automation?

 

Approval policies are a level of governance that helps control which Deployment Requests and Actions require approvals before being initiated. If the approver rejects the request, the request is not initiated and fails to execute.

For example, you have a catalog item that is important, but it consumes a significant amount of resources. You want one of your IT administrators to review any deployment requests to ensure that the request is needed. Another example applies to day 2 actions. Making changes to a deployment that is used by many might be devastating. You want the project administrator who manages the deployment for that team to review all changes to the deployed catalog item.

Approval policies can also be applied to “Actions” that can be performed within vRealize Automation. Examples include “Deployment Creation” and “AWS EC2 Instance Power On”; in fact, there are 70+ actions that can have an approval attached to them.

So let's jump into this exciting new policy feature and take a look.

 

How To Get Started with Approvals

 

In this section I am going to go over where and how to set up approvals. Of course, before implementing approval policies in a production environment, the approvers and the items needing approval should be identified.

To start configuring Approval policies, go to the Service Broker service within vRealize Automation. Once inside Service Broker, go to Content and Policies —> Policies —> Definitions —> New Policy Definitions, then click on the Approval Policy tile as shown in the screenshot below.

 

 

Once you click on the Approval Policy tile you will see the various configuration options for creating the Approval Policy. Provide the following information:

  • Name – of the Approval Policy
  • Description – (optional)
  • Scope – this determines if the policy is applicable to all deployments or just to deployments within a certain Project. To learn more about Projects go here.
  • Deployment Criteria – if you want to further refine when the policy is applied then you can add policy criteria. Policy criteria options are:
    • blueprint:  choose a blueprint that was created in Cloud Assembly
    • catalog item:  choose any catalog item that is published in Service Broker catalog
    • deploymentCreationCost: (vRA 8.1/8.2 only) – requires integration with vRealize Operations Manager. This criterion enforces the policy based on the estimated cost of the deployment.
    • deployment: choose an existing deployment and apply an action that you want to be the trigger for the approval (e.g. – Deployment.Poweroff)
    • requested By: choose a user in the system; when this user requests an item, it triggers an approval
    • resources: choose a resource that will trigger an approval (e.g. – Cloud Zone, Flavor, or Image etc.)
  • Approver Mode – choose whether just one or all approvers need to approve the request.
  • Approvers – click the “Add Users” button to add approvers. They will get an email when an approval request is initiated.
  • Auto Expiry – choose either to Approve or Reject a request after a period of no response from approvers
  • Auto Expiry Trigger – choose in “Days” how long the request can live before the auto expiry action takes effect
  • Actions – search for approval actions that would be triggered at time of request.
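
To make the interplay of Approver Mode and Auto Expiry concrete, here is a small Python model, added as an example and not vRealize Automation code. The field names, the ANY/ALL and APPROVE/REJECT values, and the rule that a single rejection ends the request are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ApprovalPolicy:
    # Hypothetical field names mirroring the form fields listed above.
    approvers: frozenset      # users added via "Add Users"
    approver_mode: str        # "ANY" (one approver suffices) or "ALL"
    auto_expiry_action: str   # "APPROVE" or "REJECT"
    auto_expiry_days: int     # Auto Expiry Trigger, in days

def resolve(policy, responses, days_elapsed):
    """Return 'APPROVED', 'REJECTED' or 'PENDING' for one request.

    responses maps user -> 'APPROVE' | 'REJECT'. Responses from users who
    are not listed approvers are ignored.
    Assumption: any rejection from a listed approver ends the request.
    """
    valid = {u: d for u, d in responses.items() if u in policy.approvers}
    if "REJECT" in valid.values():
        return "REJECTED"
    approvals = {u for u, d in valid.items() if d == "APPROVE"}
    if policy.approver_mode == "ANY":
        satisfied = bool(approvals)
    else:
        # An empty approver list must never count as "everyone approved".
        satisfied = bool(approvals) and approvals == set(policy.approvers)
    if satisfied:
        return "APPROVED"
    # Nobody decided in time: the Auto Expiry action decides instead.
    if days_elapsed >= policy.auto_expiry_days:
        return "APPROVED" if policy.auto_expiry_action == "APPROVE" else "REJECTED"
    return "PENDING"

def fails_open(policy):
    """True when silence from every approver ends in an approved request."""
    return resolve(policy, {}, policy.auto_expiry_days) == "APPROVED"

if __name__ == "__main__":
    # Constructed sample policy and responses.
    policy = ApprovalPolicy(frozenset({"alice", "bob"}), "ALL", "APPROVE", 3)
    print(resolve(policy, {"alice": "APPROVE"}, 1))  # waiting on bob
    print(resolve(policy, {"alice": "APPROVE"}, 3))  # expiry approves it
    print(fails_open(policy))
```

A policy for which `fails_open` returns true approves requests that no approver ever looked at, which is worth knowing before choosing “Approve” as the Auto Expiry action.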

 

 

It is worth mentioning that Deployment Criteria can be refined by and/or statements and choosing multiple criteria. Take a look at the example below.

 

Once you hit the “Create” button, the policy will show up under the Policy Definitions page. At that point the policy is in effect.

 

The Approval Process

 

The policy definition that I defined states that whenever someone tries to deploy a Multi-Cloud Machine, an approval is needed. After the user requests the service within the Service Broker catalog they then fill out the information needed for the request.

 

Once the user hits the “Submit” button, then the deployment will stall at the Approval Needed step in the deployment. So the user will see this type of message in the Deployment section:

 

 

Shortly after that, the Approver will get an email with some instructions and a notification that a deployment needs their attention.

 

Once the Approver clicks on the “Approve or Reject the request now” link in the email, they will be taken to the vRealize Automation login screen then sent to the Deployment Approve/Reject screen. The approver can then review the Request Details and then click “Approve” or “Reject” with comments. The approver can also see information about the request via the Policy Details, Resource Details and Input Details tabs.

 

 

Once the Approver clicks “Approve” the deployment will continue to completion. If the Approver rejects the request, then it is cancelled and the item will not be deployed.

 

Approval policies will also apply to a Cloud Template when the deployment of the Cloud Template is initiated from Cloud Assembly. This was not possible in previous releases and is new in vRealize Automation 8.2 (and later) and vRealize Cloud.

 

This was just one example where approvals can help govern what gets deployed out of your Self-Service catalog. Keep in mind that actions can also be chosen as approval criteria. So if you do not want a user to be able to “update tags” without approvals, then that can also be done.

 
