
I am currently looking to deploy the SentinelOne agent via Terraform. There does not appear to be much documentation online for VM extension usage in terms of Terraform. Has anyone successfully deployed the S1 agent via Terraform extension? I am unclear on what to add to the settings/protected_settings blocks. Any help is appreciated.

  resource "azurerm_virtual_machine_extension" "example" {
    name                 = "hostname"
    virtual_machine_id   = azurerm_virtual_machine.example.id
    publisher            = "SentinelOne.LinuxExtension"
    type                 = "LinuxExtension"
    type_handler_version = "1.0"
    # settings / protected_settings go here
  }

2 Answers


  1. To add to the settings/protected settings blocks in terraform

    resource "azurerm_virtual_machine_extension" "example" {
      name                 = "hostname"
      virtual_machine_id   = azurerm_virtual_machine.example.id
      publisher            = "SentinelOne.LinuxExtension"
      type                 = "LinuxExtension"
      type_handler_version = "1.0"

      # The heredoc must contain valid JSON, so inner quotes are escaped
      settings = <<SETTINGS
        {
          "commandToExecute": "powershell.exe -Command \"${local.powershell_command}\""
        }
    SETTINGS

      tags = {
        environment = "Production"
      }

      depends_on = [
        azurerm_virtual_machine.example
      ]
    }
    
    • Settings – The extension’s settings are provided as a string-encoded JSON object.
    • Protected settings – In the same way that settings are supplied as a JSON object in a string, the protected settings passed to the extension are also.

    Some VM extensions treat the keys in the settings and protected settings blocks as case sensitive. Make sure they are consistent with how Azure expects them (for example, the keys for the JsonADDomainExtension extension are supposed to be in TitleCase).

    Reference: azurerm_virtual_machine_extension

  2. Installing the plugin manually and checking the JSON output gives the following settings block:

    {
        "LinuxAgentVersion": "22.4.1.2",
        "SiteToken": "<your_site_token_here>"
    }
    

    Unfortunately, this leaves the one critical field required for installation out, since it’s a protected setting. That is the field name for the "Sentinel One Console API token".

    UPDATE:
    Working extension example after finding the correct JSON key value:

    resource "azurerm_virtual_machine_extension" "testserver-sentinelone-extension" {
      name                      = "SentinelOneLinuxExtension"
      virtual_machine_id        = azurerm_linux_virtual_machine.testserver.id
      publisher                 = "SentinelOne.LinuxExtension"
      type                      = "LinuxExtension"
      type_handler_version      = "1.2"
      automatic_upgrade_enabled = false
      settings                  = <<SETTINGS
        {
          "LinuxAgentVersion": "22.4.1.2",
          "SiteToken": "<your_site_token_here>"
        }
    SETTINGS
    
      protected_settings = <<PROTECTEDSETTINGS
        {
          "SentinelOneConsoleAPIKey": "${var.sentinel_one_api_token}"
        }
    PROTECTEDSETTINGS
    }
    

    EDIT: Figured it out by once again manually installing the extension on another test system, and then digging into the waagent logs on that VM to see what value was being queried by the enable.sh script.

    # cat /var/lib/waagent/SentinelOne.LinuxExtension.LinuxExtension-1.2.0/scripts/enable.sh | grep Console
    api_token=$(echo "$protected_settings_decrypted" | jq -r ".SentinelOneConsoleAPIKey")
    
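The two answers above establish that `settings` and `protected_settings` are string-encoded JSON, that key names are case sensitive, and that the key the SentinelOne extension reads from the decrypted protected settings is `SentinelOneConsoleAPIKey`. The following is an added example, not code from either answer or from SentinelOne or HashiCorp: it builds the same extension resource with `jsonencode()` instead of heredocs, so a stray quote cannot produce invalid JSON, and it marks the API token variable `sensitive` so Terraform redacts it from plan and apply output. The variable names, the `azurerm_linux_virtual_machine.testserver` resource and the agent version default are assumptions; the key names and publisher/type values are the ones shown in the answers.

```hcl
# Added example (not from the original answers). Assumed names: the three
# variables below and the azurerm_linux_virtual_machine.testserver resource.

variable "sentinel_one_site_token" {
  type        = string
  description = "SentinelOne site token; goes in settings, which Azure stores in clear"
}

variable "sentinel_one_api_token" {
  type        = string
  sensitive   = true # redacted in terraform plan/apply output
  description = "SentinelOne console API token; goes in protected_settings"
}

variable "sentinel_one_agent_version" {
  type    = string
  default = "22.4.1.2" # value shown in the answer above
}

locals {
  # Key names must match what the extension's enable.sh queries with jq,
  # including case; jsonencode() emits them exactly as written here.
  s1_settings = {
    LinuxAgentVersion = var.sentinel_one_agent_version
    SiteToken         = var.sentinel_one_site_token
  }

  s1_protected_settings = {
    SentinelOneConsoleAPIKey = var.sentinel_one_api_token
  }
}

resource "azurerm_virtual_machine_extension" "sentinelone" {
  name                      = "SentinelOneLinuxExtension"
  virtual_machine_id        = azurerm_linux_virtual_machine.testserver.id
  publisher                 = "SentinelOne.LinuxExtension"
  type                      = "LinuxExtension"
  type_handler_version      = "1.2"
  automatic_upgrade_enabled = false

  # jsonencode() produces the string-encoded JSON object the provider expects
  # and handles all quoting/escaping itself.
  settings           = jsonencode(local.s1_settings)
  protected_settings = jsonencode(local.s1_protected_settings)

  lifecycle {
    # Fail at plan time rather than letting the extension install with an
    # empty API key and surface the error only in the waagent logs on the VM.
    precondition {
      condition     = length(var.sentinel_one_api_token) > 0
      error_message = "sentinel_one_api_token must be set; enable.sh reads SentinelOneConsoleAPIKey from protected_settings."
    }
  }
}
```

`protected_settings` is encrypted by Azure and only decrypted on the VM (which is why the answer above had to read `protected_settings_decrypted` in `enable.sh` to find the key name), whereas `settings` is stored in clear in the VM model, so anything secret belongs in the protected block. Marking the variable `sensitive` only affects CLI output: both JSON strings are still written to Terraform state in clear text, so the state backend needs the same access controls as the token itself.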