The first step is to retrieve the Docker image:
docker pull ghcr.io/cosmo-tech/backend-tf-state-to-vault:latest
Next, you will need to run the Docker image. However, it is necessary to set the following environment variables beforehand:
export VAULT_ADDR=<value>
export VAULT_TOKEN=<value>
export TENANT_ID=<value>
export ORGANIZATION_NAME=<value>
export CLUSTER_NAME=<value>
export STORAGE_ACCOUNT_NAME=
export STORAGE_ACCOUNT_KEY=
export STORAGE_CONTAINER=
export TFSTATE_BLOB_NAME=
export PLATFORM_NAME=<value>
TENANT_ID
should correspond to the Microsoft Enterprise ID tenant identifier on which you wish to deploy resources. This value is used for the secrets' storage hierarchy in Vault:secrets/[organization_name]/[tenant_id]/
.ORGANIZATION_NAME
is used for the secrets' storage hierarchy in Vault:secrets/[organization_name]/
.STORAGE_ACCOUNT_NAME
and the following three variables can remain empty, as they are managed automatically by the latest available Terraform scripts.PLATFORM_NAME
: the name of the platform, which will be passed as a parameter to Babylon commands via the-p
option. In the Vault hierarchy, this impliessecrets/[organization_name]/[tenant_id]/[Platform_name]/
.CLUSTER_NAME
is the name of the Kubernetes cluster. This value is used for the secrets hierarchy in Vault:secrets/[organization_name]/[tenant_id]/clusters/[cluster_name]/
.
If you have a terraform state file in azure storage account.
docker run -it \
-e VAULT_ADDR="$VAULT_ADDR" \
-e VAULT_TOKEN="$VAULT_TOKEN" \
-e TENANT_ID="$TENANT_ID" \
-e ORGANIZATION_NAME="$ORGANIZATION_NAME" \
-e CLUSTER_NAME="$CLUSTER_NAME" \
-e STORAGE_ACCOUNT_NAME="$STORAGE_ACCOUNT_NAME" \
-e STORAGE_ACCOUNT_KEY="$STORAGE_ACCOUNT_KEY" \
-e STORAGE_CONTAINER="$STORAGE_CONTAINER" \
-e TFSTATE_BLOB_NAME="$TFSTATE_BLOB_NAME" \
-e PLATFORM_NAME="$PLATFORM_NAME" ghcr.io/cosmo-tech/backend-tf-state-to-vault
If you don't have a terraform state file in azure storage account but locally, copy the following content into the state.json
file and configure it correctly:
{
"outputs": {
"out_acr_login_server": {
"value": "",
},
"out_adx_uri": {
"value": "",
},
"out_babylon_client_id": {
"value": "",
},
"out_babylon_client_secret": {
"value": "",
},
"out_babylon_principal_id": {
"value": "",
},
"out_cluster_adx_name": {
"value": "",
},
"out_cluster_adx_principal_id": {
"value": "",
},
"out_cosmos_api_scope": {
"value": "",
},
"out_cosmos_api_url": {
"value": "",
},
"out_cosmos_api_version_path": {
"value": "",
},
"out_resource_location": {
"value": "",
},
"out_storage_account_name": {
"value": "",
},
"out_storage_account_secret": {
"value": "",
},
"out_subscription_id": {
"value": "",
},
"out_tenant_resource_group_name": {
"value": "",
},
"out_tenant_sp_client_id": {
"value": "",
},
"out_tenant_sp_object_id": {
"value": "",
}
}
}
acr_login_server
: Docker image server where the simulator image is located (refer to the resource group of the platform).adx_uri
: URI of the ADX cluster in the same resource group.cluster_principal_id
: Principal identifier of the ADX cluster (to be retrieved from its JSON view).cosmos_api_url
