Configuring BOSH Director on Azure Using Terraform

Page last updated:

This topic describes how to configure the BOSH Director for Pivotal Cloud Foundry (PCF) on Azure after Launching a BOSH Director Instance on Azure Using Terraform.

Note: You can also perform the procedures in this topic using the Ops Manager API. For more information, see the Using the Ops Manager API topic.

Prerequisite

To complete the procedures in this topic, you must have access to the output from when you ran terraform apply to create resources for this deployment. You can view this output at any time by running terraform output. You use the values in your Terraform output to configure the BOSH Director tile.

Step 1: Access Ops Manager

Note: For security, Ops Manager v1.7 and later require that you log in using a fully qualified domain name.

  1. In a web browser, navigate to the fully qualified domain name (FQDN) of the BOSH Director. Use the ops_manager_dns value from running terraform output.

  2. When Ops Manager starts for the first time, you must choose one of the following:

    • Internal Authentication: If you use Internal Authentication, PCF maintains your user database.
    • SAML Identity Provider: If you use a SAML Identity Provider (IdP), an external identity server maintains your user database.
    • LDAP Server: If you use a LDAP Server, an external identity server maintains your user database.

    Select authentication

Internal Authentication

  1. When redirected to the Internal Authentication page, you must complete the following steps:

    • Enter a Username, Password, and Password confirmation to create an Admin user.
    • Enter a Decryption passphrase and the Decryption passphrase confirmation. This passphrase encrypts the Ops Manager datastore, and is not recoverable.
    • If you are using an HTTP proxy or HTTPS proxy, follow the instructions in the Configuring Proxy Settings for the BOSH CPI topic.
    • Read the End User License Agreement, and select the checkbox to accept the terms.
    • Click Setup Authentication.

    Om login

  2. Log in to Ops Manager with the Admin username and password you created in the previous step.

    Cf login

SAML Identity Provider

  1. Log in to your IdP console and download the IdP metadata XML. Optionally, if your IdP supports metadata URL, you can copy the metadata URL instead of the XML.

  2. Copy the IdP metadata XML or URL to the Ops Manager SAML Identity Provider login page.
    Meta om

    Note: The same IdP metadata URL or XML is applied for the BOSH Director. If you use a separate IdP for BOSH, copy the metadata XML or URL from that IdP and enter it into the BOSH IdP Metadata text box in the Ops Manager login page.

  3. Enter values for the fields listed below. Failure to provide values in these fields results in a 500 error.

    • SAML admin group: Enter the name of the SAML group that contains all Ops Manager administrators.
    • SAML groups attribute: Enter the groups attribute tag name with which you configured the SAML server.
  4. Enter your Decryption passphrase. Read the End User License Agreement, and select the checkbox to accept the terms.

  5. Your Ops Manager login page appears. Enter your username and password. Click Login.

  6. Download your SAML Service Provider metadata (SAML Relying Party metadata) by navigating to the following URLs:

    • 6a. Ops Manager SAML service provider metadata: https://OPS-MAN-FQDN:443/uaa/saml/metadata
    • 6b. BOSH Director SAML service provider metadata: https://BOSH-IP-ADDRESS:8443/saml/metadata

      Note: To retrieve your BOSH-IP-ADDRESS, navigate to the BOSH Director tile > Status tab. Record the BOSH Director IP address.

  7. Configure your IdP with your SAML Service Provider metadata. Import the Ops Manager SAML provider metadata from Step 6a above to your IdP. If your IdP does not support importing, provide the values below.

    • Single sign on URL: https://OPS-MAN-FQDN:443/uaa/saml/SSO/alias/OPS-MAN-FQDN
    • Audience URI (SP Entity ID): https://OP-MAN-FQDN:443/uaa
    • Name ID: Email Address
    • SAML authentication requests are always signed
  8. Import the BOSH Director SAML provider metadata from Step 6b to your IdP. If the IdP does not support an import, provide the values below.

    • Single sign on URL: https://BOSH-IP:8443/saml/SSO/alias/BOSH-IP
    • Audience URI (SP Entity ID): https://BOSH-IP:8443
    • Name ID: Email Address
    • SAML authentication requests are always signed
  9. Return to the BOSH Director tile, and continue with the configuration steps below.

Note: For an example of configuring SAML integration between Ops Manager and your IdP, see Configuring Active Directory Federation Services as an Identity Provider.

