Assistance assigning IMC policy to Server Profile

[tbrock47]

I'm looking for assistance on the proper syntax used to assign an existing Access Policy to an existing Server Profile.
Given the following, how to I assign $IntersightAccessPolicy to $IntersightserverProfile?
I'm not quite sure how to supply the correct commands to Set-IntersightServerProfile.

$IntersightserverProfile = Get-IntersightserverProfile -Name MyServerName
$IntersightAccessPolicy = Get-IntersightAccessPolicy -Name MyIMCAccessPolicy

[briamorr]

Not sure if others might have a better way but in the past I would read in the profile's policy bucket, edit it, and then push it back out with whatever changes I needed to make (would be way easier though if we could do Set-IntersightServerProfile -ImcAccess xyz -Syslog xyz -Bios xyz if there is not already an enhancement like this)

$IntersightserverProfile = Get-IntersightserverProfile -Name briamorr_test
$IntersightAccessPolicy = Get-IntersightAccessPolicy -Name IMM-FI-LOAN_IMCAccess

$IntersightAccessPolicyMoRef = Initialize-IntersightMoMoRef -Moid $IntersightAccessPolicy.Moid -Objecttype ($IntersightAccessPolicy.ObjectType | Out-String)

#Create policybucket array
$policybucket = @()

#Ignore null values and add existing policy buckets into the array except for any existing IMC Access policy in the chassis profile
if($IntersightserverProfile.PolicyBucket.ActualInstance)
{
    $policybucket += $IntersightserverProfile.PolicyBucket.ActualInstance | Where-Object { $_.ObjectType –ne "AccessPolicy" }
}

#Add Access Policy policy reference to policybucket array
$policybucket += $IntersightAccessPolicyMoRef

#Attach policy bucket to server profile
$IntersightserverProfile | Set-IntersightServerProfile -PolicyBucket $policybucket

[tbrock47]

@briamorr I'll give this method a shot. Thanks.

[tbrock47]

@briamorr I see what you're doing here. You are taking the existing policies, replacing/adding the IMC policy and then reapplying the policy bucket.

I assume this means that if I attempted to apply the policy bucket that ONLY had the IMC policy in it, it would wipe the rest of the policies?

[briamorr]

@tbrock47 - Correct, if you do not read in the existing policy bucket items and rewrite them back then you would just end up with only the IMC policy attached to the profile and all the other policies would be detached from the profile.

[tbrock47]

@tbrock47 - Correct, if you do not read in the existing policy bucket items and rewrite them back then you would just end up with only the IMC policy attached to the profile and all the other policies would be detached from the profile.

Understood. With that said, I ran your code and it worked perfectly. Thanks!
I'll leave the "Issue" open a little longer in case someone has an alternative suggestion.

[tbrock47]

@briamorr Somewhat related. How do you go about detaching and attaching templates on profiles?

Here is what I have that I thought would work to attach a template, but nothing happened, and I received no errors.

$IntersightServerProfile = Get-IntersightServerProfile -Name MyServer
$IntersightServerProfileTemplate = Get-IntersightServerProfileTemplate -Name MyTemplate
$IntersightServerProfile | Set-IntersightServerProfile -SrcTemplate (Get-IntersightMoMoRef -ManagedObject $IntersightServerProfileTemplate)

[briamorr]

@tbrock47 -
You'll need to use BulkMoMerger to first sync the template to the profile similar to what the browser UI does if you walk through the operations with chrome dev tools opened.

$ProfileName="briamorr_test"
$DestinationTemplateName="IMM-template"

$org = Get-IntersightOrganizationOrganization -Name default

$profile = Get-intersightserverprofile -Name $ProfileName -Organization $org 

$destTemplate = Get-IntersightServerProfileTemplate -Name $DestinationTemplateName -Organization $org
$destTemplateMoRef = Initialize-IntersightMoMoRef -Moid $destTemplate.Moid -Objecttype ($destTemplate.ObjectType | Out-String)

#unbind template from server profile
$profile | Set-IntersightServerProfile -SrcTemplate $null

#bulkmomerger of template to profile to mimic actions done by UI
$source = Initialize-IntersightMoBaseMo -Moid $destTemplate.Moid -ClassId $destTemplate.ClassId -Objecttype ($destTemplate.ObjectType | Out-String)
$target = Initialize-IntersightMoBaseMo -Moid $profile.Moid -ClassId $profile.ClassId -ObjectType ($profile.ObjectType | Out-String)

# This cmdlet is broken in post-1.0.11.13892 https://github.com/CiscoDevNet/intersight-powershell/issues/147 & https://github.com/CiscoDevNet/intersight-powershell/issues/139
# New-IntersightBulkMoMerger -MergeAction Replace -Sources $source -Targets $target

