[Team Kraken] Deployment Procedure Runbook

Deploy Azure Resources using DevOps pipeline

DevOps pipeline prerequisites
  • A “Service Connection” is required for each resource group and environment. This must be requested from the TC Cloud Team.

  • The Document Service URL is required from Team Ninja Turtles.

  • The Azure AD Object ID of each team that needs access to the key vaults is required (used for the key vault access policies).

Deployment DevOps Pipelines | Descriptions
  • Azure Resources Deployment 1 (Initial): deploys the key vault, the app service plans for Safsecsur and Eregistry, and the container registry for Safsecsur.

  • Azure Resources Deployment 2 (Safsecsur): deploys the app services (for work management, LOV and the service bus processing service), Redis cache, Application Insights (for work management, LOV and the service bus processing service), PostgreSQL, Cosmos DB, Service Bus and storage account resources for Safsecsur.

  • Azure Resources Deployment 3 (Eregistry): deploys the app services and Application Insights (for the Vessel Registry internal and external websites) resources for Eregistry.

  1. Review the bicep deployment files (azuredeploy.*) under the project repository folder AzureDeployment.

    1. Review the SKU values for each resource and update as necessary. The SKU values are inside the bicep templates in the repository: Infrastructure/AzureDeployment/azuredeploy.*.bicep

    2. In the same bicep files, optionally set the deployment flag to false if the associated resource does not need to be deployed. It is set to true by default.

  2. Configure the variables for each Azure resource deployment DevOps pipeline.

    1. Edit the DevOps pipelines under Pipelines → All → Azure Deployment folder.

    2. Configure the variables listed for each deployment pipeline in Appendix Section 1. For secured variables, re-create the value and tick the “Keep this value secret” checkbox after adding the value.

  3. Run the first deployment pipeline, Azure Resources Deployment 1 (Initial). This creates the container registry, key vault and app service plan resources.

  4. Create a folder named after the environment in DevOps pipelines and clone/create the DevOps CI/CD pipelines in the TK and TNT DevOps projects.

  5. Configure the newly cloned/created DevOps CI/CD pipelines for the specified resource groups, container image name and container image tag, then build the pipelines. Refer to Appendix Section 2 for the container registry name, image name and image tag.

  6. Update the deployment pipeline variables and run the remaining two pipelines: Azure Resources Deployment 2 (Safsecsur) and Azure Resources Deployment 3 (Eregistry). Verify the resources have been deployed successfully in Azure Portal → Resource Group → Deployments.

  7. Add the key vault secrets used by the applications from the created resources. Refer to Appendix Section 3 for the required application secrets (optional: configure Access Policies in the key vault).

  8. Create a variable group in DevOps → Pipelines → Library. Toggle the “Link Secrets” option, select the appropriate Azure subscription → key vault name, add all the necessary keys and save the variable group.

  9. Repeat the above step in the TNT project.

  10. Add the workmanagementservice app service outbound IP addresses to the PostgreSQL server connection security (optional: do the same for the documentmanagement service).

  11. Run the Vesselregistry and document service database scripts.

  12. On all app services, turn continuous integration off and on again, then save. This is required to create the webhook in the container registry.

  13. Disable public access to blobs on the storage account.

  14. Add/create “Diagnostic settings” on all app services in the Azure portal.

  15. Turn on Identity in the document API app service and add its object ID to the Safsecsur key vault access policy.

  16. Link and save the new variable group in all the DevOps CI/CD pipelines.

  17. Make sure the correct branch (Develop/Master) is used on all the DevOps CI/CD pipelines.

  18. Migrate the LOV Azure Cosmos DB data using the Microsoft tool or the console app.

  19. Create the Application Registrations for the Vessel Registry internal and external websites. Refer to the Application Registration section below.

  20. Run the DevOps CI/CD pipelines of TK and TNT again and verify that the applications run as expected.

  21. Configure the App Configuration resource [applicable only to the NCD / PCP environments] after completing Azure Resources Deployment 1 (Initial) and Azure Resources Deployment 2 (Safsecsur).

    1. In the [nprd/prod]-vrappconfig App Configuration / Settings / Identity / System assigned → copy the Object (principal) ID.

    2. In the [environment]eregistrykv key vault / Settings / Keys → click the Generate/Import button and use the following configuration:

      1. Options: Generate

      2. Name: [nprd / prod]-vr-appconfiguration-key

      3. Key type: RSA

      4. RSA key size: 4096

      5. Enabled: Yes

    3. Under [environment]eregistrykv / Settings / Access policies → click Add Access Policy and apply the following settings:

      1. Key permissions → Get, Unwrap Key, Wrap Key (no other key permissions are needed)

      2. Select principal → search for the Object (principal) ID you copied in step 1

    4. In the [nprd/prod]-vrappconfig App Configuration / Settings / Encryption → check “Customer Managed Key” and apply the following settings:

      1. Identity: System assigned

      2. Encryption Key: Select from Key Vault

      3. Key Vault:

        1. Subscription: NPRD / PROD

        2. Key vault: [environment]eregistrykv

        3. Key: [nprd / prod]-vr-appconfiguration-key

      4. Ensure you save the encryption settings.
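The following is an added example, not the runbook's or the team's own code, showing how steps 10, 13, 15 and 21 can be applied with Az PowerShell instead of by hand in the portal, so that each environment ends up with the same firewall rules, blob setting, identity policy and customer-managed key. It assumes the Az.Accounts, Az.Websites, Az.PostgreSql, Az.Storage, Az.KeyVault and Az.AppConfiguration modules are installed and Connect-AzAccount has been run against the target subscription; every resource name in the param block is a constructed placeholder following the runbook's naming pattern, and the Safsecsur vault name `{environment}safsecsurkv` is an assumption modelled on `[environment]eregistrykv`.

```powershell
# Added example (not the runbook's or the team's own code): Az PowerShell equivalent of
# runbook steps 10, 13, 15 and 21. Assumes Az.Accounts, Az.Websites, Az.PostgreSql,
# Az.Storage, Az.KeyVault and Az.AppConfiguration are installed and Connect-AzAccount has
# already been run. All resource names below are constructed placeholders.
param(
    [ValidateSet('nca', 'ncd', 'nct', 'pcp')][string]$EnvironmentName = 'ncd',
    [string]$SafsecsurResourceGroup = 'ncd-safsecsur-rg',            # placeholder
    [string]$PsqlServerName         = 'ncdsafsecsurpsql',             # placeholder (single server)
    [string]$StorageAccountName     = 'ncdsafsecsurst',               # placeholder
    [string]$WorkMgmtAppName        = 'ncd-work-management-service',  # placeholder
    [string]$DocumentApiAppName     = 'ncd-document-api',             # placeholder
    [string]$AppConfigResourceGroup = 'nprd-eregistry-rg',            # placeholder
    [string]$AppConfigName          = 'nprd-vrappconfig'              # [nprd/prod]-vrappconfig from step 21
)
$ErrorActionPreference = 'Stop'
$safsecsurVault = "${EnvironmentName}safsecsurkv"   # assumed name, mirrors the {environment}eregistrykv pattern
$eregistryVault = "${EnvironmentName}eregistrykv"   # from step 21
$cmkKeyName     = "$($AppConfigName.Split('-')[0])-vr-appconfiguration-key"   # [nprd/prod]-vr-appconfiguration-key

# Step 10: allow only the work management app service's outbound IPs through the PostgreSQL firewall.
# PossibleOutboundIpAddresses is the full set the app can ever use (scale events change the current set),
# so allow-listing it avoids silent connection failures later while still excluding everything else.
$webApp = Get-AzWebApp -ResourceGroupName $SafsecsurResourceGroup -Name $WorkMgmtAppName
$n = 0
foreach ($ip in ($webApp.PossibleOutboundIpAddresses -split ',')) {
    New-AzPostgreSqlFirewallRule -ResourceGroupName $SafsecsurResourceGroup -ServerName $PsqlServerName `
        -Name "$WorkMgmtAppName-out-$n" -StartIPAddress $ip -EndIPAddress $ip | Out-Null
    $n++
}

# Step 13: block anonymous blob access at the account level, then read the setting back to confirm.
Set-AzStorageAccount -ResourceGroupName $SafsecsurResourceGroup -Name $StorageAccountName `
    -AllowBlobPublicAccess $false | Out-Null
$sa = Get-AzStorageAccount -ResourceGroupName $SafsecsurResourceGroup -Name $StorageAccountName
if ($sa.AllowBlobPublicAccess -ne $false) { throw "Blob public access is still enabled on $StorageAccountName" }

# Step 15: system-assigned identity on the document API, granted secrets get/list only in the Safsecsur vault.
$docApi = Set-AzWebApp -ResourceGroupName $SafsecsurResourceGroup -Name $DocumentApiAppName -AssignIdentity $true
Set-AzKeyVaultAccessPolicy -VaultName $safsecsurVault -ObjectId $docApi.Identity.PrincipalId `
    -PermissionsToSecrets get, list

# Step 21 (NCD / PCP only): customer-managed key for the App Configuration store.
# 21.1: make sure the store has a system-assigned identity and capture its principal ID
#       (IdentityPrincipalId is the property name exposed by Az.AppConfiguration; verify on your module version).
$store = Get-AzAppConfigurationStore -ResourceGroupName $AppConfigResourceGroup -Name $AppConfigName
if (-not $store.IdentityPrincipalId) {
    $store = Update-AzAppConfigurationStore -ResourceGroupName $AppConfigResourceGroup -Name $AppConfigName `
        -IdentityType SystemAssigned
}
# 21.2: RSA 4096 key in the eregistry vault; only create it when it does not exist yet, so re-runs do not add versions.
if (-not (Get-AzKeyVaultKey -VaultName $eregistryVault -Name $cmkKeyName)) {
    Add-AzKeyVaultKey -VaultName $eregistryVault -Name $cmkKeyName -Destination Software `
        -KeyType RSA -Size 4096 | Out-Null
}
# 21.3: Get / Wrap / Unwrap for the store's identity and nothing more (no sign, decrypt or management rights).
Set-AzKeyVaultAccessPolicy -VaultName $eregistryVault -ObjectId $store.IdentityPrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey
# 21.4: point the store at the key. The versionless key URI lets a rotated key version be picked up
#       without reconfiguring encryption.
$keyUri = "https://$eregistryVault.vault.azure.net/keys/$cmkKeyName"
Update-AzAppConfigurationStore -ResourceGroupName $AppConfigResourceGroup -Name $AppConfigName `
    -EncryptionKeyVaultPropertyKeyIdentifier $keyUri | Out-Null
$store = Get-AzAppConfigurationStore -ResourceGroupName $AppConfigResourceGroup -Name $AppConfigName
Write-Host "App Configuration CMK: $($store.EncryptionKeyVaultPropertyKeyIdentifier)"
```

The script is re-runnable: firewall rules are keyed by app name and index, the key is only generated once, and access policies are set (not appended), so running it again after a redeploy leaves the environment in the same state. If the environment uses Azure Database for PostgreSQL Flexible Server rather than the single server the runbook refers to, the firewall cmdlet is New-AzPostgreSqlFlexibleServerFirewallRule instead.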

Application Registration

Script execution prerequisite
  • Install the Azure AD Module

  • Make sure you have Application Developer Role

  • Make sure you have Local Machine administrative rights

  • Make sure KeyVault exists and permission to write to it

  • Make sure you have the ability to configure Enterprise Applications in Azure AD

  • Make sure you have the ability to grant admin consent in App Registrations

Running the script

The script directory you were given contains main.ps1 and the default app-registration-configuration.json. The script accepts the following options:

  • [Optional] Specify the configuration file path; otherwise the script defaults to the app-registration-configuration.json in the same directory as the main.ps1 script file.

    • If the configuration file is not in the same directory, the absolute path must be provided and the isAbsolutePath switch parameter must be passed to the script.

  • [Optional] You can specify the Tenant/Directory Id; otherwise the script uses the directory your user account is currently logged in under.

Run PowerShell in administrator mode, navigate to the script folder, and execute one of the following commands:

If not providing the Tenant Id to the script:

  .\main.ps1 -environment ['nca', 'ncd', 'nct', 'pcp']

If providing the Tenant Id to the script:

  .\main.ps1 -environment ['nca', 'ncd', 'nct', 'pcp'] -tenantId [Guid]

Post Script Execution
  • In the newly created Vessel Registry App Registration → Manage → API permissions → click Grant admin consent.

Appendix

Section1: Variables for Azure resource deployment

Environment Name | Descriptions | Location
ncd | Non-Production DEV | Canada Central
nct | Non-Production TEST | Canada Central
nca | Non-Production ACC | Canada Central
pcp | Production | Canada Central

Columns: Variable Name | IsSecured | Associated Resource (a “-” means not secured / no associated resource listed)

Deployment 1 (Initial)
  EnvironmentName | - | -
  TargetEnvironment | - | -
  ContainerRegistrySKU | - | -
  TeamKrakenAzureAdObjectId | Yes | KeyVault
  TeamNinjaTurtlesAzureAdObjectId | Yes | KeyVault
  AzureAdTenantId | Yes | KeyVault
  EregistryResourceGroupName | - | Azure Portal
  EregistryServiceConnectionName | - | Name of the service connection for the resource group and environment (DevOps → Project Settings → Service connections)
  SafsecsurResourceGroupName | - | Azure Portal
  SafsecsurServiceConnectionName | - | Name of the service connection for the resource group and environment (DevOps → Project Settings → Service connections)

Deployment 2 (Safsecsur)
  EnvironmentName | - | -
  TargetEnvironment | - | -
  ServiceConnection | - | Name of the service connection for the resource group and environment (DevOps → Project Settings → Service connections)
  ResourceGroupName | - | Azure Portal
  ContainerRegistryPassword | Yes | -
  PsqlAdminName | Yes | PostgreSQL Database
  PsqlAdminPassword | Yes | PostgreSQL Database
  PsqlFirewallIpAddress | - | PostgreSQL Database

Deployment 3 (Eregistry)
  EnvironmentName | - | -
  TargetEnvironment | - | -
  ServiceConnection | - | Name of the service connection for the resource group and environment (DevOps → Project Settings → Service connections)
  ResourceGroupName | - | Azure Portal
  ContainerRegistryPassword | Yes | -

Section 2: Container Registry related names for app services ({environmentName} is one of ncd | nct | nca | pcp)

  • Container Registry Name: '{environmentName}safsecsurcr', e.g. 'ncdsafsecsurcr'

  • Container Registry Image Name: '{environmentName}safsecsur-{servicename}'

  • Container Registry Image Tag: 'safsecsur-{servicename}'

EnvironmentName:

Environment Name | Descriptions | Location
ncd | Non-Production DEV | Canada Central
nct | Non-Production TEST | Canada Central
nca | Non-Production ACC | Canada Central
pcp | Production | Canada Central

TargetEnvironment:

Target Environment | Descriptions | Location
Development | Non-Production DEV | Canada Central
Testing | Non-Production TEST | Canada Central
Acceptance | Non-Production ACC | Canada Central
Production | Production | Canada Central

 

ApplicationGroup:

Application Group | Descriptions | Shared Applications
safsecsur | Marine safety and security | Yes
eregistry | Vessel Registry | No

ApplicationName:

  • work-management-service: Work Management Service

  • lov-service: List Of Value Service

  • vessel-registry-internal: VR Internal Website

  • vessel-registry-external: VR External Website

  • queue-message-processing-service: Queue Message Processing Service

  • client-detail-service: Microservice which manages the vessel owner information. This will be replaced once the Stakeholder Management Service is ready for consumption.

  • vessel-detail-service: Microservice which manages (creates/updates/soft deletes) the details about a vessel.

  • vessel-history-service: Microservice which manages the history surrounding a vessel. It stores amendments and a snapshot of a vessel at a particular point in time.

  • vessel-registry-service: Microservice which manages the registration of a vessel and holds information about the Certificate Expiry Date and vessel ownership (contains a cross-reference table linking owners to vessels).

  • vessel-registry-gateway: A Backend for Frontend (BFF) application, following the “Backends for Frontends pattern” from the Cloud Design Patterns on Microsoft Docs.

Section 3: Application Secrets

Each entry lists the key name, where the value comes from (“Value or derived from”), which applications require it (“Required for”) and which resource group's key vault must be updated (“Resource group to be updated”).

LOVAppInsightsInstrumentationKey
  Value or derived from: Deployment Environment Resource Group → Application Insights → {Application Insight Name} → Overview → Instrumentation Key
  Required for: List Of Value Service
  Resource group to be updated: SAFESECSUR

WorkManagementServiceAppInsightsInstrumentationKey
  Value or derived from: Deployment Environment Resource Group → Application Insights → {Application Insight Name} → Overview → Instrumentation Key
  Required for: Work Management Service
  Resource group to be updated: SAFESECSUR

MessageProcessingServiceAppInsightsInstrumentationKey
  Value or derived from: Deployment Environment Resource Group → Application Insights → {Application Insight Name} → Overview → Instrumentation Key
  Required for: Queue Message Processing Service
  Resource group to be updated: SAFESECSUR

VRInternalAppInsightsInstrumentationKey
  Value or derived from: Deployment Environment Resource Group → Application Insights → {Application Insight Name} → Overview → Instrumentation Key
  Required for: VR Internal Website
  Resource group to be updated: EREGISTRY

ServiceBusConnectionString
  Value or derived from: Deployment Environment Resource Group → Service Bus → {Service Bus Name} → Settings → Shared access policies → Policy → Primary Connection String
  Required for: List Of Value Service, Queue Message Processing Service, Work Management Service
  Resource group to be updated: SAFESECSUR, EREGISTRY

ListOfValueConnectionString
  Value or derived from: Deployment Environment Resource Group → Azure Cosmos DB → {Cosmos DB Name} → Settings → Connection String → Primary Connection String
  Required for: List Of Value Service
  Resource group to be updated: SAFESECSUR

ConnectionStringRedisCache
  Value or derived from: Deployment Environment Resource Group → Azure Cache For Redis → {Azure Cache Redis Name} → Settings → Access Keys → Primary Connection String (StackExchange.Redis)
  Required for: List Of Value Service, VR Internal Website
  Resource group to be updated: SAFESECSUR, EREGISTRY

WorkManagementServiceConnectionString
  Value or derived from: Deployment Environment Resource Group → Azure Database for PostgreSQL servers → {PostgreSQL Server Name} → Settings → Connection Strings → ADO.NET. After obtaining the ADO.NET connection string, replace the {your_database} and {your_password} values with the database name and the database/server password respectively.
  Required for: Work Management Service
  Resource group to be updated: SAFESECSUR

DocumentStorageDatabase
  Value or derived from: Deployment Environment Resource Group → Azure Database for PostgreSQL servers → {PostgreSQL Server Name} → Settings → Connection Strings → ADO.NET. After obtaining the ADO.NET connection string, replace the {your_database} and {your_password} values with the database name and the database/server password respectively.
  Required for: Document Management Service
  Resource group to be updated: SAFESECSUR

BlobStorageConnectionString
  Value or derived from: Deployment Environment Resource Group → Storage accounts → Access keys → click “Show keys” → Connection string
  Required for: Queue Message Processing Service
  Resource group to be updated: SAFESECSUR

CanadaPostAddressCompleteAPIKey
  Value or derived from: The API key can be obtained by checking with Walter Hoban or Team Kraken.
  Required for: VR Internal Website
  Resource group to be updated: EREGISTRY

PostgresqlServerAdminPassword
  Value or derived from: Add the PostgreSQL server admin password. This is passed as a variable in Deployment pipeline 2.
  Required for: -
  Resource group to be updated: SAFESECSUR

PostgresqlServerAdminName
  Value or derived from: Add the PostgreSQL server admin name. This is passed as a variable in Deployment pipeline 2.
  Required for: -
  Resource group to be updated: SAFESECSUR

OnPremiseResourceEncryptionKey
  Value or derived from: Manually generated by developers using PowerShell (two statements; System.Web.Security.Membership is available in Windows PowerShell 5.1, which runs on .NET Framework, not in PowerShell 7):
    Add-Type -AssemblyName System.Web
    [System.Web.Security.Membership]::GeneratePassword(128, 20)
  Required for: vrdu-api, vrdu-gw, QMPS
  Resource group to be updated: EREGISTRY

VrAppConfiguration
  Value or derived from: [nprd/prod]-vrappconfig App Configuration → Settings → Access keys → Read-only keys → Connection string
  Required for: Introduce to services as needed
  Resource group to be updated: EREGISTRY, SAFESECSUR

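The derivations above are portal click paths that end with a value being copied into the key vault by hand. As an added example (not the team's own tooling), the script below derives the same values with Az PowerShell and writes them straight into the environment key vault, so instrumentation keys and connection strings never pass through a clipboard, chat or ticket, and each secret is tagged with the resource it came from. It assumes Connect-AzAccount has been run and that Az.ApplicationInsights, Az.CosmosDB, Az.RedisCache, Az.Storage and Az.KeyVault are installed; the resource names in the param block are constructed placeholders following the runbook's naming pattern, and the Redis and storage connection strings are rebuilt from their parts the way the portal composes them.

```powershell
# Added example (not the team's own tooling): derive Section 3 values with Az PowerShell and store
# them directly in the key vault. Assumes Connect-AzAccount has been run and Az.ApplicationInsights,
# Az.CosmosDB, Az.RedisCache, Az.Storage and Az.KeyVault are installed. Names are placeholders.
param(
    [string]$ResourceGroup  = 'ncd-safsecsur-rg',     # placeholder
    [string]$VaultName      = 'ncdsafsecsurkv',        # placeholder
    [string]$LovAppInsights = 'ncd-lov-service-ai',    # placeholder ({Application Insight Name} for LOV)
    [string]$CosmosAccount  = 'ncdsafsecsurcosmos',    # placeholder ({Cosmos DB Name})
    [string]$RedisName      = 'ncdsafsecsurredis',     # placeholder ({Azure Cache Redis Name})
    [string]$StorageAccount = 'ncdsafsecsurst'         # placeholder (storage account)
)
$ErrorActionPreference = 'Stop'

function Set-VaultSecret {
    # Writes one secret and tags it with its source resource so the Section 3 derivation stays auditable.
    # Refuses empty values: an empty connection string would silently break the consuming service.
    param([string]$Name, [string]$Value, [string]$Source)
    if ([string]::IsNullOrEmpty($Value)) { throw "Empty value for $Name (source: $Source)" }
    $secure = ConvertTo-SecureString -String $Value -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $VaultName -Name $Name -SecretValue $secure `
        -Tag @{ source = $Source } | Out-Null
    Write-Host "Stored $Name"   # the value itself is never written to the console or logs
}

# LOVAppInsightsInstrumentationKey: Application Insights → Overview → Instrumentation Key
$ai = Get-AzApplicationInsights -ResourceGroupName $ResourceGroup -Name $LovAppInsights
Set-VaultSecret -Name 'LOVAppInsightsInstrumentationKey' -Value $ai.InstrumentationKey -Source $LovAppInsights

# ListOfValueConnectionString: Cosmos DB → Connection String → Primary Connection String
# (-Type ConnectionStrings returns a hashtable; the key name is the one Az.CosmosDB uses)
$cosmosKeys = Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $CosmosAccount -Type 'ConnectionStrings'
Set-VaultSecret -Name 'ListOfValueConnectionString' -Value $cosmosKeys['Primary SQL Connection String'] -Source $CosmosAccount

# ConnectionStringRedisCache: Access Keys → Primary Connection String (StackExchange.Redis).
# The portal composes host name, TLS port 6380 and the primary key into this string; rebuilt here the same way.
$redisKey  = (Get-AzRedisCacheKey -ResourceGroupName $ResourceGroup -Name $RedisName).PrimaryKey
$redisConn = "$RedisName.redis.cache.windows.net:6380,password=$redisKey,ssl=True,abortConnect=False"
Set-VaultSecret -Name 'ConnectionStringRedisCache' -Value $redisConn -Source $RedisName

# BlobStorageConnectionString: Storage account → Access keys → Connection string (key1)
$saKey  = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
$saConn = "DefaultEndpointsProtocol=https;AccountName=$StorageAccount;AccountKey=$saKey;EndpointSuffix=core.windows.net"
Set-VaultSecret -Name 'BlobStorageConnectionString' -Value $saConn -Source $StorageAccount
```

The PostgreSQL ADO.NET strings are left out on purpose: they embed the PsqlAdminPassword pipeline variable, which should be injected from the variable group rather than read back from any resource. The Service Bus connection string is also omitted because the Get-AzServiceBusKey parameter names differ between Az.ServiceBus versions; add it with the version you have installed.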

App Registration Flowchart

  • Script reads the contents of the app-registration-configuration.json and loops over each one of them

    • Script associates owners with the app registration if there are any

    • Script assigns oauth2 permissions with the app registration if there are any

    • Script links any required resource permissions to the app registration

    • Script adds any oauth2 redirect uris to the app registration

    • Script adds certificates or secrets (currently only secrets) to the app registration

    • Repeats the process for each app registration
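As an added example, not the team's main.ps1, the script below implements the flow in the flowchart with the AzureAD module the prerequisites call for: it reads a configuration file, loops over the applications, sets owners, required resource permissions and redirect URIs, creates a secret and stores it in the key vault, and ensures an Enterprise Application exists. The configuration schema (an `applications` array with `name`, `owners`, `redirectUris`, `requiredResourceAccess` and `createSecret` fields) is an assumption, since the runbook does not show app-registration-configuration.json; exposing the app's own OAuth2 scopes is not covered. It assumes both Connect-AzureAD and Connect-AzAccount can succeed (Az.KeyVault is used for the secret) and that the key vault is named `{environment}eregistrykv` as in step 21.

```powershell
# Added example, not the team's main.ps1. Implements the app-registration flow described in the
# flowchart with the AzureAD module. The JSON schema below is an assumption (the real
# app-registration-configuration.json is not shown in the runbook):
# { "applications": [ { "name": "vessel-registry-internal",
#     "owners": ["user@example.com"], "redirectUris": ["https://localhost/signin-oidc"],
#     "requiredResourceAccess": [ { "resourceAppId": "<api app id>",
#         "permissions": [ { "id": "<permission id>", "type": "Scope" } ] } ],
#     "createSecret": true } ] }
param(
    [Parameter(Mandatory)][ValidateSet('nca', 'ncd', 'nct', 'pcp')][string]$environment,
    [string]$tenantId,
    [string]$configPath = 'app-registration-configuration.json',
    [string]$keyVaultName = "${environment}eregistrykv"   # naming from step 21 of the runbook
)
$ErrorActionPreference = 'Stop'

# Tenant handling matches the runbook: explicit -tenantId, otherwise the signed-in directory.
if ($tenantId) { Connect-AzureAD -TenantId $tenantId | Out-Null } else { Connect-AzureAD | Out-Null }
$config = Get-Content -Raw -Path $configPath | ConvertFrom-Json

foreach ($appDef in $config.applications) {
    $name = "$environment-$($appDef.name)"
    $replyUrls = @($appDef.redirectUris)

    # Reuse an existing registration so re-running the script does not create duplicates.
    $app = Get-AzureADApplication -Filter "displayName eq '$name'" | Select-Object -First 1
    if (-not $app) {
        $app = New-AzureADApplication -DisplayName $name -ReplyUrls $replyUrls
    } else {
        Set-AzureADApplication -ObjectId $app.ObjectId -ReplyUrls $replyUrls
    }

    # Owners: resolve each UPN and add it only if it is not already an owner.
    $currentOwners = @(Get-AzureADApplicationOwner -ObjectId $app.ObjectId)
    foreach ($upn in @($appDef.owners)) {
        $user = Get-AzureADUser -ObjectId $upn
        if ($currentOwners.ObjectId -notcontains $user.ObjectId) {
            Add-AzureADApplicationOwner -ObjectId $app.ObjectId -RefObjectId $user.ObjectId
        }
    }

    # Required resource access: delegated (Scope) or application (Role) permissions on other APIs.
    # Admin consent is still a separate, deliberate step (see Post Script Execution).
    $required = foreach ($res in @($appDef.requiredResourceAccess)) {
        $rra = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
        $rra.ResourceAppId  = $res.resourceAppId
        $rra.ResourceAccess = foreach ($p in @($res.permissions)) {
            New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $p.id, $p.type
        }
        $rra
    }
    if ($required) { Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess $required }

    # Secret: created with a 12-month expiry and written straight to the key vault; the value is never echoed.
    if ($appDef.createSecret) {
        $cred = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
            -CustomKeyIdentifier "$environment-$(Get-Date -Format yyyyMMdd)" -EndDate (Get-Date).AddMonths(12)
        $secure = ConvertTo-SecureString -String $cred.Value -AsPlainText -Force
        Set-AzKeyVaultSecret -VaultName $keyVaultName -Name "$($appDef.name)-client-secret" -SecretValue $secure | Out-Null
    }

    # Ensure the Enterprise Application (service principal) exists so permissions can be granted to it.
    if (-not (Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'")) {
        New-AzureADServicePrincipal -AppId $app.AppId | Out-Null
    }
    Write-Host "Configured $name (AppId $($app.AppId))"
}
```

Run it the same way as main.ps1, for example `.\example.ps1 -environment ncd` or with `-tenantId <Guid>`. Note that Microsoft has deprecated the AzureAD PowerShell module in favour of Microsoft Graph PowerShell; the flow is the same there (New-MgApplication, Add-MgApplicationPasswordCredential, New-MgServicePrincipal), so this structure carries over when the prerequisite module is replaced.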