Skip to content

[DMS-1196] Add eng/azure-vm single + multi-tenant DMS deployment#1044

Open
simpat-jesus wants to merge 16 commits into
mainfrom
DMS-1196
Open

[DMS-1196] Add eng/azure-vm single + multi-tenant DMS deployment#1044
simpat-jesus wants to merge 16 commits into
mainfrom
DMS-1196

Conversation

@simpat-jesus

@simpat-jesus simpat-jesus commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds eng/azure-vm/ — tooling to stand up two DMS environments (single-tenant + multi-tenant with two isolated tenants) behind one NGINX gateway on a single Azure VM (Windows host running the Linux containers in WSL2), relational backend, Keycloak identity. Built for a third-party security review, but generic enough for any ST + MT-behind-a-gateway VM deployment.

Reuses the existing bootstrap (no duplication)

  • compose/bootstrap/bootstrap.ps1 imports the canonical eng/Dms-Management.psm1 and eng/docker-compose/setup-keycloak.ps1 — no vendored copies.
  • For standard single-stack bring-up + relational populated-template seeding, defer to eng/docker-compose/bootstrap-published-dms.ps1 (e.g. -SeedTemplate Populated). This folder adds only the delta that flow doesn't cover: the two-stack + gateway topology, the multi-tenant tenants, and the named review applications.

Contents

  • provision/ — Azure VM lifecycle + host setup. Windows + WSL2 is the canonical host (provision/windows/); the Linux/cloud-init flow is an alternative.
  • compose/ — two-stack docker-compose.yml, NGINX gateway, keycloak.yml, PostgreSQL init, seed scripts (grandbend.sh relational template restore, clone-data.sh multi-tenant clone), and bootstrap/bootstrap.ps1.
  • http/ — REST Client walkthroughs + a curl smoke sampler (placeholders only).
  • docs/infrastructure.md — architecture, endpoints, provisioning method, known issues.

Security-review hardening

Addressed review feedback on the deployment tooling:

  • OAuth metadata reachabilityAppSettings__AuthenticationService advertised an internal dms-keycloak URL via the Discovery API / OpenAPI tokenUrl, unreachable by external clients. It now advertises the public Keycloak token URL (${PUBLIC_BASE_URL}/auth/realms/<realm>/protocol/openid-connect/token); docs, .http samples, and the smoke sampler updated to match. (JWT validation is unaffected — it uses the internal MetadataAddress.)
  • Startup orderingsetup-env.ps1 (and the MANUAL.md / PORTAL.md / README.md runbooks) now bring up identity + CMS, run bootstrap, then start the DMS services (new -StartDms switch), instead of starting the full stack before bootstrap (which fail-fast crash-loops). up.sh now documents that bare invocation starts the full stack and is for restart/update only.
  • Secret handling — removed every prompt to copy generated secrets into the tracked docs/infrastructure.md; they go to a private vault / .env (gitignored).
  • Predictable credential — dropped the unused CMSAuthMetadataReadOnlyAccess Keycloak client, which was being created with the hardcoded default secret.
  • Keycloak DNS — added an explicit dms-keycloak network alias (hardening; it already resolved via the hostname: directive).

Upstream-fix reconciliation

Two constraints the tooling originally documented as open blockers are now fixed upstream and present in :pre images built ≥ 2026-06-24:

Docs reframed accordingly (docker compose … pull to update a deployed env). seed/clone-data.sh and grandbend.sh are kept as faster seeding paths, not bug workarounds.

Notes

  • Secret-free: no credentials, keys, or environment-specific hostnames are committed; per-deployment specifics live in a private deployment doc.
  • Tickets for constraints encountered during the review: multi-tenant XSD metadata (DMS-1230, fixed upstream), +/% client secrets vs HTTP Basic (DMS-1231, fixed upstream), fail-fast startup ordering (DMS-1093 / DMS-1109), and the relational populated template (DMS-1159).

🤖 Generated with Claude Code

@github-advanced-security github-advanced-security AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PSScriptAnalyzer found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@simpat-jesus simpat-jesus force-pushed the DMS-1196 branch 6 times, most recently from ba21c67 to 401e013 Compare July 6, 2026 22:43
…tup-env, infra-only reset, wget health checks
…no-new-privileges, nginx server_tokens, drop dead backend flags
…ApiSchema staging guards, Invoke-Az arg binding, repo clone path
…g smoke sampler, Basic-auth docs, MT discovery oauth known issue
…, named parameters, justified suppressions, drop dead insecureBootstrap flag
…eProxy forwarded-headers settings, ed-fi-api image repositories
…anted Keycloak realm-admin, clarify port-80 NSG intent, surgical portproxy mapping, fix SSH key guidance
…with confirmation, make seed val() fallbacks survive pipefail
…ained bootstrap under -SkipKeycloak, correct grandbend vs provisioning order in docs
…i.Api per DMS-1192 rebrand) so grandbend seeding resolves
… ConnectionStrings, CacheExpirationMinutes, HashingIterations) that bind to nothing
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants