the_order/docs/deployment/DEPLOYMENT_STEPS_SUMMARY.md
defiQUG 8649ad4124 feat: implement naming convention, deployment automation, and infrastructure updates
- Add comprehensive naming convention (provider-region-resource-env-purpose)
- Implement Terraform locals for centralized naming
- Update all Terraform resources to use new naming convention
- Create deployment automation framework (18 phase scripts)
- Add Azure setup scripts (provider registration, quota checks)
- Update deployment scripts config with naming functions
- Create complete deployment documentation (guide, steps, quick reference)
- Add frontend portal implementations (public and internal)
- Add UI component library (18 components)
- Enhance Entra VerifiedID integration with file utilities
- Add API client package for all services
- Create comprehensive documentation (naming, deployment, next steps)

Infrastructure:
- Resource groups, storage accounts with new naming
- Terraform configuration updates
- Outputs with naming convention examples

Deployment:
- Automated deployment scripts for all 15 phases
- State management and logging
- Error handling and validation

Documentation:
- Naming convention guide and implementation summary
- Complete deployment guide (296 steps)
- Next steps and quick start guides
- Azure prerequisites and setup completion docs

Note: ESLint warnings present - will be addressed in follow-up commit
2025-11-12 08:22:51 -08:00

# Deployment Steps Summary - Ordered by Execution Sequence

**Last Updated:** 2025-01-27
**Purpose:** Complete list of all deployment steps grouped by execution order


## Overview

This document lists all deployment steps in the exact order they must be executed. Steps are grouped into phases that can be executed sequentially, with some phases able to run in parallel (noted below).

**Total Phases:** 15
**Estimated Total Time:** 8-12 weeks (with parallelization)


## Phase 1: Prerequisites ⚙️

**Duration:** 1-2 days
**Can Run In Parallel:** No
**Dependencies:** None

### 1.1 Development Environment

  1. Install Node.js >= 18.0.0
  2. Install pnpm >= 8.0.0
  3. Install Azure CLI
  4. Install Terraform >= 1.5.0
  5. Install kubectl
  6. Install Docker (for local dev)
  7. Clone repository
  8. Initialize git submodules
  9. Install dependencies (`pnpm install`)
  10. Build all packages (`pnpm build`)

### 1.2 Azure Account

  1. Create Azure subscription (if needed)
  2. Login to Azure CLI (`az login`)
  3. Set active subscription
  4. Verify permissions (Contributor/Owner role)

### 1.3 Local Services (Optional)

  1. Start Docker Compose services (PostgreSQL, Redis, OpenSearch)

## Phase 2: Azure Infrastructure Setup 🏗️

**Duration:** 4-6 weeks
**Can Run In Parallel:** Yes (with Phase 3)
**Dependencies:** Phase 1

### 2.1 Azure Subscription Preparation

  1. Run `./infra/scripts/azure-setup.sh`
  2. Run `./infra/scripts/azure-register-providers.sh`
  3. Run `./infra/scripts/azure-check-quotas.sh`
  4. Review quota reports
  5. Verify all 13 resource providers registered

### 2.2 Terraform Infrastructure

  1. Navigate to `infra/terraform`
  2. Run `terraform init`
  3. Create Terraform state storage (resource group, storage account, container)
  4. Configure remote state backend in `versions.tf`
  5. Re-initialize Terraform with `terraform init -migrate-state`
  6. Run `terraform plan`
  7. Deploy resource groups
  8. Deploy storage accounts
  9. Deploy AKS cluster (configuration to be added)
  10. Deploy Azure Database for PostgreSQL (configuration to be added)
  11. Deploy Azure Key Vault (configuration to be added)
  12. Deploy Azure Container Registry (configuration to be added)
  13. Deploy Virtual Network (configuration to be added)
  14. Deploy Application Gateway/Load Balancer (configuration to be added)
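Steps 3 to 5 above (state storage, then the backend block in `versions.tf`) as an added shell example. This is not the repository's `azure-setup.sh` or Terraform code; the resource group, storage account, container and state key names follow the commit's provider-region-resource-env-purpose convention but are assumptions, as is the region. The rendering and validation functions run offline; the Azure calls only run when `RUN_BOOTSTRAP=1` is set.

```shell
#!/bin/sh
# Added example for steps 2.2.3-2.2.5 (not the repository's own script):
# bootstraps the Terraform remote-state storage and renders the backend block
# for versions.tf. Names below are assumptions, not project values.
set -eu

# Azure storage account names must be 3-24 characters, lowercase letters and
# digits only (the convention's hyphens have to be dropped for this resource type).
validate_storage_account_name() {
  name="$1"
  case "$name" in
    *[!a-z0-9]*) return 1 ;;
  esac
  [ "${#name}" -ge 3 ] && [ "${#name}" -le 24 ]
}

# Render the backend block that step 4 adds to versions.tf. use_azuread_auth makes
# Terraform authenticate with the caller's Entra identity (Storage Blob Data
# Contributor on the container) instead of a storage account key.
render_backend_config() {
  rg="$1"; sa="$2"; container="$3"; key="$4"
  printf 'terraform {\n  backend "azurerm" {\n'
  printf '    resource_group_name  = "%s"\n' "$rg"
  printf '    storage_account_name = "%s"\n' "$sa"
  printf '    container_name       = "%s"\n' "$container"
  printf '    key                  = "%s"\n' "$key"
  printf '    use_azuread_auth     = true\n  }\n}\n'
}

# Create the state storage (step 3). Shared-key and public blob access are
# disabled, TLS 1.2 is enforced, and versioning plus soft delete protect the
# state file against accidental overwrite or deletion.
bootstrap_state_storage() {
  rg="$1"; sa="$2"; container="$3"; location="$4"
  validate_storage_account_name "$sa" || { echo "invalid storage account name: $sa" >&2; return 1; }
  az group create --name "$rg" --location "$location" --output none
  az storage account create --name "$sa" --resource-group "$rg" --location "$location" \
    --sku Standard_GRS --kind StorageV2 --min-tls-version TLS1_2 \
    --allow-blob-public-access false --allow-shared-key-access false --output none
  az storage account blob-service-properties update --account-name "$sa" --resource-group "$rg" \
    --enable-versioning true --enable-delete-retention true --delete-retention-days 30 --output none
  az storage container create --name "$container" --account-name "$sa" --auth-mode login --output none
}

# Only touch Azure when explicitly asked; rendering the backend block is side-effect free.
if [ "${RUN_BOOTSTRAP:-0}" = "1" ]; then
  bootstrap_state_storage az-wus2-rg-prod-tfstate azwus2stprodtfstate tfstate westus2
fi
render_backend_config az-wus2-rg-prod-tfstate azwus2stprodtfstate tfstate the-order.prod.tfstate
```

Because shared-key access is disabled on the account, the identity that runs `terraform init -migrate-state` in step 5 needs the Storage Blob Data Contributor role on the container; without it the backend falls back to nothing and `init` fails early, which is the intended failure mode.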

### 2.3 Kubernetes Configuration

  1. Get AKS credentials (`az aks get-credentials`)
  2. Verify cluster access (`kubectl get nodes`)
  3. Configure Azure CNI networking
  4. Install External Secrets Operator
  5. Configure Azure Key Vault Provider for Secrets Store CSI
  6. Attach ACR to AKS (`az aks update --attach-acr`)
  7. Enable Azure Monitor for Containers
  8. Configure Log Analytics workspace

## Phase 3: Entra ID Configuration 🔐

**Duration:** 1-2 days
**Can Run In Parallel:** Yes (with Phase 2)
**Dependencies:** Phase 1

### 3.1 Azure AD App Registration

  1. Create App Registration in Azure Portal
  2. Note Application (client) ID
  3. Note Directory (tenant) ID
  4. Configure API permissions (Verifiable Credentials Service)
  5. Grant admin consent for permissions
  6. Create client secret
  7. Save client secret securely (only shown once)
  8. Configure redirect URIs for portals
  9. Configure logout URLs

### 3.2 Microsoft Entra VerifiedID

  1. Enable Verified ID service in Azure Portal
  2. Wait for service activation
  3. Create credential manifest
  4. Define credential type
  5. Define claims schema
  6. Note Manifest ID
  7. Verify Issuer DID format
  8. Test DID resolution

### 3.3 Azure Logic Apps (Optional)

  1. Create Logic App workflows (eIDAS, VC issuance, document processing)
  2. Note workflow URLs
  3. Generate access keys OR configure managed identity
  4. Grant necessary permissions
  5. Test workflow triggers

## Phase 4: Database & Storage Setup 💾

**Duration:** 1-2 days
**Dependencies:** Phase 2

### 4.1 PostgreSQL

  1. Create databases (dev, stage, prod)
  2. Create database users
  3. Grant privileges
  4. Configure firewall rules for AKS
  5. Test database connection

### 4.2 Storage Accounts

  1. Verify storage accounts created
  2. Create container: `intake-documents`
  3. Create container: `dataroom-deals`
  4. Create container: `credentials`
  5. Configure managed identity access
  6. Configure CORS (if needed)
  7. Enable versioning and soft delete

### 4.3 Redis Cache (If using Azure Cache)

  1. Create Azure Cache for Redis (Terraform to be added)
  2. Configure firewall rules
  3. Set up access keys
  4. Test connection

### 4.4 OpenSearch (If using managed service)

  1. Create managed OpenSearch cluster (Terraform to be added)
  2. Configure access
  3. Set up indices
  4. Test connection

## Phase 5: Container Registry Setup 📦

**Duration:** 1 day
**Dependencies:** Phase 2

### 5.1 Azure Container Registry

  1. Verify ACR created
  2. Enable admin user (or configure managed identity)
  3. Get ACR credentials
  4. Attach ACR to AKS (`az aks update --attach-acr`)
  5. Test ACR access from AKS

## Phase 6: Application Build & Package 🔨

**Duration:** 2-4 hours
**Dependencies:** Phase 1, Phase 5

### 6.1 Build Packages

  1. Build shared packages (`pnpm build`)
  2. Build `@the-order/ui`
  3. Build `@the-order/auth`
  4. Build `@the-order/api-client`
  5. Build `@the-order/database`
  6. Build `@the-order/storage`
  7. Build `@the-order/crypto`
  8. Build `@the-order/schemas`

### 6.2 Build Frontend Apps

  1. Build portal-public
  2. Build portal-internal

### 6.3 Build Backend Services

  1. Build `@the-order/identity`
  2. Build `@the-order/intake`
  3. Build `@the-order/finance`
  4. Build `@the-order/dataroom`

### 6.4 Create Docker Images

  1. Create `services/identity/Dockerfile` (to be created)
  2. Create `services/intake/Dockerfile` (to be created)
  3. Create `services/finance/Dockerfile` (to be created)
  4. Create `services/dataroom/Dockerfile` (to be created)
  5. Create `apps/portal-public/Dockerfile` (to be created)
  6. Create `apps/portal-internal/Dockerfile` (to be created)
  7. Login to ACR (`az acr login`)
  8. Build and push identity image
  9. Build and push intake image
  10. Build and push finance image
  11. Build and push dataroom image
  12. Build and push portal-public image
  13. Build and push portal-internal image
  14. Sign all images with Cosign (security best practice)

## Phase 7: Database Migrations 🗄️

**Duration:** 1-2 hours
**Dependencies:** Phase 4, Phase 6

### 7.1 Run Migrations

  1. Set `DATABASE_URL` for dev environment
  2. Run migrations for dev (`pnpm --filter @the-order/database migrate up`)
  3. Verify schema created (check tables)
  4. Set `DATABASE_URL` for staging environment
  5. Run migrations for staging
  6. Verify schema created
  7. Set `DATABASE_URL` for production environment
  8. Run migrations for production
  9. Verify schema created
  10. Run seed scripts (if needed)

## Phase 8: Secrets Configuration 🔒

**Duration:** 2-4 hours
**Dependencies:** Phase 2, Phase 3

### 8.1 Store Secrets in Key Vault

  1. Store `database-url-dev` in Key Vault
  2. Store `database-url-stage` in Key Vault
  3. Store `database-url-prod` in Key Vault
  4. Store `entra-tenant-id` in Key Vault
  5. Store `entra-client-id` in Key Vault
  6. Store `entra-client-secret` in Key Vault
  7. Store `entra-credential-manifest-id` in Key Vault
  8. Store `storage-account-name` in Key Vault
  9. Store `jwt-secret` in Key Vault
  10. Store `kms-key-id` in Key Vault
  11. Store `payment-gateway-api-key` in Key Vault
  12. Store `ocr-service-api-key` in Key Vault
  13. Store `eidas-api-key` in Key Vault
  14. Store other service-specific secrets

### 8.2 Configure External Secrets Operator

  1. Create SecretStore for Azure Key Vault (YAML to be created)
  2. Create ExternalSecret resources (YAML to be created)
  3. Apply SecretStore configuration
  4. Apply ExternalSecret configuration
  5. Verify secrets synced to Kubernetes
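Phases 8.1 and 8.2 together, as an added shell example (not the repository's own scripts or the "YAML to be created" in steps 1 and 2 above). It stores a Key Vault secret by reading the value from stdin instead of passing it as a command-line argument, and renders a `SecretStore` that reaches Key Vault through workload identity plus an `ExternalSecret` that maps Kubernetes secret keys to the Key Vault names listed in 8.1. The vault URL, namespace, service account and target secret names are assumptions.

```shell
#!/bin/sh
# Added example for Phases 8.1 and 8.2 (not the repository's own code): stores a
# secret in Key Vault without exposing its value on the command line, and renders
# the SecretStore / ExternalSecret manifests that sync it into a namespace.
# Vault URL, namespace, service-account and target names are assumptions.
set -eu

# Key Vault secret names: 1-127 characters, letters, digits and dashes only.
valid_kv_secret_name() {
  n="$1"
  case "$n" in
    "") return 1 ;;
    *[!A-Za-z0-9-]*) return 1 ;;
  esac
  [ "${#n}" -le 127 ]
}

# Step 8.1: the value is read from stdin (e.g. `store_secret kv jwt-secret < jwt.txt`),
# so it never lands in shell history or in `ps` output the way --value would.
store_secret() {
  vault="$1"; name="$2"
  valid_kv_secret_name "$name" || { echo "invalid secret name: $name" >&2; return 1; }
  az keyvault secret set --vault-name "$vault" --name "$name" --file /dev/stdin --output none
}

# Step 8.2.1: SecretStore using workload identity, so no client secret has to be
# stored in the cluster just to reach Key Vault.
render_secret_store() {
  name="$1"; namespace="$2"; vault_url="$3"; sa="$4"
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: $name
  namespace: $namespace
spec:
  provider:
    azurekv:
      authType: WorkloadIdentity
      vaultUrl: $vault_url
      serviceAccountRef:
        name: $sa
EOF
}

# Step 8.2.2: ExternalSecret mapping Kubernetes secret keys to Key Vault secret
# names, given as KEY=kv-secret-name pairs. Each Key Vault name is validated.
render_external_secret() {
  name="$1"; namespace="$2"; store="$3"; target="$4"; shift 4
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: $name
  namespace: $namespace
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: $store
    kind: SecretStore
  target:
    name: $target
    creationPolicy: Owner
  data:
EOF
  for pair in "$@"; do
    valid_kv_secret_name "${pair#*=}" || { echo "invalid secret name in $pair" >&2; return 1; }
    printf '    - secretKey: %s\n      remoteRef:\n        key: %s\n' "${pair%%=*}" "${pair#*=}"
  done
}

# Rendering for the identity service (all names assumed). Apply with:
#   render_secret_store ... | kubectl apply -f -
render_secret_store azure-kv identity https://az-wus2-kv-prod-app.vault.azure.net/ identity-sa
echo '---'
render_external_secret identity-secrets identity azure-kv identity-env \
  DATABASE_URL=database-url-prod \
  ENTRA_CLIENT_SECRET=entra-client-secret \
  JWT_SECRET=jwt-secret
```

Step 5 ("verify secrets synced") then reduces to checking that the `ExternalSecret` reports `SecretSynced` and that the target secret exists in the namespace; if the operator cannot read the vault, the status condition names the failing Key Vault secret, which is where a naming mismatch with 8.1 shows up first.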

## Phase 9: Infrastructure Services Deployment 🛠️

**Duration:** 1-2 days
**Dependencies:** Phase 2, Phase 8

### 9.1 External Secrets Operator

  1. Install External Secrets Operator
  2. Wait for operator to be ready
  3. Verify SecretStore working

### 9.2 Monitoring Stack

  1. Add Prometheus Helm repository
  2. Install Prometheus stack
  3. Configure Grafana
  4. Deploy OpenTelemetry Collector
  5. Configure exporters
  6. Set up trace collection

### 9.3 Logging Stack

  1. Deploy OpenSearch (if not using managed service)
  2. Configure Fluent Bit/Fluentd
  3. Configure log forwarding
  4. Set up log retention policies

## Phase 10: Backend Services Deployment 🚀

**Duration:** 2-4 days
**Dependencies:** Phase 6, Phase 7, Phase 8, Phase 9

### 10.1 Create Kubernetes Manifests

  1. Create `infra/k8s/base/identity/deployment.yaml` (to be created)
  2. Create `infra/k8s/base/identity/service.yaml` (to be created)
  3. Create `infra/k8s/base/intake/deployment.yaml` (to be created)
  4. Create `infra/k8s/base/intake/service.yaml` (to be created)
  5. Create `infra/k8s/base/finance/deployment.yaml` (to be created)
  6. Create `infra/k8s/base/finance/service.yaml` (to be created)
  7. Create `infra/k8s/base/dataroom/deployment.yaml` (to be created)
  8. Create `infra/k8s/base/dataroom/service.yaml` (to be created)

### 10.2 Deploy Identity Service

  1. Apply Identity Service manifests
  2. Verify pods running
  3. Check logs
  4. Test health endpoint
  5. Verify service accessible

### 10.3 Deploy Intake Service

  1. Apply Intake Service manifests
  2. Verify pods running
  3. Check logs
  4. Test health endpoint

### 10.4 Deploy Finance Service

  1. Apply Finance Service manifests
  2. Verify pods running
  3. Check logs
  4. Test health endpoint

### 10.5 Deploy Dataroom Service

  1. Apply Dataroom Service manifests
  2. Verify pods running
  3. Check logs
  4. Test health endpoint

### 10.6 Verify Service Communication

  1. Test internal service-to-service communication
  2. Verify service discovery working

## Phase 11: Frontend Applications Deployment 🎨

**Duration:** 1-2 days
**Dependencies:** Phase 6, Phase 10

### 11.1 Portal Public

  1. Create `infra/k8s/base/portal-public/deployment.yaml` (to be created)
  2. Create `infra/k8s/base/portal-public/service.yaml` (to be created)
  3. Create `infra/k8s/base/portal-public/ingress.yaml` (to be created)
  4. Apply Portal Public manifests
  5. Verify pods running
  6. Check logs
  7. Test application in browser

### 11.2 Portal Internal

  1. Create `infra/k8s/base/portal-internal/deployment.yaml` (to be created)
  2. Create `infra/k8s/base/portal-internal/service.yaml` (to be created)
  3. Create `infra/k8s/base/portal-internal/ingress.yaml` (to be created)
  4. Apply Portal Internal manifests
  5. Verify pods running
  6. Check logs
  7. Test application in browser

## Phase 12: Networking & Gateways 🌐

**Duration:** 2-3 days
**Dependencies:** Phase 10, Phase 11

### 12.1 Configure Ingress

  1. Deploy NGINX Ingress Controller (if not using Application Gateway)
  2. Create Ingress resources (YAML to be created)
  3. Apply Ingress configuration
  4. Verify ingress rules

### 12.2 Configure Application Gateway (If using)

  1. Create backend pools
  2. Configure routing rules
  3. Configure SSL termination
  4. Set up health probes

### 12.3 Configure DNS

  1. Create DNS record for `api.theorder.org`
  2. Create DNS record for `portal.theorder.org`
  3. Create DNS record for `admin.theorder.org`
  4. Verify DNS resolution

### 12.4 Configure SSL/TLS

  1. Install cert-manager (if using Let's Encrypt)
  2. Create ClusterIssuer
  3. Configure certificate requests
  4. Verify certificates issued
  5. Test HTTPS access

### 12.5 Configure WAF

  1. Set up OWASP rules
  2. Configure custom rules
  3. Set up rate limiting
  4. Configure IP allow/deny lists

## Phase 13: Monitoring & Observability 📊

**Duration:** 2-3 days
**Dependencies:** Phase 9, Phase 10, Phase 11

### 13.1 Application Insights

  1. Create Application Insights resource
  2. Add instrumentation keys to services
  3. Configure custom metrics
  4. Set up alerts

### 13.2 Log Analytics

  1. Create Log Analytics workspace
  2. Set up container insights
  3. Configure log forwarding
  4. Set up log queries

### 13.3 Set Up Alerts

  1. Create alert rule for high error rate
  2. Create alert rule for high latency
  3. Create alert rule for resource usage
  4. Configure email notifications
  5. Configure webhook actions
  6. Set up PagerDuty integration (if needed)

### 13.4 Configure Dashboards

  1. Create Grafana dashboard for service health
  2. Create Grafana dashboard for performance metrics
  3. Create Grafana dashboard for business metrics
  4. Create Grafana dashboard for error tracking
  5. Create Azure custom dashboards
  6. Configure shared dashboards
  7. Set up access permissions

## Phase 14: Testing & Validation

**Duration:** 3-5 days
**Dependencies:** All previous phases

### 14.1 Health Checks

  1. Verify all pods running
  2. Check all service endpoints
  3. Verify all health endpoints responding
  4. Check service logs for errors

### 14.2 Integration Testing

  1. Test Identity Service API endpoints
  2. Test Intake Service API endpoints
  3. Test Finance Service API endpoints
  4. Test Dataroom Service API endpoints
  5. Test Portal Public application
  6. Test Portal Internal application
  7. Test authentication flow
  8. Test API integration from frontend

### 14.3 End-to-End Testing

  1. Test user registration flow
  2. Test application submission flow
  3. Test credential issuance flow
  4. Test payment processing flow
  5. Test document upload flow
  6. Test complete user journeys

### 14.4 Performance Testing

  1. Run load tests (k6, Apache Bench, or JMeter)
  2. Verify response times acceptable
  3. Verify throughput meets requirements
  4. Verify resource usage within limits
  5. Optimize based on results

### 14.5 Security Testing

  1. Run Trivy security scan
  2. Check for exposed secrets
  3. Verify network policies configured
  4. Verify RBAC properly set up
  5. Verify TLS/SSL working
  6. Verify authentication required
  7. Test authorization controls

## Phase 15: Production Hardening 🔒

**Duration:** 2-3 days
**Dependencies:** Phase 14

### 15.1 Production Configuration

  1. Update replica counts for production
  2. Configure resource limits and requests
  3. Configure liveness probes
  4. Configure readiness probes
  5. Set up horizontal pod autoscaling
  6. Configure pod disruption budgets
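Steps 14.5.1 to 14.5.2 (image scan, exposed secrets) and 15.1.2 to 15.1.4 (resource limits, liveness and readiness probes) lend themselves to one pre-deploy gate, shown here as an added shell example that is not the repository's own tooling. It wraps Trivy for the image scan and runs heuristic checks over a manifest file: an env entry whose name looks secret-bearing but carries a literal `value:` instead of `valueFrom:`, and containers that lack probes or `resources.limits`. The two manifests it writes are constructed samples; the image name and probe paths are assumptions.

```shell
#!/bin/sh
# Added example for steps 14.5 and 15.1 (not the repository's own tooling): a pre-deploy
# gate that flags secret values pasted into env entries and containers missing probes or
# resource limits, plus a Trivy wrapper for the image scan. Sample manifests are constructed.
set -eu

# Step 14.5.1: fail the pipeline on HIGH/CRITICAL findings in a pushed image.
scan_image() {
  trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$1"
}

# Heuristic checks over one manifest; prints one finding per line, returns 1 if any.
#  - env entry whose name looks secret-bearing but has a literal value: (step 14.5.2)
#  - containers (counted by image:) lacking livenessProbe, readinessProbe or
#    resources.limits (steps 15.1.2-15.1.4)
gate_manifest() {
  findings=$(awk '
    /^ *- name:/ { n = $3 }
    /^ *value:/ && n ~ /(PASSWORD|SECRET|TOKEN|KEY|DATABASE_URL)/ { print "plaintext secret in env " n }
    /^ *image:/          { images++ }
    /^ *livenessProbe:/  { live++ }
    /^ *readinessProbe:/ { ready++ }
    /^ *limits:/         { limits++ }
    END {
      if (live < images)   print "containers without livenessProbe: " images - live
      if (ready < images)  print "containers without readinessProbe: " images - ready
      if (limits < images) print "containers without resources.limits: " images - limits
    }' "$1")
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
}

count_findings() { gate_manifest "$1" | wc -l | tr -d ' '; }

# Constructed samples: bad.yaml should be rejected, good.yaml should pass.
write_sample_manifests() {
  cat > "$1/bad.yaml" <<'EOF'
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: identity
          image: registry.example/identity:dev
          env:
            - name: LOG_LEVEL
              value: info
            - name: DATABASE_URL
              value: postgres://app:not-a-real-password@db:5432/identity
            - name: JWT_SECRET
              value: not-a-real-secret
          livenessProbe:
            httpGet: { path: /healthz, port: 3000 }
          resources:
            requests: { cpu: 100m }
EOF
  cat > "$1/good.yaml" <<'EOF'
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: identity
          image: registry.example/identity:dev
          env:
            - name: LOG_LEVEL
              value: info
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef: { name: identity-env, key: DATABASE_URL }
          livenessProbe:
            httpGet: { path: /healthz, port: 3000 }
          readinessProbe:
            httpGet: { path: /ready, port: 3000 }
          resources:
            requests: { cpu: 100m }
            limits: { cpu: 500m, memory: 256Mi }
EOF
}

dir=$(mktemp -d)
write_sample_manifests "$dir"
gate_manifest "$dir/bad.yaml" || echo "bad.yaml rejected, as intended"
gate_manifest "$dir/good.yaml" && echo "good.yaml accepted"
```

The env check is a name heuristic, so it will also flag harmless variables whose names contain `KEY`; treat its output as a review prompt rather than a verdict. The probe and limit counts assume one `image:` line per container, which holds for the manifests in 10.1 and 11.x but not for files that also embed image references elsewhere.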

### 15.2 Backup Configuration

  1. Configure database backups
  2. Configure storage backups
  3. Enable blob versioning
  4. Configure retention policies
  5. Set up geo-replication (if needed)
  6. Test backup restore procedures

### 15.3 Disaster Recovery

  1. Document backup procedures
  2. Test restore procedures
  3. Set up automated backups
  4. Configure multi-region deployment (if needed)
  5. Configure DNS failover
  6. Test disaster recovery procedures

### 15.4 Documentation

  1. Update deployment documentation
  2. Document all configuration
  3. Create operational runbooks
  4. Document troubleshooting steps
  5. Create incident response procedures
  6. Document escalation procedures

## Summary Statistics

  - **Total Steps:** 296
  - **Phases:** 15
  - **Estimated Duration:** 8-12 weeks
  - **Critical Path:** Phases 1 → 2 → 4 → 6 → 7 → 8 → 10 → 11 → 12 → 14 → 15
  - **Can Run in Parallel:** Phases 2 & 3

## Quick Status Tracking

### Completed Phases

  - Phase 1: Prerequisites
  - Phase 2: Azure Infrastructure Setup
  - Phase 3: Entra ID Configuration
  - Phase 4: Database & Storage Setup
  - Phase 5: Container Registry Setup
  - Phase 6: Application Build & Package
  - Phase 7: Database Migrations
  - Phase 8: Secrets Configuration
  - Phase 9: Infrastructure Services Deployment
  - Phase 10: Backend Services Deployment
  - Phase 11: Frontend Applications Deployment
  - Phase 12: Networking & Gateways
  - Phase 13: Monitoring & Observability
  - Phase 14: Testing & Validation
  - Phase 15: Production Hardening

## Next Steps After Deployment

  1. **Monitor:** Watch logs and metrics for the first 24-48 hours
  2. **Optimize:** Adjust resource allocations based on actual usage
  3. **Document:** Update runbooks with lessons learned
  4. **Train:** Train the operations team on the new infrastructure
  5. **Iterate:** Plan next deployment cycle improvements

See `DEPLOYMENT_GUIDE.md` for detailed instructions for each step.
See `DEPLOYMENT_QUICK_REFERENCE.md` for a quick command reference.