revert bootstrap-qs

adls/main.tf

@@ -0,0 +1,67 @@
+resource "random_id" "randomMachineId" {
+    keepers = {
+        # Generate a new ID only when a new resource group is defined
+        resource_group = var.resource_group_name
+    }
+    
+    byte_length = 5
+}
+
+resource "azurerm_storage_account" "saccount" {
+
+  name = var.storage_account_name != null? var.storage_account_name : "qmiadlsgen2${random_id.randomMachineId.hex}"
+
+  resource_group_name       = var.resource_group_name
+  location                  = var.location
+  account_kind              = "StorageV2"
+  account_tier              = "Standard"
+  access_tier               = "Hot"
+  account_replication_type  = "RAGRS"
+  is_hns_enabled            = "true"
+
+  tags = var.tags
+}
+
+resource "azurerm_storage_container" "scontainer" {
+
+  name                  = var.container_name != null? var.container_name : "qmicontainer"
+  storage_account_name  = azurerm_storage_account.saccount.name
+  #container_access_type = "container"
+}
+
+resource "azurerm_role_assignment" "data-contributor-role" {
+  scope                = azurerm_storage_account.saccount.id
+  role_definition_name = "Contributor"
+  principal_id         = var.tpm_app_registration_principal_id
+}
+
+resource "azurerm_role_assignment" "data-contributor-role2" {  
+  scope                = azurerm_storage_account.saccount.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = var.tpm_app_registration_principal_id
+}
+
+
+resource "azurerm_role_assignment" "data-contributor-dbricksapp1" {
+  scope                = azurerm_storage_account.saccount.id
+  role_definition_name = "Contributor"
+  principal_id         = var.dbricks_app_registration_principal_id
+}
+
+resource "azurerm_role_assignment" "data-contributor-dbricksapp2" { 
+  scope                = azurerm_storage_account.saccount.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = var.dbricks_app_registration_principal_id
+}
+
+
+###### EXTRA ASSIGN ROLE #######
+
+resource "azurerm_role_assignment" "machine_role_assignment" { 
+
+  count = var.principal_id_storage_blob_contributor != null? 1 : 0
+
+  scope                = azurerm_storage_account.saccount.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = var.principal_id_storage_blob_contributor
+}

adls/outputs.tf

@@ -0,0 +1,35 @@
+output "StorageAccount-Scope" {
+  value = azurerm_storage_account.saccount.id
+}
+
+output "StorageAccount-AccessKey" {
+  value = nonsensitive(azurerm_storage_account.saccount.primary_access_key)
+}
+
+output "StorageAccount-ConnectionString" {
+  value = nonsensitive(azurerm_storage_account.saccount.primary_connection_string)
+}
+
+output "StorageAccount-Name" {
+  value = azurerm_storage_account.saccount.name
+}
+
+output "StorageAccount-ContainerName" {
+  value = azurerm_storage_container.scontainer.name
+}
+
+output "StorageAccount-ContainerId" {
+  value = azurerm_storage_container.scontainer.id
+}
+
+output "Azure_Active_Directory_Tenant_ID" {
+  value = "c21eeb5f-f5a6-44e8-a997-124f2f7a497c"
+}
+
+output "Azure_Application_Registration_Client_ID" {
+  value = var.dbricks_app_registration_application_id
+}
+
+output "Azure_Application_Registration_Secret" {
+  value = "~qp8Q~utl~YJ3skNM9kAuq25VY~rKxxOWpaVYcnQ"
+}

adls/variable.tf

@@ -0,0 +1,38 @@
+variable "resource_group_name" {
+}
+
+variable "location" {
+  description = "The Azure Region in which the resources in this example should exist"
+  default = "East US"
+}
+
+variable "storage_account_name" {
+  default = null
+}
+
+variable "container_name" {
+  default = null
+}
+
+variable "tags" {
+    default = null
+}
+
+variable "tpm_app_registration_principal_id" {
+    description = "tpm"
+    default = "163a72e3-8ce3-4e33-baae-954383f87e3e"
+}
+
+variable "dbricks_app_registration_principal_id" {
+    description = "databricks-qmi"
+    default = "efeee17c-d2b3-4e7c-a163-9995b7d281e2"
+}
+
+variable "dbricks_app_registration_application_id" {
+    description = "databricks-qmi"
+    default = "9ccb0d99-3bba-4695-aa47-df77bf512084"
+}
+
+variable "principal_id_storage_blob_contributor" {
+  default = null
+}

appgateways/appgw-443-only/main.tf

@@ -151,6 +151,7 @@ resource "azurerm_application_gateway" "qmi-app-gw" {
     http_listener_name         = local.listener_name_https
     backend_address_pool_name  = local.backend_address_pool_qs
     backend_http_settings_name = local.http_setting_name_443
+    priority                   = 1
   }
   
 
@@ -167,6 +168,7 @@ resource "azurerm_application_gateway" "qmi-app-gw" {
     rule_type                   = "Basic"
     http_listener_name          = local.listener_name_http
     redirect_configuration_name = local.redirect_configuration_80
+    priority                    = 2
   }
 
 }

appgateways/appgw-443-only/output.tf

@@ -11,5 +11,5 @@ output "appgw_public_ip" {
 }
 
 output "appgw_backend_address_pool_0_id" {
-  value = azurerm_application_gateway.qmi-app-gw.backend_address_pool[0].id
+  value = tolist(azurerm_application_gateway.qmi-app-gw.backend_address_pool).0.id
 }

appgateways/appgw-qdc-qs/outputs.tf

@@ -10,10 +10,14 @@ output "appgw_public_ip" {
   value = azurerm_public_ip.appgw-ip.ip_address
 }
 
+locals {
+  backend_pools = tolist(azurerm_application_gateway.qmi-app-gw.backend_address_pool)
+}
+
 output "appgw_backend_address_pool_0_id" {
-  value = tolist(azurerm_application_gateway.qmi-app-gw.backend_address_pool).0.id
+  value = local.backend_pools[index(local.backend_pools.*.name, "${var.appgw_hostname}-qs-bp")].id
 }
 
 output "appgw_backend_address_pool_1_id" {
-  value = tolist(azurerm_application_gateway.qmi-app-gw.backend_address_pool).1.id
+  value = local.backend_pools[index(local.backend_pools.*.name, "${var.appgw_hostname}-qdc-bp")].id
 }

appgateways/appgw-qs/logs.tf

@@ -5,9 +5,9 @@ resource "azurerm_monitor_diagnostic_setting" "example" {
 
     log_analytics_workspace_id = var.log_analytics_workspace_id
 
-    log {
+    enabled_log {
         category = "ApplicationGatewayAccessLog"
-        enabled  = true
+        enabled= true
 
         retention_policy {
             enabled = true
@@ -15,7 +15,7 @@ resource "azurerm_monitor_diagnostic_setting" "example" {
         }
     }
 
-    log {
+    enabled_log {
         category = "ApplicationGatewayFirewallLog"
         enabled  = true
 

compose-install/main.tf

@@ -1,20 +1,9 @@
-data "azurerm_key_vault_secret" "compose-license" {
-  name         = "compose-license"
-  key_vault_id = var.key_vault_id
-}
-
-data "azurerm_key_vault_secret" "c4dw" {
-  name         = "compose-datawarehouse-license"
-  key_vault_id = var.key_vault_id
-}
-
 data "azurerm_key_vault_secret" "cert-password" {
   name         = "star-qmi-qlikpoc-com-password"
   key_vault_id = var.key_vault_id
 }
 
 locals {
-  composeLicense = (var.c_version == "c4dw")? nonsensitive(data.azurerm_key_vault_secret.c4dw.value) : nonsensitive(data.azurerm_key_vault_secret.compose-license.value)
   cert_password = nonsensitive(data.azurerm_key_vault_secret.cert-password.value)
 }
 
@@ -49,8 +38,8 @@ resource "null_resource" "install" {
     inline = [
       "powershell.exe -File C:/provision/compose-install/prep-files.ps1",
       "powershell.exe -File C:/provision/compose-install/di-compose-getBinary.ps1 -url ${var.download_url}",
-      "powershell.exe -File C:/provision/compose-install/di-compose-install.ps1 -url ${var.download_url} -version ${var.c_version}",
-      "powershell.exe -File C:/provision/compose-install/di-compose-setlicense.ps1 -composeLicense \"${local.composeLicense}\" -version ${var.c_version}",
+      "powershell.exe -File C:/provision/compose-install/di-compose-install.ps1 -url ${var.download_url}",
+      "powershell.exe -File C:/provision/compose-install/di-compose-setlicense.ps1 -version ${var.c_version}",
       "powershell.exe -File C:/provision/compose-install/di-compose-installQMICertificate.ps1 -CertPwd \"${local.cert_password}\" -version ${var.c_version}",
     ]
 

compose-install/scripts/Compose_install.iss

@@ -1,25 +1,20 @@
 [{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-DlgOrder]
 Dlg0={CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdWelcome-0
 Count=5
-Dlg1={CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdLicense2Rtf-0
+Dlg1={CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdLicenseAgreement-0
 Dlg2={CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdAskDestPath-0
 Dlg3={CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdStartCopy-0
 Dlg4={CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdFinish-0
-[{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdWelcomeMaint-0]
-Result=1
-[{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-MessageBox-0]
-Result=6
-[{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdFinish-0]
-Result=1
-bOpt1=0
-bOpt2=0
 [{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdWelcome-0]
 Result=1
-[{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdLicense2Rtf-0]
+[{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdLicenseAgreement-0]
 Result=1
 [{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdAskDestPath-0]
 szDir=C:\Program Files\Qlik\Compose\
 Result=1
 [{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdStartCopy-0]
 Result=1
-
+[{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdFinish-0]
+Result=1
+bOpt1=0
+bOpt2=0

compose-install/scripts/Compose_install_2021.8.0.iss

@@ -1,20 +0,0 @@
-[{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-DlgOrder]
-Dlg0={CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdWelcome-0
-Count=5
-Dlg1={CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdLicenseAgreement-0
-Dlg2={CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdAskDestPath-0
-Dlg3={CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdStartCopy-0
-Dlg4={CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdFinish-0
-[{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdWelcome-0]
-Result=1
-[{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdLicenseAgreement-0]
-Result=1
-[{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdAskDestPath-0]
-szDir=C:\Program Files\Qlik\Compose\
-Result=1
-[{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdStartCopy-0]
-Result=1
-[{CC3EB4FA-1694-4961-93E6-D7F0DA630806}-SdFinish-0]
-Result=1
-bOpt1=0
-bOpt2=0

compose-install/scripts/compose-license.txt

@@ -0,0 +1,21 @@
+{
+  "$type": "ComposeLicense",
+  "product": "QlikCompose",
+  "issued_to": "Attunity Americas",
+  "issued_by": "Attunity US",
+  "license_type": "EVALUATION",
+  "serial_no": "85008595",
+  "expiration_date": "2023-12-31",
+  "hosts": "",
+  "product_version": "2022.5",
+  "notes": "Qlik internal use only ",
+  "host_role": "",
+  "source_db_types": "",
+  "dwh_type": "*",
+  "dl_type": "*",
+  "number_of_dms": "0",
+  "number_of_developers": "0",
+  "managed_dwh_size": "0",
+  "issue_time": "12/15/2022 7:06:16 PM",
+  "signature": "iDk5NujmAcxcI80BSt4JaOEaSj35u0vzoRXvRcYXy4NpWJLFVvCRJ67LfVcA1WuLwHmarnYWYA+RWT0CyqpH1e4n3nZPaJAwBgnU5Z074rIUrHZi+Z5Hmgux2ptNqXJIr7S1JNc6+fBMHuG//hxYppf9Knmk+5cx5rafxNpCYUU="
+}

compose-install/scripts/di-compose-install.ps1

@@ -9,26 +9,36 @@ Intent: Install the selected version of Attunity Replicate
 #>
 
 Param(
-    [string] $url,
-    [string] $version = "gen2"
+    [string] $url
 )
 
 Import-Module $PSScriptRoot\q-helper.psm1 | Out-Null
 
 $fileName = $url.Substring($url.LastIndexOf("/") + 1)
 
+Write-Host "--- Starting di-compose-install.ps1"
+
 $bin = "$PSScriptRoot\binaries\Attunity"
 Write-Host "Binary Path $($bin)"
-Write-Host "Starting di-c4dw-install.ps1"
+
+
 $issFile = "Compose_install.iss"
 
-if ( $version -ne "gen2" ) {
-    $issFile = "Compose_install_$version.iss" 
+if ( $url -Match "2021.2" ) {
+	$issFile="Compose_install_2021.2.0.iss"
+}
+if ( $url -Match "Attunity_Compose_for_Data_Warehouses" ) {
+	$issFile="Compose_install_c4dw.iss"
 }
 
+Write-Host "Using ISS file: $issFile"
 
 Write-Host $bin\$fileName
 
+if (Test-Path "$($bin)\Compose_silent_x64_install.log") {
+	Remove-Item -Path "$($bin)\Compose_silent_x64_install.log" -Force
+}
+
 If ((Test-Path $bin\$fileName))
 {
 	Write-Host "Installing Attunity Compose from $($bin)\$($fileName)"
@@ -40,16 +50,16 @@ If ((Test-Path $bin\$fileName))
 	$exec = Get-ChildItem $bin\$fileNoExtension\*.exe | Select-Object -ExpandProperty Name
     #Write-Host "Exec: $($exec)"
 
