Explanation and setup guide for orchestration of configuration files between projects or instances
The project in a Convier instance can be configured by another Convier instance. A typical use case for this is to have the User Acceptance Testing environment manage the Production environment, to make sure testing occurs in a realistic environment. It also enables multiple banks to securely share the same Convier configuration.
Below is a list of steps needed to set up Config Orchestration when running with Azure/Entra ID, followed by some information security considerations.
- One (orchestrating instance), create project A (orchestrating project)
- Two (orchestrated instance), create project B (orchestrated project)
- Two, add app role Task.Orchestrate. Set that only applications can be given access.
- One, add the created role as an application permission and grant admin consent
- B, go to Config, Manage project and add access Orchestrate to role Task.Orchestrate
- One, make sure environment variable ORCHESTRATION_ENABLED is set to true (otherwise you will not see the button mentioned in the next step)
- One, go to Orchestration
- A, the URL of Two (with /convier at the end), app scope (application id of app registration used by Two), click “Get instance projects”, select B and click add.

A to B

Orchestrate is able to see and change the configuration of the project, but is not allowed to access any data. It is technically allowed to perform normal requests like search and load, but it is prohibited from connecting to any data sources. This means that any search or load request will return an empty result, or an error message. Any such requests will be logged as normal in the audit logs.

B (disable auto merge, go to created branch, add auth, merge).
The deploy mechanism will also try to avoid overwriting instance-specific config, like base URLs to APIs.
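As an added example (not Convier's own code), the Python below audits the two Entra ID facts the setup relies on: that the app role Task.Orchestrate in the app registration of Two is assignable to applications only, and that a token presented by One carries that role as an app-only token. The `appRoles` manifest layout and the `aud`, `roles` and `scp` claim names are standard Entra ID; the sample manifest, its GUID and the function names are constructed for illustration, and the token is assumed to have had its signature verified already.

```python
import json

ROLE = "Task.Orchestrate"  # app role name from the setup steps

# Constructed sample: appRoles section of the app registration manifest for Two.
SAMPLE_MANIFEST = json.loads("""
{"appRoles": [
  {"allowedMemberTypes": ["Application"],
   "displayName": "Orchestrate", "description": "Config orchestration",
   "id": "00000000-0000-0000-0000-000000000001",
   "isEnabled": true, "value": "Task.Orchestrate"}
]}
""")

def audit_app_role(manifest, role=ROLE):
    """Return findings for the role definition; an empty list means OK."""
    matches = [r for r in manifest.get("appRoles", []) if r.get("value") == role]
    if not matches:
        return [f"app role {role} is not defined"]
    findings = []
    for r in matches:
        if not r.get("isEnabled", False):
            findings.append(f"{role} is disabled")
        members = r.get("allowedMemberTypes") or []
        # "User" in this list would let people or groups be assigned the role.
        if members != ["Application"]:
            findings.append(f"{role} must be application-only, got {members}")
    return findings

def audit_token_claims(claims, expected_aud, role=ROLE):
    """Check the claims of an already signature-verified access token."""
    findings = []
    if claims.get("aud") != expected_aud:
        findings.append("audience does not match the app registration of Two")
    if role not in claims.get("roles", []):
        findings.append(f"roles claim lacks {role}")
    # App-only (client credentials) tokens carry roles and no scp claim.
    if "scp" in claims:
        findings.append("scp claim present: delegated token, not app-only")
    return findings

if __name__ == "__main__":
    print(audit_app_role(SAMPLE_MANIFEST))
    print(audit_token_claims({"aud": "api://two", "roles": [ROLE]}, "api://two"))
```

The `expected_aud` value depends on how the app registration of Two exposes its application ID, so pass the value configured as app scope in the Orchestration step.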