Ppha-417: Create infra as code for hub resources

This will include the terraform root module that will deploy an Azure Virtual Desktop (AVD)

An ADO pipeline to deploy the hub terraform

Frontdoor

log analytics workspace

DNS

Firewall

Subnets

Author: mrlockstar

.azuredevops/pipelines/deploy.yml

@@ -0,0 +1,77 @@
+trigger: none
+pr: none
+
+parameters:
+  - name: commitSHA
+    displayName: Commit SHA
+    type: string
+  - name: environment
+    displayName: Environment
+    type: string
+  - name: prNumber
+    displayName: Pull request number
+    type: string
+    default: ''
+  - name: pool
+    displayName: ADO management pool
+    type: string
+
+stages:
+  - stage: ${{ parameters.environment }}
+    displayName: Deploy to ${{ parameters.environment }} environment
+    pool:
+      name: ${{ parameters.pool }}
+    lockBehavior: sequential
+    isSkippable: false
+
+    jobs:
+      - deployment: DeployApp
+        displayName: Deploy application
+        environment: ${{ parameters.environment }}
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+
+                - task: UsePythonVersion@0
+                  inputs:
+                    versionSpec: '3.x'
+                    architecture: 'x64'
+
+                - task: TerraformInstaller@1
+                  displayName: Install terraform
+                  inputs:
+                    terraformVersion: 1.7.0
+
+                - task: AzureCLI@2
+                  displayName: Run terraform
+                  inputs:
+                    azureSubscription: lung-${{ parameters.environment }}
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    addSpnToEnvironment: true
+                    inlineScript: |
+                      export ARM_TENANT_ID="$tenantId"
+                      export ARM_CLIENT_ID="$servicePrincipalId"
+                      export ARM_OIDC_TOKEN="$idToken"
+                      export ARM_USE_OIDC=true
+                      make ci ${{ parameters.environment }} terraform-apply DOCKER_IMAGE_TAG=git-sha-${{ parameters.commitSHA }} PR_NUMBER=${{ parameters.prNumber }}
+
+                # - task: AzureCLI@2
+                #   displayName: Run database setup
+                #   inputs:
+                #     azureSubscription: lungcs-${{ parameters.environment }}
+                #     scriptType: bash
+                #     scriptLocation: inlineScript
+                #     addSpnToEnvironment: true
+                #     inlineScript: make ci ${{ parameters.environment }} db-setup PR_NUMBER=${{ parameters.prNumber }}
+
+                # - task: AzureCLI@2
+                #   displayName: Run notifications smoke test
+                #   inputs:
+                #     azureSubscription: lungcs-${{ parameters.environment }}
+                #     scriptType: bash
+                #     scriptLocation: inlineScript
+                #     addSpnToEnvironment: true
+                #     inlineScript: make ci ${{ parameters.environment }} notifications-smoke-test PR_NUMBER=${{ parameters.prNumber }}

.azuredevops/pipelines/hub-infrastructure-dev.yaml

@@ -0,0 +1,57 @@
+---
+name: $(Build.SourceBranchName)-$(Date:yyyyMMdd)_$(Rev:r)
+trigger: none
+pr: none
+
+pool:
+  name: private-pool-hub-nonlive-uks
+  # vmImage: ubuntu-latest
+
+resources:
+  repositories:
+    - repository: dtos-devops-templates
+      type: github
+      name: NHSDigital/dtos-devops-templates
+      ref: PPHA-417-Create-infra-as-code-for-Hub-resources
+      endpoint: NHSDigital
+
+variables:
+  - group: NON_LIVE_hub_backend
+  - name: TF_DIRECTORY
+    value: $(System.DefaultWorkingDirectory)/lung_cancer_screening/infrastructure/terraform/hub
+  - name: TF_VERSION
+    value: 1.14.3
+  - name: TF_PLAN_ARTIFACT
+    value: tf_plan_hub_art_NONLIVE_dev
+  - name: ENVIRONMENT
+    value: nonlive-hub
+
+stages:
+  - stage: terraform_plan
+    displayName: Terraform Plan
+    condition: eq(variables['Build.Reason'], 'Manual')
+    variables:
+      tfVarsFile: ../../environments/$(ENVIRONMENT)/variables.tfvars
+    jobs:
+      - job: init_and_plan
+        displayName: Init, plan, store artifact
+        steps:
+          - checkout: self
+          - checkout: dtos-devops-templates
+          - template: .azuredevops/templates/steps/tf_plan.yaml@dtos-devops-templates
+
+  - stage: terraform_apply
+    displayName: Terraform Apply
+    dependsOn: [terraform_plan]
+    condition: and(eq(dependencies.terraform_plan.outputs['init_and_plan.TerraformPlan.changesPresent'], 'true'), eq(variables['Build.Reason'], 'Manual'))
+    jobs:
+      - deployment: terraform_apply
+        displayName: Init, get plan artifact, apply
+        environment: $(ENVIRONMENT)
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+                - checkout: dtos-devops-templates
+                - template: .azuredevops/templates/steps/tf_apply.yaml@dtos-devops-templates

