Update OSS Sandbox deployment scripts for IoMT Connector #108
Conversation
pallar-ms
commented
Jun 4, 2021
- Feature - USER STORY 82590
- Changes -
- Update provisioning of resources so that the managed identity setup is the default setup for the sandbox environment
- Update sandbox creation script to reflect the above changes
- Remove legacy auth setup script
- Configure RBAC for the Azure API for FHIR and set the role for FHIR Data Contributor
- Configure RBAC for AKVs and set the role for Key Vault User
- Update documentation to reflect changes
- Note -
- Retaining the other templates (consumption/premium/flexible, the previous default) as-is for now, although the sandbox script will not work as-is if the IomtConnectorUrlTemplate is replaced with any of these instead of the current default (managed-identity-azuredeploy).
- If the linked template deployment fails, the RBAC for FHIR will not be set up, as it has a dependency on the linked template. A successful redeployment will trigger it.
- Seeing inconsistent failures with the app service deployment -
- BadRequest - Service Unavailable for Microsoft.Web/sites/host
- Principal does not exist - even though the principal type is set; after updating to a different API version, I haven't seen this reproduce.
- Testing -
- Validated end to end script deployment, verified the resources were provisioned and the auth setup shows the roles assigned as intended.
- Validated that running the new script on a previous setup works fine too
- Validated that the data is present in the FHIR server
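To make the RBAC part of the description concrete, here is an added ARM template fragment (example code written for this page, not the project's own templates) that grants a Function App's system-assigned managed identity FHIR Data Contributor on an Azure API for FHIR instance and Key Vault Secrets User on a Key Vault, using the same `resourceType/providers/roleAssignments` form the PR uses. Parameter names (`functionAppName`, `keyVaultName`, `fhirServiceName`, `appServicePlanId`) are assumptions; the role GUIDs are Azure's well-known built-in role IDs (the description says "Key Vault User", so Secrets User is an assumption), and the `apiVersion` is the GA `2022-04-01`, which post-dates this PR; `2018-09-01-preview` is the minimum that accepts `principalType`.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "description": "Added example: managed-identity role assignments for an IoMT-style Function App. Not the project's template."
  },
  "parameters": {
    "functionAppName": { "type": "string" },
    "appServicePlanId": { "type": "string" },
    "keyVaultName": { "type": "string" },
    "fhirServiceName": { "type": "string" }
  },
  "variables": {
    "functionAppId": "[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
    "fhirDataContributorRoleId": "5a1fc7df-4bf1-4951-a576-89034ee01acd",
    "keyVaultSecretsUserRoleId": "4633458b-17de-408a-b874-0445c86b69e6"
  },
  "resources": [
    {
      "comments": "System-assigned identity created in the same deployment; app settings omitted for brevity.",
      "type": "Microsoft.Web/sites",
      "apiVersion": "2020-12-01",
      "name": "[parameters('functionAppName')]",
      "location": "[resourceGroup().location]",
      "kind": "functionapp",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "serverFarmId": "[parameters('appServicePlanId')]",
        "httpsOnly": true
      }
    },
    {
      "comments": "Key Vault Secrets User at vault scope. principalType lets ARM skip the directory lookup, avoiding 'Principal does not exist' on a just-created identity. guid() makes re-runs idempotent.",
      "type": "Microsoft.KeyVault/vaults/providers/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[concat(parameters('keyVaultName'), '/Microsoft.Authorization/', guid(resourceGroup().id, parameters('keyVaultName'), variables('keyVaultSecretsUserRoleId'), parameters('functionAppName')))]",
      "dependsOn": [ "[variables('functionAppId')]" ],
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('keyVaultSecretsUserRoleId'))]",
        "principalId": "[reference(variables('functionAppId'), '2020-12-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
      }
    },
    {
      "comments": "FHIR Data Contributor at service scope; same pattern, different resource type and role.",
      "type": "Microsoft.HealthcareApis/services/providers/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[concat(parameters('fhirServiceName'), '/Microsoft.Authorization/', guid(resourceGroup().id, parameters('fhirServiceName'), variables('fhirDataContributorRoleId'), parameters('functionAppName')))]",
      "dependsOn": [ "[variables('functionAppId')]" ],
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('fhirDataContributorRoleId'))]",
        "principalId": "[reference(variables('functionAppId'), '2020-12-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
```

Two points worth checking before adopting this pattern: `reference()` is only valid inside `resources` (not `variables`), so the principalId lookup has to stay inline as above; and the role assignment name must be deterministic, because a second deployment that picks a different name for the same principal, role and scope fails with RoleAssignmentExists rather than being treated as a no-op. Confirm the GUIDs in your tenant with `az role definition list --name "FHIR Data Contributor"` and `--name "Key Vault Secrets User"`.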
…ged identity setup * update sandbox creation script based on updated template * update documentation to reflect changes
@@ -409,7 +410,7 @@ | |||
}, | |||
{ | |||
"type": "Microsoft.EventHub/namespaces/eventhubs/providers/roleAssignments", | |||
"apiVersion": "2018-07-01", | |||
"apiVersion": "2018-09-01-preview", |
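Review bot: the bump to 2018-09-01-preview only buys anything if this resource's properties also set "principalType": "ServicePrincipal" (that is what lets ARM skip the directory lookup for a just-created identity); the hunk shows only the type and apiVersion lines, so confirm principalType is present in the same resource, and record the reason next to the version (a "comments" element on the resource would do) so the preview dependency does not read as arbitrary. The PR description also lists role assignments for the Azure API for FHIR and the Key Vaults; they should get the same apiVersion and principalType treatment, otherwise the intermittent "Principal does not exist" failure just moves to those resources.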
Do we need to use the preview API? Is there an earlier version that has any updated functionality required that is GA?
Agreed we should avoid using preview APIs where we can
For roleAssignments, I'm only seeing preview versions listed, and the one I used is the minimum version needed to fix the intermittent failures due to replication delay. Didn't want to update to the latest preview in case it brought in some unwanted changes that we aren't ready for. But let me know if I am looking at the wrong place, or if it's okay to update to the latest preview version listed.
https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/roleassignments?tabs=json
I'm actually quite confused about how to interpret the versions to use for role assignments. We aren't going by Microsoft.Authorization/roleAssignments in these templates, but using resourcetype/providers/roleAssignments instead because of scope issues.
The only reason I updated it here is that it seemed to address the "Principal doesn't exist" error, based on this https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal, and that actually seems to have solved it.
Looks good. Left a few comments re: getting rid of the old template (now called flexible) in favor of just managed identity.