[Webhook Event] blocking pre-create validation hook to stop VM creation

Support
1
  • Foreman: 3.15
  • foreman_webhooks: rubygem-foreman_webhooks-4.0.1-1.fm3_15.el9.noarch
  • Smart Proxy + smart_proxy_shellhooks: 3.15
  • Compute resource: VMware vSphere
  • OS: RHEL 9

What we’re trying to do
We need to validate two host parameters b_app and env before any VM is created on vSphere. The validation calls the vCenter Tagging API and ensures:

  • b_app exists as a Tag in category B_APP
  • env exists as a Tag in category ENV
  • both categories allow VirtualMachine as associable type

If either value is invalid, we must block provisioning and show an error to the user instead of creating a VM that we then have to clean up.

Problem with current events
With webhooks we only see events like:

  • Host Created, Host Destroyed, Host Facts Updated, Host Updated
  • and the Foreman event build_entered.event.foreman

These fire after the host/compute orchestration has started (or even after the VM is already created). Smart Proxy shellhooks also run during orchestration and are therefore too late to prevent the VM from being created. As a result, our validation can fail but a VM already exists in vCenter.

What we’re asking for / Questions

Is there a blocking pre-create hook/event we can use with webhooks—i.e., something equivalent to a before_create callback for host/managed—that executes before compute resource provisioning begins, and where a non-2xx response (or non-zero exit code) cancels the action?

If there is another supported mechanism (e.g., a “pre-build/pre-provision” callback for compute resources, or a built-in validation point that can call an external service and block the operation), could you point us to the documentation?

Current attempt (for context)

We implemented validation in a Webhook Template (and also in Smart Proxy shellhooks). It correctly checks vCenter tags, but because the events are post-facto, Foreman has already created the VM by the time the validation fails.

We need a synchronous, blocking hook that runs before the host/VM is created and surfaces a clear error back to the UI/API.

Desired behavior

A Foreman event/hook (e.g., host/managed before_create) that:

runs before any compute resource call,

can perform our external validation (vCenter tag lookup),

and aborts the create with a user-visible error when validation fails.

2

As far as I know Webhook was especially design to be non-blocking instead of how the older Hooks plugin worked, so I fear some custom plugin development is needed. But this would also allow for a better user experience when you get the lists for selection from vCenter and make a selection mandatory.

I know dmTECH has some custom plugin based on vSphere which could perhaps give you some inspiration: GitHub - dm-drogeriemarkt/foreman_wreckingball: Foreman plug-in to add vSphere status checks.