DFE-Digital · neillturner · Jan 6, 2025 · Jan 6, 2025
diff --git a/.github/actions/deploy-environment/action.yml b/.github/actions/deploy-environment/action.yml
@@ -38,6 +38,11 @@ runs:
       with:
         azure-credentials: ${{ inputs.azure-credentials }}
 
+    - uses: google-github-actions/auth@v2
+      with:
+        project_id: claim-additional-payments
+        workload_identity_provider: projects/638192024625/locations/global/workloadIdentityPools/claim-additional-payments-for-te/providers/claim-additional-payments-for-te
+
     - name: Terraform Apply
       shell: bash
       run: |

diff --git a/.github/workflows/build_and_deploy.yml b/.github/workflows/build_and_deploy.yml
@@ -13,9 +13,9 @@ on:
         type: choice
         default: review
         options:
-        - review
-        - test
-        - production
+          - review
+          - test
+          - production
       docker-image-tag:
         description: "Docker image tag to deploy (optional)"
         required: true
@@ -59,6 +59,9 @@ jobs:
     needs: [build]
     environment:
       name: review
+    permissions:
+      pull-requests: write
+      id-token: write
 
     steps:
       - name: Checkout code
@@ -107,6 +110,8 @@ jobs:
       max-parallel: 1
       matrix:
         environment: [test, production]
+    permissions:
+      id-token: write
 
     steps:
       - name: Checkout code
@@ -160,6 +165,8 @@ jobs:
       url: ${{ steps.deploy_manual.outputs.environment_url }}
     outputs:
       environment_url: ${{ steps.deploy_manual.outputs.environment_url }}
+    permissions:
+      id-token: write
 
     steps:
       - name: Checkout code

diff --git a/.github/workflows/delete_review_app.yml b/.github/workflows/delete_review_app.yml
@@ -17,9 +17,13 @@ jobs:
     runs-on: ubuntu-latest
     if: >
       github.event.action == 'closed' && contains(github.event.pull_request.labels.*.name, 'deploy') ||
-      (github.event.action == 'unlabeled' && github.event.label.name == 'deploy') ||
-      (github.event_name == 'workflow_dispatch')
+      (github.event.action == 'unlabeled' && github.event.label.name == 'deploy') || (github.event_name ==
+      'workflow_dispatch')
     environment: review
+    permissions:
+      pull-requests: write
+      id-token: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -33,6 +37,11 @@ jobs:
         with:
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
 
+      - uses: google-github-actions/auth@v2
+        with:
+          project_id: claim-additional-payments
+          workload_identity_provider: projects/638192024625/locations/global/workloadIdentityPools/claim-additional-payments-for-te/providers/claim-additional-payments-for-te
+
       - name: Terraform destroy
         run: |
           if [ ${{ github.event_name }} == 'workflow_dispatch' ]; then

diff --git a/config/initializers/dfe_analytics.rb b/config/initializers/dfe_analytics.rb
@@ -51,4 +51,6 @@
   # to all events we send to BigQuery.
   #
   # config.environment = ENV.fetch('RAILS_ENV', 'development')
+
+  config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS"
 end
diff --git a/terraform/application/application.tf b/terraform/application/application.tf
@@ -13,18 +13,18 @@ module "application_configuration" {
   config_variables = merge(
     local.app_env_values,
     {
-      ENVIRONMENT_NAME   = var.environment
-      PGSSLMODE          = local.postgres_ssl_mode
-      CANONICAL_HOSTNAME = local.canonical_hostname
+      ENVIRONMENT_NAME    = var.environment
+      PGSSLMODE           = local.postgres_ssl_mode
+      CANONICAL_HOSTNAME  = local.canonical_hostname
+      BIGQUERY_DATASET    = var.dataset_name
+      BIGQUERY_PROJECT_ID = "claim-additional-payments"
+      BIGQUERY_TABLE_NAME = "events"
   })
-  secret_variables = merge(
-    {
-      DATABASE_URL        = module.postgres.url
-    },
-    var.enable_monitoring ? {
-      HEARTBEAT_CHECK_URL = module.statuscake[0].heartbeat_check_urls[local.heartbeat_check_name]
-    } : {}
-  )
+  secret_variables = {
+    DATABASE_URL        = module.postgres.url
+    HEARTBEAT_CHECK_URL = var.enable_monitoring ? module.statuscake[0].heartbeat_check_urls[local.heartbeat_check_name] : null
+    GOOGLE_CLOUD_CREDENTIALS = var.enable_dfe_analytics_federated_auth ? module.dfe_analytics[0].google_cloud_credentials : null
+  }
 }
 
 module "web_application" {
@@ -69,4 +69,5 @@ module "worker_application" {
   replicas = var.worker_replicas
 
   enable_logit = var.enable_logit
+  enable_gcp_wif = true
 }
diff --git a/terraform/application/config/production.tfvars.json b/terraform/application/config/production.tfvars.json
@@ -19,5 +19,6 @@
   "enable_monitoring": true,
   "statuscake_contact_groups": [195955, 282453],
   "external_url": "https://www.claim-additional-teaching-payment.service.gov.uk/healthcheck",
-  "enable_logit": true
+  "enable_logit": true,
+  "dataset_name": "claim_events_production"
 }
diff --git a/terraform/application/config/review.tfvars.json b/terraform/application/config/review.tfvars.json
@@ -6,5 +6,7 @@
   "enable_postgres_ssl": false,
   "startup_command": ["/bin/sh", "-c", "bin/rails server -b 0.0.0.0"],
   "worker_command": ["/bin/sh", "-c", "bin/bundle exec bin/delayed_job run -n 1"],
-  "enable_logit": true
+  "enable_logit": true,
+  "dataset_name": "claim_events_test",
+  "enable_dfe_analytics_federated_auth": true
 }
diff --git a/terraform/application/config/test.tfvars.json b/terraform/application/config/test.tfvars.json
@@ -11,5 +11,6 @@
   "statuscake_contact_groups": [195955, 282453],
   "external_url": "https://test.claim-additional-teaching-payment.service.gov.uk/healthcheck",
   "enable_logit": true,
-  "enable_postgres_backup_storage": true
+  "enable_postgres_backup_storage": true,
+  "dataset_name": "claim_events_test"
 }
diff --git a/terraform/application/dfe_analytics.tf b/terraform/application/dfe_analytics.tf
@@ -0,0 +1,15 @@
+provider "google" {
+  project = "claim-additional-payments"
+}
+
+module "dfe_analytics" {
+  count  = var.enable_dfe_analytics_federated_auth ? 1 : 0
+  source = "./vendor/modules/aks//aks/dfe_analytics"
+
+  azure_resource_prefix = var.azure_resource_prefix
+  cluster               = var.cluster
+  namespace             = var.namespace
+  service_short         = var.service_short
+  environment           = var.environment
+  gcp_dataset           = var.dataset_name
+}
diff --git a/terraform/application/variables.tf b/terraform/application/variables.tf
@@ -84,6 +84,16 @@ variable "enable_logit" {
   nullable    = false
 }
 
+variable "enable_dfe_analytics_federated_auth" {
+  description = "Create the resources in Google cloud for federated authentication and enable in application"
+  default     = false
+}
+
+variable "dataset_name" {
+  description = "dfe analytics dataset name in Google Bigquery"
+  default     = null
+}
+
 locals {
   postgres_ssl_mode       = var.enable_postgres_ssl ? "require" : "disable"
   canonical_hostname      = var.canonical_hostname != null ? var.canonical_hostname : "${var.service_name}-${var.environment}-web.test.teacherservices.cloud"