Merge pull request #3296 from DFE-Digital/2110-school-experience-migr…

…ate-to-gcp-wif [2110] Enable dfe analytics federated authentication
DFE-Digital · Dec 10, 2024 · 75967f1 · 75967f1
2 parents 528a548 + 35bcafc
commit 75967f1
Show file tree

Hide file tree

Showing 15 changed files with 82 additions and 9 deletions.
diff --git a/.env.production b/.env.production
@@ -6,4 +6,3 @@ DEACTIVATE_CANDIDATES=""
 DFE_SIGNIN_API_ENABLED="1"
 DFE_SIGNIN_API_SCHOOL_CHANGE_ENABLED="1"
 GTM_ID=GTM-W3VGWP6
-BIGQUERY_DATASET=gse_events_production
diff --git a/.env.staging b/.env.staging
@@ -5,4 +5,3 @@ DEACTIVATE_CANDIDATES=""
 DFE_SIGNIN_API_ENABLED="1"
 DFE_SIGNIN_API_SCHOOL_CHANGE_ENABLED="1"
 GTM_ID=GTM-PN3BPDM
-BIGQUERY_DATASET=gse_events_staging
diff --git a/.github/workflows/actions/deploy/action.yml b/.github/workflows/actions/deploy/action.yml
@@ -60,6 +60,11 @@ runs:
           ;;
         esac
 
+    - uses: google-github-actions/auth@v2
+      with:
+        project_id: get-into-teaching
+        workload_identity_provider: projects/574582782335/locations/global/workloadIdentityPools/schools-experience/providers/schools-experience
+
     - name: Use Terraform ${{ env.TERRAFORM_VERSION }}
       uses: hashicorp/setup-terraform@v3
       with:

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -11,6 +11,7 @@ permissions:
   issues: write
   packages: write
   pull-requests: write
+  id-token: write
 
 env:
   code-coverage-artifact-name: code_coverage_${{github.run_number}}_${{github.run_attempt}}
@@ -382,6 +383,7 @@ jobs:
     concurrency: ${{matrix.environment}}_${{github.event.number}}
     needs: [prepare]
     runs-on: ubuntu-latest
+
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
@@ -544,7 +546,6 @@ jobs:
             echo "::add-mask::$SECRET_VALUE"
             echo "SLACK-WEBHOOK=$SECRET_VALUE" >> $GITHUB_OUTPUT
 
-
       - name: Slack Notification
         if: failure()
         uses: rtCamp/action-slack-notify@master

diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml
@@ -3,6 +3,10 @@ on:
   pull_request:
     types: [closed]
 
+permissions:
+  id-token: write
+  pull-requests: write
+
 jobs:
   destroy:
     name: Destroy
@@ -16,13 +20,19 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+
       - name: Set Environment variables
         shell: bash
         run: |
           tf_vars_file=terraform/aks/config/review.tfvars.json
           terraform_version=$(awk '/{/{f=/^terraform/;next}f' terraform/aks/terraform.tf | grep -o [0-9\.]*)
           echo "TERRAFORM_VERSION=$terraform_version" >> $GITHUB_ENV
 
+      - uses: google-github-actions/auth@v2
+        with:
+          project_id: get-into-teaching
+          workload_identity_provider: projects/574582782335/locations/global/workloadIdentityPools/schools-experience/providers/schools-experience
+
       - name: Use Terraform ${{ env.TERRAFORM_VERSION }}
         uses: hashicorp/setup-terraform@v3
         with:

diff --git a/.github/workflows/manual.yml b/.github/workflows/manual.yml
@@ -11,6 +11,9 @@ on:
         description: Release Tag
         required: true
 