-    $C4DWInstall = "$($bin)\$($fileNoExtension)\$($exec) /s /f1$($PSScriptRoot)\$($issFile) /f2$($bin)\Compose_silent_x64_install.log"
+    $silentInstall = "$($bin)\$($fileNoExtension)\$($exec) /s /f1$($PSScriptRoot)\$($issFile) /f2$($bin)\Compose_silent_x64_install.log"
 
-	Write-Host "Run Compose silent installation : $($C4DWInstall)"
-    Invoke-Expression $C4DWInstall
+	Write-Host "Run Compose silent installation : $($silentInstall)"
+    Invoke-Expression $silentInstall
     while (!(Test-Path "$($bin)\Compose_silent_x64_install.log")) { 
         Write-Host "[Waiting Compose to be installed] ..."
         Start-Sleep 2
     }
-	$C4DWResults = Get-IniFile "$($bin)\Compose_silent_x64_install.log"
-	$testResult = $C4DWResults.ResponseResult.ResultCode
+	$resultLogs = Get-IniFile "$($bin)\Compose_silent_x64_install.log"
+	$testResult = $resultLogs.ResponseResult.ResultCode
 	Write-Host "Installation return code : $($testResult)"
 
 }

compose-install/scripts/di-compose-installQMICertificate.ps1

@@ -6,6 +6,11 @@ Param(
 
 try {
     Write-Host "Install qmi_qlik-poc_com certificate on Windows"
+
+    $ProgressPreference = 'SilentlyContinue'
+    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+    (New-Object System.Net.WebClient).DownloadFile("https://gitlab.com/qmi/qmi-cloud-tf-modules/-/raw/master/qmicerts/wildcard_qmi_qlik-poc_com.pfx", "$PSScriptRoot\wildcard_qmi_qlik-poc_com.pfx") 
+
     $secpasswd = ConvertTo-SecureString $CertPwd -AsPlainText -Force
     $sslCert = Import-PfxCertificate -FilePath $PSScriptRoot/wildcard_qmi_qlik-poc_com.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $secpasswd
     $thumb=$($sslCert.Thumbprint)

compose-install/scripts/di-compose-setlicense.ps1

@@ -9,14 +9,10 @@ Intent: Setting the DBs
 #>
 
 Param(
-    [string] $composeLicense,
     [string] $version = 'gen2'
 )
 
-Write-Host "ComposeLicenseJSON"
-Write-Host $composeLicense
-
-Set-Content $PSScriptRoot\compose-license.txt $composeLicense
+Write-Host "--- Setting Compose License"
 
 # TODO set license
 $bin = "C:\Program Files\Qlik\Compose\bin\"
@@ -26,16 +22,18 @@ if ( $version -eq "c4dw" ) {
 $bin = $bin -replace ' ','` '
 
 $cmd = "$($bin)ComposeCli.exe connect"
-Write-Host "Connect to Compose: $($cmd)"
+Write-Host "--- Connect to Compose: $($cmd)"
 $cmd = "$($bin)ComposeCli.exe connect"
 Invoke-Expression $cmd
 
 Start-Sleep 5
 
-if ( $version -eq "2021.8.0" ) {
-    $cmd = "$($bin)ComposeCli.exe register_license --infile $PSScriptRoot\compose-license.txt"
-} else {
+if ( $version -eq "2022.2.0" -or $version -eq "c4dw") {
+    # Old way
     $cmd = "$($bin)ComposeCli.exe register_license --req @$PSScriptRoot\compose-license.txt"
+} else {
+    # New way
+    $cmd = "$($bin)ComposeCli.exe register_license --infile $PSScriptRoot\compose-license.txt"
 }
 Write-Host "Apply Compose License: $($cmd)"
 Invoke-Expression $cmd

databases/aws-rds/main.tf

@@ -15,12 +15,15 @@ locals {
   aurora               = (var.engine == "aurora-mysql") ? true : (var.engine == "aurora-postgresql") ? true : false
   vpc_id               = (var.region == "eu-west-1") ? var.vpc_id_eu : (var.region == "us-east-1") ? var.vpc_id_us : var.vpc_id_ap
   subnet_ids           = (var.region == "eu-west-1") ? var.subnet_ids_eu : (var.region == "us-east-1") ? var.subnet_ids_us : var.subnet_ids_ap
-  port                 = (var.engine == "oracle-se2") ? "1521" : (var.engine == "postgres") ? "5432" : (var.engine == "aurora-postgresql") ? "5432" : (var.engine == "sqlserver-ex") ? "1433" : "3306"
+  
   name                 = (var.engine == "sqlserver-ex") ? null : (var.engine == "oracle-se2") ? "ora${local.provid5}" : "qmi${var.provision_id}"
   license              = (local.aurora == true) ? "general-public-license" : (var.engine == "mariadb") ? "general-public-license" : (var.engine == "postgres") ? "postgresql-license" : (var.engine == "mysql") ? "general-public-license" : "license-included"
-  engine_version       = (var.engine == "oracle-se2") ? "19.0.0.0.ru-2021-04.rur-2021-04.r1" : (var.engine == "postgres") ? "13.3" : (var.engine == "mysql") ? "8.0.25" : (var.engine == "aurora-postgresql") ? "12.6" : (var.engine == "aurora-mysql") ? "5.7.mysql_aurora.2.10.0" : (var.engine == "sqlserver-ex") ? "15.00.4073.23.v1" : "10.5"   #mariaDB
-  major_engine_version = (var.engine == "oracle-se2") ? "19" : (var.engine == "postgres") ? "13" : (var.engine == "mysql") ? "8.0" : (var.engine == "aurora-postgresql") ? "12" : (var.engine == "aurora-mysql") ? "5.7" : (var.engine == "sqlserver-ex") ? "15.00" : "10.5"                                                                         #mariaDB
-  family               = (var.engine == "oracle-se2") ? "oracle-se2-19" : (var.engine == "postgres") ? "postgres13" : (var.engine == "mysql") ? "mysql8.0" : (var.engine == "aurora-postgresql") ? "aurora-postgresql12" : (var.engine == "aurora-mysql") ? "aurora-mysql5.7" : (var.engine == "sqlserver-ex") ? "sqlserver-ex-15.0" : "mariadb10.5" #mariaDB
+  
+  port                 = var.port[var.engine] 
+  engine_version       = var.engine_version[var.engine]
+  major_engine_version = var.major_engine_version[var.engine]
+  family               = var.family[var.engine]
+
   tags = {
     Deployment = "QMI PoC"
     "Cost Center" = "3100"

databases/aws-rds/variables.tf

@@ -38,21 +38,6 @@ variable "engine" {
   description = "Accepted values are mysql, sqlserver-ex, postgres, oracle-se2, aurora-mysql, aurora-postgresql, mariadb"
 }
 
-variable "engine_version" {
-  default = "8.0.25"
-  description = "Not currently used"
-}
-
-variable "major_eng" {
-  default = "8.0"
-  description = "Not currently used"
-}
-
-variable "family" {
-  default = "mysql8.0"
-  description = "Not currently used"
-}
-
 variable "instance_size" {
   default = "db.t3.large"
 }
@@ -60,3 +45,64 @@ variable "instance_size" {
 variable "storage" {
   default = "20"
 }
+
+variable "engine_version" {
+  type = map
+
+  default = {
+    "mysql"  = "8.0.32"
+    "postgres"  = "13.3" 
+    "oracle-se2"  = "19.0.0.0.ru-2023-04.rur-2023-04.r1"
+    "sqlserver-ex" = "15.00.4236.7.v1"
+    "mariadb" = "10.5"
+    "aurora-mysql" = "8.0.mysql_aurora.3.02.3" #"5.7.mysql_aurora.2.11.2"
+    "aurora-postgresql"  = "14.5"
+  }
+  
+}
+
+variable "major_engine_version" {
+  type = map
+
+  default = {
+    "mysql"  = "8.0"  
+    "postgres"  = "13"
+    "oracle-se2"  = "19"
+    "sqlserver-ex" = "15.00"
+    "mariadb" = "10.5"
+    # for script compatibility only
+    "aurora-mysql" = "not_used"
+    "aurora-postgresql"  = "not_used"
+  }
+  
+}
+
+
+variable "family" {
+  type = map
+
+  default = {
+    "mysql"  = "mysql8.0"
+    "postgres"  = "postgres13"
+    "oracle-se2"  = "oracle-se2-19"
+    "sqlserver-ex" = "sqlserver-ex-15.0"
+    "mariadb" = "mariadb10.5"
+    # for script compatibility only
+    "aurora-mysql" = "not_used"
+    "aurora-postgresql"  = "not_used"
+  }
+}
+
+variable "port" {
+  type = map
+
+  default = {
+    "mysql"  = "3306"
+    "postgres"  = "5432"
+    "oracle-se2"  = "1521"
+    "sqlserver-ex" = "1433"
+    "mariadb" = "3306"
+    "aurora-mysql" = "3306"
+    "aurora-postgresql"  = "5432"
+  }
+}

databases/azure-hdinsight-hadoop/main.tf

@@ -0,0 +1,107 @@
+
+resource "random_password" "password1" {
+  length = 16
+  special = true
+  override_special = "_!@"
+  upper = true
+  lower = true
+  min_numeric = 2
+  min_lower = 2
+  min_upper = 2
+  min_special = 2
+}
+
+resource "random_password" "password2" {
+  length = 16
+  special = true
+  override_special = "_!@"
+  upper = true
+  lower = true
+  min_numeric = 2
+  min_lower = 2
+  min_upper = 2
+  min_special = 2
+}
+
+resource "random_id" "randomMachineId" {
+    keepers = {
+        # Generate a new ID only when a new resource group is defined
+        resource_group = var.resource_group_name
+    }
+    
+    byte_length = 5
+}
+
+resource "azurerm_storage_account" "example" {
+  name                     = "hdinsightstor${random_id.randomMachineId.hex}"
+  resource_group_name      = var.resource_group_name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+
+  tags = var.tags
+}
+
+resource "azurerm_storage_container" "example" {
+  name                  = "hdinsight"
+  storage_account_name  = azurerm_storage_account.example.name
+  container_access_type = "private"
+}
+
+resource "azurerm_role_assignment" "data-contributor-dbricksapp1" {
+  scope                = azurerm_storage_account.example.id
+  role_definition_name = "Contributor"
+  principal_id         = var.dbricks_app_registration_principal_id
+}
+
+resource "azurerm_role_assignment" "data-contributor-dbricksapp2" { 
+  scope                = azurerm_storage_account.example.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = var.dbricks_app_registration_principal_id
+}
+
+resource "azurerm_hdinsight_hadoop_cluster" "example" {
+  name                = "hdicluster-${var.provision_id}"
+  resource_group_name = var.resource_group_name
+  location            = var.location
+  cluster_version     = "4.0"
+  tier                = "Standard"
+
+  tags = var.tags
+
+  component_version {
+    hadoop = "3.1"
+  }
+
+  gateway {
+    username = "acctestusrgw"
+    password = random_password.password1.result
+  }
+
+  storage_account {
+    storage_container_id = azurerm_storage_container.example.id
+    storage_account_key  = azurerm_storage_account.example.primary_access_key
+    is_default           = true
+  }
+
+  roles {
+    head_node {
+      vm_size  = "Standard_D3_V2"
+      username = "acctestusrvm"
+      password = random_password.password2.result
+    }
+
+    worker_node {
+      vm_size               = "Standard_D3_V2"
+      username              = "acctestusrvm"
+      password              = random_password.password2.result
+      target_instance_count = 2
+    }
+
+    zookeeper_node {
+      vm_size  = "Standard_D3_V2"
+      username = "acctestusrvm"
+      password = random_password.password2.result
+    }
+  }
+}

databases/azure-hdinsight-hadoop/outputs.tf

@@ -0,0 +1,59 @@
+output "gateway-creds" {
+  value = {
+    username = "acctestusrgw"
+    password = nonsensitive(random_password.password1.result)
+  }
+}
+
+output "cluster-creds" {
+  value = {
+    username = "acctestusrvm"
+    password = nonsensitive(random_password.password2.result)
+  }
+}
+
+output "https_endpoint" {
+    value = azurerm_hdinsight_hadoop_cluster.example.https_endpoint
+}
+
+output "ssh_endpoint" {
+  value = azurerm_hdinsight_hadoop_cluster.example.ssh_endpoint
+}
+
+
+output "Azure_Active_Directory_Tenant_ID" {
+  value = "c21eeb5f-f5a6-44e8-a997-124f2f7a497c"
+}
+
+output "Azure_Application_Registration_Client_ID" {
+  value = var.dbricks_app_registration_application_id
+}
+
+output "Azure_Application_Registration_Secret" {
+  value = "~qp8Q~utl~YJ3skNM9kAuq25VY~rKxxOWpaVYcnQ"
+}
+
+
+output "adls_StorageAccount-Name" {
+  value = azurerm_storage_account.example.name
+}
+
+output "adls_StorageAccount-ContainerName" {
+  value = azurerm_storage_container.example.name
+}
+
+output "adls_StorageAccount-AccessKey" {
+  value = nonsensitive(azurerm_storage_account.example.primary_access_key)
+}
+
+output "adls_Azure_Active_Directory_Tenant_ID" {
+  value = "c21eeb5f-f5a6-44e8-a997-124f2f7a497c"
+}
+
+output "adls_Azure_Application_Registration_Client_ID" {
+  value = var.dbricks_app_registration_application_id
+}
+
+output "adls_Azure_Application_Registration_Secret" {
+  value = "~qp8Q~utl~YJ3skNM9kAuq25VY~rKxxOWpaVYcnQ"
+}

databases/azure-hdinsight-hadoop/variables.tf

@@ -0,0 +1,26 @@
+variable "resource_group_name" {
+  type = string
+}
+
+variable "provision_id" {
+  type = string
+}
+
+variable "location" {
+  type = string
+  default = "EAST US"
+}
+
+variable "tags" {
+    default = null
+}
+
+variable "dbricks_app_registration_principal_id" {
+    description = "databricks-qmi"
+    default = "efeee17c-d2b3-4e7c-a163-9995b7d281e2"
+}
+
+variable "dbricks_app_registration_application_id" {
+    description = "databricks-qmi"
+    default = "9ccb0d99-3bba-4695-aa47-df77bf512084"
+}

databases/dbricks/main.tf

@@ -5,65 +5,18 @@ terraform {
   required_providers {
     databricks = {
       source = "databricks/databricks"
-      version = ">= 0.3.0"
+      version = ">= 1.13.0"
     }
   }
 }
 
