Infrastructure as Code Connection Profiles

The following topics describe connection profiles for infrastructure as code platforms and services:

ConnectionProfile:AWS CloudFormation

AWS CloudFormation enables you to create, configure, test, and manage your AWS infrastructure, which is a collection of AWS services and resources.

The following examples show how to define an AWS CloudFormation connection profile.

  • This JSON creates a connection profile that authenticates with an AWS access key and secret:

    Copy
    "CLOUDFORMATION":
    {
       "Type": "ConnectionProfile:AWS CloudFormation",
       "CloudFormation URL": "https://cloudformation.us-east-1.amazonaws.com",
       "AWS Region": "us-east-1",
       "Authentication": "Secret",
       "AWS Access key": "AXHARY7B2LKRSSG124769",
       "AWS Secret": "*****",
       "Connection Timeout": "30",
       "Description": "",
       "Centralized": true
    }
  • This JSON creates a connection profile that authenticates with an AWS IAM role from inside an EC2 instance:

    Copy
    "AWS_CLOUDFORMATION_IAM"
    {
       "Type": "ConnectionProfile:AWS CloudFormation",
       "CloudFormation URL": "https://cloudformation. us-east-1.amazonaws.com",
       "AWS Region": "us-east-1",
       "Authentication": "NoSecret",
       "IAM Role": "<IAM Role Name>",
       "Connection Timeout": "30",
       "Description": "",
       "Centralized": true
    }

The following table describes the AWS CloudFormation connection profile parameters.

Parameter

Description

CloudFormation URL

Defines the AWS CloudFormation API authentication endpoint, based on the following format:

https://cloudformation.<AWSRegion>.amazonaws.com

For more information about regional endpoints available for the AWS CloudFormation service, refer to the AWS documentation.

AWS Region

Determines the region where the AWS CloudFormation jobs are located.

Authentication

Determines one of the following authentication methods:

  • Secret: Authenticates with an AWS access key and secret.

  • NoSecret: Authenticates with an AWS IAM role from within the AWS infrastructure.

AWS Access Key

Defines the AWS CloudFormation account access key.

AWS Secret

Defines the AWS CloudFormation account secret access key. You can use Secrets in Code to hide this value in the code.

IAM Role

Defines the Identity and Access Management (IAM) role for the AWS CloudFormation connection.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to AWS CloudFormation before a timeout occurs.

Default: 30

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.

ConnectionProfile:Azure Resource Manager

Azure Resource Manager enables you to create, configure, test, and manage your Azure resources infrastructure.

The following examples show how to define an Azure Resource Manager connection profile:

  • This JSON creates a connection profile that authenticates with an Azure service principal.

    Copy
    "AZURE_RESOURCE_MANAGER"
    {
       "Type": "ConnectionProfile:Azure Resource Manager",
       "Azure Base URL": "https://management.azure.com",
       "Subscription ID": "e76056e0-89de-4da3-u02e-61293103154sdvs",
       "Authentication Method": "service",
       "Azure Login URL": "https://login.microsoftonline.com",
       "Tenant ID": "52b396c5-5839-20a6-8pd9-c1fwd32314vb",
       "App ID": "8f477ya3-1a1f-4877-ma80-f35bb127145123sd",
       "Client Secret": "*****",
       "Connection Timeout": "20",
       "Description": "",
       "Centralized": true
    }
  • This JSON creates a connection profile that authenticates with a managed identity.

    Managed Identity authentication is based on an Azure token that is valid, by default, for 24 hours. Token lifetime can be extended by Azure.

    Copy
    "AZURE_RESOURCE_MANAGER_MANAGED_IDENTITY":
    {
       "Type": "ConnectionProfile:Azure Resource Manager",
       "Azure Base URL": "https://management.azure.com",
       "Subscription ID": "e76056e0-89de-4da3-u02e-61293103154sdvs",
       "Authentication Method": "identity",
       "Specify Managed Identity Client ID": "&client_id=",
       "Managed Identity Client ID": "8f477fb5-1a1f-4827-ba80-f39be561f3b8",
       "Connection Timeout": "20",
       "Description": "",
       "Centralized": true
    }

The following table describes the Azure Resource Manager connection profile parameters.

