From ae05f978742df4c338dd5fd4cffd1727fd743b41 Mon Sep 17 00:00:00 2001
From: Dan Runt
Date: Wed, 8 Oct 2025 08:27:11 -0400
Subject: [PATCH 1/2] Add enroll secret to terraforms
---
 infrastructure/AWS/README.md | 1 +
 infrastructure/AWS/main.tf | 3 ++-
 infrastructure/AWS/variables.tf | 6 ++++++
 infrastructure/Azure/README.md | 1 +
 infrastructure/Azure/main.tf | 3 ++-
 infrastructure/Azure/variables.tf | 6 ++++++
 infrastructure/GCP/README.md | 1 +
 infrastructure/GCP/main.tf | 5 +++--
 infrastructure/GCP/variables.tf | 6 ++++++
 9 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/infrastructure/AWS/README.md b/infrastructure/AWS/README.md
index cde806f..73fd80b 100644
--- a/infrastructure/AWS/README.md
+++ b/infrastructure/AWS/README.md
@@ -48,6 +48,7 @@ This directory contains Terraform configuration files for deploying infrastructu
 - Create a file named `secret.auto.tfvars` (not committed to git) and set sensitive variables like:
 ```hcl
 rhino_agent_id = ""
+ rhino_enroll_secret = ""
 rhino_package_registry_user = ""
 rhino_package_registry_password = ""
 ```
diff --git a/infrastructure/AWS/main.tf b/infrastructure/AWS/main.tf
index 3b5e163..ac83e12 100644
--- a/infrastructure/AWS/main.tf
+++ b/infrastructure/AWS/main.tf
@@ -481,8 +481,9 @@ resource "aws_instance" "main" {
 }
 user_data = format(
- "#!/bin/bash\ncurl -fsS --proto '=https' https://activate.rhinohealth.com | sudo RHINO_AGENT_ID='%s' PACKAGE_REGISTRY_USER='%s' PACKAGE_REGISTRY_PASSWORD='%s' SKIP_HW_CHECK=True bash -",
+ "#! /bin/bash\ncurl -fsS --proto '=https' https://activate.rhinohealth.com | sudo RHINO_AGENT_ID='%s' FLEET_ENROLL_SECRET='%s' PACKAGE_REGISTRY_USER='%s' PACKAGE_REGISTRY_PASSWORD='%s' SKIP_HW_CHECK=True bash -",
 var.rhino_agent_id,
+ var.rhino_enroll_secret,
 var.rhino_package_registry_user,
 var.rhino_package_registry_password
 )
diff --git a/infrastructure/AWS/variables.tf b/infrastructure/AWS/variables.tf
index 7fd30d0..3a672c3 100644
--- a/infrastructure/AWS/variables.tf
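Review bot: The AWS `user_data` format() call in infrastructure/AWS/main.tf now embeds the Fleet enroll secret in instance user data, which is not a secret store: any process on the instance can read it from the instance metadata service, and any principal allowed `ec2:DescribeInstanceAttribute` can read it through the API. `sensitive = true` on the variable only redacts Terraform's own output, so it does not change that. The same point applies to the Azure `custom_data` hunk (`base64encode` is an encoding, not protection) and to the GCP `metadata_startup_script` hunk. If the value has to stay here, I would at least record the exposure next to the call, e.g. `# user_data is not a secret store: readable via IMDS and ec2:DescribeInstanceAttribute`; a sturdier design has the boot script fetch the secret from the cloud's secret store using the instance's own identity, which needs resources that are not part of this hunk. The `aws_instance` resource block starts and ends outside the hunk.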
+++ b/infrastructure/AWS/variables.tf
@@ -66,6 +66,12 @@ variable "rhino_agent_id" {
 }
 # --- Sensitive Variables ---
+variable "rhino_enroll_secret" {
+ description = "The Fleet Enrollment Secret"
+ type = string
+ sensitive = true
+}
+
 variable "rhino_package_registry_user" {
 description = "The user for the Rhino Health package registry."
 type = string
diff --git a/infrastructure/Azure/README.md b/infrastructure/Azure/README.md
index 9eeea92..aafda3b 100644
--- a/infrastructure/Azure/README.md
+++ b/infrastructure/Azure/README.md
@@ -43,6 +43,7 @@ This directory contains Terraform configuration files for deploying infrastructu
 - Create a file named `secret.auto.tfvars` (not committed to git) and set sensitive variables like:
 ```hcl
 rhino_agent_id = ""
+ rhino_enroll_secret = ""
 rhino_package_registry_user = ""
 rhino_package_registry_password = ""
 ```
diff --git a/infrastructure/Azure/main.tf b/infrastructure/Azure/main.tf
index 343763f..33de28a 100644
--- a/infrastructure/Azure/main.tf
+++ b/infrastructure/Azure/main.tf
@@ -384,8 +384,9 @@ resource "azurerm_linux_virtual_machine" "main" {
 }
 custom_data = base64encode(format(
- "#!/bin/bash\ncurl -fsS --proto '=https' https://activate.rhinohealth.com | sudo RHINO_AGENT_ID='%s' PACKAGE_REGISTRY_USER='%s' PACKAGE_REGISTRY_PASSWORD='%s' SKIP_HW_CHECK=True bash -",
+ "#! /bin/bash\ncurl -fsS --proto '=https' https://activate.rhinohealth.com | sudo RHINO_AGENT_ID='%s' FLEET_ENROLL_SECRET='%s' PACKAGE_REGISTRY_USER='%s' PACKAGE_REGISTRY_PASSWORD='%s' SKIP_HW_CHECK=True bash -",
 var.rhino_agent_id,
+ var.rhino_enroll_secret,
 var.rhino_package_registry_user,
 var.rhino_package_registry_password
 ))
diff --git a/infrastructure/Azure/variables.tf b/infrastructure/Azure/variables.tf
index aeda460..3c6cc96 100644
--- a/infrastructure/Azure/variables.tf
+++ b/infrastructure/Azure/variables.tf
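Review bot: `rhino_enroll_secret` in infrastructure/AWS/variables.tf accepts any string, but main.tf substitutes it into `FLEET_ENROLL_SECRET='%s'` inside a script that runs under sudo, so a value containing a single quote ends the quoting and the remainder is parsed as shell, and an empty value (the README's `""` placeholder) passes silently. A `validation` block on the variable rejects both at plan time instead of at first boot. The identical variable added in the Azure and GCP variables.tf hunks needs the same block, and the neighbouring registry variables appear to be interpolated the same way, so they may deserve the check too.

```hcl
variable "rhino_enroll_secret" {
  # … unchanged: description, type, sensitive …
  validation {
    condition     = can(regex("^[^']+$", var.rhino_enroll_secret))
    error_message = "rhino_enroll_secret must be non-empty and must not contain a single quote."
  }
}
```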
@@ -89,6 +89,12 @@ variable "rhino_agent_id" {
 sensitive = true
 }
+variable "rhino_enroll_secret" {
+ description = "The Fleet Enrollment Secret"
+ type = string
+ sensitive = true
+}
+
 variable "rhino_package_registry_user" {
 description = "The user for the Rhino Health package registry."
 type = string
diff --git a/infrastructure/GCP/README.md b/infrastructure/GCP/README.md
index 60367f7..4642f58 100644
--- a/infrastructure/GCP/README.md
+++ b/infrastructure/GCP/README.md
@@ -40,6 +40,7 @@ This directory contains Terraform configuration files for deploying infrastructu
 - Create a file named `secret.auto.tfvars` (not committed to git) and set sensitive variables like:
 ```hcl
 rhino_agent_id = ""
+ rhino_enroll_secret = ""
 rhino_package_registry_user = ""
 rhino_package_registry_password = ""
 ```
diff --git a/infrastructure/GCP/main.tf b/infrastructure/GCP/main.tf
index 432413f..28529bf 100644
--- a/infrastructure/GCP/main.tf
+++ b/infrastructure/GCP/main.tf
@@ -232,8 +232,9 @@ resource "google_compute_instance" "main" {
 # metadata_startup_script = file("${path.module}/install.sh")
 metadata_startup_script = format(
- "#! /bin/bash\ncurl -fsS --proto '=https' https://activate.rhinohealth.com | sudo RHINO_AGENT_ID='%s' PACKAGE_REGISTRY_USER='%s' PACKAGE_REGISTRY_PASSWORD='%s' SKIP_HW_CHECK=True bash -",
+ "#! /bin/bash\ncurl -fsS --proto '=https' https://activate.rhinohealth.com | sudo RHINO_AGENT_ID='%s' FLEET_ENROLL_SECRET='%s' PACKAGE_REGISTRY_USER='%s' PACKAGE_REGISTRY_PASSWORD='%s' SKIP_HW_CHECK=True bash -",
 var.rhino_agent_id,
+ var.rhino_enroll_secret,
 var.rhino_package_registry_user,
 var.rhino_package_registry_password
 )
@@ -275,4 +276,4 @@ resource "google_project_iam_audit_config" "all" {
 audit_log_config {
 log_type = "DATA_WRITE"
 }
-}
\ No newline at end of file
+}
diff --git a/infrastructure/GCP/variables.tf b/infrastructure/GCP/variables.tf
index ed9d754..35997ff 100644
--- a/infrastructure/GCP/variables.tf
+++ b/infrastructure/GCP/variables.tf
@@ -55,6 +55,12 @@ variable "rhino_agent_id" {
 sensitive = true
 }
+variable "rhino_enroll_secret" {
+ description = "The Fleet Enrollment Secret"
+ type = string
+ sensitive = true
+}
+
 variable "rhino_package_registry_user" {
 description = "The user for the Rhino Health package registry."
 type = string
From 4ca123557f469cf9304d79dfaee1a2b94f5fadee Mon Sep 17 00:00:00 2001
From: dan-rhino
Date: Thu, 9 Oct 2025 08:08:37 -0400
Subject: [PATCH 2/2] Apply suggestions from code review
Co-authored-by: rkrolikov-rhinohealth
---
 infrastructure/AWS/main.tf | 2 +-
 infrastructure/Azure/main.tf | 2 +-
 infrastructure/GCP/main.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/infrastructure/AWS/main.tf b/infrastructure/AWS/main.tf
index ac83e12..86bbf00 100644
--- a/infrastructure/AWS/main.tf
+++ b/infrastructure/AWS/main.tf
@@ -481,7 +481,7 @@ resource "aws_instance" "main" {
 }
 user_data = format(
- "#! /bin/bash\ncurl -fsS --proto '=https' https://activate.rhinohealth.com | sudo RHINO_AGENT_ID='%s' FLEET_ENROLL_SECRET='%s' PACKAGE_REGISTRY_USER='%s' PACKAGE_REGISTRY_PASSWORD='%s' SKIP_HW_CHECK=True bash -",
+ "#!/bin/bash\ncurl -fsS --proto '=https' https://activate.rhinohealth.com | sudo RHINO_AGENT_ID='%s' FLEET_ENROLL_SECRET='%s' PACKAGE_REGISTRY_USER='%s' PACKAGE_REGISTRY_PASSWORD='%s' SKIP_HW_CHECK=True bash -",
 var.rhino_agent_id,
 var.rhino_enroll_secret,
 var.rhino_package_registry_user,
diff --git a/infrastructure/Azure/main.tf b/infrastructure/Azure/main.tf
index 33de28a..70f3898 100644
--- a/infrastructure/Azure/main.tf
+++ b/infrastructure/Azure/main.tf
@@ -384,7 +384,7 @@ resource "azurerm_linux_virtual_machine" "main" {
 }
 custom_data = base64encode(format(
- "#! /bin/bash\ncurl -fsS --proto '=https' https://activate.rhinohealth.com | sudo RHINO_AGENT_ID='%s' FLEET_ENROLL_SECRET='%s' PACKAGE_REGISTRY_USER='%s' PACKAGE_REGISTRY_PASSWORD='%s' SKIP_HW_CHECK=True bash -",
+ "#!/bin/bash\ncurl -fsS --proto '=https' https://activate.rhinohealth.com | sudo RHINO_AGENT_ID='%s' FLEET_ENROLL_SECRET='%s' PACKAGE_REGISTRY_USER='%s' PACKAGE_REGISTRY_PASSWORD='%s' SKIP_HW_CHECK=True bash -",
 var.rhino_agent_id,
 var.rhino_enroll_secret,
 var.rhino_package_registry_user,
diff --git a/infrastructure/GCP/main.tf b/infrastructure/GCP/main.tf
index 28529bf..67b3ac9 100644
--- a/infrastructure/GCP/main.tf
+++ b/infrastructure/GCP/main.tf
@@ -232,7 +232,7 @@ resource "google_compute_instance" "main" {
 # metadata_startup_script = file("${path.module}/install.sh")
 metadata_startup_script = format(
- "#! /bin/bash\ncurl -fsS --proto '=https' https://activate.rhinohealth.com | sudo RHINO_AGENT_ID='%s' FLEET_ENROLL_SECRET='%s' PACKAGE_REGISTRY_USER='%s' PACKAGE_REGISTRY_PASSWORD='%s' SKIP_HW_CHECK=True bash -",
+ "#!/bin/bash\ncurl -fsS --proto '=https' https://activate.rhinohealth.com | sudo RHINO_AGENT_ID='%s' FLEET_ENROLL_SECRET='%s' PACKAGE_REGISTRY_USER='%s' PACKAGE_REGISTRY_PASSWORD='%s' SKIP_HW_CHECK=True bash -",
 var.rhino_agent_id,
 var.rhino_enroll_secret,
 var.rhino_package_registry_user,