DFE-Digital · neillturner · Dec 18, 2024 · Dec 18, 2024 · Dec 19, 2024 · Dec 20, 2024
diff --git a/.github/actions/deploy-environment/action.yml b/.github/actions/deploy-environment/action.yml
@@ -38,6 +38,11 @@ runs:
       with:
         azure-credentials: ${{ inputs.azure-credentials }}
 
+    - uses: google-github-actions/auth@v2
+      with:
+        project_id: claim-additional-payments
+        workload_identity_provider: projects/638192024625/locations/global/workloadIdentityPools/claim-additional-payments-for-te/providers/claim-additional-payments-for-te
+
     - name: Terraform Apply
       shell: bash
       run: |

diff --git a/.github/workflows/build_and_deploy.yml b/.github/workflows/build_and_deploy.yml
@@ -13,9 +13,9 @@ on:
         type: choice
         default: review
         options:
-        - review
-        - test
-        - production
+          - review
+          - test
+          - production
       docker-image-tag:
         description: "Docker image tag to deploy (optional)"
         required: true
@@ -59,6 +59,9 @@ jobs:
     needs: [build]
     environment:
       name: review
+    permissions:
+      pull-requests: write
+      id-token: write
 
     steps:
       - name: Checkout code
@@ -107,6 +110,8 @@ jobs:
       max-parallel: 1
       matrix:
         environment: [test, production]
+    permissions:
+      id-token: write
 
     steps:
       - name: Checkout code
@@ -160,6 +165,8 @@ jobs:
       url: ${{ steps.deploy_manual.outputs.environment_url }}
     outputs:
       environment_url: ${{ steps.deploy_manual.outputs.environment_url }}
+    permissions:
+      id-token: write
 
     steps:
       - name: Checkout code

diff --git a/.github/workflows/delete_review_app.yml b/.github/workflows/delete_review_app.yml
@@ -17,9 +17,13 @@ jobs:
     runs-on: ubuntu-latest
     if: >
       github.event.action == 'closed' && contains(github.event.pull_request.labels.*.name, 'deploy') ||
-      (github.event.action == 'unlabeled' && github.event.label.name == 'deploy') ||
-      (github.event_name == 'workflow_dispatch')
+      (github.event.action == 'unlabeled' && github.event.label.name == 'deploy') || (github.event_name ==
+      'workflow_dispatch')
     environment: review
+    permissions:
+      pull-requests: write
+      id-token: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -33,6 +37,11 @@ jobs:
         with:
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
 
+      - uses: google-github-actions/auth@v2
+        with:
+          project_id: claim-additional-payments
+          workload_identity_provider: projects/638192024625/locations/global/workloadIdentityPools/claim-additional-payments-for-te/providers/claim-additional-payments-for-te
+
       - name: Terraform destroy
         run: |
           if [ ${{ github.event_name }} == 'workflow_dispatch' ]; then

diff --git a/config/environments/development.rb b/config/environments/development.rb
@@ -92,4 +92,5 @@
   config.log_level = :debug                       # Or :info
   config.log_format = :color                      # Console colorised non-json output
   config.semantic_logger.backtrace_level = :debug # Show file and line number (expensive: not for production)
+  config.dfe_analytics = true
 end
diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -94,4 +94,5 @@
 
   # Do not dump schema after migrations.
   config.active_record.dump_schema_after_migration = false
+  config.dfe_analytics = true
 end
diff --git a/config/environments/test.rb b/config/environments/test.rb
@@ -71,4 +71,5 @@
     Bullet.add_safelist type: :unused_eager_loading, class_name: "TslrClaim", association: :current_school
     Bullet.add_safelist type: :n_plus_one_query, class_name: "School", association: :local_authority
   end
+  config.dfe_analytics = true
 end
diff --git a/config/initializers/dfe_analytics.rb b/config/initializers/dfe_analytics.rb
@@ -1,16 +1,16 @@
 DfE::Analytics.configure do |config|
   # Whether to log events instead of sending them to BigQuery.
   #
-  # config.log_only = true
-  config.log_only = (%w[development test].include?(ENV["RAILS_ENV"]) || ENV["ENVIRONMENT_NAME"].start_with?("review"))
+  config.log_only = false
 
   # Whether to use ActiveJob or dispatch events immediately.
   #
-  # config.async = true
+  config.async = true
+  config.entity_table_checks_enabled = true
 
   # Which ActiveJob queue to put events on
   #
-  # config.queue = :default
+  config.queue = :analytics
 
   # The name of the BigQuery table we’re writing to.
   #
@@ -27,7 +27,9 @@
   # Service account JSON key for the BigQuery API. See
   # https://cloud.google.com/bigquery/docs/authentication/service-account-file
   #
-  # config.bigquery_api_json_key = ENV['BIGQUERY_API_JSON_KEY']
+  # We base64 encode the secret otherwise the raw JSON is mangled when it gets
+  #  written to/read from the Azure keyvault.
+  config.bigquery_api_json_key = ENV["BIGQUERY_API_JSON_KEY"] ? Base64.decode64(ENV["BIGQUERY_API_JSON_KEY"]) : nil
 
