PPHA-417: Create infra as code for Hub resources

Author: mrlockstar

.azuredevops/pipelines/deploy.yml

@@ -0,0 +1,77 @@
+trigger: none
+pr: none
+
+parameters:
+  - name: commitSHA
+    displayName: Commit SHA
+    type: string
+  - name: environment
+    displayName: Environment
+    type: string
+  - name: prNumber
+    displayName: Pull request number
+    type: string
+    default: ''
+  - name: pool
+    displayName: ADO management pool
+    type: string
+
+stages:
+  - stage: ${{ parameters.environment }}
+    displayName: Deploy to ${{ parameters.environment }} environment
+    pool:
+      name: ${{ parameters.pool }}
+    lockBehavior: sequential
+    isSkippable: false
+
+    jobs:
+      - deployment: DeployApp
+        displayName: Deploy application
+        environment: ${{ parameters.environment }}
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+
+                - task: UsePythonVersion@0
+                  inputs:
+                    versionSpec: '3.x'
+                    architecture: 'x64'
+
+                - task: TerraformInstaller@1
+                  displayName: Install terraform
+                  inputs:
+                    terraformVersion: 1.7.0
+
+                - task: AzureCLI@2
+                  displayName: Run terraform
+                  inputs:
+                    azureSubscription: lung-${{ parameters.environment }}
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    addSpnToEnvironment: true
+                    inlineScript: |
+                      export ARM_TENANT_ID="$tenantId"
+                      export ARM_CLIENT_ID="$servicePrincipalId"
+                      export ARM_OIDC_TOKEN="$idToken"
+                      export ARM_USE_OIDC=true
+                      make ci ${{ parameters.environment }} terraform-apply DOCKER_IMAGE_TAG=git-sha-${{ parameters.commitSHA }} PR_NUMBER=${{ parameters.prNumber }}
+
+                # - task: AzureCLI@2
+                #   displayName: Run database setup
+                #   inputs:
+                #     azureSubscription: lungcs-${{ parameters.environment }}
+                #     scriptType: bash
+                #     scriptLocation: inlineScript
+                #     addSpnToEnvironment: true
+                #     inlineScript: make ci ${{ parameters.environment }} db-setup PR_NUMBER=${{ parameters.prNumber }}
+
+                # - task: AzureCLI@2
+                #   displayName: Run notifications smoke test
+                #   inputs:
+                #     azureSubscription: lungcs-${{ parameters.environment }}
+                #     scriptType: bash
+                #     scriptLocation: inlineScript
+                #     addSpnToEnvironment: true
+                #     inlineScript: make ci ${{ parameters.environment }} notifications-smoke-test PR_NUMBER=${{ parameters.prNumber }}

.azuredevops/pipelines/hub-infrastructure-dev.yaml

@@ -0,0 +1,57 @@
+---
+name: $(Build.SourceBranchName)-$(Date:yyyyMMdd)_$(Rev:r)
+trigger: none
+pr: none
+
+pool:
+  name: private-pool-hub-nonlive-uks
+  # vmImage: ubuntu-latest
+
+resources:
+  repositories:
+    - repository: dtos-devops-templates
+      type: github
+      name: NHSDigital/dtos-devops-templates
+      ref: PPHA-417-Create-infra-as-code-for-Hub-resources
+      endpoint: NHSDigital
+
+variables:
+  - group: NON_LIVE_hub_backend
+  - name: TF_DIRECTORY
+    value: $(System.DefaultWorkingDirectory)/lung_cancer_screening/infrastructure/terraform/hub
+  - name: TF_VERSION
+    value: 1.14.3
+  - name: TF_PLAN_ARTIFACT
+    value: tf_plan_hub_art_NONLIVE_dev
+  - name: ENVIRONMENT
+    value: nonlive-hub
+
+stages:
+  - stage: terraform_plan
+    displayName: Terraform Plan
+    condition: eq(variables['Build.Reason'], 'Manual')
+    variables:
+      tfVarsFile: ../../environments/$(ENVIRONMENT)/variables.tfvars
+    jobs:
+      - job: init_and_plan
+        displayName: Init, plan, store artifact
+        steps:
+          - checkout: self
+          - checkout: dtos-devops-templates
+          - template: .azuredevops/templates/steps/tf_plan.yaml@dtos-devops-templates
+
+  - stage: terraform_apply
+    displayName: Terraform Apply
+    dependsOn: [terraform_plan]
+    condition: and(eq(dependencies.terraform_plan.outputs['init_and_plan.TerraformPlan.changesPresent'], 'true'), eq(variables['Build.Reason'], 'Manual'))
+    jobs:
+      - deployment: terraform_apply
+        displayName: Init, get plan artifact, apply
+        environment: $(ENVIRONMENT)
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+                - checkout: dtos-devops-templates
+                - template: .azuredevops/templates/steps/tf_apply.yaml@dtos-devops-templates

