
Update CloudConfig YAML using Orchestrator workflow

by Mayank Goyal · 16 Sep 2025

Recently, I discovered an intriguing capability in VCF Automation: using Event Based Subscriptions to update not just properties but the CloudConfig YAML embedded within the larger Automation blueprints. This technique is particularly appealing because it enables the dynamic injection or modification of configuration data during deployment, eliminating the need to hard-code every detail directly in the blueprint. However, there's a crucial and undocumented detail that is essential for making this solution function correctly, something I'll reveal in this post.

Why Update CloudConfig Dynamically?

VCF Automation blueprints allow embedding cloudConfig sections for running scripts, installing packages, or configuring the VM during provisioning. But what if the exact configuration needs to change based on environment, policy, or external inputs? Updating the blueprint each time is cumbersome and error-prone.

Using event subscriptions and Orchestrator workflows, we can dynamically modify the cloudConfig without changing the base blueprint. This makes deployments more adaptable and easier to maintain.

[Figure: flowchart of the VCF Automation deployment process, from blueprint context to VM creation with dynamically updated CloudConfig, including events, workflow instructions, and key actions.]

Using Compute Allocate Event

The Compute Allocate event in VCF Automation fires when a VM is allocated but before provisioning completes. By subscribing to this event, a VCF Operations Orchestrator (vRO) workflow can intercept the deployment payload and update the cloudConfig dynamically.

This approach allows injecting additional YAML code or modifying existing parts exactly when needed in the provisioning lifecycle.

Example Orchestrator Workflow Logic for CloudConfig Update

An effective way to implement this is via a scriptable task inside an Orchestrator workflow. Here is a working example snippet:

// Workflow Input:
// inputProperties - Properties object containing customProperties with cloudConfig YAML string

// Workflow Output:
// customProperties - Properties object, with __computeConfigContent updated to the modified cloudConfig string

//System.log(inputProperties.customProperties.cloudConfig);

var customProperties = inputProperties.customProperties;

// Read the cloud-config content
var cloudConfig = inputProperties.customProperties.cloudConfig;

// Replace all occurrences of "VMware1!" with "passw0rd123"
var updatedCloudConfig = cloudConfig.replace(/VMware1!/g, 'passw0rd123'); //Put your own logic here

// Note: this writes the full updated cloud-config, including the new password, to the workflow run log
System.log(updatedCloudConfig);

// IMPORTANT: Updating customProperties.cloudConfig directly DOES NOT work!
// customProperties.cloudConfig = updatedCloudConfig; // This does NOT take effect ❌

// Use the unpublished property __computeConfigContent instead (this works) ✅
customProperties.__computeConfigContent = updatedCloudConfig;

Key Points

  • The CloudConfig YAML content is accessed via inputProperties.customProperties.cloudConfig.
  • You modify the YAML content as a string, in this case replacing password placeholders dynamically.
  • Directly updating customProperties.cloudConfig will NOT work in this event subscription context. Attempts to set it do not propagate.
  • Instead, the update must be made to the internal, unpublished property __computeConfigContent which VCF Automation recognizes and uses during provisioning.
  • This distinction is critical for successful CloudConfig updates in Compute Allocate event workflows.
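
A hardened variant of the string replacement above, as an added example (not the author's code): it matches the placeholder literally, stops `$` sequences in the new value from being interpreted by `String.replace`, rejects multi-line values, and masks the value before logging. The helper names and the `newPassword` input are assumptions.

```javascript
// Added example. ES5 syntax, since vRO scriptable tasks run on Rhino.
// substituteSecret, redact and newPassword are hypothetical names.

// Constructed sample: a cloudConfig string modelled on this page's blueprint.
var SAMPLE_CLOUD_CONFIG = [
  '#cloud-config',
  'users:',
  '  - name: myuser',
  '    lock_passwd: false',
  'chpasswd:',
  '  list: |',
  '    myuser:VMware1!',
  '  expire: false'
].join('\n');

// Escape regex metacharacters so the placeholder is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Replace every occurrence of placeholder with secret.
// Returns { content: <new string>, replaced: <count> }; throws on bad input.
function substituteSecret(cloudConfig, placeholder, secret) {
  if (typeof cloudConfig !== 'string' || cloudConfig === '' || !placeholder) {
    throw new Error('cloudConfig or placeholder is missing');
  }
  if (typeof secret !== 'string' || secret === '' || /[\r\n]/.test(secret)) {
    // A line break would add extra lines to the chpasswd list block.
    throw new Error('secret must be a non-empty single-line string');
  }
  var re = new RegExp(escapeRegExp(placeholder), 'g');
  var replaced = (cloudConfig.match(re) || []).length;
  if (replaced === 0) {
    throw new Error('placeholder not found; config would pass through unchanged');
  }
  // Function replacement: "$&" or "$1" inside the secret is inserted literally.
  var content = cloudConfig.replace(re, function () { return secret; });
  return { content: content, replaced: replaced };
}

// Mask the secret before the config is written to the workflow log.
function redact(text, secret) {
  return secret ? text.split(secret).join('[REDACTED]') : text;
}

// Wiring inside the scriptable task (newPassword: hypothetical workflow input):
//   var r = substituteSecret(inputProperties.customProperties.cloudConfig, 'VMware1!', newPassword);
//   customProperties.__computeConfigContent = r.content;
//   System.log(redact(r.content, newPassword));
```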

Example Blueprint YAML Including CloudConfig Section

Below is an example of a blueprint YAML where the CloudConfig section is part of a vSphere VM deployment from an OVA. It shows the standard way cloudConfig is embedded in the blueprint, here creating a user with a password that can be dynamically updated:

name: vSphere VM from OVA
formatVersion: 1
inputs: {}
resources:
  vm:
    type: Cloud.vSphere.Machine
    properties:
      cpuCount: 2
      totalMemoryMB: 4096
      imageRef: https://cloud-images.ubuntu.com/releases/noble/release/ubuntu-24.04-server-cloudimg-amd64.ova
      cloudConfig: |
        #cloud-config
        users:
          - name: myuser
            groups: sudo
            shell: /bin/bash
            sudo: ALL=(ALL) NOPASSWD:ALL
            lock_passwd: false

        chpasswd:
          list: |
            myuser:VMware1!
          expire: false
      updateCloudConfig: true  # Enables updating cloudConfig via Event Based Subscription

Benefits of This Approach

  • Avoids manual edits to blueprints for environment-specific tweaks.
  • Ensures that dynamic config changes are fully applied just-in-time during provisioning.
  • Facilitates automation-driven, policy-based config injection without blueprint proliferation.
  • Allows secure and seamless updates such as injecting secrets, packages, or dynamic network settings.

Some other such properties are __numberOfSnapshots and __hasSnapshot.

This method of updating CloudConfig via the Compute Allocate event in VCF Automation combined with Orchestrator workflow scripting provides a powerful mechanism for dynamic, environment-aware VM provisioning.

