Permissions required to run nsxt_vm_tags module

[alexshallcross]

Describe the bug

In NSX I have created a custom security role which only has full access to the 'tags' permission. When running the nsxt_vm_tags module as a user that has that role, it fails with error 403 forbidden. The user is able to successfully alter tags through the GUI and API.

Reproduction steps

1. Create a custom security role in NSX that only has full access to the tags permission.
2. Assign custom security role to a user in NSX
3. Run the nsxt_vm_tags module with the user credentials

Expected behavior

User with full access to the tags permission should be able to run this module.

Additional context

No response

[alagoutte]

Hi @alexshallcross

I think, you need to add permissions to VM inventory to configure tag

[alexshallcross]

Hi @alagoutte,

I've done some more testing with this. It does not work with a custom role with the VM inventory and Tag full access permissions, nor does it work with a custom role that has full access on all permissions. It will only work if the service account is assigned the built in Enterprise Admin role.

[hulr]

I would like to use a custom role for creating tags on virtual machines.

I analyzed this a bit and as far as I understand, it is currently not possible to use a custom role.
The nsxt_vm_tags module is using the virtual-machines endpoint with action update_tags:
https://github.com/vmware/ansible-for-nsxt/blob/dfbbd0463f834046d2dcd32e70d3e26d6120613a/plugins/modules/nsxt_vm_tags.py#L278-L280
According to the API documentation, the feature vm_vm_tags is required to execute this API action: https://dp-downloads.broadcom.com/api-content/apis/API_NTDCRA_001/4.1.2/html/api_includes/method_UpdateVirtualMachineTags.html

This feature is marked as internal and therefore it is not possible to create a custom role through the GUI nor with the API with the required permissions to create tags using the nsxt_vm_tags Ansible module.

It is only possible to create a custom role with the policy_vm_vm_tags feature, but another API endpoint must then be used: https://dp-downloads.broadcom.com/api-content/apis/API_NTDCRA_001/4.1.2/html/api_includes/method_ApplyTagOnVirtualMachine.html

{
  "features" : [ {
    "feature" : "policy_vm_vm_tags",
    "feature_name" : "Policy Vm Vm Tags",
    "feature_description" : "Policy Create and assign tags to VM",
    "permission" : "crud",
    "is_internal" : false,
    "is_execute_recommended" : false
  }, {
    "feature" : "vm_vm_tags",
    "feature_name" : "Vm Vm Tags",
    "feature_description" : "Create and assign tags to VM",
    "permission" : "none",
    "is_internal" : true,
    "is_execute_recommended" : false
  } ]
}

[akiuni]

I confirm @hulr analysis. I've been able to reproduce it with postman using a limited role (Full-access on tags and VM only).

The update of tags raised a 401 FORBIDDEN when using fabric/virtual-machines and succeeded when using the policy endpoint.

So here is a short proposition (untested) to fix that issue :

diff --git a/plugins/module_utils/nsxt_resource_urls.py b/plugins/module_utils/nsxt_resource_urls.py
index 7a7096d..0225770 100644
--- a/plugins/module_utils/nsxt_resource_urls.py
+++ b/plugins/module_utils/nsxt_resource_urls.py
@@ -61,7 +61,7 @@ EDGE_CLUSTER_URL = _ENFORCEMENT_POINT_URL + '/{}/edge-clusters'
 EDGE_NODE_URL = EDGE_CLUSTER_URL + '/{}/edge-nodes'
 
 VM_LIST_URL = '/virtual-machines'
-VM_UPDATE_URL = '/virtual-machines'
+VM_UPDATE_URL = '/infra/realized-state/virtual-machines'
 
 BFD_PROFILE_URL = '/infra/bfd-profiles'
 
diff --git a/plugins/modules/nsxt_vm_tags.py b/plugins/modules/nsxt_vm_tags.py
index 8017e40..33e5936 100644
--- a/plugins/modules/nsxt_vm_tags.py
+++ b/plugins/modules/nsxt_vm_tags.py
@@ -272,12 +272,12 @@ def realize():
             module.exit_json(msg="No tags detected to update")
 
         post_body = {
-            "external_id": virtual_machine_id,
             "tags": final_tags
         }
         policy_communicator.request(
-            VM_UPDATE_URL + '?action=update_tags', data=post_body,
-            method="POST", base_url='fabric')
+            VM_UPDATE_URL + '/' + virtual_machine_id + '/tags', data=post_body,
+            method="POST", base_url='policy')
+
         module.exit_json(msg="Successfully updated tags on VM {}".format(
             virtual_machine_id), changed=True)
     except Exception as err:

[akiuni]

I have made a PR for that bug : #507

Tested, it works fine.

However, I don't know if it is a real fix or just a workaround