virtualizationvelocity

This Is the Missing Piece in Your VCF 9.0 Automation Strategy: Red Hat Ansible

6/24/2025

Part of the VCF Automation Series: Tenant-Ready Workflows at Scale

VMware Cloud Foundation 9.0 marks a major leap toward a true private cloud platform—with built-in multi-tenancy, automated provisioning, and extensible workflows via external Orchestrator instances. But there's still one critical gap many platform teams face:

What happens after the VM is provisioned?

"This critical gap often leads to manual toil, inconsistent configurations, and delays in application readiness."
That’s where Red Hat Ansible becomes the missing piece.
This post shows how to integrate Ansible with VCF 9.0 Automation to deliver:
  • Full-stack automation from VM to application
  • Tenant-scoped workflows via external vRO instances
  • Post-deployment actions like patching, agent installation, and OS hardening
  • GitOps-friendly, repeatable playbook execution
  • RBAC and policy enforcement across tenants
If you're building a cloud platform on VCF 9.0, this integration is not just nice-to-have—it's essential.

Why This Matters Now

VCF 9.0 moves beyond infrastructure packaging to deliver a true platform operating model. Organizations are now structured as logical tenants with scoped access, quota, identity, and automation policies. But while VCF Automation handles Day 0/1 provisioning cleanly, Day 2 configuration is where many teams still lean on tools like Ansible.
Why? Because:
  • It’s agentless
  • It integrates easily with source control and CI/CD
  • It supports infrastructure, OS, and application layers
The goal: use VCF Automation + Ansible Tower to deliver tenant-isolated, repeatable, and secure workflows at scale.

Architecture Overview

Each VCF tenant can have:
  • A dedicated Orchestrator instance
  • Scoped access to invoke Ansible playbooks
  • Fine-grained RBAC and policy enforcement

How to Integrate VCF Automation with Ansible Tower

1. Deploy and Configure External Orchestrator
  • Deploy the Aria Orchestrator appliance (recommended v9.x)
  • Authenticate with the desired VCF org:
vracli vro authentication set -p tm -f -k -u admin -hn https://vra.vcf.lab --tenant automation
  • Restart Orchestrator:
kubectl rollout restart deployment vco-app -n prelude

2. Create a Workflow to Call Ansible Tower API
  • Use a scriptable task to send REST requests to Ansible:
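var baseUrl = "https://ansible.example.com";
var path = "/api/v2/job_templates/42/launch/";
var token = "your-token-here"; // placeholder; pass the real token in as a SecureString workflow input (see step 4)

// RESTRequest objects are created from a RESTHost (HTTP-REST plug-in), not with "new"
var host = RESTHostManager.createHost("ansible-tower");
host.url = baseUrl;
var transientHost = RESTHostManager.createTransientHostFrom(host);
var request = transientHost.createRequest("POST", path, "{}");
request.contentType = "application/json";
request.setHeader("Authorization", "Bearer " + token);
var response = request.execute();
if (response.statusCode !== 201) { throw "Tower launch failed: HTTP " + response.statusCode; } // Tower answers 201 when the job is created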
  • Add inputs for hostname, inventory group, or playbook vars as needed.

Sample Ansible Playbook Triggered by the Tower API:

- name: Configure Linux VM
  hosts: all
  become: true
  tasks:
    - name: Install packages
      apt:
        name:
          - curl
          - docker.io
        state: present
        update_cache: yes

    - name: Add DevOps user
      user:
        name: devops
        shell: /bin/bash
        state: present


3. Expose Workflow in VCF Automation
  • Publish it as a post-provisioning action
  • Or include it in a blueprint's Day 2 lifecycle event
  • Optionally expose it as a catalog item scoped to the org

4. Secure API Tokens and Roles
  • Store Ansible tokens securely in vRO vaults
  • Use scoped service accounts per org in Ansible Tower
  • Ensure logs are enabled on both sides for traceability
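
An added example (not from the original post or from VMware or Red Hat code) for the scriptable task in step 2: the sample playbook targets `hosts: all`, so the launch has to be pinned to the new VM with `limit`, and Tower lists any launch field it dropped in `ignored_fields`. The function names and sample host names are assumptions; the code is plain ES5 so it can be pasted into a vRO scriptable task.

```javascript
// Added example: validate the tenant-supplied hostname before it becomes the
// Tower "limit", then confirm Tower actually applied it.

// One RFC 1123 host name only. Anything containing Ansible host-pattern
// syntax (":", ",", "*", "!", "&", "~", "[") fails the match, so a tenant
// input cannot widen the target set beyond its own VM.
var HOSTNAME_RE = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;
// Names that are valid host names but select more than one machine (or the controller).
var RESERVED = { all: true, ungrouped: true, localhost: true };

function buildLaunchPayload(hostname, extraVars) {
  if (typeof hostname !== "string" || !HOSTNAME_RE.test(hostname)) {
    throw new Error("hostname is not a single valid host name");
  }
  if (RESERVED.hasOwnProperty(hostname.toLowerCase())) {
    throw new Error("hostname is a reserved inventory pattern");
  }
  return { limit: hostname, extra_vars: extraVars || {} };
}

// Returns the Tower job id, or throws when the launch was rejected or when
// Tower dropped the fields that scope the run.
function checkLaunchResponse(statusCode, bodyText) {
  if (statusCode !== 201) {
    throw new Error("launch failed with HTTP " + statusCode);
  }
  var body = JSON.parse(bodyText);
  var ignored = body.ignored_fields || {};
  if (ignored.hasOwnProperty("limit") || ignored.hasOwnProperty("extra_vars")) {
    // The template does not prompt for these on launch, so the job is
    // running against the template's full inventory, not one VM.
    throw new Error("Tower ignored limit/extra_vars for job " + body.job +
      "; enable prompt-on-launch on the template and cancel this job");
  }
  return body.job;
}
```

In the workflow, pass `JSON.stringify(buildLaunchPayload(...))` as the request body and feed `response.statusCode` and `response.contentAsString` to `checkLaunchResponse`.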

Real-World Use Case Example

Tenant: DevOps-A
Workflow:
  1. VCF Automation deploys Ubuntu VM via blueprint
  2. Post-deploy, vRO triggers Tower playbook
  3. Playbook:
    • Installs Docker
    • Configures SSH keys
    • Registers instance in a monitoring system
Outcome: full-stack automation without human touch—all scoped to the tenant.

Best Practices

Area          Recommendation
Inventory     Use tenant-specific projects in Ansible Tower
Security      Avoid shared tokens; prefer OAuth or service accounts
Logging       Enable detailed logging in vRO and Tower for audit trail
Retry Logic   Add fail/retry workflow logic in vRO

What’s Next in the Series

  • GitOps-Driven Blueprints with Ansible & VCF Automation
  • Multi-Tenant RBAC Policies for Workflow Governance
  • Service Catalog Patterns for Full-Stack Automation
"This integration transforms VCF 9.0 into a truly holistic cloud platform, eliminating manual Day 2 efforts and accelerating your journey to a fully automated private cloud."
VCF 9.0 delivers the infrastructure automation platform many have waited for—but the real magic happens when it’s extended. By integrating Red Hat Ansible into tenant workflows using vRO and API-driven orchestration, you gain full-stack control, reduce manual toil, and scale securely across lines of business.

In the next post, we’ll explore how to version-control these workflows with GitOps and make them part of your CI/CD pipeline.
Stay tuned—this is just the beginning.

Virtualization Velocity

© 2025 Brandon Seymour. All rights reserved.
