Merge pull request #341 from DFE-Digital/oidc-smoke-test

[2151] Github actions OIDC
DFE-Digital · Jan 9, 2025 · a6aa722 · a6aa722
2 parents 35a82ca + b14ef08
commit a6aa722
Show file tree

Hide file tree

Showing 17 changed files with 178 additions and 121 deletions.
diff --git a/.github/actions/deploy-environment/action.yml b/.github/actions/deploy-environment/action.yml
@@ -1,8 +1,15 @@
-name: Deploy Environment
+name: Deploy environment
+description: Deploy cluster and configure kubernetes
 
 inputs:
-  azure_credentials:
-    description: Credentials with Contributor & KeyVault access to Azure subscription
+  azure-client-id:
+    description: Azure managed identity client ID for OIDC authentication
+    required: true
+  azure-subscription-id:
+    description: Azure managed identity subscription ID for OIDC authentication
+    required: true
+  azure-tenant-id:
+    description: Azure managed identity tenant ID for OIDC authentication
     required: true
   environment_name:
     description: Name of the environment in Makefile
@@ -60,7 +67,9 @@ runs:
 
   - uses: Azure/login@v2
     with:
-      creds: ${{ inputs.azure_credentials }}
+      client-id: ${{ inputs.azure-client-id }}
+      tenant-id: ${{ inputs.azure-tenant-id }}
+      subscription-id: ${{ inputs.azure-subscription-id }}
 
   - id: deploy-arm-resources
     run: |
@@ -75,7 +84,9 @@ runs:
   - name: Set ARM and kubelogin environment
     uses: DFE-Digital/github-actions/set-kubelogin-environment@master
     with:
-      azure-credentials: ${{ inputs.AZURE_CREDENTIALS }}
+      azure-client-id: ${{ inputs.azure-client-id }}
+      azure-tenant-id: ${{ inputs.azure-tenant-id }}
+      azure-subscription-id: ${{ inputs.azure-subscription-id }}
 
   - id: terraform
     run: |

diff --git a/.github/actions/test-app-deployment/action.yml b/.github/actions/test-app-deployment/action.yml
@@ -0,0 +1,73 @@
+name: Test application deployment
+description: Test deployment of an ITTMS review app to the cluster
+
+inputs:
+  azure-client-id:
+    description: Azure managed identity client ID for OIDC authentication
+    required: true
+  azure-subscription-id:
+    description: Azure managed identity subscription ID for OIDC authentication
+    required: true
+  azure-tenant-id:
+    description: Azure managed identity tenant ID for OIDC authentication
+    required: true
+  environment:
+    description: The application environment config
+    required: true
+
+runs:
+  using: composite
+
+  steps:
+  - name: Check out ITTMS repository
+    uses: actions/checkout@v4
+    with:
+      repository: DFE-Digital/itt-mentor-services
+      path: itt-mentor-services
+      ref: 843-github-actions-oidc # Remove this line when the 843-github-actions-oidc branch is merged
+
+  - name: Set Environment variables
+    id: set_env_var
+    shell: bash
+    working-directory: itt-mentor-services
+    run: |
+      terraform_version=$(awk '/{/{f=/^terraform/;next}f' terraform/application/terraform.tf | grep -o [0-9\.]*)
+      echo "TERRAFORM_VERSION=$terraform_version" >> $GITHUB_ENV
+
+  - name: Use Terraform ${{ env.TERRAFORM_VERSION }}
+    uses: hashicorp/setup-terraform@v3
+    with:
+      terraform_version: ${{ env.TERRAFORM_VERSION }}
+      terraform_wrapper: false
+
+  - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+    with:
+      azure-client-id: ${{ inputs.azure-client-id }}
+      azure-tenant-id: ${{ inputs.azure-tenant-id }}
+      azure-subscription-id: ${{ inputs.azure-subscription-id }}
+
+  - name: Deploy application to ${{ inputs.environment }}
+    shell: bash
+    working-directory: itt-mentor-services
+    run: make ${{ inputs.environment }} ci terraform-apply
+    env:
+      DOCKER_IMAGE_TAG: main
+      PR_NUMBER: 9999
+
+  - name: Run healthcheck
+    shell: bash
+    working-directory: itt-mentor-services
+    run: |
+      external_urls=$(terraform -chdir=terraform/application output -json external_urls | jq -r '.[]')
+      for url in $external_urls; do
+        echo "Check health for $url/healthcheck/all..."
+        curl -sS --fail "$url/healthcheck/all" > /dev/null
+      done
+
+  - name: Delete application
+    shell: bash
+    working-directory: itt-mentor-services
+    run: make ${{ inputs.environment }} ci terraform-destroy
+    env:
+      DOCKER_IMAGE_TAG: main
+      PR_NUMBER: 9999
diff --git a/.github/workflows/check_sp.yml b/.github/workflows/check_sp.yml
@@ -14,10 +14,10 @@ jobs:
       - name: Select Tests
         id: select-tests
         run: |
-          d="{'environment' :'dev-domain'  , 'principal': 's189d01-tsc-contributor'}"
-          t="{'environment' :'test'      , 'principal': 's189t01-tsc-contributor'}"
-          p="{'environment' :'production'   , 'principal': 's189p01-tsc-contributor'}"
-          tests="{ 'data':[ ${d} ,  ${t} ,  ${p} ]}"
+          d="{'environment' :'development', 'principal': 's189d01-tsc-contributor'}"
+          t="{'environment' :'test', 'principal': 's189t01-tsc-contributor'}"
+          p="{'environment' :'production', 'principal': 's189p01-tsc-contributor'}"
+          tests="{'data':[${d}, ${t}, ${p}]}"
           echo "tests=${tests}" >> $GITHUB_OUTPUT
 
