Pearl Test Environment — Complete Implementation Guide

A subscription is like a billing account — all resources you create go inside it. Resource groups are folders that organise related resources together. We create three: one for networking (hub), one for application servers (spoke), and one for database resources (data).

• Subscription created with budget alert at £800/month (prevents surprise bills)
• Resource groups created with proper tags (so you can track costs and ownership)
• RBAC roles assigned: Contributor for infra team, Reader for QA team

The Hub VNet is the "security checkpoint" network. It contains Azure Bastion (your secure remote desktop gateway — you connect to VMs through this instead of exposing them to the internet) and Azure Firewall (controls what outbound traffic is allowed).

Then deploy Azure Bastion (Standard SKU) and Azure Firewall (Standard SKU). Configure firewall rules to allow outbound access to GitHub, NuGet, Azure Blob Storage, and sandbox API endpoints only. Block everything else by default.

• Hub VNet created (10.1.0.0/16)
• Azure Bastion deployed — you can now RDP to VMs securely
• Azure Firewall deployed with outbound rules for GitHub, NuGet, Blob Storage, and sandbox APIs

The Spoke VNet is where your actual application servers live. We divide it into subnets (floors) so the web server, worker server, build server, and database are each isolated.

• Spoke VNet created with 4 subnets
• VNet peering established between Hub ↔ Spoke
• Route table created: all internet traffic (0.0.0.0/0) → Azure Firewall

NSGs are like security guards at each floor. They check: "Is this traffic allowed to come in / go out of this subnet?" We create one NSG per subnet with rules that only allow the exact traffic Pearl needs.

• One NSG created and attached per subnet
• Default deny — only explicitly allowed traffic passes
• Verified: VMs cannot be accessed directly from the internet

Key Vault is like a secure lockbox for passwords and API keys. Instead of storing database passwords in configuration files (insecure!), we store them in Key Vault and let the servers retrieve them securely using their managed identities.

1. Create Key Vault: kv-pearl-test in rg-pearl-test-spoke
2. Enable soft-delete (accidentally deleted secrets can be recovered) and purge protection (prevents permanent deletion for 90 days)
3. Add all the secrets: 17 database connection strings, Stripe test key, GoCardless sandbox token, Mailgun sandbox key, Genesys sandbox org ID, S3 test bucket credentials

Azure Blob Storage is like a cloud hard drive. We use it to store database backup files, restore scripts, and deployment artifacts. Create a storage account called stpearltest with three containers: backup (holds DB backups from production), restore (processed files), and scripts (automation scripts).

• Storage account created (LRS redundancy, Hot tier, UK South)
• Lifecycle management: auto-delete backups older than 28 days
• Encryption at rest enabled (Microsoft-managed keys)

SQL Managed Instance is a fully-managed SQL Server in the cloud. It's compatible with on-premises SQL Server features (which Pearl relies on heavily) but Azure handles patching, backups, and high availability for you. This is where all 17 databases will live.

This is the "front desk". It runs IIS (Internet Information Services — Microsoft's web server), hosts the Pearl web application, internal web services, Memcached (a caching layer), and Apache Solr (the search engine). Operators and clients interact with Pearl through this server.

1. Provision VM: Standard_D4s_v5 (4 vCPU, 16 GB RAM), Windows Server 2022 Datacenter
2. Place in snet-web subnet, NO public IP (accessed only via Bastion)
3. Harden OS: enable Windows Update, disable unnecessary features, enable disk encryption (BitLocker), configure Windows Firewall to match NSG rules
4. Install IIS with ASP.NET 4.5 support:
   Install-WindowsFeature Web-Server, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Console, Web-Http-Redirect
5. Create 5 IIS sites with correct bindings:

6. Install and configure Memcached as a Windows service on port 11211
7. Install Java Runtime + Apache Solr as a Windows service on port 8983
8. Add hosts file entries pointing to internal IPs
9. Configure auto-shutdown at 19:00 UTC (saves costs since this is test-only)

This is the "back office". It runs 4 Windows services that do background processing — queue processing (executing scheduled jobs), health monitoring, AI quality scoring, and real-time notifications (Totem). These run 24/7 and don't have a visible web interface.

1. Provision VM: Standard_D2s_v5 (2 vCPU, 8 GB RAM), Windows Server 2022
2. Install .NET Framework 3.5 (for Totem — it's built on an older .NET version) and .NET 4.8.1 (for ai-spooler)
3. Create directory structure and register 4 Windows services:
   sc create QueueProcessor binPath="D:\apps\queue-processor\MessageQueueProcessor.exe" start=auto sc create SystemChecker binPath="D:\apps\system-checker\SystemChecker.exe" start=auto sc create AISpooler binPath="D:\apps\ai-spooler\AISpooler.exe" start=auto sc create TotemServer binPath="D:\apps\totem\Totem2.exe" start=auto
4. Add hosts file entries mapping internal hostnames to IPs
5. Configure auto-shutdown at 19:00 UTC

This is the "workshop". It compiles code (MSBuild), runs the GitHub Actions runner (which automates deployments), and hosts the database restore tooling. No end-users ever interact with this server.

