diff --git a/.github/actions/deploy-environment/action.yml b/.github/actions/deploy-environment/action.yml index 2801d915..830e8fc6 100644 --- a/.github/actions/deploy-environment/action.yml +++ b/.github/actions/deploy-environment/action.yml @@ -33,6 +33,11 @@ runs: with: azure-credentials: ${{ inputs.azure-credentials }} + - uses: google-github-actions/auth@v2 + with: + project_id: teaching-qualifications + workload_identity_provider: projects/63681705511/locations/global/workloadIdentityPools/teaching-qualifications/providers/teaching-qualifications + - name: Terraform Apply shell: bash run: | diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index 484f8982..ab41860f 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml @@ -22,6 +22,10 @@ on: options: - production +permissions: + pull-requests: write + id-token: write + jobs: build_image: name: Image build and push diff --git a/config/initializers/dfe_analytics.rb b/config/initializers/dfe_analytics.rb index 6f4c1826..35b642fd 100644 --- a/config/initializers/dfe_analytics.rb +++ b/config/initializers/dfe_analytics.rb @@ -4,6 +4,9 @@ config.queue = :analytics config.environment = HostingEnvironment.environment_name config.entity_table_checks_enabled = true + config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS" + + config.bigquery_maintenance_window = "08-09-2024 18:00..08-09-2024 19:00" config.enable_analytics = proc do diff --git a/terraform/application/application.tf b/terraform/application/application.tf index cdba3aaf..b33349f9 100644 --- a/terraform/application/application.tf +++ b/terraform/application/application.tf 
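Review bot: `google-github-actions/auth@v2` is pinned only to a moving major tag, and this is the step that exchanges the job's OIDC token for Google Cloud credentials, so a malicious re-tag of the action would hand an attacker the federated identity; pin it to a full commit SHA with the version in a trailing comment, e.g. `- uses: google-github-actions/auth@<40-char-sha> # v2.x.y`. The project number and `workload_identity_provider` path are hard-coded inside a reusable composite action; exposing them as inputs next to `azure-credentials` would stop every caller being silently bound to this one pool. No `service_account` is given, so the step presumably relies on direct Workload Identity Federation — a comment saying so, and noting that the calling workflow must grant `id-token: write` or the token request fails, would help the next reader. The `runs:` step list continues outside the hunk.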
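Review bot: The new top-level `permissions:` block grants `id-token: write` and `pull-requests: write` to every job in the workflow, including `build_image`, which needs neither; scope them to the job that calls the deploy-environment action instead (`permissions: { id-token: write, contents: read }` under that job) to keep the OIDC grant as narrow as possible. Declaring any `permissions` key also drops every unlisted permission to `none`, so if `build_image` checks out a private repository or pushes to GHCR it now needs `contents: read` / `packages: write` listed explicitly — the jobs are outside the hunk, so confirm. `pull-requests: write` is not needed for the Google auth exchange; if it serves a PR-comment step, a comment naming that step would justify it.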
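Review bot: `ENV.include? "GOOGLE_CLOUD_CREDENTIALS"` enables federated auth whenever the variable merely exists, even if it is injected empty, so a misconfigured environment fails at token exchange instead of falling back; `config.azure_federated_auth = ENV["GOOGLE_CLOUD_CREDENTIALS"].present?` expresses the intent more safely. The Terraform side builds the secret map with a `null` value when the flag is off, and whether the AKS module drops that entry or injects a blank variable is not visible here — worth confirming. Pairing a setting named `azure_federated_auth` with a Google variable deserves a comment, e.g. `# dfe-analytics exchanges the pod's Azure workload identity token for a GCP token; GOOGLE_CLOUD_CREDENTIALS holds the WIF client config, not a key file` (hedged, as the gem's behaviour is not in the diff). The hard-coded `bigquery_maintenance_window` should carry a comment giving its date format and who removes it once the window has passed.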
@@ -23,11 +23,11 @@ module "application_configuration" { BIGQUERY_TABLE_NAME = "events" RAILS_SERVE_STATIC_FILES = "true" } - secret_variables = { + secret_variables = merge({ DATABASE_URL = module.postgres.url REDIS_URL = module.redis-cache.url AZURE_STORAGE_ACCESS_KEY = azurerm_storage_account.evidence.primary_access_key - } + }, local.federated_auth_secrets) } module "web_application" { @@ -70,4 +70,5 @@ module "worker_application" { replicas = var.worker_replicas docker_image = var.docker_image enable_logit = true + enable_gcp_wif = true } diff --git a/terraform/application/config/review.tfvars.json b/terraform/application/config/review.tfvars.json index b9f09a74..a2f0fe23 100644 --- a/terraform/application/config/review.tfvars.json +++ b/terraform/application/config/review.tfvars.json @@ -3,5 +3,6 @@ "namespace": "tra-development", "deploy_azure_backing_services": false, "enable_postgres_ssl": false, - "evidence_container_retention_in_days": 1 + "evidence_container_retention_in_days": 1, + "enable_dfe_analytics_federated_auth": true } diff --git a/terraform/application/dfe_analytics.tf b/terraform/application/dfe_analytics.tf new file mode 100644 index 00000000..0c5e1a5f --- /dev/null +++ b/terraform/application/dfe_analytics.tf @@ -0,0 +1,14 @@ +provider "google" { + project = "teaching-qualifications" +} + +module "dfe_analytics" { + source = "./vendor/modules/dfe-terraform-modules//aks/dfe_analytics" + + azure_resource_prefix = var.azure_resource_prefix + cluster = var.cluster + namespace = var.namespace + service_short = var.service_short + environment = var.environment + gcp_dataset = "events_${var.config}" +} diff --git a/terraform/application/variables.tf b/terraform/application/variables.tf index 684f0a9d..3e7d7d2b 100644 --- a/terraform/application/variables.tf +++ b/terraform/application/variables.tf 
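Review bot: `merge({...}, local.federated_auth_secrets)` will still carry a `GOOGLE_CLOUD_CREDENTIALS` key with a `null` value when the feature is off, given how the local is written in variables.tf, so the key reaches `application_configuration` regardless of the flag; unless that module filters nulls, the Rails initializer's `ENV.include?` check will see the variable and turn federated auth on in environments with no GCP identity. Defining the local as either `{ GOOGLE_CLOUD_CREDENTIALS = ... }` or `{}` avoids the null entry altogether. Whether the module tolerates null secret values is not visible in this diff — confirm. `module "application_configuration"` starts outside the hunk.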
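Review bot: `enable_gcp_wif = true` is set only on `worker_application`, while the `GOOGLE_CLOUD_CREDENTIALS` secret is added to the shared `application_configuration` and so reaches the web pods as well; if the web process ever runs the analytics job inline, or the initializer enables federated auth from the env var alone, web pods will attempt a token exchange with no workload identity bound. Either set `enable_gcp_wif = true` on `web_application` too, or add `# analytics queue runs in the worker only; web pods receive the credential config but no GCP identity` so the asymmetry is clearly deliberate. The `worker_application` module block starts outside the hunk.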
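Review bot: `module "dfe_analytics"` has no `count`, so the Google Cloud resources are created in every environment regardless of `enable_dfe_analytics_federated_auth`, and the `module.dfe_analytics[0]` reference in variables.tf indexes a module that is not a list; add `count = var.enable_dfe_analytics_federated_auth ? 1 : 0` to the module block. The `provider "google"` block carries no `required_providers` constraint in this file — if it is not pinned elsewhere, `terraform init` will pick up the latest provider on every run. A header comment stating what the vendored module creates and what `google_cloud_credentials` returns (presumably a WIF client configuration rather than a key — to be confirmed against the module) would help, since the module source is not in the diff.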
@@ -89,6 +89,11 @@ variable "postgres_enable_high_availability" { default = false } +variable "enable_dfe_analytics_federated_auth" { + description = "Create the resources in Google cloud for federated authentication and enable in application" + default = false +} + locals { postgres_ssl_mode = var.enable_postgres_ssl ? "require" : "disable" @@ -105,4 +110,8 @@ locals { # s189paytqevidpdsa vs s189daytqevidpr12345sa storage_account_environment = var.config == var.environment ? var.config_short : replace(var.environment, "-", "") evidence_storage_account_name = "${local.azure_resource_prefix_short}aytqevid${local.storage_account_environment}sa" + + federated_auth_secrets = { + GOOGLE_CLOUD_CREDENTIALS = var.enable_dfe_analytics_federated_auth ? module.dfe_analytics[0].google_cloud_credentials : null + } : {} }
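Review bot: `variable "enable_dfe_analytics_federated_auth"` declares no `type`, so malformed tfvars values are only caught when the conditional in locals evaluates them; add `type = bool` beside the default so `terraform validate` rejects them up front. The description says the variable creates the Google Cloud resources, but the module in dfe_analytics.tf has no `count` keyed on it — either wire the `count` in or reword the description to match. The neighbouring `postgres_enable_high_availability` block begins outside the hunk.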
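Review bot: The `federated_auth_secrets` local is not valid HCL as written: `{ GOOGLE_CLOUD_CREDENTIALS = cond ? x : null } : {}` has a trailing `: {}` with no preceding condition, and `module.dfe_analytics[0]` requires the module to declare `count`, which dfe_analytics.tf does not. The intended shape is presumably `federated_auth_secrets = var.enable_dfe_analytics_federated_auth ? { GOOGLE_CLOUD_CREDENTIALS = module.dfe_analytics[0].google_cloud_credentials } : {}`, which also avoids passing a null-valued key into `secret_variables` when the feature is off. Add a one-line comment above it such as `# WIF client configuration consumed by dfe-analytics; empty when federated auth is disabled` (hedged — the output's contents are not in the diff), since the name `google_cloud_credentials` reads like a service-account key.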