How can I Protect/Prevent a VM from deletion in CALM/Self Service? | Nutanix Community

I am looking for a way to protect the VMs that I’ve stood in as Applications in Calm/Self Service from accidental deletion (mostly by me). I don’t see a way to do this in any areas of Prism or Calm, and I don’t see anything in the Policy Manager docs that would address it, either. Is there any kind of pattern or feature for this? Thanks

You can use approval policies for setting a day 2 action that looks for the action name to contain the word delete.

 


Ok, I do think we’re at least pointed in the right direction, although I’m not clear on the workflow here. Can you point me to Day-2 documentation?


https://portal.nutanix.com/page/documents/details?targetId=Self-Service-Admin-Operations-Guide-v3_7_2_1:nuc-app-mgmt-approval-policy-create-t.html


I’ve got the policy engine VM up, but I don’t think it’s properly configured. Is there just a way to “lock” or toggle the ability to delete a VM at all? What’s the simplest way to put a gate or wall up so someone can’t just delete a VM by accident?


There is no toggle. Your options are:

  • Policy
  • Use a user with a more restricted RBAC with no permissions to delete 

Slowly getting there, but I’m not seeing the Action Name option:

 

 

Is it a version or permissions thing? We’re on CALM v3.6.0:

 


You have to type the attribute I shared before and not look through the drop-down list.


Wow, that works, but is extremely unintuitive.

Feature Request to make all options visible in the attribute menu!


I must be missing something. I have tried several combinations of the condition:

Action Name:

  • contains delete
  • contains action_delete
  • equals delete
  • equals action_delete
  • equals Delete
  • contains Delete

None of them trigger the policy. That is the only condition I’ve set, and it’s scoped to the correct project.


Please ignore for the moment. I had the Policy Engine set to Skip Policy Checks.


For what it’s worth, I had the engine disabled because after standing it up, of course there were no policies created. But it was failing all provisions regardless. So I disabled it.

Now, with the new policy created, it seems to work fine in the sense that it doesn’t break provisions. There is a new policy approval step showing in the audit timeline, successful; previously it would fail.


Ok, now everything is enabled, approvals enabled, and still no approval gate. 

Is it possible that since I’m an approver, the approval is automatically… approved? It shouldn’t be, but is that the case?

 

Thank you!