|
1 | 1 | # Getting Started |
2 | 2 |
|
3 | | -This page outlines how to deploy SUS. |
| 3 | +[Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview?tabs=bicep) is the IaC format used by the SUS project. The bicep template `urlShortener.bicep` is found in the `./infrastructureTemplates` folder. To deploy the template, you will need the [Entra ID Cloud Application Administrator](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator) role or higher. |
4 | 4 |
|
5 | 5 | ## Steps |
6 | 6 |
|
7 | | -Coming soon! |
| 7 | +How to deploy bicep templates: <https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-powershell> |
| 8 | + |
| 9 | +If you want to set this up on-prem or in a different environment, please refer to the configurations in the bicep template for infra specific configurations. If you wish to not authenticate with a managed identity, please see here for alternate authentication configurations: <https://www.npmjs.com/package/@azure/identity#environment-variables> |
| 10 | + |
| 11 | +## Deployment Steps |
| 12 | + |
| 13 | +1. Navigate to `infrastructureTemplates` folder in the terminal. It is found in the root of the `URL-Shortener` repository. |
| 14 | + |
| 15 | +2. Issue the bicep build command: `bicep build .\urlShortener.bicep` |
| 16 | + |
| 17 | + !!! info "Azure Bicep Support" |
| 18 | + Whenever you issue the bicep build command against the bicep template it will compile it into an ARM template which is the language that Azure speaks. Azure does not support bicep natively. |
| 19 | + |
| 20 | +3. Ensure that you are logged into your Azure tenant and select the correct Azure Subscription. |
| 21 | +4. Make a new Azure resource group with the naming and location convention through the CLI: |
| 22 | + |
| 23 | + ```PowerShell |
| 24 | + New-AzResourceGroup -Name 'Host' -Location 'EastUs2' |
| 25 | + ``` |
| 26 | +
|
| 27 | + Note: Resource group has to be created before deployment. |
| 28 | +
|
| 29 | +5. Make a new Azure resource group deployment: |
| 30 | +
|
| 31 | + ```PowerShell |
| 32 | + New-AzResourceGroupDeployment -ResourceGroupName 'Host' -TemplateFile '.\urlShortener.json' |
| 33 | + ``` |
| 34 | +
|
| 35 | + It is pointed to the resource group name that was just created as well as the ARM resource that was just created. This will begin the deployment process. |
| 36 | +
|
| 37 | +6. Head over to your Azure portal at `https://portal.azure.com` and browse to Subscriptions -> `your subscription` -> Resource Groups -> `your resource group` -> Deployments. This will replicate your Deployment |
| 38 | +
|
| 39 | +7. The bicep template also creates an `SHI - URL Shortener` service principal to facilitate SSO. This is located at `https://entra.microsoft.com` be under `App Registrations` on the blade menu (left-most navigation menu). |
| 40 | +
|
| 41 | +8. Navigate to API Permissions inside the app that was registered and grant admin consent for your tenant. Once you admin consent, the end user is able to log in without needing to consent to permissions or reach out to an admin. |
| 42 | +
|
| 43 | + !!! note |
| 44 | + There are two parts of SUS where it is granted Graph API permissions. The App Registration and the web app's managed identity. After the web app is created, it updates the app registration with the login redirect URL which is mandatory for public client authentication where we don't need to have a secret ahead of time. This allows for perfect forward secrecy. You can view the single-page application Redirect URIs under App Registration > the app that was created > Manage > Authentication. |
| 45 | +
|
| 46 | +9. Now that the `SHI - URL Shortener` app is created - access must be granted to a user to be able to use the application. Inside the app that was registered go to Overview > Managed application in local directory and click the link. For the break glass users, add the intended user/group and Select a role > "Read and Write Everything" (`Everything.ReadWrite.All`) and assign it. Remove the Default Access role that is assigned. |
| 47 | +
|
| 48 | + !!! note |
| 49 | + If you do want access restricted, go to the End User Login > Manage > Properties and toggle "Assignment Required?" to Yes. For non-privileged access, you can grant the "General Access" (`Nothing.At.All`) role to the principals that are expected to operate it in a restricted context. |
| 50 | +
|
| 51 | +10. Return to your terminal and create a production build of the server: |
| 52 | +
|
| 53 | + ```PowerShell title="CWD: Project Root" |
| 54 | + npm install |
| 55 | + npm run build:Prod |
| 56 | + npm install --omit=dev |
