Update dfe_analytics README

DFE-Digital · Nov 25, 2024 · 39a935e · 39a935e
1 parent eae51cf
commit 39a935e
Showing 1 changed file with 34 additions and 19 deletions.
diff --git a/aks/dfe_analytics/README.md b/aks/dfe_analytics/README.md
@@ -10,7 +10,7 @@ provider "google" {
 }
 
 module "dfe_analytics" {
-  source = "./vendor/modules/dfe-terraform-modules//aks/dfe_analytics"
+  source = "./vendor/modules/aks//aks/dfe_analytics"
 
   azure_resource_prefix = var.azure_resource_prefix
   cluster               = var.cluster
@@ -32,7 +32,7 @@ provider "google" {
 }
 
 module "dfe_analytics" {
-  source = "./vendor/modules/dfe-terraform-modules//aks/dfe_analytics"
+  source = "./vendor/modules/aks//aks/dfe_analytics"
 
   azure_resource_prefix = var.azure_resource_prefix
   cluster               = var.cluster
@@ -63,30 +63,31 @@ builder.Services.AddDfeAnalytics()
 Ensure the `ProjectNumber`, `WorkloadIdentityPoolName`, `WorkloadIdentityPoolProviderName` and `ServiceAccountEmail` configuration keys are populated within the `DfeAnalytics` configuration section.
 
 ### Variables
-The application requires these environment variables:
-- BIGQUERY_PROJECT_ID
-- BIGQUERY_TABLE_NAME
-- BIGQUERY_DATASET
-- GOOGLE_CLOUD_CREDENTIALS
-Each variable is available as a separate [output](tfdocs#outputs). For convenience, the `variables_map` output provides them all:
+The application requires environment variables and a secret. Each one is available as a separate [output](tfdocs#outputs). They are set using the *application_configuration* module:
 
 ```hcl
 module "application_configuration" {
-  source = "./vendor/modules/dfe-terraform-modules//aks/application_configuration"
+  source = "./vendor/modules/aks//aks/application_configuration"
   ...
-  secret_variables = merge(
-    module.dfe_analytics.variables_map,
-    {
-      ...
-    }
-  )
+  config_variables =
+  {
+    ...
+    BIGQUERY_PROJECT_ID = module.dfe_analytics.bigquery_project_id
+    BIGQUERY_TABLE_NAME = module.dfe_analytics.bigquery_table_name
+    BIGQUERY_DATASET    = module.dfe_analytics.bigquery_dataset
+  }
+  secret_variables =
+  {
+    ...
+    GOOGLE_CLOUD_CREDENTIALS = module.dfe_analytics.google_cloud_credentials
+  }
 }
 ```
 
 ### Enable on each app that requires it
 ```hcl
 module "worker_application" {
-  source = "./vendor/modules/dfe-terraform-modules//aks/application"
+  source = "./vendor/modules/aks//aks/application"
   ...
   enable_gcp_wif = true
 }
@@ -99,17 +100,31 @@ The user should have Owner role on the Google project.
 - Run terraform
 
 ## Authentication - Github actions
-We set up workfload identity federation on the Google side and configure the workflow. The user should have Owner role on the Google project. This is done once per repository.
+Github action workflows use workload identity federation to authenticate to Google. Use the `authorise_workflow.sh` script to set it up, once per repository. The Owner role is required.
 
-- Run the `authorise_workflow.sh` located in *aks/dfe_analytics*:
+- Run the `authorise_workflow.sh` located in this terraform module, under *aks/dfe_analytics*:
   ```
   ./authorise_workflow.sh PROJECT_ID REPO
   ```
   Example:
   ```
   ./authorise_workflow.sh apply-for-qts-in-england apply-for-qualified-teacher-status
   ```
-- The script shows the *permissions* and *google-github-actions/auth step* to add to the workflow job
+- The script shows the *permissions* and *google-github-actions/auth step* to add to the workflow job e.g.:
+  ```
+  deploy_job:
+    permissions:
+      id-token: write
+      ...
+  ```
+  ```
+  steps:
+  ...
+  - uses: google-github-actions/auth@v2
+    with:
+      project_id: teaching-qualifications
+      workload_identity_provider: projects/708780292301/locations/global/workloadIdentityPools/check-childrens-barred-list/providers/check-childrens-barred-list
+  ```
 - Adding the permission removes the [default token permissions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token), which may be an issue for some actions that rely on them. For example, the [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment) action requires `pull-requests: write`. It must then be added explicitly.
 - Run the workflow