Exporting and Importing vSphere Distributed Switch Permissions using PowerCLI

/ René Bos

powercli.png

At my current assignment, I got busy with the replacement of an existing vCenter Server and migration of all linked objects. This included migrating the vSphere Distributed Switch Port Group objects, settings and permissions.

Exporting the vSphere Distributed Switch configuration is an easy-to-do job using the GUI. However permissions are not included. This post is dedicated to the script I wrote to export and import these permissions.

Script Description

This script will export existing vSphere Distributed Switch Port Group permissions to a CSV file from a specified vCenter Server instance.

Next, it will import these permissions into a specified destination vCenter Server instance. The script assumes that you already have created the required vSphere Distributed Switches and Port Groups. Also, it assumes you’ve got all used roles and principals inside the destination vCenter Server.

Important: Use this script at your own risk. Please use a test environment before firing it off into production.

Setting up

First of all, you’re going to need PowerCLI. I’m using PowerCLI module 10.2.0.9372002 during the creation and execution of this script. If you don’t have PowerCLI yet, you can download the standalone version of the VMware website, or import the module into PowerShell 3.0 using the command InstallModule Name VMware.PowerCLI.

Next, you need to gather some information:

  • FQDN of source vCenter Server
  • FQDN of destination vCenter Server
  • Credentials of both vCenter Server instances
  • Location on local server to store temporary files for running the script

Running the script

To use the script, save the script code below to a new file called VDSPermissionExportImport.ps1 (or anything you like).

Next, navigate to the folder containing the script file using PowerShell and execute the script (.VDSPermissionExportImport.ps1)

During its execution, it will follow these steps in order:

  1. Connect to source vCenter Server
  2. Gather data and save to CSV file
  3. Disconnect source vCenter Server
  4. Connect to destination vCenter Server
  5. Modify permissions based on input CSV file
  6. Disconnect destination vCenter Server

All steps are recorded in a log file, which will be placed next to the CSV file for audit or troubleshooting purposes.

Script Code


#General information for VDSPermissionExportImport.ps1
#Date: September 24th, 2018
#Author: Rene Bos
#URL: https://snowvm.com
#Script version: 0.3

#Script summary
#This script copies all or specified vSphere Distributed Switch Port Group permissions from one vCenter to another

#This script assumes you have already exported and imported the existing vDS configuration (Containing all port groups)
#This script assumes all used roles are present in the destination vCenter Server

#As Port Group names need to be unique in each vCenter Server, there will be no specific VDS to be targeted
#During execution, you might be prompted for a valid login if your currently logged on credentials are not sufficient

#Make sure to customize the source and destination vCenter Server
#You are able to filter certain networks by name, as specified in the Parameters section

#Disclaimer
#Please use this script at your own risk and test it out in your test environment first before using it in production
#When using my script, please leave the general information in place. And provide feedback if you can so I can improve it in the future.

#Import PowerCLI commandlets
Import-Module VMware.PowerCLI

#Parameters - Customizable
$SourcevCenter = "sourcevcenter.fqdn.local"
$DestinationvCenter = "destinationvcenter.fqdn.local"
$CSVFileLocation = "C:TempVDSPermissionExportImport.csv"
$PortGroupName = "" #This is an optional filter, in case you only want to export and import certain Port Groups based by name
$LogFile = "C:TempVDSPermissionExportImport.log"

#Logging
$ErrorActionPreference="SilentlyContinue"
Stop-Transcript | Out-Null

$ErrorActionPreference = "Continue"
Start-Transcript -path $LogFile -append

#Make sure no existing vCenter Server connections are active
Write-Host "Disconnecting any existing vCenter Server connections..."
Disconnect-VIServer * -Force -Confirm:$false

#Connect to source vCenter Server
Write-Host "Connecting to $SourcevCenter..."
Connect-VIServer $SourcevCenter

#Get permissions from source vSphere Distributed Switch
Write-Host "Exporting permission data to CSV..."
Get-VIPermission | Where {$_.EntityId -match "dvportgroup" -and $_.Entity -match $PortGroupName} | Export-Csv $CSVFileLocation

#Disconnect from source vCenter Server
Write-Host "Disconnecting from $SourcevCenter..."
Disconnect-VIServer * -Force -Confirm:$false

#Connect to destination vCenter Server
Connect-VIServer $DestinationvCenter
Write-Host "Connecting to $DestinationvCenter..."

#Import data from CSV file
Write-Host "Importing data from CSV..."
$vDS_PG_Permissions = Import-CSV $CSVFileLocation

#Start configuring Permissions
Write-Host "Configuring new permissions..."
ForEach ($Permission in $vDS_PG_Permissions)

              {
              $Entity = $Permission.Entity
              $PG = Get-VirtualPortGroup -Name $Entity
              $Role = $Permission.Role
              $Principal = $Permission.Principal

              New-VIPermission -Role $Role -Principal $Principal -Entity $PG

              }

#Disconnect from destination vCenter Server
Write-Host "Disconnecting from $DestinationvCenter..."
Disconnect-VIServer * -Force -Confirm:$false

#Stop Logging
Stop-Transcript

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s