   check_expires:

diff --git a/.github/workflows/deploy-cluster.yml b/.github/workflows/deploy-cluster.yml
@@ -13,7 +13,6 @@ on:
       - reopened
       - opened
       - converted_to_draft
-  workflow_dispatch:
 
 jobs:
   validate-terraform:
@@ -91,14 +90,28 @@ jobs:
       max-parallel: 1
       matrix:
         environment: [platform-test, test, production]
+    permissions:
+      id-token: write # Required for OIDC authentication to Azure
+
     steps:
     - uses: actions/checkout@v4
 
     - uses: ./.github/actions/deploy-environment
       with:
-        azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
+        azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
         environment_name: ${{ matrix.environment }}
 
+    - name: Test application deployment
+      if: vars.TEST_APP_DEPLOYMENT == 'true'
+      uses: ./.github/actions/test-app-deployment
+      with:
+        azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        environment: ${{ vars.ITTMS_ENVIRONMENT }}
+
     - name: Send Slack notification on failure
       if: failure()
       uses: rtCamp/action-slack-notify@master
@@ -121,7 +134,7 @@ jobs:
     strategy:
       max-parallel: 1
       matrix:
-        environment: [dev-domain, prod-domain]
+        environment: [development, production]
     steps:
     - uses: actions/checkout@v4
 
@@ -133,14 +146,16 @@ jobs:
     - name: Set ARM environment variables
       uses: DFE-Digital/github-actions/set-arm-environment-variables@master
       with:
-        azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+        azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 
     - name: Update DNS in ${{ matrix.environment }}
       run: |
         make ci ${{ matrix.environment }} domains-infra-apply
       shell: bash
       env:
-        TF_VAR_azure_sp_credentials_json: ${{ secrets.AZURE_CREDENTIALS }}
+        ENVIRONMENT: dummy # "make development" requires the ENVIRONMENT var but it is not used for domains
 
     - name: Send Slack notification on failure
       if: failure()

diff --git a/Makefile b/Makefile
@@ -22,21 +22,27 @@ production:
 	$(if $(or ${CI}, ${CONFIRM_PRODUCTION}), , $(error Missing CONFIRM_PRODUCTION=yes))
 	$(eval include cluster/config/production.sh)
 
-prod-domain:
-	$(if $(or ${CI}, ${CONFIRM_PROD_DOMAIN}), , $(error Missing CONFIRM_PROD_DOMAIN=yes))
-	$(eval include custom_domains/config/prod-domain.sh)
+domains:
+	$(eval include cluster/config/domains.sh)
 
-dev-domain:
-	$(if $(or ${CI}, ${CONFIRM_DEV_DOMAIN}), , $(error Missing CONFIRM_DEV_DOMAIN=yes))
-	$(eval include custom_domains/config/dev-domain.sh)
+cluster-composed-variables:
+	$(eval RESOURCE_GROUP_NAME=${RESOURCE_PREFIX}-tsc-${CONFIG_SHORT}-rg)
+	$(eval KEYVAULT_NAME=${RESOURCE_PREFIX}-tsc-${CONFIG_SHORT}-kv)
+	$(eval STORAGE_ACCOUNT_NAME=${RESOURCE_PREFIX}tsctfstate${CONFIG_SHORT})
+	$(eval MANAGE_IDENTITY_NAME=${RESOURCE_PREFIX}-tsc-${CONFIG_SHORT}-id)
+
+domains-composed-variables: domains
+	$(eval RESOURCE_GROUP_NAME=${RESOURCE_PREFIX}-tscdomains-rg)
+	$(eval KEYVAULT_NAME=${RESOURCE_PREFIX}-tscdomains-kv)
+	$(eval STORAGE_ACCOUNT_NAME=${RESOURCE_PREFIX}tscdomainstf)
 
 clone:
 	$(eval CLONE_STRING=-clone)
 
 set-azure-account:
 	[ "${SKIP_AZURE_LOGIN}" != "true" ] && az account set -s ${AZ_SUBSCRIPTION} || true
 
