← Back to download

A101 Installer Runbook

Audience: your cloud-ops team on install day. Prerequisite: you received an onboarding email from AltitudeIQ containing a download page URL and a bootstrap token. If either is missing, stop and contact support before proceeding.

Scope of work

The next four sections describe what the installer will create in your subscription, what it needs from you to do so, and how its outbound traffic is shaped. These are the items a procurement, security, or cloud-governance reviewer typically wants signed off before install day. The full pre-install checklist lives at pre-install checklist — it covers RBAC, policy, quota, and conditional-access checks in detail.

What we'll provision

All resources land in a single resource group named rg-<app-name> in the region you choose. The installer creates:

Microsoft.App — Container Apps environment + apps (backend, frontend, matching service, reconciler).
Microsoft.DBforPostgreSQL — PostgreSQL Flexible Server.
Microsoft.ContainerRegistry — Azure Container Registry for per-tenant image storage.
Microsoft.KeyVault — Key Vault + secrets, soft-delete and purge protection enabled.
Microsoft.ManagedIdentity — User-assigned managed identity for runtime operations.
Microsoft.Network — Virtual Network, Network Security Group, Public IP, NAT Gateway.
Microsoft.OperationalInsights — Log Analytics workspace + tables.
Microsoft.Insights — Diagnostic settings on the resources above.
Microsoft.Storage — Storage account (object storage + JCo connector library staging).

What permissions we need

The user running the installer holds Owner (or Contributor + User Access Administrator) at the subscription scope, only for the duration of the install window.
The installer grants the managed identity Contributor and Role Based Access Control Administrator on the new resource group; the second grant is what requires the installer to hold User Access Administrator at subscription scope.
After install, the installer-running user can be downgraded to Reader. All runtime operations are performed by the managed identity, scoped to the resource group.

Networking shape

Outbound HTTPS egress to cp.altitudeiq.ai (control plane), *.azurecr.io (image pull from AltitudeIQ's release ACR), and ghcr.io + *.pkg.github.com (transitive image storage during cross-tenant ACR import).
A NAT Gateway is provisioned so all outbound traffic exits via a single, stable public IP — useful for downstream firewall allow-listing.
Public ingress on Container Apps (HTTPS, TLS terminated by Azure) for the frontend and API.

1. Get the installer binary

Open the download page URL from your onboarding email. Type the email address that received the welcome message and click "Show download". You'll see:

Download installer — click to download via your browser, or
A curl command you can copy/paste into a terminal on the install host.

Run the installer on the Linux host where az login is configured. If that's the host with your browser, click the download link directly. If you're SSH'd into a server, copy the curl command and paste it into your terminal:

curl -L -o altitudeiq-installer "<paste-the-URL-from-the-page>"
chmod +x altitudeiq-installer

The download URL is short-lived (1 hour). If it expires before you've downloaded the binary, refresh the download page and re-enter your email — a new URL will be minted.

2. Authenticate to Azure

Before running these commands:

Install Azure CLI if it isn't already on the install host. Microsoft's install instructions: https://learn.microsoft.com/cli/azure/install-azure-cli — verify with az --version.
Get your tenant-id and subscription-id from your Azure admin (or run az account list -o table from any machine that already has az access to your tenant — the TenantId and SubscriptionId columns are the values you'll paste below).
Headless install host (no browser)? Append --use-device-code to az login and complete the prompt from a browser on a different device.

az login --tenant <your-tenant-id>
az account set --subscription <your-subscription-id>

The installer reads the current az context. Confirm the right subscription is selected:

az account show --query '{name: name, id: id}'

3. Run the installer

Pick an application name. Rules: 3–12 lowercase characters, digits, and hyphens, starting with a letter. Example: acme-aiq or contoso. The installer will prompt for it (and for the admin email + region) if you don't pass them as flags.

Recommended — interactive walk-through:

export ALTITUDEIQ_BOOTSTRAP_TOKEN='eyJhbGciOiJFZERTQSIs...'
./altitudeiq-installer

The installer prompts for app-name, admin-email, and region, runs pre-flight checks, prints what it's about to deploy, and asks for confirmation before any Azure resource is created.

Scripted / non-interactive — pass values as flags:

export ALTITUDEIQ_BOOTSTRAP_TOKEN='eyJhbGciOiJFZERTQSIs...'
./altitudeiq-installer \
  --app-name acme-aiq \
  --admin-email admin@acme.com \
  --location eastus2

The bootstrap token is always supplied via the ALTITUDEIQ_BOOTSTRAP_TOKEN environment variable (or the interactive prompt) — never as a CLI flag. Flag values are visible in ps/proc listings and shell history, which makes them a poor place for secrets.

