Migrate gcp-wif

.github/actions/deploy-environment-to-aks/action.yml

@@ -59,6 +59,11 @@ runs:
       with:
         creds: ${{ inputs.azure-credentials }}
 
+    - uses: google-github-actions/auth@v2
+      with:
+        project_id: ecf-bq
+        workload_identity_provider: projects/808138694727/locations/global/workloadIdentityPools/early-careers-framework/providers/early-careers-framework
+
     - name: Seed database
       if: ${{ inputs.pull-request-number != '' }}
       shell: bash

.github/workflows/deploy.yml

@@ -20,6 +20,11 @@ on:
   pull_request:
   merge_group:
 
+permissions:
+  id-token: write
+  pull-requests: write
+  packages: write
+
 jobs:
   lint:
     name: Lint

.github/workflows/destroy_review.yml

@@ -5,6 +5,9 @@ on:
     types: [closed]
     branches: [main]
 
+permissions:
+  id-token: write
+
 jobs:
   delete-review-app:
     name: Delete Review App ${{ github.event.pull_request.number }}
@@ -19,6 +22,11 @@ jobs:
         with:
           creds: ${{ secrets.AZURE_CREDENTIALS }}
 
+      - uses: google-github-actions/auth@v2
+        with:
+          project_id: ecf-bq
+          workload_identity_provider: projects/808138694727/locations/global/workloadIdentityPools/early-careers-framework/providers/early-careers-framework
+
       - uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: 1.5.4

config/initializers/dfe_analytics.rb

@@ -57,4 +57,6 @@
   # users that don't use the id field.
   #
   config.user_identifier = proc { |user| user&.id if user.respond_to?(:id) }
+
+  config.azure_federated_auth = ENV.include? "GOOGLE_CLOUD_CREDENTIALS"
 end

terraform/application/application.tf

@@ -20,9 +20,9 @@ module "application_configuration" {
     RAILS_ENV           = var.app_environment
     DB_SSLMODE          = var.db_sslmode
 
-    BIGQUERY_PROJECT_ID = "ecf-bq",
-    BIGQUERY_DATASET    = "events_${var.app_environment}", # TODO: work this out
-    BIGQUERY_TABLE_NAME = "events",                        # TODO: work this out
+    BIGQUERY_PROJECT_ID = "ecf-bq"
+    BIGQUERY_DATASET    = var.dataset_name
+    BIGQUERY_TABLE_NAME = "events"
     GIAS_API_SCHEMA     = "https://ea-edubase-api-prod.azurewebsites.net/edubase/schema/service.wsdl"
     GIAS_EXTRACT_ID     = 13904
     GIAS_API_USER       = "ecftech"
@@ -65,6 +65,8 @@ module "web_application" {
 
   enable_logit = var.enable_logit
   send_traffic_to_maintenance_page = var.send_traffic_to_maintenance_page
+
+  enable_gcp_wif = true
 }
 
 module "worker_application" {

terraform/application/dfe_analytics.tf

@@ -0,0 +1,15 @@
+provider "google" {
+  project = "ecf-bq"
+}
+
+module "dfe_analytics" {
+  count  = var.enable_dfe_analytics_federated_auth ? 1 : 0
+  source = "git::https://github.com/DFE-Digital/terraform-modules.git//aks/dfe_analytics?ref=testing"
+
+  azure_resource_prefix = var.azure_resource_prefix
+  cluster               = var.cluster
+  namespace             = var.namespace
+  service_short         = var.service_short
+  environment           = local.environment
+  gcp_dataset           = var.dataset_name
+}

terraform/application/variables.tf

@@ -151,3 +151,13 @@ variable "send_traffic_to_maintenance_page" {
   default     = false
   description = "During a maintenance operation, keep sending traffic to the maintenance page instead of resetting the ingress"
 }
+
+variable "enable_dfe_analytics_federated_auth" {
+  description = "Create the resources in Google cloud for federated authentication and enable in application"
+  default     = false
+}
+
+variable "dataset_name" {
+  description = "dfe analytics dataset name in Google Bigquery"
+  default     = null
+}

terraform/application/workspace_variables/review.tfvars.json

@@ -5,5 +5,7 @@
   "enable_monitoring": false,
   "namespace": "cpd-development",
   "db_sslmode": "prefer",
-  "enable_logit": true
+  "enable_logit": true,
+  "enable_dfe_analytics_federated_auth": true,
+  "dataset_name": "ecf_events_review"
 }