Update env secrets created when creating auth0 client

Adds AWS_DATA_ACCOUNT_ID and APP_ROLE_ARN to secrets that are then used to deploy an app. These are added to both environmnets although currently both values will be the same. This allows it to be extended in the future to have different values for different environments.
ministryofjustice · Feb 9, 2024 · 16693ad · 16693ad
1 parent f991c59
commit 16693ad
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 5 deletions.
diff --git a/controlpanel/api/cluster.py b/controlpanel/api/cluster.py
@@ -388,6 +388,8 @@ class App(EntityResource):
     AUTH0_CONNECTIONS = "AUTH0_CONNECTIONS"
     AUTHENTICATION_REQUIRED = "AUTHENTICATION_REQUIRED"
     AUTH0_PASSWORDLESS = "AUTH0_PASSWORDLESS"
+    APP_ROLE_ARN = "APP_ROLE_ARN"
+    DATA_ACCOUNT_ID = 'DATA_ACCOUNT_ID'
 
     def __init__(self, app, github_api_token=None, auth0_instance=None):
         super(App, self).__init__()
@@ -411,7 +413,9 @@ def create_or_update_secrets(self, env_name, secret_data):
 
     def _create_secrets(self, env_name, client=None):
         secret_data: dict = {
-            App.IP_RANGES: self.app.env_allowed_ip_ranges(env_name=env_name)
+            App.IP_RANGES: self.app.env_allowed_ip_ranges(env_name=env_name),
+            App.APP_ROLE_ARN: self.app.iam_role_arn,
+            App.DATA_ACCOUNT_ID: settings.AWS_DATA_ACCOUNT_ID
         }
         if client:
             secret_data[App.AUTH0_CLIENT_ID] = client["client_id"]
@@ -651,12 +655,13 @@ def get_env_vars(self, env_name):
         return app_env_vars
 
     def create_auth_settings(
-            self, env_name, disable_authentication=False, connections=None, app_domain=None
+        self, env_name, disable_authentication=False, connections=None, app_domain=None
     ):
         client = None
         group = None
-        connections = connections or \
-                      {auth0.ExtendedAuth0.DEFAULT_CONNECTION_OPTION: {}}
+        if connections is None:
+            connections = {auth0.ExtendedAuth0.DEFAULT_CONNECTION_OPTION: {}}
+
         if not disable_authentication:
             client, group = self._get_auth0_instance().setup_auth0_client(
                 client_name=self.app.auth0_client_name(env_name),
@@ -665,7 +670,8 @@ def create_auth_settings(
                 app_domain=app_domain
             )
             self.app.save_auth_settings(
-                env_name=env_name, client=client, group=group)
+                env_name=env_name, client=client, group=group
+            )
         self._create_secrets(env_name, client=client)
         self._create_env_vars(
             env_name,

diff --git a/tests/api/cluster/test_app.py b/tests/api/cluster/test_app.py
@@ -4,6 +4,7 @@
 
 # Third-party
 import pytest
+from django.conf import settings
 
 # First-party/Local
 from controlpanel.api import cluster, models
@@ -156,5 +157,22 @@ def test_update_auth_connections(app, ExtendedAuth0):
             existing_conns='github')
 
 
+@patch("controlpanel.api.models.App.env_allowed_ip_ranges", new=MagicMock(return_value="1.2.3"))
+def test_create_secrets(app):
+    app_cluster = cluster.App(app)
+    secrets = {
+        app_cluster.IP_RANGES: "1.2.3",
+        app_cluster.APP_ROLE_ARN: app.iam_role_arn,
+        app_cluster.DATA_ACCOUNT_ID: settings.AWS_DATA_ACCOUNT_ID
+    }
+    with patch.object(app_cluster, "create_or_update_secrets"):
+        app_cluster._create_secrets(env_name="dev", client=None)
+        app_cluster.create_or_update_secrets.assert_called_once_with(
+            env_name="dev",
+            secret_data=secrets
+        )
+
+
+# TODO can this be removed?
 mock_ingress = MagicMock(name="Ingress")
 mock_ingress.spec.rules = [MagicMock(name="Rule", host="test-app.example.com")]