+
 locals {
-  myRegex = "/[^[:alpha:]]/"
-  splitLower = split(" ", lower(var.user_id))
-  np0 = replace(element(local.splitLower,0), local.myRegex, "")
-  np1 = replace(element(local.splitLower,1), local.myRegex, "")
-  c_n1 = substr(local.np0, 0, 3)
-  c_n2 = substr(local.np1, 0, 1)
-  c_n3 = substr(strrev(local.np1), 0, 1)
-  
-  cluster_name = var.cluster_name != null? var.cluster_name : "${local.c_n1}${local.c_n2}${local.c_n3}"
-
-}
-
-resource "azurerm_databricks_workspace" "dbricksws" {
-
-  count = var.enabled == true? 1 : 0
-
-  location                      = var.location
-  name                          = "${local.cluster_name}-qlikdbricks-ws"
-  resource_group_name           = var.resource_group_name
-  sku                           = "standard"
-
-  tags = {
-    Deployment = "QMI PoC"
-    "Cost Center" = "3100"
-    QMI_user = var.user_id
-  }
-
-}
-
-resource "azurerm_role_assignment" "contributor-dbricks" {
-
-  count = var.enabled == true? 1 : 0
-  
-  scope                = azurerm_databricks_workspace.dbricksws[0].id
-  role_definition_name = "Contributor"
-  principal_id         = var.app_registration_principal_id
-}
-
-provider "databricks" {
-  alias = "mws"
-
-  azure_workspace_resource_id = var.enabled == true? azurerm_databricks_workspace.dbricksws[0].id : null
-  azure_client_id             = var.enabled == true? "9b4761fd-4823-4f9d-ab3a-a95af38e7c29" : null
-  azure_client_secret         = var.enabled == true? "FWH7Q~ByC.U5zNh0BaIDdK_poyxoy4SxW8hi1" : null
-  azure_tenant_id             = var.enabled == true? "c21eeb5f-f5a6-44e8-a997-124f2f7a497c" : null
+  cluster_nameUpper = upper(var.cluster_name)
 }
 
 /*resource "databricks_workspace_conf" "this" {
-
-  count = var.enabled == true? 1 : 0
   
-  provider = databricks.mws
-
   custom_config = {
     "enableIpAccessLists" : true
   }
@@ -71,10 +24,6 @@ provider "databricks" {
 
 resource "databricks_ip_access_list" "allowed-list" {
 
-  count = var.enabled == true? 1 : 0
-
-  provider = databricks.mws
-
   label     = "allow_in"
   list_type = "ALLOW"
   ip_addresses = [
@@ -107,41 +56,101 @@ resource "databricks_ip_access_list" "allowed-list" {
 }*/
 
 
-resource "databricks_user" "me" {
-  provider = databricks.mws
-  count = var.enabled == true? 1 : 0
+data "databricks_group" "admins" {
+  display_name = "admins"
+}
 
-  depends_on = [
-    azurerm_role_assignment.contributor-dbricks
-  ]
+
+resource "databricks_user" "aor" {
+  count = lower(var.user_email) != "aor@qlik.com"? 1 : 0
+  
+  allow_cluster_create = true
+  databricks_sql_access = true
+
+  user_name = "aor@qlik.com"
+  display_name = "Manuel Romero"
+}
+
+resource "databricks_user" "me" {
+
+  allow_cluster_create = true
+  databricks_sql_access = true
 
   user_name = var.user_email
   display_name = var.user_id
 }
 
 
+resource "databricks_group_member" "i-am-admin" {
+  group_id  = data.databricks_group.admins.id
+  member_id = databricks_user.me.id
+}
 
-resource "databricks_token" "pat" {
-  provider = databricks.mws
-  count = var.enabled == true? 1 : 0
-  
+
+resource "databricks_group_member" "i-am-admin-aor" {
+  count = lower(var.user_email) != "aor@qlik.com"? 1 : 0
+  group_id  = data.databricks_group.admins.id
+  member_id = databricks_user.aor[0].id
+}
+
+resource "databricks_secret_scope" "scopeapp" {
+
+    count = (var.sku == "premium")? 1 : 0
+
+    name = "${var.cluster_name}scope"
+}
+resource "databricks_secret" "publishing_api" {
+
+    count = (var.sku == "premium")? 1 : 0
+
+    key = "accesskey"
+    string_value = var.app_reg_secret
+    scope = databricks_secret_scope.scopeapp[0].name
+}
+
+resource "databricks_sql_endpoint" "sqlep" {
+
+  count = (var.sku == "premium")? 1 : 0
+
+  name             = "${local.cluster_nameUpper} SQL warehouse"
+  cluster_size     = var.cluster_size
+  max_num_clusters = 1
+
+}
+
+resource "databricks_sql_global_config" "this" {
+
+  count = (var.sku == "premium")? 1 : 0
+
+  security_policy      = "DATA_ACCESS_CONTROL"
+  data_access_config = {
+    "spark.hadoop.fs.azure.account.auth.type.${var.storage_account_name}.dfs.core.windows.net" : "OAuth",
+    "spark.hadoop.fs.azure.account.oauth.provider.type.${var.storage_account_name}.dfs.core.windows.net": "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider",
+    "spark.hadoop.fs.azure.account.oauth2.client.id.${var.storage_account_name}.dfs.core.windows.net" : var.app_reg_id,
+    "spark.hadoop.fs.azure.account.oauth2.client.secret.${var.storage_account_name}.dfs.core.windows.net" : "{{secrets/${var.cluster_name}scope/accesskey}}",
+    "spark.hadoop.fs.azure.account.oauth2.client.endpoint.${var.storage_account_name}.dfs.core.windows.net": "https://login.microsoftonline.com/c21eeb5f-f5a6-44e8-a997-124f2f7a497c/oauth2/token"
+  }
+
+  enable_serverless_compute = false
+  sql_config_params = {}
+}
+
+
+
+resource "databricks_token" "pat" {  
   depends_on = [
-    azurerm_role_assignment.contributor-dbricks,
-    databricks_user.me
+    databricks_user.me,
+    databricks_user.aor
   ]
   comment  = "qmi"
   lifetime_seconds = 8640000
 }
 
 resource "databricks_cluster" "dbrickscluster" {
-  provider = databricks.mws
-  count = (var.enabled == true && var.create_cluster == true)? 1 : 0
+  count = (var.cluster_name != null)? 1 : 0
 
-  depends_on = [
-    azurerm_role_assignment.contributor-dbricks
-  ]
 
-  cluster_name  = "cluster-${local.cluster_name}"
+  cluster_name  = "cluster-${var.cluster_name}"
   spark_version = var.spark_version
   node_type_id  = var.node_type_id
 
@@ -150,9 +159,12 @@ resource "databricks_cluster" "dbrickscluster" {
     "spark.databricks.delta.preview.enabled": true,
     "spark.databricks.repl.allowedLanguages": "sql,python,r",
     "spark.databricks.cluster.profile": "serverless",
-    "fs.azure.account.key.${var.storage_account_name}.dfs.core.windows.net": var.storage_account_accesskey
+    "fs.azure.account.key.${var.storage_account_name}.dfs.core.windows.net": var.storage_account_accesskey,
+    "spark.databricks.delta.properties.defaults.autoOptimize.autoCompact": true,
+    "spark.databricks.delta.properties.defaults.autoOptimize.optimizeWrite": true
   } 
 
+
   spark_env_vars = {
       "PYSPARK_PYTHON": "/databricks/python3/bin/python3"
   }
@@ -162,5 +174,5 @@ resource "databricks_cluster" "dbrickscluster" {
     max_workers = 4
   }
 
-  autotermination_minutes = 120
+  autotermination_minutes = 45
 }

databases/dbricks/outputs.tf

@@ -1,11 +1,25 @@
-output "databricks_workspace_url" {
-    value = var.enabled? azurerm_databricks_workspace.dbricksws[0].workspace_url : null
+output "cluster_id" {
+  value = (var.cluster_name != null)? databricks_cluster.dbrickscluster[0].id : null
 }
 
 output "databricks_token" {
-    value = var.enabled? nonsensitive(databricks_token.pat[0].token_value) : null
+    value = nonsensitive(databricks_token.pat.token_value)
 }
 
 output "cluster_name" {
-    value = "cluster-${local.cluster_name}"
-}
+    value = "cluster-${var.cluster_name}"
+}
+
+output "sql_endpoint_jdbc_url" {
+    value = var.sku == "premium"? databricks_sql_endpoint.sqlep[0].jdbc_url : null
+}
+
+output "sql_endpoint_data_source_id" {
+    value = var.sku == "premium"? databricks_sql_endpoint.sqlep[0].data_source_id : null
+}
+
+output "sql_endpoint_odbc_params" {
+    value = var.sku == "premium"? databricks_sql_endpoint.sqlep[0].odbc_params : null
+}
+
+ 

databases/dbricks/varaibles.tf

@@ -1,11 +1,3 @@
-variable "location" {
-    default = "East US"
-}
-
-variable "resource_group_name" {
-
-}
-
 variable "cluster_name" {
     default = null
 }
@@ -22,23 +14,26 @@ variable "user_id" {
 variable "user_email" {
 }
 
-variable "app_registration_principal_id" {
-    description = "tpm"
-    default = "163a72e3-8ce3-4e33-baae-954383f87e3e"
-}
-
-variable "enabled" {
-    default = false
-}
-
-variable "create_cluster" {
-    default = false
-}
-
 variable "spark_version" {
-    default = "7.3.x-scala2.12"
+    default = "10.4.x-scala2.12"
 }
 
 variable "node_type_id" {
     default = "Standard_DS3_v2"
+}
+
+variable "sku" {
+    default = "standard"
+}
+
+variable "app_reg_id" {
+  default = null
+}
+
+variable "app_reg_secret" {
+  default = null
+}
+
+variable "cluster_size" {
+  default = "Small"
 }

databases/firewall_ips/output.tf

@@ -7,6 +7,9 @@ locals {
   }
 
   q_routes = {
+    AMER_FULLVPN1   = ["144.121.57.103", "144.121.57.103"]
+    AMER_FULLVPN2   = ["50.239.179.6", "50.239.179.6"]
+    EMEA_FULLVPN   = ["193.15.228.246", "193.15.228.246"]
     ITG         = ["188.65.156.32", "188.65.156.47"]
     ITG1        = ["212.73.252.96", "212.73.252.103"]
     kfar_saba   = ["194.90.96.176", "194.90.96.183"]
@@ -60,6 +63,10 @@ output "ips" {
 
 output "cidr_blocks" {
   value = [
+    # EMEA/AMER FULL VPN TUNNEL
+    "144.121.57.103/32",
+    "193.15.228.246/32",
+    "50.239.179.6/32",
     # Azure QMI machines
     "52.249.189.38/32", 
     "13.67.39.86/32", 
@@ -98,6 +105,14 @@ output "cidr_blocks" {
     "3.24.52.178/32",
     "54.169.84.213/32",
     "13.213.173.37/32",
-    "13.213.113.162/32"
+    "13.213.113.162/32",
+    # QCS STAGING
+    "18.233.22.130/32",
+    "18.205.135.40/32",
+    "35.169.201.36/32",
+    "18.155.181.46/32",
+    "18.155.181.25/32",
+    "18.155.181.128/32",
+    "18.155.181.76/32"
   ]
 }

databases/synapse-ws/main.tf

@@ -33,6 +33,9 @@ resource "azurerm_synapse_workspace" "synapsews" {
   sql_administrator_login              = var.sql_administrator_login
   sql_administrator_login_password     = var.sql_administrator_login_password
 
+
+  managed_virtual_network_enabled      = true
+
   identity {
     type = "SystemAssigned"
   }

linux-common/centos/common/extract-certs.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+
+BASEDIR=$(dirname "$0")
+
+mkdir -p $BASEDIR/qmicerts
+wget --quiet https://gitlab.com/qmi/qmi-cloud-tf-modules/-/raw/master/qmicerts/wildcard_qmi_qlik-poc_com.pfx -O $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.pfx
+
+PASSWORD=$1
+# Extract the private key
+openssl pkcs12 -in $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.pfx -nocerts -nodes -out $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.key -passin pass:$PASSWORD
+# Extract the public key
+openssl pkcs12 -in $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.pfx -clcerts -nokeys -out $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.crt -passin pass:$PASSWORD
+# Extract the CA cert chain
+openssl pkcs12 -in $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.pfx -cacerts -nokeys -chain -out $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com-ca.crt -passin pass:$PASSWORD
+
+cat $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.crt $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com-ca.crt >> $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com-fullchain.crt
+
+rm -fr $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.crt $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com-ca.crt
+
+echo $PASSWORD > $BASEDIR/qmicerts/pfx-cert-password.txt

linux-common/centos/common/falcon.sh

@@ -1,20 +1,22 @@
 #!/bin/bash
 
+echo "--- Executing: $0 $@"
+
 BASEDIR=$(dirname "$0")
 