LDAP Server

  • For Server URL, enter the URL that point your LDAP server. With multiple LDAP servers, separate their URLs with spaces. Each URL must include one of the following protocols:

    • ldap://: This specifies that the LDAP server uses an unencrypted connection.
    • ldaps://: This specifies that the LDAP server uses SSL for an encrypted connection and requires that the LDAP server holds a trusted certificate or that you import a trusted certificate to the JVM truststore. Ldap serv
  • For LDAP Username and LDAP Password, enter the LDAP Distinguished Name (DN) and the password for binding to the LDAP Server. Example DN: cn=administrator,ou=Users,dc=example,dc=com

    Note: Pivotal recommends that you provide LDAP credentials that grant read-only permissions on the LDAP Search Base and the LDAP Group Search Base. In addition to this, if the bind user belongs to a different search base, you must use the full DN.

    WARNING: Pivotal recommends against reusing LDAP service accounts across environments. LDAP service accounts should not be subject to manual lockouts, such as lockouts that result from users utilizing the same account. Also, LDAP service accounts should not be subject to automated deletions, since disruption to these service accounts could prevent user logins.

  • For User Search Base, enter the location in the LDAP directory tree from which any LDAP User search begins. The typical LDAP Search Base matches your domain name.

    For example, a domain named “cloud.example.com” typically uses the following LDAP User Search Base: ou=Users,dc=example,dc=com

  • For User Search Filter, enter a string that defines LDAP User search criteria. These search criteria allow LDAP to perform more effective and efficient searches. For example, the standard LDAP search filter cn=Smith returns all objects with a common name equal to Smith.

    In the LDAP search filter string that you use to configure PAS, use {0} instead of the username. For example, use cn={0} to return all LDAP objects with the same common name as the username.

    In addition to cn, other attributes commonly searched for and returned are mail, uid and, in the case of Active Directory, sAMAccountName.

    Note: For instructions for testing and troubleshooting your LDAP search filters, see the Configuring LDAP Integration with Pivotal Cloud Foundry Knowledge Base article.

  • For Group Search Base, enter the location in the LDAP directory tree from which the LDAP Group search begins.

    For example, a domain named “cloud.example.com” typically uses the following LDAP Group Search Base: ou=Groups,dc=example,dc=com

    Note: For the PAS runtime, see Adding Existing SAML or LDAP Users to a PCF Deployment to on-board individual LDAP users and map them to Ops Manager roles.

  • For Group Search Filter, enter a string that defines LDAP Group search criteria. The standard value is member={0}.

  • For Email Attribute, enter the attribute name in your LDAP directory that corresponds to the email address in each user record, for example mail.

  • For LDAP RBAC Admin Group Name, enter the DN of the LDAP group you want to have admin permissions in Ops Manager.

  • From the dropdown menu, select how the UAA handles LDAP server referrals out to other external user stores. The UAA can:

    • Automatically follow any referrals.
    • Ignore referrals and return partial result.
    • Throw exception for each referral and abort.
  • For Server SSL Cert, paste in the root certificate from your CA certificate or your self-signed certificate.

  • Enter a Decryption passphrase and the Decryption passphrase confirmation. This passphrase encrypts the Ops Manager datastore, and is not recoverable.

  • If you are using an HTTP proxy or HTTPS proxy, follow the instructions in Configuring Proxy Settings for the BOSH CPI.

  • Read the End User License Agreement, and select the checkbox to accept the terms.

  • Select Provision an admin client in the BOSH UAA. You can use this to enable BOSH automation with scripts and tooling. For more information, see Provision Admin Client in Creating UAA Clients for BOSH Director.

  • Click Setup Authentication.

  • Return to the BOSH Director tile, and continue with the configuration steps below.

