A Terraform module for bootstrapping Linux or Windows Virtual Machines or Virtual Machine Scale Sets via supported agents and/custom scripts.
Supported Agents:
- Azure Monitor
- Dynatrace OneAgent
- Splunk Universal Forwarder
- Tenable Nessus Agent
- Run Command
- Microsoft Antimalware
If the tenable install is failing please check that the download link has not expired as the link changes often. https://www.tenable.com/downloads
A virtual machine or virtual machine scale set.
| Name | Version |
|---|---|
| azurerm | n/a |
| azurerm.cnp | n/a |
| azurerm.dcr | n/a |
| azurerm.soc | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_script_mi_id | This variable will be used to pass Managed Identity ID when the additional script has been used | any |
null |
no |
| additional_script_name | Additional script name when using script additional_script_uri. | any |
null |
no |
| additional_script_path | Path to additional script. | any |
null |
no |
| additional_script_uri | Uri download link to additional script | any |
null |
no |
| antimalwareenabled | Enable AntiMalware Protection | string |
true |
no |
| azure_monitor_auto_upgrade_minor_version | Specifies if the platform deploys the latest minor version Azure Monitor update to the type_handler_version specified. | bool |
true |
no |
| azure_monitor_protected_settings | The protected_settings passed to the Azure Monitor extension, like settings, these are specified as a JSON object in a string. | string |
null |
no |
| azure_monitor_settings | The settings passed to the Azure Monitor extension, these are specified as a JSON object in a string. | string |
null |
no |
| azure_monitor_type_handler_version | Version of Azure Monitor - To find: az vm extension image list --location uksouth -p Microsoft.Azure.Monitor -o table | string |
"1.9" |
no |
| cnp_vault_rg | The name of the resource group where the CNP Key Vault is located. | string |
null |
no |
| common_tags | Common Tags | map(string) |
null |
no |
| custom_script_extension_name | Custom script extension name label. | string |
"HMCTSVMBootstrap" |
no |
| custom_script_type_handler_version | Type handler version number | string |
"2.1" |
no |
| custom_script_type_handler_version_windows | Type handler version number for Windows VMs | string |
"1.9" |
no |
| dynatrace_auto_upgrade_minor_version | Specifies if the platform deploys the latest minor version Dynatrace OneAgent update to the type_handler_version specified. | bool |
true |
no |
| dynatrace_hostgroup | Define the hostgroup to which the VM belongs. | string |
null |
no |
| dynatrace_network_zone | the network zone the oneagent is attached to i.e azure.cft | string |
"azure.cft" |
no |
| dynatrace_server | The server URL, if you want to configure an alternative communication endpoint. | string |
null |
no |
| dynatrace_tenant_id | The tenant ID of your Dynatrace environment. | string |
"" |
no |
| dynatrace_token | The API token of your Dynatrace environment. | string |
"" |
no |
| dynatrace_type_handler_version | Version of Dynatrace OneAgent - To find: az vm extension image list --location uksouth -p dynatrace.ruxit -o table | string |
"2.200" |
no |
| endpoint_protection_handler_version | Enable Antimalware Protection. | string |
"1.6" |
no |
| endpoint_protection_upgrade_minor_version | Specifies if the platform deploys the latest minor version Endpoint Protection update to the type_handler_version specified. | bool |
true |
no |
| env | Environment name. | string |
n/a | yes |
| install_azure_monitor | Install Azure Monitor Agent. | bool |
true |
no |
| install_docker | Should Docker and Docker Compose be installed -- Ubuntu only | bool |
false |
no |
| install_dynatrace_oneagent | Install Dynatrace OneAgent. | bool |
true |
no |
| install_endpoint_protection | Install Endpoint Protection. | bool |
true |
no |
| install_nessus_agent | Install Nessus Agent. | bool |
true |
no |
| install_splunk_uf | Install Splunk UF. | bool |
true |
no |
| location | The region in Azure that the Data collection rule will be deployed to. | string |
"UK South" |
no |
| nessus_groups | Nessus group name. | string |
"Platform-Operation-Bastions" |
no |
| nessus_key | Nessus linking key - read input from keyvault. | string |
null |
no |
| nessus_server | Nessus server endpoint - read input from keyvault. | string |
"" |
no |
| os_type | Windows or Linux. | string |
"Linux" |
no |
| rc_auto_upgrade_minor_version | n/a | bool |
false |
no |
| rc_os_sku | n/a | any |
null |
no |
| rc_script_file | A path to a local file for the script | any |
null |
no |
| realtimeprotectionenabled | Enable Realtime Protection | string |
true |
no |
| run_cis | Install CIS hardening using run command script? | bool |
false |
no |
| run_command | n/a | bool |
false |
no |
| run_command_sa_key | SA key for the run command | string |
"" |
no |
| run_command_settings | The settings passed to the Run Command extension, these are specified as a JSON object in a string. | string |
null |
no |
| run_command_type_handler_version | Type handler version number | string |
"1.0" |
no |
| run_command_type_handler_version_windows | Type handler version number for Windows VMs | string |
"1.1" |
no |
| run_xdr_agent | Install XDR agents using run command script? | bool |
false |
no |
| run_xdr_collector | Install XDR collectors using run command script? | bool |
false |
no |
| scheduledscansettings | Enable Scanning | map(string) |
{ |
no |
| soc_vault_name | The name of the SOC Key Vault. | string |
"soc-prod" |
no |
| soc_vault_rg | The name of the resource group where the SOC Key Vault is located. | string |
"soc-core-infra-prod-rg" |
no |
| splunk_group | Splunk universal forwarder global target group. | string |
"hmcts_forwarders" |
no |
| splunk_pass4symmkey | Splunk universal forwarder communication security key - read input from keyvault. | string |
null |
no |
| splunk_password | Splunk universal forwarder local admin password - read input from keyvault. | string |
null |
no |
| splunk_username | Splunk universal forwarder local admin username - read input from keyvault. | string |
null |
no |
| virtual_machine_id | Virtual machine resource id. | string |
null |
no |
| virtual_machine_scale_set_id | Virtual machine scale set resource id. | string |
null |
no |
| virtual_machine_type | vm or vmss. | string |
n/a | yes |
| xdr_env | Set environment for XDR Agent to make sure which environment it should go to, defaults to prod | string |
"prod" |
no |
| xdr_tags | XDR specific Tags | string |
"" |
no |
| Name | Description |
|---|---|
| XDR_TAGS | n/a |
This README provides instructions for logging into Redhat ELS, checking the Subscription Manager and Insights-client, and other relevant details.
To log into Redhat, use the following credentials stored in the Key Vault (KV):
Username: [email protected] Password: https://portal.azure.com/#@HMCTS.NET/asset/Microsoft_Azure_KeyVault/Secret/https://acmedcdcnpdev.vault.azure.net/secrets/redhat-portal/cd61d615bffe415f8dd6c1907df3115b
The certificate is placed under the following directory: /etc/pki/product/204.pem
Ensure that both the Subscription Manager and Insights-client are installed correctly and show an active status.
You can verify the status of both Subscription Manager and Insights-client by visiting the following inventory link:
https://console.redhat.com/insights/inventory
Both Subscription Manager and Insights-client should display an active status.
Documentation links - https://tools.hmcts.net/confluence/display/~thomas.thornton/RHEL+7+ELS+Support
For more detailed documentation, please refer to the RHEL 7 ELS Support Documentation.