Infrastructure deployment on Azure cloud is defined using Terraform configurations. There are two methods to deploy the infrastructure on Azure. Depending on your requirements, you can deploy the infrastructure either with the configuration generator or with the configuration templates.
Perform the following steps to generate the configuration files using the Identity Manager Configuration Generator.
IMPORTANT: You must have a machine with Docker installed and running to perform the following steps.
Create a shared volume. For more information, see Managing Container Volume Data.
Copy the certificates of your domain to the shared volume.
Run the following command to load the docker image:
docker load --input docker-images/IDM_487_idm_conf_generator.tar.gz
Navigate to the unzipped location and run the following command to deploy the configuration generator container:
docker run --rm -it --name=idm_conf_generator -v /data:/config idm_conf_generator:idm-4.8.7
The following table provides information on the new prompts:
NOTE: For all the existing prompts, refer to the section Understanding the Configuration Parameters.
Prompt | Description
---|---
Do you want to deploy Identity Manager Containers on Azure? For secondary server deployment, please select n and proceed with silent property generation (y/n)? | Specify your choice to deploy Identity Manager Containers.
Specify the namespace for Kubernetes Deployment. | Enter the namespace for Kubernetes Deployment. For example, idm.
Do you want to create a new Azure PostgreSQL Server instance? | Specify your choice to create a new Azure PostgreSQL Server instance.
Enter the fully qualified domain name (FQDN) for accessing the Identity Manager web applications. | Specify the FQDN to access the Identity Manager web applications. For example, identitymanager.eastus.cloudapp.azure.com. NOTE: Identity Manager web applications include Identity Applications, Identity Reporting, SSPR, OSP and Identity Console.
Enter the TLS certificate file. | Specify the TLS certificate file in PEM format, which contains the subject alternative name and common name for the domain specified above. For example, /config/tls.crt.
Enter the private key file for the TLS certificate. | Specify the private key file for the TLS certificate. For example, /config/tls.key.
Enter the number of instances you want to deploy on Azure for Identity Manager Engine (pod replicas)? | Specify the number of instances (pod replicas) to deploy on Azure for Identity Manager Engine. For example, 5.
Enter the number of instances you want to deploy on Azure for OSP (pod replicas)? | Specify the number of instances (pod replicas) to deploy on Azure for OSP. For example, 5.
Enter the number of instances you want to deploy on Azure for Identity Applications (pod replicas)? | Specify the number of instances (pod replicas) to deploy on Azure for Identity Applications. For example, 5.
Enter the Identity Vault Server Name. | Specify the Identity Vault Server Name. For example, IDVAULTSERVER.
Enter the Azure Service Principal ID. | Specify the Azure Service Principal ID generated in Section: Planning your deployment, Step 5.
Enter the Azure Service Password. | Specify the Azure service password generated in Section: Planning your deployment, Step 5.
Enter the Tenant ID of your Service Principal. | Specify the Tenant ID generated in Section: Planning your deployment, Step 5.
Enter the existing Azure Container Registry Server Name. | Specify the Azure Container Registry Server Name. Refer to Step 3.c.
Enter the Azure Container Registry user name. | Specify the Azure Container Registry user name. Refer to Step 3.c.
Enter the Azure Container Registry user password. | Specify the Azure Container Registry password. Refer to Step 3.c.
Enter the appropriate Azure Account ID printed above as-is without double quotes. | Specify the Azure Account ID generated in the above step.
Enter the Azure Resource Group Name. | Specify the Azure Resource Group name. For example, idvault-rg.
Enter the Azure Resource Group Location. | Specify the Resource Group Location. For example, eastus.
After you have answered all the prompts, the Identity Manager configuration generator performs the following actions:
If the specified resource group does not exist in Azure, it is created.
A Key Vault and a storage account are created under the resource group.
All the sensitive information is pushed to the Key Vault.
NOTE: To access the sensitive information in Azure Key Vault, refer to Quickstart: Azure Key Vault.
The IDM_4.8.7_Cloud_Deployment_files.zip file, containing the Terraform files and Helm charts, is created in the shared volume.
Log in to the Azure portal.
NOTE: Azure Cloud Shell is automatically authenticated using the initially signed-in account. If you need to use a different account, run the az login command and sign in to the Azure CLI.
Perform the following steps to upload the IDM_4.8.7_Cloud_Deployment_files.zip file to Azure Cloud Shell.
Click .
In the terminal window, click .
Select the zip file to upload to Azure.
Run the following command to extract the content of the zip file:
unzip IDM_4.8.7_Cloud_Deployment_files.zip
Navigate to the IDM_4.8.7_Cloud_Deployment_files directory.
(Optional) Review the following files.
terraform.tfvars
values.yaml
(Optional) Run the following command to retrieve the storage account key and store it in a shell variable:
ACCOUNT_KEY=$(az storage account keys list --resource-group $AZURE_RESOURCE_GROUP_NAME --account-name $AZURE_STORAGE_ACCOUNT_FOR_TFSTATE --query '[0].value' -o tsv)
For example,
ACCOUNT_KEY=$(az storage account keys list --resource-group idvault-rg --account-name stract10226600913781 --query '[0].value' -o tsv)
(Optional) Run the following command to pass the key to the Terraform azurerm backend through the environment, so that it does not have to be written into any configuration file:
export ARM_ACCESS_KEY=$ACCOUNT_KEY
Run the following command to download the provider plug-ins required for the infrastructure deployment.
terraform init
Run the following command to plan and review the deployment based on your input.
terraform plan
Run the following command to create the infrastructure as defined in your input.
terraform apply --auto-approve
NOTE: If you see any errors while running the Terraform commands, refer to the troubleshooting section Running the Terraform apply Command Displays an Exception.
(Optional) Run the following command to display Azure account specific information such as the storage account name, key vault name and database administrator details.
terraform output
Once the Terraform commands have completed successfully, perform the steps described in Identity Manager Container Deployment on Azure Kubernetes Service to complete the Identity Manager container deployment on Azure.
Perform the following steps to update the configuration templates on your virtual machine.
Navigate to the directory where you extracted the Identity_Manager_4.8.7_Containers.tar.gz file.
Navigate to the Identity_Manager_4.8.7_Containers/terraform/ directory and run the following command to extract the contents of the zip file.
unzip IDM_4.8.7_Azure_Terraform_Configuration.zip
Go to the IDM_Azure_Terraform_Configuration folder and update the following fields in the terraform.tfvars file.
Table 19-1
Fields | Description
---|---
resource_group_name | Specify the Azure Resource Group name. For example, idvault-rg.
resource_group_location | Specify the Resource Group Location. For example, eastus.
resource_group_exists | Specify whether the resource group already exists. For example, true.
keyvault_name | Specify a unique key vault name.
keyvault_exists | Specify whether the key vault already exists. For example, true.
image_registry_server | Specify the Azure Container Registry Server Name.
image_registry_server_username | Specify the Azure Container Registry username.
image_registry_server_password | Specify the Azure Container Registry password.
aks_kubernetes_namespace | Enter the namespace for Kubernetes Deployment. For example, idm.
azure_postgres_server_name | Specify the Azure PostgreSQL server name. For example, idmpgserver.
NOTE: All the remaining fields are pre-filled when the terraform.tfvars file is generated.
Run the following command and sign in to the Azure CLI.
az login
Perform the following steps to store the Terraform state file in an Azure storage account:
Run the following command to create a storage account in Azure.
az storage account create --name "${AZURE_STORAGE_ACCOUNT_FOR_TFSTATE}" --resource-group "${AZURE_RESOURCE_GROUP_NAME}" --location "${AZURE_RESOURCE_GROUP_LOCATION}" --sku Standard_LRS --encryption-services blob
For example,
az storage account create --name stract10226600913781 --resource-group idvault-rg --location eastus --sku Standard_LRS --encryption-services blob
Run the following command to create an Azure storage container:
az storage container create -n terraform-state --account-name "${AZURE_STORAGE_ACCOUNT_FOR_TFSTATE}"
For example,
az storage container create -n terraform-state --account-name stract10226600913781
Navigate to the Identity_Manager_4.8.7_Containers/terraform/IDM_Azure_Terraform_Configuration/ directory, open the main.tf file, and update the following details under the backend "azurerm" block.
Fields | Description
---|---
resource_group_name | Specify the Azure Resource Group name. For example, idvault-rg.
storage_account_name | Specify the Azure storage account name. For example, stract89671501132193.
container_name | Indicates the Azure container name. This field is auto-generated.
key | Indicates the Azure key name. This field is auto-generated.
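As an added illustration (not the product's own main.tf), this is what the backend "azurerm" block looks like once the two fields above are filled in. It assumes the resource group and storage account names used as examples on this page and the terraform-state container created in the previous step; the key value is a placeholder, because the generated main.tf supplies its own.

```hcl
# Example backend block for main.tf (added illustration, not the product template).
# resource_group_name and storage_account_name are the example values from this page;
# container_name is the container created with "az storage container create";
# key is a placeholder for the auto-generated state file name.
terraform {
  backend "azurerm" {
    resource_group_name  = "idvault-rg"
    storage_account_name = "stract89671501132193"
    container_name       = "terraform-state"
    key                  = "<auto-generated-key>"

    # Deliberately no access_key attribute: the storage account key is supplied at
    # run time through the ARM_ACCESS_KEY environment variable (the optional export
    # step earlier on this page), or looked up with the az login session when that
    # variable is unset. Keeping it out of main.tf means the credential is never
    # packed into the zip file uploaded to Cloud Shell or checked into version control.
  }
}
```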
Review the modified details in the terraform.tfvars and main.tf files, and then upload the updated IDM_4.8.7_Azure_Terraform_Configuration.zip file to Azure Cloud Shell.
Run the following command to download the provider plug-ins required for the infrastructure deployment.
terraform init
Run the following command to plan and review the deployment based on your input.
terraform plan
Run the following command to create the infrastructure as defined in your input.
terraform apply --auto-approve
NOTE: If you see any errors while running the Terraform commands, refer to the troubleshooting section Running the Terraform apply Command Displays an Exception.
(Optional) Run the following command to display Azure account specific information such as the storage account name, key vault name and database administrator details.
terraform output
Run the following command to create a secret value in the key vault.
az keyvault secret set --name idm-common-password --vault-name <key vault name> --value "novell@123"
NOTE: Depending on your requirements, you can reference multiple secret values from the values.yaml file.
Navigate to the directory where you generated the TLS certificates and run the following command to export the certificate and key to .pfx format.
openssl pkcs12 -export -out tls.pfx -inkey tls.key -in tls.crt -passout pass:''
NOTE: The tls.pfx file is imported into the key vault and used for validating the secret values and keys.
Upload the tls.pfx file to Azure Cloud Shell and run the following command to import the file into the key vault.
az keyvault certificate import --vault-name <key vault name> -n "ingress-tls-cert" -f tls.pfx
For example,
az keyvault certificate import --vault-name idmkv20220712 -n "ingress-tls-cert" -f tls.pfx
Navigate to the Identity_Manager_4.8.7_Containers/helm_charts/ directory and update the following fields in the values.yaml file.
Table 19-2
Sections | Fields | Description
---|---|---
Advanced Edition of Identity Manager | IS_ADVANCED_EDITION | Specify your choice to deploy the Advanced Edition of Identity Manager (true/false).
Azure PostgreSQL Server instance | AZURE_POSTGRESQL_REQUIRED | Specify your choice to use an Azure PostgreSQL server instance as the database server for Identity Applications and Reporting (y/n).
Registry credentials for Identity Manager docker images | registry | Specify the Azure Container Registry Server Name.
 | name | Specify the name of the Kubernetes secret which contains the login credentials of the registry.
Data Persistence | Persistent Storage for Identity Engine: volumeClaimTemplate | Specify the storage class name and the storage size for the Volume Claim Template to be used by Identity Engine.
 | Shared Persistent Storage: dynamicClaim | If you want to use an existing Persistent Volume Claim (PVC), enter the name of the existing claim. Otherwise, for dynamic provisioning of a PVC, specify the storage class name and the storage size.
Secret Manager for sensitive data such as passwords, keys and certificates | azureKeyVaultName | Specify the name of the Azure Key Vault.
 | azureKeyVaultTenantId | Specify the Azure Key Vault tenant ID. Refer to the terraform output in Step 10.
 | azureUserAssignedIdentityID | Specify the Client ID of the user-defined Managed Identity used by the Azure Key Vault Secret Provider. You can run the following az cli command to retrieve the Client ID of the identity: az aks show -g <Resource Group> -n <AKS Cluster Name> --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv
Ingress Configuration | host | Specify the domain name for accessing the Identity Manager web applications.
 | azureKeyVaultCertificateName | Specify the name of the Azure Key Vault Certificate containing the TLS certificate and the private key.
Identity Engine Configuration | deploy | Specify your choice to deploy Identity Engine (true/false).
 | replicaCount | Specify the number of Identity Engine replica pods. For example, 2.
 | ID_VAULT_TREENAME | Specify the Identity Vault tree name.
 | ID_VAULT_SERVER_CONTEXT | Specify the Identity Vault Server Context.
 | ID_VAULT_DRIVER_SET | Specify the Identity Vault Default Driver Set Name.
 | ID_VAULT_DEPLOY_CTX | Specify the Identity Vault Default Driver Set Deploy Context.
 | ID_VAULT_ADMIN_LDAP | Specify the Identity Vault Admin DN.
 | ID_VAULT_PASSWORD: secret | Specify the Azure Key Vault secret containing the Identity Vault Admin Password.
 | ID_VAULT_RSA_KEYSIZE | Specify the key size for the creation of RSA certificate authority keys and server keys.
 | ID_VAULT_EC_CURVE | Specify the curve for the creation of EC certificate authority keys and server keys.
 | ID_VAULT_CA_LIFE | Specify the certificate life for the creation of default server certificates.
 | Resource requests and limits | Specify the CPU and memory values of resource requests and limits for Identity Engine. For more details, refer to Resource Management for Pods and Containers.
One SSO Provider (OSP) Configuration | deploy | Specify your choice to deploy OSP (true/false).
 | replicaCount | Specify the number of OSP replica pods. For example, 2.
 | OSP_CUSTOM_NAME | Specify the OSP custom login screen name.
 | SSO_SERVICE_PWD: secret | Specify the Azure Key Vault secret containing the OSP Client Password.
 | Resource requests and limits | Specify the CPU and memory values of resource requests and limits for OSP. For more details, refer to Resource Management for Pods and Containers.
Identity Applications Configuration | deploy | Specify your choice to deploy Identity Applications (true/false).
 | replicaCount | Specify the number of Identity Applications replica pods. For example, 2.
 | UA_ADMIN | Specify the Identity Applications Administrator DN.
 | UA_ADMIN_PWD: secret | Specify the Azure Key Vault secret containing the Identity Applications Administrator Password.
 | UA_WFE_DB_PLATFORM_OPTION | Specify the Identity Applications and Workflow Engine Database Platform. The supported values are: postgres, oracle and mssql.
 | UA_ORACLE_DATABASE_TYPE | If the Database Platform is Oracle, specify the configuration of the database (sid/service).
 | UA_WFE_DB_HOST | Specify the Identity Applications and Workflow Engine Database Server Host.
 | UA_WFE_DB_PORT | Specify the Identity Applications and Workflow Engine Database Server Port number.
 | UA_DATABASE_NAME | Specify the Identity Applications Database Name.
 | WFE_DATABASE_NAME | Specify the Workflow Engine Database Name.
 | UA_WFE_DATABASE_USER | Specify the Identity Applications Database Username.
 | UA_WFE_DATABASE_PWD: secret | Specify the Azure Key Vault secret containing the Identity Applications Database User Password.
 | Resource requests and limits | Specify the CPU and memory values of resource requests and limits for Identity Applications. For more details, refer to Resource Management for Pods and Containers.
Form Renderer Configuration | deploy | Specify your choice to deploy Form Renderer (true/false).
 | Resource requests and limits | Specify the CPU and memory values of resource requests and limits for Form Renderer. For more details, refer to Resource Management for Pods and Containers.
ActiveMQ Configuration | deploy | Specify your choice to deploy ActiveMQ (true/false).
 | Resource requests and limits | Specify the CPU and memory values of resource requests and limits for ActiveMQ. For more details, refer to Resource Management for Pods and Containers.
Identity Reporting Configuration | deploy | Specify your choice to deploy Identity Reporting (true/false).
 | RPT_ADMIN | Specify the Identity Reporting Administrator DN.
 | RPT_ADMIN_PWD: secret | Specify the Azure Key Vault secret containing the Identity Reporting Administrator Password.
 | RPT_DATABASE_PLATFORM_OPTION | Specify the Identity Reporting Database Platform. The supported values are: postgres, oracle and mssql.
 | RPT_ORACLE_DATABASE_TYPE | If the Database Platform is Oracle, specify the configuration of the database (sid/service).
 | RPT_DATABASE_HOST | Specify the Identity Reporting Database Host.
 | RPT_DATABASE_PORT | Specify the Identity Reporting Database Port number.
 | RPT_DATABASE_NAME | Specify the Identity Reporting Database Name.
 | RPT_DATABASE_USER | Specify the Identity Reporting Database User.
 | RPT_DATABASE_SHARE_PASSWORD: secret | Specify the Azure Key Vault secret containing the Identity Reporting Database Account Password.
 | Resource requests and limits | Specify the CPU and memory values of resource requests and limits for Identity Reporting. For more details, refer to Resource Management for Pods and Containers.
Self Service Password Reset (SSPR) Configuration | deploy | Specify your choice to deploy SSPR (true/false).
 | CONFIGURATION_PWD: secret | Specify the password that you want to create for an administrator to configure SSPR.
 | Resource requests and limits | Specify the CPU and memory values of resource requests and limits for SSPR. For more details, refer to Resource Management for Pods and Containers.
Identity Console Configuration | deploy | Specify your choice to deploy Identity Console (true/false).
 | ID_CONSOLE_USE_OSP | Specify whether to use One SSO Provider (OSP) as the login method for Identity Console. For example, n.
 | Resource requests and limits | Specify the CPU and memory values of resource requests and limits for Identity Console. For more details, refer to Resource Management for Pods and Containers.
Advanced Configuration | DATA_CONTAINERS: DATA_CONTAINERS_LDIF, ROOT_CONTAINER, GROUP_ROOT_CONTAINER, USER_CONTAINER, ADMIN_CONTAINER | Specify the LDIF configuration for creating the data containers. Specify the DNs for the Root container, Group root container, User container and Admin container.
 | Kubernetes Cluster Domain: KUBE_SUB_DOMAIN | Specify the Kubernetes Cluster Domain.
After updating the terraform.tfvars and values.yaml files, follow the steps described in Identity Manager Container Deployment on Azure Kubernetes Service to complete the Identity Manager Container deployment on Azure.