Step 2: Azure Config Page

  1. Click the BOSH Director tile.

    Director tile azure

  2. Select Azure Config.

    Azure config

  3. Complete the following fields with information you obtained in the Preparing to Deploy PCF on Azure topic.

    • Subscription ID: Enter the ID of your Azure subscription.
    • Tenant ID: Enter your TENANT_ID.
    • Application ID: Enter the APPLICATION_ID that you created in the Create an Azure Active Directory Application step of the Preparing to Deploy PCF on Azure topic.
    • Client Secret: Enter your CLIENT_SECRET.
  4. Complete the following fields:

    • Resource Group Name: Enter the name of your resource group, which is exported from Terraform as the output pcf_resource_group_name.
    • BOSH Storage Account Name: Enter the name of your storage account, which is exported from Terraform as the output bosh_root_storage_account.
  5. For Cloud Storage Type, select Use Storage Accounts and enter the wildcard_vm_storage_account output from Terraform. Storage accounts

  6. For Default Security Group, enter the bosh_deployed_vms_security_group_name output from Terraform.

  7. For SSH Public Key, enter the ops_manager_ssh_public_key output from Terraform.

  8. For SSH Private Key, enter the ops_manager_ssh_private_key output from Terraform.

  9. For Azure Environment, select the Azure cloud you want to use. Pivotal recommends Azure Commercial Cloud for most Azure environments.

    Note: If you selected Azure Stack or Azure Government Cloud as your Azure environment, you must set custom VM types. For more information, see Prerequisites for Azure Stack or Azure Government Cloud.

  10. Click Save.

Step 3: Director Config Page

  1. In Ops Manager, select Director Config.

  2. In the NTP Servers (comma delimited) field, enter a comma-separated list of valid NTP servers.

    Note: The NTP server configuration only updates after VM recreation. Ensure that you select the Recreate all VMs checkbox if you modify the value of this field.

  3. Leave the JMX Provider IP Address field blank.

    Note: Starting in PCF v2.0, BOSH-reported component metrics are available in the Loggregator Firehose by default. If you continue to use PCF JMX Bridge to consume these component metrics outside of the Firehose, you may receive duplicate data. To prevent this, leave the JMX Provider IP Address field blank. For additional guidance, see BOSH System Metrics Available in Loggregator Firehose in the PCF v2.0 Release Notes.

  4. Leave the Bosh HM Forwarder IP Address field blank.

    Note: Starting in PCF v2.0, BOSH-reported component metrics are available in the Loggregator Firehose by default. If you continue to use the BOSH HM Forwarder to consume these component metrics, you may receive duplicate data. To prevent this, leave the Bosh HM Forwarder IP Address field blank. For additional guidance, see BOSH System Metrics Available in Loggregator Firehose in the PCF v2.0 Release Notes.

  5. Select the Enable VM Resurrector Plugin checkbox to enable the Ops Manager Resurrector functionality and increase your runtime availability.

  6. Select Enable Post Deploy Scripts to run a post-deploy script after deployment. This script allows the job to execute additional commands against a deployment.

    Note: You must enable post-deploy scripts to install PKS.

  7. Select Recreate all VMs to force BOSH to recreate all VMs on the next deploy. This process does not destroy any persistent disk data.

  8. Select Recreate All Persistent Disks to force BOSH to migrate and recreate persistent disks for the BOSH Director and all tiles. This process does not destroy any persistent disk data.

  9. Select Enable bosh deploy retries to instruct Ops Manager to retry failed BOSH operations up to five times.

  10. (Optional) Disable Allow Legacy Agents if all of your tiles have stemcells v3468 or later. Disabling the field will allow Ops Manager to implement TLS secure communications.

  11. Select Keep Unreachable Director VMs if you want to preserve BOSH Director VMs after a failed deployment for troubleshooting purposes.

  12. Select HM Pager Duty Plugin to enable Health Monitor integration with PagerDuty. Director hm pager

    • Service Key: Enter your API service key from PagerDuty.
    • HTTP Proxy: Enter an HTTP proxy for use with PagerDuty.
  13. Select HM Email Plugin to enable Health Monitor integration with email. Director hm email

    • Host: Enter your email hostname.
    • Port: Enter your email port number.
    • Domain: Enter your domain.
    • From: Enter the address for the sender.
    • Recipients: Enter comma-separated addresses of intended recipients.
    • Username: Enter the username for your email server.
    • Password: Enter the password for your email server.
    • Enable TLS: Select this checkbox to enable Transport Layer Security.
  14. For CredHub Encryption Provider, you can choose whether BOSH CredHub stores its encryption key internally on the BOSH Director and CredHub VM, or in an external hardware security module (HSM). The HSM option is more secure.

    Before configuring an HSM encryption provider in the Director Config pane, you must follow the procedures and collect information described in Preparing CredHub HSMs for Configuration.

    Note: After you deploy Ops Manager with an HSM encryption provider, you cannot change BOSH CredHub to store encryption keys internally.

