Implementing in Azure¶
Setup and implementation are performed using Terraform, Helm, and AWS. Terraform is used to manage and provision infrastructure for the application. Helm is used to deploy and configure the component services.
Requirements¶
The following should be installed on your system for setup:
For specific details on a component, review the links below.
- Application Gateway
- AKS
- Azure Cache for Redis
- Azure Database for PostgreSQL
- Azure Keyvault
- Azure AD Users and Permissions
Setup¶
Setup and provisioning via Terraform and Helm are currently being ported to a friendlier, guided setup experience. Anticipate this page being redesigned to accommodate these changes around late March or early April.
Setting up Terraform Service Account¶
An account with sufficient administrative permissions is required to provision Terraform infrastructure. Because subscription-level resources are created and destroyed, this should typically be a service principal with write scope over the subscription. See https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal
Configuring GCP Service Account¶
For Artifact Registry, Prefect Terraform modules, and Helm charts, Prefect will provide a GCP Service Account as a .json file.
This can be configured and authenticated via:
export GOOGLE_APPLICATION_CREDENTIALS=~/sa.json
gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}
Authenticating Azure Profile¶
Configure your azure-cli terminal session for the appropriate user.
This is typically done via one of the following:
# User Login
az login
# Service Principal Login
az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
# Managed Identity Login
az login --identity --username <client_id|object_id|resource_id>
Alternatively, a .auto.tfvars file can be created in the Terraform directory, using service principal credentials.
See an example below, and here for reference.
client_id="4ef-5e2ee25460a3"
client_secret="<removed>"
subscription_id="<removed>"
tenant_id="08713d6d5"
The user authenticated by this profile should have administrative permissions, to include:
- Create, Delete, Modify, Attach RBAC Roles
- Create, Delete Resource Groups
- Create, Delete, Attach VNets
- Create, Delete, Attach Subnets
- Create, Delete Azure Keyvault
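A pre-flight check for the .auto.tfvars credentials file described above, as an added example that is not part of the original page or the project's code. It confirms that the four service principal variables are filled in, that the file is readable only by its owner, and that it is not tracked by git; the function name check_tfvars and the 600/400 permission policy are assumptions.

```shell
#!/bin/sh
# Added example (not project code): pre-flight check for the service principal
# credentials file before running Terraform. check_tfvars is a hypothetical helper.
# The body runs in a subshell "( ... )" so its variables stay local; the exit
# status is the number of problems found.
check_tfvars() (
  file="$1"
  problems=0
  [ -f "$file" ] || { echo "missing: $file"; exit 1; }

  # 1. Each of the four variables from the example must hold a real value.
  for key in client_id client_secret subscription_id tenant_id; do
    value=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*\$/\1/p" "$file" | head -n 1)
    case "$value" in
      ''|'<'*'>') echo "unset or placeholder: $key"; problems=$((problems + 1)) ;;
    esac
  done

  # 2. The file holds client_secret, so only the owner should be able to read it.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600|400) ;;
    *) echo "permissions are $mode, expected 600"; problems=$((problems + 1)) ;;
  esac

  # 3. The file must not be tracked by git (outside a repository this check passes).
  if git -C "$(dirname "$file")" ls-files --error-unmatch "$(basename "$file")" >/dev/null 2>&1; then
    echo "tracked by git: $file"; problems=$((problems + 1))
  fi

  exit "$problems"
)
```

Chaining it as check_tfvars .auto.tfvars && terraform plan means planning only starts once the file passes all three checks.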
Deploying¶
Running Terraform¶
Before running Terraform, ensure you have authenticated your Azure profile and your GCP service account.
Once verified, ensure that .auto.tfvars for the Terraform modules has been provided and updated.
Setting Up Remote Terraform State¶
The Terraform state will be saved to a configured Azure storage account for future commands to modify / provision / de-provision infrastructure.
From the provided azure/infrastructure directory, build the required resources used to store the state file and lock file.
Variables should be appropriately set in variables.tf or in .auto.tfvars, and profile set in provider.tf.
terraform init
terraform plan
terraform apply -var-file="auto.tfvars"