Merge pull request #1273 from DFE-Digital/migrate-gcp-wif
Migrate gcp wif
neillturner authored Dec 16, 2024
2 parents 154f4d6 + 7e03d52 commit 8ebcd36
Showing 9 changed files with 61 additions and 4 deletions.
5 changes: 5 additions & 0 deletions .github/actions/deploy-environment-aks/action.yml
Expand Up @@ -33,6 +33,11 @@ runs:
with:
azure-credentials: ${{ inputs.azure-credentials }}

- uses: google-github-actions/auth@v2
with:
project_id: teaching-qualifications
workload_identity_provider: projects/737868692824/locations/global/workloadIdentityPools/refer-serious-misconduct/providers/refer-serious-misconduct

- name: Terraform Apply
shell: bash
run: |
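Review bot: The `google-github-actions/auth@v2` step added here, together with its `project_id` and `workload_identity_provider` values, is repeated verbatim in `.github/workflows/delete-review-app.yml`, so a pool or provider rename must be made in two places; keeping the two values in one spot (inputs of this composite action fed from a repository variable, or a shared step) would avoid drift. The step only works when the calling job grants `id-token: write`, which a composite action cannot declare for itself, so a one-line comment above it such as `# requires id-token: write on the calling job` would make that dependency visible. Like the other steps in this file the action is pinned to a major tag; for a step that mints cloud credentials, pinning the third-party action to a full commit SHA is the usual hardening. The `runs:` block this step belongs to starts outside the hunk.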
5 changes: 5 additions & 0 deletions .github/workflows/build-and-deploy.yml
Expand Up @@ -39,6 +39,9 @@ jobs:
needs: [build_image]
environment:
name: aks-review
permissions:
pull-requests: write
id-token: write

steps:
- uses: actions/checkout@v4
Expand Down Expand Up @@ -77,6 +80,8 @@ jobs:
url: ${{ steps.deploy.outputs.environment_url }}
outputs:
environment_name: ${{ matrix.environment }}
permissions:
id-token: write

steps:
- uses: actions/checkout@v4
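Review bot: Declaring a job-level `permissions:` block, as both hunks now do, sets every scope that is not listed to `none`, so `contents` is no longer inherited by these jobs; unless a workflow-level `permissions:` block outside the hunk already grants it, the `actions/checkout@v4` steps that follow should get an explicit `contents: read` entry next to `id-token: write`. The same applies to the `permissions:` block added to the delete job in `.github/workflows/delete-review-app.yml`. Both job definitions start outside the hunk, so whether a workflow-level grant exists cannot be confirmed here.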
10 changes: 10 additions & 0 deletions .github/workflows/delete-review-app.yml
Expand Up @@ -10,13 +10,18 @@ on:
description: PR number of review app to delete
required: true
type: string

jobs:
delete-review-app-aks:
name: Delete Review App AKS ${{ github.event.pull_request.number }}
concurrency: deploy_review_${{ github.event.pull_request.number }}
if: contains(github.event.pull_request.labels.*.name, 'deploy-aks') || ${{ github.event_name }} == 'workflow_dispatch'
runs-on: ubuntu-latest
environment: aks-review
permissions:
pull-requests: write
id-token: write

steps:
- name: Checkout
uses: actions/checkout@v4
Expand All @@ -40,6 +45,11 @@ jobs:
with:
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}

- uses: google-github-actions/auth@v2
with:
project_id: teaching-qualifications
workload_identity_provider: projects/737868692824/locations/global/workloadIdentityPools/refer-serious-misconduct/providers/refer-serious-misconduct

- name: Terraform Destroy
run: |
make ci aks-review aks-terraform-destroy PR_NUMBER=${{ env.PR_NUMBER }}
1 change: 1 addition & 0 deletions config/initializers/dfe_analytics.rb
Expand Up @@ -8,4 +8,5 @@
disabled_by_default = Rails.env.development?
ENV.fetch("BIGQUERY_DISABLE", disabled_by_default.to_s) != "true"
end
config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS"
end
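Review bot: A point of style on the added line: `ENV.include?` is an alias of `ENV.key?`, and the line above already parenthesises call arguments, so `config.azure_federated_auth = ENV.key?("GOOGLE_CLOUD_CREDENTIALS")` reads more directly. A key-presence check enables federated auth whenever the variable exists, including with an empty value; since the Terraform side appears to inject it only when `enable_dfe_analytics_federated_auth` is true that is presumably intended, but a comment such as `# Injected by terraform/application only when federated auth is enabled` would record why presence alone is the switch. The block this line belongs to starts outside the hunk.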
8 changes: 6 additions & 2 deletions terraform/application/application.tf
Expand Up @@ -19,12 +19,15 @@ module "application_configuration" {
AZURE_STORAGE_CONTAINER = azurerm_storage_container.uploads.name
GROVER_NO_SANDBOX = "true"
PUPPETEER_EXECUTABLE_PATH = "/usr/bin/chromium-browser"
BIGQUERY_DATASET = var.dataset_name
BIGQUERY_PROJECT_ID = "refer-serious-misconduct"
BIGQUERY_TABLE_NAME = "events"
}
secret_variables = {
secret_variables = merge({
DATABASE_URL = module.postgres.url
REDIS_URL = module.redis-cache.url
AZURE_STORAGE_ACCESS_KEY = azurerm_storage_account.allegations.primary_access_key
}
}, local.federated_auth_secrets)
}

module "web_application" {
Expand Down Expand Up @@ -67,4 +70,5 @@ module "main_worker" {
command = ["/bin/sh", "-c", "bundle exec sidekiq -C config/sidekiq.yml"]
probe_command = ["pgrep", "-f", "sidekiq"]
enable_logit = var.enable_logit
enable_gcp_wif = true
}
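Review bot: `enable_gcp_wif = true` on `main_worker` is unconditional, while the GCP resources it relies on are created only when `var.enable_dfe_analytics_federated_auth` is true (`module.dfe_analytics` uses that flag as its `count`, and `config/test.tfvars.json` sets `dataset_name` without enabling the flag), so in those environments the worker is configured for workload identity federation with nothing to federate to; `enable_gcp_wif = var.enable_dfe_analytics_federated_auth` keeps the two in step. `BIGQUERY_PROJECT_ID = "refer-serious-misconduct"` duplicates the project id hard-coded in the `google` provider block of `dfe_analytics.tf`; a single variable or local used by both would stop them drifting. Whether `web_application` (defined between the two hunks, outside them) also needs `enable_gcp_wif` depends on which process sends the events, which is not visible here. Both module blocks start outside their hunks.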
4 changes: 3 additions & 1 deletion terraform/application/config/review.tfvars.json
Expand Up @@ -3,9 +3,11 @@
"namespace": "tra-development",
"deploy_azure_backing_services": false,
"enable_postgres_ssl": false,
"dataset_name": "events_dev",
"enable_dfe_analytics_federated_auth": true,
"webapp_startup_command": [
"/bin/sh",
"-c",
"bundle exec rails db:schema_load_or_migrate && bundle exec rails runner \"%i(eligibility_screener referral_form).each {|flag| FeatureFlags::FeatureFlag.activate(flag)}\" && bundle exec rails server -b 0.0.0.0"
"/usr/sbin/sshd && bundle exec rails db:migrate:ignore_concurrent_migration_exceptions && bundle exec rails runner \"%i(eligibility_screener referral_form).each {|flag| FeatureFlags::FeatureFlag.activate(flag)}\" && bundle exec rails server -b 0.0.0.0"
]
}
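Review bot: The replacement `webapp_startup_command` value goes beyond what the PR title and description cover: besides the two analytics settings, it now starts `/usr/sbin/sshd` in the review-app web container and swaps `db:schema_load_or_migrate` for `db:migrate:ignore_concurrent_migration_exceptions`. An SSH daemon inside the application container adds a listening service and a credential surface to every review app, so the description should state why it is needed, how access to it is restricted, and whether the image is built with sshd and its host keys. If the change is intentional, a separate commit would make it easier to find in history.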
3 changes: 2 additions & 1 deletion terraform/application/config/test.tfvars.json
@@ -1,5 +1,6 @@
{
"cluster": "test",
"namespace": "tra-test",
"enable_postgres_backup_storage": true
"enable_postgres_backup_storage": true,
"dataset_name": "events_test"
}
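--- /dev/null
+++ b/terraform/application/dfe_analytics.tf
@@ -0,0 +1,15 @@
+provider "google" {
+project = "refer-serious-misconduct"
+}
+
+module "dfe_analytics" {
+count = var.enable_dfe_analytics_federated_auth ? 1 : 0
+source = "./vendor/modules/aks//aks/dfe_analytics"
+
+azure_resource_prefix = var.azure_resource_prefix
+cluster = var.cluster
+namespace = var.namespace
+service_short = var.service_short
+environment = var.environment
+gcp_dataset = var.dataset_name
+}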
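Review bot: The `google` provider is configured unconditionally while `module.dfe_analytics` is instantiated only when `var.enable_dfe_analytics_federated_auth` is true, so for configs that leave the flag at its default (`config/test.tfvars.json`) confirm that `terraform plan` succeeds in a job that has no `google-github-actions/auth` step; if provider configuration still demands credentials there, the flag is not a clean opt-out. The project id `"refer-serious-misconduct"` is hard-coded both here and as `BIGQUERY_PROJECT_ID` in `application.tf`; a single variable or local (for example a constructed `gcp_project_id`) used by both would keep them consistent. No `required_providers` entry for `google` is visible in this commit — if none exists elsewhere, add a version constraint so `init` does not resolve the provider to whatever is latest.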
14 changes: 14 additions & 0 deletions terraform/application/variables.tf
Expand Up @@ -103,6 +103,16 @@ variable "webapp_startup_command" {
description = "Override Dockerfile startup command"
}

variable "enable_dfe_analytics_federated_auth" {
description = "Create the resources in Google cloud for federated authentication and enable in application"
default = false
}

variable "dataset_name" {
description = "dfe analytics dataset name in Google Bigquery"
default = null
}

locals {
postgres_ssl_mode = var.enable_postgres_ssl ? "require" : "disable"
storage_account_environment = var.config == var.environment ? var.config_short : replace(var.environment, "-", "")
Expand All @@ -111,4 +121,8 @@ locals {
environment_variables = yamldecode(file("${path.module}/config/${var.config}.yml"))
ingress_domain = "${var.service_name}-${var.environment}.${module.cluster_data.ingress_domain}"
external_domain = try(local.environment_variables["EXTERNAL_DOMAIN"], local.ingress_domain)

federated_auth_secrets = var.enable_dfe_analytics_federated_auth ? {
GOOGLE_CLOUD_CREDENTIALS = module.dfe_analytics[0].google_cloud_credentials
} : {}
}
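Review bot: Both new `variable` blocks lack a `type`, so `enable_dfe_analytics_federated_auth` accepts anything Terraform can coerce inside the `count` conditional and `dataset_name` accepts non-strings; add `type = bool` to the first and `type = string` to the second so a misconfigured tfvars file fails at validation rather than at apply. Because `dataset_name` defaults to `null` while the flag can be enabled independently, a config can create `module.dfe_analytics` with a null `gcp_dataset`; a `validation` block cannot reference another variable, but a `precondition` on the module would catch that combination. A short comment above `federated_auth_secrets` noting that the credential it forwards into `secret_variables` is, like every module output, presumably also recorded in state would help whoever reviews state-file access later.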
