This repo sets up a securely provisioned jumphost to deploy the "Control Plane" for Pivotal Platform Automation. It is a privately maintained repo for testing and training, not an official Pivotal repo.

In addition to the documented setup, Azure Key Vault and system-assigned managed identities are used to store and retrieve secrets and credentials, so no credentials need to be placed on the jumphost itself.

You will need

With this guide you create

This repo will provide

Getting started

The next steps are performed on your local host.

Prepare Azure Key Vault

Use an existing or a new key vault to store the secrets. The template that deploys the jumpbox assumes the key vault is in the same subscription but in a different resource group.

Create the key vault

set -u
AZURE_VAULT=<your vaultname, name must be unique for>
VAULT_RG=<your Vault Resource Group>
AZURE_REGION=<azure location, e.g. westus, westeurope>
## Create the resource group that will hold your Key Vault
az group create --name ${VAULT_RG} --location ${AZURE_REGION}
## Create the Key Vault
az keyvault create --name ${AZURE_VAULT} --resource-group ${VAULT_RG} --location ${AZURE_REGION}

Create the service principal and store its values as vault secrets

## Set temporary variables (they are unset again below so the
## credentials do not linger in your shell session)
PIVNET_UAA_TOKEN=<your pivnet refresh token>
SERVICE_PRINCIPAL=$(az ad sp create-for-rbac --name ServicePrincipalforControlPlane --output json)
## Set the following secrets from the temporary variables
az keyvault secret set --vault-name ${AZURE_VAULT} \
    --name "AZURECLIENTID" --value "$(echo "${SERVICE_PRINCIPAL}" | jq -r .appId)" --output none
az keyvault secret set --vault-name ${AZURE_VAULT} \
    --name "AZURETENANTID" --value "$(echo "${SERVICE_PRINCIPAL}" | jq -r .tenant)" --output none
az keyvault secret set --vault-name ${AZURE_VAULT} \
    --name "AZURECLIENTSECRET" --value "$(echo "${SERVICE_PRINCIPAL}" | jq -r .password)" --output none
az keyvault secret set --vault-name ${AZURE_VAULT} \
    --name "PIVNETUAATOKEN" --value "${PIVNET_UAA_TOKEN}" --output none
## Unset the temporary variables
unset PIVNET_UAA_TOKEN SERVICE_PRINCIPAL

Prepare the local env file

You will need a local env file (or a template parameter file) to hold the names and parameters used during deployment.

Example minimum .env file:

AZURE_VAULT=<your vault name>
VAULT_RG=<your vault rg>
JUMPBOX_RG=<your resource group for the jumpbox>
JUMPBOX_NAME=<your dns name for the jumpbox e.g. myccjumpbox>
ADMIN_USERNAME=<admin username for the jumpbox>
CONTROLPLANE_DOMAIN_NAME=<your domain, e.g.>
CONTROLPLANE_SUBDOMAIN_NAME=<your subdomain for control plane, e.g. control>
BRANCH=master # the version of controlplane-jump-azure to use

You might also add some optional parameters to override the default values:

CONTROLPLANE_AUTOPILOT=<TRUE or FALSE> # start the automatic install of Control Plane from the BOSH release
USE_SELF_CERTS=<TRUE or FALSE> # set to FALSE to use Let's Encrypt instead of self-signed certificates

Source the env file with

source ~/.env

Create an SSH key pair for the jumpbox

ssh-keygen -t rsa -f ~/${JUMPBOX_NAME} -C ${ADMIN_USERNAME}
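Before running the deployment commands it pays to check the env file once, because the az commands further down reference more variables than the minimum .env above lists (AZURE_REGION, ENV_NAME and ENV_SHORT_NAME), and the cleanup step deletes JUMPBOX_RG and ENV_NAME wholesale. The preflight script below is an added example written for this page; it is not part of the controlplane-jump-azure repo. It only uses variable names that appear in this README; the two sample env files and the stand-in public key it writes to a temp directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the controlplane-jump-azure repo): preflight check
# for the .env file before "az group deployment validate".

# Every variable the deployment and cleanup commands in this README use.
REQUIRED_VARS="AZURE_VAULT VAULT_RG AZURE_REGION JUMPBOX_RG JUMPBOX_NAME
ADMIN_USERNAME CONTROLPLANE_DOMAIN_NAME CONTROLPLANE_SUBDOMAIN_NAME
ENV_NAME ENV_SHORT_NAME BRANCH"
# Optional flags that must be exactly TRUE or FALSE when present.
FLAG_VARS="CONTROLPLANE_AUTOPILOT USE_SELF_CERTS"

# env_get FILE NAME: value of NAME in FILE (last definition wins), with a
# trailing "# comment" and surrounding quotes removed. The file is parsed,
# not sourced, so leftover <placeholders> cannot be executed as commands.
env_get() {
  grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 |
    sed -e "s/^[[:space:]]*$2=//" -e 's/[[:space:]]*#.*$//' \
        -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# check_env_file FILE [KEYDIR]: print one line per problem; return 0 if none.
# KEYDIR is where ssh-keygen wrote ${JUMPBOX_NAME}.pub (defaults to $HOME).
check_env_file() {
  file="$1"; keydir="${2:-$HOME}"; problems=0
  [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 1; }

  # 1. Template placeholders that were never replaced.
  if grep -qE '=[[:space:]]*<' "$file"; then
    echo "ERROR: unreplaced <placeholder> values:"
    grep -nE '=[[:space:]]*<' "$file" | sed 's/^/  line /'
    problems=$((problems + 1))
  fi

  # 2. Every required variable is present and non-empty.
  for v in $REQUIRED_VARS; do
    if [ -z "$(env_get "$file" "$v")" ]; then
      echo "ERROR: $v is not set"; problems=$((problems + 1))
    fi
  done

  # 3. Optional flags, when given, are TRUE or FALSE.
  for v in $FLAG_VARS; do
    val=$(env_get "$file" "$v")
    case "$val" in
      ""|TRUE|FALSE) ;;
      *) echo "ERROR: $v must be TRUE or FALSE, got '$val'"; problems=$((problems + 1)) ;;
    esac
  done

  # 4. Cleanup runs "az group delete" on JUMPBOX_RG and ENV_NAME; neither
  #    may be the vault's resource group or the vault goes with them.
  vault_rg=$(env_get "$file" VAULT_RG)
  for v in JUMPBOX_RG ENV_NAME; do
    if [ -n "$vault_rg" ] && [ "$(env_get "$file" "$v")" = "$vault_rg" ]; then
      echo "ERROR: $v equals VAULT_RG ($vault_rg); cleanup would delete the key vault"
      problems=$((problems + 1))
    fi
  done

  # 5. The public key that sshKeyData is read from must exist.
  name=$(env_get "$file" JUMPBOX_NAME)
  if [ -n "$name" ] && [ ! -r "$keydir/$name.pub" ]; then
    echo "ERROR: $keydir/$name.pub not found (run ssh-keygen -t rsa -f $keydir/$name first)"
    problems=$((problems + 1))
  fi

  [ "$problems" -eq 0 ]
}

# --- constructed demo input (not real names or keys) ---------------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.env" <<'EOF'
AZURE_VAULT=examplevault001
VAULT_RG=vault-rg
AZURE_REGION=westeurope
JUMPBOX_RG=cp-jump-rg
JUMPBOX_NAME=examplejump
ADMIN_USERNAME=cpadmin
CONTROLPLANE_DOMAIN_NAME=example.test
CONTROLPLANE_SUBDOMAIN_NAME=control
ENV_NAME=cp-env-rg
ENV_SHORT_NAME=cp
BRANCH=master # the version of controlplane-jump-azure to use
USE_SELF_CERTS=TRUE
EOF
# The README's minimum file with placeholders left in, a bad flag value and
# the jumpbox resource group set to the vault's resource group.
cat > "$demo_dir/bad.env" <<'EOF'
AZURE_VAULT=<your vault name>
VAULT_RG=cp-jump-rg
JUMPBOX_RG=cp-jump-rg
JUMPBOX_NAME=examplejump
ADMIN_USERNAME=cpadmin
USE_SELF_CERTS=yes
EOF
echo "ssh-rsa AAAAexample cpadmin" > "$demo_dir/examplejump.pub"

check_env_file "$demo_dir/good.env" "$demo_dir" && echo "good.env: OK"
check_env_file "$demo_dir/bad.env" "$demo_dir" || echo "bad.env: fix the errors above"
```

Run it as `sh preflight.sh` before `source ~/.env`; for your real file call `check_env_file ~/.env` (the key directory defaults to your home, matching `ssh-keygen -f ~/${JUMPBOX_NAME}`). The file is parsed line by line rather than sourced on purpose: a line such as `AZURE_VAULT=<your vault name>` is a redirection plus a command if sourced, so it would execute rather than be reported.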

Start the deployment

Validate all things

az group create --name ${JUMPBOX_RG} --location ${AZURE_REGION}
az group deployment validate --resource-group ${JUMPBOX_RG} \
    --template-uri$BRANCH/azuredeploy.json \
    --parameters \
    adminUsername=${ADMIN_USERNAME} \
    sshKeyData="$(cat ~/${JUMPBOX_NAME}.pub)" \
    JumphostDNSLabelPrefix=${JUMPBOX_NAME} \
    envName=${ENV_NAME} \
    envShortName=${ENV_SHORT_NAME} \
    keyVaultName=${AZURE_VAULT}

Deploy all things using the standard parameters

az group create --name ${JUMPBOX_RG} --location ${AZURE_REGION}
az group deployment create --resource-group ${JUMPBOX_RG} \
    --template-uri$BRANCH/azuredeploy.json \
    --parameters \
    adminUsername=${ADMIN_USERNAME} \
    sshKeyData="$(cat ~/${JUMPBOX_NAME}.pub)" \
    JumphostDNSLabelPrefix=${JUMPBOX_NAME} \
    envName=${ENV_NAME} \
    envShortName=${ENV_SHORT_NAME} \
    keyVaultName=${AZURE_VAULT}

Deploy all things using custom parameters

az group create --name ${JUMPBOX_RG} --location ${AZURE_REGION}
az group deployment create --resource-group ${JUMPBOX_RG} \
    --template-uri$BRANCH/azuredeploy.json \
    --parameters \
    adminUsername=${ADMIN_USERNAME} \
    sshKeyData="$(cat ~/${JUMPBOX_NAME}.pub)" \
    JumphostDNSLabelPrefix=${JUMPBOX_NAME} \
    envName=${ENV_NAME} \
    envShortName=${ENV_SHORT_NAME} \
    useSelfCerts=${USE_SELF_CERTS} \
    keyVaultName=${AZURE_VAULT}

After provisioning has finished

The base provisioning of the VM takes 5 to 10 minutes on Azure. When provisioning is done, SSH into the jumphost:


Tail the installation log in the root directory

tail -f install.log

This log file covers the base provisioning. Once that has finished, the Ops Manager, BOSH Director and Control Plane installation starts, and the log will instruct you to

tail -f /home/bottkars/conductor/logs/*.log

You will find the login credentials for your control plane at the end of the log, or you can retrieve them from the jumphost with:

eval "$(om --skip-ssl-validation --env om_meetup.env bosh-env --ssh-private-key opsman)"
credhub get -n $(credhub find | grep uaa_users_admin | awk '{print $3}')

Clean up / delete the deployment

Use the following to remove the key vault access policy of the jumphost's managed identity, delete all deployed resources and drop the jumphost's entry from your known_hosts file

az keyvault delete-policy --name ${AZURE_VAULT} --object-id $(az vm identity show --resource-group ${JUMPBOX_RG} --name controlplanejumphost --query principalId --output tsv)
az group delete --name ${JUMPBOX_RG} --yes
az group delete --name ${ENV_NAME} --yes
ssh-keygen -R "${JUMPBOX_NAME}.${AZURE_REGION}"