How can I Protect/Prevent a VM from deletion in CALM/Self Service? | Nutanix Community
Question


mcascone

I am looking for a way to protect the VMs that I’ve stood in as Applications in Calm/Self Service from accidental deletion (mostly by me). I don’t see a way to do this in any areas of Prism or Calm, and I don’t see anything in the Policy Manager docs that would address it, either. Is there any kind of pattern or feature for this? Thanks


12 replies

JoseNutanix
  • Nutanix Employee
  • 150 replies
  • March 19, 2024

You can use approval policies for setting a day 2 action that looks for the action name to contain the word delete.

 


mcascone
  • Author
  • Trailblazer
  • 37 replies
  • March 19, 2024

OK, I do think we’re at least pointed in the right direction, although I’m not clear on the workflow here. Can you point me to Day-2 documentation?


JoseNutanix
  • Nutanix Employee
  • 150 replies
  • March 19, 2024

mcascone
  • Author
  • Trailblazer
  • 37 replies
  • March 28, 2024

I’ve got the policy engine VM up, but I don’t think it’s properly configured. Is there just a way to “lock” or toggle the ability to delete a VM at all? What’s the simplest way to put a gate or wall up so someone can’t just delete a VM by accident?


JoseNutanix
  • Nutanix Employee
  • 150 replies
  • March 28, 2024

There is no toggle. Your options are:

  • Policy
  • Use a user with a more restricted RBAC with no permissions to delete 

mcascone
  • Author
  • Trailblazer
  • 37 replies
  • March 29, 2024

Slowly getting there, but I’m not seeing the Action Name option:

 

 

Is it a version or permissions thing? We’re on CALM v3.6.0:

 


JoseNutanix
  • Nutanix Employee
  • 150 replies
  • March 29, 2024

You have to type the attribute I shared before and not look through the drop-down list.


mcascone
  • Author
  • Trailblazer
  • 37 replies
  • April 2, 2024

Wow, that works, but is extremely unintuitive.

Feature Request to make all options visible in the attribute menu!


mcascone
  • Author
  • Trailblazer
  • 37 replies
  • April 2, 2024

I must be missing something. I have tried several combinations of the condition:

Action Name:

  • contains delete
  • contains action_delete
  • equals delete
  • equals action_delete
  • equals Delete
  • contains Delete

None of them trigger the policy. That is the only condition I’ve set, and it’s scoped to the correct project.


mcascone
  • Author
  • Trailblazer
  • 37 replies
  • April 2, 2024

Please ignore for the moment. I had the Policy Engine set to Skip Policy Checks.


mcascone
  • Author
  • Trailblazer
  • 37 replies
  • April 2, 2024

For what it’s worth, I had the engine disabled because after standing it up, of course there were no policies created. But it was failing all provisions regardless. So I disabled it.

Now, with the new policy created, it seems to work fine in the sense that it doesn’t break provisions. There is a new policy approval step showing in the audit timeline, successful; previously it would fail.


mcascone
  • Author
  • Trailblazer
  • 37 replies
  • April 2, 2024

Ok, now everything is enabled, approvals enabled, and still no approval gate. 

Is it possible that since I’m an approver, the approval is automatically… approved? It shouldn’t be, but is that the case?

 

Thank you!