This page contains an example of using a remote-exec Terraform provisioner to install the Cmd Control agent on a VM hosted on AWS.

This example assumes:

  • SSH access has already been allowed in any applicable firewalls.

  • The target VMs are configured to allow Terraform to access them via SSH, with its public key.

Last-tested version of Terraform:

This was last tested with Terraform v0.12.24.


  1. Choose a directory. This example uses a directory called terraform_cmd .

  2. In the terraform_cmd directory, create the two files shown below
    ( and ).

  3. Change the following variables in :

  • CMD_API_KEY — Your Cmd project key.

  • CMD_ARCH — Currently, the only valid value is amd64 (includes x86_64).

  • CMD_PKG_FORMAT — Either deb or rpm , depending on the target OS.

  • CMD_PKG_VERSION — The version of the agent you wish to download. Use a supported version number, or leave it blank for the latest version.

  • CMD_AGENT_TYPE — Choose whether to install the Cmd Control or Cmd Audit agent. Use ccf for the Cmd Control agent, or cmd for the Cmd Audit agent. (Make sure that the version number you specify matches the agent_type .)

  • CMD_SUB — Your Cmd instance's subdomain. For example if your Cmd web app is at , use "sub1". If it's at , use "sub2".

4. In the terraform_cmd directory, run terraform apply .

5. After the command completes, Cmd will begin monitoring the VM.

The terraform configuration file:
This terraform configuration file creates a VM using AWS, then uses the script below
( ) to install the Cmd Control agent on the VM.

provider "aws" {
region = "us-west-2"

data "aws_ami" "ubuntu" {
most_recent = true
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
filter {
name = "virtualization-type"
values = ["hvm"]
owners = ["099720109477"] # Canonical

resource "aws_instance" "web" {
ami =
instance_type = "t2.micro"

provisioner "file" {
source = ""
destination = "/tmp/"
connection {
user = "ubuntu"
host = self.public_ip
provisioner "remote-exec" {
inline = [
"chmod +x /tmp/",
"sudo /tmp/"
connection {
user = "ubuntu"
host = self.public_ip

This script uses your Cmd api key to download the specified version of the Cmd Control agent, and installs it.

CMD_ARCH="amd64" #Supported architecture: amd64
CMD_PKG_FORMAT="deb" #Supported formats: rpm, deb
CMD_PKG_VERSION="" #A supported version number, or "" for latest
CMD_AGENT_TYPE="ccf" #Supported values: cmd, ccf
CMD_SUB="sub2" #Your Cmd webapp subdomain(e.g. sub1, sub2, sub3)

mkdir -p /etc/cmd/
cat <<- EOF > /etc/cmd/config.ini

echo "${CMD_API_KEY}" > /etc/cmd/cmd.prj
chown root:root /etc/cmd/cmd.prj /etc/cmd/config.ini
chmod 0644 /etc/cmd/cmd.prj /etc/cmd/config.ini

curl -L -o /tmp/${CMD_AGENT_TYPE}-${CMD_PKG_VERSION}.${CMD_PKG_FORMAT} -H "project-key: ${CMD_API_KEY}" "https://${CMD_SUB}${CMD_AGENT_TYPE}?architecture=${CMD_ARCH}&format=${CMD_PKG_FORMAT}&version=${CMD_PKG_VERSION}"

systemctl restart cmd

Related resources

Did this answer your question?