diff --git a/aks/dfe_analytics/README.md b/aks/dfe_analytics/README.md index be3c296..99d8602 100644 --- a/aks/dfe_analytics/README.md +++ b/aks/dfe_analytics/README.md @@ -10,7 +10,7 @@ provider "google" { } module "dfe_analytics" { - source = "./vendor/modules/dfe-terraform-modules//aks/dfe_analytics" + source = "./vendor/modules/aks//aks/dfe_analytics" azure_resource_prefix = var.azure_resource_prefix cluster = var.cluster @@ -32,7 +32,7 @@ provider "google" { } module "dfe_analytics" { - source = "./vendor/modules/dfe-terraform-modules//aks/dfe_analytics" + source = "./vendor/modules/aks//aks/dfe_analytics" azure_resource_prefix = var.azure_resource_prefix cluster = var.cluster @@ -63,30 +63,31 @@ builder.Services.AddDfeAnalytics() Ensure the `ProjectNumber`, `WorkloadIdentityPoolName`, `WorkloadIdentityPoolProviderName` and `ServiceAccountEmail` configuration keys are populated within the `DfeAnalytics` configuration section. ### Variables -The application requires these environment variables: -- BIGQUERY_PROJECT_ID -- BIGQUERY_TABLE_NAME -- BIGQUERY_DATASET -- GOOGLE_CLOUD_CREDENTIALS -Each variable is available as a separate [output](tfdocs#outputs). For convenience, the `variables_map` output provides them all: +The application requires environment variables and a secret. Each one is available as a separate [output](tfdocs#outputs). They are set using the *application_configuration* module: ```hcl module "application_configuration" { - source = "./vendor/modules/dfe-terraform-modules//aks/application_configuration" + source = "./vendor/modules/aks//aks/application_configuration" ... - secret_variables = merge( - module.dfe_analytics.variables_map, - { - ... - } - ) + config_variables = + { + ... + BIGQUERY_PROJECT_ID = module.dfe_analytics.bigquery_project_id + BIGQUERY_TABLE_NAME = module.dfe_analytics.bigquery_table_name + BIGQUERY_DATASET = module.dfe_analytics.bigquery_dataset + } + secret_variables = + { + ... + GOOGLE_CLOUD_CREDENTIALS = module.dfe_analytics.google_cloud_credentials + } } ``` ### Enable on each app that requires it ```hcl module "worker_application" { - source = "./vendor/modules/dfe-terraform-modules//aks/application" + source = "./vendor/modules/aks//aks/application" ... enable_gcp_wif = true } @@ -99,9 +100,9 @@ The user should have Owner role on the Google project. - Run terraform ## Authentication - Github actions -We set up workfload identity federation on the Google side and configure the workflow. The user should have Owner role on the Google project. This is done once per repository. +Github action workflows use workload identity federation to authenticate to Google. Use the `authorise_workflow.sh` script to set it up, once per repository. The Owner role is required. -- Run the `authorise_workflow.sh` located in *aks/dfe_analytics*: +- Run the `authorise_workflow.sh` located in this terraform module, under *aks/dfe_analytics*: ``` ./authorise_workflow.sh PROJECT_ID REPO ``` @@ -109,7 +110,21 @@ We set up workfload identity federation on the Google side and configure the wor ``` ./authorise_workflow.sh apply-for-qts-in-england apply-for-qualified-teacher-status ``` -- The script shows the *permissions* and *google-github-actions/auth step* to add to the workflow job +- The script shows the *permissions* and *google-github-actions/auth step* to add to the workflow job e.g.: + ``` + deploy_job: + permissions: + id-token: write + ... + ``` + ``` + steps: + ... + - uses: google-github-actions/auth@v2 + with: + project_id: teaching-qualifications + workload_identity_provider: projects/708780292301/locations/global/workloadIdentityPools/check-childrens-barred-list/providers/check-childrens-barred-list + ``` - Adding the permission removes the [default token permissions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token), which may be an issue for some actions that rely on them. For example, the [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment) action requires `pull-requests: write`. It must then be added explicitly. - Run the workflow