[DMS-1196] Add eng/azure-vm single + multi-tenant DMS deployment#1044
Open
simpat-jesus wants to merge 16 commits into
Open
[DMS-1196] Add eng/azure-vm single + multi-tenant DMS deployment#1044simpat-jesus wants to merge 16 commits into
simpat-jesus wants to merge 16 commits into
Conversation
Contributor
There was a problem hiding this comment.
PSScriptAnalyzer found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
ba21c67 to
401e013
Compare
…tup-env, infra-only reset, wget health checks
…no-new-privileges, nginx server_tokens, drop dead backend flags
…ApiSchema staging guards, Invoke-Az arg binding, repo clone path
…g smoke sampler, Basic-auth docs, MT discovery oauth known issue
…, named parameters, justified suppressions, drop dead insecureBootstrap flag
…eProxy forwarded-headers settings, ed-fi-api image repositories
…anted Keycloak realm-admin, clarify port-80 NSG intent, surgical portproxy mapping, fix SSH key guidance
…with confirmation, make seed val() fallbacks survive pipefail
…ained bootstrap under -SkipKeycloak, correct grandbend vs provisioning order in docs
…i.Api per DMS-1192 rebrand) so grandbend seeding resolves
… ConnectionStrings, CacheExpirationMinutes, HashingIterations) that bind to nothing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
eng/azure-vm/— tooling to stand up two DMS environments (single-tenant + multi-tenant with two isolated tenants) behind one NGINX gateway on a single Azure VM (Windows host running the Linux containers in WSL2), relational backend, Keycloak identity. Built for a third-party security review, but generic enough for any ST + MT-behind-a-gateway VM deployment.Reuses the existing bootstrap (no duplication)
compose/bootstrap/bootstrap.ps1imports the canonicaleng/Dms-Management.psm1andeng/docker-compose/setup-keycloak.ps1— no vendored copies.eng/docker-compose/bootstrap-published-dms.ps1(e.g.-SeedTemplate Populated). This folder adds only the delta that flow doesn't cover: the two-stack + gateway topology, the multi-tenant tenants, and the named review applications.Contents
provision/— Azure VM lifecycle + host setup. Windows + WSL2 is the canonical host (provision/windows/); the Linux/cloud-init flow is an alternative.compose/— two-stackdocker-compose.yml, NGINX gateway,keycloak.yml, PostgreSQL init, seed scripts (grandbend.shrelational template restore,clone-data.shmulti-tenant clone), andbootstrap/bootstrap.ps1.http/— REST Client walkthroughs + a curl smoke sampler (placeholders only).docs/infrastructure.md— architecture, endpoints, provisioning method, known issues.Security-review hardening
Addressed review feedback on the deployment tooling:
AppSettings__AuthenticationServiceadvertised an internaldms-keycloakURL via the Discovery API / OpenAPItokenUrl, unreachable by external clients. It now advertises the public Keycloak token URL (${PUBLIC_BASE_URL}/auth/realms/<realm>/protocol/openid-connect/token); docs,.httpsamples, and the smoke sampler updated to match. (JWT validation is unaffected — it uses the internalMetadataAddress.)setup-env.ps1(and theMANUAL.md/PORTAL.md/README.mdrunbooks) now bring up identity + CMS, run bootstrap, then start the DMS services (new-StartDmsswitch), instead of starting the full stack before bootstrap (which fail-fast crash-loops).up.shnow documents that bare invocation starts the full stack and is for restart/update only.docs/infrastructure.md; they go to a private vault /.env(gitignored).CMSAuthMetadataReadOnlyAccessKeycloak client, which was being created with the hardcoded default secret.dms-keycloaknetwork alias (hardening; it already resolved via thehostname:directive).Upstream-fix reconciliation
Two constraints the tooling originally documented as open blockers are now fixed upstream and present in
:preimages built ≥ 2026-06-24:DMS-1230([DMS-1230] Fix 404 on multi-tenant XSD metadata file endpoint #1048) — multi-tenant XSD metadata 404; MT can now be API-seeded directly.DMS-1231([DMS-1231] Restrict generated client secrets to Basic/form-safe characters #1047) — generated client secrets are now Basic/form-safe by construction.Docs reframed accordingly (
docker compose … pullto update a deployed env).seed/clone-data.shandgrandbend.share kept as faster seeding paths, not bug workarounds.Notes
DMS-1230, fixed upstream),+/%client secrets vs HTTP Basic (DMS-1231, fixed upstream), fail-fast startup ordering (DMS-1093/DMS-1109), and the relational populated template (DMS-1159).🤖 Generated with Claude Code