+permissions:
+  id-token: write
+
 jobs:
   manual:
     name: Deploy to ${{github.event.inputs.environment}}
@@ -31,7 +34,7 @@ jobs:
       - uses: Azure/login@v2
         with:
             creds: ${{ secrets.AZURE_CREDENTIALS }}
-      
+
       - name: Fetch slack token
         uses: azure/CLI@v2
         id: fetch-slack-secret

diff --git a/config/initializers/dfe_analytics.rb b/config/initializers/dfe_analytics.rb
@@ -53,4 +53,6 @@
   # config.environment = ENV.fetch('RAILS_ENV', 'development')
 
   config.bigquery_maintenance_window = "08-09-2024 18:00..08-09-2024 19:00"
+
+  config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS"
 end
diff --git a/terraform/aks/.terraform.lock.hcl b/terraform/aks/.terraform.lock.hcl
diff --git a/terraform/aks/application.tf b/terraform/aks/application.tf
@@ -14,10 +14,15 @@ module "application_configuration" {
     ENVIRONMENT_NAME    = var.environment
     PGSSLMODE           = local.postgres_ssl_mode
     DFE_SIGNIN_BASE_URL = "https://${var.dsi_hostname}"
+    BIGQUERY_PROJECT_ID = "get-into-teaching"
+    BIGQUERY_TABLE_NAME = "events"
+    BIGQUERY_DATASET    = var.dataset_name
   }
   secret_variables = {
     DATABASE_URL = module.postgres[0].url
     REDIS_URL    = module.redis-cache[0].url
+
+    GOOGLE_CLOUD_CREDENTIALS = var.enable_dfe_analytics_federated_auth ? module.dfe_analytics[0].google_cloud_credentials : null
   }
 }
 
@@ -60,4 +65,6 @@ module "worker_application" {
   enable_logit               = var.enable_logit
 
   enable_prometheus_monitoring = var.enable_prometheus_monitoring
+
+  enable_gcp_wif = true
 }
diff --git a/terraform/aks/config/development.tfvars.json b/terraform/aks/config/development.tfvars.json
@@ -10,5 +10,6 @@
     "sidekiq_memory_max" : "1Gi",
     "dsi_hostname": "development.schoolexperience.education.gov.uk",
     "enable_logit": true,
-    "enable_prometheus_monitoring": true
+    "enable_prometheus_monitoring": true,
+    "dataset_name": "gse_events_staging"
 }
diff --git a/terraform/aks/config/production.tfvars.json b/terraform/aks/config/production.tfvars.json
@@ -26,5 +26,6 @@
     },
     "dsi_hostname": "schoolexperience.education.gov.uk",
     "enable_logit": true,
-    "enable_prometheus_monitoring": true
+    "enable_prometheus_monitoring": true,
+    "dataset_name": "gse_events_production"
 }
diff --git a/terraform/aks/config/review.tfvars.json b/terraform/aks/config/review.tfvars.json
@@ -12,5 +12,7 @@
     "create_dsi_ingress": true,
     "enable_logit": true,
     "webapp_command": ["/app/docker-entrypoint.sh", "-e", "-f"],
-    "create_database": false
+    "create_database": false,
+    "enable_dfe_analytics_federated_auth": true,
+    "dataset_name": "gse_events_staging"
 }
diff --git a/terraform/aks/config/staging.tfvars.json b/terraform/aks/config/staging.tfvars.json
@@ -16,5 +16,6 @@
       },
     "dsi_hostname": "staging.schoolexperience.education.gov.uk",
     "enable_logit": true,
-    "enable_prometheus_monitoring": true
+    "enable_prometheus_monitoring": true,
+    "dataset_name": "gse_events_staging"
 }
diff --git a/terraform/aks/dfe_analytics.tf b/terraform/aks/dfe_analytics.tf
@@ -0,0 +1,15 @@
+provider "google" {
+  project = "get-into-teaching"
+}
+
+module "dfe_analytics" {
+  count  = var.enable_dfe_analytics_federated_auth ? 1 : 0
+  source = "./vendor/modules/aks//aks/dfe_analytics"
+
+  azure_resource_prefix = var.azure_resource_prefix
+  cluster               = var.cluster
+  namespace             = var.namespace
+  service_short         = var.service_short
+  environment           = var.environment
+  gcp_dataset           = var.dataset_name
+}
diff --git a/terraform/aks/variables.tf b/terraform/aks/variables.tf
@@ -49,6 +49,13 @@ variable "app_replicas" {
   description = "number of replicas of the web app"
   default     = 1
 }
+variable "enable_dfe_analytics_federated_auth" {
+  description = "Create the resources in Google cloud for federated authentication and enable in application"
+  default     = false
+}
+variable "dataset_name" {
+  description = "dfe analytics dataset name in Google Bigquery"
+}
 
 variable "enable_monitoring" {
   default     = false