# Workaround to use generic managed object + JSON
$sources = @(
    @{
        ObjectType = "server.ProfileTemplate"
        Moid = $source.Moid
    }
)

$targets = @(
    @{
        ObjectType = "server.Profile"
        Moid = $target.Moid
    }
)

$jsonObject = @{
    ObjectType = "bulk.MoMerger"
    MergeAction = "Replace"
    Sources = $sources
    Targets = $targets
}

$jsonString = $jsonObject | ConvertTo-Json -Depth 3

try{
	New-IntersightManagedObject -JsonRequestBody $jsonString 
}
catch{
}
#End Workaround

[tbrock47]

oof. I miss ucsm powershell more and more.
I'll work on that tomorrow. Thanks.

[tbrock47]

@briamorr
Didn't have time yesterday. I was walking through it just now and noticed something.

Both of the Initialize commands result in object with a ClassId of 'AaaAuditRecord'. I doubled checked the ClassId values in $destTemplate and $profile and they were set as "ServerProfileTemplate" and "ServerProfile" respectively. ObjectType was assigned correctly. 'AaaAuditRecord' isn't correct is it?

#bulkmomerger of template to profile to mimic actions done by UI
$source = Initialize-IntersightMoBaseMo -Moid $destTemplate.Moid -ClassId $destTemplate.ClassId -ObjectType ($destTemplate.ObjectType | Out-String)
$target = Initialize-IntersightMoBaseMo -Moid $profile.Moid -ClassId $profile.ClassId -ObjectType ($profile.ObjectType | Out-String)

[briamorr]

@tbrock47 - you can do something like this if you are running an older version where New-IntersightBulkMoMerger is still able to run:

$source = Initialize-IntersightMoBaseMo -Moid $destTemplate.Moid -ClassId ($destTemplate.ClassId | Out-String) -Objecttype ($destTemplate.ObjectType | Out-String)
$target = Initialize-IntersightMoBaseMo -Moid $profile.Moid -ClassId ($profile.ClassId | Out-String) -ObjectType ($profile.ObjectType | Out-String)

For the generic cmdlet workaround we just need the Moid of the profile and template so in reality we probably don't need to even initialize the basemo and can just take it directly from the profile and template objects

[tbrock47]

Running 1.0.11.15830.
I see what you're saying.
The Initialize were only there when New-IntersightBulkMoMerger was used. But its not needed in the workaround.
With that said, I ran it excluding those commands with the modifications and it was successful.

# Workaround to use generic managed object + JSON
$sources = @(
    @{
        ObjectType = 'server.ProfileTemplate'
        Moid       = $destTemplate.Moid
    }
)

$targets = @(
    @{
        ObjectType = 'server.Profile'
        Moid       = $target.Moid
    }
)

$jsonObject = @{
    ObjectType  = 'bulk.MoMerger'
    MergeAction = 'Replace'
    Sources     = $sources
    Targets     = $targets
}

$jsonString = $jsonObject | ConvertTo-Json -Depth 3

try {
    New-IntersightManagedObject -JsonRequestBody $jsonString 
} catch {
}
#End Workaround

Thank you again as always sir.

[tbrock47]

@briamorr Thank for all the help so far. I do have a question to pose.

Attaching a ServerProfile to a ServerProfileTemplate should be as straight forward as...
$IntersightServerProfile | Set-IntersightServerProfile -SrcTemplate (Get-IntersightMoMoRef -ManagedObject $IntersightServerProfileTemplate)

I do notice what while the command executes and indeed assigns the template to the profile, it does not automatically validate the profile settings match the templates settings (policies) in the way the GUI does.

You mentioned using "New-IntersightBulkMoMerger" before, which sounds like it performs the desired function by mirroring the GUI experience (When New-IntersightBulkMoMerger was not bugged that is).

So my question is, did "Set-IntersightServerProfile -SrcTemplate" ever work as I expected it to, or was using "New-IntersightBulkMoMerger" always the correct method? If it never worked, what is even the point of the -SrcTemplate parameter other than to pass $null to remove a template if passing a template to it doesn't fully emulate the GUI?

[briamorr]

@tbrock47 -
My understanding is that the SrcTemplate just created a reference from the Profile to the Template object. But to actually sync the policybucket settings from the Template to Profile is where the bulkmomerger came into effect. This was the same behavior when using generic rest api or the terraform SDK as well.

From a simplicity standpoint I would agree that the SDK should transparently handle the bulkmomerger step if -SrcTemplate is defined (or the backend should just establish a continuously updating relationship). Will defer to the development team though on whether that is feasible as an enhancement