DFE-Digital · saliceti · Nov 21, 2024 · Nov 21, 2024 · Nov 21, 2024 · Nov 21, 2024
@@ -9,25 +9,25 @@ title: Docker Desktop
 The following information has been put together using;
 
  *  Edition	Windows 11 Enterprise Version	22H2 Installed on	‎13/‎03/‎2023 OS build	22621.2283 Experience	Windows Feature Experience Pack 1000.22662.1000.0
- 
+
  *  all instruction are for use with DFE laptops with developer settings
- 
+
  *  all images are built using standard docker tooling
- 
+
  *  development IDE is visual studio code
- 
+
  *  visual studio code has docker extension installed
- 
+
  *  development code is running nodejs
 
  *  development code is using npm as its package manager
 
 ## Installing Docker
 You will need access to docker-users group on the system user groups of your machine in order to run docker and possibly an update to the wsl kernal (achieve this by requesting a meeting with system administrator who will be able to screen share and run the update for you)
 
-[Requests should be made through the service portal](https://dfe.service-now.com/serviceportal) 
+[Requests should be made through the IT Help Centre](https://dfe.service-now.com/ithelpcentre)
 
-Use [User Access to restricted Groups](https://dfe.service-now.com/serviceportal?id=sc_cat_item&sys_id=59d68b331bd13050199d6397b04bcb23)
+Use [User Access to restricted Groups](https://dfe.service-now.com/ithelpcentre?id=sc_cat_item&table=sc_cat_item&sys_id=59d68b331bd13050199d6397b04bcb23)
 
 *  RequestedFor should be pre filled with your name
 
@@ -43,7 +43,7 @@ Use [User Access to restricted Groups](https://dfe.service-now.com/serviceportal
 
 and for the driver installation you should
 
-Use [Install device driver on my device](https://dfe.service-now.com/serviceportal?id=sc_cat_item&sys_id=c8748b941ba670904f999978b04bcb18&sysparm_category=09e18be6db2f8340865049ee3b96190f)
+Use [Install device driver on my device](https://dfe.service-now.com/ithelpcentre?id=sc_cat_item&sys_id=c8748b941ba670904f999978b04bcb18&sysparm_category=09e18be6db2f8340865049ee3b96190f)
 
 *  RequestedFor should be pre filled with your name, 'If you are doing this for another member of staff you can now change to there name
 
@@ -87,27 +87,27 @@ To get started, follow the steps below:
 
 * type in the terminal window 'npm init -y' this will build a simple project structure
 
-* once complete type in the terminal 'npm install express' 
+* once complete type in the terminal 'npm install express'
 
 * Create a file called index.js and add it to the root directory
 
-* Open index.js in the editor and add this line to the top of the file 
+* Open index.js in the editor and add this line to the top of the file
 
 ````
 
 const express = require('express');
 
 ````
 
-* Now below that add 
+* Now below that add
 
 ````
 
 const app = express();
 
 ````
 
-* and on the next line add 
+* and on the next line add
 
 ````
 
@@ -121,7 +121,7 @@ app.use(express.json());
 const PORT = process.env.PORT || 3000;
 
 ````
-* Now and add 
+* Now and add
 
 ```
 app.listen(PORT, () => {
@@ -135,15 +135,15 @@ app.get("/status", (request, response) => {
    const status = {
       "Status": "Running"
    };
-   
+
    response.send(status);
 });
 ````
 * Open package.json file and add to the script section of the file
 
 ````
- "start": "node index.js" 
- 
+ "start": "node index.js"
+
  ````
  making sure to add a comma to the end of the line above
 
@@ -175,14 +175,14 @@ app.get("/status", (request, response) => {
 
 * VSC will now build your image and your container and start it running which can be seen in the terminal window
 
-* Once started you can go back to your browser and enter 'http://localhost:3000/status' the browser should return 
+* Once started you can go back to your browser and enter 'http://localhost:3000/status' the browser should return
 ````
 {
   "Status": "Running"
 }
 ````
-* For more information on docker and compose goto: [How to use docker and compose](https://code.visualstudio.com/docs/containers/docker-compose) 
+* For more information on docker and compose goto: [How to use docker and compose](https://code.visualstudio.com/docs/containers/docker-compose)
 
