Deploy the App to Azure (Beta Environment)

[pete-gov]

This ticket probably should've been closed and replaced but what is life. It is now:

Deploy Beta Site:

• [x] Create Blob Storage
• [x] Deploy Homepage app to blob storage
• [x] Deploy simplereport app to blob storage
• [x] Create Host Disk
• [x] Create VM
• [x] Configure VM
• [x] Refresh and deploy API containers
• [x] Tested API containers locally
• [x] Added a passthrough to improvised nginx for Blob Storage
• [x] Added a passthrough to improvesed nginx for API servers
• [x] Tested external access through Azure Gateway to App
• [x] Tested external access through Azure Gateway to API
• [x] Set up beta.simplereport.org domain name in DNS
• [x] Create SSL certificate
• [x] Upload pkcs12 version
• [x] Verify SSL
• [x] Create re-usable SSL request (even if janky)
• [x] Fix routing for react app
• [x] set up https redirect on application gateway
• [x] document everything
• [x] upgrade to wildcard cert for simplereport.org
• [x] point simplereport.org and www.simplereport.org at beta

Verification Person 1 (Katie):

• [x] https://simplereport.cdc.gov works and shows what is expected (or close to it for now)
• [x] https://simplereport.cdc.gov/api/actuator/health works and shows UP
• [x] https://simplereport.cdc.gov/app works and shows what is expected
• [x] https://simplereport.cdc.gov/app/organization/123/queue or any other link works when reloaded or going directly
• [x] ssl certificates are all good
• [x] app generally works correctly

Verification Person 2:

• [x] https://simplereport.cdc.gov works and shows what is expected (or close to it for now)
• [x] https://simplereport.cdc.gov/api/actuator/health works and shows UP
• [x] https://simplereport.cdc.gov/app works and shows what is expected
• [x] https://simplereport.cdc.gov/app/organization/123/queue or any other link works when reloaded or going directly
• [x] ssl certificates are all good
• [x] app generally works correctly

Bonus Engineer Verification:

• [ ] another engineer has deployed an updated version of the backend
• [ ] another engineer has deployed an updated version of the frontend
• [ ] another engineer has deployed an updated version of the public site

[pete-gov]

As of this morning, I'm looking at native services for this so we can responsively scale in production without managing a bunch of pets. I'm investigating setup for:

• Backend - Database: https://docs.microsoft.com/en-us/azure/postgresql/overview
• Backend - GraphQL via Springboot: https://azure.microsoft.com/en-us/services/spring-cloud/
• Frontend - Static Site: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website

[benwarfield-usds]

Worth interrogating as part of the DB setup: maintenance tasks (thinking of: running migrations) are handled very differently in different tool chains. It would be good to know if Azure has a "right" way.

[pete-gov]

Progress Updates:

I've familiarized myself with all of the processes for and have set up a proof of concept virtual network with appropriate subnets, security rules, etc. Inside this are a PostgreSQL managed database, a blob store with the static site, a bastion host for connecting into it, and a tiny linux vm to ssh to and do PostgreSQL stuff. I think this is a pretty good basic environment. What still needs to be tested is:

• Spring deployment of the API system
• Hooking that into DB
• Azure API Management deployment in front of it

Everything's been set up manually at the moment.

What's Next:

1. Working with OCIO and MS folks on Monday to figure out permissions that are necessary to do stuff with CICD, and will talk through with them at that point whether to use DevOps/Pipelines or GitHub Actions. Will also see if we can leverage them more to actually set up some of the integration.

2. Everything is set up in a dev/testing resource group right now and we need permanent resource groups set up. Will talk to the OCIO folks about this on Monday as well. Probably will just do this all manually again for dev+prod but then hook automation into deployments of updates.

bbwarfie: Worth interrogating as part of the DB setup: maintenance tasks (thinking of: running migrations) are handled very differently in different tool chains. It would be good to know if Azure has a "right" way.

Will poke into this as we get further along - I'm using the flexible managed service which if I remember correctly includes clones and whatnot, so it should be easy to do blue green style db updates.

[pete-gov]

Multiple attempts to deploy the API backend via various Azure services did not lead to any success. Pinning this for now, will find out if Spring Cloud is an option this afternoon and revisit based on that. More in slack here.

[pete-gov]

Updates: Still working through issues with OCIO.

