
Hack for LA Lead Developers need access to the Azure Production Environment #1267

Closed
3 tasks done
Tracked by #1258
entrotech opened this issue Nov 16, 2022 · 7 comments

Comments

entrotech (Member) commented Nov 16, 2022

Overview

John Darragh currently provides support to the TDM production environment, which is hosted under the city's Azure account. However, he currently has access to the UAT environment, but not the production environment, which could potentially be necessary in the event of any sort of problem with the production deployment.

Action Items

Resources/Instructions

Lon Soh is the starting point of contact for IT support.

entrotech added labels: bug, Release Note: Shows as Error Correction, priority: MUST HAVE, feature: missing, role: back-end Node/Express Development, Task level: medium (Nov 16, 2022)
entrotech changed the title from "John Darragh no longer has access to the Azure Production Environment" to "Hack for LA Lead Developers need access to the Azure Production Environment" (Jan 14, 2023)

entrotech (Member, Author) commented:

Xander sent an email to Lon Soh at ITA on Nov 29, 2022, requesting that access be restored for John Darragh.

Lon responded on Dec 1 that access was revoked, since access to the production environment can only be granted to people with a city email address.

On Jan 10, 2023, Xander asked Lon if we could have an email account created like tdm.dev@lacity.org that could be shared by the lead devs at Hack for LA, and have access to the Azure account created.

On Jan 11, Lon responded that "using a generic email is a possibility", and said he would let us know when it was created later that day.

We need to circle back to Xander and Lon and see if the email was created, and if access can be granted to the Azure account.

ExperimentsInHonesty (Member) commented Jan 29, 2023

Biuwa (Member) commented Feb 8, 2023

Alexander added the password to the vault and set up 2-factor authentication. Alexander will follow up with the city to get a specific password change. Hack for LA cannot set up 2FA authentication in Azure, because it requires the Azure authenticator app (does not allow the account to be shared via 1Password). Alexander will try to get a 2nd email account for server administration.

Biuwa (Member) commented Feb 8, 2023

@entrotech Please confirm you and James are in so we can close this issue.

Biuwa (Member) commented Feb 13, 2023

Biuwa closed this as completed Feb 13, 2023

entrotech (Member, Author) commented:

Here is what we have working so far - the bolded text indicates decisions that still need to be made or actions to be taken:

An email account is set up with the city for jacob.rodes@lacity.org with a strong password, and recovery emails are set to jacob.rodes@hackforla.org. The 2FA methods are one-time password and my personal cell phone. Credentials, the one-time password and backup codes are all in the TDM Dev vault under the jacob.rodes@lacity.org entry. There may or may not be a requirement to change the password every 90 days - an email message was received on that account indicating that SOME accounts are required to change the password every 90 days. There are also messages in the inbox about various other required actions which cannot be completed without an employee login and access to their LAN.

An email account is set up with Hack for LA for jacob.rodes@hackforla.org with a strong password and 2FA. The 2FA methods are one-time password and my personal cell phone. Credentials, the one-time password and backup codes are all in the TDM Dev vault under the jacob.rodes@hackforla.org

A second email account is set up with the city for john.darragh@lacity.org with a strong password and 2FA, and the recovery email set to john.darragh@hackforla.org. For this account the 2FA methods are a one-time password in 1Password and my personal cell phone. Credentials, the one-time password and backup codes are all in the TDM Dev vault under the john.darragh@lacity.org entry.

An email account john.darragh@hackforla.org is also set up for my personal use - it is stored in my own vault.

Current Azure Account Setup:
There are four accounts currently set up for Hack for LA to have access to Azure:

jacob.rodes@lacity.org and john.darragh@lacity.org both have access to the TDM production resources. Here is a screenshot showing all the resources accessible to Jacob Rodes:

(screenshot: Azure resources accessible to jacob.rodes@lacity.org)

Both accounts have access to these same production resources. These two accounts are correct, and what we want to keep going forward.

The only problem is that they both have the same very weak password that was originally assigned, so it appears that the password change Johnny Voong and I did yesterday did not somehow flow through to the corresponding Microsoft/Azure accounts, and it's not clear (to me) how we can change the Microsoft/Azure passwords.

Neither of these accounts has access to our User Acceptance Test (UAT) resources, and we need to decide whether we need a UAT environment.

My personal email johncdarragh@gmail.com has Azure access to the current UAT resources as shown on this screenshot:

(screenshot: Azure resources accessible to johncdarragh@gmail.com)

Though production resources are also listed in this screenshot, if I try to access them, authorization is denied. This is currently the account I need to use to maintain the UAT environment. If we want to keep the UAT environment, Lon Soh should probably grant access to the UAT resources to the john.darragh@lacity.org and jacob.rodes@lacity.org accounts first, but then the johncdarragh@gmail.com account can be removed from access to any city Azure resources.

There is also an Azure login for ladot.tdm@lacity.org with the following resources:

(screenshot: Azure resources accessible to ladot.tdm@lacity.org)

This Azure login (ladot.tdm@lacity.org) is no longer needed and can be dropped.
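As an added defender-side check, not code from this issue or the TDM project: a small audit over constructed sample data in the shape of `az role assignment list --all -o json` output (only the fields used here; the subscription id is a placeholder) that applies the rules stated in this thread, flagging non-city or retired identities and reporting required users that have no assignment on the production scope.

```python
import json

# Policy points taken from the issue: production access requires a city address,
# and the ladot.tdm login is no longer needed.
CITY_DOMAIN = "lacity.org"
RETIRED_LOGINS = {"ladot.tdm@lacity.org"}
REQUIRED_PROD_USERS = {"jacob.rodes@lacity.org", "john.darragh@lacity.org"}

# Constructed sample in the shape of `az role assignment list --all -o json`
# (only the fields used below); SUB-PLACEHOLDER stands in for a real subscription id.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "jacob.rodes@lacity.org", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/tdm-prod"},
    {"principalName": "john.darragh@lacity.org", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/tdm-prod"},
    {"principalName": "johncdarragh@gmail.com", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/tdm-uat"},
    {"principalName": "ladot.tdm@lacity.org", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/tdm-prod"},
])

def _domain(principal):
    return principal.rsplit("@", 1)[-1].lower() if "@" in principal else ""

def audit_assignments(assignments_json, prod_marker="/resourceGroups/tdm-prod"):
    """Return (findings, missing): assignments that violate the policy, and
    required users with no assignment on the production scope."""
    findings = []
    prod_users = set()
    for a in json.loads(assignments_json):
        name = a.get("principalName", "").lower()
        on_prod = prod_marker.lower() in a.get("scope", "").lower()
        if on_prod:
            prod_users.add(name)
        reasons = []
        if _domain(name) != CITY_DOMAIN:
            reasons.append("non-city identity")
        if name in RETIRED_LOGINS:
            reasons.append("retired shared login")
        if reasons:
            findings.append({"principal": name, "role": a.get("roleDefinitionName"),
                             "scope": a.get("scope"), "production": on_prod,
                             "reasons": reasons})
    missing = sorted(REQUIRED_PROD_USERS - prod_users)
    return findings, missing
```

Run against a real export, the `production` flag separates the gmail account's UAT-only access from anything touching the production resource group.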

entrotech (Member, Author) commented:

I moved the DEV and UAT environments to the LA City Azure account.
The "TDM Calculator - Dev" 1Password vault contains the credentials for Jacob.Rodes@lacity.org, which can be used to log in as the fictitious user "Jacob Rodes" to the city's Azure account. This has access to all the Azure resources for the DEV, UAT and PROD server environments.

Projects
Status: On Dev - not yet pushed to Prod