Parameter

Description

Azure Base URL

Defines the Azure Resource Manager authentication endpoint base URL.

Default: https://management.azure.com

Subscription ID

Defines the registered subscription ID for the Azure Resource Manager service.

You can retrieve the subscription ID from the Subscription menu in the Azure portal.

Authentication Method

Determines one of the following authentication types:

  • identity: Managed identity - Authenticates using an Azure Active Directory token, which removes the need to provide additional credentials.

  • service: Service Principal - Authenticates using an application ID (service account) and client secret.

Azure Login URL

(Service Principal) Defines the Azure Active Directory authentication endpoint URL.

Default: https://login.microsoftonline.com

Tenant ID

(Service Principal) Defines the Azure tenant ID, which represents your organization.

App ID

(Service Principal) Defines the Azure AD application ID for Resource Manager.

The Service Principal must be an Azure Resource Manager workspace user with a Contributor or Owner role.

Client Secret

(Service Principal) Defines the password associated with the Azure user and the Azure AD application ID. You can use Secrets in Code to hide this value in the code.

Specify Managed Identity Client ID

(Managed Identity) Determines whether the client ID for your Managed Identity is specified by the Managed Identity Client ID parameter.

Include this parameter only if you are using the Managed Identity authentication method and you have multiple Managed Identities defined on your Azure virtual machine. Set its value to &client_id=.

Managed Identity Client ID

(Managed Identity) Determines which client ID to use as the Managed Identity.

This parameter requires a value only if you have multiple Managed Identities defined on your Azure virtual machine and you included the Specify Managed Identity Client ID parameter.

If you have only one Managed Identity, it is detected automatically.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to Azure Resource Manager before a timeout occurs.

Default: 20

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.

ConnectionProfile:GCP Deployment Manager

GCP Deployment Manager enables you to create, configure, test, and manage your GCP resources infrastructure.

The following example shows how to define a GCP Deployment Manager connection profile.

This JSON creates a connection profile that authenticates with a service account:

Copy
"DEPLOY_MANAGEMENT"
{
   "Type": "ConnectionProfile:GCP Deployment Manager",
   "Identity Type": "service_account",
   "Deployment Manager URL": "https://www.googleapis.com/deploymentmanager/v2/projects/",
   "Service Account Key": "*****",
   "Connection Timeout": "30",
   "Description": "",
   "Centralized": true
}

The following table describes the GCP Deployment Manager connection profile parameters.

Parameter

Description

Identity Type

Determines one of the following authentication types using GCP Access Control:

  • service_account: Authenticates using an application ID (service account) and client secret.

  • os_user: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

Deployment Manager URL

Defines the Google Cloud Platform (GCP) authentication endpoint for Deployment Manager.

Default: https://www.googleapis.com/deploymentmanager/v2/projects/

Service Account Key

(Service Account) Defines a service account that is associated with an RSA key pair. You can use Secrets in Code to hide this value in the code.

Connection timeout

Determines the number of seconds to wait after Control-M initiates a connection request to GCP Cloud Deployment Manager before a timeout occurs.

Default: 20

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.

ConnectionProfile:Terraform

Terraform is an open-source Infrastructure as Code (IaC) tool that enables you to create, configure, test, and manage your infrastructure on multiple platforms in a declarative way, using configuration files that describe the desired state of your infrastructure.

The following example shows how to define a Terraform connection profile:

Copy
"TERRAFORM"
{
   "Type": "ConnectionProfile:Terraform",
   "Terraform Org Name": "Organization Name",
   "Token": "*****",
   "Connection Timeout": "20",
   "Description": "",
   "Centralized": true
}

The following table describes the Terraform connection profile parameters.

Parameter

Description

Terraform Org Name

Defines the organization name where the Terraform workspace is located.

Token

Defines a Terraform token for authentication of connections to the Terraform workspace. You can use Secrets in Code to hide this value in the code.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to Terraform before a timeout occurs.

Default: 20

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.