|
| 1 | +# Create an environment |
| 2 | + |
| 3 | +This is the initial manual process to create a new environment like review, dev, production... |
| 4 | + |
| 5 | +## Hub |
| 6 | + |
| 7 | +The environment requires a shared Azure front door profile created in the hub. The service name must be declared in [the hub configuration](https://github.com/NHSDigital/dtos-hub/tree/main/infrastructure/environments). And run the Azure devops pipeline for the corresponding hub (non-live or live). |
| 8 | + |
| 9 | +## Code |
| 10 | + |
| 11 | +- Create the configuration files in `infrastructure/environments/[environment]` |
| 12 | +- Add the `[environment]:` target in `scripts/terraform/terraform.mk` |
| 13 | +- Add [environment] to the list of environments in `deploy-stage` step of `cicd-2-main-branch.yaml`. For the review environment, there is a single item in `cicd-1-pull-request.yaml`. |
| 14 | +- Set the `fetch_secrets_from_app_key_vault` terraform variable to `false`. This is to let terraform create the key vault and prevent reading before it is ready. |
| 15 | + |
| 16 | +## Entra ID |
| 17 | + |
| 18 | +- Create Entra ID groups in `Digital screening` Administrative Unit: |
| 19 | + - `postgres_lungcs_[environment]_uks_admin` |
| 20 | + - `screening_lungcs_[environment]` |
| 21 | +- Ask CCOE to assign role: |
| 22 | + - [Form for PIM](https://nhsdigitallive.service-now.com/nhs_digital?id=sc_cat_item&sys_id=28f3ab4f1bf3ca1078ac4337b04bcb78&sysparm_category=114fced51bdae1502eee65b9bd4bcbdc) |
| 23 | + - Approver: Add someone from the infrastructure team |
| 24 | + - Role Name: `Group.Read.All` |
| 25 | + - Application Name: `mi-lungcs-[environment]-adotoaz-uks` |
| 26 | + - Application ID: [client.id] (would be of `mi-lungcs-[environment]-ghtoado-uks`) |
| 27 | + - Managed identity: `mi-lungcs-[environment]-adotoaz-uks` |
| 28 | + - Description: - Managed identity: `mi-lungcs-[environment]-adotoaz-uks` - Role: permanent on Directory |
| 29 | + |
| 30 | +## Bicep |
| 31 | + |
| 32 | +> [!IMPORTANT] |
| 33 | +> **Required permissions**: Owner role on both the hub and resource subscriptions |
| 34 | +
|
| 35 | +- From AVD: |
| 36 | + - Login with Microsoft Graph scope: `az login --scope https://graph.microsoft.com//.default -t HSCIC365.onmicrosoft.com` |
| 37 | + - Run bicep: `make [environment] resource-group-init` |
| 38 | + |
| 39 | +## Infra secrets |
| 40 | + |
| 41 | +Add the infrastructure secrets to the _inf_ key vault `kv-lungcs-[environment]-inf`: |
| 42 | + |
| 43 | +- For entra ID authentication (when `enable_entra_id_authentication` is true): aad-client-audiences, aad-client-id, aad-client-secret |
| 44 | +- `monitoring-email-address`: email distribution list to receive alerts |
| 45 | + |
| 46 | +## Azure devops |
| 47 | + |
| 48 | +- Create ADO group |
| 49 | + - Name: `Run pipeline - [environment]` |
| 50 | + - Members: `mi-lungcs-[environment]-ghtoado-uks`. There may be more than 1 in the list. Check client id printed below the name. |
| 51 | + - Permissions: |
| 52 | + - View project-level information |
| 53 | +- Create new pipeline: |
| 54 | + - Name: `Deploy to Azure - [environment]` |
| 55 | + - Pipeline yaml: `.azuredevops/pipelines/deploy.yml` |
| 56 | +- Manage pipeline security: |
| 57 | + - Add group: `Run pipeline - [environment]` |
| 58 | + - Permissions: |
| 59 | + - Edit queue build configuration |
| 60 | + - Queue builds |
| 61 | + - View build pipeline |
| 62 | + - View builds |
| 63 | +- Create service connection (ADO) |
| 64 | + - Connection type: `Azure Resource Manager` |
| 65 | + - Identity type: `Managed identity` |
| 66 | + - Subscription for managed identity: `Digital Screening DToS - Devops` or `Digital Screening DToS - Core Services Prod Hub` for prod. |
| 67 | + - Resource group for managed identity: `rg-mi-[environment]-uks` |
| 68 | + - Managed identity: `mi-lungcs-[environment]-adotoaz-uks` |
| 69 | + - Scope level: `Subscription` |
| 70 | + - Subscription: `Digital Screening DToS - Core Services Dev` |
| 71 | + - Resource group for Service connection: leave blank |
| 72 | + - Service Connection Name: `lungcs-[environment]` |
| 73 | + - Do NOT tick: Grant access permission to all pipelines |
| 74 | + - Security: allow `Deploy to Azure - [environment]` pipeline |
| 75 | +- Create ADO environment: [environment] |
| 76 | + - Set: exclusive lock (except for review) |
| 77 | + - Add pipeline permission for `Deploy to Azure - [environment]` pipeline |
| 78 | + |
| 79 | +## Github |
| 80 | + |
| 81 | +- Create Github environment [environment] |
| 82 | +- Add the protection rule (except in review): |
| 83 | + - Deselect `Allow administrators to bypass configured protection rules` |
| 84 | + - In `Deployment branches and tags` choose `Selected branches and tags` from the drop-down menu |
| 85 | + - Click `Add deployment branch or tag rule` and enter "main" |
| 86 | +- Add environment secrets, from `mi-lungcs-[environment]-ghtoado-uks` in github |
| 87 | + - _AZURE_CLIENT_ID_ |
| 88 | + - _AZURE_SUBSCRIPTION_ID_ |
| 89 | + |
| 90 | +## First run |
| 91 | + |
| 92 | +- Test running terraform manually from the AVD (Optional) |
| 93 | +- Raise a pull request, review and merge to trigger the pipeline |
| 94 | +- Check ADO pipeline. You may be prompted to authorise: |
| 95 | + - Pipeline: service connection |
| 96 | + - Environment: service connection and agent pool |
| 97 | + |
| 98 | +## App secrets |
| 99 | + |
| 100 | +- Add the application secrets to the _app_ key vault `kv-lungcs-[environment]-app` |
| 101 | +- Set `fetch_secrets_from_app_key_vault` terraform variable to `true` |
| 102 | +- Test running terraform manually from the AVD (Optional) |
| 103 | +- Raise a pull request, review and merge to trigger the pipeline |
0 commit comments