Enable gcp wif in review env

DFE-Digital · Nov 25, 2024 · 5682df6 · 5682df6
1 parent f3775e2
commit 5682df6
Show file tree

Hide file tree

Showing 9 changed files with 74 additions and 16 deletions.
diff --git a/.github/actions/deploy/action.yml b/.github/actions/deploy/action.yml
@@ -72,6 +72,11 @@ runs:
       with:
         creds: ${{ inputs.azure-credentials }}
 
+    - uses: google-github-actions/auth@v2
+      with:
+        project_id: teaching-qualifications
+        workload_identity_provider: projects/708780292301/locations/global/workloadIdentityPools/check-childrens-barred-list/providers/check-childrens-barred-list
+
     - name: Validate Azure Key Vault secrets
       uses: DFE-Digital/github-actions/validate-key-vault-secrets@master
       with:

diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
@@ -25,6 +25,7 @@ permissions:
   deployments: write
   packages: write
   pull-requests: write
+  id-token: write
 
 jobs:
   build:

diff --git a/Makefile b/Makefile
@@ -65,6 +65,7 @@ terraform-init: install-terrafile set-azure-account
 	$(eval export TF_VAR_config_short=$(CONFIG_SHORT))
 	$(eval export TF_VAR_service_short=$(SERVICE_SHORT))
 	$(eval export TF_VAR_rg_name=$(RESOURCE_GROUP_NAME))
+	$(eval export TF_VAR_config=${CONFIG})
 
 terraform-plan: terraform-init
 	terraform -chdir=terraform/aks plan -var-file "config/${CONFIG}.tfvars.json"

diff --git a/config/initializers/dfe_analytics.rb b/config/initializers/dfe_analytics.rb
@@ -4,6 +4,7 @@
   config.queue = :analytics
   config.environment = HostingEnvironment.environment_name
   config.entity_table_checks_enabled = true
+  config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS"
 
   config.enable_analytics =
     proc do

diff --git a/terraform/aks/.terraform.lock.hcl b/terraform/aks/.terraform.lock.hcl
diff --git a/terraform/aks/application.tf b/terraform/aks/application.tf
@@ -41,6 +41,8 @@ module "worker_application" {
   command       = ["bundle", "exec", "sidekiq", "-C", "./config/sidekiq.yml"]
   probe_command = ["pgrep", "-f", "sidekiq"]
   enable_logit           = var.enable_logit
+
+  enable_gcp_wif = true
 }
 
 module "application_configuration" {

diff --git a/terraform/aks/config/review.tfvars.json b/terraform/aks/config/review.tfvars.json
@@ -17,5 +17,6 @@
   ],
   "replicas": 1,
   "memory_max": "1Gi",
-  "enable_logit": true
+  "enable_logit": true,
+  "enable_dfe_analytics_federated_auth": true
 }
diff --git a/terraform/aks/dfe_analytics.tf b/terraform/aks/dfe_analytics.tf
@@ -0,0 +1,15 @@
+provider "google" {
+  project = "teaching-qualifications"
+}
+
+module "dfe_analytics" {
+  count = var.enable_dfe_analytics_federated_auth ? 1 : 0
+  source = "./vendor/modules/aks//aks/dfe_analytics"
+
+  azure_resource_prefix = var.azure_resource_prefix
+  cluster               = var.cluster
+  namespace             = var.namespace
+  service_short         = var.service_short
+  environment           = var.environment
+  gcp_dataset           = "ccbl_events_${var.config}"
+}
diff --git a/terraform/aks/variables.tf b/terraform/aks/variables.tf
@@ -138,6 +138,15 @@ variable "statuscake_contact_groups" {
 
 variable "enable_logit" { default = false }
 
+variable "enable_dfe_analytics_federated_auth" {
+  description = "Create the resources in Google cloud for federated authentication and enable in application"
+  default     = false
+}
+
+variable "config" {
+  description = "Long name of the environment configuration, e.g. development, staging, production..."
+}
+
 locals {
   service_name = "check-childrens-barred-list"
   version      = "1.9.7"
@@ -169,6 +178,7 @@ locals {
     {
       DATABASE_URL = module.postgres.url,
       REDIS_URL    = module.redis.url,
+      GOOGLE_CLOUD_CREDENTIALS = module.dfe_analytics[0].google_cloud_credentials
     }
   )
 }