-
-centos_ver=`rpm --eval %{centos_ver}`
+cVer=`rpm -E %{rhel}`
 binary='falcon-sensor-5.29.0-9403.el7.x86_64.rpm'
-if [ $centos_ver -eq '8' ]; then
+if [ $cVer -eq '8' ]; then
     binary='falcon-sensor-5.27.0-9104.el8.x86_64.rpm'
 fi
-echo $binary
 
-
-echo "Installing CrowdStrike falcon agent"
+echo "--- Installing CrowdStrike falcon agent --> $binary"
 echo "CID=$1"
+
+wget --quiet https://d7ipctdjxxii4.cloudfront.net/others/$binary -O $BASEDIR/$binary
+
 if ! rpm -qa | grep -qw falcon-sensor; then
-    sudo yum install $BASEDIR/$binary -y
+    sudo yum -y --quiet install $BASEDIR/$binary
 fi
 sudo /opt/CrowdStrike/falconctl -s -f --cid=$1
 sudo systemctl start falcon-sensor 

linux-common/centos/common/resizedisk.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+echo "--- Executing: $0 $@"
+
 echo "Resizing main partition to max available disk"
 (
 echo u # Change the units to sectors

linux-common/centos/common/save-cert.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+BASEDIR=$(dirname "$0")
+
+echo $1 > $BASEDIR/qmicerts/myserver.crt
+
+echo $2 > $BASEDIR/qmicerts/myserver.key
+
+

linux-common/centos/common/tenable.sh

@@ -1,14 +1,23 @@
 #!/bin/bash
 
+echo "--- Executing: $0 $@"
+
 BASEDIR=$(dirname "$0")
 
-echo "Installing Tenable Nessus Agent..."
 KEY=$1
 echo "KEY=$KEY"
 
-sudo yum install $BASEDIR/NessusAgent-10.2.0-es7.x86_64.rpm -y
+cVer=`rpm -E %{rhel}`
 
-echo "Linking Tenable Nessus Agent..."
+FILE="NessusAgent-10.2.1-es$cVer.x86_64.rpm"
+
+echo "--- Installing Tenable Nessus Agent --> $FILE"
+
+wget --quiet https://d7ipctdjxxii4.cloudfront.net/others/$FILE -O $BASEDIR/$FILE
+
+sudo /bin/yum -y --quiet install $BASEDIR/$FILE -y
+
+echo "--- Linking Tenable Nessus Agent..."
 sudo /bin/systemctl start nessusagent.service
 sudo /opt/nessus_agent/sbin/nessuscli agent link --key=$KEY --groups="Qlik IT Cloud Agents" --host=cloud.tenable.com --port=443
 

linux-common/centos/common/update.sh

@@ -0,0 +1,2 @@
+echo 'Updating OS. This will take a around 10 minutes'
+yum -y --quiet update

linux-common/main.tf

@@ -8,14 +8,27 @@ data "azurerm_key_vault_secret" "tenable-key" {
   key_vault_id = var.key_vault_id
 }
 
+data "azurerm_key_vault_secret" "cert_password" {
+  name         = "star-qmi-qlikpoc-com-password"
+  key_vault_id = var.key_vault_id
+}
+
+#data "azurerm_key_vault_certificate_data" "cert-data" {
+#  name         = "star-qmi-qlikpoc-com-cert"
+#  key_vault_id = var.key_vault_id
+#}
+
+
 locals {
   falcon_id     = nonsensitive(data.azurerm_key_vault_secret.cid.value)
   tenable_key   = nonsensitive(data.azurerm_key_vault_secret.tenable-key.value)
-}
+  cert_password = nonsensitive(data.azurerm_key_vault_secret.cert_password.value)
+  #cert_pem =  nonsensitive(data.azurerm_key_vault_certificate_data.cert-data.pem)
+  #cert_key =  nonsensitive(data.azurerm_key_vault_certificate_data.cert-data.key)
+} 
 
-resource "null_resource" "post-linux-vm" {
-    
-    provisioner "file" {
+resource "null_resource" "files" {
+  provisioner "file" {
         connection {
             type     = "ssh"
             host     = var.private_ip_address
@@ -27,6 +40,13 @@ resource "null_resource" "post-linux-vm" {
         source      = "${path.module}/${var.os_type}/common"
         destination = "/home/${var.admin_username}"
     }
+}
+
+resource "null_resource" "post-linux-vm" {
+    
+    depends_on = [
+      null_resource.files
+    ]
 
     provisioner "remote-exec" {
         connection {
@@ -43,6 +63,35 @@ resource "null_resource" "post-linux-vm" {
             "sudo /home/${var.admin_username}/common/falcon.sh '${local.falcon_id}'",
             "sudo /home/${var.admin_username}/common/resizedisk.sh",
             "sudo /home/${var.admin_username}/common/tenable.sh '${local.tenable_key}'",
+            "sudo /home/${var.admin_username}/common/extract-certs.sh '${local.cert_password}'",
+            #"sudo /home/${var.admin_username}/common/save-cert.sh '${local.cert_pem}' '${local.cert_key}'",
         ]
     }
-}
+}
+
+resource "null_resource" "update" {
+
+  count = var.update? 1 : 0
+
+  depends_on = [
+      null_resource.files,
+      null_resource.post-linux-vm
+  ]
+
+  provisioner "remote-exec" {
+        connection {
+            type     = "ssh"
+            host     = var.private_ip_address
+            user     = var.admin_username
+            password = var.admin_password
+            timeout  = "60s"
+            #private_key = "${file("~/.ssh/id_rsa")}"
+        }
+
+        inline = [
+            "echo ${var.admin_password} | sudo -S chmod u+x /home/${var.admin_username}/common/*.sh",
+            "sudo /home/${var.admin_username}/common/update.sh",
+        ]
+  }
+}
+

linux-common/ubuntu/common/extract-certs.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+
+BASEDIR=$(dirname "$0")
+
+mkdir -p $BASEDIR/qmicerts
+wget --quiet https://gitlab.com/qmi/qmi-cloud-tf-modules/-/raw/master/qmicerts/wildcard_qmi_qlik-poc_com.pfx -O $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.pfx
+
+PASSWORD=$1
+# Extract the private key
+openssl pkcs12 -in $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.pfx -nocerts -nodes -out $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.key -passin pass:$PASSWORD
+# Extract the public key
+openssl pkcs12 -in $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.pfx -clcerts -nokeys -out $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.crt -passin pass:$PASSWORD
+# Extract the CA cert chain
+openssl pkcs12 -in $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.pfx -cacerts -nokeys -chain -out $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com-ca.crt -passin pass:$PASSWORD
+
+cat $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.crt $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com-ca.crt >> $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com-fullchain.crt
+
+rm -fr $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com.crt $BASEDIR/qmicerts/wildcard_qmi_qlik-poc_com-ca.crt
+
+echo $PASSWORD > $BASEDIR/qmicerts/pfx-cert-password.txt

linux-common/ubuntu/common/falcon.sh

@@ -1,11 +1,21 @@
 #!/bin/bash
 
+echo "--- Executing: $0 $@"
+
 BASEDIR=$(dirname "$0")
 
-echo "Installing CrowdStrike falcon agent"
+binary="falcon-sensor_5.17.0-8103_amd64.deb"
+
+echo "--- Installing CrowdStrike falcon agent --> $binary"
 echo "CID=$1"
+
+#sudo apt -qq -y update
+sudo apt install libnl-3-200 libnl-genl-3-200 -qq -y
+
+wget --quiet https://d7ipctdjxxii4.cloudfront.net/others/$binary -O $BASEDIR/$binary
+
 if ! dpkg -l | grep -qw falcon-sensor; then
-    sudo dpkg -i $BASEDIR/falcon-sensor_5.17.0-8103_amd64.deb
+    sudo dpkg -i $BASEDIR/$binary
 fi
 
 sudo /opt/CrowdStrike/falconctl -s -f --cid=$1

linux-common/ubuntu/common/resizedisk.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+echo "--- Executing: $0 $@"
+
 echo "Resizing main partition to max available disk"
 (
 echo p # List the partitions details

linux-common/ubuntu/common/tenable.sh

@@ -1,14 +1,21 @@
 #!/bin/bash
 
+echo "--- Executing: $0 $@"
+
 BASEDIR=$(dirname "$0")
 
-echo "Installing Tenable Nessus Agent..."
 KEY=$1
 echo "KEY=$KEY"
 
-sudo dpkg -i $BASEDIR/NessusAgent-10.2.0-ubuntu1110_amd64.deb
+FILE="NessusAgent-10.2.1-ubuntu1404_amd64.deb"
 
-echo "Linking Tenable Nessus Agent..."
+echo "--- Installing Tenable Nessus Agent --> $FILE"
+
+wget --quiet https://d7ipctdjxxii4.cloudfront.net/others/$FILE -O $BASEDIR/$FILE
+
+sudo dpkg -i $BASEDIR/$FILE
+
+echo "--- Linking Tenable Nessus Agent..."
 sudo /bin/systemctl start nessusagent.service
 sudo /opt/nessus_agent/sbin/nessuscli agent link --key=$KEY --groups="Qlik IT Cloud Agents" --host=cloud.tenable.com --port=443
 

linux-common/ubuntu/common/update.sh

@@ -0,0 +1,3 @@
+echo 'Updating OS. This will take a around 10 minutes'
+apt -qq -y update
+apt --fix-broken -qq -y upgrade

linux-common/variables.tf

@@ -8,9 +8,16 @@ variable "admin_password" {
 }
 
 variable "os_type" { 
+  description = "Either 'centos' or 'ubuntu'"
+  default = "centos"
 }
 
 variable "key_vault_id" {
   default = "/subscriptions/62ebff8f-c40b-41be-9239-252d6c0c8ad9/resourceGroups/QMI-Machines/providers/Microsoft.KeyVault/vaults/qmisecrets"
 }
 
+variable "update" {
+  type = bool
+  default = true
+}
+

qmi-nic/mainf.tf

@@ -71,7 +71,7 @@
   address_prefix       = "10.0.2.0/24"
 }*/
 
-resource "azurerm_public_ip" "publicip" {
+/*resource "azurerm_public_ip" "publicip" {
 
   count = var.isExternal? 1 : 0
   
@@ -80,7 +80,7 @@ resource "azurerm_public_ip" "publicip" {
   location            = var.location
   allocation_method   = "Dynamic"
   domain_name_label   = lower(var.prefix)
-}
+}*/
 
 resource "azurerm_network_interface" "nic" {
   name                = "${var.prefix}-nic"
@@ -92,7 +92,6 @@ resource "azurerm_network_interface" "nic" {
     name                          = "${var.prefix}-ip-cfg"
     subnet_id                     = var.subnet_id
     private_ip_address_allocation = "Dynamic"
-    public_ip_address_id          = var.isExternal? azurerm_public_ip.publicip[0].id : null
   }
 
   tags = {

qmi-nic/outputs.tf

@@ -8,12 +8,4 @@ output "private_ip_address" {
 
 output "ip_configuration_name" {
   value = "${var.prefix}-ip-cfg"
-}
-
-output "public_ip_address" {
-  value = var.isExternal? azurerm_public_ip.publicip[0].ip_address : null
-}
-
-output "fqdn" {
-  value = var.isExternal? azurerm_public_ip.publicip[0].fqdn : null
 }

replicate-install/main.tf

@@ -62,7 +62,7 @@ resource "null_resource" "install" {
     inline = [
       "powershell.exe -File C:/provision/replicate-install/di-replicate-getBinary.ps1 -url ${var.download_url}",
       "powershell.exe -File C:/provision/replicate-install/di-replicate-install.ps1 -url ${var.download_url}",
-      "powershell.exe -File C:/provision/replicate-install/di-replicate-installQMICertificate.ps1 -CertPwd \"${local.cert_password}\"",
+      "powershell.exe -File C:/provision/replicate-install/di-replicate-installQMICertificate.ps1 -CertPwd \"${local.cert_password}\" -url ${var.download_url}",
       "powershell.exe -File C:/provision/replicate-install/di-em-register-replicate.ps1 -user ${var.vm_admin_username} -pass ${var.vm_admin_password} -domain ${local.domain}",
     ]
 

replicate-install/scripts/Replicate_install_2022.iss

@@ -0,0 +1,32 @@
+[{9C614355-28A0-4C2A-98DF-DB9FD674826F}-DlgOrder]
+Dlg0={9C614355-28A0-4C2A-98DF-DB9FD674826F}-SdWelcome-0
+Count=8
+Dlg1={9C614355-28A0-4C2A-98DF-DB9FD674826F}-SdLicenseAgreement-0
+Dlg2={9C614355-28A0-4C2A-98DF-DB9FD674826F}-SdWelcome-1
+Dlg3={9C614355-28A0-4C2A-98DF-DB9FD674826F}-SdAskDestPath-0
+Dlg4={9C614355-28A0-4C2A-98DF-DB9FD674826F}-SdAskDestPath-1
+Dlg5={9C614355-28A0-4C2A-98DF-DB9FD674826F}-AskOptions-0
+Dlg6={9C614355-28A0-4C2A-98DF-DB9FD674826F}-SdStartCopy-0
+Dlg7={9C614355-28A0-4C2A-98DF-DB9FD674826F}-SdFinish-0
+[{9C614355-28A0-4C2A-98DF-DB9FD674826F}-SdWelcome-0]
+Result=1
+[{9C614355-28A0-4C2A-98DF-DB9FD674826F}-SdLicenseAgreement-0]
+Result=1
+[{9C614355-28A0-4C2A-98DF-DB9FD674826F}-SdWelcome-1]
+Result=1
+[{9C614355-28A0-4C2A-98DF-DB9FD674826F}-SdAskDestPath-0]
+szDir=C:\Program Files\Attunity\Replicate\
+Result=1
+[{9C614355-28A0-4C2A-98DF-DB9FD674826F}-SdAskDestPath-1]
+szDir=C:\Program Files\Attunity\Replicate\data
+Result=1
+[{9C614355-28A0-4C2A-98DF-DB9FD674826F}-AskOptions-0]
+Result=1
+Sel-0=1
+Sel-1=0
+[{9C614355-28A0-4C2A-98DF-DB9FD674826F}-SdStartCopy-0]
+Result=1
+[{9C614355-28A0-4C2A-98DF-DB9FD674826F}-SdFinish-0]
+Result=1
+bOpt1=0
+bOpt2=0

replicate-install/scripts/di-em-register-replicate.ps1

@@ -38,4 +38,4 @@ Write-Host "--- Registering Replicate server in Enterprise Manager with name '$r
 Invoke-RestMethod -Uri "https://di.qmi.qlik-poc.com/attunityenterprisemanager/api/v1/servers/$replsrvName/def" -Method "PUT" -Headers $Headers2 -Body $body_json
 
