
Implementing in Azure

Setup and implementation are performed using Terraform, Helm, and AWS. Terraform is used to manage and provision infrastructure for the application. Helm is used to deploy and configure the component services.

Requirements

The following should be installed on your system for setup:

For specific details on a component, review the links below.

Setup

Setup and provisioning via Terraform and Helm is currently being ported to a friendlier, guided setup experience. Anticipate this page being redesigned to accommodate these changes on / around late March, early April.

Setting up Terraform Service Account

An account with sufficient administrative permissions is required to provision Terraform infrastructure. As subscription-level resources are created / destroyed, this should typically be a service principal with write scope over the subscription. See https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal

Configuring GCP Service Account

For Artifact Registry, Prefect Terraform modules, and Helm charts, Prefect will provide a GCP Service Account as a .json file.

This can be configured and authenticated via:

export GOOGLE_APPLICATION_CREDENTIALS=~/sa.json
gcloud auth activate-service-account --key-file="${GOOGLE_APPLICATION_CREDENTIALS}"

Authenticating Azure Profile

Configure your azure-cli terminal session for the appropriate user.
This is typically done via one of the following:

  • az login # User Login
  • az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant> # Service Principal Login
  • az login --identity --username <client_id|object_id|resource_id> # Managed Identity Login

Alternatively, a .auto.tfvars file can be created in the Terraform directory, using service principal credentials. See an example below, and here for reference.

client_id="4ef-5e2ee25460a3"
client_secret="<removed>"
subscription_id="<removed>"
tenant_id="08713d6d5"

The user authenticated by this profile should have administrative permissions, including:

  • Create, Delete, Modify, Attach RBAC Roles
  • Create, Delete Resource Groups
  • Create, Delete, Attach VNets
  • Create, Delete, Attach Subnets
  • Create, Delete Azure Key Vault

Deploying

Running Terraform

Before running Terraform, ensure you have authenticated your Azure profile and your GCP service account. Once verified, ensure that the .auto.tfvars files for the Terraform modules have been provided and updated.
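Both the .auto.tfvars file (client_secret) and the GCP service account .json key hold long-lived credentials in plaintext. The pre-flight check below is an added example, not part of the project's tooling: the function names are hypothetical, and the checks it makes (owner-only file mode, not tracked by git, all four service principal settings present) are assumptions about what is worth verifying before Terraform runs.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the project's tooling.

# owner_only FILE: 0 if FILE is a regular file with no group/other permission bits.
owner_only() {
  [ -f "$1" ] || return 2
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# not_tracked FILE: 0 if FILE is not tracked by git (or git / a work tree is absent).
not_tracked() {
  command -v git >/dev/null 2>&1 || return 0
  nt_dir=$(dirname -- "$1")
  git -C "$nt_dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
  ! git -C "$nt_dir" ls-files --error-unmatch -- "$(basename -- "$1")" >/dev/null 2>&1
}

# has_sp_keys FILE: 0 if FILE assigns all four service principal settings shown on this page.
has_sp_keys() {
  for sp_key in client_id client_secret subscription_id tenant_id; do
    grep -Eq "^[[:space:]]*${sp_key}[[:space:]]*=" "$1" 2>/dev/null || return 1
  done
}

# preflight TFVARS GCP_KEY: print each finding; the exit status is the number of findings.
preflight() {
  pf_fails=0
  has_sp_keys "$1" || { echo "FAIL: $1 lacks a service principal setting"; pf_fails=$((pf_fails + 1)); }
  for pf_file in "$1" "$2"; do
    owner_only "$pf_file" || { echo "FAIL: $pf_file is missing or open to group/other (chmod 600)"; pf_fails=$((pf_fails + 1)); }
    not_tracked "$pf_file" || { echo "FAIL: $pf_file is tracked by git"; pf_fails=$((pf_fails + 1)); }
  done
  return "$pf_fails"
}

# Usage: preflight .auto.tfvars "$GOOGLE_APPLICATION_CREDENTIALS" && terraform plan
```

A symlinked credential file is reported as a finding, because the mode shown for the link itself is not owner-only.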

Setting Up Remote Terraform State

The Terraform state will be saved to a configured Azure storage account for future commands to modify / provision / de-provision infrastructure.

From the provided azure/infrastructure directory, build the required resources used to store the state file and lock file. Variables should be appropriately set in variables.tf or in .auto.tfvars, and the profile set in provider.tf.

terraform init
terraform plan
terraform apply -var-file="auto.tfvars"