Welcome to the Azure Sandbox Infrastructure Deployment phase. Here you will use GitHub Actions and Terraform to provision the set of assets needed for the deployment. Every asset created should have the NFCC-POC : true tag applied. The approximate time expected to complete these tasks is 30 minutes.
The GitHub Personal Access Token is used to populate the GitHub Secrets section with Secrets used for both Sandbox Infrastructure and Bot Deployment:
Select the User icon and then Settings from the GitHub nav bar.
Select Developer settings from the left column nav bar.
Select Personal access tokens from the left column nav bar.
Select Generate new token on the right-hand side.
Enter “Azure Sandbox and Function Deployment” for the Note name, and select the top/first repo scope option.
Scroll down and then select Generate new token.
Copy (clipboard icon) the GitHub Personal Access Token value and keep it at hand, because it cannot be retrieved later.
Upload PowerShell Bootstrap Script into Azure Cloud Shell
Before you proceed, if your Engagement Lead did not yet provide a copy of the nfcc_azure_bootstrap.ps1 script file, please access the file in the NFCC azure-deployment repository, view the raw data and save it as “nfcc_azure_bootstrap.ps1.”
Access your Azure Cloud Shell by clicking on the Cloud Shell icon in the top menu bar.
If this is the first time using the shell, you will need to Create Storage.
If prompted, select PowerShell as the environment.
Select the Upload/Download Files button.
Select the Upload button and upload the "nfcc_azure_bootstrap.ps1" file.
Run the Bootstrap Script in Azure Cloud Shell
From the command line, run the following command.
Enter the customer friendly name provided in your WIQ task ticket.
Enter customer name provided by Neverfail:
Enter increment number 1.
Enter customer increment provided by Neverfail (Default is 1):
Enter your valid GitHub token. This is the token created above.
Enter a valid Github token:
You will be shown a list of subscriptions to choose from. Enter the index number of the subscription to use. The script will then create the administrative assets and GitHub Secrets required to proceed.
5. Trigger the GitHub Actions Workflow
To start the deployment process using GitHub Actions, follow the instructions below.
Navigate to your /azure-deployment repository and click on Settings then Secrets, and confirm you see this set of entries.
Click on the < > Code tab, then navigate to:
Azure deployment > terraform file
Click Add file, then Create new file.
Enter “apply” for the file extension name, then scroll down.
Select Commit new file.
Monitor the “Create Apply” Action on the Actions tab in your GitHub repository to view the deployment tasks. Once it completes, proceed to the manual tasks below.
We have tried to capture and handle all possible scenarios during the infrastructure deployment, but due to the complexity of the operation, it is possible that something can go wrong. If you receive an error during the Terraform job, let the job complete, then re-run it by clicking the Re-run jobs button on the top right. If you still have problems, feel free to reach out to your engagement lead for assistance.
Terraform will run for the next 12-15 minutes; take a moment to reflect on what's happening here.
Terraform is building out the following assets in your Azure infrastructure:
Production Resource Group
Regulatory Resource Group
Evidence Resource Group
Production Storage Policy
Regulatory Storage Account
Evidence Storage Account
Immutable Storage Account
Linux Test VM
Storage Key Vault
Active Directory Standalone Server
Active Directory Server Important Notes
The infrastructure deployment includes a VM running Active Directory services, to support a particular Control Test. Please note these important details about this VM:
This VM is on the public internet. It has TCP port 636 open to support the LDAP over SSL (LDAPS) connectivity required for the AD user password policy Control Test. It also has TCP port 64321 open for RDP access (a non-default port).
If you want to RDP to the server to modify user properties, connect to its public IP address on port 64321.
The localhost\administrator password for this server was provided during the interactive script execution. It is also available in your Azure Cloud Shell directory in the file “github_secrets.txt”.
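The two open ports listed above are worth confirming against the network security group actually attached to the server once Terraform has finished. The following PowerShell is an added example written for this page; it is not part of the NFCC azure-deployment repository or the bootstrap script. It runs in Azure Cloud Shell with the Az module and, for every VM tagged NFCC-POC=true, lists each inbound Allow rule (on the NIC or on its subnet) whose source is the whole internet, marking which destination ports are the documented ones (TCP 636 and TCP 64321). The tag filter, the resource ID parsing and the treatment of `*`, `Internet`, `0.0.0.0/0` and `::/0` as internet-wide sources are assumptions of the example.

```powershell
# Added example (not from the NFCC azure-deployment repository).
# Assumes: Az module in Azure Cloud Shell, current context = the subscription
# chosen during bootstrap, VMs tagged NFCC-POC=true by Terraform.

$documentedPorts  = @('636', '64321')                    # from the AD server notes above
$internetSources  = @('*', 'Internet', '0.0.0.0/0', '::/0')   # assumption: treated as "whole internet"

function Get-ResourceNameParts([string]$Id) {
    # Resource IDs look like /subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>[/subnets/<subnet>]
    $p = $Id -split '/'
    [pscustomobject]@{ ResourceGroup = $p[4]; Name = $p[8]; Child = $p[10] }
}

function Test-InternetAllowRule($rule) {
    # Az models may expose the prefix as a single value or a list; merge both shapes
    $sources = @($rule.SourceAddressPrefix) + @($rule.SourceAddressPrefixes) | Where-Object { $_ }
    ($rule.Direction -eq 'Inbound') -and ($rule.Access -eq 'Allow') -and
        [bool]($sources | Where-Object { $internetSources -contains $_ })
}

$report = @()
$vms = Get-AzVM | Where-Object { $_.Tags -and $_.Tags['NFCC-POC'] -eq 'true' }

foreach ($vm in $vms) {
    $nsgIds = @(); $publicIps = @()
    foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
        $nic = Get-AzNetworkInterface -ResourceId $nicRef.Id
        if ($nic.NetworkSecurityGroup) { $nsgIds += $nic.NetworkSecurityGroup.Id }
        foreach ($cfg in $nic.IpConfigurations) {
            if ($cfg.PublicIpAddress) {
                $pip = Get-ResourceNameParts $cfg.PublicIpAddress.Id
                $publicIps += (Get-AzPublicIpAddress -ResourceGroupName $pip.ResourceGroup -Name $pip.Name).IpAddress
            }
            if ($cfg.Subnet) {
                # A subnet-level NSG filters the VM's traffic as well as a NIC-level one
                $sn = Get-ResourceNameParts $cfg.Subnet.Id
                $vnet = Get-AzVirtualNetwork -ResourceGroupName $sn.ResourceGroup -Name $sn.Name
                $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $sn.Child
                if ($subnet.NetworkSecurityGroup) { $nsgIds += $subnet.NetworkSecurityGroup.Id }
            }
        }
    }
    Write-Host "VM $($vm.Name) public IP(s): $($publicIps -join ', ')"

    foreach ($nsgId in ($nsgIds | Select-Object -Unique)) {
        $n = Get-ResourceNameParts $nsgId
        $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $n.ResourceGroup -Name $n.Name
        foreach ($rule in ($nsg.SecurityRules | Where-Object { Test-InternetAllowRule $_ })) {
            $ports = @($rule.DestinationPortRange) + @($rule.DestinationPortRanges) | Where-Object { $_ }
            $report += [pscustomobject]@{
                VM         = $vm.Name
                NSG        = $nsg.Name
                Rule       = $rule.Name
                Priority   = $rule.Priority
                Protocol   = $rule.Protocol
                Ports      = ($ports -join ',')
                Documented = (($ports | Where-Object { $documentedPorts -contains $_ }) -join ',')
                Other      = (($ports | Where-Object { $documentedPorts -notcontains $_ }) -join ',')
            }
        }
    }
}

$report | Format-Table -AutoSize
```

Rules whose `Other` column is non-empty (including a port range of `*`) expose something the notes above do not document and deserve a second look; for the documented ports, the `SourceAddressPrefix` on the rule is where a narrower range than the whole internet would be applied if the Control Test allows it. Only custom rules are inspected; the built-in default rules live in `DefaultSecurityRules` and deny inbound traffic from the internet.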
Verification of Asset Creation
For reporting purposes, every asset deployed will be tagged with key:value NFCC-POC: True. To review the provisioned assets, follow these steps:
Visit the Tags section from All services in the Azure portal. Optionally, search “tags” in the Azure portal top search bar.
Once in the Tags panel, click NFCC-POC : true.
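The same verification can be done from Azure Cloud Shell instead of the portal, which is convenient for the reporting requirement above. The following PowerShell is an added example written for this page, not code from the NFCC azure-deployment repository. It uses the Az module to enumerate every resource group and resource carrying the NFCC-POC tag, compares the result against the asset list given earlier, and reports any untagged resource sitting inside a tagged resource group. The minimum counts (three resource groups, three storage accounts, one Key Vault, two VMs) are this example's reading of that asset list and are assumptions.

```powershell
# Added example (not from the NFCC azure-deployment repository).
# Assumes: Az module in Azure Cloud Shell, current context = the bootstrap subscription.

$tagName  = 'NFCC-POC'
$tagValue = 'true'      # Azure tag values are compared case-insensitively, so "True" also matches

function Get-NfccTagReport {
    # Resource groups and individual resources that carry the tag
    $groups    = @(Get-AzResourceGroup -Tag @{ $tagName = $tagValue })
    $resources = @(Get-AzResource -TagName $tagName -TagValue $tagValue)

    # Minimum expectations derived from the asset list above (assumption of this example):
    # Production / Regulatory / Evidence resource groups, Regulatory / Evidence / Immutable
    # storage accounts, the Storage Key Vault, and two VMs (Linux test VM + AD server).
    $expected = @{
        'Microsoft.Storage/storageAccounts' = 3
        'Microsoft.KeyVault/vaults'         = 1
        'Microsoft.Compute/virtualMachines' = 2
    }

    $problems = @()
    if ($groups.Count -lt 3) {
        $problems += "expected at least 3 tagged resource groups, found $($groups.Count)"
    }
    foreach ($type in $expected.Keys) {
        $found = @($resources | Where-Object ResourceType -eq $type).Count
        if ($found -lt $expected[$type]) {
            $problems += "expected at least $($expected[$type]) x $type, found $found"
        }
    }

    # A resource inside a tagged group that lacks the tag will be missing from the
    # portal's Tags view and therefore from the report; surface it here.
    $untagged = @(foreach ($g in $groups) {
        Get-AzResource -ResourceGroupName $g.ResourceGroupName |
            Where-Object { -not $_.Tags -or $_.Tags[$tagName] -ne $tagValue }
    })
    if ($untagged.Count -gt 0) {
        $problems += "untagged resources in tagged groups: $(($untagged | ForEach-Object Name) -join ', ')"
    }

    [pscustomobject]@{
        ResourceGroups = $groups
        Resources      = $resources
        Untagged       = $untagged
        Problems       = $problems
    }
}

$r = Get-NfccTagReport
Write-Host "Tagged resource groups: $($r.ResourceGroups.Count)"
$r.ResourceGroups | Select-Object ResourceGroupName, Location | Format-Table -AutoSize
Write-Host "Tagged resources: $($r.Resources.Count)"
$r.Resources | Sort-Object ResourceType |
    Select-Object Name, ResourceType, ResourceGroupName | Format-Table -AutoSize

if ($r.Problems.Count -gt 0) { $r.Problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Tag verification passed.' }
```

Run it after the “Create Apply” Action has finished; warnings point at either a Terraform step that did not complete or a resource that was created without the tag, both of which would show up as gaps in the NFCC-POC report.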
Stick a pin in this one: your Azure Infrastructure deployment is DONE!
UP NEXT: Your next deployment task ticket (Bots) is waiting for you in JIRA.