
Release Infrastructure (BC 2.2.19)

Changelog

Infrastructure 2.2 Changes PDF file

Pre-requisites

  • Tenant admin account to grant admin consent
  • User with Owner permissions on the application registrations to update them (or use the tenant admin account)
  • User with Owner permissions on the Brief Connect Azure resource group
  • Existing Azure Front Door instance and a user with Contributor permissions to configure it
  • Exchange admin account
  • Teams administrator account
  • Azure DevOps Brief Connect project admin
  • Brief Connect admin account

Deployment steps (in order)

Please refer to the Deployment Guide Wiki throughout this update guide.

1. Update existing Azure Resources

Migrate Classic CDN to Azure Front Door

Migrate the existing Brief Connect CDN to Azure Front Door using these instructions: https://learn.microsoft.com/en-us/azure/cdn/migrate-tier. Preserve the CDN endpoint name and domain without changes.

Retain existing Log Analytics Workspace resource with existing logs

During the initial draft deployment it was identified that the Log Analytics Workspace (LAW) resource associated with the Application Insights resource is provisioned into a separate resource group. This deployment provisions a new LAW resource in the Brief Connect resource group together with the other BC resources. Keep the old LAW instance with the existing logs for at least 90 days after the deployment (the default retention time for application logs).

2. Set up granular Mail.Send application permissions using Role Based Access Control (RBAC) in Exchange Online

  1. Execute "8.1 Mail.Send Application role assignment" step from the deployment guide.

3. Update Azure DevOps service connection application permissions

Update the permissions of the Brief Connect DevOps app registration (or of whichever service principal the DevOps service connection uses to run release pipelines). Execute step "2.7.4 Assign permissions" from the deployment guide.

Step 2.7.4 describes the minimal required roles. You can apply them or any higher role if needed. For example, if the app registration already has the Owner role assigned at resource group level, you can keep it as-is and skip this step.

4. Update Azure DevOps Pipelines

Update variables in variable groups

Go to Brief Connect project - Pipelines - Library - Variable groups, and update the group associated with each environment.

| New name | Old name | Action / value |
| --- | --- | --- |
| - | organizationsAllowedToAccess | Delete variable |
| - | skipCosmosDbDeployment | Delete variable |
| - | skipKeyVaultDeployment | Delete variable |
| - | skipRedisDeployment | Delete variable |
| - | skipStorageAccountDeployment | Delete variable |
| - | userAssignedIdentityName | Delete variable |
| applicationDomainName | - | New variable. Domain name of the application. Example: cdne-syd-shared-tst-bc.azureedge.net |
| applicationName | appName | Rename variable, validate value |
| authorizedGroupId | authorizedGroupId | Validate value |
| authorizedGroupName | authorizedGroupName | Validate value |
| azureFunctionDomainName | - | New variable. Base API domain name, excluding the protocol. Find it on the migrated endpoint in the migrated AFD: the endpoint has two domains, and this variable needs the auto-generated one. Example: cdne-syd-shared-tst-bc-bkaye7eye2hyckc8.a02.azurefd.net |
| azureRegion | region | Rename variable, validate value |
| azureResourceGroupName | resourceGroupName | Rename variable, validate value |
| azureResourcesNamePrefix | main_prefix | Rename variable, validate value |
| azureStorageAccountDataName | - | New variable. Data Storage account name (the existing Brief Connect storage account). Example: stasydsharedtstbc |
| azureStorageAccountWebName | - | New variable. Static Web Assets storage account name (will be created). Example: stasydsharedtstbcweb |
| clientAppRegistrationClientId | - | New variable. Client ID of the Brief Connect Client application registration |
| devOpsAppRegistrationClientId | devops_app_registration_object_id | Rename variable, validate value |
| emailNotificationsServiceAccount | emailNotificationsServiceAccount | Validate value |
| serverAppRegistrationClientId | serverAppRegistrationClientId | Validate value |
| sharePointSiteUrl | sharePointSiteUrl | Validate value |
| teamsAppId | - | New variable. ID of the Teams app from the Teams manifest.json (shown as 'External app ID' in the Microsoft Teams admin centre) |
| tenantId | tenantIdsForAuth | Rename variable, validate value |
| topHeaderBannerText | - | New variable. Top header banner text. Example: "TEST environment", or empty for PROD |

Save the changes.
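A pre-flight check of an environment's group against the table above catches leftover old names and malformed values before the pipelines consume them. This is an added PowerShell example, not part of the Brief Connect project; the function name, the sample values and the placeholder GUIDs are assumptions:

```powershell
function Test-BriefConnectVariableGroup {
    param([Parameter(Mandatory)][hashtable]$Vars)
    $findings = [System.Collections.Generic.List[string]]::new()
    # Names that must no longer exist: deleted variables and pre-rename names from the table.
    $removed = 'organizationsAllowedToAccess', 'skipCosmosDbDeployment', 'skipKeyVaultDeployment',
        'skipRedisDeployment', 'skipStorageAccountDeployment', 'userAssignedIdentityName',
        'appName', 'region', 'resourceGroupName', 'main_prefix', 'devops_app_registration_object_id', 'tenantIdsForAuth'
    # Names that must be present and non-empty (topHeaderBannerText may legitimately be empty for PROD).
    $required = 'applicationDomainName', 'applicationName', 'authorizedGroupId', 'authorizedGroupName',
        'azureFunctionDomainName', 'azureRegion', 'azureResourceGroupName', 'azureResourcesNamePrefix',
        'azureStorageAccountDataName', 'azureStorageAccountWebName', 'clientAppRegistrationClientId',
        'devOpsAppRegistrationClientId', 'emailNotificationsServiceAccount', 'serverAppRegistrationClientId',
        'sharePointSiteUrl', 'teamsAppId', 'tenantId'
    $guids = 'authorizedGroupId', 'clientAppRegistrationClientId', 'devOpsAppRegistrationClientId',
        'serverAppRegistrationClientId', 'teamsAppId', 'tenantId'
    foreach ($n in $removed) { if ($Vars.ContainsKey($n)) { $findings.Add("'$n' must be deleted or renamed") } }
    foreach ($n in $required) { if ([string]::IsNullOrWhiteSpace($Vars[$n])) { $findings.Add("'$n' is missing or empty") } }
    if (-not $Vars.ContainsKey('topHeaderBannerText')) { $findings.Add("'topHeaderBannerText' is missing") }
    foreach ($n in $guids) {
        if ($Vars[$n] -and $Vars[$n] -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') { $findings.Add("'$n' is not a GUID") }
    }
    # Both domain variables are bare host names: no protocol, no path, no trailing slash.
    foreach ($n in 'applicationDomainName', 'azureFunctionDomainName') {
        if ($Vars[$n] -and $Vars[$n] -cnotmatch '^[a-z0-9][a-z0-9.-]*[a-z0-9]$') { $findings.Add("'$n' must be a host name only") }
    }
    # Azure storage account names are 3-24 lowercase letters and digits.
    foreach ($n in 'azureStorageAccountDataName', 'azureStorageAccountWebName') {
        if ($Vars[$n] -and $Vars[$n] -cnotmatch '^[a-z0-9]{3,24}$') { $findings.Add("'$n' is not a valid storage account name") }
    }
    if ($Vars['sharePointSiteUrl'] -and $Vars['sharePointSiteUrl'] -notmatch '^https://') { $findings.Add("'sharePointSiteUrl' must be an https URL") }
    return $findings
}

# Constructed sample for a TEST environment (IDs are placeholders). The leftover 'region' variable
# and the 'https://' prefix on azureFunctionDomainName are deliberate mistakes the check reports.
$sample = @{
    applicationDomainName = 'cdne-syd-shared-tst-bc.azureedge.net'; applicationName = 'Brief Connect'
    azureFunctionDomainName = 'https://cdne-syd-shared-tst-bc-bkaye7eye2hyckc8.a02.azurefd.net'
    region = 'australiaeast'; azureRegion = 'australiaeast'; azureResourceGroupName = 'rg-bc-test'
    azureResourcesNamePrefix = 'syd-shared-tst-bc'; azureStorageAccountDataName = 'stasydsharedtstbc'
    azureStorageAccountWebName = 'stasydsharedtstbcweb'; topHeaderBannerText = 'TEST environment'
    authorizedGroupId = '00000000-0000-0000-0000-000000000001'; authorizedGroupName = 'Brief Connect Users'
    clientAppRegistrationClientId = '00000000-0000-0000-0000-000000000002'
    serverAppRegistrationClientId = '00000000-0000-0000-0000-000000000003'
    devOpsAppRegistrationClientId = '00000000-0000-0000-0000-000000000004'
    teamsAppId = '00000000-0000-0000-0000-000000000005'; tenantId = '00000000-0000-0000-0000-000000000006'
    emailNotificationsServiceAccount = 'noreply@contoso.example'; sharePointSiteUrl = 'https://contoso.sharepoint.com/sites/bc'
}
Test-BriefConnectVariableGroup -Vars $sample   # reports the two deliberate mistakes; an empty result means the group is ready
```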

Update 'Deploy Brief Connect Azure Resources' release pipeline

You can find the release pipeline in Brief Connect project - Pipelines - Releases.

  1. Clone the existing release pipeline and keep the copy as a backup until the deployment is completed in all environments.
  2. Open the release pipeline, open the 3-dots menu, and select the Clone option.
  3. Update the name of the cloned pipeline and save it.
  4. Go to the original release pipeline (not the copy) and edit it. Remove the existing build artifacts.
  5. Add a new Artifact:
    • Source type: Azure Repos Git
    • Project: Brief Connect
    • Source (repository): Brief Connect - Azure Resources
    • Default branch: main
    • Default version: Latest from the default branch
    • Source alias: _AzureResources
    • Keep the rest as-is with the default values
  6. Update the tasks for each environment:
    • Delete the Extract files task.
    • Update the Bicep param file task:
      • Working Directory: $(System.DefaultWorkingDirectory)/_AzureResources/Bicep
      • Script: use the script below, adjusted for the environment:
        • Update the redisCacheSku param with the existing provisioned configuration (it was hardcoded in the Bicep template or in the param file).
        • Update functionAppServicePlan and userAssignedIdentityName with the existing provisioned resources for this environment.
        • Set logAnalyticsWorkspaceName to the existing resource name (the Log Analytics Workspace associated with the Application Insights resource).
        • Set storageAccountFuncName to the name for the new Function storage account (a new resource will be created with this name).
        • Validate that all remaining params match the existing resource names.
        • Update apiAppServicePlan to name: 'B1' and tier: 'Basic', or higher.

      # Variables from the linked variable group reach the script as environment variables.
      # ${ENV:name} is expanded by PowerShell while the file content is built; the backtick-escaped
      # `${...} forms are written literally so that Bicep interpolates them. On Linux agents the
      # environment variable names are uppercased and case-sensitive (e.g. AZUREREGION), so adjust
      # the ${ENV:...} references there. When pasting, keep the closing "@ at the start of its line.
      $file_content = @"
      using './main.bicep'
      
      var main_prefix = '${ENV:azureResourcesNamePrefix}'
      param region = '${ENV:azureRegion}'
      param authorizedGroupId = '${ENV:authorizedGroupId}'
      param authorizedGroupName = '${ENV:authorizedGroupName}'
      param serverAppRegistrationClientId = '${ENV:serverAppRegistrationClientId}'
      param clientAppRegistrationClientId = '${ENV:clientAppRegistrationClientId}'
      param m365tenantId = '${ENV:tenantId}'
      param sharePointSiteUrl = '${ENV:sharePointSiteUrl}'
      
      param redisCacheSku = {
      name: 'Basic'
      family: 'C'
      capacity: 0
      }
      
      param apiServicePlanName = 'apip-`${main_prefix}'
      param apiAppServicePlan = {
      name: 'B1'
      tier: 'Basic'
      }
      
      param functionAppServicePlanName =  'pfa-ap-`${main_prefix}'
      param functionAppServicePlan = {
      name: 'EP1'
      tier: 'ElasticPremium'
      }
      
      param redisInstanceName = 'rc-`${main_prefix}'
      param userAssignedIdentityName = 'briefconnect-managed-identity-test'
      param apiAppName = 'api-`${main_prefix}'
      param functionAppName = 'func-`${main_prefix}'
      param keyVaultName = 'kv-`${main_prefix}'
      param logAnalyticsWorkspaceName = 'managed-ai-`${main_prefix}-ws'
      param applicationInsightsName = 'ai-`${main_prefix}'
      
      param storageAccountWebName = '${ENV:azureStorageAccountWebName}'
      param storageAccountFuncName = 'stasydsharedtstbcfunc'
      param storageAccountDataName = '${ENV:azureStorageAccountDataName}'
      param cosmosDbAccountName = 'cdb-`${toLower(main_prefix)}'
      "@
      
      $file_content | Out-File -FilePath "parameters.bicepparam" -Encoding utf8
      
      # Prints the generated file into the pipeline log so the resolved parameters can be reviewed.
      Get-Content -Path "parameters.bicepparam"
      
    • Update the Azure CLI task:
      • Inline Script: az deployment group create --resource-group "$(azureResourceGroupName)" --template-file main.bicep --parameters parameters.bicepparam
      • Working Directory: $(System.DefaultWorkingDirectory)/_AzureResources/Bicep
  7. Save the updated pipeline.

Update 'Deploy Brief Connect App and Config' release pipeline

You can find the release pipeline in Brief Connect project - Pipelines - Releases.

  1. Clone the existing release pipeline and keep the copy as a backup until the deployment is completed in all environments.
  2. Open the release pipeline, open the 3-dots menu, and select the Clone option.
  3. Update the name of the cloned pipeline and save it.
  4. Go to the Variables section:
    • Delete all existing pipeline variables.
    • Add a new pipeline variable:
      • Name: Package Version
      • Value: empty
      • Scope: Release
      • Settable at release time: Yes
    • In the Variable groups section, link all variable groups to their related environments (TEST to TEST, UAT to UAT, etc.).
  5. Options tab - Release name format: set the value to v$(Package Version) ($(rev:r))
  6. Update the Validate package versions task:
    • Script:

      $packageVersion = "$(Package Version)";
      
      # Fail the release when no version was set at release time or the wildcard was used.
      # The PowerShell task defaults to errorActionPreference = Stop, so Write-Error fails the task.
      if (!$packageVersion -or ($packageVersion -eq "*"))
      {
         Write-Error "Please specify correct version for the package"
      }
      
  7. Update the Download Client task:
    • Version: $(Package Version)
  8. Update the Download Server task:
    • Version: $(Package Version)
  9. Update the Server: Backend API task:
    • App settings (under Application and Configuration Settings): set it blank
  10. Add a new task after Server: Backend API:
    • Type: Azure App Service Settings
    • Display name: Server: Backend API Config
    • Azure subscription: select the same service connection as in the Server: Backend API task
    • App Service name: select the same function app as in the Server: Backend API task
    • Resource group: select the resource group where the app is hosted
    • Slot: leave the default value
    • App Settings:

      [
         {
            "name": "TopHeaderBannerText",
            "value": "$(topHeaderBannerText)",
            "slotSetting": false
         },
         {
            "name": "AppUrl",
            "value": "https://$(applicationDomainName)",
            "slotSetting": false
         },
         {
            "name": "AppName",
            "value": "$(applicationName)",
            "slotSetting": false
         }
      ]
      
  11. Update the Server: External API task:
    • App settings (under Application and Configuration Settings): -AppUrl "https://$(applicationDomainName)"
  12. Update the Client: Create environment config file task:
    • Script:

      # Writes the client's runtime configuration; all values come from the linked variable group.
      '{
          "tenantId": "$(tenantId)",
          "clientId": "$(clientAppRegistrationClientId)",
          "apiScope": "api://$(applicationDomainName)/$(serverAppRegistrationClientId)/access_as_user",
          "baseUrl": "https://$(azureFunctionDomainName)"
      }' | Out-File "$(System.DefaultWorkingDirectory)/web/config.json" -Encoding utf8 -Force
      
  13. Update the Client: Deploy static CDN files task:
    • Display name: Client: Deploy static files
    • Inline script:

      [CmdletBinding()]
      Param(
         [string]$storageAccountName,
         [string]$workingDirectory
      )
      
      # The static site lives in the storage account's $web container; single quotes keep
      # PowerShell from expanding $web as a variable.
      Write-Host ""
      Write-Host "DELETE OLD FILES"
      Write-Host ""
      az storage blob delete-batch --source '$web' --account-name $storageAccountName
      
      # Note: the site is empty between the delete and the upload completing.
      Write-Host ""
      Write-Host "UPLOAD NEW FILES"
      Write-Host ""
      az storage blob upload-batch --source $workingDirectory/web --destination '$web' --account-name $storageAccountName
      
    • Script Arguments: -storageAccountName $(azureStorageAccountWebName) -workingDirectory $(System.DefaultWorkingDirectory)

5. Update Entra ID app registrations

Update Entra ID app registrations

Role required: Brief Connect Entra ID App Registration Owner (Owner role assigned on all 3 app registrations) or higher

  1. Execute the "2.13 Update Entra ID Apps" step from the deployment guide. Leave all optional parameters of the UpdateAppRegistrations.ps1 script empty; set values only for the required params.
  2. Open the Brief Connect Client application registration and update the Authentication settings: uncheck all token options and save the changes. If asked to confirm disabling the implicit flow, confirm it.
  3. Open the Brief Connect Server application registration and update the Authentication settings:
    • Uncheck all token options.
    • Remove all platforms from the Platform configurations section.
    • Save the changes. If asked to confirm disabling the implicit flow, confirm it.

Grant Entra ID app permissions

Role required: Global Administrator

Execute the next step for all application registrations (Client, Server, DevOps):

  1. Execute the "2.14 Grant Admin Consent" step from the deployment guide.

After granting admin consent for the configured permissions, remove all permissions listed in the "Other permissions granted for..." section.

6. Update Azure Resources

Key Vault permissions update

  1. Open the Brief Connect Key Vault resource instance in the Azure Portal.
  2. Go to Settings - Access configuration.
  3. Change the Permission model to "Azure role-based access control (recommended)" and save the changes.
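After steps 5 and 6, the resulting state of the app registrations and the Key Vault can be verified with read-only Azure CLI queries. This added PowerShell example is not part of the Brief Connect project; the function and parameter names and the placeholder values are assumptions, and it needs an 'az login' session allowed to read the two app registrations and the Key Vault:

```powershell
function Test-BriefConnectHardening {
    param(
        [Parameter(Mandatory)][string]$ClientAppId,   # clientAppRegistrationClientId
        [Parameter(Mandatory)][string]$ServerAppId,   # serverAppRegistrationClientId
        [Parameter(Mandatory)][string]$KeyVaultName
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($app in ([ordered]@{ Client = $ClientAppId; Server = $ServerAppId }).GetEnumerator()) {
        # az ad app show returns the Microsoft Graph application object as JSON.
        $reg = az ad app show --id $app.Value -o json | ConvertFrom-Json
        if ($LASTEXITCODE -ne 0 -or -not $reg) { $findings.Add("$($app.Key): app registration could not be read"); continue }
        # 'Uncheck all token options' means both implicit grant settings are false.
        $grant = $reg.web.implicitGrantSettings
        if ($grant.enableIdTokenIssuance -or $grant.enableAccessTokenIssuance) {
            $findings.Add("$($app.Key): implicit grant (ID/access token issuance) is still enabled")
        }
        if ($app.Key -eq 'Server') {
            # 'Remove all platforms' means no web, SPA or public-client redirect URIs remain.
            $uris = @(@($reg.web.redirectUris; $reg.spa.redirectUris; $reg.publicClient.redirectUris) | Where-Object { $_ })
            if ($uris.Count -gt 0) { $findings.Add("Server: redirect URIs still configured: $($uris -join ', ')") }
        }
    }
    # The Key Vault must be on the Azure RBAC permission model rather than access policies.
    $rbac = az keyvault show --name $KeyVaultName --query properties.enableRbacAuthorization -o tsv
    if ($LASTEXITCODE -ne 0) { $findings.Add("Key Vault '$KeyVaultName' could not be read") }
    elseif ($rbac -ne 'true') { $findings.Add("Key Vault '$KeyVaultName': permission model is not Azure RBAC") }
    return $findings
}

# Placeholders: take the real values from the environment's variable group and the keyVaultName param.
Test-BriefConnectHardening -ClientAppId '<clientAppRegistrationClientId>' `
    -ServerAppId '<serverAppRegistrationClientId>' -KeyVaultName '<keyVaultName>'
```

An empty result means all three checks passed; each finding names the resource and the setting that still needs attention.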

7. Run 'Deploy Brief Connect Azure Resources' pipeline

Create a new release using the latest infrastructure code and run the new release pipeline for the target stage.

8. Update Azure Resources

Key Vault certificate update

  1. Open the Brief Connect Key Vault resource instance in the Azure Portal.
  2. Go to Access control and grant yourself the Key Vault Administrator role.
  3. Go to Certificates, open the existing certificate, open its current version, select 'Download in PFX/PEM format' and save the file locally.
  4. Go back to the Certificates page and import the PFX/PEM certificate file from the previous step.
  5. For the certificate name, set the value "BriefConnect-Server-App".
  6. Soft-delete the old certificate (it can be restored during the retention period).
  7. Go to Access control and remove the role you granted to your own account (if necessary).

9. Integration with Azure Front Door

  1. Open the Azure Front Door instance in the Azure Portal.
  2. Apply the settings from step 5 of section "2.12 Integration with existing Azure Front Door instance" of the deployment guide to the existing default origin group created by the CDN profile migration. Make sure that the updated Host name and Origin host header values point to the static website hosted by the newly provisioned storage account (see the azureStorageAccountWebName variable).
  3. Execute step 6 of section "2.12 Integration with existing Azure Front Door instance" of the deployment guide.
  4. Apply the settings from step 7 of section 2.12 of the deployment guide to the existing default origin route created by the CDN profile migration, instead of creating a new one. Do not change the domain association; keep the route associated with both domains.
  5. Execute steps 8-9 of section "2.12 Integration with existing Azure Front Door instance" of the deployment guide.
  6. Open the Brief Connect resource group and go to the Data Storage account (the azureStorageAccountDataName variable in the DevOps library group).
  7. Go to Data management - Static website, disable the static website and save the changes.

10. Run 2.2.19 release deployment guide

Go through the 2.2.19 deployment guide and deploy the release to the target environment.