From a4e50c478ee9b8be46af92b67a0ef2d4c8b387da Mon Sep 17 00:00:00 2001
From: Neill Turner
Date: Tue, 31 Dec 2024 13:32:53 +0000
Subject: [PATCH] Migrate GCP wif
---
 .github/actions/deploy-environment/action.yml | 5 ++++
 .github/workflows/build_and_deploy.yml | 13 ++++++++---
 .github/workflows/delete_review_app.yml | 13 +++++++++--
 config/environments/development.rb | 1 +
 config/environments/production.rb | 1 +
 config/environments/test.rb | 1 +
 config/initializers/dfe_analytics.rb | 20 ++++++++--------
 terraform/application/application.tf | 23 ++++++++++---------
 .../application/config/production.tfvars.json | 3 ++-
 .../application/config/review.tfvars.json | 4 +++-
 terraform/application/config/test.tfvars.json | 3 ++-
 terraform/application/dfe_analytics.tf | 15 ++++++++++++
 terraform/application/variables.tf | 10 ++++++++
 13 files changed, 84 insertions(+), 28 deletions(-)
 create mode 100644 terraform/application/dfe_analytics.tf
diff --git a/.github/actions/deploy-environment/action.yml b/.github/actions/deploy-environment/action.yml
index 1409f7f2f9..2803f4f98f 100644
--- a/.github/actions/deploy-environment/action.yml
+++ b/.github/actions/deploy-environment/action.yml
@@ -38,6 +38,11 @@ runs:
 with:
 azure-credentials: ${{ inputs.azure-credentials }}
+ - uses: google-github-actions/auth@v2
+ with:
+ project_id: claim-additional-payments
+ workload_identity_provider: projects/638192024625/locations/global/workloadIdentityPools/claim-additional-payments-for-te/providers/claim-additional-payments-for-te
+
 - name: Terraform Apply
 shell: bash
 run: |
diff --git a/.github/workflows/build_and_deploy.yml b/.github/workflows/build_and_deploy.yml
index 2f42adc56c..f549e00f2e 100644
--- a/.github/workflows/build_and_deploy.yml
+++ b/.github/workflows/build_and_deploy.yml
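Review bot: The new `google-github-actions/auth@v2` step is pinned only to a floating major tag, yet its output is the Google Cloud credential that the following Terraform Apply runs with; pinning it to a full commit SHA with the version in a trailing comment, e.g. `- uses: google-github-actions/auth@<commit-sha> # v2`, means a moved tag cannot change what executes in the deploy path. The step also depends silently on the calling workflow job granting `id-token: write` (this commit adds that to the jobs in build_and_deploy.yml); a comment on the step such as `# Requires id-token: write on the calling job for the OIDC token exchange` would spare the next user of this composite action an opaque auth failure. The same project id and provider string are repeated verbatim in the delete_review_app.yml hunk below; exposing them as action inputs with these values as defaults would keep the two copies from drifting. Only the `run: |` line of Terraform Apply is visible; the step body continues outside the hunk.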
@@ -13,9 +13,9 @@ on:
 type: choice
 default: review
 options:
- - review
- - test
- - production
+ - review
+ - test
+ - production
 docker-image-tag:
 description: "Docker image tag to deploy (optional)"
 required: true
@@ -59,6 +59,9 @@ jobs:
 needs: [build]
 environment:
 name: review
+ permissions:
+ pull-requests: write
+ id-token: write
 steps:
 - name: Checkout code
@@ -107,6 +110,8 @@ jobs:
 max-parallel: 1
 matrix:
 environment: [test, production]
+ permissions:
+ id-token: write
 steps:
 - name: Checkout code
@@ -160,6 +165,8 @@ jobs:
 url: ${{ steps.deploy_manual.outputs.environment_url }}
 outputs:
 environment_url: ${{ steps.deploy_manual.outputs.environment_url }}
+ permissions:
+ id-token: write
 steps:
 - name: Checkout code
diff --git a/.github/workflows/delete_review_app.yml b/.github/workflows/delete_review_app.yml
index 91275ef9b6..e282dfdc9a 100644
--- a/.github/workflows/delete_review_app.yml
+++ b/.github/workflows/delete_review_app.yml
@@ -17,9 +17,13 @@ jobs:
 runs-on: ubuntu-latest
 if: >
 github.event.action == 'closed' && contains(github.event.pull_request.labels.*.name, 'deploy') ||
- (github.event.action == 'unlabeled' && github.event.label.name == 'deploy') ||
- (github.event_name == 'workflow_dispatch')
+ (github.event.action == 'unlabeled' && github.event.label.name == 'deploy') || (github.event_name ==
+ 'workflow_dispatch')
 environment: review
+ permissions:
+ pull-requests: write
+ id-token: write
+
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -33,6 +37,11 @@ jobs:
 with:
 azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+ - uses: google-github-actions/auth@v2
+ with:
+ project_id: claim-additional-payments
+ workload_identity_provider: projects/638192024625/locations/global/workloadIdentityPools/claim-additional-payments-for-te/providers/claim-additional-payments-for-te
+
 - name: Terraform destroy
 run: |
 if [ ${{ github.event_name }} == 'workflow_dispatch' ]; then
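Review bot: The job-level `permissions:` block added to the review job (and the matching blocks at the `[test, production]` matrix job, the manual deploy job, and the job in delete_review_app.yml) lists only `pull-requests: write` and `id-token: write`; a job-level block replaces the default token scopes rather than extending them, so every unlisted scope, including `contents`, becomes `none` for that job. If the repository is private, the `actions/checkout` step that follows each block will no longer be able to read the repository with the job token; adding `contents: read` to each block fixes that and is also the explicit least-privilege statement a reader expects to see. Writing `contents: read` even for a public repository records the intent and keeps the jobs working if visibility ever changes.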
diff --git a/config/environments/development.rb b/config/environments/development.rb
index d7b3cb6f23..08efda0b4d 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -92,4 +92,5 @@
 config.log_level = :debug # Or :info
 config.log_format = :color # Console colorised non-json output
 config.semantic_logger.backtrace_level = :debug # Show file and line number (expensive: not for production)
+ config.dfe_analytics = true
 end
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 21b9b7fd6d..c6021c6632 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -94,4 +94,5 @@
 # Do not dump schema after migrations.
 config.active_record.dump_schema_after_migration = false
+ config.dfe_analytics = true
 end
diff --git a/config/environments/test.rb b/config/environments/test.rb
index a92b501287..6ee1f1380a 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -71,4 +71,5 @@
 Bullet.add_safelist type: :unused_eager_loading, class_name: "TslrClaim", association: :current_school
 Bullet.add_safelist type: :n_plus_one_query, class_name: "School", association: :local_authority
 end
+ config.dfe_analytics = false
 end
diff --git a/config/initializers/dfe_analytics.rb b/config/initializers/dfe_analytics.rb
index 8f4a1f704e..0f4119e8aa 100644
--- a/config/initializers/dfe_analytics.rb
+++ b/config/initializers/dfe_analytics.rb
@@ -1,16 +1,16 @@
 DfE::Analytics.configure do |config|
 # Whether to log events instead of sending them to BigQuery.
 #
- # config.log_only = true
- config.log_only = (%w[development test].include?(ENV["RAILS_ENV"]) || ENV["ENVIRONMENT_NAME"].start_with?("review"))
+ config.log_only = false
 # Whether to use ActiveJob or dispatch events immediately.
 #
- # config.async = true
+ config.async = true
+ config.entity_table_checks_enabled = true
 # Which ActiveJob queue to put events on
 #
- # config.queue = :default
+ config.queue = :analytics
 # The name of the BigQuery table we’re writing to.
 #
@@ -27,7 +27,9 @@
 # Service account JSON key for the BigQuery API. See
 # https://cloud.google.com/bigquery/docs/authentication/service-account-file
 #
- # config.bigquery_api_json_key = ENV['BIGQUERY_API_JSON_KEY']
+ # We base64 encode the secret otherwise the raw JSON is mangled when it gets
+ #  written to/read from the Azure keyvault.
+ config.bigquery_api_json_key = ENV["BIGQUERY_API_JSON_KEY"] ? Base64.decode64(ENV["BIGQUERY_API_JSON_KEY"]) : nil
 # Passed directly to the retries: option on the BigQuery client
 #
@@ -41,14 +43,14 @@
 # enable analytics. You might want to hook this up to a feature flag or
 # environment variable.
 #
- config.enable_analytics = proc { Rails.env.production? }
+ config.enable_analytics = proc { Rails.application.config.dfe_analytics }
- # Enable entity table check job
- #
- config.entity_table_checks_enabled = true
+ config.user_identifier = proc { |user| user&.sub }
 # The environment we’re running in. This value will be attached
 # to all events we send to BigQuery.
 #
 # config.environment = ENV.fetch('RAILS_ENV', 'development')
+
+ config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS"
 end
diff --git a/terraform/application/application.tf b/terraform/application/application.tf
index 34a7229e5a..e67c1b2f19 100644
--- a/terraform/application/application.tf
+++ b/terraform/application/application.tf
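Review bot: `config.log_only = false` is now unconditional while development.rb in this same commit sets `config.dfe_analytics = true`, so a development boot with either credential path present appears to send real events to BigQuery; the removed line forced development, test and review to log-only, and `enable_analytics` previously returned true only in production. If local development is not meant to write to the dataset, keep a guard such as `config.log_only = Rails.env.development?`, or leave `config.dfe_analytics` false in development.rb. The `bigquery_api_json_key` line still decodes the long-lived service-account key whenever `BIGQUERY_API_JSON_KEY` is set, including in an environment where `azure_federated_auth` is also true; a comment marking the key as a transitional fallback to be removed from the key vault once the federated path is confirmed would record the intended end state and prompt a check of which credential the gem prefers when both are present. `Base64` is not autoloaded on Ruby 3.4+, where `base64` is a bundled gem, so an explicit `require "base64"` at the top of this initializer is the safe choice unless a dependency already provides it.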
@@ -13,18 +13,18 @@ module "application_configuration" {
 config_variables = merge(
 local.app_env_values,
 {
- ENVIRONMENT_NAME = var.environment
- PGSSLMODE = local.postgres_ssl_mode
- CANONICAL_HOSTNAME = local.canonical_hostname
+ ENVIRONMENT_NAME = var.environment
+ PGSSLMODE = local.postgres_ssl_mode
+ CANONICAL_HOSTNAME = local.canonical_hostname
+ BIGQUERY_DATASET = var.dataset_name
+ BIGQUERY_PROJECT_ID = "claim-additional-payments"
+ BIGQUERY_TABLE_NAME = "events"
 })
- secret_variables = merge(
- {
- DATABASE_URL = module.postgres.url
- },
- var.enable_monitoring ? {
- HEARTBEAT_CHECK_URL = module.statuscake[0].heartbeat_check_urls[local.heartbeat_check_name]
- } : {}
- )
+ secret_variables = {
+ DATABASE_URL = module.postgres.url
+ HEARTBEAT_CHECK_URL = var.enable_monitoring ? module.statuscake[0].heartbeat_check_urls[local.heartbeat_check_name] : null
+ GOOGLE_CLOUD_CREDENTIALS = var.enable_dfe_analytics_federated_auth ? module.dfe_analytics[0].google_cloud_credentials : null
+ }
 }
 module "web_application" {
@@ -69,4 +69,5 @@ module "worker_application" {
 replicas = var.worker_replicas
 enable_logit = var.enable_logit
+ enable_gcp_wif = true
 }
diff --git a/terraform/application/config/production.tfvars.json b/terraform/application/config/production.tfvars.json
index 855c0fd94b..52567a044b 100644
--- a/terraform/application/config/production.tfvars.json
+++ b/terraform/application/config/production.tfvars.json
@@ -19,5 +19,6 @@
 "enable_monitoring": true,
 "statuscake_contact_groups": [195955, 282453],
 "external_url": "https://www.claim-additional-teaching-payment.service.gov.uk/healthcheck",
- "enable_logit": true
+ "enable_logit": true,
+ "dataset_name": "claim_events_production"
 }
diff --git a/terraform/application/config/review.tfvars.json b/terraform/application/config/review.tfvars.json
index 496c0b3474..46bb55b4a0 100644
--- a/terraform/application/config/review.tfvars.json
+++ b/terraform/application/config/review.tfvars.json
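Review bot: `enable_gcp_wif = true` on `worker_application` is unconditional, while `GOOGLE_CLOUD_CREDENTIALS` in the first hunk is only produced when `var.enable_dfe_analytics_federated_auth` is set (true only in review.tfvars.json in this commit), so test and production get the workload-identity wiring on the pod without the federated credential behind it; `enable_gcp_wif = var.enable_dfe_analytics_federated_auth` keeps the two switches in step. The rewrite of `secret_variables` from a conditional `merge` to a fixed map now passes `null` for `HEARTBEAT_CHECK_URL` and `GOOGLE_CLOUD_CREDENTIALS` when their feature is off; unless the vendored module is known to drop null entries, this may create empty secrets or fail at plan time where the previous shape simply omitted the key, so a plan against an environment with monitoring disabled is worth checking before merge. `BIGQUERY_PROJECT_ID = "claim-additional-payments"` repeats the project id that dfe_analytics.tf's provider block and both workflows also hard-code; a single `local.gcp_project_id` referenced from here and from the provider would stop the copies drifting. `module "application_configuration"` starts above the hunk.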
@@ -6,5 +6,7 @@
 "enable_postgres_ssl": false,
 "startup_command": ["/bin/sh", "-c", "bin/rails server -b 0.0.0.0"],
 "worker_command": ["/bin/sh", "-c", "bin/bundle exec bin/delayed_job run -n 1"],
- "enable_logit": true
+ "enable_logit": true,
+ "dataset_name": "claim_events_test",
+ "enable_dfe_analytics_federated_auth": true
 }
diff --git a/terraform/application/config/test.tfvars.json b/terraform/application/config/test.tfvars.json
index 78e9ccfdce..efc1b7205b 100644
--- a/terraform/application/config/test.tfvars.json
+++ b/terraform/application/config/test.tfvars.json
@@ -11,5 +11,6 @@
 "statuscake_contact_groups": [195955, 282453],
 "external_url": "https://test.claim-additional-teaching-payment.service.gov.uk/healthcheck",
 "enable_logit": true,
- "enable_postgres_backup_storage": true
+ "enable_postgres_backup_storage": true,
+ "dataset_name": "claim_events_test"
 }
diff --git a/terraform/application/dfe_analytics.tf b/terraform/application/dfe_analytics.tf
new file mode 100644
index 0000000000..3ea75a47cc
--- /dev/null
+++ b/terraform/application/dfe_analytics.tf
@@ -0,0 +1,15 @@
+provider "google" {
+ project = "claim-additional-payments"
+}
+
+module "dfe_analytics" {
+ count = var.enable_dfe_analytics_federated_auth ? 1 : 0
+ source = "./vendor/modules/aks//aks/dfe_analytics"
+
+ azure_resource_prefix = var.azure_resource_prefix
+ cluster = var.cluster
+ namespace = var.namespace
+ service_short = var.service_short
+ environment = var.environment
+ gcp_dataset = var.dataset_name
+}
diff --git a/terraform/application/variables.tf b/terraform/application/variables.tf
index d95514bf47..bf753844df 100644
--- a/terraform/application/variables.tf
+++ b/terraform/application/variables.tf
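Review bot: The new `provider "google"` block in dfe_analytics.tf says nothing about where its credentials come from; it relies on the ambient credentials that the `google-github-actions/auth` step places in the runner environment, which is invisible from this file and will puzzle anyone running a plan locally. A comment above the block such as `# Authenticates via the ambient credentials set by google-github-actions/auth in CI; no key is stored in Terraform state or tfvars` would document the dependency. `enable_dfe_analytics_federated_auth` is set only in review.tfvars.json, so the module and the federated credential it produces exist for review apps alone while test and production keep the static key path; stating that on the `count` line, e.g. `# Currently enabled for review only; test and production still use BIGQUERY_API_JSON_KEY`, makes the partial migration explicit.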
@@ -84,6 +84,16 @@ variable "enable_logit" {
 nullable = false
 }
+variable "enable_dfe_analytics_federated_auth" {
+ description = "Create the resources in Google cloud for federated authentication and enable in application"
+ default = false
+}
+
+variable "dataset_name" {
+ description = "dfe analytics dataset name in Google Bigquery"
+ default = null
+}
+
 locals {
 postgres_ssl_mode = var.enable_postgres_ssl ? "require" : "disable"
 canonical_hostname = var.canonical_hostname != null ? var.canonical_hostname : "${var.service_name}-${var.environment}-web.test.teacherservices.cloud"
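Review bot: Both new variables are declared without a `type`, unlike the neighbouring `enable_logit` block whose `nullable = false` is visible in the context lines; `enable_dfe_analytics_federated_auth` gates a `count` in dfe_analytics.tf and a ternary in application.tf, so an unconstrained value is converted rather than rejected and a null from a tfvars file would break both expressions. Add `type = bool` and `nullable = false` to `enable_dfe_analytics_federated_auth`, and `type = string` to `dataset_name`, so a mistyped tfvars entry fails at validation instead of at plan. The `locals` block in the trailing context continues outside the hunk.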