the_order/docs/deployment/AZURE_CDN_SETUP.md
# Azure CDN Setup for Credential Seals
Complete guide for setting up Azure CDN infrastructure for Order of St John credential seal images.
## Quick Start
**One-Command Setup:**
```bash
./scripts/deploy/setup-azure-cdn-complete.sh
```
This automates:
1. ✅ Quota checking
2. ✅ Infrastructure creation
3. ✅ File upload
4. ✅ Manifest URL updates
## Prerequisites
1. **Azure CLI installed**
```bash
# Install Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
```
2. **Logged in to Azure**
```bash
az login
az account set --subscription <subscription-id>
```
3. **Required Permissions**
- Contributor or Owner role on subscription
- Ability to create resource groups
- Ability to create storage accounts
- Ability to create CDN profiles
## Step-by-Step Setup
### Step 1: Check Quotas
```bash
./infra/scripts/azure-check-cdn-quotas.sh
```
This checks:
- Storage account quota
- CDN profile quota
- Resource group quota
- CDN endpoint quota
**Output**: `azure-cdn-quota-report.txt`
### Step 2: Set Up Infrastructure
```bash
./infra/scripts/azure-cdn-setup.sh
```
This creates:
- Resource group: `the-order-cdn-rg`
- Storage account: `theordercdn<timestamp>`
- Storage container: `images` (public blob access)
- CDN profile: `theorder-cdn-profile`
- CDN endpoint: `theorder-cdn-endpoint`
**Output**: `azure-cdn-config.env`
### Step 3: Upload Files
```bash
./scripts/deploy/upload-seals-to-azure.sh
```
Uploads all PNG files to Azure Blob Storage.
### Step 4: Update Manifest URLs
```bash
source azure-cdn-config.env
CDN_BASE_URL="${CDN_BASE_URL_CDN}" ./scripts/deploy/update-manifest-seal-urls.sh
```
## Infrastructure Components
### Storage Account
- **Name**: `theordercdn<timestamp>` (globally unique)
- **SKU**: Standard_LRS
- **Public Access**: Enabled for anonymous read of individual blobs (blob-level access, not container listing)
- **CORS**: Configured for GET, HEAD, OPTIONS
### Storage Container
- **Name**: `images`
- **Access Type**: Blob (anonymous read of individual blobs by name; no anonymous container listing)
- **Purpose**: Store credential seal PNG files
### CDN Profile
- **Name**: `theorder-cdn-profile`
- **SKU**: Standard_Microsoft
- **Purpose**: CDN profile for image delivery
### CDN Endpoint
- **Name**: `theorder-cdn-endpoint`
- **Origin**: Storage account blob host
- **Compression**: Enabled (gzip, deflate)
- **Cache**: 1 day default
## Configuration File
After setup, `azure-cdn-config.env` contains the following. It includes the storage account key, so keep it out of version control and restrict its file permissions:
```bash
# Storage Account
AZURE_STORAGE_ACCOUNT=theordercdn123456
AZURE_STORAGE_KEY=<key>
AZURE_STORAGE_CONTAINER=images
AZURE_RESOURCE_GROUP=the-order-cdn-rg
AZURE_LOCATION=westeurope
# CDN
AZURE_CDN_PROFILE=theorder-cdn-profile
AZURE_CDN_ENDPOINT=theorder-cdn-endpoint
AZURE_CDN_ENDPOINT_URL=<endpoint-url>
# URLs
CDN_BASE_URL_BLOB=https://theordercdn123456.blob.core.windows.net/images/
CDN_BASE_URL_CDN=https://<endpoint>.azureedge.net/images/
CDN_BASE_URL=${CDN_BASE_URL_CDN:-${CDN_BASE_URL_BLOB}}
```
## URLs
### Blob Storage URL (Immediate)
```
https://<storage-account>.blob.core.windows.net/images/
```
### CDN URL (After Propagation)
```
https://<cdn-endpoint>.azureedge.net/images/
```
**Note**: CDN endpoint takes 10-15 minutes to fully propagate.
## Quota Requirements
Minimum quotas needed:
- **Storage Accounts**: 1 available
- **CDN Profiles**: 1 available
- **CDN Endpoints**: 1 available per profile
- **Resource Groups**: 1 available
## Cost Estimation
Approximate monthly costs (West Europe):
- **Storage Account**: ~$0.02/GB/month
- **CDN Profile**: ~$0.04/GB egress
- **Blob Storage**: ~$0.0004/GB/month
For credential images (~17 files, ~200KB each = ~3.4MB total):
- **Storage**: ~$0.0001/month
- **CDN**: Depends on traffic (first 5GB free/month)
**Total**: ~$0-5/month depending on traffic
## Terraform Option
Alternatively, use Terraform:
```bash
cd infra/terraform
terraform init
terraform plan -target=azurerm_storage_account.cdn_images
terraform apply -target=azurerm_storage_account.cdn_images
```
## Verification
### Check Storage Account
```bash
az storage account show \
--name <storage-account> \
--resource-group the-order-cdn-rg
```
### Check Container
```bash
az storage container show \
--name images \
--account-name <storage-account> \
--account-key <key>
```
### Check CDN Endpoint
```bash
az cdn endpoint show \
--name theorder-cdn-endpoint \
--profile-name theorder-cdn-profile \
--resource-group the-order-cdn-rg
```
### Test File Access
```bash
curl -I https://<storage-account>.blob.core.windows.net/images/digital-bank-seal.png
```
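The checks above confirm the resources exist; the script below, added here as an example and not one of the project's own scripts, verifies the posture the Security section promises: HTTPS-only URLs, a seal readable anonymously, and anonymous container listing blocked (container access level `blob`, not `container`). It sources `azure-cdn-config.env` as Step 4 does and assumes the seal filename `digital-bank-seal.png` from the test above.

```shell
#!/usr/bin/env bash
# Added post-deployment check; not one of the project's own scripts.
# Reads azure-cdn-config.env and verifies the posture the Security section
# describes: HTTPS-only URLs, seal files readable, and anonymous container
# listing blocked (access level "blob", not "container").
set -eu

# 0 if the URL uses HTTPS, 1 otherwise.
is_https_url() {
  case "$1" in https://*) return 0 ;; *) return 1 ;; esac
}

# Anonymous listing of the container must not succeed; only HTTP 200 is a leak.
# Argument: HTTP status for GET <container>?restype=container&comp=list
listing_is_blocked() {
  [ "$1" != "200" ]
}

# Given the header dump from `curl -sI <seal-url>`, confirm the seal is
# returned with HTTP 200 and an image/png content type.
is_png_response() {
  printf '%s\n' "$1" | grep -qi '^HTTP/[0-9.]* 200' &&
    printf '%s\n' "$1" | grep -qi '^content-type: *image/png'
}

# Live checks; usage: ./check-cdn-posture.sh azure-cdn-config.env [seal.png]
run_live_checks() {
  local cfg="$1" seal="${2:-digital-bank-seal.png}" url status
  # shellcheck disable=SC1090
  . "$cfg"
  for url in "$CDN_BASE_URL_BLOB" "$CDN_BASE_URL_CDN"; do
    is_https_url "$url" || { echo "FAIL: not HTTPS: $url"; return 1; }
  done
  # A seal must be readable through the blob URL (CDN may still be propagating).
  is_png_response "$(curl -sI "${CDN_BASE_URL_BLOB}${seal}")" ||
    { echo "FAIL: ${seal} not served as image/png"; return 1; }
  # Listing must fail: "blob" access level allows reads of known names only.
  status=$(curl -s -o /dev/null -w '%{http_code}' \
    "${CDN_BASE_URL_BLOB%/}?restype=container&comp=list")
  listing_is_blocked "$status" ||
    { echo "FAIL: anonymous listing allowed (HTTP $status); set container access to blob"; return 1; }
  echo "OK: HTTPS-only, ${seal} readable, listing blocked (HTTP $status)"
}

# Run the live checks only when a config file is given on the command line.
if [ -n "${1:-}" ]; then run_live_checks "$@"; fi
```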
## Troubleshooting
### Quota Exceeded
- Request quota increase: https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade
- Or use existing storage account
### Storage Account Name Taken
- Script auto-generates unique name with timestamp
- Or specify: `AZURE_STORAGE_ACCOUNT=<custom-name>`
### CDN Endpoint Not Ready
- Wait 10-15 minutes for propagation
- Check status in Azure Portal
- Use blob URL temporarily
### Files Not Accessible
- Verify container has public blob access
- Check CORS configuration
- Verify file upload succeeded
## Security
- **HTTPS**: All URLs use HTTPS
- **Public Access**: Anonymous read of individual blobs only (no container listing, no write)
- **CORS**: Configured for cross-origin requests
- **Storage Key**: Keep secure, use managed identity in production
## Production Recommendations
1. **Use Managed Identity** instead of storage keys
2. **Enable CDN HTTPS** with custom domain
3. **Set up monitoring** for CDN usage
4. **Configure alerts** for quota limits
5. **Use Azure Key Vault** for secrets
## Next Steps
After setup:
1. ✅ Verify files are accessible
2. ✅ Update manifest templates
3. ✅ Test credential issuance
4. ✅ Monitor CDN usage
5. ✅ Set up custom domain (optional)
---
**Last Updated**: [Current Date]
**Status**: Ready for deployment