Skip to content

create-environment.md

Latest commit

 

History

History
108 lines (85 loc) · 4.85 KB

create-environment.md

File metadata and controls

108 lines (85 loc) · 4.85 KB

Create an environment

This is the initial manual process to create a new environment like review, dev, production...

Hub

The environment requires a shared Azure front door profile created in the hub. The service name must be declared in the hub configuration. And run the Azure devops pipeline for the corresponding hub (non-live or live).

Image Gallery

  • create a new gallery in the Azure compute galleries with name nonlive_lungcs_compute_gallery
  • create a resource group with name rg_hub_nonlive_lungcs_compute_gallery

Code

  • Create the configuration files in infrastructure/environments/[environment]
  • Add the [environment]: target in scripts/terraform/terraform.mk
  • Add [environment] to the list of environments in deploy-stage step of cicd-2-main-branch.yaml. For the review environment, there is a single item in cicd-1-pull-request.yaml.
  • Set the fetch_secrets_from_app_key_vault terraform variable to false. This is to let terraform create the key vault and prevent reading before it is ready.

Entra ID

  • Create Entra ID groups in Digital screening Administrative Unit:
    • postgres_lungcs_[environment]_uks_admin
    • screening_lungcs_[environment]
  • Ask CCOE to assign role:
    • Form for PIM
    • Approver: Add someone from the infrastructure team
    • Role Name: Group.Read.All
    • Application Name: mi-lungcs-[environment]-adotoaz-uks
    • Application ID: [client.id] (would be of mi-lungcs-[environment]-ghtoado-uks)
    • Managed identity: mi-lungcs-[environment]-adotoaz-uks
    • Description: - Managed identity: mi-lungcs-[environment]-adotoaz-uks - Role: permanent on Directory

Bicep

Important

Required permissions: Owner role on both the hub and resource subscriptions

  • From AVD:
    • Login with Microsoft Graph scope: az login --scope https://graph.microsoft.com//.default -t HSCIC365.onmicrosoft.com
    • Run bicep: make [environment] resource-group-init

Infra secrets

Add the infrastructure secrets to the inf key vault kv-lungcs-[environment]-inf:

  • For entra ID authentication (when enable_entra_id_authentication is true): aad-client-audiences, aad-client-id, aad-client-secret
  • monitoring-email-address: email distribution list to receive alerts

Azure devops

  • Create ADO group
    • Name: Run pipeline - [environment]
    • Members: mi-lungcs-[environment]-ghtoado-uks. There may be more than 1 in the list. Check client id printed below the name.
    • Permissions:
      • View project-level information
  • Create new pipeline:
    • Name: Deploy to Azure - [environment]
    • Pipeline yaml: .azuredevops/pipelines/deploy.yml
  • Manage pipeline security:
    • Add group: Run pipeline - [environment]
    • Permissions:
      • Edit queue build configuration
      • Queue builds
      • View build pipeline
      • View builds
  • Create service connection (ADO)
    • Connection type: Azure Resource Manager
    • Identity type: Managed identity
    • Subscription for managed identity: Lung Cancer Risk Check - Non-live hub or Lung Cancer Risk Check - Live hub for prod.
    • Resource group for managed identity: rg-mi-[environment]-uks
    • Managed identity: mi-lungcs-[environment]-adotoaz-uks
    • Scope level: Subscription
    • Subscription: Digital Screening DToS - Core Services Dev
    • Resource group for Service connection: leave blank
    • Service Connection Name: lungcs-[environment]
    • Do NOT tick: Grant access permission to all pipelines
    • Security: allow Deploy to Azure - [environment] pipeline
  • Create ADO environment: [environment]
    • Set: exclusive lock (except for review)
    • Add pipeline permission for Deploy to Azure - [environment] pipeline

GitHub

  • Create GitHub environment [environment]
  • Add the protection rule (except in review):
    • Deselect Allow administrators to bypass configured protection rules
    • In Deployment branches and tags choose Selected branches and tags from the drop-down menu
    • Click Add deployment branch or tag rule and enter "main"
  • Add environment secrets, from mi-lungcs-[environment]-ghtoado-uks in GitHub
    • AZURE_CLIENT_ID
    • AZURE_SUBSCRIPTION_ID

First run

  • Test running terraform manually from the AVD (Optional)
  • Raise a pull request, review and merge to trigger the pipeline
  • Check ADO pipeline. You may be prompted to authorise:
    • Pipeline: service connection
    • Environment: service connection and agent pool

App secrets

  • Add the application secrets to the app key vault kv-lungcs-[environment]-app
  • Set fetch_secrets_from_app_key_vault terraform variable to true
  • Test running terraform manually from the AVD (Optional)
  • Raise a pull request, review and merge to trigger the pipeline