3. Create Environment Specific Static Resources
The following infrastructure elements are environment specific: one instance of each exists for every environment that is operated at some point. For more details about environments please check here.
When creating any of the resources below, make sure you replace the <env> placeholder with the lowercase environment name (e.g. dev, uat, prod).
Create the Resource Group
az group create \
--location eastus \
--resource-group ar-<env>-env
az group create \
--location eastus \
--resource-group ar-uat-env
Create the Public IP Address
az network public-ip create \
--resource-group ar-<env>-env \
--sku Standard \
--name ar-<env>-public-ip
az network public-ip create \
--resource-group ar-uat-env \
--sku Standard \
--name ar-uat-public-ip
Create the Azure SQL Server
Find the ObjectID of the Azure Active Directory group whose members will have admin permissions on this server; you will need it to replace the <object-id> placeholder in the command below. The ObjectID can be found in the Azure Portal by going to Active Directory \ Groups and locating the designated group, or with a command-line search such as the one below:
az ad group list \
--display-name "Infrastructure Admin uat" \
--query "[*].id | [0]"
Create a strong, randomly generated password. Store it in a secured temporary location, as it will be used later to configure the application's connectivity to the database.
Use that password to create the Azure SQL server with the command below, replacing <password> with the value you generated:
az sql server create \
--name ar-<env>-sql-server \
--resource-group ar-<env>-env \
--admin-user aradmin \
--admin-password <password> \
--external-admin-name "Infrastructure Admin uat" \
--external-admin-principal-type Group \
--external-admin-sid <object-id> \
--minimal-tls-version "1.2"
Warning: make sure the --external-admin-name passed to az sql server create is the same group display name that was used when retrieving the ObjectID; otherwise the name and the SID refer to different groups.
Once the server is created, create a new SQL Elastic Pool:
Warning: SQL Elastic Pools used for Development need a different configuration (edition and capacity) from those used for UAT or Production!
az sql elastic-pool create \
--name ar-<env>-sql-server-pool \
--resource-group ar-<env>-env \
--server ar-<env>-sql-server \
--edition <edition> \
--capacity <capacity> \
--family Gen5
Example:
az sql server create \
--name ar-uat-sql-server \
--resource-group ar-uat-env \
--admin-user aradmin \
--admin-password PEDRawnnhBVvdELXDyDgnz5P \
--external-admin-name "Infrastructure Admin uat" \
--external-admin-principal-type Group \
--external-admin-sid <object-id> \
--minimal-tls-version "1.2"
az sql elastic-pool create \
--name ar-uat-sql-server-pool \
--resource-group ar-uat-env \
--server ar-uat-sql-server \
--edition <edition> \
--capacity <capacity> \
--family Gen5
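The steps above are easy to get wrong by hand (the page's own example once had <password> where the group ObjectID belongs). As an added example that is not part of the original runbook, the script below derives every name from one <env> value, resolves the admin group ObjectID in the same function that calls az sql server create, and validates the storage account name before Azure rejects it. It assumes one admin group per environment named "Infrastructure Admin <env>" and that the generated password is supplied in the ADMIN_PASSWORD variable; both are assumptions, not something the runbook states.

```shell
#!/usr/bin/env bash
# Added example, not part of the original runbook: derive names from <env>,
# resolve the admin group ObjectID once, and pass the same group name and SID
# to 'az sql server create' so they can never refer to different groups.
set -eu

# Only the lowercase environment names the runbook uses are accepted.
validate_env() {
  case "$1" in
    dev|uat|prod) return 0 ;;
    *) echo "invalid environment name: $1 (expected dev, uat or prod)" >&2; return 1 ;;
  esac
}

# Naming scheme from the runbook, parameterised on <env>.
rg_name()      { echo "ar-$1-env"; }
sql_server()   { echo "ar-$1-sql-server"; }
storage_name() { echo "avocarisk$1storage"; }
admin_group()  { echo "Infrastructure Admin $1"; }   # assumed: one group per env

# Azure storage account names must be 3-24 lowercase letters and digits;
# check before calling 'az storage account create' rather than after it fails.
check_storage_name() {
  local n="$1"
  case "$n" in *[!a-z0-9]*|'') return 1 ;; esac
  [ "${#n}" -ge 3 ] && [ "${#n}" -le 24 ]
}

# Look up the group ObjectID once; fail if the group does not exist instead of
# passing an empty SID to the server create command.
lookup_group_id() {
  local id
  id=$(az ad group list --display-name "$1" --query "[*].id | [0]" -o tsv)
  [ -n "$id" ] || { echo "no AAD group named '$1'" >&2; return 1; }
  echo "$id"
}

# Create the server. The password comes from the ADMIN_PASSWORD variable
# (assumed; e.g. exported from a secret store) rather than typed inline.
create_sql_server() {
  local env="$1" group object_id
  validate_env "$env"
  group=$(admin_group "$env")
  object_id=$(lookup_group_id "$group")
  az sql server create \
    --name "$(sql_server "$env")" --resource-group "$(rg_name "$env")" \
    --admin-user aradmin --admin-password "${ADMIN_PASSWORD:?set ADMIN_PASSWORD}" \
    --external-admin-name "$group" --external-admin-principal-type Group \
    --external-admin-sid "$object_id" --minimal-tls-version 1.2
}
```

Run as `ADMIN_PASSWORD=... ; create_sql_server uat` after sourcing the file; the password is never echoed, and a missing group aborts before any resource is created.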
Create the Azure Storage Account
az storage account create \
--name avocarisk<env>storage \
--resource-group ar-<env>-env \
--allow-blob-public-access false \
--min-tls-version TLS1_2
az storage account create \
--name avocariskuatstorage \
--resource-group ar-uat-env \
--allow-blob-public-access false \
--min-tls-version TLS1_2
Create the Application Gateway WAF Policy
az network application-gateway waf-policy create \
--name ar-<env>-firewall-policy \
--resource-group ar-<env>-env \
--type OWASP \
--version 3.2
az network application-gateway waf-policy custom-rule create \
--action Block \
--name DenyAll \
--policy-name ar-<env>-firewall-policy \
--resource-group ar-<env>-env \
--priority 100 \
--rule-type MatchRule
az network application-gateway waf-policy custom-rule match-condition add \
--resource-group ar-<env>-env \
--policy-name ar-<env>-firewall-policy \
--name DenyAll \
--match-variables RequestHeaders.Host \
--operator Any \
--values ""
Example:
az network application-gateway waf-policy create \
--name ar-uat-firewall-policy \
--resource-group ar-uat-env \
--type OWASP \
--version 3.2
az network application-gateway waf-policy custom-rule create \
--action Block \
--name DenyAll \
--policy-name ar-uat-firewall-policy \
--resource-group ar-uat-env \
--priority 100 \
--rule-type MatchRule
az network application-gateway waf-policy custom-rule match-condition add \
--resource-group ar-uat-env \
--policy-name ar-uat-firewall-policy \
--name DenyAll \
--match-variables RequestHeaders.Host \
--operator Any \
--values ""