   # Passed directly to the retries: option on the BigQuery client
   #
@@ -41,14 +43,14 @@
   # enable analytics. You might want to hook this up to a feature flag or
   # environment variable.
   #
-  config.enable_analytics = proc { Rails.env.production? }
+  config.enable_analytics = proc { Rails.application.config.dfe_analytics }
 
-  # Enable entity table check job
-  #
-  config.entity_table_checks_enabled = true
+  config.user_identifier = proc { |user| user&.sub }
 
   # The environment we’re running in. This value will be attached
   # to all events we send to BigQuery.
   #
   # config.environment = ENV.fetch('RAILS_ENV', 'development')
+
+  config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS"
 end
diff --git a/terraform/application/application.tf b/terraform/application/application.tf
@@ -13,18 +13,18 @@ module "application_configuration" {
   config_variables = merge(
     local.app_env_values,
     {
-      ENVIRONMENT_NAME   = var.environment
-      PGSSLMODE          = local.postgres_ssl_mode
-      CANONICAL_HOSTNAME = local.canonical_hostname
+      ENVIRONMENT_NAME    = var.environment
+      PGSSLMODE           = local.postgres_ssl_mode
+      CANONICAL_HOSTNAME  = local.canonical_hostname
+      BIGQUERY_DATASET    = var.dataset_name
+      BIGQUERY_PROJECT_ID = "claim-additional-payments"
+      BIGQUERY_TABLE_NAME = "events"
   })
-  secret_variables = merge(
-    {
-      DATABASE_URL        = module.postgres.url
-    },
-    var.enable_monitoring ? {
-      HEARTBEAT_CHECK_URL = module.statuscake[0].heartbeat_check_urls[local.heartbeat_check_name]
-    } : {}
-  )
+  secret_variables = {
+    DATABASE_URL        = module.postgres.url
+    HEARTBEAT_CHECK_URL = var.enable_monitoring ? module.statuscake[0].heartbeat_check_urls[local.heartbeat_check_name] : null
+    GOOGLE_CLOUD_CREDENTIALS = var.enable_dfe_analytics_federated_auth ? module.dfe_analytics[0].google_cloud_credentials : null
+  }
 }
 
 module "web_application" {
@@ -69,4 +69,5 @@ module "worker_application" {
   replicas = var.worker_replicas
 
   enable_logit = var.enable_logit
+  enable_gcp_wif = true
 }
diff --git a/terraform/application/config/production.tfvars.json b/terraform/application/config/production.tfvars.json
@@ -19,5 +19,6 @@
   "enable_monitoring": true,
   "statuscake_contact_groups": [195955, 282453],
   "external_url": "https://www.claim-additional-teaching-payment.service.gov.uk/healthcheck",
-  "enable_logit": true
+  "enable_logit": true,
+  "dataset_name": "claim_events_production"
 }
diff --git a/terraform/application/config/review.tfvars.json b/terraform/application/config/review.tfvars.json
@@ -6,5 +6,7 @@
   "enable_postgres_ssl": false,
   "startup_command": ["/bin/sh", "-c", "bin/rails server -b 0.0.0.0"],
   "worker_command": ["/bin/sh", "-c", "bin/bundle exec bin/delayed_job run -n 1"],
-  "enable_logit": true
+  "enable_logit": true,
+  "dataset_name": "claim_events_test",
+  "enable_dfe_analytics_federated_auth": true
 }
diff --git a/terraform/application/config/test.tfvars.json b/terraform/application/config/test.tfvars.json
@@ -11,5 +11,7 @@
   "statuscake_contact_groups": [195955, 282453],
   "external_url": "https://test.claim-additional-teaching-payment.service.gov.uk/healthcheck",
   "enable_logit": true,
-  "enable_postgres_backup_storage": true
+  "enable_postgres_backup_storage": true,
+  "dataset_name": "claim_events_test",
+  "enable_dfe_analytics_federated_auth": true
 }
diff --git a/terraform/application/dfe_analytics.tf b/terraform/application/dfe_analytics.tf
@@ -0,0 +1,15 @@
+provider "google" {
+  project = "claim-additional-payments"
+}
+
+module "dfe_analytics" {
+  count  = var.enable_dfe_analytics_federated_auth ? 1 : 0
+  source = "./vendor/modules/aks//aks/dfe_analytics"
+
+  azure_resource_prefix = var.azure_resource_prefix
+  cluster               = var.cluster
+  namespace             = var.namespace
+  service_short         = var.service_short
+  environment           = var.environment
+  gcp_dataset           = var.dataset_name
+}
diff --git a/terraform/application/variables.tf b/terraform/application/variables.tf
@@ -84,6 +84,16 @@ variable "enable_logit" {
   nullable    = false
 }
 
+variable "enable_dfe_analytics_federated_auth" {
+  description = "Create the resources in Google cloud for federated authentication and enable in application"
+  default     = false
+}
+
+variable "dataset_name" {
+  description = "dfe analytics dataset name in Google Bigquery"
+  default     = null
+}
+
 locals {
   postgres_ssl_mode       = var.enable_postgres_ssl ? "require" : "disable"
   canonical_hostname      = var.canonical_hostname != null ? var.canonical_hostname : "${var.service_name}-${var.environment}-web.test.teacherservices.cloud"