 Write-Host "--- Setting Replicate server license through EM API"
-Invoke-WebRequest -UseBasicParsing -Uri "https://di.qmi.qlik-poc.com/attunityenterprisemanager/api/v1/servers/$replsrvName/license/def" -Method "PUT" -Infile "$PSScriptRoot\replicate_license_exp2022-12-31_ser60026541.txt" -Headers $Headers2
+Invoke-WebRequest -UseBasicParsing -Uri "https://di.qmi.qlik-poc.com/attunityenterprisemanager/api/v1/servers/$replsrvName/license/def" -Method "PUT" -Infile "$PSScriptRoot\replicate_license.txt" -Headers $Headers2

replicate-install/scripts/di-replicate-install.ps1

@@ -18,12 +18,27 @@ if ( $url -Match "2021" ) {
 	$issFile="Replicate_install_2021.iss"
 }
 
+if ( $url -Match "2022" ) {
+	$issFile="Replicate_install_2022.iss"
+}
+
 Import-Module $PSScriptRoot\q-helper.psm1 | Out-Null
 
 $fileName = $url.Substring($url.LastIndexOf("/") + 1)
 
 $bin = "$PSScriptRoot\binaries\Attunity"
 
+if (Test-Path "$($bin)\Replicate_silent_x64_install.log") {
+	Remove-Item -Path "$($bin)\Replicate_silent_x64_install.log" -Force
+}
+
+if (Test-Path "C:\Program Files\Attunity\Replicate") {
+	Remove-Item -Path "C:\Program Files\Attunity\Replicate" -Recurse -Force
+}
+
+
+Write-Host "Using ISS file: $issFile"
+
 If ((Test-Path $bin\$fileName))
 {
 	Write-Host "Installing Attunity Replicate Server from $($bin)\$($fileName)"

replicate-install/scripts/di-replicate-installQMICertificate.ps1

@@ -1,11 +1,17 @@
  
 Param(
-    [string] $CertPwd
+    [string] $CertPwd,
+    [string] $url
 )
 
 try {
 
     Write-Host "Install qmi_qlik-poc_com certificate on Windows"
+    
+    $ProgressPreference = 'SilentlyContinue'
+    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+    (New-Object System.Net.WebClient).DownloadFile("https://gitlab.com/qmi/qmi-cloud-tf-modules/-/raw/master/qmicerts/wildcard_qmi_qlik-poc_com.pfx", "$PSScriptRoot\wildcard_qmi_qlik-poc_com.pfx") 
+
     $secpasswd = ConvertTo-SecureString $CertPwd -AsPlainText -Force
     $sslCert = Import-PfxCertificate -FilePath $PSScriptRoot/wildcard_qmi_qlik-poc_com.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $secpasswd
     $thumb=$($sslCert.Thumbprint)
@@ -13,16 +19,25 @@ try {
     Start-Sleep 20
     
     Write-Host "Set SSL qmi_qlik-poc_com for Replicate"
-    
+
     Stop-Service AttunityReplicateConsole
-    Stop-Service AttunityReplicateServer
+    if ( $url -Match "2022.11" ) {  
+        Stop-Service QlikReplicateServer
+    } else {
+        Stop-Service AttunityReplicateServer
+    }
 
     Start-Process -FilePath "C:\Program Files\Attunity\Replicate\bin\RepUiCtl.exe" -ArgumentList "certificate clean" -Wait -NoNewWindow
 
     netsh http add sslcert ipport=0.0.0.0:443 certhash=$thumb appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}'
 
     Start-Service AttunityReplicateConsole 
-    Start-Service AttunityReplicateServer
+    if ( $url -Match "2022.11" ) {  
+        Start-Service QlikReplicateServer
+    } else {
+        Start-Service AttunityReplicateServer
+    }
+    
 
     Start-Sleep 10
     Write-Host "Replicate services restarted!"

replicate-install/scripts/license_exp2021-09-30_ser60020486.txt

@@ -1,18 +0,0 @@
-#
-# Attunity  License
-# Generated on 30-Sep-2020 20:41:19.3216+03:00 
-# License Comment: Qlik Internal use only 
-#
-license_type=TERM_LICENSE
-licensed_to=Qlik Tech
-licensed_by=Attunity US
-serial_no=60020486
-expiration_date=2021-09-30
-hosts=
-source_types=
-target_types=
-features=
-version=6.6
-issue_date=2020-09-30
-checksum=3H2K3-9KQ42-J2938-EF235
-

replicate-install/scripts/license_exp2021-12-31_ser60021240.txt

@@ -1,18 +0,0 @@
-#
-# Attunity  License
-# Generated on 30-Nov-2020 19:36:15.5200+02:00 
-# License Comment: 
-#
-license_type=EVALUATION_LICENSE
-licensed_to=ADA Demo License 2021
-licensed_by=Attunity US
-serial_no=60021240
-expiration_date=2021-12-31
-hosts=
-source_types=
-target_types=
-features=
-version=7.0
-issue_date=2020-11-30
-checksum=5ERRJ-EQ395-79QQ8-C92F2
-

replicate-install/scripts/replicate_license.txt

@@ -0,0 +1,17 @@
+#
+# Qlik  License
+# Generated on 15-Dec-2022 19:01:15.1383+02:00 
+# License Comment: Qlik internal use only 
+#
+license_type=EVALUATION_LICENSE
+licensed_to=Attunity Americas
+licensed_by=Attunity US
+serial_no=60031826
+expiration_date=2023-12-31
+hosts=
+source_types=
+target_types=
+features=
+version=2022.11
+issue_date=2022-12-15
+checksum=F4CK8-H36JR-8H58Q-833KH

replicate-install/scripts/replicate_license_exp2022-12-31_ser60026541.txt

@@ -1,18 +0,0 @@
-#
-# Qlik  License
-# Generated on 07-Dec-2021 18:01:15.5540+02:00 
-# License Comment: For internal Qlik use only 
-#
-license_type=EVALUATION_LICENSE
-licensed_to=Attunity Americas
-licensed_by=Attunity US
-serial_no=60026541
-expiration_date=2022-12-31
-hosts=
-source_types=
-target_types=
-features=
-version=2021.11
-issue_date=2021-12-07
-checksum=5Q9FQ-27467-KRC52-77598
-

replicate-install/variables.tf

@@ -11,8 +11,6 @@ variable "vm_admin_password" {
 }
 
 variable "download_url" {
-   //default = "https://da3hntz84uekx.cloudfront.net/QlikReplicate/2021.5/3/_MSI/AttunityReplicate_2021.5.0.924_X64.zip"
-   default = "https://github.com/qlik-download/replicate/releases/download/v2021.11.1/QlikReplicate_2021.11.0.165_X64.zip"
 }
 
 variable "key_vault_id" {

s3-bucket-sftp-public/main.tf

@@ -0,0 +1,229 @@
+
+terraform {
+
+  required_version = ">= 0.13"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "= 3.74.1"
+    }
+  }
+}
+
+locals {
+  tags = {
+    Deployment = "QMI"
+    "Cost Center" = "3100"
+    QMI_user = var.user_id
+    ProvID   = var.provision_id
+    Name     = "sftp-${var.provision_id}"
+  }
+}
+
+resource "tls_private_key" "sftp-key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+
+}
+
+resource "aws_key_pair" "generated_key" {    
+  key_name   = "key-${var.provision_id}"
+  public_key = tls_private_key.sftp-key.public_key_openssh
+
+  tags = local.tags
+}
+
+## Public_secret
+
+resource "aws_secretsmanager_secret" "public_key" {
+  name = "pub-${var.provision_id}"
+
+  tags = local.tags
+}
+
+resource "aws_secretsmanager_secret_version" "public_key" {
+  secret_id = aws_secretsmanager_secret.public_key.id
+  secret_string = aws_key_pair.generated_key.public_key
+
+}
+
+## Private Secret
+
+resource "aws_secretsmanager_secret" "private_key" {
+  name = "priv-${var.provision_id}"
+
+  tags = local.tags
+}
+
+resource "aws_secretsmanager_secret_version" "private_key" {
+  secret_id = aws_secretsmanager_secret.private_key.id
+  secret_string = nonsensitive(tls_private_key.sftp-key.private_key_pem)
+
+}
+
+
+module "s3_bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  version = "~> 2.1.0"
+
+  bucket = "sftp-${var.provision_id}"
+  acl    = "private"
+
+  versioning = {
+    enabled = false
+  }
+
+  force_destroy = true
+
+  tags = local.tags
+
+}
+
+###
+
+resource "aws_s3_bucket_public_access_block" "sftp-block" {
+  bucket = module.s3_bucket.s3_bucket_id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+
+}
+
+###
+
+resource "aws_iam_role" "logging" {
+  name  = "${var.provision_id}-transfer-logging"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "transfer.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "logging" {
+  name  = "${var.provision_id}-transfer-logging"
+  role   = aws_iam_role.logging.id
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogStream",
+        "logs:DescribeLogStreams",
+        "logs:CreateLogGroup",
+        "logs:PutLogEvents"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_transfer_server" "public" {
+  endpoint_type          = var.sftp_type 
+  protocols              = var.protocols 
+  identity_provider_type = var.identity_provider_type 
+  url                    = var.api_gw_url
+  invocation_role        = var.invocation_role
+  logging_role           = aws_iam_role.logging.arn
+  force_destroy          = var.force_destroy 
+  security_policy_name   = var.security_policy_name
+
+  tags = local.tags
+}
+
+
+resource "aws_iam_role" "user" {
+  for_each           = var.sftp_users
+  name               = "${var.provision_id}-sftp-user-${each.key}"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "transfer.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+
+resource "aws_iam_role_policy" "user" {
+  for_each = var.sftp_users
+  name     = "${var.provision_id}-sftp-user-${each.key}"
+  role     = aws_iam_role.user[each.key].id
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowListingOfUserFolder",
+      "Action": [
+        "s3:ListBucket",
+        "s3:GetBucketLocation"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+       "${join("", ["arn:aws:s3:::", module.s3_bucket.s3_bucket_id])}"
+      ]
+    },
+    {
+      "Sid": "HomeDirObjectAccess",
+      "Effect": "Allow",
+      "Action": [
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:DeleteObjectVersion",
+        "s3:DeleteObject",
+        "s3:GetObjectVersion"
+      ],
+      "Resource": "${join("", ["arn:aws:s3:::", module.s3_bucket.s3_bucket_id, "/", each.value, "/*"])}"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_transfer_user" "this" {
+  for_each       = var.sftp_users
+  server_id      = aws_transfer_server.public.id
+  user_name      = each.key
+  home_directory = "/${module.s3_bucket.s3_bucket_id}/${each.value}"
+  role           = aws_iam_role.user[each.key].arn
+
+  tags = local.tags
+}
+
+
+resource "aws_transfer_ssh_key" "this" {
+  for_each   = { "sftpusr" = aws_secretsmanager_secret_version.public_key.secret_string }
+  server_id  = aws_transfer_server.public.id
+  user_name  = each.key
+  body       = each.value
+  depends_on = [aws_transfer_user.this]
+
+}

s3-bucket-sftp-public/outputs.tf

@@ -0,0 +1,20 @@
+
+output "id" {
+  value       = aws_transfer_server.public.id
+  description = "ID of transfer server"
+}
+
+output "endpoint" {
+  value       = aws_transfer_server.public.endpoint
+  description = "Endpoint of transfer server"
+}
+
+output "username" {
+  value = "sftpusr"
+}
+
+output "sftp-private" {
+  value = nonsensitive(aws_secretsmanager_secret_version.private_key.secret_string)
+}
+
+