The control plane URL and performance tier are resolved automatically: the URL is embedded in the release binary, and the tier is read from the bootstrap token claim. You don't need to pass either.

Expected output for a healthy install:

Parameter validation — [OK] All parameters valid and ARM template embedded.
Authentication — [OK] Authenticated to Azure (subscription: …).
Pre-flight checks — 10 checks run in ~40 seconds; all should be [PASS] or [WARN]. See §6 if any are [FAIL].
Confirmation — Proceed with deployment? [y/N] — type y and press Enter.
Deployment — => Deploying AltitudeIQ bootstrap infrastructure (this may take 5-10 minutes) followed by per-resource progress.
Reconciler bootstrap — => Watching reconciler bootstrap (the next 10–15 min is hands-off) while backend, frontend, matching, and PostgreSQL get provisioned.
Success — Frontend URL: https://… printed at the end. That URL is your instance.

Total elapsed time: ~20–30 minutes for a green install.

4. Verify

Open the printed Frontend URL in a browser. You should see the AltitudeIQ login page. Sign in with the admin email you supplied.

If the URL doesn't respond yet, wait up to 5 more minutes — the CDN may still be warming. After that, see §6.

5. Hand-off to end users

Once the frontend is live:

Your admin completes their initial profile + SSO configuration via the in-app onboarding flow.
Invite other users via the "Team" page.
Begin configuring data sources.

6. Troubleshooting

"Pre-flight checks failed"

The installer prints each failing check with a remediation hint. The most common ones:

[FAIL] rbac — your Azure account needs Owner (or Contributor + User Access Administrator) on the target subscription for the install window. Ask your cloud admin to grant this, then re-run.
[FAIL] providers — one or more Azure resource providers is unregistered. The installer prints the exact az provider register command to run.
[FAIL] image-manifest — almost always means the installer binary is from a dev build, not a release. Re-download from the canonical URL in §1.
[FAIL] arm-whatif — Azure Policy blocked a simulated deploy. The error names the specific policy. File with your Azure governance team and re-run once resolved.

"Invalid bootstrap token" during register

Three common causes:

Token expired. Bootstrap tokens have a 30-day lifetime. If yours is older, request a fresh one from your AltitudeIQ contact.
Token already used. Bootstrap tokens are single-use. If you re-ran the installer after a partial install, ask AltitudeIQ to either re-issue a token or clear the stuck state on their side.
Token tier doesn't match the install. The token is bound to a specific tier (starter / professional / enterprise / enterprise-plus) at issuance. The installer reads the tier from the token claim, so a "tier mismatch" message means the token you're holding is for a different tier than expected. Ask your AltitudeIQ contact to re-issue a token for the correct tier.

ARM deploy fails mid-way

Status "Deploying" for >20 min with no progress typically means a policy or quota block.

az deployment group list --resource-group rg-<app-name> \
  --query "[].{Name:name, State:properties.provisioningState, Error:properties.error}"

Look at the Error field. If it's RequestDisallowedByPolicy, see the installer output — the error translator names the remediation. If quota, file a ticket with Azure and re-run with --cleanup first to remove the partial install.

Frontend URL doesn't respond

First 5 min after install: wait. DNS + CDN propagation.
Still unresponsive after 10 min: check reconciler health from a machine with az auth to your subscription:
```
az containerapp logs show --name ca-<app-name>-reconciler \
  --resource-group rg-<app-name> --tail 100
```
Look for ERROR lines. If you can't parse them, attach the output to a support ticket.

Reconciler register returns 403

Usually means your AltitudeIQ tenant has been suspended (contract issue). Contact AltitudeIQ support.

7. Getting help

Email: support@altitudeiq.ai — include your install's --app-name, the Frontend URL (if you got one), and any visible error messages. Never include your bootstrap token or anything from Key Vault.
On-call bridge: for install-window incidents, your onboarding share contains a phone number. That number is staffed during the time window you agreed with AltitudeIQ.
Status: https://status.altitudeiq.ai for platform-wide issues.

8. What NOT to do

Don't paste the bootstrap token into Slack, email, or a ticketing system. It's a credential. Use your onboarding share's secure channel.
Don't share the Key Vault secrets the installer creates in your subscription. They're per-install and shouldn't leave your Azure tenant.
Don't delete the resource group without telling AltitudeIQ. If you need to uninstall, open a support ticket first — your tenant record on our side needs a graceful shutdown.
Don't re-use a bootstrap token across deployments. One token, one install. If you need a second environment, request a second token.