-terraform-aks-cluster-init: set-azure-account
+terraform-aks-cluster-init: cluster-composed-variables set-azure-account
 	terraform -chdir=cluster/terraform_aks_cluster init -reconfigure -upgrade \
 		-backend-config=resource_group_name=${RESOURCE_GROUP_NAME} \
 		-backend-config=storage_account_name=${STORAGE_ACCOUNT_NAME} \
@@ -58,7 +64,7 @@ terraform-aks-cluster-apply: terraform-aks-cluster-init
 terraform-aks-cluster-destroy: terraform-aks-cluster-init
 	terraform -chdir=cluster/terraform_aks_cluster destroy -var-file config/${CONFIG}.tfvars.json ${AUTO_APPROVE}
 
-terraform-kubernetes-init: set-azure-account
+terraform-kubernetes-init: cluster-composed-variables set-azure-account
 	rm -rf cluster/terraform_kubernetes/vendor/modules/aks
 	git -c advice.detachedHead=false clone --depth=1 --single-branch --branch ${TERRAFORM_MODULES_TAG} https://github.com/DFE-Digital/terraform-modules.git cluster/terraform_kubernetes/vendor/modules/aks
 
@@ -95,7 +101,7 @@ set-what-if:
 check-auto-approve:
 	$(if $(AUTO_APPROVE), , $(error can only run with AUTO_APPROVE))
 
-arm-deployment: set-azure-account
+arm-deployment: cluster-composed-variables set-azure-account
 	az deployment sub create --name "resourcedeploy-tsc-$(shell date +%Y%m%d%H%M%S)" \
 		-l "UK South" --template-uri "https://raw.githubusercontent.com/DFE-Digital/tra-shared-services/${ARM_TEMPLATE_TAG}/azure/resourcedeploy.json" \
 		--parameters "resourceGroupName=${RESOURCE_GROUP_NAME}" 'tags=${RG_TAGS}' \
@@ -109,32 +115,32 @@ arm-deployment: set-azure-account
 		--parameters "managedIdentityName=${MANAGE_IDENTITY_NAME}" \
 		${WHAT_IF}
 
-deploy-azure-resources: check-auto-approve arm-deployment # make dev deploy-azure-resources
-validate-azure-resources: set-what-if arm-deployment # make dev validate-azure-resources
+deploy-azure-resources: check-auto-approve arm-deployment # make test deploy-azure-resources
+validate-azure-resources: set-what-if arm-deployment # make test validate-azure-resources
 
-domains-arm-deployment: set-azure-account
+domains-arm-deployment: domains-composed-variables set-azure-account
 	az deployment sub create --name "resourcedeploy-tscdomains-$(shell date +%Y%m%d%H%M%S)" \
 		-l "UK South" --template-uri "https://raw.githubusercontent.com/DFE-Digital/tra-shared-services/${ARM_TEMPLATE_TAG}/azure/resourcedeploy.json" \
 		--parameters "resourceGroupName=${RESOURCE_GROUP_NAME}" 'tags=${RG_TAGS}' \
 			"tfStorageAccountName=${STORAGE_ACCOUNT_NAME}" "tfStorageContainerName=tscdomains-tfstate" \
 			"keyVaultName=${KEYVAULT_NAME}" ${WHAT_IF}
 
-deploy-domains-azure-resources: check-auto-approve domains-arm-deployment # make dev deploy-domains-azure-resources
-validate-domains-azure-resources: set-what-if domains-arm-deployment # make dev validate-domains-azure-resources
+deploy-domains-azure-resources: check-auto-approve domains-arm-deployment # make test deploy-domains-azure-resources
+validate-domains-azure-resources: set-what-if domains-arm-deployment # make test validate-domains-azure-resources
 