: URL of the API as previously deployed via Terraform scripts.cosmos_api_version
:v3
API version that will be concatenated withcosmos_api_url
to obtain the complete URL to use.resource-group-name
: The resource group.resource_location
: Region in which the resource group is deployed: e.gwesteurope
.storage_account_name
: get the name of the storage account of the platform resource group.storage_account_secret
: go to theAccess Key
menu and usekey1
.babylon_client_id
: retrieve the application ID from the enterprise application ofBabylon
babylon_principal_id
: retrieve the object ID from the enterprise applicationBabylon
babylon_client_secret
: create a new secret in the enterprise applicationBabylon
For the secrets, you should have this JSON file locally with the name secrets.json
, which can be used to populate Vault with those secrets :
{
"outputs": {
"out_API_VERSION": {
"value": ""
},
"out_ACR_SERVER": {
"value": ""
},
"out_ACR_USERNAME": {
"value": ""
},
"out_ACR_PASSWORD": {
"value": ""
},
"out_ACR_REGISTRY_URL": {
"value": ""
},
"out_HOST_COSMOTECH_API": {
"value": ""
},
"out_IDENTITY_AUTHORIZATION_URL": {
"value": ""
},
"out_IDENTITY_TOKEN_URL": {
"value": ""
},
"out_MONITORING_NAMESPACE": {
"value": ""
},
"out_NAMESPACE": {
"value": ""
},
"out_ARGO_SERVICE_ACCOUNT_NAME": {
"value": ""
},
"out_AZURE_TENANT_ID": {
"value": ""
},
"out_AZURE_APPID_URI": {
"value": ""
},
"out_AZURE_STORAGE_ACCOUNT_KEY": {
"value": ""
},
"out_AZURE_STORAGE_ACCOUNT_NAME": {
"value": ""
},
"out_AZURE_CREDENTIALS_CLIENT_ID": {
"value": ""
},
"out_AZURE_CREDENTIALS_CLIENT_SECRET": {
"value": ""
},
"out_AZURE_CREDENTIALS_CUSTOMER_CLIENT_ID": {
"value": ""
},
"out_AZURE_CREDENTIALS_CUSTOMER_CLIENT_SECRET": {
"value": ""
},
"out_ADX_BASE_URI": {
"value": ""
},
"out_ADX_INGEST_URI": {
"value": ""
},
"out_EVENTBUS_BASE_URI": {
"value": ""
},
"out_HOST_POSTGRES": {
"value": ""
},
"out_HOST_REDIS": {
"value": ""
},
"out_HOST_REDIS_PASSWORD": {
"value": ""
},
"out_HOST_ARGO_WORKFLOWS_SERVER": {
"value": ""
},
"out_RDS_HUB_LISTENER": {
"value": ""
},
"out_RDS_HUB_SENDER": {
"value": ""
},
"out_RDS_STORAGE_ADMIN": {
"value": ""
},
"out_RDS_STORAGE_READER": {
"value": ""
},
"out_RDS_STORAGE_WRITER": {
"value": ""
},
"out_HOST_RDS": {
"value": ""
},
"out_HOST_RDS_POSTGRES": {
"value": ""
},
"out_SPRING_APPLICATION_JSON": {
"value": ""
}
}
}
Below, the meaning and role of each of the defined values above are detailed:
docker run -it --entrypoint bash \
-e VAULT_ADDR="$VAULT_ADDR" \
-e VAULT_TOKEN="$VAULT_TOKEN" \
-e TENANT_ID="$TENANT_ID" \
-e ORGANIZATION_NAME="$ORGANIZATION_NAME" \
-e CLUSTER_NAME="$CLUSTER_NAME" \
-e STORAGE_ACCOUNT_NAME="$STORAGE_ACCOUNT_NAME" \
-e STORAGE_ACCOUNT_KEY="$STORAGE_ACCOUNT_KEY" \
-e STORAGE_CONTAINER="$STORAGE_CONTAINER" \
-e TFSTATE_BLOB_NAME="$TFSTATE_BLOB_NAME" \
-e PLATFORM_NAME="$PLATFORM_NAME" \
-v <path>/<state.json>:/usr/src/babyapp/state.json \
-v <path>/<secrets.json>:/usr/src/babyapp/secrets.json ghcr.io/cosmo-tech/backend-tf-state-to-vault
With --entrypoint bash
, you can enter interactive mode to execute all commands within the Python application. Here's what the application looks like: