Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 85 Next »

Deploy Azure Resources using DevOps pipeline

DevOps pipeline prerequisite
  • A “Service Connection” is required for each resource group and environment. This needs to be requested from TC Cloud Team.

  • Requires Document Service URL from Team Ninja Turtles

  • Azure ObjectID of the team who has to access the keyvault’s

Deployment DevOps Pipelines

Descriptions

Azure Resources Deployment 1 (Initial)

Will deploy keyvault, appserviceplan for Safsecsur & Eregistry and container registry for Safsecsur

Azure Resources Deployment 2 (Safsecsur)

Will deploy app service (for work management, LOV and service bus processing service), redisCache, appInsights(for work management, LOV and service bus processing service), postgreSQL, cosmosDB, serviceBus, storageAccount resources for Safsecsur

Azure Resources Deployment 3 (Eregistry)

Will deploy app service and appinsights (for Vessel Registry internal and external website) resources for Eregistry

  1. Review bicep deployment files (azuredeploy. *) under project repository folder AzureDeployment

    1. Review sku values for resources and update as necessary. The sku values are inside of bicep templates in repository: Infrastructure/AzureDeployment/azuredeploy.*.bicep

    2. In the same bicep files optionally set deployment flag to false if the associated resource did not need to be deployed. It is set to true by default.

  2. Configure the variables for each azure resource deployment DevOps pipelines

    1. Edit DevOps pipelines under Pipelines → All → Azure Deployment folder

    2. Configure variables listed for each deployment pipeline in Appendix section 1. For secured variables, need to re-create the value and check “Keep this value secret” checkbox after adding the value

  3. Run the first deployment pipeline Azure Resources Deployment 1 (Initial). This will create container registry, keyvault and app service plan resources

  4. Create a folder by environment name in DevOps pipeline and clone/create DevOps CI/CD pipelines in TK and TNT DevOps project.

  5. Configure new cloned/created DevOps CI/CD pipelines for specified resource groups, container image name and container image tag. Then build the pipelines. Please refer to the Appendix section 2 for the container name, image name and image tag.

  6. Update the deployment pipeline variables and run the remaining two: Azure Resources Deployment 2 (Safsecsur) and Azure Resources Deployment 3 (Eregistry). Verify the resources has been deployed successfully in Azure Portal → Resource Group → Deployments

  7. Add keyvault secrets used for applications from created resources. Please refer to the Appendix section 3 for the required application secrets (Optional: Configure Access Policies in the KeyVault)

  8. Create a Variable group in DevOps → Pipelines → Library. Toggle “Link Secrets” option, select appropriate Azure subscription → KeyVault name, add all the necessary keys and save the variable group

  9. Repeat above step in TNT project

  10. Add workmanagementservice appservice outbound IP addresses to Postgresql server connection security (Optional: Have to do this for documentmanagement service too)

  11. Run Vesselregistry and document service database script

  12. On all appservices, need to turn off & on continuous integration, save it. This should be done in order to create a webhook in container registry

  13. Disable public access to blob on storageaccount

  14. Add/Create a “Diagnostics Settings” to all the appservices on Azure portal

  15. Turn-on Identity in document api appservice and add the object id to safsecsur keyvault access policy

  16. Link and save the new variable group in all the DevOps CI/CD pipelines

  17. Make sure to use the correct branch(Develop/Master) on all the DevOps CI/CD pipelines

  18. Migrate LOV Azure Cosmos DB data using Microsoft tool or Console App

  19. Create Application Registration for Vessel Registration internal and external websites. Please refer to below Application Registration section.

  20. Run DevOps CI/CD pipelines of TK and TNT again and verify the applications runs as expected.

Application Registration

Script execution prerequisite
  • Install the Azure AD Module

  • Make sure you have Application Developer Role

  • Make sure you have Local Machine administrative rights

  • Make sure KeyVault exists and permission to write to it

  • Make sure you have the ability to configure Enterprise Applications in Azure AD

  • Make sure you have the ability to grant admin consent in App Registrations

Running the script

The script directory that you were given should contain the following content:

  • [Optional] Specify the configuration file path or the script will default to the app-registration-configuration.json in the same directory as the main.ps1 script file.

    • If the configuration file is not in the same directory, then the absolute path must be provided, and theisAbsolutePath switch parameter must be passed to the script

  • [Optional] You can specify the Tenant/Directory Id, otherwise, the script will use the current directory your user account is logged in under.

Run PowerShell in administrator mode navigate to the script folder, and execute the following commands:

If not providing the Tenant Id to the script:

.\main.ps1 -environment ['nca', 'ncd', 'nct', 'pcp']

If providing the Tenant Id to the script:

.\main.ps1 -environment ['nca', 'ncd', 'nct', 'pcp'] -tenantId [Guid]
Post Script Execution
  • In the newly created Vessel Registry App Registration → Manage → API permissions → click on the Grant admin consent

Appendix

Section1: Variables for Azure resource deployment

Environment Name

Descriptions

Location

ncd

Non-Production DEV

Canada Central

nct

Non-Production TEST

Canada Central

nca

Non-Production ACC

Canada Central

pcp

Production

Canada Central

Pipeline Name

Variable Name

IsSecured

Associated Resource

Deployment 1 (Initial)

EnvironmentName

TargetEnvironment

ContainerRegistrySKU

TeamKrakenAzureAdObjectId

Yes

KeyVault

TeamNinjaTurtlesAzureAdObjectId

Yes

KeyVault

AzureAdTenantId

Yes

KeyVault

EregistryResourceGroupName

Azure Portal

EregistryServiceConnectionName

Name of the service connection for the resource group and environment.

