Document deployment

saliceti · saliceti · commit 0af2db4c4efa · 2025-08-15T16:20:05.000+01:00
diff --git a/README.md b/README.md
@@ -110,52 +110,9 @@ To generate a new app, run:
 poetry run ./manage.py startapp <app_name> manage_breast_screening/`
 ```
 
-## Manual Deployment
+## Deployment
 
-The build pipeline builds and pushes a docker image to [Github container registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry). The app is deployed to an [Azure container app](https://azure.microsoft.com/en-us/products/container-apps) using terraform.
-
-For each environment, e.g. 'dev':
-
-1. Connect to [Azure virtual desktop](https://azure.microsoft.com/en-us/products/virtual-desktop). Ask the platform team for access with Administrator role.
-1. If not present, install the following software: terraform (version 1.7.0), git, make, jq.
-   - Run a Command prompt as administrator
-   - choco install terraform --version 1.7.0
-   - choco install terraform git make jq
-1. Open git bash
-1. Clone the repository: `git clone https://github.com/NHSDigital/dtos-manage-breast-screening.git`
-1. Enter the directory and select the branch, tag, commit...
-1. Login: `az login`
-1. Create the resource group: `make dev resource-group-init`. This is only required when creating the environment from scratch.
-1. Deploy:
-   ```shell
-   make dev terraform-plan DOCKER_IMAGE_TAG=git-sha-af32637e7e6a07e36158dcb8d7ed90be49be1xyz
-   ```
-1. The web app URL will be displayed as output. Copy it into a browser on the AVD to access the app.
-
-## Manual deployment of the review environments
-
-Review environments differ slightly from other environments. They are lightweight versions of the application and are designed to share much of the core Azure infrastructure. As a result, there is a one-to-many relationship between the container apps and the container app environment.
-
-### Step 1
-If you run the following command *without* the `PR_NUMBER` parameter, it will apply only the infrastructure module:
-
-```shell
-make review terraform-apply
-```
-
-### Step 2
-
-If you include the `PR_NUMBER` parameter, it will apply the container_app module instead of the infrastructure module:
-
-```shell
-make review terraform-apply DOCKER_IMAGE_TAG=git-sha-01ecb79d561f55be60072a093dd167fe8eb5b42e PR_NUMBER=123
-```
-
-## Continuous deployment
-
-When a PR is merged, Github actions securely triggers the deployment pipeline on the Azure devops pool running on the internal network. It currently deploys the dev environment automatically.
-
-Access [Azure devops](https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build?definitionId=86) to see the pipeline.
+See [Deployment](docs/infrastructure/deployment.md).
 
 ## Application secrets
 
diff --git a/docs/infrastructure/create-environment.md b/docs/infrastructure/create-environment.md
@@ -0,0 +1,56 @@
+# Create an environment
+
+This is the initial manual process to create a new environment like review, dev, production...
+- Create the configuration files in `infrastructure/environments/[environment]`
+- Create postgres Entra ID group in DTOS Administrative Unit (AU): `postgres_manbrs_[environment]_uks_admin`
+- Ask CCOE to assign role:
+	- [Form for PIM](https://nhsdigitallive.service-now.com/nhs_digital?id=sc_cat_item&sys_id=28f3ab4f1bf3ca1078ac4337b04bcb78&sysparm_category=114fced51bdae1502eee65b9bd4bcbdc)
+	- Approver: Add someone from the infrastructure team
+	- Role Name: `Group.Read.All`
+	- Application Name: `mi-manbrs-[environment]-adotoaz-uks`
+	- Application ID: [client.id]
+	- Managed identity: `mi-manbrs-[environment]-adotoaz-uks`
+	- Description:
+    	- Managed identity: `mi-manbrs-[environment]-adotoaz-uks`
+    	- Role: permanent on Directory
+- Run bicep from AVD: `make [environment] resource-group-init`
+- Create ADO group
+	- Name: `Run pipeline - [environment]`
+	- Members: `mi-manbrs-[environment]-ghtoado-uks`. There may be more than 1 in the list. Check client id printed below the name.
