Managing NSX Tag(s) via RESTapi

When using NSX a quite common task is applying tags to VMs. This can be done in several ways, in this post I´m showing how to accomplish that task via the RESTapi of NSX 4.1.2

The API calls and all other scripts in this post were run with these versions:
– VMware NSX Version 4.1.2.1.0.22667789

Retrieving the external-id of a VM

The following code block is an excerpt from the nsx api documentation.

Perform action on a specific virtual machine. External id of the virtual machine needs to be provided in the request body. 
Some of the actions that can be performed are update tags, add
tags, remove tags.
To add tags to existing list of tag, use action parameter add_tags.

This means that the first step for each tagging operation of a VM is to determine the corresponding external-id.

To obtain the external-id of a VM via a simple POST call, the name of the VM is contained in the URL. To keep the API calls lean and avoid unnecessary traffic, we limit the requested data accordingly.

https://NSX-FQDN/policy/api/v1/fabric/virtual-machines?display_name=[name-of-vm]&included_fields=external_id

If the call was successful, the response code is 204 and the response body could look like this.

{
    "results": [
        {
            "external_id": "501fda5b-ec81-6549-ad63-6d545f93a543",
            "tags": [
                {
                    "scope": "",
                    "tag": "demo-tag"
                }
            ]
        }
    ],
    "result_count": 1,
    "sort_by": "display_name",
    "sort_ascending": true
}

In this example, the VM already has an assigned tag and exactly one VM with the name was found, which is recognizable by the variable “result_count: 1”.

Adding a Tag to a VM

With the external-id just retrieved, the second API call can now be made to add a tag. Again a post command is sent to the NSX API for this purpose, this time, however, with data.

URL for the add_tags call:

https://NSX-FQDN/policy/api/v1/fabric/virtual-machines?action=add_tags

Body for the call with JSON formatted content. This will add a tag with the name “restapi-demo-tag” to the VM.

{
    "external_id": "501f7759-c08d-9090-63a7-6412fcfd0054",
    "tags": [
        {"scope": "", "tag": "restapi-demo-tag"}
    ]
}

If two or more tags should be added in one call the body could look like this.

{
    "external_id": "501f7759-c08d-9090-63a7-6412fcfd0054",
    "tags": [
        {"scope": "", "tag": "restapi-demo-tag"},
        {"scope": "", "tag": "restapi-demo-tag2"}
    ]
}

Again, NSX will answer with HTTP 204 when the call has been accepted and processed. Other possible responses can be looked up in the NSX API documentation.

If the tag is already used by other VMs, the same tag will be added to the VM, and all already applied tags will be kept.
If the tag does not yet exist, it will be silently created automatically and assigned to the VM. There will be no different response code for each scenario.

If you run the query from step1 again you´ll see the added tag.

{
    "results": [
        {
            "external_id": "501f7759-c08d-9090-63a7-6412fcfd0054",
            "tags": [
                {
                    "scope": "",
                    "tag": "restapi-demo-tag"
                },
                {
                    "scope": "",
                    "tag": "restapi-demo-tag2"
                }
            ]
        }
    ],
    "result_count": 1,
    "sort_by": "display_name",
    "sort_ascending": true
}

Updating the tags of a VM

Another approach is the “update_tags” command. In contrast to the example above, it overwrites all previous assignments and only sets the tags that are transmitted in the body.

https://NSX-FQDN/policy/api/v1/fabric/virtual-machines?action=update_tags

{
    "external_id": "501f7759-c08d-9090-63a7-6412fcfd0054",
    "tags": [
        {"scope": "", "tag": "restapi-update-tag"}
    ]
}

The successful implementation of the command is also confirmed with an HTTP 204.

If you check the result you will see that the old tags have been deleted and only the new ones remain.

{
    "results": [
        {
            "external_id": "501f7759-c08d-9090-63a7-6412fcfd0054",
            "tags": [
                {
                    "scope": "",
                    "tag": "restapi-update-tag"
                }
            ]
        }
    ],
    "result_count": 1,
    "sort_by": "display_name",
    "sort_ascending": true
}

Removing a tag from a VM

To remove a specific tag you just have to send the body structure to the NSX API as in the previous examples, you just have to change the URL.

https://NSX-FQDN/policy/api/v1/fabric/virtual-machines?action=remove_tags

{
    "external_id": "501f7759-c08d-9090-63a7-6412fcfd0054",
    "tags": [
        {"scope": "", "tag": "restapi-update-tag"}
    ]
}

If you executed the calls one by one as in the examples above, your VM shouldn´t have any tag assigned at this point.

{
    "results": [
        {
            "external_id": "501f7759-c08d-9090-63a7-6412fcfd0054"
        }
    ],
    "result_count": 1,
    "sort_by": "display_name",
    "sort_ascending": true
}

Also keep in mind that that NSX, unlike in your vCenter, removes a tag from the inventory as soon as the last assignment to a VM has been removed.
However, if there is a rule that controls the VM membership of a security group based on a tag, the tag is still retained.