Enable azure rbac deployment on all services

DFE-Digital · Jan 29, 2024 · f620e4f · f620e4f
1 parent 8e8079d
commit f620e4f
Show file tree

Hide file tree

Showing 9 changed files with 55 additions and 37 deletions.
diff --git a/.github/workflows/actions/database-backup/action.yml b/.github/workflows/actions/database-backup/action.yml
@@ -102,10 +102,14 @@ runs:
 
     - uses: azure/setup-kubectl@v3
 
+    - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+        with:
+          azure-credentials: ${{ inputs.azure_credentials }}
+
     - name: K8 setup
       shell: bash
       run: |
-        az aks get-credentials -g ${{ env.cluster_rg }} -n ${{ env.cluster_name }}
+        make ${{ inputs.environment }} get-cluster-credentials
         make bin/konduit.sh
 
     - name: Setup postgres client

diff --git a/.github/workflows/actions/deploy/action.yml b/.github/workflows/actions/deploy/action.yml
@@ -10,8 +10,6 @@ inputs:
   azure-credentials:
     description: Credentials for azure
     required: true
-  arm-access-key:
-    required: true
   pr-id:
     description: PR number for the review app
     required: false
@@ -57,11 +55,14 @@ runs:
       with:
         creds: ${{ inputs.azure-credentials }}
 
+    - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+      with:
+        azure-credentials: ${{ inputs.azure_credentials }}
+
     - name: Terraform init, plan & apply
       shell: bash
       run: make ci ${{ inputs.environment }} terraform-apply
       env:
-        ARM_ACCESS_KEY: ${{ inputs.arm-access-key }}
         DOCKER_IMAGE: ${{ inputs.docker_image }}
         pr_id: ${{ inputs.pr-id }}
         TF_VAR_azure_credentials: ${{ inputs.azure-credentials }}

diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
@@ -50,7 +50,6 @@ jobs:
           environment: review
           docker_image: ${{ needs.docker.outputs.docker_image }}
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
-          arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
           pr-id: ${{ github.event.pull_request.number }}
 
       - name: Post sticky pull request comment
@@ -84,7 +83,6 @@ jobs:
           environment: ${{ matrix.environment }}
           docker_image: ${{ needs.docker.outputs.docker_image }}
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
-          arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
       - uses: ./.github/workflows/actions/smoke-test
         id: smoke-test
         with:
@@ -112,4 +110,3 @@ jobs:
           environment: production
           docker_image: ${{ needs.docker.outputs.docker_image }}
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
-          arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
diff --git a/.github/workflows/delete-review-app.yml b/.github/workflows/delete-review-app.yml
@@ -66,8 +66,6 @@ jobs:
         run: |
           make ci review terraform-destroy
         env:
-          ARM_ACCESS_KEY: ${{ steps.get_secrets.outputs.TFSTATE-CONTAINER-ACCESS-KEY }}
-          TF_VAR_azure_sp_credentials_json: ${{ secrets.azure_credentials }}
           TF_VAR_flt_docker_image: "ghcr.io/dfe-digital/find-a-lost-trn:no-tag"
           pr_id: ${{ github.event.pull_request.number }}
         shell: bash

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -43,7 +43,6 @@ jobs:
           environment: development
           docker_image: ${{ steps.image.outputs.tag }}
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
-          arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
 
       - uses: ./.github/workflows/actions/smoke-test
         id: smoke-test

diff --git a/Makefile b/Makefile
@@ -195,6 +195,7 @@ domains-infra-apply: domains-infra-init ## terraform apply for dns core resource
 
 get-cluster-credentials: set-azure-account ## make <config> get-cluster-credentials [ENVIRONMENT=<clusterX>]
 	az aks get-credentials --overwrite-existing -g ${RESOURCE_GROUP_NAME} -n ${RESOURCE_PREFIX}-tsc-${ENVIRONMENT}${CLONE_STRING}-aks
+	kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)
 
 ######################################
 

diff --git a/terraform/aks/.terraform.lock.hcl b/terraform/aks/.terraform.lock.hcl
diff --git a/terraform/aks/provider.tf b/terraform/aks/provider.tf
@@ -1,12 +1,4 @@
-locals {
-  azure_credentials = try(jsondecode(var.azure_sp_credentials_json), null)
-}
-
 provider "azurerm" {
-  subscription_id            = try(local.azure_credentials.subscriptionId, null)
-  client_id                  = try(local.azure_credentials.clientId, null)
-  client_secret              = try(local.azure_credentials.clientSecret, null)
-  tenant_id                  = try(local.azure_credentials.tenantId, null)
   skip_provider_registration = true
 
   features {}
@@ -17,6 +9,15 @@ provider "kubernetes" {
   client_certificate     = module.cluster_data.kubernetes_client_certificate
   client_key             = module.cluster_data.kubernetes_client_key
   cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate
+
+  dynamic "exec" {
+    for_each = module.cluster_data.azure_RBAC_enabled ? [1] : []
+    content {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "kubelogin"
+      args        = module.cluster_data.kubelogin_args
+    }
+  }
 }
 
 provider "statuscake" {

diff --git a/terraform/aks/variables.tf b/terraform/aks/variables.tf
@@ -19,11 +19,6 @@ variable "azure_resource_prefix" {
   description = "Standard resource prefix. Usually s189t01 (test) or s189p01 (production)"
 }
 
-variable "azure_sp_credentials_json" {
-  type    = string
-  default = null
-}
-
 variable "cluster" {
   type        = string
   description = "AKS cluster where this app is deployed. Either 'test' or 'production'"