

Adding GCloud federated authentication for analytics teaching-qualifications workspace
shaheislamdfe committed Dec 4, 2024
1 parent 5ce12ba commit 7f9a5a3
Showing 9 changed files with 61 additions and 21 deletions.
5 changes: 5 additions & 0 deletions .github/actions/deploy-environment/action.yml
Expand Up @@ -33,6 +33,11 @@ runs:
with:
azure-credentials: ${{ inputs.azure-credentials }}

- uses: google-github-actions/auth@v2
with:
project_id: teaching-qualifications
workload_identity_provider: projects/708780292301/locations/global/workloadIdentityPools/access-your-teaching-qualificati/providers/access-your-teaching-qualifications

- name: Terraform Apply
shell: bash
run: |
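Review bot: The new `google-github-actions/auth@v2` step hard-codes `project_id` and the full `workload_identity_provider` resource path inside a reusable composite action, while the Azure step directly above takes its credentials through `inputs.azure-credentials`; exposing the two GCP values as action inputs (these values as defaults) keeps the action consistent and makes the trust relationship reviewable in one place. The step also only succeeds when the calling job grants `id-token: write`, which a composite action cannot declare for itself, so a comment above it such as `# Requires the calling job to set permissions: id-token: write (OIDC token for GCP workload identity federation)` would save the next caller a failed run. No `service_account` is given, so the OIDC token appears to be used directly against the pool provider rather than impersonating a service account; stating which identity the provider maps it to, if known, belongs in the same comment. The `runs:` block starts above this hunk.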
8 changes: 8 additions & 0 deletions .github/workflows/build-and-deploy.yml
Expand Up @@ -22,6 +22,7 @@ on:
options:
- production


jobs:
build_image:
name: Image build and push
Expand All @@ -46,6 +47,9 @@ jobs:
needs: [build_image]
environment:
name: review
permissions:
pull-requests: write
id-token: write

steps:
- uses: actions/checkout@v4
Expand Down Expand Up @@ -99,6 +103,8 @@ jobs:
environment:
name: ${{ matrix.environment }}
url: ${{ steps.deploy.outputs.environment_url }}
permissions:
id-token: write

steps:
- uses: actions/checkout@v4
Expand All @@ -119,6 +125,8 @@ jobs:
environment:
name: production
url: ${{ steps.deploy.outputs.environment_url }}
permissions:
id-token: write

steps:
- uses: actions/checkout@v4
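Review bot: The job-level `permissions:` blocks added to the review, matrix-environment and production deploy jobs list only `id-token: write` (plus `pull-requests: write` for review), and a job-level `permissions` key sets every unlisted scope to `none` for that job; `actions/checkout@v4` follows immediately in each, so `contents: read` should be listed alongside `id-token: write` unless checkout of this repository is known to work with no token scope. The same applies to all three hunks in this file. A one-line comment on the new scope, e.g. `# OIDC token for GCP workload identity federation in deploy-environment`, would record why a deploy job needs it.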
1 change: 1 addition & 0 deletions config/initializers/dfe_analytics.rb
Expand Up @@ -4,6 +4,7 @@
config.queue = :analytics
config.environment = HostingEnvironment.environment_name
config.entity_table_checks_enabled = true
config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS"

config.enable_analytics =
proc do
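Review bot: `ENV.include? "GOOGLE_CLOUD_CREDENTIALS"` enables federated auth whenever the key exists, including when its value is an empty string, which is plausible if the Terraform module output is ever blank; checking the value rather than the key, `config.azure_federated_auth = ENV["GOOGLE_CLOUD_CREDENTIALS"].present?` (or `!ENV["GOOGLE_CLOUD_CREDENTIALS"].to_s.empty?` without ActiveSupport), fails back to the existing credential path instead of enabling a mode that cannot work. A comment stating where the variable comes from, e.g. `# Set by terraform/application only when enable_dfe_analytics_federated_auth is true`, would tie the two ends together. The configure block that owns these `config.` assignments starts and ends outside this hunk.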
30 changes: 15 additions & 15 deletions terraform/app.tf
@@ -1,21 +1,21 @@
locals {
aytq_env_vars = merge(try(local.infrastructure_secrets, null),
{
AZURE_STORAGE_ACCOUNT_NAME = azurerm_storage_account.evidence.name,
AZURE_STORAGE_ACCESS_KEY = azurerm_storage_account.evidence.primary_access_key,
AZURE_STORAGE_CONTAINER = azurerm_storage_container.uploads.name
BIGQUERY_DATASET = "events_${var.environment_name}",
BIGQUERY_PROJECT_ID = "teaching-qualifications",
BIGQUERY_TABLE_NAME = "events",
CHECK_RECORDS_DOMAIN = var.check_domain != null ? "https://${var.check_domain}" : "https://${local.aytq_web_app_name}.azurewebsites.net"
ConnectionStrings__Redis = azurerm_redis_cache.redis.primary_connection_string
DATABASE_PASSWORD = local.infrastructure_secrets.POSTGRES_ADMIN_PASSWORD
DATABASE_URL = "postgres://postgres@${local.postgres_server_name}.postgres.database.azure.com:5432"
DOCKER_REGISTRY_SERVER_URL = "https://ghcr.io",
HOSTING_DOMAIN = var.domain != null ? "https://${var.domain}" : "https://${local.aytq_web_app_name}.azurewebsites.net"
HOSTING_ENVIRONMENT_NAME = local.hosting_environment
RAILS_SERVE_STATIC_FILES = "true"
REDIS_URL = "rediss://:${azurerm_redis_cache.redis.primary_access_key}@${azurerm_redis_cache.redis.hostname}:${azurerm_redis_cache.redis.ssl_port}/0"
AZURE_STORAGE_ACCOUNT_NAME = azurerm_storage_account.evidence.name,
AZURE_STORAGE_ACCESS_KEY = azurerm_storage_account.evidence.primary_access_key,
AZURE_STORAGE_CONTAINER = azurerm_storage_container.uploads.name
BIGQUERY_DATASET = "events_${var.environment_name}",
BIGQUERY_PROJECT_ID = "teaching-qualifications",
BIGQUERY_TABLE_NAME = "events",
CHECK_RECORDS_DOMAIN = var.check_domain != null ? "https://${var.check_domain}" : "https://${local.aytq_web_app_name}.azurewebsites.net"
ConnectionStrings__Redis = azurerm_redis_cache.redis.primary_connection_string
DATABASE_PASSWORD = local.infrastructure_secrets.POSTGRES_ADMIN_PASSWORD
DATABASE_URL = "postgres://postgres@${local.postgres_server_name}.postgres.database.azure.com:5432"
DOCKER_REGISTRY_SERVER_URL = "https://ghcr.io",
HOSTING_DOMAIN = var.domain != null ? "https://${var.domain}" : "https://${local.aytq_web_app_name}.azurewebsites.net"
HOSTING_ENVIRONMENT_NAME = local.hosting_environment
RAILS_SERVE_STATIC_FILES = "true"
REDIS_URL = "rediss://:${azurerm_redis_cache.redis.primary_access_key}@${azurerm_redis_cache.redis.hostname}:${azurerm_redis_cache.redis.ssl_port}/0"
}
)
}
5 changes: 3 additions & 2 deletions terraform/application/application.tf
Expand Up @@ -23,11 +23,11 @@ module "application_configuration" {
BIGQUERY_TABLE_NAME = "events"
RAILS_SERVE_STATIC_FILES = "true"
}
secret_variables = {
secret_variables = merge({
DATABASE_URL = module.postgres.url
REDIS_URL = module.redis-cache.url
AZURE_STORAGE_ACCESS_KEY = azurerm_storage_account.evidence.primary_access_key
}
}, local.federated_auth_secrets)
}

module "web_application" {
Expand Down Expand Up @@ -70,4 +70,5 @@ module "worker_application" {
replicas = var.worker_replicas
docker_image = var.docker_image
enable_logit = true
enable_gcp_wif = true
}
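Review bot: `enable_gcp_wif = true` on `worker_application` is unconditional, while the credentials it pairs with (`local.federated_auth_secrets`, merged into `secret_variables` in the first hunk) and the `dfe_analytics` module are both gated on `var.enable_dfe_analytics_federated_auth`; environments with the flag off would still receive whatever workload-identity annotation or binding the vendored module applies, assuming that is what the flag controls. Tying it to the same variable, `enable_gcp_wif = var.enable_dfe_analytics_federated_auth`, keeps the two consistent. Only the worker gets the flag; if `web_application` also emits analytics events it may need the same setting, and a short comment either way would settle it. `module "worker_application"` opens above this hunk.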
3 changes: 2 additions & 1 deletion terraform/application/config/review.tfvars.json
Expand Up @@ -3,5 +3,6 @@
"namespace": "tra-development",
"deploy_azure_backing_services": false,
"enable_postgres_ssl": false,
"evidence_container_retention_in_days": 1
"evidence_container_retention_in_days": 1,
"enable_dfe_analytics_federated_auth": true
}
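--- a/terraform/application/dfe_analytics.tf
+++ b/terraform/application/dfe_analytics.tf
@@ -0,0 +1,15 @@
+provider "google" {
+project = "teaching-qualifications"
+}
+
+module "dfe_analytics" {
+count = var.enable_dfe_analytics_federated_auth ? 1 : 0
+source = "./vendor/modules/aks//aks/dfe_analytics"
+
+azure_resource_prefix = var.azure_resource_prefix
+cluster = var.cluster
+namespace = var.namespace
+service_short = var.service_short
+environment = var.environment
+gcp_dataset = "events_${var.config}"
+}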
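Review bot: The new `provider "google"` block has no matching entry in `required_providers` — the `terraform.tf` hunk in this commit only re-aligns the statuscake entry — so `hashicorp/google` would be resolved implicitly with no version constraint, unlike the providers this configuration already pins (e.g. `version = "2.32.0"`). Add `google = { source = "hashicorp/google", version = "<pinned-version>" }` (placeholder version) to `required_providers` so the lockfile and upgrades stay explicit. Separately, `gcp_dataset = "events_${var.config}"` should be checked against the `BIGQUERY_DATASET` the application is configured to write to (that value sits above the visible hunk in `application.tf`, and `terraform/app.tf` uses `"events_${var.environment_name}"`); if the two ever differ, the federated identity is granted on a dataset the app does not use. A header comment explaining that the module provisions the GCP workload-identity resources and returns `google_cloud_credentials` for the app would help, since the provider block is unconditional while the module is count-gated.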
6 changes: 3 additions & 3 deletions terraform/application/terraform.tf
Expand Up @@ -10,8 +10,8 @@ terraform {
version = "2.32.0"
}
statuscake = {
source = "StatusCakeDev/statuscake"
version = "2.2.2"
source = "StatusCakeDev/statuscake"
version = "2.2.2"
}
}
backend "azurerm" {
Expand Down Expand Up @@ -42,5 +42,5 @@ provider "kubernetes" {
}

provider "statuscake" {
api_token = module.infrastructure_secrets.map.STATUSCAKE-API-TOKEN
api_token = module.infrastructure_secrets.map.STATUSCAKE-API-TOKEN
}
9 changes: 9 additions & 0 deletions terraform/application/variables.tf
Expand Up @@ -89,6 +89,11 @@ variable "postgres_enable_high_availability" {
default = false
}

variable "enable_dfe_analytics_federated_auth" {
description = "Create the resources in Google cloud for federated authentication and enable in application"
default = false
}

locals {
postgres_ssl_mode = var.enable_postgres_ssl ? "require" : "disable"

Expand All @@ -105,4 +110,8 @@ locals {
# s189paytqevidpdsa vs s189daytqevidpr12345sa
storage_account_environment = var.config == var.environment ? var.config_short : replace(var.environment, "-", "")
evidence_storage_account_name = "${local.azure_resource_prefix_short}aytqevid${local.storage_account_environment}sa"

federated_auth_secrets = var.enable_dfe_analytics_federated_auth ? {
GOOGLE_CLOUD_CREDENTIALS = module.dfe_analytics[0].google_cloud_credentials
} : {}
}
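Review bot: `variable "enable_dfe_analytics_federated_auth"` has a `description` and `default` but no `type = bool`; adding it makes a mistyped tfvars value fail at plan time instead of being coerced inside the `count` and `federated_auth_secrets` conditionals. The `federated_auth_secrets` local hands `module.dfe_analytics[0].google_cloud_credentials` to the application as a secret; a comment at its definition, e.g. `# GCP WIF credential configuration; secret — consumed only via secret_variables in application.tf`, makes that handling requirement explicit where the value originates. The `locals` block containing the second hunk starts above it.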

