✨ Read tags from vsphere (#5857)

* Add tags field and also add tags to labels

* A bit of small clean up

* Update to grab all tags

* Extract GetVmTags and GetHostTags into a single GetTags function

Author: claytoncasey01

providers/vsphere/resources/common.go

@@ -0,0 +1,70 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package resources
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+
+	"github.com/vmware/govmomi/vapi/rest"
+	"github.com/vmware/govmomi/vapi/tags"
+	"github.com/vmware/govmomi/vim25"
+	"github.com/vmware/govmomi/vim25/types"
+	vmwaretypes "github.com/vmware/govmomi/vim25/types"
+	"go.mondoo.com/cnquery/v11/providers-sdk/v1/inventory"
+	"go.mondoo.com/cnquery/v11/providers-sdk/v1/vault"
+)
+
+// extractTagKeys extracts tag keys from vmware Tag slice
+func extractTagKeys(tags []vmwaretypes.Tag) []string {
+	tagKeys := make([]string, len(tags))
+	for i, tag := range tags {
+		tagKeys[i] = tag.Key
+	}
+	return tagKeys
+}
+
+// GetTags retrieves tags for a host system using the vSphere vAPI
+// If the vAPI is not available, it will return an empty array instead of an error.
+// This maintains backward compatibility with vSphere environments that don't use tags.
+func GetTags(ctx context.Context, ref types.ManagedObjectReference, client *vim25.Client, conf *inventory.Config) []string {
+	// Create vAPI REST client
+	restClient := rest.NewClient(client)
+
+	// Get credentials from connection config
+	creds, err := vault.GetPassword(conf.Credentials)
+	if err != nil {
+		return []string{}
+	}
+
+	userInfo := url.UserPassword(creds.User, string(creds.Secret))
+	err = restClient.Login(ctx, userInfo)
+	if err != nil {
+		return []string{}
+	}
+
+	tagManager := tags.NewManager(restClient)
+
+	// Get attached tags for the host
+	attachedTags, err := tagManager.GetAttachedTags(ctx, ref)
+	if err != nil {
+		return []string{}
+	}
+
+	// Convert tags to string format: "category:tag"
+	tagStrings := make([]string, len(attachedTags))
+	for i, tag := range attachedTags {
+		// Get category information
+		category, err := tagManager.GetCategory(ctx, tag.CategoryID)
+		if err != nil {
+			// If we can't get category, just use tag name
+			tagStrings[i] = tag.Name
+			continue
+		}
+		tagStrings[i] = fmt.Sprintf("%s:%s", category.Name, tag.Name)
+	}
+
+	return tagStrings
+}

providers/vsphere/resources/datacenter.go

@@ -10,8 +10,10 @@ import (
 	"github.com/vmware/govmomi/object"
 	"go.mondoo.com/cnquery/v11/llx"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/plugin"
+	"go.mondoo.com/cnquery/v11/providers-sdk/v1/util/convert"
 	"go.mondoo.com/cnquery/v11/providers/vsphere/connection"
 	"go.mondoo.com/cnquery/v11/providers/vsphere/resources/resourceclient"
+	"go.mondoo.com/cnquery/v11/types"
 )
 
 func newVsphereHostResources(vClient *resourceclient.Client, runtime *plugin.Runtime, vhosts []*object.HostSystem) ([]interface{}, error) {
@@ -29,15 +31,31 @@ func newVsphereHostResources(vClient *resourceclient.Client, runtime *plugin.Run
 		}
 
 		var name string
+		var tags []string
 		if hostInfo != nil {
 			name = hostInfo.Name
+			simpleTags := extractTagKeys(hostInfo.Tag)
+
+			// Get vAPI tags using the connection
+			conn := runtime.Connection.(*connection.VsphereConnection)
+			ctx := context.Background()
+
+			// Get vAPI tags using the connection config
+			vapiTags := GetTags(ctx, h.Reference(), vClient.Client.Client, conn.Conf)
+			// Use vAPI tags if available, otherwise use simple tags
+			if len(vapiTags) > 0 {
+				tags = vapiTags
+			} else {
+				tags = simpleTags
+			}
 		}
 
 		mqlHost, err := CreateResource(runtime, "vsphere.host", map[string]*llx.RawData{
 			"moid":          llx.StringData(h.Reference().Encode()),
 			"name":          llx.StringData(name),
 			"properties":    llx.DictData(props),
 			"inventoryPath": llx.StringData(h.InventoryPath),
+			"tags":          llx.ArrayData(convert.SliceAnyToInterface(tags), types.String),
 		})
 		if err != nil {
 			return nil, err

