
Rollout workload identity federation to all envs #823

Merged (3 commits) on Jul 5, 2024

Conversation

asatwal (Contributor) commented Jul 4, 2024

Context

This is part of a wider BigQuery Assurance piece to harden the security around BigQuery.

It allows the use of the OAuth mechanism for authentication to BigQuery rather than relying on plain-text JSON API keys.

Changes proposed in this pull request

Enable Azure workload identity federation within DfE Analytics.

Set GOOGLE_CLOUD_CREDENTIALS secret in the key vault for each environment.

Guidance to review

See Dfe Analytics GEM for further details.

This change involves the following steps:

  • Set GOOGLE_CLOUD_CREDENTIALS by downloading from GCP. This should be done for each environment.
  • Enable WIF in the Azure infrastructure.
  • Enable WIF in the app. We can remove references to the JSON API key at the same time.
  • Enable WIF in the Review App and test sending of data to BigQuery. This can be disabled after testing.
  • Release to production.

Link to Trello card

The Data Insights ticket is here.

Things to check

  • If the code removes any existing feature flags, a data migration has also been added to delete the entry from the database
  • This code does not rely on migrations in the same Pull Request
  • If this code includes a migration adding or changing columns, it also backfills existing records for consistency
  • If this code adds a column to the DB, decide whether it needs to be in analytics yml file or analytics blocklist
  • API release notes have been updated if necessary
  • If it adds a significant user-facing change, is it documented in the CHANGELOG?
  • Required environment variables have been updated or added to the Azure KeyVault
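As an added example (not part of this PR or the dfe-analytics gem): a Ruby check a reviewer could run against the GOOGLE_CLOUD_CREDENTIALS value before it goes into each environment's key vault, confirming it is a GCP external_account (WIF) config and not the retired JSON service-account key. Field names follow GCP's external_account credential format; the project audience and token file path in the sample are constructed placeholders.

```ruby
require "json"

# Fields found only in a downloaded service-account key: storing them means a
# long-lived private key sits in the vault, which is exactly what WIF removes.
PRIVATE_KEY_FIELDS = %w[private_key private_key_id].freeze

# Fields a GCP external_account (workload identity federation) config must carry.
REQUIRED_WIF_FIELDS = %w[audience subject_token_type token_url credential_source].freeze

# Classifies the secret as :wif, :service_account or :invalid and lists problems.
def classify_google_credentials(raw_json)
  creds = JSON.parse(raw_json)
  return [:invalid, ["top-level value is not a JSON object"]] unless creds.is_a?(Hash)

  leaked = PRIVATE_KEY_FIELDS.select { |f| creds.key?(f) }
  if creds["type"] == "service_account" || !leaked.empty?
    return [:service_account, ["plain-text key material present, not a federated config"]]
  end

  problems = []
  problems << "type is #{creds['type'].inspect}, expected \"external_account\"" unless creds["type"] == "external_account"
  missing = REQUIRED_WIF_FIELDS.reject { |f| creds.key?(f) }
  problems << "missing fields: #{missing.join(', ')}" unless missing.empty?
  # Token exchange must go to Google's STS endpoint over TLS.
  problems << "token_url must be the HTTPS STS endpoint" unless creds["token_url"].to_s.start_with?("https://sts.googleapis.com/")
  source = creds["credential_source"]
  unless source.is_a?(Hash) && (source.key?("file") || source.key?("url"))
    problems << "credential_source must name a token file or URL"
  end
  problems.empty? ? [:wif, []] : [:invalid, problems]
rescue JSON::ParserError => e
  [:invalid, ["not valid JSON: #{e.message}"]]
end

# Constructed sample of a WIF config (placeholder audience, not a real project).
WIF_SAMPLE = <<~JSON
  {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": { "file": "/var/run/secrets/azure/tokens/azure-identity-token" }
  }
JSON

# Constructed sample of the JSON key format the rollout retires (placeholder, not a real key).
KEY_SAMPLE = '{"type":"service_account","private_key_id":"PLACEHOLDER","private_key":"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n","client_email":"sa@example.iam.gserviceaccount.com"}'

[["WIF_SAMPLE", WIF_SAMPLE], ["KEY_SAMPLE", KEY_SAMPLE]].each do |name, json|
  verdict, problems = classify_google_credentials(json)
  puts "#{name}: #{verdict} #{problems.join('; ')}"
end
```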

@asatwal asatwal added the deploy A Review App will be created for PRs with this label label Jul 4, 2024
@asatwal asatwal requested review from Nitemaeric and saliceti July 4, 2024 14:56
@asatwal asatwal self-assigned this Jul 4, 2024
@asatwal asatwal requested review from a team as code owners July 4, 2024 14:56

github-actions bot commented Jul 4, 2024

Review app track and pay deployed to https://track-and-pay-823.test.teacherservices.cloud was deleted
Review app school placements deployed to https://manage-school-placements-823.test.teacherservices.cloud was deleted

@asatwal asatwal force-pushed the rollout-wif-to-all-envs branch from d6dcbac to 7d96abe July 4, 2024 15:36
@asatwal asatwal force-pushed the rollout-wif-to-all-envs branch from 7d96abe to 2ea1328 July 5, 2024 08:39
@asatwal asatwal merged commit 5ef48b0 into main Jul 5, 2024
8 checks passed
@asatwal asatwal deleted the rollout-wif-to-all-envs branch July 5, 2024 08:56