This is the initial manual process to create a new environment such as review, dev or production.
The environment requires a shared Azure Front Door profile created in the hub. The service name must be declared in the hub configuration, and the Azure DevOps pipeline for the corresponding hub (non-live or live) must be run.
- Create a new gallery in Azure Compute Gallery with the name `nonlive_lungcs_compute_gallery`
- Create a resource group with the name `rg_hub_nonlive_lungcs_compute_gallery`
- Create the configuration files in `infrastructure/environments/[environment]`
- Add the `[environment]:` target in `scripts/terraform/terraform.mk`
- Add `[environment]` to the list of environments in the `deploy-stage` step of `cicd-2-main-branch.yaml`. For the review environment, there is a single item in `cicd-1-pull-request.yaml`.
- Set the `fetch_secrets_from_app_key_vault` terraform variable to `false`. This lets terraform create the key vault and prevents it from reading the vault before it is ready.
- Create Entra ID groups in the `Digital screening` Administrative Unit:
  - `postgres_lungcs_[environment]_uks_admin`
  - `screening_lungcs_[environment]`
- Ask CCOE to assign the role:
  - Form for PIM:
    - Approver: add someone from the infrastructure team
    - Role Name: `Group.Read.All`
    - Application Name: `mi-lungcs-[environment]-adotoaz-uks`
    - Application ID: `[client.id]` (would be of `mi-lungcs-[environment]-ghtoado-uks`)
    - Managed identity: `mi-lungcs-[environment]-adotoaz-uks`
    - Description:
      - Managed identity: `mi-lungcs-[environment]-adotoaz-uks`
      - Role: permanent on Directory
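A pre-flight check for the repository wiring steps above (environment directory, Makefile target, deploy-stage list and the `fetch_secrets_from_app_key_vault` flag), added here as an example and not part of the project. It assumes the variable lives in a file under the environment directory, that the deploy-stage list holds the environment as a plain YAML list item, and that `cicd-2-main-branch.yaml` sits next to `deploy.yml` in `.azuredevops/pipelines`; the fixture repository it builds is constructed for the demo.

```shell
#!/usr/bin/env bash
# Pre-flight check for the repository wiring steps: environment directory,
# Makefile target, deploy-stage environment list, and
# fetch_secrets_from_app_key_vault set to false for the first deploy.
# Added example, not project code. Assumptions: the variable lives in a file
# under the environment directory, the deploy-stage list holds the environment
# as a plain YAML list item ("- dev"), and cicd-2-main-branch.yaml sits next
# to deploy.yml in .azuredevops/pipelines.
check_env_wiring() {
  local name="$1" root="$2" rc=0
  local envdir="$root/infrastructure/environments/$name"
  local mk="$root/scripts/terraform/terraform.mk"
  local cicd="$root/.azuredevops/pipelines/cicd-2-main-branch.yaml"
  [ -d "$envdir" ] || { echo "FAIL: missing $envdir"; rc=1; }
  grep -qE "^$name:" "$mk" 2>/dev/null \
    || { echo "FAIL: no '$name:' target in $mk"; rc=1; }
  grep -qE "^[[:space:]]*-[[:space:]]*$name[[:space:]]*$" "$cicd" 2>/dev/null \
    || { echo "FAIL: '$name' not listed in $cicd"; rc=1; }
  grep -rqE "^[[:space:]]*fetch_secrets_from_app_key_vault[[:space:]]*=[[:space:]]*false" \
    "$envdir" 2>/dev/null \
    || { echo "FAIL: fetch_secrets_from_app_key_vault must be false for a first deploy of $name"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $name is wired up"
  return "$rc"
}

# Constructed fixture: a throwaway repo where 'dev' is wired correctly and
# 'review' lacks its Makefile target and still reads from the app key vault.
make_fixture() {
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/infrastructure/environments/dev" \
           "$root/infrastructure/environments/review" \
           "$root/scripts/terraform" "$root/.azuredevops/pipelines"
  printf 'dev:\n\t$(MAKE) apply ENV=dev\n' > "$root/scripts/terraform/terraform.mk"
  printf 'environments:\n  - dev\n  - review\n' \
    > "$root/.azuredevops/pipelines/cicd-2-main-branch.yaml"
  printf 'fetch_secrets_from_app_key_vault = false\n' \
    > "$root/infrastructure/environments/dev/terraform.tfvars"
  printf 'fetch_secrets_from_app_key_vault = true\n' \
    > "$root/infrastructure/environments/review/terraform.tfvars"
  echo "$root"
}

root="$(make_fixture)"
check_env_wiring dev "$root"            # OK
check_env_wiring review "$root" || true # two FAIL lines
rm -rf "$root"
```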
The Azure Virtual Desktop service principal object ID must be stored in the Azure DevOps variable group:
- Variable Group: `<environment>_hub_backend`
- Variable Name: `TF_VAR_AVD_OBJECT_ID`

Run the following Azure CLI command to find it:

```shell
az ad sp list --all \
  --query "[?contains(displayName,'Azure Virtual Desktop')].{Name:displayName,Id:id}" \
  -o table
```

**Important:** required permissions are the Owner role on both the hub and resource subscriptions.
- From the AVD:
  - Login with the Microsoft Graph scope:

    ```shell
    az login --scope https://graph.microsoft.com//.default -t HSCIC365.onmicrosoft.com
    ```

  - Run bicep:

    ```shell
    make [environment] resource-group-init
    ```
Add the infrastructure secrets to the inf key vault `kv-lungcs-[environment]-inf`:
- For Entra ID authentication (when `enable_entra_id_authentication` is true): `aad-client-audiences`, `aad-client-id`, `aad-client-secret`
- `monitoring-email-address`: email distribution list to receive alerts
- Create ADO group
  - In Project settings -> Permissions -> New Group
  - Name: `Run pipeline - [environment]`
  - Members: `mi-lungcs-[environment]-ghtoado-uks`. There may be more than one entry with this name in the list; check the client ID printed below the name.
  - Permissions:
    - View project-level information
- Create new pipeline:
  - Name: `Deploy to Azure - [environment]`
  - Pipeline yaml: `.azuredevops/pipelines/deploy.yml`
  - Manage pipeline security:
    - Add group: `Run pipeline - [environment]`
    - Permissions:
      - Edit queue build configuration
      - Queue builds
      - View build pipeline
      - View builds
- Create service connection (ADO)
  - Connection type: `Azure Resource Manager`
  - Identity type: `Managed identity`
  - Subscription for managed identity: `Lung Cancer Risk Check - Non-live hub`, or `Lung Cancer Risk Check - Live hub` for prod
  - Resource group for managed identity: `rg-mi-[environment]-uks`
  - Managed identity: `mi-lungcs-[environment]-adotoaz-uks`
  - Scope level: `Subscription`
  - Subscription: `Digital Screening DToS - Core Services Dev`
  - Resource group for service connection: leave blank
  - Service Connection Name: `sc-lungcs-[environment]-spoke`
  - Do NOT tick: Grant access permission to all pipelines
  - Security: allow the `Deploy to Azure - [environment]` pipeline
- Create ADO environment: `[environment]`
  - Set: exclusive lock (except for review)
  - Add pipeline permission for the `Deploy to Azure - [environment]` pipeline
- Create GitHub environment `[environment]`
  - Add the protection rule (except in review):
    - Deselect `Allow administrators to bypass configured protection rules`
    - In `Deployment branches and tags` choose `Selected branches and tags` from the drop-down menu
    - Click `Add deployment branch or tag rule` and enter "main"
  - Add environment secrets, taken from `mi-lungcs-[environment]-ghtoado-uks`, in GitHub:
    - `AZURE_CLIENT_ID`
    - `AZURE_SUBSCRIPTION_ID`
- Test running terraform manually from the AVD (optional)
- Raise a pull request, review and merge to trigger the pipeline
- Check the ADO pipeline. You may be prompted to authorise:
  - Pipeline: service connection
  - Environment: service connection and agent pool
- Assign yourself "Key Vault Secrets User" on the application key vault to run the terraform code from the CLI inside the AVD when first trying to deploy the application.
- Assign yourself "Storage Blob Contributor" on the state file storage account `salungcs[environment]tfstate` to run the terraform code from the CLI inside the AVD when first trying to deploy the application.
- Add the application secrets to the app key vault `kv-lungcs-[environment]-app`
- Set the `fetch_secrets_from_app_key_vault` terraform variable to `true`
- Test running terraform manually from the AVD (optional)
- Raise a pull request, review and merge to trigger the pipeline
- Assign yourself "Key Vault Secrets User" on the application key vault to run the terraform code from the CLI inside the AVD when first trying to deploy the application.
- Assign yourself "Data Blob Reader" on the state file storage account to run the terraform code from the CLI inside the AVD when first trying to deploy the application.
- Add your user as a member of the respective Entra ID group: `postgres_lungcs_[environment]_uks_admin`
- Log into the correct AVD for your environment type (either nonlive or live)
- Run the following commands on the CLI to log into the database:

  ```shell
  export PGPASSWORD="$(az account get-access-token --resource https://ossrdbms-aad.database.windows.net --query accessToken --output tsv)"
  psql "host=postgres-lungcs-[environment]-uks.postgres.database.azure.com \
    port=5432 \
    dbname=[database] \
    user=postgres_lungcs_[environment]_uks_admin \
    sslmode=require"
  ```