From c8fc3731b5a762ccbc91c00ee01fcccadad4d87d Mon Sep 17 00:00:00 2001 From: Alkesh Vaghmaria Date: Thu, 21 Nov 2024 14:57:41 +0000 Subject: [PATCH 1/4] connecting to azure doc --- docs/connecting-to-azure.md | 77 +++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 docs/connecting-to-azure.md diff --git a/docs/connecting-to-azure.md b/docs/connecting-to-azure.md new file mode 100644 index 0000000000..47ef8a414a --- /dev/null +++ b/docs/connecting-to-azure.md 
@@ -0,0 +1,77 @@ +# Connect to an instance running in Azure + +This Rails app runs on the +[Teacher Services Cloud](https://github.com/DFE-Digital/teacher-services-cloud) +Kubernetes infrastructure in Azure. + +Follow these instructions to [run a Rake task](#run-a-rake-task) or +[open a Rails console](#open-a-rails-console). + +## 1. Authenticate to the Kubernetes cluster + +You'll need to configure your command line console so it can connect to the +Kubernetes cluster. Your authenticated state should persist for several days, +but you may need to re-authenticate every once in a while. + +1. Login to the [Microsoft Azure portal](https://portal.azure.com) + + > Use your `@digitalauth.education.gov.uk` account. + > + > Make sure it says "DfE Platform Identity" in the top right corner of the + > screen below your name. If not, click the settings/cog icon and choose it + > from the list of directories. + +2. Open a console. Navigate to the `npq-registration` repo + directory and run: + + ```shell + az login + ``` + + You'll be asked to select development, test or production. + +3. Install kubetctl: + + ```shell + brew install Azure/kubelogin/kubelogin + ``` + +> Accessing production deployments requires a +> [PIM (Privileged Identity Management) request](#privileged-identity-management-requests). 
+ +### Run a Rake task + +To get shell access on a review app for a given PR_NUMBER, run the following: + +```shell +make review aks-ssh PULL_REQUEST_NUMBER=[PR_NUMBER] +``` +From there, the rake task can be run + +To get shell access on production, run: + +```shell +make ci production aks-ssh +``` + +### Open a Rails console + +To get a rails console on a review app for a given PR_NUMBER, run the following: + +```shell +make review aks-console PULL_REQUEST_NUMBER=[PR_NUMBER] +``` + +To get a rails console on production, run the following: + +```shell +make ci production aks-console +``` + +### Environments + +There are other environments apart from review apps and production, documented in [Environments](environments.md). + +## Useful links + +- [Teacher Services Cloud developer documentation](https://github.com/DFE-Digital/teacher-services-cloud/blob/main/documentation/developer-onboarding.md) From 046aa97dfe8874832f563a44d66c25a8b5f9fad9 Mon Sep 17 00:00:00 2001 From: Alkesh Vaghmaria Date: Mon, 25 Nov 2024 14:18:51 +0000 Subject: [PATCH 2/4] add PIM request section --- docs/connecting-to-azure.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/connecting-to-azure.md b/docs/connecting-to-azure.md index 47ef8a414a..504897d19e 100644 --- a/docs/connecting-to-azure.md +++ b/docs/connecting-to-azure.md 
@@ -68,6 +68,23 @@ To get a rails console on production, run the following: make ci production aks-console ``` +### Privileged Identity Management requests + +Accessing resources in the production environment requires elevated privileges. +We do this through Microsoft Entra Privileged Identity Management (PIM) request system. + +To make a PIM request: + +1. Visit + [this page](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/aadgroup). +2. Activate the 'Member' role for the `s189 CPD production PIM` group. +3. Give a reason for your request and submit. +4. The request must now be approved by another team member + +You can view all pending requests +[here](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ApproveRequestMenuBlade/~/aadmigratedroles). + + ### Environments There are other environments apart from review apps and production, documented in [Environments](environments.md). From c0b5af0475a995117a0380c6642ea0d03d12ed97 Mon Sep 17 00:00:00 2001 From: Alkesh Vaghmaria Date: Mon, 25 Nov 2024 14:42:07 +0000 Subject: [PATCH 3/4] mention review apps are part of test --- docs/connecting-to-azure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/connecting-to-azure.md b/docs/connecting-to-azure.md index 504897d19e..02907761af 100644 --- a/docs/connecting-to-azure.md +++ b/docs/connecting-to-azure.md @@ -28,7 +28,7 @@ but you may need to re-authenticate every once in a while. az login ``` - You'll be asked to select development, test or production. + You'll be asked to select development, test (used for review apps) or production. 3. Install kubetctl: From b66e9618adf7f175b6c8f0ec7b03f59d33064f54 Mon Sep 17 00:00:00 2001 From: Alkesh Vaghmaria Date: Thu, 19 Dec 2024 14:44:45 +0000 Subject: [PATCH 4/4] mention aks-download-tmp-file --- docs/connecting-to-azure.md | 9 +++++++++ 1 file changed, 9 insertions(+) 
diff --git a/docs/connecting-to-azure.md b/docs/connecting-to-azure.md index 02907761af..fb12a33927 100644 --- a/docs/connecting-to-azure.md +++ b/docs/connecting-to-azure.md @@ -68,6 +68,15 @@ To get a rails console on production, run the following: make ci production aks-console ``` +### Copy a file + +To copy a file from the `tmp` directory on a review app: +```shell +make review aks-download-tmp-file PULL_REQUEST_NUMBER=[PR_NUMBER] FILENAME=somefile.csv +``` + +The file ends up locally in a subdirectory matching the pod name. + ### Privileged Identity Management requests Accessing resources in the production environment requires elevated privileges.
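Review bot: In [PATCH 1/4], step 3 of the authentication list reads "Install kubetctl:" but the command under it is `brew install Azure/kubelogin/kubelogin`, so the step names a misspelled tool that is not the one being installed. Suggest "3. Install kubelogin:", with a separate step for kubectl if that is also required. In the same hunk, the PIM blockquote links to `#privileged-identity-management-requests`, an anchor this file does not contain until 2/4. The production commands `make ci production aks-ssh` and `make ci production aks-console` should restate the PIM prerequisite beside them, because the intro links take readers straight to those sections and past the blockquote. Smaller points: "From there, the rake task can be run" sits directly against the closing fence with no blank line and no full stop, and "## 1. Authenticate to the Kubernetes cluster" is the only numbered heading, which leaves the later `###` sections nested under authentication.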
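Review bot: In [PATCH 2/4], the activation link in step 1 targets `ActivationMenuBlade/~/aadgroup` while the pending-requests link at the end of the section targets `ApproveRequestMenuBlade/~/aadmigratedroles`. Step 2 activates membership of a group, so please confirm the approval view linked here actually lists group activations; otherwise step 4 sends the approver to a page where the request does not appear. The link texts "this page" and "here" should describe their destination (for example "the PIM group activation page" and "pending approval requests"). Wording: "We do this through Microsoft Entra Privileged Identity Management (PIM) request system" is missing "the", step 4 has no full stop, and the hunk leaves two blank lines before "### Environments".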
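Review bot: In [PATCH 4/4], the new "Copy a file" section says "The file ends up locally in a subdirectory matching the pod name" without saying which directory that subdirectory is created in. Since the commands are run from the repo directory, state the location and whether it is ignored by git, so a downloaded file such as the `somefile.csv` in the example cannot be committed by accident. The section documents only the review-app form, `make review aks-download-tmp-file ...`; if the target also works for other environments, say so, and if it works on production, repeat the PIM prerequisite here. Formatting: the opening fence follows "To copy a file from the `tmp` directory on a review app:" with no blank line, unlike the other sections in this file.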