vRA Projects
Audience: Cloud Operations and Platform Engineering teams.
Purpose: Manage projects that control access to cloud templates and deployment destinations.
Overview
Projects in vRealize Automation (vRA) control:
- Who has access to cloud templates
- Where cloud templates can be deployed
Projects are typically organized by:
- Organizational structure (cost center)
- Business group or purpose
- Billing code and data classification
Public documentation is available at support.cloud.tamu.edu
Project Types
| Type | Management | Creation Method |
|---|---|---|
| Legacy | Manual changes | Migrated from AggieCloud 1.0 |
| New | Terraform/IaC | ServiceNow + GitHub pipeline |
All new projects should be created using the automated pipeline. Legacy projects should be migrated when possible.
Creating a New Project
Process Steps
- User submits request via ServiceNow Form
- Request processed by team (usually Joseph Rafferty)
- ServiceNow initiates PR against aip-ac-foundation
- GitHub Action runs terraform plan
- Codeowner approves if plan looks good
- Terraform applies to create the project
Project Tags
All new projects have three mandatory tags applied to deployments:
| Tag | Purpose | Example |
|---|---|---|
| onboarding | Project identifier | project-name |
| BillingCode | Cost allocation | 02-123456 |
| DataClassification | Security level | public, confidential |
Only new deployments are automatically tagged. Onboarded (migrated) deployments are not automatically tagged.
User Management
All vRA access is controlled using AUTH Active Directory groups.
Group OU Path:
OU=vCenter Groups,OU=Role Groups,OU=Groups,OU=Infrastructure Services,DC=auth,DC=tamu,DC=edu
Management Locations
| Location | Purpose | Access |
|---|---|---|
| vIDM | Authentication & sync | vidm.it.tamu.edu |
| IAM in vRA | Login permissions | Identity & Access Management |
| Projects | Deployment access | Projects |
Group Naming Conventions
| Type | Format |
|---|---|
| Legacy | vRA-<legacy-project-name>@auth.tamu.edu |
| New | RSG-<new-project-name>-vraaccess@auth.tamu.edu |
vIDM Sync
VMware Identity Manager (vIDM) syncs users and groups from AUTH Active Directory nightly.
Manual Sync Procedure
How to Manually Sync
- Login to vIDM
- Select dropdown next to your name → Administration Console
- Select Identity & Access Management tab
- Find the AUTH directory → click Sync Now
- Review changes in the popup → click Sync Directory
View Synced Users/Groups
- Login to vIDM
- Navigate to Users & Groups tab
- Select Users or Groups sub-tab
Adding Users to Legacy Projects
Legacy User Management Steps
- User submits ServiceNow ticket
- Validate approval with supervisor or project contact
- Connect to a VM with ADUC access (e.g., techbox, net-advisor, bt-test1)
- Open Active Directory Users and Computers
- Navigate to the vCenter Groups OU
- Find the group: vRA-<project-name>
- Add the user to the group
- Sync vIDM (or wait for nightly sync)
Adding Users to New Projects
New Project User Management Steps
- User submits ServiceNow ticket
- Validate approval with supervisor or project contact
- Clone the aip-ac-foundation repository
- Create branch: add-user/INC<snow-number>
- Edit the project's definition.json:

    "owners": [
        "netID1@tamu.edu",
        "netID2@tamu.edu",
        "netID3@tamu.edu"
    ],
- Open a pull request
- GitHub Action runs terraform plan
- Codeowner approves
- Terraform applies to add user to AD
If the user is new to vRA (not in any other project), a manual vIDM sync may be required.
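Because merging the pull request is what grants access, the codeowner needs to see exactly which identities the edit adds or removes. The following is an added example, not code from the aip-ac-foundation repository: a check that compares the "owners" list on the base branch with the PR branch and flags malformed or duplicate entries. The function names, the NetID character pattern and the sample documents are assumptions made for illustration.

```python
import json
import re

# Assumption: owners are written as <netid>@tamu.edu, as in the sample above.
# The allowed NetID characters are a guess, not a documented rule.
OWNER_RE = re.compile(r"[A-Za-z0-9._-]+@tamu\.edu")


def load_owners(definition_text):
    """Return the "owners" list from a definition.json document."""
    owners = json.loads(definition_text).get("owners", [])
    if not isinstance(owners, list):
        raise ValueError('"owners" must be a JSON array')
    return owners


def review_owner_change(base_text, head_text):
    """Compare owners on the base branch and on the PR branch.

    Returns the access being granted and revoked (lower-cased), plus a
    list of problems a reviewer should resolve before approving.
    """
    base = {o.lower() for o in load_owners(base_text) if isinstance(o, str)}
    problems, seen = [], set()
    for entry in load_owners(head_text):
        if not isinstance(entry, str) or not OWNER_RE.fullmatch(entry):
            problems.append(f"not a <netid>@tamu.edu address: {entry!r}")
            continue
        key = entry.lower()  # catch the same NetID typed in a different case
        if key in seen:
            problems.append(f"duplicate owner: {entry}")
        seen.add(key)
    return {
        "added": sorted(seen - base),
        "removed": sorted(base - seen),
        "problems": problems,
    }


# Constructed sample input, not taken from the real repository.
BASE = '{"owners": ["netID1@tamu.edu", "netID2@tamu.edu"]}'
HEAD = ('{"owners": ["netID1@tamu.edu", "netID3@tamu.edu", '
        '"NETID3@tamu.edu", "contractor@example.com"]}')

if __name__ == "__main__":
    print(json.dumps(review_owner_change(BASE, HEAD), indent=2))
```

An unexpected entry under "removed" deserves the same attention as one under "added", since a ticket to add a user should not also drop an existing owner.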
Identity & Access Management in vRA
Controls which areas of vRA users can access.
- Default access: Service Broker only (catalog and deployments)
- Permissions: Typically granted to AD groups, not individuals
Access IAM
- Login to AggieCloud
- From Cloud Services Console → Identity and Access Management
- Select Active Users or Enterprise Groups