| 57 | + Remove-Item -Path '.\bin\test\' -Force -Recurse |
| 58 | + ``` |
| 59 | +
|
| 60 | +11. Using the file archiver of your choice, such as *Windows File Explorer* or *7-Zip*, select the `bin` folder, `node_modules` folder, and the `package.json` file, and create a `.zip` package with them at the root. |
| 61 | +
|
| 62 | + !!! info "File/Folder Descriptions" |
| 63 | + - The `bin` folder contains all of the URL Shortener's business logic (the compiled app code). |
| 64 | + - The `node_modules` folder contains all of the runtime dependencies. |
| 65 | + - The `package.json` file contains the package manifest, which is used to launch the application. |
| 66 | +
|
| 67 | +12. Once the packaging is complete, you can now run the upload command which is: |
| 68 | +
|
| 69 | + ```PowerShell |
| 70 | + Publish-AzWebApp -ArchivePath '<full/path/to/zip/package>.zip' -ResourceGroupName 'Host' -Name '<name of webapp>' -Restart -Clean -Async |
| 71 | + ``` |
| 72 | +
|
| 73 | + Enter `Y` to Confirm |
| 74 | +
|
| 75 | + !!! note |
| 76 | + The name of the Web App may be a random string of numbers and letters which can be observed under Deployment details as its being deployed. The type that the resource is associated with should match to `Microsoft.Web/sites`. |
| 77 | +
|
| 78 | + !!! tip |
| 79 | + The default domain may prove to be an inconvenience and you may want to add a custom domain. This will be under Web App -> Settings > Custom domains. This is operating under the assumption that you are using a valid domain that you own. This allows the vHost to be able to process the HTTP traffic. After the domain is added, it will need to be added to the SUS UI to process the domain. |
| 80 | +
|
| 81 | +13. Next, you are going to set up the database schema. In the azure portal, navigate to the resource group > Overview and select the resource that coincides with the Type `SQL database`. Click on *Set Server Firewall* then under Public access choose Selected networks and under Firewall Rules and `Add your client IPv4 address` to create a rule to allow access to your personal IP address. |
| 82 | +
|
| 83 | +14. From here, you need to run the Migration command. Run `npm install` to get all your dependencies back since the migration script is technically a developer dependency. Next set an environment variable. This can be done by left clicking on Microsoft PowerToys and selecting Environment Variables, Underneath Default variables > User click on `Add variable`. |
| 84 | +
|
| 85 | + **Variable:** |
| 86 | +
|
| 87 | + Name: |
| 88 | +
|
| 89 | + ```text |
| 90 | + SUS_DB_Host |
| 91 | + ``` |
| 92 | +
|
| 93 | + Value: |
| 94 | +
|
| 95 | + ```text |
| 96 | + Value of the server name SQL database. This should end in .database.windows.net |
| 97 | + ``` |
| 98 | +
|
| 99 | +15. Next, retrieve a short-lived token Azure access token for the Azure SQL DB to put as a temp environment variable: |
| 100 | +
|
| 101 | + ```PowerShell |
| 102 | + [Microsoft.Azure.Commands.Profile.Models.PSSecureAccessToken]$DbToken = Get-AzAccessToken -ResourceUrl 'https://database.windows.net/' |
| 103 | + ``` |
| 104 | +
|
| 105 | + to retrieve the DB access token. You can confirm that it is associated by typing `$DbToken` into the terminal and you will see the associated Token. Convert this from secure string to a usable text format. |
| 106 | +
|
| 107 | + ```PowerShell |
| 108 | + $DbToken.Token | ConvertFrom-SecureString -AsPlainText |
| 109 | + ``` |
| 110 | +
|
| 111 | + Copy out the entire string and make it part of the environment variable `DB_ACCESS_TOKEN`, using a similar process to step 14. Relaunch your terminal (if using the IDE's terminal, you will need to relaunch the IDE) so that teh host process gets an updated list of the environment variables. Env vars are only injected into the process image at time of launch by the OS kernel. |
| 112 | +
|
| 113 | +16. In the terminal, run: |
| 114 | +
|
| 115 | + ```PowerShell |
| 116 | + npm run migrate:Up:Db:Prod |
| 117 | + ``` |
| 118 | +
|
| 119 | + Now the schema is in place and you can remove the environment variables. |
| 120 | +
|
| 121 | +17. In the azure portal in the Azure SQL Server, underneath Settings and Microsoft Entra ID, take the name of the application and search it and save it so that the application is an Entra Admin of the database. Disable the public network access and remove the firewall rule. |
| 122 | +
|
| 123 | + !!! note |
| 124 | + The intended way for this to be deployed is through a CI/CD process via GitHub Actions. |
| 125 | +
|
| 126 | +## See Also |
| 127 | +
|
| 128 | +- [Usage Guide](./Usage-Guide.md) |
0 commit comments