SBMTD Azure setup

[thekaveman]

Some tasks may need help from SBMTD IT.

Most of these tasks come from the notes doc when we did this with MST.

Azure basics

• [x] Create Azure user group for Compiler, roles:
  • Application developer
• [x] Add @angela-tran, @machikoyasuda, @thekaveman to group
• [x] Create Subscription, assign Compiler group the Contributor role

Azure DevOps

• [x] Create Azure DevOps organization
• [x] Install Terraform extension on organization
• [x] Create Azure DevOps project
• [x] Turn off services not in use (Project settings > Overview > services) -- only Pipelines is used
• [x] Add Compiler users (ideally via group)
• [x] Create service connection
  • Type: Azure Resource Manager
  • Method: Service principal (automatic)
  • https://learn.microsoft.com/en-us/training/modules/authenticate-azure-deployment-pipeline-service-principals/
• [x] Create pipeline by importing azure-pipelines.yml from this repo
  • Depends on #291
• [x] Set environment variables
  • [x] TF_IN_AUTOMATION=1
  • [x] TF_VAR_DEPLOYER_APP_OBJECT_ID
  • [x] TF_VAR_ENGINEERING_GROUP_OBJECT_ID
  • [x] TF_VAR_AGENCY_CARD_DATA_ETL_APP_OBJECT_ID (renamed from TF_VAR_VELOCITY_ETL_APP_OBJECT_ID)
  • [x] TF_VAR_IP_ADDRESS_WHITELIST_DEV/TEST/PROD
• [x] Create Environment named "Approval"
• [x] #362

Terraform

• [x] (Manual) Create Resource Group and storage account dedicated to the Terraform state: sbmtd-mobility-pass-tf
• [x] (Manual) Create container in storage account named tfstate
• [x] (Manual x3 environments) Create environment Resource Group, Region: West US
  • [x] sbmtd-mobility-pass-eligibility-dev
  • [x] sbmtd-mobility-pass-eligibility-test
  • [x] sbmtd-mobility-pass-eligibility-prod
• [x] (Manual x3 environments) Create Terraform workspace
• [x] Trigger a pipeline run to verify plan - https://dev.azure.com/sbmtd/eligibility-server/_build/results?buildId=7&view=results
• [x] Trigger a pipeline run to verify apply
• [x] Known chicken-and-egg: Terraform both creates the Key Vault and expects a secret within it, so will always fail on the first deploy

Application

• [x] Create a keypair for the eligibility verification API
  • [x] test
  • [x] prod
• [x] (x3 environments) Create settings.py with:
  • [x] AGENCY_NAME
  • [x] AUTH_HEADER
  • [x] AUTH_TOKEN
  • [x] CLIENT_KEY_PATH
  • [x] IMPORT_FILE_PATH
  • [x] SENTRY_DSN
  • [x] SENTRY_TRACES_SAMPLE_RATE
• [x] (x3 environments) Add settings.py and keys to storage account

[thekaveman]

We got stuck in SBMTD's Azure with an Azure AD issue, so the group for Compiler engineers is not yet created. SBMTD is going to work with their Azure consultant on this issue.

Most of the setup for Azure DevOps is complete, the remaining step of establishing a Service Connection depends on the fix for Azure AD.

[angela-tran]

• [x] (Manual x3 environments) Create environment Resource Group, Region: West US
  • [x] sbmtd-mobility-pass-dev
  • [x] sbmtd-mobility-pass-test
  • [x] sbmtd-mobility-pass-prod

Just noticed that our Terraform file expects this to be named sbmtd-mobility-pass-eligibility-dev, etc.: https://github.com/cal-itp/eligibility-server/blob/1fd61404435f5d4759997e1a6e5e3b449c0e24ed/terraform/environment.tf#L8

See the build failure at https://dev.azure.com/sbmtd/eligibility-server/_build/results?buildId=5&view=logs&j=ace7239b-ade7-5b52-2e3a-ab948f392fca&t=86fc3f94-fb9f-52ff-e1d4-fd3623140af8&l=22

I will recreate the Resource Groups to match this naming

[angela-tran]

For getting the values for TF_VAR_DEPLOYER_APP_OBJECT_ID and TF_VAR_DEPLOYER_APP_OBJECT_ID, make sure you go into the "Managed application in local directory" screen to get the Object ID

https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser#list-service-principals-associated-with-an-app

[thekaveman]

@angela-tran I think we are good to close this??

[angela-tran]

@thekaveman Yeah, I think so since all the infra is set up. The dev, test, and prod instances are just waiting for data, which isn't necessarily part of this issue

[thekaveman]

@angela-tran I wrote up this one earlier, I think we're covered :+1: https://github.com/cal-itp/benefits/issues/1783