 * For more information on docker extension in Vsc goto: [Overview of contaoners in VSC](https://code.visualstudio.com/docs/containers/overview)
 
-* For more information on docker and node starter kit in vsc goto: [Quick node starter page](https://code.visualstudio.com/docs/containers/quickstart-node)
+* For more information on docker and node starter kit in vsc goto: [Quick node starter page](https://code.visualstudio.com/docs/containers/quickstart-node)
@@ -13,17 +13,15 @@ It provides access to most Azure resources including App Services, Container Ins
 Portal: [https://portal.azure.com/](https://portal.azure.com/)
 
 ## Platform documentation
-* [CIP platform docs](https://docs.platform.education.gov.uk/index.html)
+* [CIP platform docs](https://docs.education.gov.uk/)
 
 ## Onboarding users
-Use this [service portal form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&referrer=recent_items) to create the onboarding request:
+Use this [IT Help Centre form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d) to create the onboarding request:
 
 1. From _Request type_ dropdown, select: _Azure Portal and DevOps User Account Request_
 1. From _Add/Change/Remove_ dropdown, select: _Add_
 1. Enter new users' email addresses
 
-If access to the service portal is not possible, ask the helpdesk (See [Support](/infrastructure/support/#helpdesk)) to "Invite --username-- to the CIP AAD. FAO of the Infrastructure Operations Team"
-
 Ask in #cloud-platform on Slack if more help is required.
 
 The new user will receive an invitation by email. Then the service administrators can add them to the service Azure Active Directory groups of the subscriptions: Managers and Delivery team.
@@ -32,7 +30,7 @@ To access Azure DevOps, the new user must access the [Azure DevOps CIP instance]
 
 ## Privileged Identity Management (PIM) Requests
 
-[Privileged Identity Management (PIM)](https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources at DfE such as access to staging and production environments.
+[Privileged Identity Management (PIM)](https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources at DfE such as access to staging and production environments. We use it for *Azure resources* and *Groups*.
 
 To request access to your eligible assignments, follow the steps below:
 
@@ -46,7 +44,7 @@ To request access to your eligible assignments, follow the steps below:
 
 * Click on `My roles` on the left hand side of the page, under `Tasks`
 
-* Click on `Azure resources` under `Activate`
+* Click on either `Azure resources` or `Groups` under `Activate`
 
 * You may have to lengthen the resource section in order to see the full resource name, including the environment
 
@@ -61,7 +59,7 @@ however an administrator can navigate to PIM using the search box (as documented
 
 
 ## Onboarding a service
-Use this [service portal form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&referrer=recent_items) to create the onboarding request and choose _Request type: On-Boarding request_. It should be filled in by a senior civil servant (G7 or above). This includes an onboarding form to attach. Finance must be agreed beforehand.
+Use this [IT Help Centre form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&referrer=recent_items) to create the onboarding request and choose _Request type: On-Boarding request_. It should be filled in by a senior civil servant (G7 or above). This includes an onboarding form to attach. Finance must be agreed beforehand.
 
 You will be given:
 
@@ -70,7 +68,7 @@ You will be given:
 * PIM (Privileged Identity Management) set up: members of the Delivery team can elevate their access themselves in staging, and request approval from a Manager in production.
 * A new project in Azure DevOps dfe-ssp organisation and corresponding service connections to the subscriptions
 
-The production subscription can be requested via the same [service portal form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&referrer=recent_items).
+The production subscription can be requested via the same [IT Help Centre form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&referrer=recent_items).
 Choose _Request type: Request production subscription_.
 
 ## Provisioned Azure DevOps
@@ -81,19 +79,12 @@ When a service is onboarded to CIP, an Azure DevOps project is automatically pro
 ## Azure Development
 Deployments should always be done via infrastructure as code. We recommend using [Terraform](/infrastructure/dev-tools/#terraform) or [ARM templates](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/overview).
 
