Prerequisites
Before starting a deployment of Codebeamer AI customer-hosted deployment, complete the following prerequisites.
Install required tools
|
Tool
|
Version
|
|---|---|
|
Azure CLI (az)
|
Latest
|
|
Terraform
|
>= 1.5
|
|
kubectl
|
Latest
|
|
Helm
|
>= 3.x
|
|
Rancher/Docker
|
>=1.20.0
|
Create service principals to run IaC
Store the following values securely for each Service Principal after creation.
• client_id
• client_secret
• tenant_id
|
Variable
|
Description
|
Output Key
|
|---|---|---|
|
ARM_CLIENT_ID
|
Azure Service Principal Client ID
|
appId
|
|
ARM_CLIENT_SECRET
|
Azure Service Principal Client Secret
|
password
|
|
ARM_TENANT_ID
|
Azure tenant ID
|
tenant_id
|
|
ARM_SUBSCRIPTION_ID
|
Azure Subscription ID for the target environment
|
subscription_id. From the service principal creation command.
|
1. Create the infrastructure service principal.
az ad sp create-for-rbac \
--name "ptc-cbai-infra-sp" \
--role Contributor \
--scopes /subscriptions/<subscription_id>
2. Create policy service principal.
az ad sp create-for-rbac \
--name "ptc-cbai-policy-sp" \
--role Contributor \
--scopes /subscriptions/
--scopes /subscriptions/>
Example output:
{
"appId": "<client_id>",
"password": "<client_secret>",
"tenant": "<tenant_id>"
}
Azure role assignments for deployment identities
Infrastructure service principal
Assign only the following roles to the infrastructure service principal from the Azure portal.
|
Role
|
Purpose
|
||
|---|---|---|---|
|
Storage Blob Data Contributor
|
Terraform state read and write, VNET flow logs
|
||
|
Network Contributor
|
VNet, Subnets, NSG, private DNS, private endpoint
|
||
|
Azure Kubernetes Service Contributor
|
AKS Cluster and node pools
|
||
|
Cognitive Services Contributor
|
Azure OpenAI account, model deployments, RAI policies
|
||
|
Managed Identity Contributor
|
User assigned identity and federated credentials
|
||
|
Managed Identity Operator
|
Assign the identity
|
||
|
Log Analytics Contributor
|
Log analytics workspace and container insights
|
||
|
User Access Administrator
|
Create and manage RBAC role assignments
|
For more information, refer to Assign Azure RBAC roles or Microsoft Entra roles to the Azure Virtual Desktop service principals
Additional required permissions
The infrastructure service principal must have the following permissions:
◦ Resource group permissions
▪ Microsoft.Resources/subscriptions/resourceGroups/read
▪ Microsoft.Resources/subscriptions/resourceGroups/write
▪ Microsoft.Resources/subscriptions/resourceGroups/delete
◦ Azure application permissions
▪ Microsoft.Solutions/applications/read
▪ Microsoft.Solutions/applications/write
▪ Application Administrator
Policy service principal
Assign only the following roles to the policy service principal.
|
Role
|
Scope
|
Purpose
|
|---|---|---|
|
Resource Policy Contributor
|
Subscription
|
Create policy definitions, initiatives, assignments, and exemptions.
|
Azure AD Group for AKS and ACR management
Create an Azure AD user group and add users responsible for deploying the cb‑ai‑service and accessing the AKS API.
Add the following roles to the Azure AD user group.
◦ AKS Access Roles
|
Role
|
Scope
|
Purpose
|
|---|---|---|
|
Azure Kubernetes Service RBAC Writer
|
Resource Group and AKS
|
Deploy and manage workloads; recommended minimum access.
|
|
Azure Kubernetes Service RBAC Admin
|
Resource Group and AKS
|
Full administrative access to the cluster; use only if required.
|
◦ Container registry access roles
|
Role
|
Scope
|
Purpose
|
|---|---|---|
|
AcrPull
|
ACR
|
Pull images for deployment.
|
|
AcrPush
|
ACR
|
Push images, if applicable.
|
|
Container Registry Contributor
|
Resource Group
|
Manage ACR resources.
|
|
Container Registry Data Access Configuration Administrator
|
Resource Group
|
Manage ACR tokens and access.
|
For more information, refer to Steps to assign an Azure role.
AKS Host Encryption
1. Enable encryption at host.
az feature register --namespace Microsoft.Compute --name EncryptionAtHost
2. Refresh the provider.
az provider register --namespace Microsoft.Compute
3. Verify that encryption is enabled.
az feature show --namespace Microsoft.Compute --name EncryptionAtHost --query properties.state -o tsv
Expected result:
Registered
For more information, refer to Encryption at host - End-to-end encryption for your VM data.
Decide region of deployment
Select the Azure deployment region by confirming the following:
• Availability of the required Azure OpenAI model version.
• Available quota for deployment type and intended commercial mode (PAY-AS-YOU-GO or PTU).
• Expected workload throughput.
• For more information, refer to Microsoft documentation: Data Zone Standard model availability.
◦ Check available regions for the required models.
◦ Identify the available SKUs, then select the SKU that aligns with your required throughput, latency, and budget (PAYGO or PTU).
◦ DataZoneStandard models are preferred for regional compliance needs.
Terraform backend setup
Before creating the storage account and resource group, refer to Recommendations and Best Practices
Requirement
Create a storage account to store Terraform states in the region of the customer-hosted deployment.
Within this storage account, create:
◦ Container for Infrastructure (IaC) state, for example: resource-tfstate.
◦ Container for Azure Policy state, for example: policy-tfstate.
Configuration
Enable the following:
◦ Blob versioning
◦ Soft delete (state protection)
VNet flow logs storage
This storage account must be created in the same region as the deployment.
Create storage
Create a separate storage account for VNet flow logs.
For more information, refer to the following links.
Azure Container Registry (ACR) / Container Registry Access
You can create and configure Container Registries using the following two options:
Option 1: Azure Container Registry (ACR)
1. Create an Azure Container Registry.
For more information, refer to Quickstart: Create an Azure container registry by using the Azure portal.
2. Create an ACR Token.
For more information, refer to
3. Store the username and password securely.
Option 2: Other container registries
Customers may use any container registry of their choice, which is reachable from the AKS created as part of the customer-hosted deployment infrastructure. As part of the pre-requisites, create a token for the container registry.