.github/workflows/stage-1-commit.yaml

@@ -77,7 +77,7 @@ jobs:
           fetch-depth: 0 # Full history is needed to compare branches
       - name: "Check English usage"
         uses: ./.github/actions/check-english-usage
-  # Github actiuons dont have terrafomr installed at the moment
+  # GitHub actions dont have terraform installed at the moment
   # lint-terraform:
   #   name: "Lint Terraform"
   #   runs-on: ubuntu-latest

.gitleaksignore

@@ -34,3 +34,7 @@ infrastructure/terraform/hub/data.tf:generic-api-key:22
 infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:11
 infrastructure/terraform/resource_group_init/keyVault.bicep:generic-api-key:10
 infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:30
+infrastructure/terraform/hub/virtual_desktop.tf:generic-api-key:22
+infrastructure/terraform/hub/virtual_desktop.tf:generic-api-key:23
+infrastructure/terraform/hub/virtual_desktop.tf:generic-api-key:24
+infrastructure/terraform/hub/virtual_desktop.tf:generic-api-key:25

docs/infrastructure/bootstrap.md

@@ -0,0 +1,11 @@
+make hub-nonlive bootstrap
+
+
+# Find the AVD SP object id (run as someone with AAD read access)
+az ad sp show --id <principle id> --query id
+
+# Then assign the role (run as Owner)
+az role assignment create \
+  --assignee-object-id <AVD_SP_OBJECT_ID> \
+  --role "Desktop Virtualization Power On Contributor" \
+  --scope /subscriptions/<SUBSCRIPTION_ID>