-## Access from/to Internet
-Static public IPs are not permitted by default in CIP. Instead, Azure provides unique domain names but the IP may change.
-
-Should you require a static IP, it is possible to request an [Internet Access Service](https://docs.platform.education.gov.uk/docs/articles/resource-management/platform-firewalls/internet-access-service.html?q=internet). It provides routing from/to the internet via a static IP and a firewall. URLs accessed via the firewall must be whitelisted.
-
-Contact #cloud-platform to set it up.
-
 ## Azure service principal
 To be able to access Azure from an external system like Github actions, a service account is required. It is called a
 *service principal* in Azure, or *App regisration*. See the [Azure documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals).
 
 ### Create service principal
-In this example we create a service principal which has a custom role created in [Managing secrets](/infrastructure/security/managing-secrets/#request-roles). Submit a [CIP Request](https://dfe.service-now.com/ithelpcentre?id=sc_cat_item&table=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&searchTerm=cip) on Service Now using your education.gov.uk identity. Example:
+In this example we create a service principal which has a custom role created in [Managing secrets](/infrastructure/security/managing-secrets/#request-roles). Submit a [CIP Request](https://dfe.service-now.com/ithelpcentre?id=sc_cat_item&table=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d&searchTerm=cip) on Service Now. Example:
 
 ```
 Please create a new service principal named [subscription-prefix]-[service-abbreviation]-contributor. It will be used to deploy Azure resources from GitHub repositories in the DFE-Digital Github organisation.

@@ -16,12 +16,9 @@ Domain names are normally maintained by the [Infrastructure Operations](/infrast
 First a normal request is required to assign an engineer to the task and define the change window. Then a change request is raised to detail the implementation plan.
 
 ### Normal request
-Raise it in the [Service Now portal](https://dfe.service-now.com/serviceportal) portal:
+Raise it in the [IT Help Centre](https://dfe.service-now.com/ithelpcentre?id=ticket&table=sc_req_item&sys_id=dc46ab681bc6d250cace6283b24bcbbc&view=sp):
 
-* Request something
-* Categories: Non-standard
-* Any other request
-* Short description: Describe briefly the purpose of the request and mention it's a route53 domain change
+* Short description: Describe briefly the purpose of the request and mention it is a route53 domain change
 * Click "I confirm that the above results aren't relevant to my request"
 * Working from: Select either Home or Office
 * Category: Non-standard

@@ -21,6 +21,9 @@ Prometheus is the brains of the system providing the following functions:
 ### Influxdb
 Is a time series database to store metrics reliably and query them.
 
+### Thanos
+Alternative to Influxdb to store metrics using different storage backends, including Azure storage accounts.
+
 ### Alertmanager
 Receives alerts from prometheus and notifies users on various channels.
 

@@ -10,12 +10,12 @@ link_in_toc: true
 Statuscake is a cloud based tool used to constantly monitor the availability of websites and alert when they are not present.
 
 ### Access to the DfE account
-Use the [StatusCake form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=e7a004df1b399c502fe864606e4bcb21),
+Use the [StatusCake form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=e7a004df1b399c502fe864606e4bcb21),
 choose *Request account access* and enter your email address. This will give you access to the DFEStatusCake subaccount and you will be able to see
 all checks in DfE, modify contact groups and integrations. Checks can't be created manually, it is only allowed via an API key.
 
 ### Request API key
-Each service or service area (shared key) can request an API key to create the checks via automation. Use the [StatusCake form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=e7a004df1b399c502fe864606e4bcb21),
+Each service or service area (shared key) can request an API key to create the checks via automation. Use the [StatusCake form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=e7a004df1b399c502fe864606e4bcb21),
 choose *Request API key*. Enter the team's email address and the name of the service or service area.
 
 ### Contact Group

@@ -37,8 +37,7 @@ You will need to raise a request in Service Now to request roles for both the se
 The sample request may be used for all the subscriptions or one at a time.
 
 ### Sample Request
-Create a request in Service Now: Request something, Non-Standard, Any Other Request,
-Select an appropriate Category: Non Standard, Business Service: Shared IT Core services, Service Offering: CIP Platform
+Create a request using the [CIP Request form](https://dfe.service-now.com/ithelpcentre?id=sc_cat_item&table=sc_cat_item&sys_id=51b0b9c5db1ff7809402e1aa4b96197d). Example for a new "s146-getintoteachingwebsite-Contributor and Key Vault editor" custom role:
 
 ```
 Configure PIM access to Key Vault following the pattern in https://docs.platform.education.gov.uk/docs/blogs/platform-engineering/key-vault-rbac.html :
@@ -67,50 +66,4 @@ The secrets can then be retrieved using the [Azure/get-keyvault-secrets](https:/
 ## Access secrets from Terraform
 Login using the [service principal](/infrastructure/hosting/azure-cip/#github-actions) in Terraform.
 