    CredHub Encryption Provider options in the Director Config pane

    • Internal: Select this option for internal CredHub key storage. This option is selected by default and requires no additional configuration.
    • Luna HSM: Select this option to use a SafeNet Luna HSM as your permanent CredHub encryption provider, and fill in the following fields:
      1. Encryption Key Name: Any name to identify the key that the HSM uses to encrypt and decrypt the CredHub data. Changing this key name after you deploy Ops Manager can cause service downtime.
      2. Provider Partition: The partition that stores your encryption key. Changing this partition after you deploy Ops Manager could cause service downtime. For this value and the ones below, use values gathered in Preparing CredHub HSMs for Configuration.
      3. Provider Partition Password
      4. Provider Client Certificate: The certificate that validates the identity of the HSM when CredHub connects as a client.
      5. Provider Client Certificate Private Key
      6. HSM Host Address
      7. HSM Port Address: If you do not know your port address, enter 1792.
      8. Partition Serial Number
      9. HSM Certificate: The certificate that the HSM presents to CredHub to establish a two-way mTLS connection.

  15. Select a Blobstore Location to either configure the blobstore as an internal server or an external endpoint. Because the internal server is unscalable and less secure, Pivotal recommends that you configure an external blobstore.

    Note: After you deploy Ops Manager, you cannot change the blobstore location.

    Blobstore location options in the Director Config pane

    • Internal: Select this option to use an internal blobstore. Ops Manager creates a new VM for blob storage. No additional configuration is required.
      • Enable TLS: Select this checkbox to enable TLS.

        Note: If you are using PAS for Windows 2016, make sure you have downloaded Windows stemcell v1709.10 or higher before enabling TLS.

    • S3 Compatible Blobstore: Select this option to use an external S3-compatible endpoint. Follow the procedures in Sign up for Amazon S3 and Creating a Bucket in the AWS documentation. When you have created an S3 bucket, complete the following steps:
      1. S3 Endpoint: Navigate to the Regions and Endpoints topic in the AWS documentation.
        1. Locate the endpoint for your region in the Amazon Simple Storage Service (S3) table and construct a URL using your region’s endpoint. For example, if you are using the us-west-2 region, the URL you create would be https://s3-us-west-2.amazonaws.com. Enter this URL into the S3 Endpoint field.
        2. On a command line, run ssh ubuntu@OPS-MANAGER-FQDN to SSH into the Ops Manager VM. Replace OPS-MANAGER-FQDN with the fully qualified domain name of Ops Manager.
        3. Copy the custom public CA certificate you used to sign the S3 endpoint into /etc/ssl/certs on the Ops Manager VM.
        4. On the Ops Manager VM, run sudo update-ca-certificates -f -v to import the custom CA certificate into the Ops Manager VM truststore.

          Note: You must also add this custom CA certificate into the Trusted Certificates field in the Security page. See Complete the Security Page for instructions.

      2. Bucket Name: Enter the name of the S3 bucket.
      3. Access Key and Secret Key: Enter the keys you generated when creating your S3 bucket.
      4. Select V2 Signature or V4 Signature. If you select V4 Signature, enter your Region.

        Note: AWS recommends using Signature Version 4. For more information about AWS S3 Signatures, see Authenticating Requests in the AWS documentation.

    • GCS Blobstore: Select this option to use an external GCS endpoint. To create a GCS bucket, you must have a GCS account. Follow the procedures in Creating Storage Buckets in the GCS documentation to create a GCS bucket. When you have created a GCS bucket, complete the following steps:
      1. Bucket Name: Enter the name of your GCS bucket.
      2. Storage Class: Select the storage class for your GCS bucket. See Storage Classes in the GCP documentation for more information.
      3. Service Account Key: Follow the steps in the Set Up an IAM Service Account section of Preparing to Deploy PCF on GCP to download a JSON file with a private key. Enter the contents of the JSON file into the field.

  16. For Database Location, select Internal.

  17. (Optional) Modify the Director Workers value, which sets the number of workers available to execute Director tasks. This field defaults to 5.

  18. (Optional) Max Threads sets the maximum number of threads that the BOSH Director can run simultaneously. Pivotal recommends that you leave the field blank to use the defaul value, unless doing so results in rate limiting or errors on your IaaS.

  19. (Optional) To add a custom URL for your BOSH Director, enter a valid hostname in Director Hostname. You can also use this field to configure a load balancer in front of your BOSH Director.