+	- Permissions:
+		- View project-level information
+- Create new pipeline:
+    - Name: `Deploy to Azure - [environment]`
+    - Pipeline yaml: `.azuredevops/pipelines/deploy.yml`
+- Manage pipeline security:
+	- Add group: `Run pipeline - [environment]`
+	- Permissions:
+		- Edit queue build configuration
+		- Queue builds
+		- View build pipeline
+		- View builds
+- Create ADO environment: [environment]
+	- Set: exclusive lock (except for review)
+	- Add pipeline permission for `Deploy to Azure - [environment]` pipeline
+- Create Github environment [environment]
+- Add environment secrets, from `mi-manbrs-[environment]-ghtoado-uks` in github
+	- AZURE_CLIENT_ID
+	- AZURE_SUBSCRIPTION_ID
+[TODO]- Add branch protection rule so only the main branch can be deployed (except for review) [TODO]
+- Create service connection (ADO)
+	- Connection type: `Azure Resource Manager`
+	- Identity type: `Managed identity`
+	- Subscription for managed identity: `Digital Screening DToS - Devops`
+	- Resource group for managed identity: `rg-mi-[environment]-uks`
+	- Managed identity: `mi-manbrs-[environment]-adotoaz-uks`
+	- Scope level: `Subscription`
+	- Subscription: `Digital Screening DToS - Core Services Dev`
+	- Resource group for Service connection: leave blank
+	- Service Connection Name: `manbrs-[environment]`
+	- Do NOT tick: Grant access permission to all pipelines
+	- Security: allow `Deploy to Azure - [environment]` pipeline
+- Add environment to the list of environments in `deploy-stage` step of `cicd-2-main-branch.yaml`. For the review enviornment, there is a single item in `cicd-1-pull-request.yaml`.
+- Run Github workflow
+- Check ADO pipeline. You may be prompted to authorise:
+	- Pipeline: service connection
+	- Environment: service connection and agent pool
diff --git a/docs/infrastructure/deployment.md b/docs/infrastructure/deployment.md
@@ -0,0 +1,81 @@
+# Deployment
+
+## Infrastructure
+The code is packaged into a docker image which is deployed to [Azure container apps](https://learn.microsoft.com/en-us/azure/container-apps/). The main app is a web application, with an HTTP ingress. And the second one is an [Azure container app job](https://learn.microsoft.com/en-us/azure/container-apps/jobs?tabs=azure-cli), triggered on demand to run the database migration.
+
+The web application does not have a public endpoint. It is only accessible via [Azure front door](https://learn.microsoft.com/en-us/azure/frontdoor/) which is a CDN providing TLS certificates, firewall, scaling and caching. The internal endpoint is accessible via [Azure Virtual Desktop](https://learn.microsoft.com/en-us/azure/virtual-desktop/).
+
+The data is hosted on [Azure postgres flexible server](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/overview).
+
+## Docker build
+The build pipeline builds and pushes a docker image to [Github container registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry). The image is tagged with:
+- branch name: for docker build caching
+- commit SHA: to uniquely identify the image during deployment, prefixed by "git-sha-".
+- image digest sha: immutable tag
+
+## Automated deployment
+The deployment is split between:
+- [Github actions](https://github.com/features/actions) for Continuous Integration (CI)
+- [Azure devops](https://azure.microsoft.com/en-us/products/devops) pipelines for Continuous Deployment (CD)
+
+### Github actions
+Runs on Github hosted runners on the internet. They run all our tests (unit, functional, security, linting...). They don't have access to our internal network nor any sensitive data.
+
+To deploy an environment, they authenticate to Azure and delegate the work to [Azure devops piplines](#azure-devops-pipelines).
+
+See [all Github actions](https://github.com/NHSDigital/dtos-manage-breast-screening/actions).
+
+### Azure devops pipelines
+We use a public repository as required by the [NHS Service standard](https://service-manual.nhs.uk/standards-and-technology/service-standard-points/12-make-new-source-code-open). For security reasons, deployments cannot run from Github actions and run instead on Azure devops private runners inside our internal network. They have access to the network and any Azure resource deployed onto it.
+
+See [all Azure devops pipelines](https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build).
+
+### Pull request
+When a pull request is raised, add a "deploy" label to deploy a review app (concept borrowed from [Heroku](https://devcenter.heroku.com/articles/github-integration-review-apps)). It triggers the [CI/CD pull request](https://github.com/NHSDigital/dtos-manage-breast-screening/actions/workflows/cicd-1-pull-request.yaml) Github action workflow, which runs tests then authenticates to Azure and triggers the [Deploy review app](https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build?definitionId=102) Azure devops pipeline. It runs terraform to deploy the application, database and front door configuration.
+
+To make this process faster and less costly, most of the infrastructure is reused for all review apps: networking, key vaults, container app environments... The base infrastructure is only updated by the pipeline on the main branch.
