19.1 Infrastructure Deployment on Azure cloud

Infrastructure deployment on Azure cloud is defined using Terraform configurations. There are two methods to deploy the infrastructure on Azure; based on your requirement, you can deploy it either with the configuration generator or with the configuration templates.

19.1.1 Deployment using the Configuration Generator

Perform the following steps to generate the configuration files using the Identity Manager Configuration Generator.

IMPORTANT: You must have a machine with Docker installed and running to perform the following steps.

  1. Create a shared volume. For more information, see Managing Container Volume Data.

  2. Copy the certificates of your domain to the shared volume.

  3. Run the following command to load the Docker image:

    docker load --input docker-images/IDM_486_idm_conf_generator.tar.gz

  4. Navigate to the unzipped location and run the following command to deploy the configuration generator container:

    docker run --rm -it --name=idm_conf_generator -v /data:/config idm_conf_generator:idm-4.8.6

  5. The following table describes the new prompts:

    NOTE: For all the existing prompts, refer to the section Understanding the Configuration Parameters.

    Prompt: Do you want to deploy Identity Manager Containers on Azure? For secondary server deployment, please select n and proceed with silent property generation (y/n)?
    Description: Specify your choice to deploy Identity Manager Containers.
      • (Conditional) If Yes, proceed with the next prompt.
      • (Conditional) If No, enter the silent property file name with its absolute path. For example, /config/silent.properties.
        NOTE: For secondary server deployment, enter n and proceed with Creating the Silent Properties File.

    Prompt: Specify the namespace for Kubernetes Deployment.
    Description: Enter the namespace for the Kubernetes deployment. For example, idm.

    Prompt: Do you want to create a new Azure PostgreSQL Server instance?
    Description: Specify your choice to create a new Azure PostgreSQL Server instance.
      • (Conditional) If Yes, specify the prefix for the Azure PostgreSQL server name. For example, idmpgserver.
        NOTE: The entered prefix is suffixed with a hyphen and a randomly generated 14-digit number.
      • (Conditional) If No, proceed with the next prompt.

    Prompt: Enter the fully qualified domain name (FQDN) for accessing the Identity Manager web applications.
    Description: Specify the FQDN used to access the Identity Manager web applications. For example, identitymanager.eastus.cloudapp.azure.com.
      NOTE: Identity Manager web applications include Identity Applications, Identity Reporting, SSPR, OSP and Identity Console.

    Prompt: Enter the TLS certificate file.
    Description: Specify the TLS certificate file in PEM format, which contains the subject alternative name and common name for the domain specified above. For example, /config/tls.crt.

    Prompt: Enter the private key file for the TLS certificate.
    Description: Specify the private key file for the TLS certificate. For example, /config/tls.key.

    Prompt: Enter the number of instances you want to deploy on Azure for Identity Manager Engine (pod replicas)?
    Description: Specify the number of instances (pod replicas) to deploy on Azure for Identity Manager Engine. For example, 5.

    Prompt: Enter the number of instances you want to deploy on Azure for OSP (pod replicas)?
    Description: Specify the number of instances (pod replicas) to deploy on Azure for OSP. For example, 5.

    Prompt: Enter the number of instances you want to deploy on Azure for Identity Applications (pod replicas)?
    Description: Specify the number of instances (pod replicas) to deploy on Azure for Identity Applications. For example, 5.

    Prompt: Enter the Identity Vault Server Name.
    Description: Specify the Identity Vault server name. For example, IDVAULTSERVER.

    Prompt: Enter the Azure Service Principal ID.
    Description: Specify the Azure Service Principal ID generated in Section: Planning your deployment, Step 5.

    Prompt: Enter the Azure Service Password.
    Description: Specify the Azure service password generated in Section: Planning your deployment, Step 5.

    Prompt: Enter the Tenant ID of your Service Principal.
    Description: Specify the Tenant ID generated in Section: Planning your deployment, Step 5.

    Prompt: Enter the existing Azure Container Registry Server Name.
    Description: Specify the Azure Container Registry server name. Refer to Step 3.c.

    Prompt: Enter the Azure Container Registry user name.
    Description: Specify the Azure Container Registry user name. Refer to Step 3.c.

    Prompt: Enter the Azure Container Registry user password.
    Description: Specify the Azure Container Registry password. Refer to Step 3.c.

    Prompt: Enter the appropriate Azure Account ID printed above as-is without double quotes.
    Description: Specify the Azure Account ID generated in the above step.

    Prompt: Enter the Azure Resource Group Name.
    Description: Specify the Azure resource group name. For example, idvault-rg.

    Prompt: Enter the Azure Resource Group Location.
    Description: Specify the resource group location. For example, eastus.

    After answering all the prompts, the Identity Manager configuration generator performs the following actions:

    • If no resource group is available in Azure, a resource group is created.

    • A Key Vault and a storage account are created under the resource group.

    • All the sensitive information is pushed to the Key Vault.

      NOTE: To access the sensitive information in Azure Key Vault, refer to Quickstart: Azure Key Vault.

    • The IDM_4.8.6_Cloud_Deployment_files.zip file, which includes the Terraform files and Helm charts, is created under the shared volume.

  6. Log in to the Azure portal.

    NOTE: Azure Cloud Shell is automatically authenticated using the initially signed-in account. If you need to use a different account, run the az login command and sign in to the Azure CLI.

  7. Perform the following steps to upload the IDM_4.8.6_Cloud_Deployment_files.zip file to Azure Cloud Shell.

    1. Click .

    2. In the terminal window, click .

    3. Select the zip file to upload to Azure.

  8. Run the following command to extract the content of the zip file:

    unzip IDM_4.8.6_Cloud_Deployment_files.zip

  9. Navigate to the IDM_4.8.6_Cloud_Deployment_files directory.

  10. (Optional) Review the following files.

    • terraform.tfvars

    • values.yaml

  11. (Optional) Run the following command to create a storage account key:

    ACCOUNT_KEY=$(az storage account keys list --resource-group $AZURE_RESOURCE_GROUP_NAME --account-name $AZURE_STORAGE_ACCOUNT_FOR_TFSTATE --query '[0].value' -o tsv)

    For example,

    ACCOUNT_KEY=$(az storage account keys list --resource-group idvault-rg --account-name stract10226600913781 --query '[0].value' -o tsv)

  12. (Optional) Run the following command:

    export ARM_ACCESS_KEY=$ACCOUNT_KEY

  13. Run the following command to download all the plug-ins required for infrastructure deployment:

    terraform init

  14. Run the following command to plan and review the deployment based on the input:

    terraform plan

  15. Run the following command to create the infrastructure as defined in the input:

    terraform apply --auto-approve

    NOTE: If you see any errors while running the Terraform commands, refer to the troubleshooting section Running the Terraform apply Command Displays an Exception.

  16. (Optional) Run the following command to identify Azure account-specific information such as the storage account name, Key Vault name and database administrator details:

    terraform output

Once the Terraform commands are executed successfully, perform the steps mentioned in the Identity Manager Container Deployment on Azure Kubernetes Service to complete the Identity Manager container deployment on Azure.

19.1.2 Deployment using the Configuration Templates

Perform the following steps to update the configuration templates in your virtual machine.

  1. Navigate to the directory where you extracted the Identity_Manager_4.8.6_Containers.tar.gz file.

  2. Navigate to the Identity_Manager_4.8.6_Containers/terraform/ directory and run the following command to extract the contents of the zip file:

    unzip IDM_4.8.6_Azure_Terraform_Configuration.zip

  3. Go to the IDM_Azure_Terraform_Configuration folder and update the following fields in the terraform.tfvars file.

    Table 19-1

    Field: resource_group_name
    Description: Specify the Azure resource group name. For example, idvault-rg.

    Field: resource_group_location
    Description: Specify the resource group location. For example, eastus.

    Field: resource_group_exists
    Description: Specify whether the resource group already exists. For example, true.

    Field: keyvault_name
    Description: Specify a unique Key Vault name.

    Field: keyvault_exists
    Description: Specify whether the Key Vault already exists. For example, true.

    Field: image_registry_server
    Description: Specify the Azure Container Registry server name.

    Field: image_registry_server_username
    Description: Specify the Azure Container Registry user name.

    Field: image_registry_server_password
    Description: Specify the Azure Container Registry password.

    Field: aks_kubernetes_namespace
    Description: Enter the namespace for the Kubernetes deployment. For example, idm.

    Field: azure_postgres_server_name
    Description: Specify the Azure PostgreSQL server name. For example, idmpgserver.

    NOTE: All the remaining fields are pre-filled when the terraform.tfvars file is generated.

  4. Run the following command and sign in to the Azure CLI:

    az login

  5. Perform the following steps to store the Terraform state file in an Azure storage account:

    1. Run the following command to create a storage account in Azure:

      az storage account create --name "${AZURE_STORAGE_ACCOUNT_FOR_TFSTATE}" --resource-group "${AZURE_RESOURCE_GROUP_NAME}" --location "${AZURE_RESOURCE_GROUP_LOCATION}" --sku Standard_LRS --encryption-services blob

      For example,

      az storage account create --name stract10226600913781 --resource-group idvault-rg --location eastus --sku Standard_LRS --encryption-services blob

    2. Run the following command to create an Azure storage container:

      az storage container create -n terraform-state --account-name "${AZURE_STORAGE_ACCOUNT_FOR_TFSTATE}"

      For example,

      az storage container create -n terraform-state --account-name stract10226600913781

    3. Navigate to the Identity_Manager_4.8.6_Containers/terraform/IDM_Azure_Terraform_Configuration/ directory, open the main.tf file and update the following details in the backend "azurerm" block.

      Field: resource_group_name
      Description: Specify the Azure resource group name. For example, idvault-rg.

      Field: storage_account_name
      Description: Specify the Azure storage account name. For example, stract89671501132193.

      Field: container_name
      Description: Indicates the Azure storage container name. This field is auto-generated.

      Field: key
      Description: Indicates the Azure key name used for the Terraform state file. This field is auto-generated.

  6. Review the modified details in the terraform.tfvars and main.tf files and then upload the updated IDM_4.8.6_Azure_Terraform_Configuration.zip file to Azure Cloud Shell.

  7. Run the following command to download all the plug-ins required for infrastructure deployment:

    terraform init

  8. Run the following command to plan and review the deployment based on the input:

    terraform plan

  9. Run the following command to create the infrastructure as defined in the input:

    terraform apply --auto-approve

    NOTE: If you see any errors while running the Terraform commands, refer to the troubleshooting section Running the Terraform apply Command Displays an Exception.

  10. (Optional) Run the following command to identify Azure account-specific information such as the storage account name, Key Vault name and database administrator details:

    terraform output

  11. Run the following command to create a secret value in the Key Vault:

    az keyvault secret set --name idm-common-password --vault-name <key vault name> --value "novell@123"

    NOTE: Depending on your requirement, you can specify multiple secret values using the values.yaml file.

  12. Navigate to the directory where you generated the TLS certificates and run the following command to export the certificate and key to .pfx format:

    openssl pkcs12 -export -out tls.pfx -inkey tls.key -in tls.crt -passout pass:''

    NOTE: The tls.pfx file is used in the Key Vault to validate the secret values and keys.

  13. Upload the tls.pfx file to Azure Cloud Shell and run the following command to import the file into the Key Vault:

    az keyvault certificate import --vault-name <key vault name> -n "ingress-tls-cert" -f tls.pfx

    For example,

    az keyvault certificate import --vault-name idmkv20220712 -n "ingress-tls-cert" -f tls.pfx

  14. Navigate to the Identity_Manager_4.8.6_Containers/helm_charts/ directory and update the following fields in the values.yaml file.

    Table 19-2

    Section: Advanced Edition of Identity Manager
      Field: IS_ADVANCED_EDITION
      Description: Specify your choice to deploy the Advanced Edition of Identity Manager (true/false).

    Section: Azure PostgreSQL Server instance
      Field: AZURE_POSTGRESQL_REQUIRED
      Description: Specify your choice to use an Azure PostgreSQL server instance as the database server for Identity Applications and Reporting (y/n).

    Section: Registry credentials for Identity Manager Docker images
      Field: registry
      Description: Specify the Azure Container Registry server name.
      Field: name
      Description: Specify the name of the Kubernetes secret that contains the login credentials of the registry.

    Section: Data Persistence
      Fields: Persistent Storage for Identity Engine
        volumeClaimTemplate:
        • storageClassName
        • storageSize
      Description: Specify the storage class name and the storage size for the Volume Claim Template to be used by Identity Engine.
      Fields: Shared Persistent Storage
        • existingClaim
        dynamicClaim:
        • storageClassName
        • storageSize
      Description: If you want to use an existing Persistent Volume Claim (PVC), enter the name of the existing claim. Otherwise, for dynamic provisioning of the PVC, specify the storage class name and the storage size.

    Section: Secret Manager for sensitive data such as passwords, keys and certificates
      Field: azureKeyVaultName
      Description: Specify the name of the Azure Key Vault.
      Field: azureKeyVaultTenantId
      Description: Specify the Azure Key Vault tenant ID. Refer to the terraform output in Step 10.
      Field: azureUserAssignedIdentityID
      Description: Specify the client ID of the user-assigned managed identity used by the Azure Key Vault Secrets Provider. You can run the following Azure CLI command to retrieve the client ID of the identity:

        az aks show -g <Resource Group> -n <AKS Cluster Name> --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv

    Section: Ingress Configuration
      Field: host
      Description: Specify the domain name for accessing the Identity Manager web applications.
      Field: azureKeyVaultCertificateName
      Description: Specify the name of the Azure Key Vault certificate containing the TLS certificate and the private key.

    Section: Identity Engine Configuration
      Field: deploy
      Description: Specify your choice to deploy Identity Engine (true/false).
      Field: replicaCount
      Description: Specify the number of Identity Engine replica pods. For example: ‘2’.
      Field: ID_VAULT_TREENAME
      Description: Specify the Identity Vault tree name.
      Field: ID_VAULT_SERVER_CONTEXT
      Description: Specify the Identity Vault server context.
      Field: ID_VAULT_DRIVER_SET
      Description: Specify the Identity Vault default driver set name.
      Field: ID_VAULT_DEPLOY_CTX
      Description: Specify the Identity Vault default driver set deploy context.
      Field: ID_VAULT_ADMIN_LDAP
      Description: Specify the Identity Vault admin DN.
      Field: ID_VAULT_PASSWORD: secret
      Description: Specify the Azure Key Vault secret containing the Identity Vault admin password.
      Field: ID_VAULT_RSA_KEYSIZE
      Description: Specify the key size for the creation of RSA certificate authority keys and server keys.
      Field: ID_VAULT_EC_CURVE
      Description: Specify the curve for the creation of EC certificate authority keys and server keys.
      Field: ID_VAULT_CA_LIFE
      Description: Specify the certificate life for the creation of default server certificates.
      Fields: Resource requests and limits
        • cpu
        • memory
      Description: Specify the cpu and memory values of resource requests and limits for Identity Engine. For more details, refer to Resource Management for Pods and Containers.

    Section: One SSO Provider (OSP) Configuration
      Field: deploy
      Description: Specify your choice to deploy OSP (true/false).
      Field: replicaCount
      Description: Specify the number of OSP replica pods. For example: ‘2’.
      Field: OSP_CUSTOM_NAME
      Description: Specify the OSP custom login screen name.
      Field: SSO_SERVICE_PWD: secret
      Description: Specify the Azure Key Vault secret containing the OSP client password.
      Fields: Resource requests and limits
        • cpu
        • memory
      Description: Specify the cpu and memory values of resource requests and limits for OSP. For more details, refer to Resource Management for Pods and Containers.

    Section: Identity Applications Configuration
      Field: deploy
      Description: Specify your choice to deploy Identity Applications (true/false).
      Field: replicaCount
      Description: Specify the number of Identity Applications replica pods. For example: ‘2’.
      Field: UA_ADMIN
      Description: Specify the Identity Applications administrator DN.
      Field: UA_ADMIN_PWD: secret
      Description: Specify the Azure Key Vault secret containing the Identity Applications administrator password.
      Field: UA_WFE_DB_PLATFORM_OPTION
      Description: Specify the Identity Applications and Workflow Engine database platform. The supported values are postgres, oracle and mssql.
      Field: UA_ORACLE_DATABASE_TYPE
      Description: If the database platform is Oracle, specify the configuration of the database (sid/service).
      Field: UA_WFE_DB_HOST
      Description: Specify the Identity Applications and Workflow Engine database server host.
      Field: UA_WFE_DB_PORT
      Description: Specify the Identity Applications and Workflow Engine database server port number.
      Field: UA_DATABASE_NAME
      Description: Specify the Identity Applications database name.
      Field: WFE_DATABASE_NAME
      Description: Specify the Workflow Engine database name.
      Field: UA_WFE_DATABASE_USER
      Description: Specify the Identity Applications database user name.
      Field: UA_WFE_DATABASE_PWD: secret
      Description: Specify the Azure Key Vault secret containing the Identity Applications database user password.
      Fields: Resource requests and limits
        • cpu
        • memory
      Description: Specify the cpu and memory values of resource requests and limits for Identity Applications. For more details, refer to Resource Management for Pods and Containers.

    Section: Form Renderer Configuration
      Field: deploy
      Description: Specify your choice to deploy Form Renderer (true/false).
      Fields: Resource requests and limits
        • cpu
        • memory
      Description: Specify the cpu and memory values of resource requests and limits for Form Renderer. For more details, refer to Resource Management for Pods and Containers.

    Section: ActiveMQ Configuration
      Field: deploy
      Description: Specify your choice to deploy ActiveMQ (true/false).
      Fields: Resource requests and limits
        • cpu
        • memory
      Description: Specify the cpu and memory values of resource requests and limits for ActiveMQ. For more details, refer to Resource Management for Pods and Containers.

    Section: Identity Reporting Configuration
      Field: deploy
      Description: Specify your choice to deploy Identity Reporting (true/false).
      Field: RPT_ADMIN
      Description: Specify the Identity Reporting administrator DN.
      Field: RPT_ADMIN_PWD: secret
      Description: Specify the Azure Key Vault secret containing the Identity Reporting administrator password.
      Field: RPT_DATABASE_PLATFORM_OPTION
      Description: Specify the Identity Reporting database platform. The supported values are postgres, oracle and mssql.
      Field: RPT_ORACLE_DATABASE_TYPE
      Description: If the database platform is Oracle, specify the configuration of the database (sid/service).
      Field: RPT_DATABASE_HOST
      Description: Specify the Identity Reporting database host.
      Field: RPT_DATABASE_PORT
      Description: Specify the Identity Reporting database port number.
      Field: RPT_DATABASE_NAME
      Description: Specify the Identity Reporting database name.
      Field: RPT_DATABASE_USER
      Description: Specify the Identity Reporting database user.
      Field: RPT_DATABASE_SHARE_PASSWORD: secret
      Description: Specify the Azure Key Vault secret containing the Identity Reporting database account password.
      Fields: Resource requests and limits
        • cpu
        • memory
      Description: Specify the cpu and memory values of resource requests and limits for Identity Reporting. For more details, refer to Resource Management for Pods and Containers.

    Section: Self Service Password Reset (SSPR) Configuration
      Field: deploy
      Description: Specify your choice to deploy SSPR (true/false).
      Field: CONFIGURATION_PWD: secret
      Description: Specify the password that you want to create for an administrator to configure SSPR.
      Fields: Resource requests and limits
        • cpu
        • memory
      Description: Specify the cpu and memory values of resource requests and limits for SSPR. For more details, refer to Resource Management for Pods and Containers.

    Section: Identity Console Configuration
      Field: deploy
      Description: Specify your choice to deploy Identity Console (true/false).
      Field: ID_CONSOLE_USE_OSP
      Description: Specify whether to use One SSO Provider (OSP) as the login method for Identity Console. For example, ‘n’.
      Fields: Resource requests and limits
        • cpu
        • memory
      Description: Specify the cpu and memory values of resource requests and limits for Identity Console. For more details, refer to Resource Management for Pods and Containers.

    Section: Advanced Configuration
      Fields: DATA_CONTAINERS:
        • DATA_CONTAINERS_LDIF
        • ROOT_CONTAINER
        • GROUP_ROOT_CONTAINER
        • USER_CONTAINER
        • ADMIN_CONTAINER
      Description: Specify the LDIF configuration for creating the data containers, and the DNs for the root container, group root container, user container and admin container.
      Field: Kubernetes Cluster Domain: KUBE_SUB_DOMAIN
      Description: Specify the Kubernetes cluster domain.
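A pre-flight check for the Table 19-2 fields, as an added example (not code from the Identity Manager charts or documentation): it walks a parsed values.yaml and flags password fields that are not Key Vault secret references, identity values that are not GUIDs, an RSA key size below 2048, an unsupported or incomplete database platform setting, and a deployed component with no replicas. The top-level section keys and all values in SAMPLE_VALUES are constructed, since the chart's real layout is not shown on this page.

```python
# Pre-flight checks for the values.yaml fields of Table 19-2. Added example,
# not part of the Identity Manager charts; the top-level section keys and all
# values in SAMPLE_VALUES are constructed (load a real file with yaml.safe_load).
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
GUID_FIELDS = {"azureKeyVaultTenantId", "azureUserAssignedIdentityID"}
DB_PLATFORMS = {"postgres", "oracle", "mssql"}
ORACLE_TYPES = {"sid", "service"}
# platform field -> companion field that must be set when the platform is oracle
PLATFORM_FIELDS = {"UA_WFE_DB_PLATFORM_OPTION": "UA_ORACLE_DATABASE_TYPE",
                   "RPT_DATABASE_PLATFORM_OPTION": "RPT_ORACLE_DATABASE_TYPE"}

def check_section(path, section, findings):
    """Walk one mapping of values.yaml, appending problems to findings."""
    for key, value in section.items():
        where = f"{path}.{key}" if path else key
        if key.endswith(("_PWD", "_PASSWORD")):
            # Passwords must reference a Key Vault secret name, never a literal.
            secret = value.get("secret") if isinstance(value, dict) else None
            if not secret:
                findings.append(f"{where}: needs a non-empty 'secret' (Key Vault secret name)")
        elif key in GUID_FIELDS and not GUID_RE.match(str(value)):
            findings.append(f"{where}: expected a GUID, got {value!r}")
        elif key == "ID_VAULT_RSA_KEYSIZE" and int(value) < 2048:
            findings.append(f"{where}: RSA key size {value} is below 2048")
        elif key in PLATFORM_FIELDS and value not in DB_PLATFORMS:
            findings.append(f"{where}: unsupported platform {value!r}")
        elif (key in PLATFORM_FIELDS and value == "oracle"
              and section.get(PLATFORM_FIELDS[key]) not in ORACLE_TYPES):
            findings.append(f"{where}: oracle needs {PLATFORM_FIELDS[key]} = sid or service")
        elif (key == "replicaCount" and section.get("deploy", True)
              and (not isinstance(value, int) or value < 1)):
            findings.append(f"{where}: a deployed component needs replicaCount >= 1")
        elif isinstance(value, dict):
            check_section(where, value, findings)

def check_values(values):
    """Return the list of findings for a parsed values.yaml (empty means clean)."""
    findings = []
    check_section("", values, findings)
    return findings

SAMPLE_VALUES = {  # constructed: section keys are placeholders, not the chart's own
    "secretManager": {
        "azureKeyVaultName": "idmkv20220712",
        "azureKeyVaultTenantId": "0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",
        "azureUserAssignedIdentityID": "not-a-guid",
    },
    "identityEngine": {
        "deploy": True, "replicaCount": 2, "ID_VAULT_RSA_KEYSIZE": 1024,
        "ID_VAULT_PASSWORD": {"secret": "idm-common-password"},
    },
    "identityApplications": {
        "deploy": True, "replicaCount": 0,
        "UA_ADMIN_PWD": "plain-text-password",  # literal instead of a secret name
        "UA_WFE_DB_PLATFORM_OPTION": "oracle",  # but UA_ORACLE_DATABASE_TYPE is unset
        "UA_WFE_DATABASE_PWD": {"secret": ""},
    },
}

if __name__ == "__main__":
    print("\n".join(check_values(SAMPLE_VALUES)) or "values.yaml looks consistent")
```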

After updating the terraform.tfvars and values.yaml files, follow the steps in Identity Manager Container Deployment on Azure Kubernetes Service to complete the Identity Manager container deployment on Azure.
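A parser and sanity check for the Table 19-1 terraform.tfvars fields, as an added example (not code from the Identity Manager package): it reads the flat key = value assignments, confirms that every field from the table is present, that resource_group_exists and keyvault_exists are unquoted booleans, that keyvault_name and aks_kubernetes_namespace follow Azure Key Vault and Kubernetes naming rules, and reminds that the file carries the registry password in clear text. SAMPLE_TFVARS is a constructed file with placeholder values.

```python
# Parser and sanity checks for the terraform.tfvars fields of Table 19-1.
# Added example, not part of the Identity Manager package; SAMPLE_TFVARS is a
# constructed file with placeholder values, in the shape the table describes.
import re

REQUIRED = ("resource_group_name", "resource_group_location", "resource_group_exists",
            "keyvault_name", "keyvault_exists", "image_registry_server",
            "image_registry_server_username", "image_registry_server_password",
            "aks_kubernetes_namespace", "azure_postgres_server_name")
BOOLEAN = {"resource_group_exists", "keyvault_exists"}
# key = "string" or key = true/false, optionally followed by a # or // comment
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(?:"([^"\\]*)"|(true|false))'
                       r'\s*(?:(?:#|//).*)?$')
# Azure Key Vault names: 3-24 letters, digits or hyphens, starting with a letter.
KEYVAULT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")
# A Kubernetes namespace must be a lower-case RFC 1123 label.
NAMESPACE_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

def parse_tfvars(text):
    """Parse flat key = value assignments into a dict of str or bool values."""
    values = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", "//")):
            continue
        m = ASSIGN_RE.match(raw)
        if not m:
            raise ValueError(f"unsupported tfvars syntax: {raw!r}")
        key, string, boolean = m.groups()
        values[key] = string if string is not None else boolean == "true"
    return values

def check_tfvars(values):
    """Return findings for the Table 19-1 fields (an empty list means clean)."""
    findings = []
    for key in REQUIRED:
        if key not in values:
            findings.append(f"{key}: missing")
        elif key in BOOLEAN and not isinstance(values[key], bool):
            findings.append(f"{key}: must be an unquoted true or false, got {values[key]!r}")
        elif key not in BOOLEAN and values[key] == "":
            findings.append(f"{key}: is empty")
    kv = str(values.get("keyvault_name", ""))
    if kv and (not KEYVAULT_RE.match(kv) or "--" in kv):
        findings.append(f"keyvault_name: {kv!r} is not a valid Key Vault name")
    ns = str(values.get("aks_kubernetes_namespace", ""))
    if ns and not NAMESPACE_RE.match(ns):
        findings.append(f"aks_kubernetes_namespace: {ns!r} is not a valid namespace")
    if values.get("image_registry_server_password"):  # clear-text credential in the file
        findings.append("image_registry_server_password: keep this file out of version control")
    return findings

SAMPLE_TFVARS = """\
# constructed sample; EXAMPLE values are placeholders
resource_group_name            = "idvault-rg"
resource_group_location        = "eastus"
resource_group_exists          = true
keyvault_name                  = "idm--kv"       # consecutive hyphens are not allowed
keyvault_exists                = "true"          # quoted, so not a boolean
image_registry_server          = "EXAMPLE.azurecr.io"
image_registry_server_username = "EXAMPLE-USER"
image_registry_server_password = "EXAMPLE-PASSWORD"
aks_kubernetes_namespace       = "IDM"           # upper case is not a valid namespace
"""
```

Run check_tfvars(parse_tfvars(open("terraform.tfvars").read())) before terraform init; in the sample, azure_postgres_server_name is deliberately missing.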