Few days back I did blog on the issue i encountered during my lab upgrade where identity-service-app does not initialize due to vRA Migration Assistant service role assigned to AD users.
Click on the link for the blog : https://www.nukescloud.com/post/identity-service-app-initialization-failure-after-upgrading-to-vrealize-automation-8-4-2
Important points to note
Remove the standalone vRA Migration Assistant service role before you upgrade for all AD groups mapped
Read the release notes : https://docs.vmware.com/en/vRealize-Automation/8.4.2/rn/vRealize-Automation-842-releasenotes.html
If you are stuck with this issue then instead of reverting perform these steps.
Your connecting to
1. ssh root@FQDN
2. vracli dev psql
3. \c identity-db
4. copy and paste the following:
DO $$
BEGIN
IF NOT EXISTS (SELECT def.id from identity_service_role AS role INNER JOIN identity_service_definition AS def ON role.service_definition_id = def.id WHERE role.name = 'migration:admin' AND def.name = 'Cloud Assembly') THEN
INSERT INTO identity_service_role (id, is_default, created_millis, hidden, display_name, name, service_definition_id)
VALUES ((SELECT uuid_in(md5(random()::text || clock_timestamp()::text)::cstring)), TRUE, (SELECT round(date_part('epoch', now() ) * 1000 )), FALSE, 'Migration Assistant Administrator', 'migration:admin', (SELECT id from identity_service_definition where name = 'Cloud Assembly'));
INSERT INTO identity_service_role (id, is_default, created_millis, hidden, display_name, name, service_definition_id)
VALUES ((SELECT uuid_in(md5(random()::text || clock_timestamp()::text)::cstring)), FALSE, (SELECT round(date_part('epoch', now() ) * 1000 )), FALSE, 'Migration Assistant Viewer', 'migration:viewer', (SELECT id from identity_service_definition where name = 'Cloud Assembly'));
END IF;
UPDATE identity_group_service_role
SET role_id = (SELECT id FROM identity_service_role WHERE service_definition_id = (SELECT id FROM identity_service_definition WHERE name = 'Cloud Assembly') AND name = 'migration:viewer')
WHERE role_id = (SELECT id FROM identity_service_role WHERE service_definition_id = (SELECT id FROM identity_service_definition WHERE name = 'Migration') AND name = 'migration:viewer');
UPDATE identity_group_service_role
SET role_id = (SELECT id FROM identity_service_role WHERE service_definition_id = (SELECT id FROM identity_service_definition WHERE name = 'Cloud Assembly') AND name = 'migration:admin')
WHERE role_id = (SELECT id FROM identity_service_role WHERE service_definition_id = (SELECT id FROM identity_service_definition WHERE name = 'Migration') AND name = 'migration:admin');
END $$ LANGUAGE plpgsql;
Then exit database by executing \q
Post that restart the services manually and then wait for services to initialize and complete
/opt/scripts/deploy.sh
If you've done this directly through vRA without completing the upgrade workflow through LCM, you have to clean the upgrade in vRA state manually with this command by running it on one of the nodes
vracli cluster exec -- bash -c 'rm -rf /data/restorepoint /var/vmware/prelude/upgrade /var/log/vmware/prelude/upgrade-report-latest*; crontab -u root -l | grep -v -F "/opt/scripts/upgrade/upg-mon.sh" | crontab -u root -'
Post this perform inventory sync on vRSLCM for this vRA environment
To make it simple
Then after upgrade choose Cloud Assembly based Migration Role
I did not remove this role before upgrading to 8.5.1, so the migration assistant role is still below cloud assembly service. Should I run your SQL commands and deploy.sh?