-The secrets can then be retrieved using the [azurerm_key_vault data source](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault).
-
-## Store multiple values per secret
-
-The name of a secret must be hard coded in the systems retrieving it. When using infrastructure as code, this name may be present in multiple files which creates a burden to rename or add more secrets.
-
-An alternative is to store a file containing multiple secrets as key-value pairs, for example with `YAML`. The secrets can be added, removed or updated in the file without changing anything in the code.
-There are a number of ways to edit or read the secrets.
-
-### Edit using Azure CLI
-Create a YAML local file and upload it:
-
-```shell
-az keyvault secret set  --vault-name sXXXd01-kv --name TTA-KEYS --file local_file.yml
-```
-_Make sure to delete the local file after use._
-
-### Read using Azure CLI
-Print the file content:
-
-```shell
-az keyvault secret show  --vault-name sXXXd01-kv --name TTA-KEYS
-```
-_Make sure to clear the command line after use._
-
-Download to a local file:
-
-```shell
-az keyvault secret download  --vault-name sXXXd01-kv --name TTA-KEYS --file local_file.yml
-```
-_Make sure to delete the local file after use._
-
-### Read using GitHub Actions
-Use the [keyvault-yaml-secret action](https://github.com/DFE-Digital/keyvault-yaml-secret) to retrieve a secret from the YAML file.
-
-### Read using Terraform
-Use the [yamldecode](https://www.terraform.io/docs/language/functions/yamldecode.html) function to parse the YAML file and access individual values:
-
-```hcl
-infra_secrets = yamldecode(data.azurerm_key_vault_secret.infra_secrets.value)
-paas_password = infra_secrets["paas_password"]
-```
-
-### Read and write using the fetch_config.rb script
-[fetch_config.rb](https://github.com/DFE-Digital/bat-platform-building-blocks/tree/master/scripts/fetch_config) is a convenient ruby script to read and write securely to and from Azure Key Vault and transform into multiple formats.
-
-It is routinely used by developers. See `print-app-secrets` and `edit-app-secrets` in this [Makefile](https://github.com/DFE-Digital/publish-teacher-training/blob/master/Makefile) for example.
+The secrets can then be retrieved using the [azurerm_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault), [azurerm_key_vault_secrets](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secrets) and [azurerm_key_vault_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) data sources.
@@ -15,10 +15,10 @@ and are able to reset the password. See below.
 
 ## Shared email
 ### Outlook distribution list
-This creates a new email address and when emails are sent to it, the members of the distribution list receive them in their own inbox. To create it, use the [Distribution Lists service now form](https://dfe.service-now.com.mcas.ms/serviceportal?id=sc_cat_item&sys_id=a28540a5dbeeee005ca2fddabf961968).
+This creates a new email address and when emails are sent to it, the members of the distribution list receive them in their own inbox. To create it, use the [Distribution Lists service now form](https://dfe.service-now.com.mcas.ms/ithelpcentre?id=sc_cat_item&sys_id=a28540a5dbeeee005ca2fddabf961968).
 
 ### Outlook shared mailbox
-This creates a mailbox that can be shared with multiple users. It is displayed separately in Outlook and emails are stored there. Create a shared mailbox using [the service portal form](https://dfe.service-now.com.mcas.ms/serviceportal/?id=sc_cat_item&sys_id=5daf935837189240c033a16043990ecf&referrer=popular_items).
+This creates a mailbox that can be shared with multiple users. It is displayed separately in Outlook and emails are stored there. Create a shared mailbox using [the service now form](https://dfe.service-now.com.mcas.ms/ithelpcentre/?id=sc_cat_item&sys_id=5daf935837189240c033a16043990ecf&referrer=popular_items).
 
 ## Github account
 Request a new user from [Digital tools](<%= data.site.digital_tools %>).