docs/infrastructure/create-environment.md

@@ -0,0 +1,108 @@
+# Create an environment
+
+This is the initial manual process to create a new environment like review, dev, production...
+
+## Hub
+
+The environment requires a shared Azure front door profile created in the hub. The service name must be declared in [the hub configuration](https://github.com/NHSDigital/dtos-hub/tree/main/infrastructure/environments). And run the Azure devops pipeline for the corresponding hub (non-live or live).
+
+## Image Gallary
+
+- create a new gallerie in the Azure compute galleries with name nonlive_lungcs_compute_gallery
+- create a resource group with name rg_hub_nonlive_lungcs_compute_gallery
+
+## Code
+
+- Create the configuration files in `infrastructure/environments/[environment]`
+- Add the `[environment]:` target in `scripts/terraform/terraform.mk`
+- Add [environment] to the list of environments in `deploy-stage` step of `cicd-2-main-branch.yaml`. For the review environment, there is a single item in `cicd-1-pull-request.yaml`.
+- Set the `fetch_secrets_from_app_key_vault` terraform variable to `false`. This is to let terraform create the key vault and prevent reading before it is ready.
+
+## Entra ID
+
+- Create Entra ID groups in `Digital screening` Administrative Unit:
+  - `postgres_lungcs_[environment]_uks_admin`
+  - `screening_lungcs_[environment]`
+- Ask CCOE to assign role:
+  - [Form for PIM](https://nhsdigitallive.service-now.com/nhs_digital?id=sc_cat_item&sys_id=28f3ab4f1bf3ca1078ac4337b04bcb78&sysparm_category=114fced51bdae1502eee65b9bd4bcbdc)
+  - Approver: Add someone from the infrastructure team
+  - Role Name: `Group.Read.All`
+  - Application Name: `mi-lungcs-[environment]-adotoaz-uks`
+  - Application ID: [client.id] (would be of `mi-lungcs-[environment]-ghtoado-uks`)
+  - Managed identity: `mi-lungcs-[environment]-adotoaz-uks`
+  - Description: - Managed identity: `mi-lungcs-[environment]-adotoaz-uks` - Role: permanent on Directory
+
+## Bicep
+
+> [!IMPORTANT]
+> **Required permissions**: Owner role on both the hub and resource subscriptions
+
+- From AVD:
+  - Login with Microsoft Graph scope: `az login --scope https://graph.microsoft.com//.default -t HSCIC365.onmicrosoft.com`
+  - Run bicep: `make [environment] resource-group-init`
+
+## Infra secrets
+
+Add the infrastructure secrets to the _inf_ key vault `kv-lungcs-[environment]-inf`:
+
+- For entra ID authentication (when `enable_entra_id_authentication` is true): aad-client-audiences, aad-client-id, aad-client-secret
+- `monitoring-email-address`: email distribution list to receive alerts
+
+## Azure devops
+
+- Create ADO group
+  - Name: `Run pipeline - [environment]`
+  - Members: `mi-lungcs-[environment]-ghtoado-uks`. There may be more than 1 in the list. Check client id printed below the name.
+  - Permissions:
+    - View project-level information
+- Create new pipeline:
+  - Name: `Deploy to Azure - [environment]`
+  - Pipeline yaml: `.azuredevops/pipelines/deploy.yml`
+- Manage pipeline security:
+  - Add group: `Run pipeline - [environment]`
+  - Permissions:
+    - Edit queue build configuration
+    - Queue builds
+    - View build pipeline
+    - View builds
+- Create service connection (ADO)
+  - Connection type: `Azure Resource Manager`
+  - Identity type: `Managed identity`
+  - Subscription for managed identity: `Lung Cancer Risk Check - Non-live hub` or `Lung Cancer Risk Check - Live hub` for prod.
+  - Resource group for managed identity: `rg-mi-[environment]-uks`
+  - Managed identity: `mi-lungcs-[environment]-adotoaz-uks`
+  - Scope level: `Subscription`
+  - Subscription: `Digital Screening DToS - Core Services Dev`
+  - Resource group for Service connection: leave blank
+  - Service Connection Name: `lungcs-[environment]`
+  - Do NOT tick: Grant access permission to all pipelines
+  - Security: allow `Deploy to Azure - [environment]` pipeline
+- Create ADO environment: [environment]
+  - Set: exclusive lock (except for review)
+  - Add pipeline permission for `Deploy to Azure - [environment]` pipeline
+
+## Github
+
+- Create Github environment [environment]
+- Add the protection rule (except in review):
+  - Deselect `Allow administrators to bypass configured protection rules`
+  - In `Deployment branches and tags` choose `Selected branches and tags` from the drop-down menu
+  - Click `Add deployment branch or tag rule` and enter "main"
+- Add environment secrets, from `mi-lungcs-[environment]-ghtoado-uks` in github
+  - _AZURE_CLIENT_ID_
+  - _AZURE_SUBSCRIPTION_ID_
+
+## First run
+
+- Test running terraform manually from the AVD (Optional)
+- Raise a pull request, review and merge to trigger the pipeline
+- Check ADO pipeline. You may be prompted to authorise:
+  - Pipeline: service connection
+  - Environment: service connection and agent pool
+
+## App secrets
+
+- Add the application secrets to the _app_ key vault `kv-lungcs-[environment]-app`
+- Set `fetch_secrets_from_app_key_vault` terraform variable to `true`
+- Test running terraform manually from the AVD (Optional)
+- Raise a pull request, review and merge to trigger the pipeline