.github/workflows/stage-1-commit.yaml

@@ -77,7 +77,7 @@ jobs:
           fetch-depth: 0 # Full history is needed to compare branches
       - name: "Check English usage"
         uses: ./.github/actions/check-english-usage
-  # Github actiuons dont have terrafomr installed at the moment
+  # GitHub actions dont have terraform installed at the moment
   # lint-terraform:
   #   name: "Lint Terraform"
   #   runs-on: ubuntu-latest

.gitleaksignore

@@ -29,8 +29,8 @@ infrastructure/bootstrap/main.bicep:generic-api-key:32
 infrastructure/bootstrap/modules/storage.bicep:generic-api-key:59
 infrastructure/bootstrap/modules/keyVault.bicep:generic-api-key:10
 infrastructure/bootstrap/modules/storage.bicep:generic-api-key:59
-infrastructure/terraform/hub/data.tf:generic-api-key:18
-infrastructure/terraform/hub/data.tf:generic-api-key:22
+infrastructure/terraform/hub/data.tf:generic-api-key:19
+infrastructure/terraform/hub/data.tf:generic-api-key:23
 infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:11
 infrastructure/terraform/resource_group_init/keyVault.bicep:generic-api-key:10
 infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:30

docs/infrastructure/bootstrap.md

@@ -0,0 +1,30 @@
+# Bootstrap environment deployment
+
+## Deploy the bootstrap environment
+
+Run the bootstrap deployment for the required hub environment:
+
+```bash
+make <hub-environment> bootstrap
+```
+
+Example
+
+```bash
+make hub-nonlive bootstrap
+```
+
+## Find the AVD SP object id (run as someone with AAD read access)
+
+```bash
+az ad sp show --id <principle id> --query id
+```
+
+## Then assign the role (run as Owner)
+
+```bash
+az role assignment create \
+  --assignee-object-id <AVD_SP_OBJECT_ID> \
+  --role "Desktop Virtualization Power On Contributor" \
+  --scope /subscriptions/<SUBSCRIPTION_ID>
+```