    WARNING: In Ops Manager v2.3.2 and earlier, if you change the Director Hostname after your initial deployment, VMs become unavailable. This causes PCF downtime. To restore VM availability, enable Recreate All VMs and redeploy. This issue is resolved in Ops Manager 2.3.3 and later.

    Director workers

  20. (Optional) Enter your list of comma-separated Excluded Recursors to declare which IP addresses and ports should not be used by the DNS server.

  21. (Optional) To set a custom banner that users see when logging in to the Director using SSH, enter text in the Custom SSH Banner field.

  22. (Optional) Enter your comma-separated custom Identification Tags. For example, iaas:foundation1, hello:world. You can use the tags to identify your foundation when viewing VMs or disks from your IaaS.

    Note: Azure has limited space for identification tags. Pivotal recommends entering no more than five tags.

  23. Click Save.

Step 4: Create Networks Page

Select Create Networks and follow the procedures in this section to add the network configuration you created for your VPC.

Create the Management Network

  1. Click Add Network.

  2. (Optional) Select Enable ICMP checks to enable ICMP on your networks. Ops Manager uses ICMP checks to confirm that components within your network are reachable.

  3. For Name, enter the name of the network you want to create. For example, Management.

  4. Under Subnets, complete the following fields:

    • Azure Network Name: Enter NETWORK-NAME/SUBNET-NAME, where NETWORK-NAME is the network_name output from Terraform and SUBNET-NAME is the management_subnet_name output from Terraform.

      Note: The Azure portal sometimes displays the names of resources with incorrect capitalization. Always use the Azure CLI to retrieve the correctly capitalized name of a resource.

    • CIDR: Enter the CIDR listed under management_subnet_cidrs output from Terraform. For example, 10.0.8.0/26.
    • Reserved IP Ranges: Enter the first 9 IP addresses of the subnet. For example, 10.0.8.1-10.0.8.9.
    • DNS: Enter 168.63.129.16.
    • Gateway: Enter the first IP address of the subnet. For example, 10.0.8.1. Create networks management
  5. Click Save.

    Note: After you deploy Ops Manager, you add subnets with overlapping Availability Zones to expand your network. For more information about configuring additional subnets, see Expanding Your Network with Additional Subnets.

Create the PAS Network

  1. Click Add Network.

  2. (Optional) Select Enable ICMP checks to enable ICMP on your networks. Ops Manager uses ICMP checks to confirm that components within your network are reachable.

  3. For Name, enter the name of the network you want to create. For example, PAS.

  4. Under Subnets, complete the following fields:

    • Azure Network Name: Enter NETWORK-NAME/SUBNET-NAME, where NETWORK-NAME is the network_name output from Terraform and SUBNET-NAME is the pas_subnet_name output from Terraform.
    • CIDR: Enter the CIDR listed under pas_subnet_cidrs output from Terraform. For example, 10.0.0.0/22.
    • Reserved IP Ranges: Enter the first 9 IP addresses of the subnet. For example, 10.0.0.1-10.0.0.9.
    • DNS: Enter 168.63.129.16.
    • Gateway: Enter the first IP address of the subnet. For example, 10.0.0.1. Create networks deployment
  5. Click Save.

Create the Services Network

  1. (Optional) Select Enable ICMP checks to enable ICMP on your networks. Ops Manager uses ICMP checks to confirm that components within your network are reachable.

  2. For Name, enter the name of the network you want to create. For example, Services.

  3. Under Subnets, complete the following fields:

    • Azure Network Name: Enter NETWORK-NAME/SUBNET-NAME, where NETWORK-NAME is the network_name output from Terraform and SUBNET-NAME is the services_subnet_name output from Terraform.
    • CIDR: Enter the CIDR listed under services_subnet_cidrs output from Terraform. For example, 10.0.4.0/22.
    • Reserved IP Ranges: Enter the first 9 IP addresses of the subnet. For example, 10.0.4.1-10.0.4.9.
    • DNS: Enter 168.63.129.16.
    • Gateway: Enter the first IP address of the subnet. For example, 10.0.4.1. Create networks services
  4. Click Save. If you do not have Enable ICMP checks selected, you may see red warnings which you can safely ignore.

