Infrastructure as Code Connection Profiles

The following topics describe connection profiles for infrastructure as code platforms and services:

ConnectionProfile:AWS CloudFormation

AWS CloudFormation enables you to create, configure, test, and manage your AWS infrastructure, which is a collection of AWS services and resources.

For more information about this plug-in, see Control-M for AWS CloudFormation.

The following examples show how to define an AWS CloudFormation connection profile.

  • This JSON creates a connection profile that authenticates with an AWS access key and secret:

    "CLOUDFORMATION":
    {
      "Type": "ConnectionProfile:AWS CloudFormation",
      "CloudFormation URL": "https://cloudformation.us-east-1.amazonaws.com",
      "AWS Region": "us-east-1",
      "Authentication": "Secret",
      "AWS Access key": "AXHARY7B2LKRSSG124769",
      "AWS Secret": "*****",
      "Connection Timeout": "30",
      "Description": "",
      "Centralized": true
    }

  • This JSON creates a connection profile that authenticates with an AWS IAM role from inside an EC2 instance:

    "AWS_CLOUDFORMATION_IAM":
    {
      "Type": "ConnectionProfile:AWS CloudFormation",
      "CloudFormation URL": "https://cloudformation.us-east-1.amazonaws.com",
      "AWS Region": "us-east-1",
      "Authentication": "NoSecret",
      "IAM Role": "<IAM Role Name>",
      "Connection Timeout": "30",
      "Description": "",
      "Centralized": true
    }

The following table describes the AWS CloudFormation connection profile parameters.

Parameter

Description

CloudFormation URL

Defines the AWS CloudFormation API authentication endpoint, based on the following format:

https://cloudformation.<AWSRegion>.amazonaws.com

For more information about regional endpoints available for the AWS CloudFormation service, refer to the AWS documentation.

AWS Region

Determines the AWS region where the job is located.

Example: us-east-2

Authentication

Determines one of the following authentication methods:

  • Secret: Authenticates with an AWS access key and secret, which are used for services outside the AWS infrastructure.

  • NoSecret: Authenticates with an AWS IAM role from within the AWS infrastructure, which removes the need to provide additional credentials.

AWS Access Key

Defines the access key assigned to the account with the relevant permissions to the AWS service.

AWS Secret

Defines the secret access key assigned to the account with the relevant permissions to the AWS service.

You can use Secrets in Code to hide this value in the code.

IAM Role

Defines the Identity and Access Management (IAM) role name for the AWS service connection.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 30

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.

ConnectionProfile:Azure Resource Manager

Azure Resource Manager enables you to create, configure, test, and manage your Azure resources infrastructure.

For more information about this plug-in, see Control-M for Azure Resource Manager.

The following examples show how to define an Azure Resource Manager connection profile:

  • This JSON creates a connection profile that authenticates with an Azure service principal.

    "AZURE_RESOURCE_MANAGER":
    {
      "Type": "ConnectionProfile:Azure Resource Manager",
      "Azure Base URL": "https://management.azure.com",
      "Subscription ID": "e76056e0-89de-4da3-u02e-61293103154sdvs",
      "Authentication Method": "service",
      "Azure Login URL": "https://login.microsoftonline.com",
      "Tenant ID": "52b396c5-5839-20a6-8pd9-c1fwd32314vb",
      "App ID": "8f477ya3-1a1f-4877-ma80-f35bb127145123sd",
      "Client Secret": "*****",
      "Connection Timeout": "20",
      "Description": "",
      "Centralized": true
    }

  • This JSON creates a connection profile that authenticates with a managed identity.

    Managed Identity authentication is based on an Azure token that is valid, by default, for 24 hours. Token lifetime can be extended by Azure.

    "AZURE_RESOURCE_MANAGER_MANAGED_IDENTITY":
    {
      "Type": "ConnectionProfile:Azure Resource Manager",
      "Azure Base URL": "https://management.azure.com",
      "Subscription ID": "e76056e0-89de-4da3-u02e-61293103154sdvs",
      "Authentication Method": "identity",
      "Specify Managed Identity Client ID": "&client_id=",
      "Managed Identity Client ID": "8f477fb5-1a1f-4827-ba80-f39be561f3b8",
      "Connection Timeout": "20",
      "Description": "",
      "Centralized": true
    }

The following table describes the Azure Resource Manager connection profile parameters.

Parameter

Description

Azure Base URL

Defines the Azure Resource Manager authentication endpoint base URL.

Default: https://management.azure.com

Subscription ID

Defines the Azure account ID of your organization.

You can retrieve the subscription ID from the Subscription menu in the Azure portal.

Authentication Method

Determines one of the following authentication methods:

  • identity: Access protected Azure services and resources based on roles assigned to the Service Principal by the Azure administrator. The Service Principal is also known as an App Registration. Use this method if the Control-M/Agent is installed on-premises or with another (non-Azure) cloud vendor.

  • service: Access protected Azure services and resources using a key created and managed by the Azure platform, without login credentials. Use this method if the Control-M/Agent is installed on an Azure virtual machine that has a Managed Identity with the required permissions.

Azure Login URL

(Service Principal) Defines the base URL of the Microsoft Entra/Azure AD authentication endpoint.

Default: https://login.microsoftonline.com

Tenant ID

(Service Principal) Defines the Azure tenant ID for your organization.

App ID

(Service Principal) Defines the Registered App for the Azure service in your Microsoft Entra/Azure AD tenant. The corresponding Service Principal must be assigned the Owner or Contributor role for the Azure service.

Client Secret

(Service Principal) Defines the password associated with the Service Principal/registered application.

You can use Secrets in Code to hide this value in the code.

Specify Managed Identity Client ID

(Managed identity authentication) Determines whether the managed identity is specified by the Managed Identity Client ID parameter.

This parameter must be included when you use the Managed Identity authentication method and there are multiple managed identities defined on your Azure VM.

Valid Values:

  • "&client_id=": The Managed Identity Client ID parameter contains the managed identity used for authentication. You must specify this value when your Azure VM has multiple managed identities.

  • "": The Managed Identity Client ID parameter does not contain a managed identity value. The managed identity is automatically retrieved from the Azure VM.

Managed Identity Client ID

(Managed identity authentication) Defines the client ID of the managed identity used for access.

This parameter requires a value only if there are multiple managed identities defined on your Azure VM and you included the Specify Managed Identity Client ID parameter.

If there is only one managed identity, it is detected automatically.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 20

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.

ConnectionProfile:GCP Deployment Manager

GCP Deployment Manager enables you to create, configure, test, and manage your GCP resources infrastructure.

For more information about this plug-in, see Control-M for GCP Deployment Manager.

The following example shows how to define a GCP Deployment Manager connection profile.

This JSON creates a connection profile that authenticates with a service account:

"DEPLOY_MANAGEMENT":
{
  "Type": "ConnectionProfile:GCP Deployment Manager",
  "Identity Type": "service_account",
  "Deployment Manager URL": "https://www.googleapis.com/deploymentmanager/v2/projects/",
  "Service Account Key": "*****",
  "Connection Timeout": "30",
  "Description": "",
  "Centralized": true
}

The following table describes the GCP Deployment Manager connection profile parameters.

Parameter

Description

Identity Type

Determines one of the following authentication types with GCP Access Control:

  • service_account: Authenticates with an application ID (service account) and client secret.

  • os_user: Authenticates based on a detected IAM role, which removes the need to provide additional credentials.

Deployment Manager URL

Defines the Google Cloud Platform (GCP) authentication endpoint for Deployment Manager.

Default: https://www.googleapis.com/deploymentmanager/v2/projects/

Service Account Key

(Service Account) Defines a service account that is associated with an RSA key pair.

You can use Secrets in Code to hide this value in the code.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 20

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.

ConnectionProfile:Terraform

Terraform is an open-source Infrastructure as Code (IaC) tool that enables you to create, configure, test, and manage your infrastructure on multiple platforms in a declarative way, using configuration files that describe the desired state of your infrastructure.

For more information about this plug-in, see Control-M for Terraform.

The following example shows how to define a Terraform connection profile:

"TERRAFORM":
{
  "Type": "ConnectionProfile:Terraform",
  "Terraform Org Name": "Organization Name",
  "Token": "*****",
  "Connection Timeout": "20",
  "Description": "",
  "Centralized": true
}

The following table describes the Terraform connection profile parameters.

Parameter

Description

Terraform Org Name

Defines the organization name where the Terraform workspace is located.

Token

Defines a Terraform token for authentication of connections to the Terraform workspace.

You can use Secrets in Code to hide this value in the code.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request before a timeout occurs.

Default: 20

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.
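
A pre-deployment check for definitions like the ones on this page, as an added example (not BMC code): it flags secret fields that carry an inline value instead of a Secrets in Code reference, profiles without Centralized set to true, a CloudFormation URL that disagrees with AWS Region, and a managed identity selector with no client ID. The function name, the sample profiles, and the {"Secret": "<name>"} reference form are assumptions.

```python
import json

# Secret-bearing fields named in the parameter tables on this page.
SECRET_FIELDS = {"AWS Secret", "Client Secret", "Service Account Key", "Token"}

# Constructed sample definitions (placeholder values, not from a real environment).
SAMPLE = json.loads("""{
  "CFN_OK": {
    "Type": "ConnectionProfile:AWS CloudFormation",
    "CloudFormation URL": "https://cloudformation.us-east-1.amazonaws.com",
    "AWS Region": "us-east-1", "Authentication": "NoSecret",
    "IAM Role": "example-role", "Centralized": true
  },
  "CFN_BAD": {
    "Type": "ConnectionProfile:AWS CloudFormation",
    "CloudFormation URL": "https://cloudformation.us-east-1.amazonaws.com",
    "AWS Region": "us-east-2", "Authentication": "Secret",
    "AWS Access key": "EXAMPLE-KEY-ID", "AWS Secret": "inline-placeholder",
    "Centralized": false
  },
  "TF_OK": {
    "Type": "ConnectionProfile:Terraform", "Terraform Org Name": "example-org",
    "Token": {"Secret": "tf_token"}, "Centralized": true
  }
}""")

def lint_profiles(profiles):
    """Return {profile name: sorted findings} for each ConnectionProfile entry."""
    report = {}
    for name, p in profiles.items():
        if not (isinstance(p, dict) and str(p.get("Type", "")).startswith("ConnectionProfile:")):
            continue
        findings = []
        for field in SECRET_FIELDS & p.keys():
            # Assumption: a Secrets in Code reference has the form {"Secret": "<name>"}.
            if not (isinstance(p[field], dict) and "Secret" in p[field]):
                findings.append(f"{field}: inline value, not a secret reference")
        if p.get("Centralized") is not True:
            findings.append("Centralized: must be true")
        url, region = p.get("CloudFormation URL"), p.get("AWS Region")
        if url and url != f"https://cloudformation.{region}.amazonaws.com":
            findings.append("CloudFormation URL: does not match AWS Region")
        if (p.get("Specify Managed Identity Client ID") == "&client_id="
                and not p.get("Managed Identity Client ID")):
            findings.append("Managed Identity Client ID: required but empty")
        report[name] = sorted(findings)
    return report

if __name__ == "__main__":
    print(json.dumps(lint_profiles(SAMPLE), indent=2))
```

Run against the masked examples on this page, the check reports every "*****" value as inline, which is the intended result for any literal string in a secret field.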