Event-driven VM cleanup from vCenter removal events

Source (YAML)

id: vm-event-based-cleanup
namespace: company.team
description: >
  Listen for VM removal events from vCenter, log the event details, and clean up
  downstream systems by removing DNS A records, deleting AD computer objects,
  and offboarding the host from CrowdStrike.

tasks:
  - id: foreach_event
    type: io.kestra.plugin.core.flow.ForEach
    values: "{{ trigger.events }}"
    tasks:
      - id: log_vm_event
        type: io.kestra.plugin.core.log.Log
        message: "VM {{ json(taskrun.value).vmName }} had event {{ json(taskrun.value).eventType }} at {{ json(taskrun.value).timestamp }}"

      - id: trigger_cleanup
        type: io.kestra.plugin.core.flow.Sequential
        tasks:
          - id: remove_ad_entry
            type: io.kestra.plugin.scripts.powershell.Commands
            # Pass the VM name to the script through the environment rather than
            # templating it into the script body, so an unexpected VM name cannot
            # change the command that runs.
            env:
              VM_NAME: "{{ json(taskrun.value).vmName }}"
            inputFiles:
              main.ps1: |
                # Remove the DNS A record for the VM from the AD-integrated zone
                Remove-DnsServerResourceRecord -ZoneName "yourdomain.com" -RRType "A" -Name $env:VM_NAME -Force -ErrorAction Stop
                Write-Output "Deleted DNS A record for VM $env:VM_NAME"
            commands:
              - ./main.ps1

          - id: remove_ad_computer
            type: io.kestra.plugin.scripts.powershell.Commands
            env:
              VM_NAME: "{{ json(taskrun.value).vmName }}"
            inputFiles:
              main.ps1: |
                # Remove the computer object from Active Directory; -ErrorAction Stop
                # fails the task (and the flow) if the object cannot be deleted
                Remove-ADComputer -Identity $env:VM_NAME -Confirm:$false -ErrorAction Stop
                Write-Output "Deleted AD computer object for VM $env:VM_NAME"
            commands:
              - ./main.ps1

          - id: offboard_crowdstrike_host
            type: io.kestra.plugin.core.http.Request
            method: POST
            # The Falcon devices-actions endpoint takes action_name as a query
            # parameter and expects Falcon device IDs (AIDs) in "ids". The VM
            # name is used here for illustration; resolve it to the host's AID
            # before this call, because a bare hostname will not match a device.
            uri: "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=hide_host"
            headers:
              Authorization: "Bearer {{ secret('CROWDSTRIKE_API_TOKEN') }}"
              Content-Type: "application/json"
            body: |
              {
                "ids": ["{{ json(taskrun.value).vmName }}"]
              }

triggers:
  - id: vcenterTrigger
    type: io.kestra.plugin.ee.vmware.vcenter.Trigger
    interval: PT1M
    server: "vcenter.company.local"
    username: "{{ secret('VMWARE_VCENTER_USERNAME') }}"
    password: "{{ secret('VMWARE_VCENTER_PASSWORD') }}"
    eventType: VM_REMOVED
    vmNameRegex: "vm-.*"

About this blueprint

This flow listens for VM removal events from VMware vCenter and orchestrates the offboarding steps for each removed VM: logging the event, removing its DNS A record, deleting its computer object in Active Directory, and issuing a CrowdStrike API call to hide the host. Provide the vCenter credentials as secrets (VMWARE_VCENTER_USERNAME, VMWARE_VCENTER_PASSWORD) and a CrowdStrike API token (CROWDSTRIKE_API_TOKEN).
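As an added example that is not part of the blueprint, the following Python check shows the kind of gate a team would put in front of the cleanup tasks above: it parses a constructed batch of trigger events, keeps only VM_REMOVED events whose name is a strict hostname label, and builds the per-host cleanup plan while setting aside names that should be reviewed instead of acted on. SAFE_VM_NAME, DNS_ZONE and SAMPLE_EVENTS are assumptions of this example.

```python
"""Gate vCenter VM_REMOVED events before DNS/AD/EDR cleanup (added example)."""
import json
import re

# The trigger's vmNameRegex ("vm-.*") is a filter, not a sanitizer: ".*" admits
# quotes, semicolons and spaces. Re-check every name as a strict hostname label
# before it reaches Remove-DnsServerResourceRecord or Remove-ADComputer.
SAFE_VM_NAME = re.compile(r"^vm-[A-Za-z0-9](?:[A-Za-z0-9-]{0,58}[A-Za-z0-9])?$")
DNS_ZONE = "yourdomain.com"  # placeholder zone, as in the blueprint

# Constructed stand-in for one trigger.events batch (each item is a JSON string,
# matching how the flow reads them with json(taskrun.value)).
SAMPLE_EVENTS = [
    json.dumps({"vmName": "vm-web01", "eventType": "VM_REMOVED",
                "timestamp": "2024-05-01T10:00:00Z"}),
    json.dumps({"vmName": "vm-db02", "eventType": "VM_POWERED_OFF",
                "timestamp": "2024-05-01T10:00:05Z"}),
    json.dumps({"vmName": 'vm-bad"; extra', "eventType": "VM_REMOVED",
                "timestamp": "2024-05-01T10:00:09Z"}),
    json.dumps({"vmName": "app-legacy", "eventType": "VM_REMOVED",
                "timestamp": "2024-05-01T10:00:12Z"}),
]


def plan_cleanup(events):
    """Return (actions, rejected): one action dict per safe VM_REMOVED event,
    plus the names that were refused so a human can review them."""
    actions, rejected = [], []
    for raw in events:
        event = json.loads(raw)
        name = event.get("vmName", "")
        if event.get("eventType") != "VM_REMOVED":
            continue  # the trigger already filters on this; skip defensively
        if not SAFE_VM_NAME.fullmatch(name):
            rejected.append(name)
            continue
        actions.append({
            "vm": name,
            "dns": {"zone": DNS_ZONE, "rrtype": "A", "name": name},
            "ad_computer": name,
            # hide_host takes Falcon device IDs (AIDs), so the hostname still
            # has to be resolved to an AID before the API call is issued.
            "crowdstrike": {"action_name": "hide_host", "hostname": name},
        })
    return actions, rejected


if __name__ == "__main__":
    planned, refused = plan_cleanup(SAMPLE_EVENTS)
    print(json.dumps({"planned": planned, "refused": refused}, indent=2))
```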