Enable azure rbac deployment on all services

DFE-Digital · Feb 1, 2024 · 3bf481d · 3bf481d
1 parent 8e8079d
commit 3bf481d
Show file tree

Hide file tree

Showing 8 changed files with 74 additions and 31 deletions.
diff --git a/.github/workflows/actions/database-backup/action.yml b/.github/workflows/actions/database-backup/action.yml
@@ -55,6 +55,10 @@ runs:
           echo "::add-mask::$SECRET_VALUE"
           echo "SLACK-WEBHOOK=$SECRET_VALUE" >> $GITHUB_OUTPUT
 
+    - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+      with:
+        azure-credentials: ${{ inputs.azure_credentials }}
+
     - name: Install kubectl
       uses: azure/setup-kubectl@v3
       with:
@@ -105,7 +109,7 @@ runs:
     - name: K8 setup
       shell: bash
       run: |
-        az aks get-credentials -g ${{ env.cluster_rg }} -n ${{ env.cluster_name }}
+        make ${{ inputs.environment }} get-cluster-credentials
         make bin/konduit.sh
 
     - name: Setup postgres client

diff --git a/.github/workflows/actions/deploy/action.yml b/.github/workflows/actions/deploy/action.yml
@@ -57,6 +57,10 @@ runs:
       with:
         creds: ${{ inputs.azure-credentials }}
 
+    - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+      with:
+        azure-credentials: ${{ inputs.azure_credentials }}
+
     - name: Terraform init, plan & apply
       shell: bash
       run: make ci ${{ inputs.environment }} terraform-apply

diff --git a/.github/workflows/delete-review-app.yml b/.github/workflows/delete-review-app.yml
@@ -60,14 +60,17 @@ jobs:
             --account-name "s189t01faltrntfstatervsa" \
             --prefix $TF_STATE_FILE --query "[].name" -o tsv)
           if [ -n "$pr_state_file" ]; then echo "TF_STATE_EXISTS=true" >> $GITHUB_ENV; fi;
+
+      - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+        with:
+          azure-credentials: ${{ secrets.azure_credentials }}
+
       - name: Terraform
         if: env.TF_STATE_EXISTS == 'true'
         id: terraform
         run: |
           make ci review terraform-destroy
         env:
-          ARM_ACCESS_KEY: ${{ steps.get_secrets.outputs.TFSTATE-CONTAINER-ACCESS-KEY }}
-          TF_VAR_azure_sp_credentials_json: ${{ secrets.azure_credentials }}
           TF_VAR_flt_docker_image: "ghcr.io/dfe-digital/find-a-lost-trn:no-tag"
           pr_id: ${{ github.event.pull_request.number }}
         shell: bash

diff --git a/Makefile b/Makefile
@@ -195,6 +195,7 @@ domains-infra-apply: domains-infra-init ## terraform apply for dns core resource
 
 get-cluster-credentials: set-azure-account ## make <config> get-cluster-credentials [ENVIRONMENT=<clusterX>]
 	az aks get-credentials --overwrite-existing -g ${RESOURCE_GROUP_NAME} -n ${RESOURCE_PREFIX}-tsc-${ENVIRONMENT}${CLONE_STRING}-aks
+	kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)
 
 ######################################
 

diff --git a/terraform/aks/.terraform.lock.hcl b/terraform/aks/.terraform.lock.hcl
diff --git a/terraform/aks/application.tf b/terraform/aks/application.tf
@@ -5,6 +5,7 @@ locals {
     DATABASE_URL = var.deploy_postgres ? module.postgres.url : ""
     REDIS_URL    = var.deploy_redis ? module.redis[0].url : ""
   }
+  postgres_ssl_mode = var.enable_postgres_ssl ? "require" : "disable"
 }
 
 module "web_application" {
@@ -37,9 +38,16 @@ module "application_configuration" {
   azure_resource_prefix  = var.azure_resource_prefix
   service_short          = var.service_short
   config_short           = var.config_short
-  config_variables       = { AKS_ENV_NAME = var.file_environment, EnableMetrics = false }
+  config_variables       = {
+    AKS_ENV_NAME = var.file_environment
+    EnableMetrics = false
+    ENVIRONMENT_NAME = local.environment
+    PGSSLMODE        = local.postgres_ssl_mode
+    }
   secret_variables       = local.app_secrets
   secret_key_vault_short = "app"
+
+  is_rails_application = true
 }
 
 module "worker_application" {

diff --git a/terraform/aks/provider.tf b/terraform/aks/provider.tf
@@ -1,12 +1,4 @@
-locals {
-  azure_credentials = try(jsondecode(var.azure_sp_credentials_json), null)
-}
-
 provider "azurerm" {
-  subscription_id            = try(local.azure_credentials.subscriptionId, null)
-  client_id                  = try(local.azure_credentials.clientId, null)
-  client_secret              = try(local.azure_credentials.clientSecret, null)
-  tenant_id                  = try(local.azure_credentials.tenantId, null)
   skip_provider_registration = true
 
   features {}
@@ -17,6 +9,15 @@ provider "kubernetes" {
   client_certificate     = module.cluster_data.kubernetes_client_certificate
   client_key             = module.cluster_data.kubernetes_client_key
   cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate
+
+  dynamic "exec" {
+    for_each = module.cluster_data.azure_RBAC_enabled ? [1] : []
+    content {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "kubelogin"
+      args        = module.cluster_data.kubelogin_args
+    }
+  }
 }
 
 provider "statuscake" {

diff --git a/terraform/aks/variables.tf b/terraform/aks/variables.tf
@@ -19,11 +19,6 @@ variable "azure_resource_prefix" {
   description = "Standard resource prefix. Usually s189t01 (test) or s189p01 (production)"
 }
 
-variable "azure_sp_credentials_json" {
-  type    = string
-  default = null
-}
-
 variable "cluster" {
   type        = string
   description = "AKS cluster where this app is deployed. Either 'test' or 'production'"
@@ -46,6 +41,11 @@ variable "enable_monitoring" {
   description = "Enable monitoring and alerting"
 }
 
+variable "enable_postgres_ssl" {
+  default     = true
+  description = "Enforce SSL connection from the client side"
+}
+
 variable "namespace" {
   type        = string
   description = "AKS namespace where this app is deployed"