DevOps->Project Settings->Service connections

SafsecsurResourceGroupName

Azure Portal

SafsecsurServiceConnectionName

Name of the service connection for the resource group and environment.

DevOps->Project Settings->Service connections

Deployment 2 (Safsecsur)

EnvironmentName

TargetEnvironment

ServiceConnection

Name of the service connection for the resource group and environment.

DevOps->Project Settings->Service connections

ResourceGroupName

Azure Portal

ContainerRegistryPassword

Yes

PsqlAdminName

Yes

PostreSQL Database

PsqlAdminPassword

Yes

PostreSQL Database

PsqlFirewallIpAddress

PostreSQL Database

Deployment 3 (Eregistry)

EnvironmentName

TargetEnvironment

ServiceConnection

Name of the service connection for the resource group and environment.

DevOps->Project Settings->Service connections

ResourceGroupName

Azure Portal

ContainerRegistryPassword

Yes

Section2: Container Registry related name for app servicesncd|nct|nca|pcp

  • Container Registry Name: '{environmentName}safsecsurcr' e.g 'ncdsafsecsurcr'

  • Container Registry Image Name: '{environmentName}safsecsur-{servicename}'

  • Container Registry Image Tag: 'safsecsur-{servicename}'

EnvironmentName:

Environment Name

Descriptions

Location

ncd

Non-Production DEV

Canada Central

nct

Non-Production TEST

Canada Central

nca

Non-Production ACC

Canada Central

pcp

Production

Canada Central

TargetEnvironment:

Target Environment

Descriptions

Location

Development

Non-Production DEV

Canada Central

Testing

Non-Production TEST

Canada Central

Acceptance

Non-Production ACC

Canada Central

Production

Production

Canada Central

ApplicationGroup:

Application Group

Descriptions

Shared Applications

safsecsur

Marine safety and security

Yes

eregistry

Vessel Registry

No

ApplicationName:

Application Name

Descriptions

work-management-service

Work Management Service

lov-service

List Of Value Service

vessel-registry-internal

VR Internal Website

vessel-registry-external

VR External Website

queue-message-processing-service

Queue Message Processing Service

Section 3: Application Secrets

Key Name

Value or Derived from

Required for

ResourceGroup to be updated

LOVAppInsightsInstrumentationKey

Deployment Environment Resource Group → Application Insights → {Application Insight Name} → Overview → Instrumentation Key

  • List Of Value Service

  • SAFESECSUR

WorkManagementServiceAppInsightsInstrumentationKey

Deployment Environment Resource Group → Application Insights → {Application Insight Name} → Overview → Instrumentation Key

  • Work Management Service

  • SAFESECSUR

MessageProcessingServiceAppInsightsInstrumentationKey

Deployment Environment Resource Group → Application Insights → {Application Insight Name} → Overview → Instrumentation Key

  • Queue Message Processing Service

  • SAFESECSUR

VRInternalAppInsightsInstrumentationKey

Deployment Environment Resource Group → Application Insights → {Application Insight Name} → Overview → Instrumentation Key

  • VR Internal Website

  • EREGISTRY

ServiceBusConnectionString

Deployment Environment Resource Group → Service Bus → {Service Bus Name} → Settings → Shared access policies → Policy → Primary Connection String

  • List Of Value Service

  • Queue Message Processing Service

  • Work Management Service

  • SAFESECSUR

  • EREGISTRY

ListOfValueConnectionString

Deployment Environment Resource Group → Azure Cosmos DB → { Cosmos DB Name } → Settings → Connection String → Primary Connection String

  • List Of Value Service

  • SAFESECSUR

ConnectionStringRedisCache

Deployment Environment Resource Group → Azure Cache For Redis → { Azure Cache Redis Name } → Settings → Access Keys → Primary Connection String (StackExchange.Redis)

  • List Of Value Service

  • VR Internal Website

  • SAFESECSUR

  • EREGISTRY

WorkManagementServiceConnectionString

Deployment Environment Resource Group → Azure Database for PostgreSQL servers → { PostreSQL Server Name } → Settings → Connection Strings → ADO.NET

After obtaining the ADO.NET connectionstring, replace {your_database} and {your_password} values with database name and database/server password respectively

  • Work Management Service

  • SAFESECSUR

DocumentStorageDatabase

Deployment Environment Resource Group → Azure Database for PostgreSQL servers → { PostreSQL Server Name } → Settings → Connection Strings → ADO.NET

After obtaining the ADO.NET connectionstring, replace {your_database} and {your_password} values with database name and database/server password respectively

  • Document Management Service

  • SAFESECSUR

BlobStorageConnectionString

Deployment Environment Resource Group → Storage accounts → Access keys → Click on “Show keys” → Connection string

  • Queue Message Processing Service

  • SAFESECSUR

CanadaPostAddressCompleteAPIKey

The API key can be obtained by checking with Walter Hoban, or Team Kraken.

  • VR Internal Website

  • EREGISTRY

PostgresqlServerAdminPassword

Add the postgresql server admin password. This is passed as a variable in Deployment pipeline 2

  • SAFESECSUR

PostgresqlServerAdminName

Add the postgresql server admin name. This is passed as a variable in Deployment pipeline 2

  • SAFESECSUR

OnPremiseResourceEncryptionKey

Manually generated by developers.

  • vrdu-api

  • vrdu-gw

  • QMPS

  • EREGISTRY

App Registration Flowchart

  • Script reads the contents of the app-registration-configuration.json and loops over each one of them

    • Script associates owners with the app registration if there are any

    • Script assigns oauth2 permissions with the app registration if there are any

    • Script links any required resource permissions to the app registration

    • Script adds any oauth2 redirect uris to the app registration

    • Script adds certificates or secrets(currently only secrets) to the app registration

    • Repeats the process for each app registration

  • No labels