From 64b834d2e4f10b948f3c1ed74d454ae60954767b Mon Sep 17 00:00:00 2001
From: cwrw
Date: Mon, 29 Jan 2024 17:52:02 +0000
Subject: [PATCH] Enable azure rbac on deployment
Update Makefile, terraform and workflows to use rbac if configured for the cluster.
---
 .../backup-and-restore-snapshot-database/action.yml | 6 +++++-
 .github/actions/backup-and-upload-database/action.yml | 6 +++++-
 .github/actions/deploy-environment-to-aks/action.yml | 7 +++++--
 .github/actions/refresh-migration-database/action.yml | 6 +++++-
 .github/actions/sanitise-and-upload-database/action.yml | 6 +++++-
 .github/workflows/aks_destroy_review.yml | 2 +-
 Makefile | 1 +
 terraform/aks/providers.tf | 9 +++++++++
 8 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/.github/actions/backup-and-restore-snapshot-database/action.yml b/.github/actions/backup-and-restore-snapshot-database/action.yml
index 5a0c2ccb00..6f9d08d0b5 100644
--- a/.github/actions/backup-and-restore-snapshot-database/action.yml
+++ b/.github/actions/backup-and-restore-snapshot-database/action.yml
@@ -21,9 +21,13 @@ runs:
 with:
 creds: ${{ inputs.azure-credentials }}
+ - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+ with:
+ azure-credentials: ${{ inputs.azure-credentials }}
+
 - name: Set AKS credentials
 shell: bash
- run: az aks get-credentials -g s189p01-tsc-pd-rg -n s189p01-tsc-production-aks
+ run: make ci production get-cluster-credentials
 - name: Install kubectl
 uses: azure/setup-kubectl@v3
diff --git a/.github/actions/backup-and-upload-database/action.yml b/.github/actions/backup-and-upload-database/action.yml
index b2a8ebcfdf..195ba13d7c 100644
--- a/.github/actions/backup-and-upload-database/action.yml
+++ b/.github/actions/backup-and-upload-database/action.yml
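Review bot: The newly added `- uses: DFE-Digital/github-actions/set-kubelogin-environment@master` step is pinned to a mutable branch and is handed `inputs.azure-credentials`, so whatever lands on that branch later runs with the deployment's Azure credentials; pin it to a full commit SHA instead, e.g. `- uses: DFE-Digital/github-actions/set-kubelogin-environment@<commit-sha-placeholder> # <tag-placeholder>`, and let an automated bump move it. The same applies to the identical steps added in backup-and-upload-database, deploy-environment-to-aks, refresh-migration-database, sanitise-and-upload-database and aks_destroy_review.yml. The `set-arm-environment-variables@master` references this commit replaces had the same exposure, so this is pre-existing rather than introduced here, but it is the natural moment to close it.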
@@ -18,9 +18,13 @@ runs:
 with:
 creds: ${{ inputs.azure-credentials }}
+ - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+ with:
+ azure-credentials: ${{ inputs.azure-credentials }}
+
 - name: Set AKS credentials
 shell: bash
- run: az aks get-credentials -g s189p01-tsc-pd-rg -n s189p01-tsc-production-aks
+ run: make ci production get-cluster-credentials
 - name: Install kubectl
 uses: azure/setup-kubectl@v3
diff --git a/.github/actions/deploy-environment-to-aks/action.yml b/.github/actions/deploy-environment-to-aks/action.yml
index 257b0b1537..a3f23b718b 100644
--- a/.github/actions/deploy-environment-to-aks/action.yml
+++ b/.github/actions/deploy-environment-to-aks/action.yml
@@ -39,7 +39,7 @@ runs:
 terraform_version: 1.5.4
 terraform_wrapper: false
- - uses: DFE-Digital/github-actions/set-arm-environment-variables@master
+ - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
 with:
 azure-credentials: ${{ inputs.azure-credentials }}
@@ -63,8 +63,11 @@ runs:
 if: ${{ inputs.pull-request-number != '' }}
 shell: bash
 run: |
- az aks get-credentials --resource-group s189t01-tsc-ts-rg --name s189t01-tsc-test-aks
+ make ci review get-cluster-credentials
 kubectl exec -n cpd-development deployment/cpd-ecf-review-${{ inputs.pull-request-number }}-web -- sh -c "cd /app && /usr/local/bin/bundle exec rails db:safe_reset"
+ env:
+ PULL_REQUEST_NUMBER: ${{ inputs.pull-request-number }}
+
 - uses: ./.github/actions/smoke-test
 with:
diff --git a/.github/actions/refresh-migration-database/action.yml b/.github/actions/refresh-migration-database/action.yml
index e043e407d7..e6c67cd0c6 100644
--- a/.github/actions/refresh-migration-database/action.yml
+++ b/.github/actions/refresh-migration-database/action.yml
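Review bot: In the second deploy-environment-to-aks hunk the `kubectl exec` line still interpolates `${{ inputs.pull-request-number }}` straight into the `run:` script, even though the hunk now exports the same value as the `PULL_REQUEST_NUMBER` environment variable for the step; reading the variable instead, `kubectl exec -n cpd-development "deployment/cpd-ecf-review-${PULL_REQUEST_NUMBER}-web" -- sh -c "cd /app && /usr/local/bin/bundle exec rails db:safe_reset"`, keeps the input out of the script text and removes the expression-injection surface GitHub documents for `run:` steps. Whether the input can only ever be a numeric PR number is not visible here, so a guard such as `[[ "$PULL_REQUEST_NUMBER" =~ ^[0-9]+$ ]] || exit 1` at the top of the script would make that explicit. The earlier `if: ${{ inputs.pull-request-number != '' }}` only checks for emptiness, not shape.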
@@ -21,6 +21,10 @@ runs:
 with:
 creds: ${{ inputs.azure-credentials }}
+ - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+ with:
+ azure-credentials: ${{ inputs.azure-credentials }}
+
 - name: Install kubectl
 uses: azure/setup-kubectl@v3
@@ -30,7 +34,7 @@ runs:
 - name: Set AKS credentials (production)
 shell: bash
- run: az aks get-credentials -g s189p01-tsc-pd-rg -n s189p01-tsc-production-aks
+ run: make ci production get-cluster-credentials
 - name: Backup production DB
 shell: bash
diff --git a/.github/actions/sanitise-and-upload-database/action.yml b/.github/actions/sanitise-and-upload-database/action.yml
index 92b506d63e..f235bf2394 100644
--- a/.github/actions/sanitise-and-upload-database/action.yml
+++ b/.github/actions/sanitise-and-upload-database/action.yml
@@ -33,9 +33,13 @@ runs:
 with:
 creds: ${{ inputs.azure-credentials }}
+ - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+ with:
+ azure-credentials: ${{ inputs.azure-credentials }}
+
 - name: Set AKS credentials
 shell: bash
- run: az aks get-credentials -g s189p01-tsc-pd-rg -n s189p01-tsc-production-aks
+ run: make ci production get-cluster-credentials
 - name: Install kubectl
 uses: azure/setup-kubectl@v3
diff --git a/.github/workflows/aks_destroy_review.yml b/.github/workflows/aks_destroy_review.yml
index ac29cf01d7..11d817aaba 100644
--- a/.github/workflows/aks_destroy_review.yml
+++ b/.github/workflows/aks_destroy_review.yml
@@ -38,7 +38,7 @@ jobs:
 echo "TF_STATE_EXISTS=true" >> $GITHUB_ENV
 fi
- - uses: DFE-Digital/github-actions/set-arm-environment-variables@master
+ - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
 if: env.TF_STATE_EXISTS == 'true'
 with:
 azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
diff --git a/Makefile b/Makefile
index 2bded97f08..dc0848c593 100644
--- a/Makefile
+++ b/Makefile
@@ -146,6 +146,7 @@ production-cluster:
 get-cluster-credentials: set-azure-account
 az aks get-credentials --overwrite-existing -g ${CLUSTER_RESOURCE_GROUP_NAME} -n ${CLUSTER_NAME}
+ kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)
 .PHONY: install-konduit
 install-konduit: ## Install the konduit script, for accessing backend services
diff --git a/terraform/aks/providers.tf b/terraform/aks/providers.tf
index 5f0a62748d..8a8ae78106 100644
--- a/terraform/aks/providers.tf
+++ b/terraform/aks/providers.tf
@@ -17,6 +17,15 @@ provider "kubernetes" {
 client_certificate = module.cluster_data.kubernetes_client_certificate
 client_key = module.cluster_data.kubernetes_client_key
 cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate
+
+ dynamic "exec" {
+ for_each = module.cluster_data.azure_RBAC_enabled ? [1] : []
+ content {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "kubelogin"
+ args = module.cluster_data.kubelogin_args
+ }
+ }
 }
 provider "statuscake" {
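Review bot: The new `kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)` line runs on every `get-cluster-credentials` invocation regardless of whether the target cluster has Azure RBAC enabled, whereas the terraform side gates the exec credential on `azure_RBAC_enabled`; if kubelogin leaves a certificate-only kubeconfig untouched this is harmless, but that assumption deserves a recipe comment, e.g. `# rewrite kubeconfig to obtain AAD tokens via kubelogin (spn in CI, az cli locally); expected to be a no-op for clusters without Azure RBAC`. The recipe now hard-requires the `kubelogin` binary on PATH, and none of the action hunks in this patch add an install step, so CI will fail here unless `set-kubelogin-environment` provides it — worth confirming. In `spn` mode kubelogin reads the service principal id and secret from environment variables, so this target and its `set-azure-account` prerequisite should never echo their environment or run with `SHELL` tracing enabled.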
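Review bot: The `dynamic "exec"` block is added while `client_certificate`, `client_key` and `cluster_ca_certificate` stay set unconditionally, so when `azure_RBAC_enabled` is true the kubernetes provider is configured with both a client certificate and an exec credential; from this hunk alone it is not clear which one actually authenticates, and if `cluster_data` still emits admin certificate material for RBAC clusters the exec path may never be exercised (or may mask a cert that should have been revoked). Consider gating the certificate attributes on the same flag, `client_certificate = module.cluster_data.azure_RBAC_enabled ? null : module.cluster_data.kubernetes_client_certificate` and likewise for `client_key`, or add a comment on the `dynamic` block explaining why both are intended. A comment should also state that `kubelogin` must be on PATH wherever `terraform plan`/`apply` runs, including local workstations, since the provider will otherwise fail at credential time rather than at init. `azure_RBAC_enabled` and `kubelogin_args` come from a module not included in this patch, so their semantics are taken on trust here.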