docs/infrastructure/create-environment.md

@@ -0,0 +1,108 @@
+# Create an environment
+
+This is the initial manual process to create a new environment like review, dev, production...
+
+## Hub
+
+The environment requires a shared Azure front door profile created in the hub. The service name must be declared in [the hub configuration](https://github.com/NHSDigital/dtos-hub/tree/main/infrastructure/environments). And run the Azure devops pipeline for the corresponding hub (non-live or live).
+
+## Image Gallery
+
+- create a new gallery in the Azure compute galleries with name nonlive_lungcs_compute_gallery
+- create a resource group with name rg_hub_nonlive_lungcs_compute_gallery
+
+## Code
+
+- Create the configuration files in `infrastructure/environments/[environment]`
+- Add the `[environment]:` target in `scripts/terraform/terraform.mk`
+- Add [environment] to the list of environments in `deploy-stage` step of `cicd-2-main-branch.yaml`. For the review environment, there is a single item in `cicd-1-pull-request.yaml`.
+- Set the `fetch_secrets_from_app_key_vault` terraform variable to `false`. This is to let terraform create the key vault and prevent reading before it is ready.
+
+## Entra ID
+
+- Create Entra ID groups in `Digital screening` Administrative Unit:
+  - `postgres_lungcs_[environment]_uks_admin`
+  - `screening_lungcs_[environment]`
+- Ask CCOE to assign role:
+  - [Form for PIM](https://nhsdigitallive.service-now.com/nhs_digital?id=sc_cat_item&sys_id=28f3ab4f1bf3ca1078ac4337b04bcb78&sysparm_category=114fced51bdae1502eee65b9bd4bcbdc)
+  - Approver: Add someone from the infrastructure team
+  - Role Name: `Group.Read.All`
+  - Application Name: `mi-lungcs-[environment]-adotoaz-uks`
+  - Application ID: [client.id] (would be of `mi-lungcs-[environment]-ghtoado-uks`)
+  - Managed identity: `mi-lungcs-[environment]-adotoaz-uks`
+  - Description: - Managed identity: `mi-lungcs-[environment]-adotoaz-uks` - Role: permanent on Directory
+
+## Bicep
+
+> [!IMPORTANT]
+> **Required permissions**: Owner role on both the hub and resource subscriptions
+
+- From AVD:
+  - Login with Microsoft Graph scope: `az login --scope https://graph.microsoft.com//.default -t HSCIC365.onmicrosoft.com`
+  - Run bicep: `make [environment] resource-group-init`
+
+## Infra secrets
+
+Add the infrastructure secrets to the _inf_ key vault `kv-lungcs-[environment]-inf`:
+
+- For entra ID authentication (when `enable_entra_id_authentication` is true): aad-client-audiences, aad-client-id, aad-client-secret
+- `monitoring-email-address`: email distribution list to receive alerts
+
+## Azure devops
+
+- Create ADO group
+  - Name: `Run pipeline - [environment]`
+  - Members: `mi-lungcs-[environment]-ghtoado-uks`. There may be more than 1 in the list. Check client id printed below the name.
+  - Permissions:
+    - View project-level information
+- Create new pipeline:
+  - Name: `Deploy to Azure - [environment]`
+  - Pipeline yaml: `.azuredevops/pipelines/deploy.yml`
+- Manage pipeline security:
+  - Add group: `Run pipeline - [environment]`
+  - Permissions:
+    - Edit queue build configuration
+    - Queue builds
+    - View build pipeline
+    - View builds
+- Create service connection (ADO)
+  - Connection type: `Azure Resource Manager`
+  - Identity type: `Managed identity`
+  - Subscription for managed identity: `Lung Cancer Risk Check - Non-live hub` or `Lung Cancer Risk Check - Live hub` for prod.
+  - Resource group for managed identity: `rg-mi-[environment]-uks`
+  - Managed identity: `mi-lungcs-[environment]-adotoaz-uks`
+  - Scope level: `Subscription`
+  - Subscription: `Digital Screening DToS - Core Services Dev`
+  - Resource group for Service connection: leave blank
+  - Service Connection Name: `lungcs-[environment]`
+  - Do NOT tick: Grant access permission to all pipelines
+  - Security: allow `Deploy to Azure - [environment]` pipeline
+- Create ADO environment: [environment]
+  - Set: exclusive lock (except for review)
+  - Add pipeline permission for `Deploy to Azure - [environment]` pipeline
+
+## GitHub
+
+- Create GitHub environment [environment]
+- Add the protection rule (except in review):
+  - Deselect `Allow administrators to bypass configured protection rules`
+  - In `Deployment branches and tags` choose `Selected branches and tags` from the drop-down menu
+  - Click `Add deployment branch or tag rule` and enter "main"
+- Add environment secrets, from `mi-lungcs-[environment]-ghtoado-uks` in GitHub
+  - _AZURE_CLIENT_ID_
+  - _AZURE_SUBSCRIPTION_ID_
+
+## First run
+
+- Test running terraform manually from the AVD (Optional)
+- Raise a pull request, review and merge to trigger the pipeline
+- Check ADO pipeline. You may be prompted to authorise:
+  - Pipeline: service connection
+  - Environment: service connection and agent pool
+
+## App secrets
+
+- Add the application secrets to the _app_ key vault `kv-lungcs-[environment]-app`
+- Set `fetch_secrets_from_app_key_vault` terraform variable to `true`
+- Test running terraform manually from the AVD (Optional)
+- Raise a pull request, review and merge to trigger the pipeline