Azure Sandbox Infrastructure Deployment

Welcome to the Azure Sandbox Infrastructure Deployment phase. Here you will use GitHub Actions and Terraform to provision the set of assets needed for the deployment. All assets created should have the NFCC-POC : true tag applied.
The approximate time expected to complete these tasks is 30 minutes.

Deployment Prerequisites

  • Please make sure your engagement lead has provided the nfcc_azure_bootstrap.ps1 script file. You will upload this file to the Azure Cloud Shell shortly. The file is also located in the scripts subfolder of the azure-deployment repository.

  • Please be sure you have the following data points ready before proceeding:

    • CUSTOMER_NAME: Provided in your task system ticket.


1. Fork the Azure Deployment GitHub Repository

  1. Visit the Neverfail NFCC Azure Deployment GitHub repository and accept the invitation.

  2. Click the Fork button on the upper-right to fork the repository into your own GitHub account.

2. GitHub Actions Approval

In order to use GitHub Actions to build out the deployment, you will need to consent to using GitHub Actions:

  1. Click on the Actions tab located on the top navigation of the GitHub Portal.

  2. Click I understand my workflows, go ahead and enable them.

3. Use the GitHub NFCC Functions Deployment Template

  1. Visit the NFCC Azure Functions Deployment Template GitHub repository and accept the pending invitation.

  2. Click Use this template to get to the “Create a new repository” screen.

  3. Change the Owner to your user.

  4. Enter “nfcc-azure-functions-deployment” in the Repository name field.

  5. Set the visibility to Private.

  6. Click Create repository from template.

4. Automated Asset and Secret Creation

To expedite the creation of the numerous administrative and virtual assets required to support the deployment, a PowerShell script has been made available for your use. Upload the interactive script file into your Azure Portal Cloud Shell, then execute it. Using your GitHub personal access token, it will populate the GitHub Secrets for both the azure-deployment repository and the nfcc-azure-functions-deployment repository.

Configuring a GitHub Personal Access Token

The GitHub Personal Access Token is used to populate the GitHub Secrets section with Secrets used for both Sandbox Infrastructure and Bot Deployment:

  1. Select the User icon and then Settings from the GitHub nav bar.

  2. Select Developer settings from the left column nav bar.

  3. Select Personal access tokens from the left column nav bar.

  4. Select Generate new token on the right-hand side.

  5. Enter “Azure Sandbox and Function Deployment” for the Note name, and select the top/first repo scope option.

  6. Scroll down and then select Generate new token.

  7. Copy (clipboard icon) the GitHub Personal Access Token value and keep it on your clipboard, because it cannot be retrieved later.

Upload PowerShell Bootstrap Script into Azure Cloud Shell

Before you proceed, if your Engagement Lead did not yet provide a copy of the nfcc_azure_bootstrap.ps1 script file, please access the file in the NFCC azure-deployment repository, view the raw data and save it as “nfcc_azure_bootstrap.ps1.”

  1. Log in to

  2. Access your Azure Cloud Shell by clicking on the Cloud Shell icon in the top menu bar.

  3. If this is the first time using the shell, you will need to Create Storage.

  4. If prompted, select PowerShell as the environment.

  5. Select the Upload/Download Files button.

  6. Select the Upload button and upload the "nfcc_azure_bootstrap.ps1" file.

Run the Bootstrap Script in Azure Cloud Shell

  1. From the command line, run the following command:

     ./nfcc_azure_bootstrap.ps1

  2. At the prompt "Enter customer name provided by Neverfail:", enter the customer friendly name provided in your WIQ task ticket.

  3. At the prompt "Enter customer increment provided by Neverfail (Default is 1):", enter increment number 1.

  4. At the prompt "Enter a valid Github token:", enter your valid GitHub token. This is the token created above.

  5. You will be shown a list of subscriptions to choose from. Enter the index number of the subscription to use. The script will now create the administrative assets and GitHub Secrets required to proceed.

5. Trigger the Github Actions Workflow

To start the deployment process using GitHub Actions, follow the instructions below.

  1. Navigate to your /azure-deployment repository, click on Settings then Secrets, and confirm that the secrets created by the bootstrap script are listed.

  2. Click on the < > Code tab, then navigate to:

     • Azure deployment > terraform file

  3. Click Add file, then Create new file.

  4. Enter “apply” for the file extension name, then scroll down.

  5. Select Commit new file.

  6. Monitor the “Create Apply” Action on the Actions tab in your GitHub repository to view the deployment tasks; once it completes, proceed to the manual tasks below.

Terraform Job General Troubleshooting

We have tried to capture and handle all possible scenarios during the infrastructure deployment, but due to the complexity of the operation, it is possible that something can go wrong. If you receive an error during the Terraform job, first, let the job complete, then afterwards, try re-running the job by clicking the Re-run jobs button on the top-right. If you still have problems, feel free to reach out to your engagement lead for assistance.

Terraform will run for the next 12-15 minutes; take a moment to reflect on what's happening here.

Terraform is building out the following assets in your Azure infrastructure:
  • Production Resource Group
  • Regulatory Resource Group
  • Evidence Resource Group
  • Backup Policy
  • Production Storage Policy
  • Regulatory Storage Account
  • Evidence Storage Account
  • Immutable Storage Account
  • Linux Test VM
  • Storage Key Vault
  • Active Directory Standalone Server

Active Directory Server Important Notes

The infrastructure deployment includes a VM running Active Directory services, to support a particular Control Test. Please note these important details about this VM:

  1. The VM can incur high costs due to the way Azure charges for bandwidth. We highly recommend you power down this server when not required. For details on how to schedule VM power downs, please visit

  2. This VM is on the public internet. It has TCP port 636 open to support LDAP over SSL connectivity required for the AD user password policy Control Test. It also has TCP port 64321 open for RDP access (a non-default port).

  3. If you want to RDP to the server to modify the user properties, you will need to RDP to its public IP address on port 64321.

  4. The localhost\administrator password for this server was provided during the interactive script execution. It is also available in the Azure shell directory in the file “github_secrets.txt.”
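Because the AD server is internet-facing, it is worth confirming from the Azure Cloud Shell that only the two ports listed above are reachable from any source, and deallocating the VM when it is not needed. The following PowerShell is an added example, not part of the azure-deployment repository or the bootstrap script; the resource group and VM name are placeholders for the values Terraform produced, and it assumes the Az module (as loaded in Cloud Shell) with the subscription chosen during the bootstrap run.

```powershell
# Added example (not from the deployment repository). Assumes the Az module, as loaded in
# Azure Cloud Shell, and the subscription selected when the bootstrap script ran.
$ResourceGroup      = '<production-resource-group>'   # placeholder: RG holding the AD VM
$VmName             = '<ad-standalone-server>'        # placeholder: AD VM name from the tag view
$ExpectedPorts      = @('636', '64321')               # LDAPS and the non-default RDP port noted above
$DeallocateWhenDone = $false                          # set to $true to power the VM down after the audit

# Resolve the VM's primary NIC and the NSG attached to it.
$vm    = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$nic   = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$nsgId = $nic.NetworkSecurityGroup.Id
if (-not $nsgId) { throw "No NSG is attached to NIC $($nic.Name); audit the subnet-level NSG instead." }
$parts = $nsgId -split '/'                            # .../resourceGroups/<rg>/providers/.../<nsg>
$nsg   = Get-AzNetworkSecurityGroup -ResourceGroupName $parts[4] -Name $parts[-1]

# Inbound Allow rules whose source is "anywhere" are the internet-facing exposure.
$open = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    ($_.SourceAddressPrefix | Where-Object { $_ -in @('*', 'Internet', '0.0.0.0/0') })
}
foreach ($rule in $open) {
    # Any port (or range, or '*') not in the expected list is flagged for follow-up.
    $extra  = $rule.DestinationPortRange | Where-Object { $_ -notin $ExpectedPorts }
    $status = if ($extra) { 'UNEXPECTED' } else { 'expected' }
    Write-Host ('{0,-11} {1,-30} ports {2,-12} from {3}' -f $status, $rule.Name,
        ($rule.DestinationPortRange -join ','), ($rule.SourceAddressPrefix -join ','))
}

# Stop-AzVM deallocates (no compute charges) unless -StayProvisioned is given.
if ($DeallocateWhenDone) {
    Stop-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Force
    Write-Host "VM $VmName deallocated; start it again with Start-AzVM before the next Control Test run."
}
```

A rule reported as UNEXPECTED means the server listens to the whole internet on a port the notes above do not call for; narrowing the RDP rule's source prefix to your own address is the usual follow-up.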

Verification of Asset Creation

For reporting purposes, every asset deployed will be tagged with key:value NFCC-POC: True. To review the provisioned assets, follow these steps:

  1. Visit the Tags section from All services in the Azure portal. Optionally, search “tags” in the Azure portal top search bar.

  2. Once in the Tags panel, click NFCC-POC : true.
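The same check can be scripted from the Azure Cloud Shell, which also catches the case the portal view hides: a resource in one of the deployment's resource groups that is missing the tag and would therefore escape tag-based reporting. This PowerShell is an added example, not part of the azure-deployment repository; it assumes the Az module (as loaded in Cloud Shell) and the subscription chosen during the bootstrap run.

```powershell
# Added example (not from the deployment repository). Assumes the Az module, as loaded in
# Azure Cloud Shell, and the subscription selected when the bootstrap script ran.
$TagName  = 'NFCC-POC'
$TagValue = 'true'

# Azure tag names are case-insensitive, so compare keys and values with -ieq.
function Test-HasTag {
    param($Tags, [string]$Name, [string]$Value)
    if (-not $Tags) { return $false }
    foreach ($k in $Tags.Keys) {
        if ($k -ieq $Name -and $Tags[$k] -ieq $Value) { return $true }
    }
    return $false
}

# 1. Everything Terraform deployed should appear here (the portal's Tags panel shows the same set).
$tagged = Get-AzResource -TagName $TagName -TagValue $TagValue
Write-Host "Resources tagged ${TagName}=${TagValue}: $($tagged.Count)"
$tagged | Sort-Object ResourceGroupName, ResourceType |
    Format-Table ResourceGroupName, ResourceType, Name -AutoSize

# 2. Resources in the same resource groups but without the tag are invisible to tag-based
#    reporting (and to any tag-based cleanup), so list them explicitly.
$groups = $tagged.ResourceGroupName | Sort-Object -Unique
foreach ($rg in $groups) {
    $untagged = Get-AzResource -ResourceGroupName $rg |
        Where-Object { -not (Test-HasTag -Tags $_.Tags -Name $TagName -Value $TagValue) }
    if ($untagged) {
        Write-Warning "Resource group '$rg' has $($untagged.Count) resource(s) without ${TagName}=${TagValue}:"
        $untagged | Format-Table ResourceType, Name -AutoSize
    }

    # 3. The resource group itself should carry the tag as well.
    $rgTags = (Get-AzResourceGroup -Name $rg).Tags
    if (-not (Test-HasTag -Tags $rgTags -Name $TagName -Value $TagValue)) {
        Write-Warning "Resource group '$rg' itself is not tagged ${TagName}=${TagValue}"
    }
}
```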

Stick a pin in this one, your Azure Infrastructure deployment is DONE!

UP NEXT: Your next deployment task ticket (Bots) is waiting for you in JIRA.