s3-bucket-sftp-public/variables.tf

@@ -0,0 +1,56 @@
+variable "region" {
+    default = "us-east-1"
+}
+
+variable "provision_id" { 
+}
+
+variable "user_id" {
+}
+
+variable "sftp_type" {
+  type        = string
+  default     = "PUBLIC"
+  description = "Type of SFTP server. **Valid values:** `PUBLIC`, `VPC` or `VPC_ENDPOINT`"
+}
+
+variable "protocols" {
+  type        = list(string)
+  default     = ["SFTP"]
+  description = "List of file transfer protocol(s) over which your FTP client can connect to your server endpoint. **Possible Values:** FTP, FTPS and SFTP"
+}
+
+variable "identity_provider_type" {
+  type        = string
+  default     = "SERVICE_MANAGED"
+  description = "Mode of authentication to use for accessing the service. **Valid Values:** `SERVICE_MANAGED`, `API_GATEWAY`, `AWS_DIRECTORY_SERVICE` or `AWS_LAMBDA`"
+}
+
+variable "api_gw_url" {
+  type        = string
+  default     = null
+  description = "URL of the service endpoint to authenticate users when `identity_provider_type` is of type `API_GATEWAY`"
+}
+
+variable "invocation_role" {
+  type        = string
+  default     = null
+  description = "ARN of the IAM role to authenticate the user when `identity_provider_type` is set to `API_GATEWAY`"
+}
+
+variable "force_destroy" {
+  type        = bool
+  default     = true
+  description = "Whether to delete all the users associated with server so that server can be deleted successfully. **Note:** Supported only if `identity_provider_type` is set to `SERVICE_MANAGED`"
+}
+
+variable "security_policy_name" {
+  type        = string
+  default     = "TransferSecurityPolicy-2020-06"
+  description = "Specifies the name of the [security policy](https://docs.aws.amazon.com/transfer/latest/userguide/security-policies.html) to associate with the server"
+}
+
+variable "sftp_users" {
+  type    = map(string)
+  default = { sftpusr = "sftpusr" }
+}

s3-bucket/main.tf

@@ -47,6 +47,11 @@ module "s3_bucket" {
 
   force_destroy = true
 
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+
   tags = {
     Deployment = "QMI"
     "Cost Center" = "3100"

vm-centos/main.tf

@@ -57,8 +57,8 @@ resource "azurerm_linux_virtual_machine" "vm" {
   }
 
   source_image_reference {
-    publisher = "OpenLogic"
-    offer     = "CentOS"
+    publisher = var.publisher
+    offer     = var.offer
     sku       = var.sku
     version   = "latest"
   }

vm-centos/outputs.tf

@@ -24,12 +24,4 @@ output "nic_private_ip_address" {
 
 output "nic_ip_configuration_name" {
   value = module.qmi-nic.ip_configuration_name
-}
-
-output "nic_fqdn" {
-  value = var.isExternal? module.qmi-nic.fqdn : null
-}
-
-output "nic_public_ip_address" {
-  value = var.isExternal? module.qmi-nic.public_ip_address : null
 }

vm-centos/variables.tf

@@ -35,6 +35,14 @@ variable "sku" {
   default = "7.5"
 }
 
+variable "publisher" {
+  default = "OpenLogic"
+}
+
+variable "offer" {
+  default = "CentOS"
+}
+
 variable "user_id" {
   default = null
 }

vm-fromsnapshot-linux/main.tf

@@ -96,6 +96,10 @@ resource "azurerm_virtual_machine" "vm" {
     disable_password_authentication = false
   }
 
+  identity {
+    type = "SystemAssigned"
+  }
+
   tags = {
     "Deployment" = "QMI PoC"
     "Cost Center" = "3100"

vm-fromsnapshot-linux/outputs.tf

@@ -24,4 +24,8 @@ output "nic_private_ip_address" {
 
 output "nic_ip_configuration_name" {
   value = module.qmi-nic.ip_configuration_name
+}
+
+output "principal_id" {
+  value = azurerm_virtual_machine.vm.identity.0.principal_id
 }

vm-oraclelinux/main.tf

@@ -1,86 +0,0 @@
-resource "random_id" "randomMachineId" {
-    keepers = {
-        # Generate a new ID only when a new resource group is defined
-        resource_group = var.resource_group_name
-    }
-    
-    byte_length = 3
-}
-
-resource "random_password" "password" {
-  length = 16
-  special = false
-  override_special = "_"
-  upper = true
-  lower = true
-  min_lower = 2
-  min_upper = 2
-  min_special = 0
-  min_numeric = 2
-}
-
-locals {
-  virtual_machine_name = "${var.prefix}-${random_id.randomMachineId.hex}"
-  admin_username = var.admin_username
-  admin_password = random_password.password.result
-}
-
-module "qmi-nic" {
-  source = "git::https://gitlab.com/qmi/qmi-cloud-tf-modules.git//qmi-nic"
-  
-  prefix = local.virtual_machine_name
-  location = var.location
-  subnet_id = var.subnet_id
-  
-  resource_group_name = var.resource_group_name
-  user_id = var.user_id
-  
-}
-
-resource "azurerm_virtual_machine" "vm" {
-  name                  = local.virtual_machine_name
-  location              = var.location
-  resource_group_name   = var.resource_group_name
-  network_interface_ids = [module.qmi-nic.id]
-  vm_size               = var.vm_type
-
-  delete_os_disk_on_termination = true
-  delete_data_disks_on_termination = true
-
-  storage_image_reference {
-    # this is the Oracle linux image I found.
-    # az vm image list --all --publisher Oracle  -o table
-    publisher = "Oracle"
-    offer     = "Oracle-Linux"
-    sku       = "77"
-    version   = "latest"
-  }
-
-  storage_os_disk {
-    name              = "${local.virtual_machine_name}-osdisk"
-    caching           = "ReadWrite"
-    create_option     = "FromImage"
-    managed_disk_type = var.managed_disk_type
-    disk_size_gb      = var.disk_size_gb
-  }
-
-  os_profile_linux_config {
-      disable_password_authentication = false
-  }
-
-  os_profile {
-    computer_name  = local.virtual_machine_name
-    admin_username = local.admin_username
-    admin_password = local.admin_password
-  }
-
-  tags = {
-    Deployment = "QMI PoC"
-    "Cost Center" = "3100"
-    "ProvId"  = var.provId != null? var.provId : null
-    "QMI_user" = var.user_id != null? var.user_id : null
-    "24x7" = var.is_24x7 == true? "" : null
-    "ShutdownTime": var.is_24x7 == false? var.shutdownTime : null
-    "StartupTime": var.is_24x7 == false? var.startupTime : null
-  }
-}

vm-oraclelinux/outputs.tf

@@ -1,27 +0,0 @@
-output "virtual_machine_id" {
-  value = azurerm_virtual_machine.vm.id
-}
-
-output "virtual_machine_name" {
-    value = "${var.prefix}-${random_id.randomMachineId.hex}"
-}
-
-output "admin_username" {
-  value = var.admin_username
-}
-
-output "admin_password" {
-  value = random_password.password.result
-}
-
-output "nic_id" {
-  value = module.qmi-nic.id
-}
-
-output "nic_private_ip_address" {
-  value = module.qmi-nic.private_ip_address
-}
-
-output "nic_ip_configuration_name" {
-  value = module.qmi-nic.ip_configuration_name
-}

vm-oraclelinux/variables.tf

@@ -1,56 +0,0 @@
-variable "subnet_id" {
-  default = "/subscriptions/62ebff8f-c40b-41be-9239-252d6c0c8ad9/resourceGroups/QMI-infra-vnet/providers/Microsoft.Network/virtualNetworks/QMI-Automation-Vnet/subnets/QMI-VM-Deployments"
-}
-
-variable "prefix" {
-  description = "The Prefix used for all resources in this example"
-  default = "QMI-ORACLELINUX"
-}
-
-variable "location" {
-  default = "East US"
-}
-
-variable "resource_group_name" {
-}
-
-variable "vm_type" {
-  default = "Standard_DS3_v2"
-}
-
-variable "managed_disk_type" {
-  default = "Premium_LRS"
-}
-
-variable "disk_size_gb" {
-  default = "128"
-}
-
-variable "admin_username" {
-  default = "qmi"
-}
-
-variable "user_id" {
-  default = null
-}
-
-variable "provId" {
-  default = null
-}
-
-variable "is_24x7"{
-  type = bool
-  default = null
-}
-
-variable "shutdownTime"{
-  default = null
-}
-
-variable "startupTime"{
-  default = null
-}
-
-# variable "subnet_id" {
-#   default = "/subscriptions/1f3d4c1d-6509-4c52-8dee-c15fb83f2920/resourceGroups/lkn-rg/providers/Microsoft.Network/virtualNetworks/lkn-vn/subnets/default"
-# }

vm-oraclelinux81/main.tf

@@ -37,43 +37,37 @@ module "qmi-nic" {
   
 }
 
-resource "azurerm_virtual_machine" "vm" {
-  name                  = local.virtual_machine_name
-  location              = var.location
-  resource_group_name   = var.resource_group_name
-  network_interface_ids = [module.qmi-nic.id]
-  vm_size               = var.vm_type
+resource "azurerm_linux_virtual_machine" "vm" {
+  name                = local.virtual_machine_name
+  resource_group_name = var.resource_group_name
+  location            = var.location
+  size                = var.vm_type
+  admin_username      = local.admin_username
+  admin_password      = local.admin_password
+  disable_password_authentication = false
+  
+  network_interface_ids = [
+    module.qmi-nic.id,
+  ]
 
-  delete_os_disk_on_termination = true
-  delete_data_disks_on_termination = true
+  os_disk {
+    name                 = "${local.virtual_machine_name}-osdisk"
+    caching              = "ReadWrite"
+    storage_account_type = var.managed_disk_type
+    disk_size_gb         = var.disk_size_gb
+  }
 
-  storage_image_reference {
-    # this is the Oracle linux image I found.
-    # az vm image list --all --publisher Oracle  -o table
+  identity {
+    type = "SystemAssigned"
+  }
+
+  source_image_reference {
     publisher = "Oracle"
     offer     = "Oracle-Linux"
     sku       = "81"
     version   = "latest"
   }
 
-  storage_os_disk {
-    name              = "${local.virtual_machine_name}-osdisk"
-    caching           = "ReadWrite"
-    create_option     = "FromImage"
-    managed_disk_type = var.managed_disk_type
-    disk_size_gb      = var.disk_size_gb
-  }
-
-  os_profile_linux_config {
-      disable_password_authentication = false
-  }
-
-  os_profile {
-    computer_name  = local.virtual_machine_name
-    admin_username = local.admin_username
-    admin_password = local.admin_password
-  }
-
   tags = {
     Deployment = "QMI PoC"
     "Cost Center" = "3100"
@@ -83,4 +77,20 @@ resource "azurerm_virtual_machine" "vm" {
     "ShutdownTime": var.is_24x7 == false? var.shutdownTime : null
     "StartupTime": var.is_24x7 == false? var.startupTime : null
   }
-}
+}
+
+module "linux-common" {
+
+  source = "git::https://gitlab.com/qmi/qmi-cloud-tf-modules.git//linux-common"
+
+  depends_on = [
+    azurerm_linux_virtual_machine.vm
+  ]
+  
+  os_type             = "centos"
+  private_ip_address  = module.qmi-nic.private_ip_address
+  admin_username      = local.admin_username
+  admin_password      = local.admin_password  
+  
+}
+

vm-oraclelinux81/outputs.tf

@@ -1,5 +1,5 @@
 output "virtual_machine_id" {
-  value = azurerm_virtual_machine.vm.id
+  value = azurerm_linux_virtual_machine.vm.id
 }
 
 output "virtual_machine_name" {
@@ -24,4 +24,8 @@ output "nic_private_ip_address" {
 
 output "nic_ip_configuration_name" {
   value = module.qmi-nic.ip_configuration_name
+}
+
+output "principal_id" {
+  value = azurerm_linux_virtual_machine.vm.identity.0.principal_id
 }

vm-qdc/main.tf

@@ -123,5 +123,6 @@ module "linux-common" {
   private_ip_address  = module.qmi-nic.private_ip_address
   admin_username      = local.admin_username
   admin_password      = local.admin_password  
+  update              = false
   
 }

vm-qdc/outputs.tf

@@ -38,12 +38,4 @@ output "mysql_demo_password" {
   value = "Qlik1234!"
 }
 
-output "nic_fqdn" {
-  value = var.isExternal? module.qmi-nic.fqdn : null
-}
-
-output "nic_public_ip_address" {
-  value = var.isExternal? module.qmi-nic.public_ip_address : null
-}
-
 

vm-qdc/scripts/feb2022/1-qdc-nextgen-xml.sh

@@ -13,6 +13,7 @@ if [[ $2 == *"4.9.0"* ]]; then
  sudo cp /home/qmi/scripts/feb2022/tomcat.service /etc/systemd/system/
 fi
 