Good Stuff:

1. SimpleReport resource groups are created
2. Storage for dev and prod static sites are good to go
3. DNS is configured
4. All the various testing/dev instance junk has been cleaned up
5. Untested front end deployment actions created
6. OCIO is working on setting up Service Principal for these resources to allow us to move forward and some other stuff

Issues Working Through:

1. Without a service principal we can't do CICD. It's possible we can use personal credentials short term but I haven't figured out how to do this, am still exploring.
2. We don't have CDN capability, request open for that, can't host any sites on custom names until we get that
3. Waiting on an answer on if we can use Spring Cloud hopefully by today to make a call on that

Next Steps:

1. Rebuilding environments inside the new resource groups
2. Implementing things once we get all the perms and setup
3. Figuring out API deployment layer, whether that will be docker/ACS/SpringCloud/etc.

[pete-gov]

Switching gears from automated (waiting on service principals) to manual deployments, we were at the point where everything was ready to go except the API server deployment (and insight/monitoring). Nick has been working on that and has a couple working proof of concepts using containers and we'll stay away from SpringCloud et al.

With the switch to a single domain name that we don't have control over, everything has to move around though, so I'm working on setting up an application gateway to route traffic via URL paths - if that doesn't get us what we need working well enough by midday tomorrow, I'll look at alternatives such as just setting up my own haproxy instance which I know can handle blob storage use cases without having to re-design the entire static deployment and build webservers.

[willusds]

Added the checklist from this checkin this afternoon to the main body!

[pete-gov]

I've updated this with a more accurate checklist.

[pete-gov]

React routing is fixed.

Rudimentary automated check (just for reference, all URLs need to be doublechecked by hand when everything is done):

echo -n "beta.simplereport.org:                  "
curl -s https://beta.simplereport.org/ | grep "<title>" | awk -F"<title>" '{print $2}' | awk -F"<" '{print $1}'

echo -n "beta.simplereport.org/app:              "
curl -s https://beta.simplereport.org/app/ | grep "<title>" | awk -F"<title>" '{print $2}' | awk -F"<" '{print $1}'

echo -n "beta.simplereport.org/app/organization: "
curl -s https://beta.simplereport.org/app/organization/123/queue | grep "<title>" | awk -F"<title>" '{print $2}' | awk -F"<" '{print $1}'

echo -n "beta.simplereport.org/api:              "
curl -s https://beta.simplereport.org/api/actuator/health

echo ""
echo ""

echo -n "is simplereport.cdc.gov up yet? "
dig +short simplereport.cdc.gov

echo ""
echo ""

Good output:

beta.simplereport.org:                  Home | SimpleReport
beta.simplereport.org/app:              SimpleReport
beta.simplereport.org/app/organization: SimpleReport
beta.simplereport.org/api:              {"status":"UP"}

[pete-gov]

I'm moving the backup portion out of this ticket so the rest of it can undergo QA.

[katiealoisi]

Comments under "app generally works as expected":

Caveat: If I am raising issues that are already known and we have a plan for addressing, apologies in advance and please disregard!

(1) In Device Dropdown, I see "Select" and "Select Device" as separate drop-down options. I expect to see "Select Device" only. Screenshot below.

(2) I expect to see newest results at the top of the Results list. Currently, newest results appear at the end of the list.

(3) I expect to see consistent terminology for "Lookup ID" and "Unique ID". "Unique ID" is used everywhere other than the Profile, which uses "Lookup ID".

(4) I expect to see a drop-down for the State field in Global Settings.

(5) Should I be able to edit a patient profile? I attempted to edit Bobbity's middle name, hit save, and did not receive a success message. When I refreshed, my edit disappeared.

(6) Should I be able to add a new patient? I attempted to, hit save, and did not receive a confirmation. When I checked the people tab, the profile had not been created.

(7) Should I be able to edit everything in Global Settings?

• I can successfully add and remove Devices, and set defaults.

• When I attempt to edit Ordering Provider information, it allows me to click Save and I get a success message. When I refresh the page, my edits are not saved.

• When I attempt to edit Facility Information, it allows me to click Save but I do not get a success message. When I hit refresh, my edits are not saved.

[pete-gov]

I think all these things are software broken not infrastructure broken so they should all be reviewed as bugs, I added a link to the broken things ticket.

[aliciabeckett-gov]

Looked at Katie's comments. Those should be logged as bugs, and none of them are show stoppers.

[pete-gov]

Second verification actually happened in staff basically.

Engineering verification is probably something nobody is going to have any time to deal with until they have to, so I'll pass it for now.