+
+When the pull request is closed or merged, and if it has the "deploy" label, the [Delete review app](https://github.com/NHSDigital/dtos-manage-breast-screening/actions/workflows/cicd-1-pull-request-closed.yaml) workflow is triggered, followed by the [Delete review app](https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build?definitionId=103) Azure devops pipeline. It runs *terraform destroy* to delete the resources.
+
+Note: terraform currently deploys a postgres server with a locked database. It must be deleted manually from the Azure portal before the pipeline runs.
+
+### Main branch
+When a pull request is merged to the main branch, the [CI/CD main branch](https://github.com/NHSDigital/dtos-manage-breast-screening/actions/workflows/cicd-2-main-branch.yaml) is triggered. It runs tests then authenticates to Azure and triggers the [Deploy to Azure](https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build?definitionId=93) Azure devops pipeline. It runs terraform to deploy the entire environment, including both infrastructure and applications. Any manual change is overwritten by terraform.
+
+## Manual deployment
+For each environment, e.g. 'dev':
+
+1. Connect to [Azure virtual desktop](https://azure.microsoft.com/en-us/products/virtual-desktop). Ask the platform team for access with Administrator role.
+1. If not present, install the following software: terraform (version 1.7.0), git, make, jq.
+   - Run a Command prompt as administrator
+   - choco install terraform --version 1.7.0
+   - choco install terraform git make jq
+1. Open git bash
+1. Clone the repository: `git clone https://github.com/NHSDigital/dtos-manage-breast-screening.git`
+1. Enter the directory and select the branch, tag, commit...
+1. Login: `az login`
+1. Create the resource group: `make dev resource-group-init`. This is only required when creating the environment from scratch.
+1. Deploy:
+   ```shell
+   make dev terraform-plan DOCKER_IMAGE_TAG=git-sha-af32637e7e6a07e36158dcb8d7ed90be49be1xyz
+   ```
+1. The web app URL will be displayed as output. Copy it into a browser on the AVD to access the app.
+
+## Manual deployment of the review environments
+
+Review environments differ slightly from other environments. They are lightweight versions of the application and are designed to share much of the core Azure infrastructure. As a result, there is a one-to-many relationship between the container apps and the container app environment.
+
+### Step 1
+If you run the following command *without* the `PR_NUMBER` parameter, it will apply only the infrastructure module:
+
+```shell
+make review terraform-apply
+```
+
+### Step 2
+
+If you include the `PR_NUMBER` parameter, it will apply the container_app module instead of the infrastructure module:
+
+```shell
+make review terraform-apply DOCKER_IMAGE_TAG=git-sha-01ecb79d561f55be60072a093dd167fe8eb5b42e PR_NUMBER=123
+```
diff --git a/docs/infrastructure/infra-faq.md b/docs/infrastructure/infra-faq.md
@@ -1,4 +1,12 @@
-## Import into terraform state file
+# Infra FAQ
+
+- [Terraform](#terraform)
+- [Github action triggering Azure devops pipeline](#github-action-triggering-azure-devops-pipeline)
+- [Bicep errors](#bicep-errors)
+
+
+## Terraform
+### Import into terraform state file
 
 To import Azure resources into the Terraform state file, you can use the following command. If you're working on an AVD machine, you may need to set the environment variables:
 - `ARM_USE_AZUREAD` to use Azure AD instead of a shared key
@@ -13,7 +21,7 @@ export MSYS_NO_PATHCONV=true
 terraform -chdir=infrastructure/terraform import  -var-file ../environments/${ENV_CONFIG}/variables.tfvars module.infra[0].module.postgres_subnet.azurerm_subnet.subnet  /subscriptions/xxx/resourceGroups/rg-manbrs-review-uks/providers/Microsoft.Network/virtualNetworks/vnet-review-uks-manbrs/subnets/snet-postgres
 ```
 
-## Error: Failed to load state
+### Error: Failed to load state
 This happens when running terraform commands accessing the state file like [import](#import-into-terraform-state-file), `state list` or `force-unlock`.
 ```
 Failed to load state: blobs.Client#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="KeyBasedAuthenticationNotPermitted" Message="Key based authentication is not permitted on this storage account.
@@ -24,3 +32,105 @@ By default terraform tries using a shared key, which is not allowed. To force us
 ```shell
 ARM_USE_AZUREAD=true terraform force-unlock xxx-yyy
 ```
+
+## Github action triggering Azure devops pipeline
+### Application with identifier '***' was not found in the directory
+Example:
+```
+Running Azure CLI Login.
+...
+Attempting Azure CLI login by using OIDC...
