From a4e2cbb85de7f61c4c831341311fca8c57df17ad Mon Sep 17 00:00:00 2001 From: Colin Saliceti Date: Tue, 29 Oct 2024 11:43:18 +0000 Subject: [PATCH 1/2] Enable BigQuery federated auth Add dfe_analytics terraform module Enable for review apps --- .env.production | 1 - .env.staging | 1 - config/initializers/dfe_analytics.rb | 2 ++ terraform/aks/.terraform.lock.hcl | 22 +++++++++++++++++++- terraform/aks/application.tf | 7 +++++++ terraform/aks/config/development.tfvars.json | 3 ++- terraform/aks/config/production.tfvars.json | 3 ++- terraform/aks/config/review.tfvars.json | 4 +++- terraform/aks/config/staging.tfvars.json | 3 ++- terraform/aks/dfe_analytics.tf | 15 +++++++++++++ terraform/aks/variables.tf | 7 +++++++ 11 files changed, 61 insertions(+), 7 deletions(-) create mode 100644 terraform/aks/dfe_analytics.tf diff --git a/.env.production b/.env.production index 6345e06a2..0550a905e 100644 --- a/.env.production +++ b/.env.production @@ -6,4 +6,3 @@ DEACTIVATE_CANDIDATES="" DFE_SIGNIN_API_ENABLED="1" DFE_SIGNIN_API_SCHOOL_CHANGE_ENABLED="1" GTM_ID=GTM-W3VGWP6 -BIGQUERY_DATASET=gse_events_production diff --git a/.env.staging b/.env.staging index 55f57918a..551847161 100644 --- a/.env.staging +++ b/.env.staging @@ -5,4 +5,3 @@ DEACTIVATE_CANDIDATES="" DFE_SIGNIN_API_ENABLED="1" DFE_SIGNIN_API_SCHOOL_CHANGE_ENABLED="1" GTM_ID=GTM-PN3BPDM -BIGQUERY_DATASET=gse_events_staging diff --git a/config/initializers/dfe_analytics.rb b/config/initializers/dfe_analytics.rb index 3bdc4260e..f95295199 100644 --- a/config/initializers/dfe_analytics.rb +++ b/config/initializers/dfe_analytics.rb @@ -53,4 +53,6 @@ # config.environment = ENV.fetch('RAILS_ENV', 'development') config.bigquery_maintenance_window = "08-09-2024 18:00..08-09-2024 19:00" + + config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS" end diff --git a/terraform/aks/.terraform.lock.hcl b/terraform/aks/.terraform.lock.hcl index bcb458725..b9b1b5307 100644 --- a/terraform/aks/.terraform.lock.hcl 
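Review bot: `config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS"` turns federated auth on whenever the key exists, even with an empty value, and application.tf in this same patch sets that secret to `null` when `enable_dfe_analytics_federated_auth` is off, so whether staging and production end up with an absent variable or an empty one depends on how the vendored application module renders nulls. Testing the value instead is robust to either outcome and also matches the style guide's parenthesised call: `config.azure_federated_auth = !ENV.fetch("GOOGLE_CLOUD_CREDENTIALS", "").empty?`. The configure block this line sits in is opened before the hunk; only its closing `end` is visible.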
+++ b/terraform/aks/.terraform.lock.hcl @@ -28,7 +28,7 @@ provider "registry.terraform.io/eppo/environment" { provider "registry.terraform.io/hashicorp/azurerm" { version = "3.116.0" - constraints = "3.116.0" + constraints = ">= 3.0.0, 3.116.0" hashes = [ "h1:2QbjtN4oMXzdA++Nvrj/wSmWZTPgXKOSFGGQCLEMrb4=", "h1:BCR3NIorFSvGG3v/+JOiiw3VM4PkChLO4m84wzD9NDo=", @@ -48,6 +48,26 @@ provider "registry.terraform.io/hashicorp/azurerm" { ] } +provider "registry.terraform.io/hashicorp/google" { + version = "6.6.0" + constraints = "6.6.0" + hashes = [ + "h1:bNj7UyO9+IdcTbkZJgjULH89DrJSaBCRw89zt6g8ajg=", + "zh:0c181f9b9f0ab81731e5c4c2d20b6d342244506687437dad94e279ef2a588f68", + "zh:12a4c333fc0ba670e87f09eb574e4b7da90381f9929ef7c866048b6841cc8a6a", + "zh:15c277c2052df89429051350df4bccabe4cf46068433d4d8c673820d9756fc00", + "zh:35d1663c81b81cd98d768fa7b80874b48c51b27c036a3c598a597f653374d3c8", + "zh:56b268389758d544722a342da4174c486a40ffa2a49b45a06111fe31c6c9c867", + "zh:abd3ea8c3a62928ba09ba7eb42b52f53e682bd65e92d573f1739596b5a9a67b1", + "zh:be55a328d61d9db58690db74ed43614111e1105e5e52cee15acaa062df4e233e", + "zh:ce2317ce9fd02cf14323f9e061c43a415b4ae9b3f96046460d0e6b6529a5aa6c", + "zh:d54a6d8e031c824f1de21b93c3e01ed7fec134b4ae55223d08868c6168c98e47", + "zh:d8c6e33b5467c6eb5a970adb251c4c8194af12db5388cff9d4b250294eae4daa", + "zh:f49e4cc9c0b55b3bec7da64dd698298345634a5df372228ee12aa45e57982f64", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + provider "registry.terraform.io/hashicorp/kubernetes" { version = "2.32.0" constraints = "2.32.0" diff --git a/terraform/aks/application.tf b/terraform/aks/application.tf index 6d36ce9ec..0690e4b13 100644 --- a/terraform/aks/application.tf +++ b/terraform/aks/application.tf 
@@ -14,10 +14,15 @@ module "application_configuration" { ENVIRONMENT_NAME = var.environment PGSSLMODE = local.postgres_ssl_mode DFE_SIGNIN_BASE_URL = "https://${var.dsi_hostname}" + BIGQUERY_PROJECT_ID = "get-into-teaching" + BIGQUERY_TABLE_NAME = "events" + BIGQUERY_DATASET = var.dataset_name } secret_variables = { DATABASE_URL = module.postgres[0].url REDIS_URL = module.redis-cache[0].url + + GOOGLE_CLOUD_CREDENTIALS = var.enable_dfe_analytics_federated_auth ? module.dfe_analytics[0].google_cloud_credentials : null } } @@ -60,4 +65,6 @@ module "worker_application" { enable_logit = var.enable_logit enable_prometheus_monitoring = var.enable_prometheus_monitoring + + enable_gcp_wif = true } diff --git a/terraform/aks/config/development.tfvars.json b/terraform/aks/config/development.tfvars.json index d97cc0959..0e1c6c865 100644 --- a/terraform/aks/config/development.tfvars.json +++ b/terraform/aks/config/development.tfvars.json @@ -10,5 +10,6 @@ "sidekiq_memory_max" : "1Gi", "dsi_hostname": "development.schoolexperience.education.gov.uk", "enable_logit": true, - "enable_prometheus_monitoring": true + "enable_prometheus_monitoring": true, + "dataset_name": "gse_events_staging" } diff --git a/terraform/aks/config/production.tfvars.json b/terraform/aks/config/production.tfvars.json index b4fd40c8c..bc39cd83f 100644 --- a/terraform/aks/config/production.tfvars.json +++ b/terraform/aks/config/production.tfvars.json @@ -26,5 +26,6 @@ }, "dsi_hostname": "schoolexperience.education.gov.uk", "enable_logit": true, - "enable_prometheus_monitoring": true + "enable_prometheus_monitoring": true, + "dataset_name": "gse_events_production" } diff --git a/terraform/aks/config/review.tfvars.json b/terraform/aks/config/review.tfvars.json index bc429df5f..455df7ed3 100644 --- a/terraform/aks/config/review.tfvars.json +++ b/terraform/aks/config/review.tfvars.json 
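Review bot: `BIGQUERY_PROJECT_ID = "get-into-teaching"` is a literal that this patch repeats in the `provider "google"` block of dfe_analytics.tf and, as `project_id`, in both workflow auth steps of the second patch; a `locals { gcp_project_id = "get-into-teaching" }` referenced from application.tf and dfe_analytics.tf would keep the Terraform side to one definition. `GOOGLE_CLOUD_CREDENTIALS` correctly goes through `secret_variables`, but whether `module.dfe_analytics[0].google_cloud_credentials` is declared `sensitive` in the vendored module is not visible here and is worth confirming so the federation config does not surface in plan output. `module "application_configuration"` starts before the hunk.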
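Review bot: `enable_gcp_wif = true` on `module "worker_application"` is unconditional, while the credentials it is presumably paired with are gated by `var.enable_dfe_analytics_federated_auth` in the first hunk, so staging and production receive whatever workload-identity wiring the vendored module attaches to that flag without any GCP identity to use it. Tying the two together keeps the opted-out environments unchanged: `enable_gcp_wif = var.enable_dfe_analytics_federated_auth`. Only the worker module is touched; if the web application module needs the same flag, that block is outside this hunk. `module "worker_application"` starts before the hunk.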
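Review bot: `"dataset_name": "gse_events_staging"` here, and the same value in review.tfvars.json and staging.tfvars.json, means development, every review app (where federated auth is switched on) and staging share one BigQuery dataset, with only production getting its own. Review-app traffic from arbitrary PRs will therefore land alongside staging events, which is worth confirming as intended; since tfvars files cannot carry a comment, the `dataset_name` variable description in variables.tf is the place to state that the non-production environments share a dataset.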
@@ -12,5 +12,7 @@ "create_dsi_ingress": true, "enable_logit": true, "webapp_command": ["/app/docker-entrypoint.sh", "-e", "-f"], - "create_database": false + "create_database": false, + "enable_dfe_analytics_federated_auth": true, + "dataset_name": "gse_events_staging" } diff --git a/terraform/aks/config/staging.tfvars.json b/terraform/aks/config/staging.tfvars.json index f079a8058..8f6a19d8c 100644 --- a/terraform/aks/config/staging.tfvars.json +++ b/terraform/aks/config/staging.tfvars.json @@ -16,5 +16,6 @@ }, "dsi_hostname": "staging.schoolexperience.education.gov.uk", "enable_logit": true, - "enable_prometheus_monitoring": true + "enable_prometheus_monitoring": true, + "dataset_name": "gse_events_staging" } diff --git a/terraform/aks/dfe_analytics.tf b/terraform/aks/dfe_analytics.tf new file mode 100644 index 000000000..7c9189a23 --- /dev/null +++ b/terraform/aks/dfe_analytics.tf @@ -0,0 +1,15 @@ +provider "google" { + project = "get-into-teaching" +} + +module "dfe_analytics" { + count = var.enable_dfe_analytics_federated_auth ? 1 : 0 + source = "./vendor/modules/aks//aks/dfe_analytics" + + azure_resource_prefix = var.azure_resource_prefix + cluster = var.cluster + namespace = var.namespace + service_short = var.service_short + environment = var.environment + gcp_dataset = var.dataset_name +} diff --git a/terraform/aks/variables.tf b/terraform/aks/variables.tf index 8a2ce512e..7848043c5 100644 --- a/terraform/aks/variables.tf +++ b/terraform/aks/variables.tf @@ -49,6 +49,13 @@ variable "app_replicas" { description = "number of replicas of the web app" default = 1 } +variable "enable_dfe_analytics_federated_auth" { + description = "Create the resources in Google cloud for federated authentication and enable in application" + default = false +} +variable "dataset_name" { + description = "dfe analytics dataset name in Google Bigquery" +} variable "enable_monitoring" { default = false From 35bcafc5c8a5454ea8dce87bf3db6e2cfcf854b3 Mon Sep 17 00:00:00 2001 
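Review bot: The new file has no header comment, and its two blocks behave differently: `provider "google"` is configured in every environment, while `module "dfe_analytics"` is created only when `var.enable_dfe_analytics_federated_auth` is set. A comment at the top along the lines of `# GCP side of dfe-analytics federated auth; the module is created only where enable_dfe_analytics_federated_auth is true (currently review apps), the provider is always configured` would make that explicit. Because the provider block is unconditional, every plan presumably needs GCP authentication, which the second patch adds to the deploy, destroy and manual workflows; that dependency belongs in the same comment.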
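Review bot: `variable "enable_dfe_analytics_federated_auth"` and `variable "dataset_name"` declare no `type`; `type = bool` on the first and `type = string` on the second make a mistyped tfvars value fail at plan time instead of being coerced. `dataset_name` also has no default, so every environment must set it even when federated auth is off, which is what the tfvars changes in this patch do; the description could say so: `description = "dfe analytics dataset name in Google Bigquery; required in every environment, also exported as BIGQUERY_DATASET"`. `variable "app_replicas"` starts before the hunk.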
From: Colin Saliceti Date: Fri, 6 Dec 2024 16:43:06 +0000 Subject: [PATCH 2/2] Authorise workflows to GCP --- .github/workflows/actions/deploy/action.yml | 5 +++++ .github/workflows/build.yml | 3 ++- .github/workflows/destroy.yml | 10 ++++++++++ .github/workflows/manual.yml | 5 ++++- 4 files changed, 21 insertions(+), 2 deletions(-) diff --git a/.github/workflows/actions/deploy/action.yml b/.github/workflows/actions/deploy/action.yml index 86114915b..1284c8aa5 100644 --- a/.github/workflows/actions/deploy/action.yml +++ b/.github/workflows/actions/deploy/action.yml @@ -60,6 +60,11 @@ runs: ;; esac + - uses: google-github-actions/auth@v2 + with: + project_id: get-into-teaching + workload_identity_provider: projects/574582782335/locations/global/workloadIdentityPools/schools-experience/providers/schools-experience + - name: Use Terraform ${{ env.TERRAFORM_VERSION }} uses: hashicorp/setup-terraform@v3 with: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e5f28a4ef..d6d6fb986 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -11,6 +11,7 @@ permissions: issues: write packages: write pull-requests: write + id-token: write env: code-coverage-artifact-name: code_coverage_${{github.run_number}}_${{github.run_attempt}} @@ -382,6 +383,7 @@ jobs: concurrency: ${{matrix.environment}}_${{github.event.number}} needs: [prepare] runs-on: ubuntu-latest + steps: - name: Check out the repo uses: actions/checkout@v4 @@ -544,7 +546,6 @@ jobs: echo "::add-mask::$SECRET_VALUE" echo "SLACK-WEBHOOK=$SECRET_VALUE" >> $GITHUB_OUTPUT - - name: Slack Notification if: failure() uses: rtCamp/action-slack-notify@master diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 2755efdf0..0c55f1b82 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -3,6 +3,10 @@ on: pull_request: types: [closed] +permissions: + id-token: write + pull-requests: write + jobs: destroy: name: Destroy 
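Review bot: The `google-github-actions/auth@v2` step passes only `project_id` and `workload_identity_provider`, so Terraform runs as the federated GitHub identity itself; which repository and branches that provider accepts is defined on the GCP side and is not in this patch, so it is worth confirming the provider's attribute condition is bound to this repository before review apps start using it. The provider resource path is also repeated verbatim in destroy.yml; a single definition (an `env` value in the calling workflows, or an action input with this path as its default) avoids the two drifting. Pinning to the `v2` major tag matches the other actions in this file (`hashicorp/setup-terraform@v3`), so that follows the repo's convention. `runs:` and the preceding `case` statement start before the hunk.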
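Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so every job in build.yml, not only the job that runs the deploy action, can mint an OIDC token exchangeable at the GCP workload identity provider. Scoping it to the deploying job keeps the remaining jobs at their current permissions: add `permissions:` with `id-token: write` (restating the scopes that job already relies on, since a job-level block replaces the workflow-level one) under the job whose `runs-on: ubuntu-latest` the second hunk touches, and drop it from the top. The remaining two hunks in this file are whitespace only.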
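Review bot: The new workflow-level `permissions:` block lists only `id-token: write` and `pull-requests: write`, and an explicit block sets every unlisted scope to none, so the `contents` access the default token carried before is gone for the Destroy job; its `actions/checkout@v4` step is in a later hunk, and whether checkout still succeeds with `contents: none` on this repository is worth verifying, or simply add `contents: read` to the block. manual.yml gains the same kind of block with only `id-token: write` and raises the same question. `jobs:` continues past the hunk.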
@@ -16,6 +20,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + - name: Set Environment variables shell: bash run: | @@ -23,6 +28,11 @@ jobs: terraform_version=$(awk '/{/{f=/^terraform/;next}f' terraform/aks/terraform.tf | grep -o [0-9\.]*) echo "TERRAFORM_VERSION=$terraform_version" >> $GITHUB_ENV + - uses: google-github-actions/auth@v2 + with: + project_id: get-into-teaching + workload_identity_provider: projects/574582782335/locations/global/workloadIdentityPools/schools-experience/providers/schools-experience + - name: Use Terraform ${{ env.TERRAFORM_VERSION }} uses: hashicorp/setup-terraform@v3 with: diff --git a/.github/workflows/manual.yml b/.github/workflows/manual.yml index 334021deb..870cf01a8 100644 --- a/.github/workflows/manual.yml +++ b/.github/workflows/manual.yml @@ -11,6 +11,9 @@ on: description: Release Tag required: true +permissions: + id-token: write + jobs: manual: name: Deploy to ${{github.event.inputs.environment}} @@ -31,7 +34,7 @@ jobs: - uses: Azure/login@v2 with: creds: ${{ secrets.AZURE_CREDENTIALS }} - + - name: Fetch slack token uses: azure/CLI@v2 id: fetch-slack-secret