diff --git a/lib/ansible/modules/cloud/vmware/vmware_guest.py b/lib/ansible/modules/cloud/vmware/vmware_guest.py
index 55300b2dc42..605974a297c 100644
--- a/lib/ansible/modules/cloud/vmware/vmware_guest.py
+++ b/lib/ansible/modules/cloud/vmware/vmware_guest.py
@@ -149,6 +149,8 @@ options:
 version then no action is taken. version_added: 2.6'
 - ' - C(boot_firmware) (string): Choose which firmware should be used to boot the virtual machine. Allowed values are "bios" and "efi". version_added: 2.7'
+ - ' - C(virt_based_security) (bool): Enable Virtualization Based Security feature for Windows 10.
+ (Support from Virtual machine hardware version 14, Guest OS Windows 10 64 bit, Windows Server 2016)'
 guest_id:
 description:
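Review bot: The new option description does not state the prerequisites and side effects that the implementation in this same commit enforces — ESXi 6.7 or later, EFI firmware, a powered-off VM when reconfiguring — nor that enabling VBS also switches on EFI secure boot, nested hardware virtualization and the virtual IOMMU (vvtdEnabled), all of which a user hardening a guest should know about before flipping the flag. It also lacks the `version_added` tag that the sibling `version` and `boot_firmware` entries carry, and "Support from Virtual machine hardware version 14" reads awkwardly. I would replace the two added lines with something like `- ' - C(virt_based_security) (bool): Enable Virtualization Based Security (VBS) for the guest. Requires ESXi 6.7 or later, virtual hardware version 14 or later, C(boot_firmware) efi and a 64-bit Windows 10 or Windows Server 2016 C(guest_id); an existing VM must be powered off. Enabling it also turns on EFI secure boot, nested hardware virtualization and the virtual IOMMU. version_added: X.Y'`, with X.Y set to the release this lands in.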
@@ -1142,6 +1144,33 @@ class PyVmomiHelper(PyVmomi):
 # Don't fail if VM is already upgraded.
 pass
+ if 'virt_based_security' in self.params['hardware']:
+ host_version = self.select_host().summary.config.product.version
+ if int(host_version.split('.')[0]) < 6 or (int(host_version.split('.')[0]) == 6 and int(host_version.split('.')[1]) < 7):
+ self.module.fail_json(msg="ESXi version %s not support VBS." % host_version)
+ guest_ids = ['windows9_64Guest', 'windows9Server64Guest']
+ if vm_obj is None:
+ guestid = self.configspec.guestId
+ else:
+ guestid = vm_obj.summary.config.guestId
+ if guestid not in guest_ids:
+ self.module.fail_json(msg="Guest '%s' not support VBS." % guestid)
+ if (vm_obj is None and int(self.configspec.version.split('-')[1]) >= 14) or \
+ (vm_obj and int(vm_obj.config.version.split('-')[1]) >= 14 and (vm_obj.runtime.powerState == vim.VirtualMachinePowerState.poweredOff)):
+ self.configspec.flags = vim.vm.FlagInfo()
+ self.configspec.flags.vbsEnabled = bool(self.params['hardware']['virt_based_security'])
+ if bool(self.params['hardware']['virt_based_security']):
+ self.configspec.flags.vvtdEnabled = True
+ self.configspec.nestedHVEnabled = True
+ if (vm_obj is None and self.configspec.firmware == 'efi') or \
+ (vm_obj and vm_obj.config.firmware == 'efi'):
+ self.configspec.bootOptions = vim.vm.BootOptions()
+ self.configspec.bootOptions.efiSecureBootEnabled = True
+ else:
+ self.module.fail_json(msg="Not support VBS when firmware is BIOS.")
+ if vm_obj is None or self.configspec.flags.vbsEnabled != vm_obj.config.flags.vbsEnabled:
+ self.change_detected = True
+
 def get_device_by_type(self, vm=None, type=None):
 if vm is None or type is None:
 return None
diff --git a/test/integration/targets/vmware_guest/tasks/windows_vbs_d1_c1_f0.yml b/test/integration/targets/vmware_guest/tasks/windows_vbs_d1_c1_f0.yml
new file mode 100644
index 00000000000..89a021c70fa
--- /dev/null
+++ b/test/integration/targets/vmware_guest/tasks/windows_vbs_d1_c1_f0.yml
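Review bot: When the hardware-version / power-state condition is false (hardware version below 14, or an existing VM that is powered on) the new code silently does nothing — the user asked for a hardening control and the module neither applies it nor reports failure, so a playbook will believe VBS is on when it is not; the firmware check gets an `else: fail_json`, this one should too. Worse, the change-detection line `if vm_obj is None or self.configspec.flags.vbsEnabled != vm_obj.config.flags.vbsEnabled:` sits outside that guarded block but dereferences `self.configspec.flags`, which is only assigned inside it, so on an existing VM that misses the condition this looks like an AttributeError on `None` rather than a clean error (unless `flags` was populated earlier in the method, which is outside the hunk). I would add an `else` that calls `fail_json` and move the change-detection into the guarded branch, as below. Separately, `self.configspec.version.split('-')[1]` for a new VM presumes the hardware `version` key was supplied and already rendered as `vmx-NN`; if it is optional elsewhere in this module (I believe it is), a `hardware:` block with `virt_based_security` but no `version` will raise instead of failing cleanly, so a `fail_json` when `self.configspec.version` is unset would be worth adding. The enclosing method starts outside the hunk.
```python
            if 'virt_based_security' in self.params['hardware']:
                # … unchanged: ESXi version and guest_id checks …
                if (vm_obj is None and int(self.configspec.version.split('-')[1]) >= 14) or \
                   (vm_obj and int(vm_obj.config.version.split('-')[1]) >= 14 and (vm_obj.runtime.powerState == vim.VirtualMachinePowerState.poweredOff)):
                    # … unchanged: flags / nestedHV / EFI secure boot configuration …
                    if vm_obj is None or self.configspec.flags.vbsEnabled != vm_obj.config.flags.vbsEnabled:
                        self.change_detected = True
                else:
                    # Fail loudly: silently leaving VBS off would let a playbook believe the guest is hardened.
                    self.module.fail_json(msg="VBS requires virtual machine hardware version 14 or later and the VM to be powered off.")
```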
@@ -0,0 +1,122 @@
+- name: Wait for Flask controller to come up online
+ wait_for:
+ host: "{{ vcsim }}"
+ port: 5000
+ state: started
+
+- name: kill vcsim
+ uri:
+ url: "{{ 'http://' + vcsim + ':5000/killall' }}"
+- name: start vcsim with no folders
+ uri:
+ url: "{{ 'http://' + vcsim + ':5000/spawn?datacenter=1&cluster=1&folder=0' }}"
+ register: vcsim_instance
+
+- name: Wait for Flask controller to come up online
+ wait_for:
+ host: "{{ vcsim }}"
+ port: 443
+ state: started
+
+- name: get a list of Clusters from vcsim
+ uri:
+ url: "{{ 'http://' + vcsim + ':5000/govc_find?filter=CCR' }}"
+ register: clusterlist
+
+- debug: var=vcsim_instance
+- debug: var=clusterlist
+
+- name: Create Windows 10 VM with VBS enabled
+ vmware_guest:
+ validate_certs: False
+ hostname: "{{ vcsim }}"
+ username: "{{ vcsim_instance['json']['username'] }}"
+ password: "{{ vcsim_instance['json']['password'] }}"
+ folder: "/{{ (clusterlist['json'][0]|basename).split('_')[0] }}/vm"
+ name: vbs-Test
+ datacenter: "{{ (clusterlist['json'][0]|basename).split('_')[0] }}"
+ cluster: "{{ clusterlist['json'][0] }}"
+ resource_pool: Resources
+ guest_id: windows9_64Guest
+ hardware:
+ memory_mb: 1024
+ num_cpus: 1
+ virt_based_security: True
+ version: 14
+ boot_firmware: efi
+ scsi: paravirtual
+ disk:
+ - size_mb: 128
+ type: thin
+ datastore: LocalDS_0
+ cdrom:
+ type: client
+ register: vbs_vm
+
+- debug: var=vbs_vm
+
+- name: assert the VM was created
+ assert:
+ that:
+ - "vbs_vm.failed == false"
+ - "vbs_vm.changed == true"
+
+- name: Create Windows Server 2016 VM without VBS enabled
+ vmware_guest:
+ validate_certs: False
+ hostname: "{{ vcsim }}"
+ username: "{{ vcsim_instance['json']['username'] }}"
+ password: "{{ vcsim_instance['json']['password'] }}"
+ folder: "/{{ (clusterlist['json'][0]|basename).split('_')[0] }}/vm"
+ name: vbs-Test2
+ datacenter: "{{ (clusterlist['json'][0]|basename).split('_')[0] }}"
+ cluster: "{{ clusterlist['json'][0] }}"
+ resource_pool: Resources
+ guest_id: windows9Server64Guest
+ hardware:
+ memory_mb: 1024
+ num_cpus: 1
+ version: 14
+ boot_firmware: efi
+ scsi: paravirtual
+ disk:
+ - size_mb: 128
+ type: thin
+ datastore: LocalDS_0
+ cdrom:
+ type: client
+ register: vbs_vm
+
+- debug: var=vbs_vm
+
+- name: assert the VM was created
+ assert:
+ that:
+ - "vbs_vm.failed == false"
+ - "vbs_vm.changed == true"
+
+- name: Enable VBS for Windows Server 2016 VM
+ vmware_guest:
+ validate_certs: False
+ hostname: "{{ vcsim }}"
+ username: "{{ vcsim_instance['json']['username'] }}"
+ password: "{{ vcsim_instance['json']['password'] }}"
+ folder: "/{{ (clusterlist['json'][0]|basename).split('_')[0] }}/vm"
+ name: vbs-Test2
+ datacenter: "{{ (clusterlist['json'][0]|basename).split('_')[0] }}"
+ disk:
+ - size_mb: 256
+ type: thin
+ datastore: LocalDS_0
+ hardware:
+ virt_based_security: True
+ state: present
+ register: vbs_vm
+
+- debug: var=vbs_vm
+
+- name: assert the VM was changed
+ assert:
+ that:
+ - "vbs_vm.failed == false"
+ - "vbs_vm.changed == true"
\ No newline at end of file
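Review bot: The "Enable VBS for Windows Server 2016 VM" task proves nothing about VBS, because it also grows the disk from 128 to 256 MB, so the final `vbs_vm.changed == true` assertion is satisfied by the resize even if `virt_based_security` were ignored entirely; keep the disk spec identical to the creating task so the only change under test is the VBS flag. None of the three tasks checks the resulting state either — the assertions only look at `failed`/`changed` — so a regression that silently skips the flag would pass; if the module's returned `instance` facts expose the flag (I could not confirm that from here), assert on it, and in any case add a re-run of the same task asserting `vbs_vm.changed == false` so idempotence of the new branch is covered. Note also that the ESXi-version, EFI-firmware and BIOS-rejection paths the implementation adds have no negative test here; a task with `boot_firmware: bios` plus `virt_based_security: True` and `ignore_errors: yes` asserting `failed == true` would cover the cheapest one, assuming vcsim reports a product version the check accepts.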