Azure Account Security #1325

Closed
2 of 3 tasks
Tracked by #1258
Biuwa opened this issue Feb 11, 2023 · 3 comments

Comments

@Biuwa
Member

Biuwa commented Feb 11, 2023

Overview

We need additional security (password change) for the Azure account as discussed with the stakeholders.

Action Items

Resources/Instructions

@Biuwa
Member Author

Biuwa commented Apr 5, 2023

2023-04-04 STAKEHOLDER MEETING NOTES:

Alexander will convene a meeting between Leon and the HfLA Engineering team to discuss the Account setup and access to the city's Azure Account.

@entrotech
Member

We had a meeting today with Lon Soh, Alexander Wikstrom, Johnny Voong, Bonnie and myself. At the moment, the credentials stored in the "tdm shared vault with city" 1Password vault, called "TDM Production Azure Account", which use the username ladot.tdm@lacity.org, work and are able to access the Production SQL Server virtual machine, SQL Server database, and App Service, which is sufficient for us to support deployment to the production environment. However, that email is used for LADOT and City Planning communication with end users, and credentials for access to production environments are supposed to be associated with individual people (vs. a generic service email), so we requested that two new email addresses be created, one for john.darragh@lacity.org and one for a fictitious user jacob.rodes@lacity.org for us to use, and to have these accounts granted access to the Azure portal.

Previously they had granted access to a different account, tdm@hackforla.org, to the TDM Azure resource groups, and that account had access to the UAT and Production account resources. Since that time, this account no longer has access to the production resources, but does have access to the UAT resources, though Lon thought the UAT resources had been decommissioned. However, I am still able to access the UAT environment with these credentials.

I believe the action items coming from this meeting are:

  • City personnel are to create two new email accounts: john.darragh@lacity.org and jacob.rodes@lacity.org and grant them access to the City's Azure portal and the production resources.
  • Once these accounts are set up and verified to have the required access, the ladot.tdm@lacity account no longer needs Azure access and can be removed from Azure.
  • The UAT environment is working, but no one seems to use it. We need to decide if we want to have a UAT environment at all.
  • If so, city personnel are to re-create resources for the UAT environment as desired, and grant the two new accounts access to these resources as well, so HFLA personnel can re-create the UAT environment. If re-created, we can either initialize with a copy of the production environment database, or a clean-empty database (with no user accounts or projects).

@Biuwa
Member Author

Biuwa commented May 6, 2023

Two email accounts have been created.

@Biuwa Biuwa closed this as completed May 6, 2023