diff --git a/.github/actions/deploy-environment/action.yml b/.github/actions/deploy-environment/action.yml index 1409f7f2f9..1bde7873f8 100644 --- a/.github/actions/deploy-environment/action.yml +++ b/.github/actions/deploy-environment/action.yml @@ -38,6 +38,11 @@ runs: with: azure-credentials: ${{ inputs.azure-credentials }} + - uses: google-github-actions/auth@v2 + with: + project_id: teaching-qualifications + workload_identity_provider: projects/638192024625/locations/global/workloadIdentityPools/claim-additional-payments/providers/claim-additional-payments + - name: Terraform Apply shell: bash run: | diff --git a/.github/workflows/build_and_deploy.yml b/.github/workflows/build_and_deploy.yml index 2f42adc56c..f549e00f2e 100644 --- a/.github/workflows/build_and_deploy.yml +++ b/.github/workflows/build_and_deploy.yml @@ -13,9 +13,9 @@ on: type: choice default: review options: - - review - - test - - production + - review + - test + - production docker-image-tag: description: "Docker image tag to deploy (optional)" required: true @@ -59,6 +59,9 @@ jobs: needs: [build] environment: name: review + permissions: + pull-requests: write + id-token: write steps: - name: Checkout code @@ -107,6 +110,8 @@ jobs: max-parallel: 1 matrix: environment: [test, production] + permissions: + id-token: write steps: - name: Checkout code @@ -160,6 +165,8 @@ jobs: url: ${{ steps.deploy_manual.outputs.environment_url }} outputs: environment_url: ${{ steps.deploy_manual.outputs.environment_url }} + permissions: + id-token: write steps: - name: Checkout code diff --git a/.github/workflows/delete_review_app.yml b/.github/workflows/delete_review_app.yml index 91275ef9b6..4d00573154 100644 --- a/.github/workflows/delete_review_app.yml +++ b/.github/workflows/delete_review_app.yml 
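Review bot: The new `google-github-actions/auth@v2` step in the action.yml hunk only works when the calling job grants `id-token: write`, and a composite action cannot declare that for itself, so the requirement is invisible here; add a comment above the step such as `# Needs permissions: id-token: write on the calling job (direct Workload Identity Federation, no service_account)`. The `project_id: teaching-qualifications` and the full `workload_identity_provider` resource name are repeated verbatim in the delete_review_app.yml hunk at -33, so exposing them as action inputs with these values as defaults (or a repository variable) would keep the two callers in step when the pool or provider changes. The pool lives in project `teaching-qualifications` (number 638192024625) while terraform hard-codes `claim-additional-payments` for the google provider — presumably a shared pool, but it is worth confirming that the provider's attribute condition limits token exchange to this repository and its deployment environments. The `runs:` step list continues past the end of the hunk.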
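Review bot: A job-level `permissions:` block sets every scope that is not listed to `none`, so after the -59 hunk in build_and_deploy.yml the review job's GITHUB_TOKEN has only `pull-requests: write` and `id-token: write`, with no `contents: read`; `actions/checkout@v4` on the next line still succeeds against a public repository, but fails with a permission error if this repository is or becomes private. The same applies to the -107 and -160 hunks in this file and to the -17 hunk in delete_review_app.yml, which grant only `id-token: write`. Add `contents: read` next to the new scopes in each block, and note in a comment which later step needs `pull-requests: write` on the review job, since the google auth step itself does not. Each job definition continues past its hunk.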
@@ -17,9 +17,13 @@ jobs: runs-on: ubuntu-latest if: > github.event.action == 'closed' && contains(github.event.pull_request.labels.*.name, 'deploy') || - (github.event.action == 'unlabeled' && github.event.label.name == 'deploy') || - (github.event_name == 'workflow_dispatch') + (github.event.action == 'unlabeled' && github.event.label.name == 'deploy') || (github.event_name == + 'workflow_dispatch') environment: review + permissions: + pull-requests: write + id-token: write + steps: - name: Checkout uses: actions/checkout@v4 @@ -33,6 +37,11 @@ jobs: with: azure-credentials: ${{ secrets.AZURE_CREDENTIALS }} + - uses: google-github-actions/auth@v2 + with: + project_id: teaching-qualifications + workload_identity_provider: projects/638192024625/locations/global/workloadIdentityPools/claim-additional-payments/providers/claim-additional-payments + - name: Terraform destroy run: | if [ ${{ github.event_name }} == 'workflow_dispatch' ]; then diff --git a/config/initializers/dfe_analytics.rb b/config/initializers/dfe_analytics.rb index 8f4a1f704e..161b720cff 100644 --- a/config/initializers/dfe_analytics.rb +++ b/config/initializers/dfe_analytics.rb @@ -51,4 +51,5 @@ # to all events we send to BigQuery. # # config.environment = ENV.fetch('RAILS_ENV', 'development') + config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS" end diff --git a/terraform/application/application.tf b/terraform/application/application.tf index 34a7229e5a..dfa40f1e91 100644 --- a/terraform/application/application.tf +++ b/terraform/application/application.tf 
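Review bot: The reflowed `if: >` condition in the -17 hunk now breaks inside a comparison, `(github.event_name ==` followed by `'workflow_dispatch')` on the next line; a folded scalar joins them with a space so the expression still evaluates, but the previous one-clause-per-line layout was easier to check by eye. Keep `(github.event_name == 'workflow_dispatch')` on its own line, or exempt this key from the line-length rule that drove the wrap. The job block continues past the hunk.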
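Review bot: `config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS"` in the dfe_analytics.rb hunk switches authentication mode on the mere presence of the key, so a variable that is defined but empty still enables federated auth; within Rails, `ENV["GOOGLE_CLOUD_CREDENTIALS"].present?` treats that case as off. Nothing in the initializer says where the variable comes from, so a comment above the line, `# GOOGLE_CLOUD_CREDENTIALS is injected by terraform only when enable_dfe_analytics_federated_auth is set`, would tie the Rails toggle to the infrastructure flag. The enclosing configure block starts outside the hunk.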
@@ -13,9 +13,12 @@ module "application_configuration" { config_variables = merge( local.app_env_values, { - ENVIRONMENT_NAME = var.environment - PGSSLMODE = local.postgres_ssl_mode - CANONICAL_HOSTNAME = local.canonical_hostname + ENVIRONMENT_NAME = var.environment + PGSSLMODE = local.postgres_ssl_mode + CANONICAL_HOSTNAME = local.canonical_hostname + BIGQUERY_DATASET = var.dataset_name + BIGQUERY_PROJECT_ID = "claim-additional-payments" + BIGQUERY_TABLE_NAME = "events" }) secret_variables = merge( { @@ -23,8 +26,8 @@ module "application_configuration" { }, var.enable_monitoring ? { HEARTBEAT_CHECK_URL = module.statuscake[0].heartbeat_check_urls[local.heartbeat_check_name] - } : {} - ) + } : {}, + local.federated_auth_secrets) } module "web_application" { @@ -47,6 +50,7 @@ module "web_application" { replicas = var.web_replicas enable_logit = var.enable_logit + enable_gcp_wif = true } module "worker_application" { diff --git a/terraform/application/config/production.tfvars.json b/terraform/application/config/production.tfvars.json index 855c0fd94b..52567a044b 100644 --- a/terraform/application/config/production.tfvars.json +++ b/terraform/application/config/production.tfvars.json @@ -19,5 +19,6 @@ "enable_monitoring": true, "statuscake_contact_groups": [195955, 282453], "external_url": "https://www.claim-additional-teaching-payment.service.gov.uk/healthcheck", - "enable_logit": true + "enable_logit": true, + "dataset_name": "claim_events_production" } diff --git a/terraform/application/config/review.tfvars.json b/terraform/application/config/review.tfvars.json index 496c0b3474..42068ac341 100644 --- a/terraform/application/config/review.tfvars.json +++ b/terraform/application/config/review.tfvars.json 
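Review bot: `BIGQUERY_DATASET = var.dataset_name` in the -13 hunk puts a `null` into `config_variables` for any environment that does not set `dataset_name` (its default in variables.tf is `null`), and `BIGQUERY_PROJECT_ID = "claim-additional-payments"` hard-codes a value that dfe_analytics.tf hard-codes again for the google provider. Depending on how the application_configuration module renders its map, a null entry may fail the apply or emit an empty variable; either give `dataset_name` a validation or non-null default, or merge the three `BIGQUERY_*` keys only when it is set. Moving the project id into a local shared with the provider block keeps the two from drifting. The `module "application_configuration"` block continues past the hunk.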
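Review bot: `enable_gcp_wif = true` in the -47 hunk is unconditional, while the GCP-side resources (`module.dfe_analytics`) and the `GOOGLE_CLOUD_CREDENTIALS` secret are gated on `var.enable_dfe_analytics_federated_auth`, which only review.tfvars.json sets; `enable_gcp_wif = var.enable_dfe_analytics_federated_auth` keeps the pod-side identity setting (presumably what this module input configures) on only where credentials to use it exist. The `worker_application` module, whose body starts after the hunk, receives no equivalent setting; if the worker also emits analytics events it needs the same value.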
@@ -6,5 +6,7 @@ "enable_postgres_ssl": false, "startup_command": ["/bin/sh", "-c", "bin/rails server -b 0.0.0.0"], "worker_command": ["/bin/sh", "-c", "bin/bundle exec bin/delayed_job run -n 1"], - "enable_logit": true + "enable_logit": true, + "dataset_name": "events_dev", + "enable_dfe_analytics_federated_auth": true } diff --git a/terraform/application/config/test.tfvars.json b/terraform/application/config/test.tfvars.json index 78e9ccfdce..efc1b7205b 100644 --- a/terraform/application/config/test.tfvars.json +++ b/terraform/application/config/test.tfvars.json @@ -11,5 +11,6 @@ "statuscake_contact_groups": [195955, 282453], "external_url": "https://test.claim-additional-teaching-payment.service.gov.uk/healthcheck", "enable_logit": true, - "enable_postgres_backup_storage": true + "enable_postgres_backup_storage": true, + "dataset_name": "claim_events_test" } diff --git a/terraform/application/dfe_analytics.tf b/terraform/application/dfe_analytics.tf new file mode 100644 index 0000000000..3ea75a47cc --- /dev/null +++ b/terraform/application/dfe_analytics.tf @@ -0,0 +1,15 @@ +provider "google" { + project = "claim-additional-payments" +} + +module "dfe_analytics" { + count = var.enable_dfe_analytics_federated_auth ? 1 : 0 + source = "./vendor/modules/aks//aks/dfe_analytics" + + azure_resource_prefix = var.azure_resource_prefix + cluster = var.cluster + namespace = var.namespace + service_short = var.service_short + environment = var.environment + gcp_dataset = var.dataset_name +} diff --git a/terraform/application/variables.tf b/terraform/application/variables.tf index d95514bf47..7f7472e1e9 100644 --- a/terraform/application/variables.tf +++ b/terraform/application/variables.tf 
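Review bot: The new `provider "google"` block in dfe_analytics.tf has no `required_providers` entry or version constraint visible in this diff, so unless a `terraform {}` block elsewhere already pins it, `terraform init` floats to the newest hashicorp/google release; add `google = { source = "hashicorp/google", version = "~> <PINNED_VERSION>" }` to the existing `required_providers`. The project id `claim-additional-payments` is duplicated between this block and application.tf, so a single local would make a rename a one-line change. A header comment such as `# Google Cloud side of dfe-analytics federated auth; created only when enable_dfe_analytics_federated_auth is true, consumed via module.dfe_analytics[0].google_cloud_credentials` would explain why the module is counted and where its output goes.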
@@ -84,10 +84,23 @@ variable "enable_logit" { nullable = false } +variable "enable_dfe_analytics_federated_auth" { + description = "Create the resources in Google cloud for federated authentication and enable in application" + default = false +} + +variable "dataset_name" { + description = "dfe analytics dataset name in Google Bigquery" + default = null +} + locals { postgres_ssl_mode = var.enable_postgres_ssl ? "require" : "disable" canonical_hostname = var.canonical_hostname != null ? var.canonical_hostname : "${var.service_name}-${var.environment}-web.test.teacherservices.cloud" app_env_values_from_yml = yamldecode(file("${path.module}/config/${var.config}_app_env.yml")) app_env_values = merge(local.app_env_values_from_yml) heartbeat_check_name = "${var.service_name}-${var.environment}-worker" + federated_auth_secrets = var.enable_dfe_analytics_federated_auth ? { + GOOGLE_CLOUD_CREDENTIALS = module.dfe_analytics[0].google_cloud_credentials + } : {} }
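Review bot: The two new variables omit `type` and `nullable`, unlike the neighbouring `enable_logit`, whose `nullable = false` closes the block just above; a string `"true"` or a null passed to `enable_dfe_analytics_federated_auth` would only surface at the `? 1 : 0` evaluation in dfe_analytics.tf. Add `type = bool` and `nullable = false` to `enable_dfe_analytics_federated_auth`, and `type = string` to `dataset_name`, so bad values are rejected at plan time; the description could also read `dfe-analytics dataset name in Google BigQuery`. The `federated_auth_secrets` local is the only place `GOOGLE_CLOUD_CREDENTIALS` is named, so a one-line comment above it, `# Injected into secret_variables; the app enables azure_federated_auth when this key is present`, would link it to the initializer change.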