+wget --quiet https://gitlab.com/qmi/qmi-cloud-tf-modules/-/raw/master/qmicerts/wildcard_qmi_qlik-poc_com.pfx -O /home/qmi/scripts/wildcard_qmi_qlik-poc_com.pfx
 sudo cp /home/qmi/scripts/wildcard_qmi_qlik-poc_com.pfx /usr/local/qdc
 
 if [[ $2 == *"4.13.0"* ]]; then

vm-qdc/scripts/feb2022/2-core_env_setup.sh

@@ -7,6 +7,9 @@ TOMCAT_HOME=$BASE/$TOMCAT
 BASEDIR=$(dirname "$0")
 
 echo "Replacing server.xml for Tomcat - Stopping Tomcat"
+wget --quiet https://gitlab.com/qmi/qmi-cloud-tf-modules/-/raw/master/qmicerts/wildcard_qmi_qlik-poc_com.pfx -O /home/qmi/scripts/wildcard_qmi_qlik-poc_com.pfx
+sudo cp /home/qmi/scripts/wildcard_qmi_qlik-poc_com.pfx /usr/local/qdc
+
 sudo cp /home/qmi/scripts/wildcard_qmi_qlik-poc_com.pfx /usr/local/qdc
 sudo systemctl stop tomcat.service
 mv $TOMCAT_HOME/conf/server.xml $TOMCAT_HOME/conf/server.xml_backup

vm-qdc/scripts/feb2022/nextgen-xml_server.xml

@@ -99,7 +99,7 @@
     clientAuth="false" sslProtocol="TLS"
     keystoreFile="/usr/local/qdc/wildcard_qmi_qlik-poc_com.pfx"
     keystoreType="PKCS12"
-    keystorePass="QJ]5M$>m,X)t=_:BNNt:mwFks7NqocSMbR@/zA" />   
+    keystorePass="8@afBR2AwKMb@4Rj" />   
      
     <!--
     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"

vm-qs-alerting/scripts/qs-post-cfg.ps1

@@ -117,6 +117,11 @@ While( (Connect-Qlik $($env:COMPUTERNAME) -TrustAllCerts -UseDefaultCredentials
 
 ### Install qlik-poc_com certificate
 Write-Log -Message "Install 'qmi.qlik-poc.com' certificate, set thumbsprint and whitelist domain in QS central virtual proxy"
+
+$ProgressPreference = 'SilentlyContinue'
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+(New-Object System.Net.WebClient).DownloadFile("https://gitlab.com/qmi/qmi-cloud-tf-modules/-/raw/master/qmicerts/wildcard_qmi_qlik-poc_com.pfx", "C:\provision\wildcard_qmi_qlik-poc_com.pfx") 
+
 try {
     $secpasswd = ConvertTo-SecureString $CertPwd -AsPlainText -Force
     $sslCert=Import-PfxCertificate -FilePath C:/provision/wildcard_qmi_qlik-poc_com.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $secpasswd

vm-qs/main.tf

@@ -13,6 +13,8 @@ resource "random_password" "password" {
   override_special = "_!@"
   upper = true
   lower = true
+  numeric = true
+  min_numeric = 2
   min_lower = 2
   min_upper = 2
   min_special = 2
@@ -24,6 +26,8 @@ resource "random_password" "qlikpassword" {
   override_special = "_!@"
   upper = true
   lower = true
+  numeric = true
+  min_numeric = 2
   min_lower = 2
   min_upper = 2
   min_special = 2
@@ -86,57 +90,6 @@ resource "azurerm_windows_virtual_machine" "vm" {
 
   source_image_id =  var.image_reference
 
-  
-  
-  provisioner "file" {
-    connection {
-      type     = "winrm"
-      host     = module.qmi-nic.private_ip_address
-      user     = local.admin_username
-      password = local.admin_password
-      port     = 5985
-      https    = false
-      timeout  = "3m"
-    }
-    source      = "${path.module}/main"
-    destination = "C:/provision"
-  }
-
-  provisioner "remote-exec" {
-    connection {
-      type     = "winrm"
-      host     = module.qmi-nic.private_ip_address
-      user     = local.admin_username
-      password = local.admin_password
-      port     = 5985
-      https    = false
-      timeout  = "3m"
-    }
-
-    inline = [
-      "powershell.exe -File C:/provision/prep-files.ps1",
-      "powershell.exe -File C:/provision/bootstrap-qs.ps1 -ModuleName vm-qs",
-      "powershell.exe -File C:/provision/gen-jwt.ps1"
-    ]
-  }
-
-  provisioner "remote-exec" {
-    connection {
-      type     = "winrm"
-      host     = module.qmi-nic.private_ip_address
-      user     = local.admin_username
-      password = local.admin_password
-      port     = 5985
-      https    = false
-      timeout  = "3m"
-    }
-
-    inline = [
-      "powershell.exe -File C:/provision/qs-post-cfg.ps1 -Hostname ${var.resource_group_name}.qmi.qlik-poc.com -Serial ${local.serial} -Control ${local.control} -CertPwd \"${local.cert_password}\" -QlikUserPwd ${local.qlikpassword}",
-      "powershell.exe -File C:/provision/webconnectors/q-WebConnectors.ps1",
-    ]
-  }
-
   tags = {
     Deployment = "QMI PoC"
     "Cost Center" = "3100"
@@ -148,43 +101,101 @@ resource "azurerm_windows_virtual_machine" "vm" {
   }
 }
 
+
+/*resource "azurerm_virtual_machine_extension" "prepfiles" {
+  depends_on = [
+    azurerm_windows_virtual_machine.vm
+  ]
+
+  name = "vm-extension-prepfiles"
+  virtual_machine_id   = azurerm_windows_virtual_machine.vm.id
+  
+  publisher = "Microsoft.Compute"
+  type = "CustomScriptExtension"
+  type_handler_version = "1.10"
+  auto_upgrade_minor_version  = true
+  
+  settings = <<SETTINGS
+    {
+        "fileUris": [
+            "https://gitlab.com/qmi/qmi-cloud-tf-modules/-/raw/master/vm-qs/main/prep-files.ps1"
+        ],
+        "commandToExecute": "start powershell.exe -NoProfile -ExecutionPolicy unrestricted -File prep-files.ps1"
+    }
+    SETTINGS
+}*/
+
+
+resource "null_resource" "vm-qs-post" {
+
+  depends_on = [
+    azurerm_windows_virtual_machine.vm
+  ]
+
+  /*provisioner "local-exec" {
+    command = "echo 'Waiting 20 seconds for PrepFiles to finish'; sleep 20;"
+  }*/
+
+  provisioner "remote-exec" {
+    
+    connection {
+      type     = "winrm"
+      host     = module.qmi-nic.private_ip_address
+      user     = local.admin_username
+      password = local.admin_password
+      port     = 5985
+      https    = false
+      timeout  = "10m"
+    }
+
+    inline = [
+      "powershell -NoProfile -File C:\\Temp\\prep-files.ps1 -scenario vm-qs",
+      "powershell -NoProfile -File C:\\provision\\bootstrap-qs.ps1 -ModuleName vm-qs",
+      "powershell -NoProfile -File C:\\provision\\qs-post-cfg.ps1 -Hostname ${var.resource_group_name}.qmi.qlik-poc.com -Serial ${local.serial} -Control ${local.control} -CertPwd \"${local.cert_password}\" -QlikUserPwd ${local.qlikpassword}",
+      "powershell -NoProfile -File C:\\provision\\q-WebConnectors.ps1",
+    ]
+  }
+
+}
+
+
+resource "null_resource" "vm-is-qdc" {
+
+  count = var.isWithQDC? 1 : 0
+  
+  depends_on = [
+    azurerm_windows_virtual_machine.vm,
+    null_resource.vm-qs-post
+    
+  ]
+
+  provisioner "file" {
+    connection {
+      type     = "winrm"
+      host     = module.qmi-nic.private_ip_address
+      user     = local.admin_username
+      password = local.admin_password
+      port     = 5985
+      https    = false
+      timeout  = "10m"
+    }
+    source      = "${path.module}/scripts-qdc"
+    destination = "C:/provision/qdc"
+  }
+
+}
+
 module "win-common" {
 
   source = "git::https://gitlab.com/qmi/qmi-cloud-tf-modules.git//win-common"
 
   depends_on = [
-    azurerm_windows_virtual_machine.vm
+    azurerm_windows_virtual_machine.vm,
+    null_resource.vm-qs-post,
+    null_resource.vm-is-qdc
   ]
   
   private_ip_address  = module.qmi-nic.private_ip_address
   admin_username      = local.admin_username
   admin_password      = local.admin_password  
-}
-
-/*
-resource "null_resource" "post-win-common" {
-    
-    depends_on = [
-      module.win-common
-    ]
-
-    provisioner "remote-exec" {
-      connection {
-        type     = "winrm"
-        host     = module.qmi-nic.private_ip_address
-        user     = local.admin_username
-        password = local.admin_password
-        port     = 5985
-      insecure = true
-      use_ntlm = false
-        https    = false
-        timeout  = "3m"
-      }
-
-      inline = [
-        "powershell.exe -File C:/provision/win-common/sharepoint-pnp/install.ps1",
-        "powershell.exe -File C:/provision/win-common/onedrive-install.ps1",      
-      ]
-    }
-}
-*/
+}

vm-qs/outputs.tf

@@ -26,14 +26,6 @@ output "nic_private_ip_address" {
   value = module.qmi-nic.private_ip_address
 }
 
-output "nic_fqdn" {
-  value = var.isExternal? module.qmi-nic.fqdn : null
-}
-
-output "nic_public_ip_address" {
-  value = var.isExternal? module.qmi-nic.public_ip_address : null
-}
-
 output "nic_ip_configuration_name" {
   value = module.qmi-nic.ip_configuration_name
 }

vm-qs/scripts/bootstrap-qs.ps1

@@ -9,11 +9,13 @@ function New-Credential($u,$p) {
     return New-Object System.Management.Automation.PSCredential ($u, $secpasswd)
 }
 
-Write-Log "Current logged-on user: $env:USERNAME"
+Write-Log "--- Current logged-on user: $env:USERNAME"
+
+New-NetFirewallRule -DisplayName "Qlik Sense More" -Direction Inbound -LocalPort 4244,4242, 4432, 4444, 5355, 5353, 80, 4248, 3090, 4000, 5555, 5556, 4993, 4994 -Protocol TCP -Action Allow -ea Stop | Out-Null
 
 REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
 
-Set-Service -Name "QlikLoggingService" -StartupType Automatic
+#Set-Service -Name "QlikLoggingService" -StartupType Automatic
 Set-Service -Name "QlikSenseServiceDispatcher" -StartupType Automatic
 Set-Service -Name "QlikSenseProxyService" -StartupType Automatic
 Set-Service -Name "QlikSenseEngineService"  -StartupType Automatic
@@ -22,17 +24,12 @@ Set-Service -Name "QlikSenseSchedulerService"  -StartupType Automatic
 Set-Service -Name "QlikSenseRepositoryService"  -StartupType Automatic
 Set-Service -Name "QlikSenseRepositoryDatabase"  -StartupType Automatic
 
-Write-Log "Bootstrap Qlik Sense..."
-
-Write-Log "Starting only QlikSenseRepositoryDatabase and QlikSenseServiceDispatcher services ..."
-Stop-Service QlikSenseRepositoryService
-Start-Service QlikSenseRepositoryDatabase
-Start-Service QlikSenseServiceDispatcher
+Write-Log "===== Bootstrap Qlik Sense ====="
 
 #Delete certificates
 #Write-Log "Deleting old certificates files..."
 #Get-ChildItem "$($env:ProgramData)\Qlik\Sense\Repository\Exported Certificates\" | Remove-Item -Recurse
-Write-Log "Deleting old certificates from keyStore..."
+Write-Log "--- Deleting old certificates from keyStore..."
 $Certs = Get-ChildItem cert:"CurrentUser\My"
 $Certs | ForEach-Object{Remove-Item -path $_.PSPath -recurse -Force}
 $Certs = Get-ChildItem cert:"LocalMachine\My"
@@ -40,44 +37,51 @@ $Certs | ForEach-Object{Remove-Item -path $_.PSPath -recurse -Force}
 $Certs = Get-ChildItem cert:"LocalMachine\Root" | Where-Object { $_.Subject -match 'GEN-QS' -or $_.Subject -match 'QMI' }
 $Certs | ForEach-Object{Remove-Item -path $_.PSPath -recurse -Force}
 
-Write-Log "Setting new hostname ($($env:computername)) in to Host.cfg file..."
+Write-Log "--- Starting only QlikSenseRepositoryDatabase and QlikSenseServiceDispatcher services ..."
+Stop-Service QlikSenseRepositoryService
+Start-Service QlikSenseRepositoryDatabase
+Start-Service QlikSenseServiceDispatcher
+
+Write-Log "--- Setting new hostname ($($env:computername)) in to Host.cfg file..."
 $enchostname = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("$($env:computername)"))
 Set-Content -Path C:\ProgramData\Qlik\Sense\Host.cfg -Value $enchostname
 
 
-Write-Log "Executing ... Repository.exe -bootstrap -standalone -restorehostname"
+Write-Log "--- Executing ... Repository.exe -bootstrap -standalone -restorehostname"
 $waiting=20
 if ( $env:USERNAME -eq "qservice" ) {
     $waiting=50
-    Write-Log "The user executing this script is already 'qservice'"
+    Write-Log "--- The user executing this script is already 'qservice'"
     Start-Process powershell.exe -ArgumentList "Start-Process cmd.exe -Verb runAs -ArgumentList '/k C:\PROGRA~1\Qlik\Sense\Repository\Repository.exe -bootstrap -standalone -restorehostname'"
 
 } else {
-    Write-Log "The user executing this script is NOT 'qservice'"
+    Write-Log "--- The user executing this script is NOT 'qservice'"
     $cred = New-Credential "qservice" "Qlik1234"
     Start-Process powershell.exe -Credential $cred -ArgumentList "Start-Process cmd.exe -Verb runAs -ArgumentList '/k C:\PROGRA~1\Qlik\Sense\Repository\Repository.exe -bootstrap -standalone -restorehostname'"
 }
 
 Start-Sleep -s $waiting
 
-Write-Log "Restarting Service Dispatcher"
+Write-Log "--- Restarting Service Dispatcher"
 Restart-Service QlikSenseServiceDispatcher -Force
 