Step 5: Assign Networks Page

  1. Select Assign Networks.

    Assign networks

  2. Use the drop-down menu to select the management network for your BOSH Director.

  3. Click Save.

Step 6: Security Page

  1. Select Security.

    Om security

  2. In Trusted Certificates, enter your custom certificate authority (CA) certificates to insert into your organization’s certificate trust chain. This feature enables all BOSH-deployed components in your deployment to trust custom root certificates.

    To enter multiple certificates, paste your certificates one after the other. For example, format your certificates like the following:

    -----BEGIN CERTIFICATE-----
    ABCDEFGH12345678ABCDEFGH12345678ABCDEFGH12345678AB
    EFGH12345678ABCDEFGH12345678ABCDEFGH12345678ABCDEF
    GH12345678ABCDEFGH12345678ABCDEFGH12345678...
    ------END CERTIFICATE------
    -----BEGIN CERTIFICATE-----
    BCDEFGH12345678ABCDEFGH12345678ABCDEFGH12345678ABB
    EFGH12345678ABCDEFGH12345678ABCDEFGH12345678ABCDEF
    GH12345678ABCDEFGH12345678ABCDEFGH12345678...
    ------END CERTIFICATE------
    -----BEGIN CERTIFICATE-----
    CDEFGH12345678ABCDEFGH12345678ABCDEFGH12345678ABBB
    EFGH12345678ABCDEFGH12345678ABCDEFGH12345678ABCDEF
    GH12345678ABCDEFGH12345678ABCDEFGH12345678...
    ------END CERTIFICATE------

    Note: If you want to use Docker Registries for running app instances in Docker containers, enter the certificate for your private Docker Registry in this field. See Using Docker Registries for more information on running app instances in PAS using Docker Registries.

  3. Choose Generate passwords or Use default BOSH password. Pivotal recommends that you use the Generate passwords option for greater security.

  4. Click Save. To view your saved Director password, click the Credentials tab.

Step 8: Syslog Page

  1. Select Syslog. Syslog bosh

  2. (Optional) Select Yes to send BOSH Director system logs to a remote server.

  3. In the Address field, enter the IP address or DNS name for the remote server.

  4. In the Port field, enter the port number that the remote server listens on.

  5. In the Transport Protocol dropdown menu, select TCP, UDP, or RELP. This selection determines which transport protocol is used to send the logs to the remote server.

  6. (Optional) Pivotal strongly recommends that you enable TLS encryption when forwarding logs as they may contain sensitive information. For example, these logs may contain cloud provider credentials. To enable TLS, perform the following steps.

    • In the Permitted Peer field, enter either the name or SHA1 fingerprint of the remote peer.
    • In the SSL Certificate field, enter the SSL certificate for the remote server.
  7. Click Save.

Step 9: Resource Config Page

  1. Select Resource Config. Om resource config

  2. Adjust any values as necessary for your deployment. Under the Instances, Persistent Disk Type, and VM Type fields, choose Automatic from the drop-down menu to allocate the recommended resources for the job. If the Persistent Disk Type field reads None, the job does not require persistent disk space.

    Note: Pivotal recommends provisioning a BOSH Director VM with at least 8 GB memory.

    Note: If you set a field to Automatic and the recommended resource allocation changes in a future version, Ops Manager automatically uses the new recommended allocation.

    Note: If you install PAS for Windows, provision your Master Compilation Job with at least 100 GB of disk space.

  3. (Optional) For Load Balancers, enter your Azure application gateway name for each associated job. To create an application gateway, follow the procedures in Configure an application gateway for SSL offload by using Azure Resource Manager from the Azure documentation. When you create the application gateway, associate the gateway’s IP with your PCF system domain.

  4. Click Save.

Step 10: (Optional) Add Custom VM Extensions

Use the Ops Manager API to add custom properties to your VMs such as associated security groups and load balancers. For more information, see Managing Custom VM Extensions.

Step 11: Complete the BOSH Director Installation

  1. Click the Installation Dashboard link to return to the Installation Dashboard.

  2. Click Review Pending Changes, then **Apply Changes. If the following ICMP error message appears, click Ignore errors and start the install.

    Install error

  3. BOSH Director installs. This may take a few moments. When the installation process successfully completes, the Changes Applied window appears.

    Ops manager complete

  4. After you complete this procedure, follow the instructions in the Deploying PAS on Azure Using Terraform topic.

Create a pull request or raise an issue on the source for this page in GitHub