1. Provision VM: Standard_D2s_v5, Windows Server 2022
2. Install Visual Studio Build Tools 2022 (with MSBuild 17, .NET 4.8 and 3.5 targeting packs, NuGet CLI)
3. Install Git for Windows
4. Install and configure GitHub Actions self-hosted runner (detailed in Phase 4)
5. Create restore tools directory: D:\restore-tools\
6. Configure auto-shutdown at 19:00 UTC

Managed Identity is like giving a VM its own ID card. Instead of storing Key Vault passwords on the VM (which defeats the purpose), the VM uses its identity to authenticate with Key Vault automatically. Azure handles this behind the scenes — no passwords needed.

1. Enable System-assigned Managed Identity on VM1, VM2, VM3
2. Grant Key Vault access: VM1 gets Secret Read, VM2 gets Secret Read, VM3 gets Secret Read + Storage Contributor
3. Test: RDP into each VM, try to read a secret from Key Vault using PowerShell — it should work without providing any credentials

What is a self-hosted runner? GitHub Actions normally runs your code on GitHub's servers in the cloud. But Pearl needs to build inside your private Azure network (because the code needs access to NuGet packages and the network is firewalled). A self-hosted runner is software you install on VM3 that connects to GitHub and says "I'm ready to run jobs."

1. Go to your GitHub repository → Settings → Actions → Runners → "New self-hosted runner"
2. Select "Windows" and "x64"
3. GitHub shows you a token — copy it. Remote desktop into VM3 via Bastion
4. Download the runner package and run the configuration:
   # On VM3, in PowerShell (Administrator): # Create a folder for the runner mkdir C:\actions-runner ; cd C:\actions-runner # Download the latest runner (GitHub shows you the URL) Invoke-WebRequest -Uri https://github.com/actions/runner/releases/download/v2.XXX.X/actions-runner-win-x64-2.XXX.X.zip -OutFile actions-runner.zip # Extract Expand-Archive -Path actions-runner.zip -DestinationPath . # Configure — GitHub gives you the exact command with your token .\config.cmd --url https://github.com/YOUR-ORG/message-direct --token YOUR_TOKEN --name pearl-test-runner --labels self-hosted,windows,pearl-test # Install as a Windows service so it starts automatically .\svc.cmd install .\svc.cmd start
5. Verify: go back to GitHub → Settings → Actions → Runners — your runner should show "Online" with a green dot

This is the recipe that tells GitHub how to compile Pearl's code. It's a YAML file that lives in your repository. Here's what it does:

When a developer pushes code to the main, develop, or release/* branch, this workflow automatically:

1. Downloads the latest code from GitHub
2. Restores NuGet packages (third-party libraries Pearl depends on)
3. Compiles all 7+ components using MSBuild
4. Packages the compiled output as a "build artifact" that the deploy workflow can use

This is the recipe that deploys compiled code to the test servers. It has a manual trigger and requires someone to click "Approve" before it runs — so nobody accidentally deploys.

This workflow runs the PowerShell restore script from Phase 3 on a schedule (every Saturday) or manually when needed.

Before calling Phase 4 done, prove everything works reliably:

• Test #1: Push code to develop branch → verify build workflow runs automatically and succeeds
• Test #2: Trigger deploy workflow → approve → verify code appears on VM1 and VM2
• Test #3: Access the Pearl login page via browser → verify HTTP 200
• Test #4: Force a deployment failure (deploy broken code) → verify rollback restores the previous version
• Test #5: Trigger database refresh → verify all 17 databases are restored and masked
• Document all workflows, parameters, and troubleshooting steps in the operations runbook

"Smoke testing" means testing the most important things work. The name comes from electronics — if you plug something in and smoke comes out, you know there's a problem. We test the critical user journeys:

• Operator login: Navigate to Pearl login page → authenticate → see the dashboard
• Message capture: Create a test message via the operator screen → verify it appears in the database
• Client portal: Log in as a test client → view messages → view rota schedule
• Queue processor: Verify jobs are processing (check Process_MachineStates table)
• System checker: Verify health checks running (check checkjobs table)
• Totem: Verify long-poll registration works (/ping endpoint responds)
• Integration safety: Verify Stripe calls use test mode (check API logs)
• Integration safety: Verify no SMS messages are sent (check SMSSpoolOutgoing table)
• Integration safety: Verify Mailgun uses sandbox domain (emails don't reach real people)

Create the documents the team will rely on after the build is complete:

• Deployment guide: How to deploy code changes (step-by-step with screenshots)
• Backup & restore guide: How to refresh test data manually when needed
• Troubleshooting runbook: Common issues and how to fix them
• Secret rotation procedure: How to rotate passwords and API keys
• VM start/stop guide: How to turn VMs on/off for cost savings
• Architecture diagram: Final diagram with actual IPs, hostnames, and component placement
• Recorded walkthrough video: Screen recording of the full deploy cycle (build → approve → deploy → verify)

The formal transfer of ownership. After this, the operations team runs the environment independently.

1. Live walkthrough session with the operations team (deployment, restore, rollback, troubleshooting)
2. Record the session for future reference
3. Confirm named owners and support responsibilities
4. Formal handover acceptance sign-off