
VCF Automation: Automate the rotation of root passwords for selected ESXi hosts in a VMware Cloud Foundation (VCF) environment.

  • Writer: Milton Sarkar

Let's talk about the script before executing it.


  1. Set variables:
    • Define the VCF SDDC Manager FQDN and credentials.
    • Set the path for storing the temporary JSON request files.
  2. Authenticate with VCF:
    • Call Request-VCFToken with the SDDC Manager FQDN and the provided credentials.
  3. Select ESXi hosts:
    • Define a list of VCF cluster names.
    • For each cluster:
      • Fetch its clusterId.
      • Get all hosts in that cluster and add them to $vcfHosts.
  4. Log current root credentials:
    • For each ESXi host:
      • Retrieve the currently stored root credentials using Get-VCFCredential.
      • Print them to the console (note: this exposes the passwords in plaintext).
  5. Rotate root passwords:
    • For each host:
      • Construct a JSON structure that defines a ROTATE operation for the root SSH credential.
      • Save this JSON to a file named after the host.
      • Call Set-VCFCredential to rotate the credential using that JSON file.
      • Wait 10 seconds before moving to the next host.
  6. Verify the new root credentials:
    • For each host again:
      • Retrieve and print the newly rotated root password to the console.


***********************************Script****************************************************************


# PowerShell script to rotate ESXi root passwords on selected hosts (requires the PowerVCF module)

#################
### VARIABLES ###
#################
$SDDCManager = "Your SDDC manager FQDN"
$vcfUsername = "Administrator@vsphere.local"
$vcfPassword = "Password"

# Authenticate against SDDC Manager; PowerVCF caches the token for the cmdlets that follow
Request-VCFToken -fqdn $SDDCManager -username $vcfUsername -password $vcfPassword

# Directory in which the per-host JSON request files are written (Windows path)
$jsonFilePath = "Path\1.ESXI"

# Alternative: select all hosts from a single cluster
#$VCFClusterName = "vcf-m01-cl01"
#$VCFClusterId = (Get-VCFCluster -name $VCFClusterName).id
#$vcfHosts = Get-VCFHost | Where-Object { $_.cluster.id -eq $VCFClusterId } | Select-Object fqdn, id | Sort-Object fqdn

# Alternative: select ALL hosts in VCF (you will probably want to filter here)
#$vcfHosts = Get-VCFHost | Select-Object fqdn

# Select all hosts from several clusters
$VCFClusterNames = @("vcf-m01-cl01", "vcf-w01-cl01")
$vcfHosts = @()
$allHosts = Get-VCFHost   # fetch the host inventory once instead of once per cluster

# Get the hosts of each cluster and combine them
foreach ($clusterName in $VCFClusterNames) {
    $clusterId = (Get-VCFCluster -name $clusterName).id
    $hostsInCluster = $allHosts | Where-Object { $_.cluster.id -eq $clusterId } | Select-Object fqdn, id
    $vcfHosts += $hostsInCluster
}

# Write current root passwords to the console (plaintext; see the notes below)
foreach ($vcfHost in $vcfHosts) {
    $recName = $vcfHost.fqdn
    $VCFCreds = Get-VCFCredential -resourceName $recName | Where-Object { $_.username -eq "root" }
    Write-Host "Current root credentials for VCF Host" $recName " : " $VCFCreds.password
}

# Change root passwords - operationType can be UPDATE, ROTATE or REMEDIATE
foreach ($vcfHost in $vcfHosts) {
    $recName = $vcfHost.fqdn
    #$recId = $vcfHost.id
    # Join-Path inserts the separator between the directory and the file name
    $esxFilename = Join-Path $jsonFilePath ($recName + ".json")
    $jsonData = "{
  `"elements`": [ {
    `"credentials`": [ {
      `"credentialType`": `"SSH`",
      `"username`": `"root`"
    } ],
    `"resourceName`": `"$recName`",
    `"resourceType`": `"ESXI`"
  } ],
  `"operationType`": `"ROTATE`"
}"
    $jsonData | Out-File $esxFilename -Force   # Export the JSON to a file
    Set-VCFCredential -json $esxFilename
    Start-Sleep -Seconds 10   # This is really lazy. You should use Get-VCFCredentialTask :)
}

# Write the rotated root passwords to the console
foreach ($vcfHost in $vcfHosts) {
    $recName = $vcfHost.fqdn
    $VCFCreds = Get-VCFCredential -resourceName $recName | Where-Object { $_.username -eq "root" }
    Write-Host "Current root credentials for VCF Host" $recName " : " $VCFCreds.password
}


**********************************End************************************************************


  1. Execute this script and you should see output similar to the screenshots below:

[Screenshot: current root passwords for the selected hosts]

[Screenshot: ongoing tasks; the root password has been updated]

[Screenshot: progress can also be monitored in the SDDC Manager Tasks section]



Notes & Suggestions:

  • Security Concern: Root passwords are printed in plain text in the console — consider removing or masking this for production use.

  • Sleep Delay: A 10-second static delay is used; this should ideally be replaced with a proper task monitoring check using Get-VCFCredentialTask.

  • JSON Generation: Done inline — could be improved with a templating approach for better readability and error handling.

  • Scope: Only ESXi hosts in the specified clusters are affected.
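The following PowerShell is an added example, not part of the original post, that applies the first three notes to the script above: the request JSON is built from a hashtable with ConvertTo-Json instead of a hand-written string, the fixed 10-second sleep is replaced by polling Get-VCFCredentialTask, and only a short SHA-256 fingerprint of each password is written to the console so that a change is visible without the password itself landing in a transcript. It assumes the PowerVCF cmdlets already used above, that Set-VCFCredential returns the created task object with an .id property, that Get-VCFCredentialTask -id returns an object with a .status property, and that the status strings checked below match your SDDC Manager version; the directory $jsonDir is an assumed path, and $vcfHosts is the host list built by the script above.

```powershell
# Added example (not from the original post). Assumes: Set-VCFCredential returns the task
# object (.id), Get-VCFCredentialTask -id returns an object with .status, and the status
# strings below; verify them against your SDDC Manager version. $vcfHosts comes from the
# script above.

function New-VCFRotateSpec {
    # Build the request body from a hashtable so ConvertTo-Json handles quoting and escaping.
    param(
        [Parameter(Mandatory)][string]$ResourceName,
        [string]$ResourceType = "ESXI",
        [string]$CredentialType = "SSH",
        [string]$Username = "root",
        [ValidateSet("UPDATE", "ROTATE", "REMEDIATE")][string]$OperationType = "ROTATE"
    )
    $spec = @{
        elements = @(
            @{
                resourceName = $ResourceName
                resourceType = $ResourceType
                credentials  = @(@{ credentialType = $CredentialType; username = $Username })
            }
        )
        operationType = $OperationType
    }
    return ($spec | ConvertTo-Json -Depth 5)
}

function Get-SecretFingerprint {
    # First 4 bytes of SHA-256 of the secret: enough to see that a password changed
    # without writing the password itself to the console or a transcript.
    param([AllowEmptyString()][string]$Secret)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Secret))
    } finally {
        $sha.Dispose()
    }
    return (($hash[0..3] | ForEach-Object { $_.ToString("x2") }) -join "")
}

function Wait-VCFCredentialTask {
    # Poll the credential task until it leaves a non-terminal state, instead of sleeping 10 s.
    param(
        [Parameter(Mandatory)][string]$TaskId,
        [int]$TimeoutSeconds = 600,
        [int]$PollSeconds = 5
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $task = Get-VCFCredentialTask -id $TaskId
        # Assumed non-terminal states; anything else (SUCCESSFUL, FAILED, ...) ends the wait
        if ($task.status -notin @("IN_PROGRESS", "PENDING")) { return $task }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Credential task $TaskId did not reach a terminal state within $TimeoutSeconds seconds"
}

function Get-RootPassword {
    # Stored root password for one host, as returned by SDDC Manager
    param([Parameter(Mandatory)][string]$Fqdn)
    return (Get-VCFCredential -resourceName $Fqdn | Where-Object { $_.username -eq "root" }).password
}

$jsonDir = "C:\vcf\esxi-rotation"   # assumed working directory for the request files
New-Item -ItemType Directory -Path $jsonDir -Force | Out-Null

foreach ($vcfHost in $vcfHosts) {
    $fqdn   = $vcfHost.fqdn
    $before = Get-SecretFingerprint (Get-RootPassword -Fqdn $fqdn)

    $specFile = Join-Path $jsonDir ($fqdn + ".json")
    New-VCFRotateSpec -ResourceName $fqdn | Out-File -FilePath $specFile -Encoding utf8 -Force

    $task   = Set-VCFCredential -json $specFile
    $result = Wait-VCFCredentialTask -TaskId $task.id
    Remove-Item -Path $specFile -Force   # the request file holds no secret, but it is no longer needed

    $after = Get-SecretFingerprint (Get-RootPassword -Fqdn $fqdn)
    if ($result.status -ne "SUCCESSFUL" -or $before -eq $after) {
        $msg = "{0}: rotation task {1} ended with status {2}; fingerprint {3} -> {4}" -f $fqdn, $task.id, $result.status, $before, $after
        Write-Warning $msg
    } else {
        Write-Host ("{0}: root password rotated (fingerprint {1} -> {2})" -f $fqdn, $before, $after)
    }
}
```

Because the loop waits for each task to finish before starting the next, a failed rotation surfaces as a warning on that host rather than being silently skipped after 10 seconds, and the fingerprint comparison catches the case where the task reports success but the stored credential did not change.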
