
Making infrastructure changes via Terraform

The DDRC app is deployed into a Microsoft Azure account provided by the California Department of Technology (CDT)’s Office of Enterprise Technology (OET) team. Your first step is therefore to request access from OET to two directories: the CDT Digital CA directory, which gets you into the Azure portal, and the CalEnterprise directory, which gets you into Azure DevOps. You can refer to Azure’s documentation for switching directories.

Setup for local development

  1. Get access to the Azure account through the DevSecOps team.

    Secured Azure resources

    To run Terraform from your local machine, you must first allow your own public IP address through the firewalls on the secured Azure resources. Both the Azure Storage Account where the Terraform state is stored and the Azure Key Vaults deny access by default, so Terraform cannot read its state or any secrets until your address is on their allow lists. Follow these steps to add your current public IP address to each firewall.

    Azure Storage Account

    1. In the Azure Portal, navigate to the production Storage Account
    2. From the left-hand menu, select Security+Networking, then click on Networking
    3. Under Resource settings: Virtual networks, IP addresses, and exceptions, click on Manage and add your IP address to the IPv4 Addresses list

    Azure Key Vault

    1. In the Azure Portal, navigate to the Key Vault
    2. From the left-hand menu, select Settings, then click on Networking
    3. Under Firewall, add your IP address to the IP address or CIDR list

    Note that the DevOps deploy pipeline does the same thing for itself: it looks up the public IP address of its agent and adds that address to these firewall rules before running Terraform.

  2. Install dependencies:

  3. Authenticate using the Azure CLI.

    az login
    
  4. Outside the dev container, navigate to the terraform/ directory.

  5. Initialize Terraform. You can also use this script later to switch between environments.

    ./init.sh <env>
    
  6. Create a local terraform.tfvars file (ignored by git) from the sample; fill in the *_OBJECT_ID variables with values from the Azure Pipeline definition.

Development process

When configuration changes to infrastructure resources are needed, they should be made to the resource definitions in Terraform and submitted via pull request.

  1. Make changes to Terraform files.
  2. Preview the changes, as necessary.

    terraform plan
    
  3. Submit the changes via pull request.

Azure tags

For Azure resources, you need to ignore changes to tags, since they are created automatically by an Azure Policy managed by CDT. Without this, every terraform plan would report the policy-added tags as drift and try to remove them.

lifecycle {
    ignore_changes = [tags]
}
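The following is an added example, not the DDRC project's own Terraform, that ties together the two points above: it defines a Storage Account and a Key Vault whose firewalls deny everything except the addresses in an allow list (the same rules you add through the portal for your own IP), and it uses the lifecycle block so that the CDT policy tags are left alone. The variable `allowed_ips`, the resource names, the resource group and the location are assumptions for illustration.

```hcl
# Added example (assumed names and values throughout; not the project's code).
# Public IPv4 addresses or CIDR ranges allowed through the firewalls: your
# workstation while running Terraform locally, and the pipeline agent's address.
variable "allowed_ips" {
  description = "Public IPs/CIDRs allowed to reach the state storage account and key vault"
  type        = list(string)
  default     = []
}

# Needed for the tenant_id on the key vault.
data "azurerm_client_config" "current" {}

# Storage account holding the Terraform state. default_action = "Deny" blocks
# all public access; only ip_rules and trusted Azure services get through.
resource "azurerm_storage_account" "tfstate" {
  name                     = "exampletfstate"   # assumed; must be globally unique
  resource_group_name      = "example-rg"       # assumed
  location                 = "westus"           # assumed
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
    ip_rules       = var.allowed_ips
  }

  # Tags are written by the CDT Azure Policy, so do not manage them here.
  lifecycle {
    ignore_changes = [tags]
  }
}

# Key Vault with the equivalent firewall. Key Vault calls the block
# network_acls rather than network_rules, but the shape is the same.
resource "azurerm_key_vault" "example" {
  name                = "example-kv"            # assumed
  resource_group_name = "example-rg"            # assumed
  location            = "westus"                # assumed
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = var.allowed_ips
  }

  lifecycle {
    ignore_changes = [tags]
  }
}
```

Set `allowed_ips` in your local terraform.tfvars (for example `allowed_ips = ["203.0.113.10"]`, a documentation address standing in for your real one). Keep in mind that the state storage account's firewall is what lets Terraform read its own state: if you apply a change that drops your address from `allowed_ips`, the next plan fails at the backend step, and you will have to re-add your IP through the portal as described above.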

Azure environment setup

These steps were followed when setting up our Azure deployment for the first time:

This is not a complete step-by-step guide; more a list of things to remember.