providers/vsphere/resources/discovery.go

@@ -124,6 +124,22 @@ func discoverDatacenter(conn *connection.VsphereConnection, datacenterResource *
 			platformID := connection.VsphereResourceID(instanceUuid, mqlHost.Moid.Data)
 			clonedConfig := conn.Conf.Clone(inventory.WithoutDiscovery())
 			clonedConfig.PlatformId = platformID
+
+			labels := map[string]string{
+				"vsphere.vmware.com/name":          mqlHost.Name.Data,
+				"vsphere.vmware.com/moid":          mqlHost.Moid.Data,
+				"vsphere.vmware.com/inventorypath": mqlHost.InventoryPath.Data,
+			}
+
+			// Add tags as labels with vsphere.vmware.com/tag/ prefix
+			if mqlHost.Tags.Error == nil {
+				for _, tag := range mqlHost.Tags.Data {
+					if tagStr, ok := tag.(string); ok {
+						labels["vsphere.vmware.com/tag/"+tagStr] = "true"
+					}
+				}
+			}
+
 			assetList = append(assetList, &inventory.Asset{
 				Name: mqlHost.Name.Data,
 				Platform: &inventory.Platform{
@@ -137,11 +153,7 @@ func discoverDatacenter(conn *connection.VsphereConnection, datacenterResource *
 					TechnologyUrlSegments: []string{"vmware", "esxi", esxiVersion.Version + "-" + esxiVersion.Build},
 				},
 				Connections: []*inventory.Config{clonedConfig}, // pass-in the parent connection config
-				Labels: map[string]string{
-					"vsphere.vmware.com/name":          mqlHost.Name.Data,
-					"vsphere.vmware.com/moid":          mqlHost.Moid.Data,
-					"vsphere.vmware.com/inventorypath": mqlHost.InventoryPath.Data,
-				},
+				Labels:      labels,
 				State:       mapHostPowerstateToState(mqlHost.host.Runtime.PowerState),
 				PlatformIds: []string{platformID},
 			})
@@ -157,15 +169,27 @@ func discoverDatacenter(conn *connection.VsphereConnection, datacenterResource *
 			platformID := connection.VsphereResourceID(instanceUuid, vm.Moid.Data)
 			clonedConfig := conn.Conf.Clone(inventory.WithoutDiscovery())
 			clonedConfig.PlatformId = platformID
+
+			labels := map[string]string{
+				"vsphere.vmware.com/name":           vm.Name.Data,
+				"vsphere.vmware.com/moid":           vm.Moid.Data,
+				"vsphere.vmware.com/inventory-path": vm.InventoryPath.Data,
+			}
+
+			// Add tags as labels with vsphere.vmware.com/tag/ prefix
+			if vm.Tags.Error == nil {
+				for _, tag := range vm.Tags.Data {
+					if tagStr, ok := tag.(string); ok {
+						labels["vsphere.vmware.com/tag/"+tagStr] = "true"
+					}
+				}
+			}
+
 			assetList = append(assetList, &inventory.Asset{
 				Name:        vm.Name.Data,
 				Platform:    &inventory.Platform{},
 				Connections: []*inventory.Config{clonedConfig},
-				Labels: map[string]string{
-					"vsphere.vmware.com/name":           vm.Name.Data,
-					"vsphere.vmware.com/moid":           vm.Moid.Data,
-					"vsphere.vmware.com/inventory-path": vm.InventoryPath.Data,
-				},
+				Labels:      labels,
 				State:       mapVmGuestState(vm.vm.Guest.GuestState),
 				PlatformIds: []string{platformID},
 			})

providers/vsphere/resources/vm.go

@@ -4,12 +4,16 @@
 package resources
 
 import (
+	"context"
+
 	"github.com/vmware/govmomi/object"
 	"github.com/vmware/govmomi/vim25/mo"
 	"go.mondoo.com/cnquery/v11/llx"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/plugin"
+	"go.mondoo.com/cnquery/v11/providers-sdk/v1/util/convert"
 	"go.mondoo.com/cnquery/v11/providers/vsphere/connection"
 	"go.mondoo.com/cnquery/v11/providers/vsphere/resources/resourceclient"
+	"go.mondoo.com/cnquery/v11/types"
 )
 
 func newMqlVm(runtime *plugin.Runtime, vm *object.VirtualMachine, vmInfo *mo.VirtualMachine) (*mqlVsphereVm, error) {
@@ -19,15 +23,33 @@ func newMqlVm(runtime *plugin.Runtime, vm *object.VirtualMachine, vmInfo *mo.Vir
 	}
 
 	var name string
+	var tags []string
 	if vmInfo != nil && vmInfo.Config != nil {
 		name = vmInfo.Config.Name
+		// Try both approaches for testing
+		simpleTags := extractTagKeys(vmInfo.Tag)
+
+		// Get vAPI tags using the connection
+		conn := runtime.Connection.(*connection.VsphereConnection)
+		vClient := resourceclient.New(conn.Client())
+		ctx := context.Background()
+
+		// Get vAPI tags using the connection config
+		vapiTags := GetTags(ctx, vm.Reference(), vClient.Client.Client, conn.Conf)
+		// Use vAPI tags if available, fallback to simple tags
+		if len(vapiTags) > 0 {
+			tags = vapiTags
+		} else {
+			tags = simpleTags
+		}
 	}
 
 	mqlVm, err := CreateResource(runtime, "vsphere.vm", map[string]*llx.RawData{
 		"moid":          llx.StringData(vm.Reference().Encode()),
 		"name":          llx.StringData(name),
 		"properties":    llx.DictData(props),
 		"inventoryPath": llx.StringData(vm.InventoryPath),
+		"tags":          llx.ArrayData(convert.SliceAnyToInterface(tags), types.String),
 	})
 	if err != nil {
 		return nil, err

providers/vsphere/resources/vsphere.lr

@@ -186,6 +186,8 @@ private vsphere.host @defaults("moid name") {
   ntp() esxi.ntpconfig
   // Host SNMP configuration
   snmp() map[string]string
+  //Host tags
+  tags []string
 }
 
 // vSphere VM resource
@@ -200,6 +202,8 @@ private vsphere.vm @defaults("moid name") {
   properties dict
   // Virtual machine advanced properties
   advancedSettings() map[string]string
+  // VM tags
+  tags []string
 }
 
 // vSphere standard virtual switch

providers/vsphere/resources/vsphere.lr.go

@@ -197,6 +197,8 @@ resources:
       services: {}
       snmp: {}
       standardSwitch: {}
+      tags:
+        min_mondoo_version: 9.0.0
       timezone: {}
       vmknics: {}
     is_private: true
@@ -244,6 +246,8 @@ resources:
       moid: {}
       name: {}
       properties: {}
+      tags:
+        min_mondoo_version: 9.0.0
     is_private: true
     min_mondoo_version: 5.15.0
     platform: