From d008f63b7a839acc6603ddc445e783e5d07dd24d Mon Sep 17 00:00:00 2001 From: Colin Saliceti Date: Thu, 21 Nov 2024 10:34:42 +0000 Subject: [PATCH 1/3] Replace service portal with IT Help Centre - Update links - Update outdated content - Remove whitespaces --- .../infrastructure/docker/index.html.md.erb | 38 +++++++++---------- .../hosting/azure-cip/index.html.md.erb | 23 ++++------- .../hosting/dns/index.html.md.erb | 7 +--- .../monitoring/statuscake/index.html.md.erb | 4 +- .../managing-secrets/index.html.md.erb | 3 +- .../service-accounts/index.html.md.erb | 4 +- .../ssl-certificates/index.html.md.erb | 6 +-- .../infrastructure/support/index.html.md.erb | 26 +++++-------- 8 files changed, 46 insertions(+), 65 deletions(-) diff --git a/source/infrastructure/docker/index.html.md.erb b/source/infrastructure/docker/index.html.md.erb index fbd343bd..a2400e31 100644 --- a/source/infrastructure/docker/index.html.md.erb +++ b/source/infrastructure/docker/index.html.md.erb @@ -9,15 +9,15 @@ title: Docker Desktop The following information has been put together using; * Edition Windows 11 Enterprise Version 22H2 Installed on ‎13/‎03/‎2023 OS build 22621.2283 Experience Windows Feature Experience Pack 1000.22662.1000.0 - + * all instruction are for use with DFE laptops with developer settings - + * all images are built using standard docker tooling - + * development IDE is visual studio code - + * visual studio code has docker extension installed - + * development code is running nodejs * development code is using npm as its package manager 
@@ -25,9 +25,9 @@ The following information has been put together using; ## Installing Docker You will need access to docker-users group on the system user groups of your machine in order to run docker and possibly an update to the wsl kernal (achieve this by requesting a meeting with system administrator who will be able to screen share and run the update for you) -[Requests should be made through the service portal](https://dfe.service-now.com/serviceportal) +[Requests should be made through the IT Help Centre](https://dfe.service-now.com/ithelpcentre) -Use [User Access to restricted Groups](https://dfe.service-now.com/serviceportal?id=sc_cat_item&sys_id=59d68b331bd13050199d6397b04bcb23) +Use [User Access to restricted Groups](https://dfe.service-now.com/ithelpcentre?id=sc_cat_item&table=sc_cat_item&sys_id=59d68b331bd13050199d6397b04bcb23) * RequestedFor should be pre filled with your name @@ -43,7 +43,7 @@ Use [User Access to restricted Groups](https://dfe.service-now.com/serviceportal and for the driver installation you should -Use [Install device driver on my device](https://dfe.service-now.com/serviceportal?id=sc_cat_item&sys_id=c8748b941ba670904f999978b04bcb18&sysparm_category=09e18be6db2f8340865049ee3b96190f) +Use [Install device driver on my device](https://dfe.service-now.com/ithelpcentre?id=sc_cat_item&sys_id=c8748b941ba670904f999978b04bcb18&sysparm_category=09e18be6db2f8340865049ee3b96190f) * RequestedFor should be pre filled with your name, 'If you are doing this for another member of staff you can now change to there name 
@@ -87,11 +87,11 @@ To get started, follow the steps below: * type in the terminal window 'npm init -y' this will build a simple project structure -* once complete type in the terminal 'npm install express' +* once complete type in the terminal 'npm install express' * Create a file called index.js and add it to the root directory -* Open index.js in the editor and add this line to the top of the file +* Open index.js in the editor and add this line to the top of the file ```` @@ -99,7 +99,7 @@ const express = require('express'); ```` -* Now below that add +* Now below that add ```` @@ -107,7 +107,7 @@ const app = express(); ```` -* and on the next line add +* and on the next line add ```` @@ -121,7 +121,7 @@ app.use(express.json()); const PORT = process.env.PORT || 3000; ```` -* Now and add +* Now and add ``` app.listen(PORT, () => { @@ -135,15 +135,15 @@ app.get("/status", (request, response) => { const status = { "Status": "Running" }; - + response.send(status); }); ```` * Open package.json file and add to the script section of the file ```` - "start": "node index.js" - + "start": "node index.js" + ```` making sure to add a comma to the end of the line above 
@@ -175,14 +175,14 @@ app.get("/status", (request, response) => { * VSC will now build your image and your container and start it running which can be seen in the terminal window -* Once started you can go back to your browser and enter 'http://localhost:3000/status' the browser should return +* Once started you can go back to your browser and enter 'http://localhost:3000/status' the browser should return ```` { "Status": "Running" } ```` -* For more information on docker and compose goto: [How to use docker and compose](https://code.visualstudio.com/docs/containers/docker-compose) +* For more information on docker and compose goto: [How to use docker and compose](https://code.visualstudio.com/docs/containers/docker-compose) * For more information on docker extension in Vsc goto: [Overview of contaoners in VSC](https://code.visualstudio.com/docs/containers/overview) -* For more information on docker and node starter kit in vsc goto: [Quick node starter page](https://code.visualstudio.com/docs/containers/quickstart-node) \ No newline at end of file +* For more information on docker and node starter kit in vsc goto: [Quick node starter page](https://code.visualstudio.com/docs/containers/quickstart-node) diff --git a/source/infrastructure/hosting/azure-cip/index.html.md.erb b/source/infrastructure/hosting/azure-cip/index.html.md.erb index f8710c83..a47a461e 100644 --- a/source/infrastructure/hosting/azure-cip/index.html.md.erb +++ b/source/infrastructure/hosting/azure-cip/index.html.md.erb 
@@ -13,17 +13,15 @@ It provides access to most Azure resources including App Services, Container Ins Portal: [https://portal.azure.com/](https://portal.azure.com/) ## Platform documentation -* [CIP platform docs](https://docs.platform.education.gov.uk/index.html) +* [CIP platform docs](https://docs.education.gov.uk/) ## Onboarding users -Use this [service portal form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&referrer=recent_items) to create the onboarding request: +Use this [IT Help Centre form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d) to create the onboarding request: 1. From _Request type_ dropdown, select: _Azure Portal and DevOps User Account Request_ 1. From _Add/Change/Remove_ dropdown, select: _Add_ 1. Enter new users' email addresses -If access to the service portal is not possible, ask the helpdesk (See [Support](/infrastructure/support/#helpdesk)) to "Invite --username-- to the CIP AAD. FAO of the Infrastructure Operations Team" - Ask in #cloud-platform on Slack if more help is required. The new user will receive an invitation by email. Then the service administrators can add them to the service Azure Active Directory groups of the subscriptions: Managers and Delivery team. 
@@ -32,7 +30,7 @@ To access Azure DevOps, the new user must access the [Azure DevOps CIP instance] ## Privileged Identity Management (PIM) Requests -[Privileged Identity Management (PIM)](https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources at DfE such as access to staging and production environments. +[Privileged Identity Management (PIM)](https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources at DfE such as access to staging and production environments. We use it for *Azure resources* and *Groups*. To request access to your eligible assignments, follow the steps below: @@ -46,7 +44,7 @@ To request access to your eligible assignments, follow the steps below: * Click on `My roles` on the left hand side of the page, under `Tasks` -* Click on `Azure resources` under `Activate` +* Click on either `Azure resources` or `Groups` under `Activate` * You may have to lengthen the resource section in order to see the full resource name, including the environment 
@@ -61,7 +59,7 @@ however an administrator can navigate to PIM using the search box (as documented ## Onboarding a service -Use this [service portal form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&referrer=recent_items) to create the onboarding request and choose _Request type: On-Boarding request_. It should be filled in by a senior civil servant (G7 or above). This includes an onboarding form to attach. Finance must be agreed beforehand. +Use this [IT Help Centre form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&referrer=recent_items) to create the onboarding request and choose _Request type: On-Boarding request_. It should be filled in by a senior civil servant (G7 or above). This includes an onboarding form to attach. Finance must be agreed beforehand. You will be given: @@ -70,7 +68,7 @@ You will be given: * PIM (Privileged Identity Management) set up: members of the Delivery team can elevate their access themselves in staging, and request approval from a Manager in production. * A new project in Azure DevOps dfe-ssp organisation and corresponding service connections to the subscriptions -The production subscription can be requested via the same [service portal form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&referrer=recent_items). +The production subscription can be requested via the same [IT Help Centre form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&referrer=recent_items). Choose _Request type: Request production subscription_. ## Provisioned Azure DevOps 
@@ -81,19 +79,12 @@ When a service is onboarded to CIP, an Azure DevOps project is automatically pro ## Azure Development Deployments should always be done via infrastructure as code. We recommend using [Terraform](/infrastructure/dev-tools/#terraform) or [ARM templates](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/overview). -## Access from/to Internet -Static public IPs are not permitted by default in CIP. Instead, Azure provides unique domain names but the IP may change. - -Should you require a static IP, it is possible to request an [Internet Access Service](https://docs.platform.education.gov.uk/docs/articles/resource-management/platform-firewalls/internet-access-service.html?q=internet). It provides routing from/to the internet via a static IP and a firewall. URLs accessed via the firewall must be whitelisted. - -Contact #cloud-platform to set it up. - ## Azure service principal To be able to access Azure from an external system like Github actions, a service account is required. It is called a *service principal* in Azure, or *App regisration*. See the [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals). ### Create service principal -In this example we create a service principal which has a custom role created in [Managing secrets](/infrastructure/security/managing-secrets/#request-roles). Submit a [CIP Request](https://dfe.service-now.com/ithelpcentre?id=sc_cat_item&table=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&searchTerm=cip) on Service Now using your education.gov.uk identity. Example: +In this example we create a service principal which has a custom role created in [Managing secrets](/infrastructure/security/managing-secrets/#request-roles). Submit a [CIP Request](https://dfe.service-now.com/ithelpcentre?id=sc_cat_item&table=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&searchTerm=cip) on Service Now. 
Example: ``` Please create a new service principal named [subscription-prefix]-[service-abbreviation]-contributor. It will be used to deploy Azure resources from GitHub repositories in the DFE-Digital Github organisation. diff --git a/source/infrastructure/hosting/dns/index.html.md.erb b/source/infrastructure/hosting/dns/index.html.md.erb index 7d23f9c1..fae45952 100644 --- a/source/infrastructure/hosting/dns/index.html.md.erb +++ b/source/infrastructure/hosting/dns/index.html.md.erb @@ -16,12 +16,9 @@ Domain names are normally maintained by the [Infrastructure Operations](/infrast First a normal request is required to assign an engineer to the task and define the change window. Then a change request is raised to detail the implementation plan. ### Normal request -Raise it in the [Service Now portal](https://dfe.service-now.com/serviceportal) portal: +Raise it in the [IT Help Centre](https://dfe.service-now.com/ithelpcentre?id=ticket&table=sc_req_item&sys_id=dc46ab681bc6d250cace6283b24bcbbc&view=sp): -* Request something -* Categories: Non-standard -* Any other request -* Short description: Describe briefly the purpose of the request and mention it's a route53 domain change +* Short description: Describe briefly the purpose of the request and mention it is a route53 domain change * Click "I confirm that the above results aren't relevant to my request" * Working from: Select either Home or Office * Category: Non-standard diff --git a/source/infrastructure/monitoring/statuscake/index.html.md.erb b/source/infrastructure/monitoring/statuscake/index.html.md.erb index bff63b88..bd0a665f 100644 --- a/source/infrastructure/monitoring/statuscake/index.html.md.erb +++ b/source/infrastructure/monitoring/statuscake/index.html.md.erb 
@@ -10,12 +10,12 @@ link_in_toc: true Statuscake is a cloud based tool used to constantly monitor the availability of websites and alert when they are not present. ### Access to the DfE account -Use the [StatusCake form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=e7a004df1b399c502fe864606e4bcb21), +Use the [StatusCake form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=e7a004df1b399c502fe864606e4bcb21), choose *Request account access* and enter your email address. This will give you access to the DFEStatusCake subaccount and you will be able to see all checks in DfE, modify contact groups and integrations. Checks can't be created manually, it is only allowed via an API key. ### Request API key -Each service or service area (shared key) can request an API key to create the checks via automation. Use the [StatusCake form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=e7a004df1b399c502fe864606e4bcb21), +Each service or service area (shared key) can request an API key to create the checks via automation. Use the [StatusCake form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=e7a004df1b399c502fe864606e4bcb21), choose *Request API key*. Enter the team's email address and the name of the service or service area. ### Contact Group diff --git a/source/infrastructure/security/managing-secrets/index.html.md.erb b/source/infrastructure/security/managing-secrets/index.html.md.erb index a9f2f5b7..40006b6f 100644 --- a/source/infrastructure/security/managing-secrets/index.html.md.erb +++ b/source/infrastructure/security/managing-secrets/index.html.md.erb 
@@ -37,8 +37,7 @@ You will need to raise a request in Service Now to request roles for both the se The sample request may be used for all the subscriptions or one at a time. ### Sample Request -Create a request in Service Now: Request something, Non-Standard, Any Other Request, -Select an appropriate Category: Non Standard, Business Service: Shared IT Core services, Service Offering: CIP Platform +Create a request using the [CIP Request form](https://dfe.service-now.com/ithelpcentre?id=sc_cat_item&table=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d). Example for a new "s146-getintoteachingwebsite-Contributor and Key Vault editor" custom role: ``` Configure PIM access to Key Vault following the pattern in https://docs.platform.education.gov.uk/docs/blogs/platform-engineering/key-vault-rbac.html : diff --git a/source/infrastructure/security/service-accounts/index.html.md.erb b/source/infrastructure/security/service-accounts/index.html.md.erb index 766a2ed7..0a5192ca 100644 --- a/source/infrastructure/security/service-accounts/index.html.md.erb +++ b/source/infrastructure/security/service-accounts/index.html.md.erb 
@@ -15,10 +15,10 @@ and are able to reset the password. See below. ## Shared email ### Outlook distribution list -This creates a new email address and when emails are sent to it, the members of the distribution list receive them in their own inbox. To create it, use the [Distribution Lists service now form](https://dfe.service-now.com.mcas.ms/serviceportal?id=sc_cat_item&sys_id=a28540a5dbeeee005ca2fddabf961968). +This creates a new email address and when emails are sent to it, the members of the distribution list receive them in their own inbox. To create it, use the [Distribution Lists service now form](https://dfe.service-now.com.mcas.ms/ithelpcentre?id=sc_cat_item&sys_id=a28540a5dbeeee005ca2fddabf961968). ### Outlook shared mailbox -This creates a mailbox that can be shared with multiple users. It is displayed separately in Outlook and emails are stored there. Create a shared mailbox using [the service portal form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=5daf935837189240c033a16043990ecf&referrer=popular_items). +This creates a mailbox that can be shared with multiple users. It is displayed separately in Outlook and emails are stored there. Create a shared mailbox using [the service now form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=5daf935837189240c033a16043990ecf&referrer=popular_items). ## Github account Request a new user from [Digital tools](<%= data.site.digital_tools %>). diff --git a/source/infrastructure/security/ssl-certificates/index.html.md.erb b/source/infrastructure/security/ssl-certificates/index.html.md.erb index 6fad7525..8c4ef32a 100644 --- a/source/infrastructure/security/ssl-certificates/index.html.md.erb +++ b/source/infrastructure/security/ssl-certificates/index.html.md.erb 
@@ -17,7 +17,7 @@ Certificates generated on the CAs are paid for centrally by the [Platform suppor This documentation doesn't apply to Azure managed certificates in [App service](https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#create-a-free-managed-certificate) or [Front door](https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain#afd-managed-certificates-for-non-azure-pre-validated-domain). ## Create account -Use the [External Digital Certificates form](https://dfe.service-now.com.us.cas.ms/serviceportal?id=sc_cat_item&sys_id=8fe3fae3dbd77f809402e1aa4b9619d0) on the service portal and choose: _Request type: Request an account_ +Use the [External Digital Certificates form](https://dfe.service-now.com.us.cas.ms/ithelpcentre?id=sc_cat_item&sys_id=8fe3fae3dbd77f809402e1aa4b9619d0) on the IT Help Centre and choose: _Request type: Request an account_ ## Generate manually ### Create CSR and private key @@ -115,8 +115,8 @@ openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in cert.cer ### Key vault account A special "Key vault account" is required and must be approved on case by case basis. It can be requested via the -[Non-standard / Any Other Request](https://dfe.service-now.com.mcas.ms/serviceportal?id=sc_cat_item&sys_id=3ab186f8db2c2b403b929334ca961998&sysparm_category=19d07bc3dbff17003b929334ca9619bd) -service portal form. The business service is _Shared IT core services_ and the offering is _SSL Certificate Authority Systems (external)_. +[Non-standard / Any Other Request](https://dfe.service-now.com.mcas.ms/ithelpcentre?id=sc_cat_item&sys_id=3ab186f8db2c2b403b929334ca961998&sysparm_category=19d07bc3dbff17003b929334ca9619bd) +IT Help Centre form. The business service is _Shared IT core services_ and the offering is _SSL Certificate Authority Systems (external)_. ### Digicert CA - If you don't have an API key, first login to Digicert with the Key vault account 
diff --git a/source/infrastructure/support/index.html.md.erb b/source/infrastructure/support/index.html.md.erb index e79cda81..523e7089 100644 --- a/source/infrastructure/support/index.html.md.erb +++ b/source/infrastructure/support/index.html.md.erb 
@@ -8,26 +8,21 @@ weight: 100 ## Helpdesk For general queries: -- [Service Portal](https://dfe.service-now.com/serviceportal/) +- [IT Help Centre](https://dfe.service-now.com/ithelpcentre/) - Telephone: 0300 1234 888 -## Access to service portal -The [service portal](https://dfe.service-now.com/serviceportal/) is the standard tool to request IT changes in DfE. It is based on [ServiceNow](https://www.servicenow.com/). - -Civil servants automatically receive an `@education.gov.uk` account and access to the service portal. - -Contractors may not be onboarded automatically. Should they require it, their line manager can onboard them using the [New starter form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=590c8b70dbb313003b929334ca9619f6&referrer=popular_items). -They can request a DfE device with VPN access, or an account with web only access called _Bring your own device_ (BYOD). +## Access to IT Help Centre +The [IT Help Centre](https://dfe.service-now.com/ithelpcentre/) is the standard tool to request IT changes in DfE. It is based on [ServiceNow](https://www.servicenow.com/). ## Service now ITIL view Employees working in IT can have access to the [full Service now interface](https://dfe.service-now.com/) to create changes and incidents, give approvals, chase a ticket, etc. -They gain access when they are added to a group using [the Service Portal - Groups/Permissions form](https://dfe.service-now.com/serviceportal/?id=sc_cat_item&sys_id=6cdeb1f2dbf898509402e1aa4b96197f). +They gain access when they are added to a group using [the IT Help Centre - Groups/Permissions form](https://dfe.service-now.com/ithelpcentre/?id=sc_cat_item&sys_id=6cdeb1f2dbf898509402e1aa4b96197f). ## Infrastructure and Network Operations For requests related to DNS, Azure CIP, Azure DfE (Tier 1), Azure DevOps... 
-Use the [Any other request form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=3ab186f8db2c2b403b929334ca961998&sysparm_category=19d07bc3dbff17003b929334ca9619bd): +Use the [Any other request form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=3ab186f8db2c2b403b929334ca961998&sysparm_category=19d07bc3dbff17003b929334ca9619bd): - Category: Non-standard - Business service: Shared IT core services 
@@ -42,27 +37,26 @@ Email: ## CIP engineering - Slack: [#cloud-platform](https://ukgovernmentdfe.slack.com/archives/C7L4D0LM9) - Email: -- Service Now: [form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&sysparm_category=19d07bc3dbff17003b929334ca9619bd) +- [Service Now](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&sysparm_category=19d07bc3dbff17003b929334ca9619bd) ## Platform support For requests related to SSL certificates, StatusCake, Github (_ESFA_ organisation), Non-CIP Azure DevOps and Heroku _dfe_ team. - Email: -- Service portal: - - [SSL certificates form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=8fe3fae3dbd77f809402e1aa4b9619d0&sysparm_category=19d07bc3dbff17003b929334ca9619bd), [StatusCake form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=e7a004df1b399c502fe864606e4bcb21&sysparm_category=19d07bc3dbff17003b929334ca9619bd), [Azure DevOps form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=5447e6e91bdbbb802fe864606e4bcba4) - - General advice: [Non-standard / Any Other Request form](https://dfe.service-now.com.mcas.ms/serviceportal?id=sc_cat_item&sys_id=3ab186f8db2c2b403b929334ca961998&sysparm_category=19d07bc3dbff17003b929334ca9619bd) +- IT Help Centre: + - [SSL certificates form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=8fe3fae3dbd77f809402e1aa4b9619d0&sysparm_category=19d07bc3dbff17003b929334ca9619bd), [StatusCake form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=e7a004df1b399c502fe864606e4bcb21&sysparm_category=19d07bc3dbff17003b929334ca9619bd), [Azure DevOps form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=5447e6e91bdbbb802fe864606e4bcba4) + - General advice: [Non-standard / Any Other Request 
form](https://dfe.service-now.com.mcas.ms/ithelpcentre?id=sc_cat_item&sys_id=3ab186f8db2c2b403b929334ca961998&sysparm_category=19d07bc3dbff17003b929334ca9619bd) (Business service: _Shared IT core services_, offering: _SSL_, _StatusCake_, _Heroku_, _Github_). ## Teacher services infrastructure Cloud infrastructure and automation for Teacher services - Slack channel: [#teacher-services-infra](https://ukgovernmentdfe.slack.com/archives/C011EM7HU85) -- Email: +- Email: ## Digital Tools Support For requests related to Gsuite, Slack, Github (_DFE-Digital_ organisation), DockerHub, Logit.io, Sentry, Heroku... -- Website: [Digital Tools Support](https://sites.google.com/digital.education.gov.uk/digitaltools/home?authuser=0) - Slack channel: [#digital-tools-support](https://ukgovernmentdfe.slack.com/archives/CMS9V0JQL) - Email: From 408ce0212a2551e2befdd234c223ff3302778654 Mon Sep 17 00:00:00 2001 From: Colin Saliceti Date: Thu, 21 Nov 2024 10:47:18 +0000 Subject: [PATCH 2/3] Remove yaml secrets The guidance is to use individual secrets --- .../managing-secrets/index.html.md.erb | 48 +------------------ 1 file changed, 1 insertion(+), 47 deletions(-) diff --git a/source/infrastructure/security/managing-secrets/index.html.md.erb b/source/infrastructure/security/managing-secrets/index.html.md.erb index 40006b6f..76771245 100644 --- a/source/infrastructure/security/managing-secrets/index.html.md.erb +++ b/source/infrastructure/security/managing-secrets/index.html.md.erb 
@@ -66,50 +66,4 @@ The secrets can then be retrieved using the [Azure/get-keyvault-secrets](https:/ ## Access secrets from Terraform Login using the [service principal](/infrastructure/hosting/azure-cip/#github-actions) in Terraform. -The secrets can then be retrieved using the [azurerm_key_vault data source](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault). - -## Store multiple values per secret - -The name of a secret must be hard coded in the systems retrieving it. When using infrastructure as code, this name may be present in multiple files which creates a burden to rename or add more secrets. - -An alternative is to store a file containing multiple secrets as key-value pairs, for example with `YAML`. The secrets can be added, removed or updated in the file without changing anything in the code. -There are a number of ways to edit or read the secrets. - -### Edit using Azure CLI -Create a YAML local file and upload it: - -```shell -az keyvault secret set --vault-name sXXXd01-kv --name TTA-KEYS --file local_file.yml -``` -_Make sure to delete the local file after use._ - -### Read using Azure CLI -Print the file content: - -```shell -az keyvault secret show --vault-name sXXXd01-kv --name TTA-KEYS -``` -_Make sure to clear the command line after use._ - -Download to a local file: - -```shell -az keyvault secret download --vault-name sXXXd01-kv --name TTA-KEYS --file local_file.yml -``` -_Make sure to delete the local file after use._ - -### Read using GitHub Actions -Use the [keyvault-yaml-secret action](https://github.com/DFE-Digital/keyvault-yaml-secret) to retrieve a secret from the YAML file. 
- -### Read using Terraform -Use the [yamldecode](https://www.terraform.io/docs/language/functions/yamldecode.html) function to parse the YAML file and access individual values: - -```hcl -infra_secrets = yamldecode(data.azurerm_key_vault_secret.infra_secrets.value) -paas_password = infra_secrets["paas_password"] -``` - -### Read and write using the fetch_config.rb script -[fetch_config.rb](https://github.com/DFE-Digital/bat-platform-building-blocks/tree/master/scripts/fetch_config) is a convenient ruby script to read and write securely to and from Azure Key Vault and transform into multiple formats. - -It is routinely used by developers. See `print-app-secrets` and `edit-app-secrets` in this [Makefile](https://github.com/DFE-Digital/publish-teacher-training/blob/master/Makefile) for example. +The secrets can then be retrieved using the [azurerm_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault), [azurerm_key_vault_secrets](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secrets) and [azurerm_key_vault_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) data sources. From 1c24f8e0f5914ca17510a55a780f74dae7eefa6e Mon Sep 17 00:00:00 2001 From: Colin Saliceti Date: Thu, 21 Nov 2024 11:20:50 +0000 Subject: [PATCH 3/3] Add thanos to prometheus --- source/infrastructure/monitoring/prometheus/index.html.md.erb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/source/infrastructure/monitoring/prometheus/index.html.md.erb b/source/infrastructure/monitoring/prometheus/index.html.md.erb index 7e0b3fdc..c3d5122c 100644 --- a/source/infrastructure/monitoring/prometheus/index.html.md.erb +++ b/source/infrastructure/monitoring/prometheus/index.html.md.erb 
@@ -21,6 +21,9 @@ Prometheus is the brains of the system providing the following functions: ### Influxdb Is a time series database to store metrics reliably and query them. +### Thanos +Alternative to Influxdb to store metrics using different storage backends, including Azure storage accounts. + ### Alertmanager Receives alerts from prometheus and notifies users on various channels.
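Review bot: In source/infrastructure/hosting/dns/index.html.md.erb (PATCH 1/3), the new "Normal request" link uses `id=ticket&table=sc_req_item` with a fixed `sys_id` and `view=sp`, which is the URL shape of one existing requested-item record, not of a request form. Every other link changed in this patch uses `id=sc_cat_item`. Since the hunk also deletes the navigation steps ("Request something", "Categories: Non-standard", "Any other request"), the link is now the only way to reach the form, so it should point at the catalogue item. As written, readers will either be refused access or land on someone else's ticket.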
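Review bot: The rewritten links in the statuscake, service-accounts, ssl-certificates, support and azure-cip hunks (PATCH 1/3) still use the host `dfe.service-now.com.mcas.ms`, and ssl-certificates uses `dfe.service-now.com.us.cas.ms`, while the docker, dns and managing-secrets hunks use `dfe.service-now.com`. The `.mcas.ms` suffix is added by the Microsoft Defender for Cloud Apps session proxy and ends up in a URL when it is copied from a proxied browser session. Since every one of these URLs is being edited anyway, normalise them to `dfe.service-now.com` so the documentation does not teach readers to accept extra labels after the real domain.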
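Review bot: In source/infrastructure/hosting/azure-cip/index.html.md.erb (PATCH 1/3), the hunk at -81,19 deletes the whole "Access from/to Internet" section and drops "using your education.gov.uk identity" from the CIP Request sentence, and the "Onboarding users" hunk deletes the helpdesk fallback for users who cannot reach the portal. None of this is a link replacement, and the commit message only says "Update outdated content". Please state in the message why the static IP and firewall guidance no longer applies, or move these removals to their own commit. Separately, the "Onboarding users" link drops `&referrer=recent_items` but both links under "Onboarding a service" keep it, so drop it there too.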
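Review bot: In source/infrastructure/security/managing-secrets/index.html.md.erb (PATCH 1/3), the sample request kept as context directly below the new CIP Request form line still points at `https://docs.platform.education.gov.uk/docs/blogs/platform-engineering/key-vault-rbac.html`, while the azure-cip hunk in this same patch moves the platform docs link from `docs.platform.education.gov.uk` to `https://docs.education.gov.uk/`. If the old host is retired, this Key Vault RBAC reference needs updating too, otherwise the person handling the request has no pattern to follow.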
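Review bot: In source/infrastructure/support/index.html.md.erb (PATCH 1/3), the "Access to IT Help Centre" hunk removes the paragraphs on how civil servants and contractors get an account (the New starter form, DfE device with VPN, and BYOD web-only access), leaving only the sentence that says what the tool is. If contractors are still not onboarded automatically, the page no longer says how they obtain access. Either keep the paragraph with the updated form URL or say in the commit message where that guidance now lives. The same applies to the removed "Website: [Digital Tools Support]" entry further down.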
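Review bot: In PATCH 2/3 (managing-secrets), the reason given in the commit message, "The guidance is to use individual secrets", does not appear anywhere in the page after the change. The hunk deletes the "Store multiple values per secret" section without leaving a sentence that states the rule or tells teams that already hold a YAML secret what to do with it. Suggest adding one line under "Access secrets from Terraform" or a short section saying that each value should be its own Key Vault secret. Also, the replacement sentence says secrets "can then be retrieved using" three data sources, but only `azurerm_key_vault_secret` returns a secret value: `azurerm_key_vault` returns the vault and `azurerm_key_vault_secrets` lists the secrets in it, so the sentence would be clearer if it said what each one is for.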
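Review bot: In PATCH 3/3 (prometheus), the new "Thanos" entry describes it only as an "Alternative to Influxdb" and does not say which of the two this setup actually uses, or when a service should choose one over the other. A reader configuring metrics storage cannot act on it as written. Suggest adding one sentence on the current default and, since the entry mentions Azure storage accounts as a backend, a pointer to where that storage account is provisioned and who has access to it.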