+Error: AADSTS700016: Application with identifier '***' was not found in the directory 'NHS Strategic Tenant'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: xxx Correlation ID: xxx Timestamp: xxx
+
+Error: Interactive authentication is needed. Please run:
+az login
+```
+The managed identity does not exist or Github secrets are not set correctly
+
+### The client '***' has no configured federated identity credentials
+Example:
+```
+Running Azure CLI Login.
+...
+Attempting Azure CLI login by using OIDC...
+Error: AADSTS70025: The client '***'(mi-manbrs-ado-review-temp) has no configured federated identity credentials. Trace ID: xxx Correlation ID: xxx Timestamp: xxx
+
+Error: Interactive authentication is needed. Please run:
+az login
+```
+Federated credentials are not configured.
+
+### No subscriptions found for ***
+Example:
+```
+Running Azure CLI Login.
+...
+Attempting Azure CLI login by using OIDC...
+Error: No subscriptions found for ***.
+```
+Give the managed identity Reader role on a subscription (normally Devops)
+
+### Pipeline permissions
+Examples:
+```
+ERROR: TF401444: Please sign-in at least once as ***\***\xxx in a web browser to enable access to the service.
+Error: Process completed with exit code 1.
+```
+Or
+```
+ERROR: TF400813: The user 'xxx' is not authorized to access this resource.
+Error: Process completed with exit code 1.
+```
+Or
+```
+ERROR: VS800075: The project with id 'vstfs:///Classification/TeamProject/' does not exist, or you do not have permission to access it.
+Error: Process completed with exit code 1.
+```
+The Github secret must reflect the right managed identity, the managed identity must have the following permissions on the pipeline, via its ADO group:
+- Edit queue build configuration
+- Queue builds
+- View build pipeline
+
+The ADO group must have the "View project-level information" permission.
+
+### The service connection does not exist
+Example:
+```
+The pipeline is not valid. Job DeployApp: Step input azureSubscription references service connection manbrs-review which could not be found. The service connection does not exist, has been disabled or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz. Job DeployApp: Step input azureSubscription references service connection manbrs-review which could not be found. The service connection does not exist, has been disabled or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz.
+```
+The Azure service connection manbrs-[environment] is missing
+
+## Bicep errors
+### RoleAssignmentUpdateNotPermitted
+Example:
+```
+ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/xxx/providers/Microsoft.Resources/deployments/main","message":"At least one reson failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"RoleAssignmentUpdateNotPermitted","message":"Tenprincipal ID, and scope are not allowed to be updated."},{"code":"RoleAssignmentUpdateNotPermitted","message":"Tenant ID, application ID, principal ID, and scope are not allowed to be updated."},{"cteNotPermitted","message":"Tenant ID, application ID, principal ID, and scope are not allowed to be updated."}]}}
+```
+When deleting a MI, its role assignment is not deleted. When recreating the MI, bicep tries to update the role assignment and is not allowed to. Solution:
+- Find the role assignment id. Here: abcd-123
+- Navigate to subscriptions and resource group IAM and search for the role assignment id
+- Delete the role assignment via the portal
+
+If you can't find the right scope, follow this process:
+- Find the role assignment id. Here: abcd-123
+```
+ ~ Microsoft.Authorization/roleAssignments/abcd-123 [2022-04-01]
+    ~ properties.principalId: "xxx" => "[reference('/subscriptions/xxx/resourceGroups/rg-mi-review-uks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-manbrs-ado-review-uks', '2024-11-30').principalId]"
+```
+- Get the subscription id
+- List role assignments: `az role assignment list --scope "/subscriptions/[subscription id]"`
+- Look for the role assignment id abcd-123 to retrieve the other details. It may named: Unknown.
+- Delete the role assignment via the portal
+
+### PrincipalNotFound
+Example:
+```
+ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/exxx/providers/Microsoft.Resources/deployments/main","message":"At least one reson failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"PrincipalNotFound","message":"Principal xxx does not exist in the directory xxx. Check that you have the correct principal ID. If you are creating this principal and then immediately assigning a role, this era replication delay. In this case, set the role assignment principalType property to a value, such as ServicePrincipal, User, or Group.  See https://aka.ms/docs-principaltype"}...
+```
+Race condition: the managed identity is not created in time for the resources that depend on it. Solution: rerun the command.
+
+### The client does not have permission
+```
+{"code": "InvalidTemplateDeployment", "message": "Deployment failed with multiple errors: 'Authorization failed for template resource 'xxx' of type 'Microsoft.Authorization/roleAssignments'. The client 'xxx' with object id 'xxx' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/xxx/providers/Microsoft.Authorization/roleAssignments/xxx'...
+```
+Request Owner role on subscriptions via PIM.