-Start-Sleep -s 20
+Start-Sleep -s 30
 
 Write-Log "Restarting all Qlik Sense services"
 #Restart-Service QlikSenseServiceDispatcher -Force
-Restart-Service QlikLoggingService -Force
+#Restart-Service QlikLoggingService -Force
 Restart-Service QlikSenseRepositoryService -Force
+Start-Sleep -s 10
 Restart-Service QlikSenseProxyService -Force
 Restart-Service QlikSenseEngineService -Force
 Restart-Service QlikSenseSchedulerService -Force 
 Restart-Service QlikSensePrintingService -Force 
 
+
 REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
 
 #### Recreate QS desktop shortcuts
-Write-Log "Recreating Qlik Sense desktop shortcuts..."
+Write-Log "--- Recreating Qlik Sense desktop shortcuts..."
 $sourcepath="C:\Users\Public\Desktop\Qlik Management Console.lnk"
 $destination="C:\Users\Public\Desktop\Qlik Management Console2.lnk"
 Copy-Item $sourcepath $destination  ## Get the lnk we want to use as a template
@@ -102,11 +106,11 @@ Rename-Item -Path $destination -NewName "Qlik Sense Hub.lnk"
 ####
 
 
-Write-Log "New Certs: CurrentUser\My"
+Write-Log "--- New Certs: CurrentUser\My"
 Get-ChildItem cert:"CurrentUser\My"
-Write-Log "New Certs: LocalMachine\My"
+Write-Log "--- New Certs: LocalMachine\My"
 Get-ChildItem cert:"LocalMachine\My"
-Write-Log "New Certs: LocalMachine\Root"
+Write-Log "--- New Certs: LocalMachine\Root"
 Get-ChildItem cert:"LocalMachine\Root" | Where-Object { $_.Subject -match 'QMI' }
 $NewCerts = Get-ChildItem cert:"LocalMachine\Root" | Where-Object { $_.Subject -match 'QMI' }
 
@@ -114,17 +118,18 @@ if ($NewCerts) {
 
     if ( $ModuleName -ne "vm-qs" ) {
         Start-Sleep -s 20
-        Write-Log "Recovering Qlik Sense users"
+        Write-Log "--- Recovering Qlik Sense users"
         Start-Process powershell.exe -ArgumentList "Start-Process cmd.exe -Verb runAs -ArgumentList '/c $PSScriptRoot\qs-reset-users.bat'"
         Restart-Service QlikSenseRepositoryService -Force
     }
 
-    Write-Log "Boostrap Qlik Sense completed!!"
+    Write-Log "===== Boostrap Qlik Sense completed!! ======"
 
     # May 2021 needs a new restart of QlikSenseServiceDispatcher 
     Restart-Service QlikSenseServiceDispatcher -Force
 
 } else {
-    Write-Error "Error Bootstraping Qlik Sense"
+    Write-Error "==== Error Bootstraping Qlik Sense ====="
     throw "Error Bootstraping Qlik Sense"
 }
+

vm-qs/scripts/q-WebConnectors.ps1

@@ -16,7 +16,7 @@ Dependencies:
 #>
 
 Param(
-    [string] $DownloadURL = "https://github.com/qlik-download/qwc-standalone/releases/download/v2.122.1/QlikWebConnectorsMarch2022.zip"
+    [string] $DownloadURL = "https://github.com/qlik-download/qwc-standalone/releases/download/v2.140.0/QlikWebConnectorsDecember2022.zip"
 )
 
 if(!(Test-Path c:\qmi\QMIError)){

vm-qs/scripts/qs-post-cfg.ps1

@@ -243,6 +243,13 @@ restartQse
 
 ### Install qlik-poc_com certificate
 Write-Log -Message "Install qmi_qlik-poc_com certificate on Windows"
+
+$ProgressPreference = 'SilentlyContinue'
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+(New-Object System.Net.WebClient).DownloadFile("https://gitlab.com/qmi/qmi-cloud-tf-modules/-/raw/master/qmicerts/wildcard_qmi_qlik-poc_com.pfx", "C:\provision\wildcard_qmi_qlik-poc_com.pfx") 
+
+write-log -Message "Cert password is: $CertPwd"
+
 try {
     $secpasswd = ConvertTo-SecureString $CertPwd -AsPlainText -Force
     $sslCert=Import-PfxCertificate -FilePath C:/provision/wildcard_qmi_qlik-poc_com.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $secpasswd

vm-qs/scripts/webconnectors/deploy.config

@@ -1,227 +0,0 @@
-<Deploy>
-
-  <!--
-  You will need to restart Qlik Web Connectors if you make changes to this file.
-  -->
-
-  <!--
-  *************************************************************************
-  Settings between these lines are supported in current version.
-  -->
-  <Port>5555</Port>
-
-  <Authentication>
-
-    <!--
-    Set to
-    None
-    This will run Qlik Web Connectors without any concept of users or access tokens, which have been 
-    introduced in the new web version to support users accessing the application from separate machines.
-      
-    This is the quickest and easiest way to get up and running and if used in conjunction with 
-    AllowRemoteAccess set to false is a straight swap in replacement for the WinForms edition.
-
-    or
-    FormsAuthentication
-    Use this value if you would like users to sign in to Qlik Web Connectors from other machines and be able to 
-    generate load scripts which are secured with an access token and whitelisted IP addresses.
-    -->
-    <Type>None</Type>
-
-    <FormsAuthentication>
-      <CryptographyConfiguration>
-        <!--
-        These values are used when encrypting the authentication cookies used for maintaining 
-        a users logged in status with Forms authentication.
-        -->
-        <RijndaelEncryptionProvider_Passphrase>SuperSecretPass123</RijndaelEncryptionProvider_Passphrase>
-        <DefaultHmacProvider_Passphrase>UberSuperSecure123</DefaultHmacProvider_Passphrase>
-      </CryptographyConfiguration>
-      <!--
-      The PasswordChecker element should contain one of the following. SaltedPBKDF2SHA1PasswordChecker 
-      is recommended as it is the most secure. Setting the EnableUserManagement element to true and 
-      using the inbuilt UI to manage users is also recommended.
-      
-      PlainTextPasswordChecker - User XML element should contain a Password element containing plain text password.
-      SHA512PasswordChecker - User XML element should contain a PasswordHash element containing UTF8 SHA512 base 64 encoded password hash.
-      SaltedPBKDF2SHA1PasswordChecker - Uses a salted hash (RECOMMENDED).
-      -->
-      <PasswordChecker>PlainTextPasswordChecker</PasswordChecker>
-    </FormsAuthentication>
-
-  </Authentication>
-
-  <Proxy>
-    <UseProxy>false</UseProxy>
-    <ProxyAddress></ProxyAddress>
-    <ProxyUsername></ProxyUsername>
-    <ProxyDomain></ProxyDomain>
-    <ProxyPassword></ProxyPassword>
-  </Proxy>
-
-  <!--
-  Whether to allow access from remote machines (i.e. non localhost).
-  -->
-  <AllowRemoteAccess>true</AllowRemoteAccess>
-
-  <!-- 
-  ******************************************************************************************************
-  ********** This replaces the <AllowConnectorsFileSystemAccess> element in previous versions **********
-  ******************************************************************************************************
-  
-  Some connectors can read/write to disk, this element lets you whitelist which paths the connectors are permitted to access.
-    
-  Notes:
-  * Multiple paths should be delimited with a semicolon (;).
-  * If you want to white list ALL paths use a *
-  * This setting applies across all connectors.
-  * The account running the connector exe must also have permission to access any file in question.
-  * Leaving it empty is equivalent to denying the connectors file system access.
-  
-  Some Examples:
-  <FileSystemAccessAllowedPaths>c:\QWC\TempFiles;c:\SomeOtherDirectory</FileSystemAccessAllowedPaths>
-  <FileSystemAccessAllowedPaths>c:\</FileSystemAccessAllowedPaths>
-  <FileSystemAccessAllowedPaths>*</FileSystemAccessAllowedPaths>
-  -->
-  <FileSystemAccessAllowedPaths></FileSystemAccessAllowedPaths>
-
-  <ConnectorConfig>
-    <!-- Some connectors have connector specific configuration options which are managed here -->
-    <Connector>
-      <WebConnector>
-        <AllowLocalHostAccess>true</AllowLocalHostAccess>
-      </WebConnector>
-      <SugarCRMConnector>
-        <AllowLocalHostAccess>true</AllowLocalHostAccess>
-      </SugarCRMConnector>
-      <TextAnalyser_RepustateConnector>
-        <AllowLocalHostAccess>true</AllowLocalHostAccess>
-      </TextAnalyser_RepustateConnector>
-      <MSCRMConnector>
-        <AllowLocalHostAccess>true</AllowLocalHostAccess>
-      </MSCRMConnector>
-      <MSCRMConnectorV2>
-        <AllowLocalHostAccess>true</AllowLocalHostAccess>
-      </MSCRMConnectorV2>
-      <ODataConnector>
-        <AllowLocalHostAccess>true</AllowLocalHostAccess>
-      </ODataConnector>
-      <JIRAConnector>
-        <AllowLocalHostAccess>true</AllowLocalHostAccess>
-      </JIRAConnector>
-      <SMTPConnector>
-        <AllowLocalHostAccess>true</AllowLocalHostAccess>
-      </SMTPConnector>
-      <MailboxIMAPConnector>
-        <AllowLocalHostAccess>true</AllowLocalHostAccess>
-      </MailboxIMAPConnector>
-      <MailboxPOP3Connector>
-        <AllowLocalHostAccess>true</AllowLocalHostAccess>
-      </MailboxPOP3Connector>
-    </Connector>
-  </ConnectorConfig>
-  
-  <!-- Valid values: Off, Error, Warn, Info, Trace - We would recommend you have at least Error set. -->
-  <LoggingLevel>Info</LoggingLevel>
-
-  <!-- This shows the user management API and enables the API which supports it. -->
-  <EnableUserManagement>true</EnableUserManagement>
-
-  <!--
-  This is the name used in the generated load script.
-  This is set automatically to localhost or machine name depending on your 
-  other settings but you can also override it here (if AllowRemoteAccess is set 
-  to true).
-  -->
-  <HostnameOverride></HostnameOverride>
-
-  <!--
-  Default allowed IP addresses for new users.
-  From most to least secure:
-  <empty>
-  <comma separated list of ip addresses>
-  {current_ip_address}
-  any
-  -->
-  <DefaultAllowedIpAddresses></DefaultAllowedIpAddresses>
-
-  <RequireSSL>false</RequireSSL>
-    
-  <!--
-  Settings between these lines are supported in current version.
-  *************************************************************************
-  -->
-
-  <!--
-  *************************************************************************
-  We would not recommend editing the following settings at present.
-  -->
-
-  <Theme>default</Theme>
-
-  <CompressHTTP>true</CompressHTTP>
-
-  <!-- 
-  Comma separated List of Connector IDs to be excluded from this deployment.
-  
-  They will be shown in the connector list but if you try to use them an error will occur.
-  -->
-  <DisabledConnectors></DisabledConnectors>
-
-  <!--
-  Set this to limit the maximum number of rows which will be generated for a request in 
-  the UI. This can help improve performance. Note at present you may still get more rows 
-  than this but this system will attempt to cancel any more API requests after this 
-  threshold is reached.
-  
-  Set to 0 to ignore this.
-  -->
-  <MaxRowsInUI>5000</MaxRowsInUI>
-
-  <Providers>
-
-    <!--
-    Only used for forms auth.
-    -->
-    <FormsUsers provider="FileBasedFormsUsersProvider" config="{app_root}/logins.xml"></FormsUsers>
-
-    <!--
-    User specific data, for both connector configuration and global
-    Implementation of APIConnectorInterfaces.Interfaces.Connector_Services.ISettingsStorer
-    Which takes a config string in the constructor.
-    -->
-    <UserSettings provider="FileBasedSettingsProvider" config="{app_root}/App_Data/{user_id}/UserSettings.xml"></UserSettings>
-
-    <!--
-    Connector settings for a specific user.
-    -->
-    <ConnectorSettings provider="FileBasedSettingsProvider" config="{app_root}/App_Data/{user_id}/ConnectorSettings.xml"></ConnectorSettings>
-
-    <!--
-    User specific log implementation. Note that the logging level is currently set using 
-    the LoggingLevel element in deploy.config and if this is set to Off it will also 
-    override this setting.
-    -->
-    <UserLogs enabled="true" provider="FileBasedLogger" config="{app_root}/App_Data/{user_id}/Logs"></UserLogs>
-
-    <!--
-    System wide log implementation. Note that the logging level is currently set using 
-    the LoggingLevel element in deploy.config and if this is set to Off it will also 
-    override this setting.
-    -->
-    <GlobalLogs enabled="true" provider="FileBasedLogger" config="{app_root}/App_Data/Logs"></GlobalLogs>
-
-    <!--
-    User specific API call logger.
-    -->
-    <UserAPICallLogs enabled="true" provider="FileBasedLogger" config="{app_root}/App_Data/{user_id}/Logs/APICalls"></UserAPICallLogs>
-
-    <!--
-    User specific cached data Implementation of APIConnectorInterfaces.Interfaces.Connector_Services.ICache
-    Which takes a config string in the constructor.   
-    -->
-    <Cache provider="FileBasedCacheProvider" config="{app_root}/App_Data/{user_id}/{connector_id}_Cache/"></Cache>
-
-  </Providers>
-
-</Deploy>