
Shared-Infra Provisioning Steps

Shared Infra Provisioning

Before running the app services infra repo, run shared-infra first to provision all the required dependencies that the infra services need. This step is needed because our pipeline runs on a private self-hosted runner and all our services are private, including Key Vault, storage, web apps and databases.

  1. Go to keyvault.tf in the shared infra repo and first verify that the Key Vault access policy is granted to the repo's service principal. If it is not, check whether the service principal exists; to create the service principal, see bootstrapping.
  2. Once the service principal exists, use the data.tf file to look up the service principal and use its object ID to grant it Key Vault permissions. The policy below grants Get and List only, which is read-only access to secrets, keys and certificates. Note that the standalone azurerm_key_vault_access_policy resource must not be combined with inline access_policy blocks on the azurerm_key_vault resource, otherwise the two keep overwriting each other's policy list on every apply.

data.tf

# Look up the pipeline's app registration by its display name, which is
# derived from the environment so the same code works per environment.
data "azuread_application" "pms" {
  display_name = "aad-sp-pms-ingest-infra-${var.tags.environment_short}"
}

# Resolve the service principal behind that app registration; its object_id
# is what the Key Vault access policy needs (not the client_id).
data "azuread_service_principal" "pms" {
  client_id = data.azuread_application.pms.client_id
}

keyvault.tf
resource "azurerm_key_vault_access_policy" "pms_infra_kv_reader" {
  key_vault_id            = azurerm_key_vault.vault.id
  tenant_id               = data.azurerm_client_config.current.tenant_id
  object_id               = data.azuread_service_principal.pms.object_id
  secret_permissions      = ["Get", "List"]
  key_permissions         = ["Get", "List"]
  certificate_permissions = ["Get", "List"]
}

Database provisioning

To provision a new database server, Terraform is already in place.

  1. Use the shared infra repo to provision the new MySQL Flexible Server.
  2. For the shared database server, use mysql_server_database.tf.
  3. For a new customer alias db server, use mysql_server_database_customer_aliases.tf; provisioning of new db servers is dynamic and driven by the customer_aliases list.
  4. The tfvars directory contains common.tfvars, which holds the customer aliases for the different customers.
  5. For example, if we need a new MySQL server for customer xyz, just add the new customer alias like this:

    customer_aliases = [
      "xyz",
      "abc"
    ]
    

  6. All db servers pick up the logging configuration dynamically. If another setting needs to be added, extend the Terraform code like the following with the new server configuration. Keep in mind that audit_log_events has no effect unless audit_log_enabled is ON on the same server, and that the GENERAL class records the statements themselves, so the audit log should be treated as sensitive data.

configuration

# One configuration resource per customer-alias server, skipped entirely in dev.
# The count index pairs this resource with the server at the same list position.
resource "azurerm_mysql_flexible_server_configuration" "ca_audit_log_events" {
  count               = var.tags.environment_short == "dev" ? 0 : length(var.customer_aliases)
  name                = "audit_log_events"
  resource_group_name = azurerm_resource_group.main.name
  server_name         = azurerm_mysql_flexible_server.customer_aliases_server[count.index].name
  value               = "CONNECTION,GENERAL,TABLE_ACCESS"
}

  7. The new db server will have a new server name, a customer alias database name, a server password and a db connection string, all of which are saved in Key Vault; the Key Vault is accessible via AVD.

Note

Please remember to check the requirements for the MySQL server database: it is always provisioned with the default charset and collation unless they are set explicitly. For the shared server, look for this tf file; for customer aliases the values are:

charset             = "utf8mb4"
collation           = "utf8mb4_general_ci"
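Putting the steps above together, here is an added example (not the shared-infra repo's own code) of the dynamic customer-alias provisioning that the customer_aliases list drives: one MySQL Flexible Server, database, audit-log configuration and Key Vault connection-string secret per alias. It uses for_each keyed by alias rather than count, because with count the list position is the resource identity, so removing an alias from the middle of the list (or reordering it) shifts every later index and Terraform plans to destroy and recreate those servers and their databases. Everything other than customer_aliases, var.tags.environment_short, azurerm_resource_group.main and azurerm_key_vault.vault is an assumption, including the resource names, SKU, engine version and connection-string format.

```hcl
# Added example, not the repo's own code. Assumes the azurerm and random
# providers, plus azurerm_resource_group.main and azurerm_key_vault.vault
# defined elsewhere in the configuration.
variable "customer_aliases" {
  type    = list(string)
  default = []
}

locals {
  # Keyed by alias: adding/removing one alias touches only that alias's resources.
  aliases = toset(var.customer_aliases)
  # Audit logging is skipped in dev, as in the existing count-based code.
  audited_aliases = { for a in local.aliases : a => a if var.tags.environment_short != "dev" }
}

# One generated admin password per alias; it lives only in state and Key Vault,
# never in tfvars or source. Protect the state backend accordingly.
resource "random_password" "ca_admin" {
  for_each         = local.aliases
  length           = 32
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

resource "azurerm_mysql_flexible_server" "customer_aliases_server" {
  for_each               = local.aliases
  name                   = "mysql-${each.key}-${var.tags.environment_short}"
  resource_group_name    = azurerm_resource_group.main.name
  location               = azurerm_resource_group.main.location
  administrator_login    = "mysqladmin"
  administrator_password = random_password.ca_admin[each.key].result
  sku_name               = "GP_Standard_D2ds_v4"
  version                = "8.0.21"
  backup_retention_days  = 7
  tags                   = var.tags
}

# Explicit charset/collation instead of relying on the server default.
resource "azurerm_mysql_flexible_database" "customer_aliases_db" {
  for_each            = local.aliases
  name                = each.key
  resource_group_name = azurerm_resource_group.main.name
  server_name         = azurerm_mysql_flexible_server.customer_aliases_server[each.key].name
  charset             = "utf8mb4"
  collation           = "utf8mb4_general_ci"
}

# audit_log_events is ignored unless audit_log_enabled is ON on the same server.
resource "azurerm_mysql_flexible_server_configuration" "ca_audit_log_enabled" {
  for_each            = local.audited_aliases
  name                = "audit_log_enabled"
  resource_group_name = azurerm_resource_group.main.name
  server_name         = azurerm_mysql_flexible_server.customer_aliases_server[each.key].name
  value               = "ON"
}

resource "azurerm_mysql_flexible_server_configuration" "ca_audit_log_events" {
  for_each            = local.audited_aliases
  name                = "audit_log_events"
  resource_group_name = azurerm_resource_group.main.name
  server_name         = azurerm_mysql_flexible_server.customer_aliases_server[each.key].name
  value               = "CONNECTION,GENERAL,TABLE_ACCESS"
}

# The connection string (server, database, password) goes to Key Vault so the
# app services pipeline can read it with the Get/List policy above; nothing is
# exposed through outputs or pipeline logs.
resource "azurerm_key_vault_secret" "ca_db_connection" {
  for_each     = local.aliases
  name         = "mysql-${each.key}-connection-string"
  key_vault_id = azurerm_key_vault.vault.id
  content_type = "text/plain"
  value = join(";", [
    "Server=${azurerm_mysql_flexible_server.customer_aliases_server[each.key].fqdn}",
    "Port=3306",
    "Database=${azurerm_mysql_flexible_database.customer_aliases_db[each.key].name}",
    "Uid=mysqladmin",
    "Pwd=${random_password.ca_admin[each.key].result}",
    "SslMode=Required",
  ])
}
```

Migrating the existing count-based resources to this shape needs a terraform state mv per alias (from index N to key "alias") before the first apply, otherwise the plan destroys the servers. The generated password and the secret value are stored in plaintext in Terraform state, so the state backend needs the same access controls as the Key Vault itself.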

DNS provisioning for new customer alias

Once the db server has been provisioned, go to reg1-dashboard-infra to add the DNS record.

  1. Go to the tfvars directory and choose the environment the customer is to be added to.
  2. For example, for a nonproduction customer, go to tfvars/nonproduction.tfvars and in this section add the new customer alias that was previously added on the db server:

customer_aliases = [
  "xyz",
  "abc"
]

Admin dashboard provisioning for new customer alias

Once DNS has been set up in the previous step, go to admin-dashboard-infra to provision the admin dashboard; this repo updates the DNS zone with a CNAME record for the new alias.

As in the step above, add the new customer alias inside tfvars/nonproduction:

customer_aliases = [
  "xyz",
  "abc"
]
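As an added example (not the admin-dashboard-infra repo's own code) of the CNAME update that the step above describes, this is how a for_each over the same customer_aliases list yields one CNAME record per alias in the existing zone. The zone lookup, the variable names and the target hostname are assumptions, and it assumes a public azurerm_dns_zone; a private zone would use azurerm_private_dns_cname_record with the same shape.

```hcl
# Added example, not the repo's own code. Assumes the azurerm provider and an
# existing DNS zone managed outside this configuration.
variable "customer_aliases" {
  type    = list(string)
  default = []
}

variable "dns_zone_name" {
  type        = string
  description = "Assumed: name of the existing zone the aliases are created in"
}

variable "dns_zone_resource_group" {
  type        = string
  description = "Assumed: resource group that holds the zone"
}

variable "dashboard_hostname" {
  type        = string
  description = "Assumed: default hostname of the admin dashboard web app the aliases point at"
}

# Read the zone rather than declaring it, so this repo cannot accidentally
# recreate or delete the zone that other repos also write records into.
data "azurerm_dns_zone" "dashboard" {
  name                = var.dns_zone_name
  resource_group_name = var.dns_zone_resource_group
}

# One CNAME per alias (xyz.<zone> -> dashboard hostname), keyed by alias so
# removing "xyz" from customer_aliases removes only xyz's record.
resource "azurerm_dns_cname_record" "customer_alias" {
  for_each            = toset(var.customer_aliases)
  name                = each.key
  zone_name           = data.azurerm_dns_zone.dashboard.name
  resource_group_name = data.azurerm_dns_zone.dashboard.resource_group_name
  ttl                 = 300
  record              = var.dashboard_hostname
}
```

A short TTL such as 300 keeps the window small if an alias has to be repointed or removed; remove the alias from customer_aliases in this repo before decommissioning the matching db server so no record is left pointing at a dashboard whose backend no longer exists.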