-domains-infra-init: set-azure-account
+domains-infra-init: domains-composed-variables set-azure-account
 	rm -rf custom_domains/terraform/infrastructure/vendor/modules/domains
-	git clone --depth=1 --single-branch --branch ${TERRAFORM_MODULES_TAG} https://github.com/DFE-Digital/terraform-modules.git custom_domains/terraform/infrastructure/vendor/modules/domains
+	git -c advice.detachedHead=false clone --depth=1 --single-branch --branch ${TERRAFORM_MODULES_TAG} https://github.com/DFE-Digital/terraform-modules.git custom_domains/terraform/infrastructure/vendor/modules/domains
 
 	terraform -chdir=custom_domains/terraform/infrastructure init -reconfigure -upgrade \
 		-backend-config=resource_group_name=${RESOURCE_GROUP_NAME} \
 		-backend-config=storage_account_name=${STORAGE_ACCOUNT_NAME}
 
 domains-infra-plan: domains-infra-init
-	terraform -chdir=custom_domains/terraform/infrastructure plan -var-file config/${DOMAINS_ID}.tfvars.json
+	terraform -chdir=custom_domains/terraform/infrastructure plan -var-file config/${CONFIG}.tfvars.json
 
 domains-infra-apply: domains-infra-init
-	terraform -chdir=custom_domains/terraform/infrastructure apply -var-file config/${DOMAINS_ID}.tfvars.json ${AUTO_APPROVE}
+	terraform -chdir=custom_domains/terraform/infrastructure apply -var-file config/${CONFIG}.tfvars.json ${AUTO_APPROVE}
 
 get-cluster-credentials: set-azure-account ## make <config> get-cluster-credentials [ENVIRONMENT=<clusterX>]
 	az aks get-credentials --overwrite-existing -g ${RESOURCE_GROUP_NAME} -n ${RESOURCE_PREFIX}-tsc-${ENVIRONMENT}${CLONE_STRING}-aks

diff --git a/cluster/config/development.sh b/cluster/config/development.sh
@@ -2,8 +2,4 @@ CONFIG=development
 CONFIG_SHORT=dv
 AZ_SUBSCRIPTION=s189-teacher-services-cloud-development
 RESOURCE_PREFIX=s189d01
-RESOURCE_GROUP_NAME=${RESOURCE_PREFIX}-tsc-${CONFIG_SHORT}-rg
-KEYVAULT_NAME=${RESOURCE_PREFIX}-tsc2-${CONFIG_SHORT}-kv
-STORAGE_ACCOUNT_NAME=${RESOURCE_PREFIX}tsctfstate${CONFIG_SHORT}
-MANAGE_IDENTITY_NAME=${RESOURCE_PREFIX}-tsc-${CONFIG_SHORT}-id
 TERRAFORM_MODULES_TAG=main
diff --git a/cluster/config/domains.sh b/cluster/config/domains.sh
@@ -0,0 +1,5 @@
+AZURE_SUBSCRIPTION=s189-teacher-services-cloud-production
+AZURE_RESOURCE_PREFIX=s189p01
+CONFIG_SHORT=tscdomains
+DISABLE_KEYVAULTS=true
+TERRAFORM_MODULES_TAG=stable
diff --git a/cluster/config/platform-test.sh b/cluster/config/platform-test.sh
@@ -3,8 +3,4 @@ CONFIG=platform-test
 CONFIG_SHORT=pt
 AZ_SUBSCRIPTION=s189-teacher-services-cloud-test
 RESOURCE_PREFIX=s189t01
-RESOURCE_GROUP_NAME=${RESOURCE_PREFIX}-tsc-${CONFIG_SHORT}-rg
-KEYVAULT_NAME=${RESOURCE_PREFIX}-tsc-${CONFIG_SHORT}-kv
-STORAGE_ACCOUNT_NAME=${RESOURCE_PREFIX}tsctfstate${CONFIG_SHORT}
-MANAGE_IDENTITY_NAME=${RESOURCE_PREFIX}-tsc-${CONFIG_SHORT}-id
 TERRAFORM_MODULES_TAG=testing
diff --git a/cluster/config/production.sh b/cluster/config/production.sh
@@ -3,8 +3,4 @@ CONFIG=production
 CONFIG_SHORT=pd
 AZ_SUBSCRIPTION=s189-teacher-services-cloud-production
 RESOURCE_PREFIX=s189p01
-RESOURCE_GROUP_NAME=${RESOURCE_PREFIX}-tsc-${CONFIG_SHORT}-rg
-KEYVAULT_NAME=${RESOURCE_PREFIX}-tsc-${CONFIG_SHORT}-kv
-STORAGE_ACCOUNT_NAME=${RESOURCE_PREFIX}tsctfstate${CONFIG_SHORT}
-MANAGE_IDENTITY_NAME=${RESOURCE_PREFIX}-tsc-${CONFIG_SHORT}-id
 TERRAFORM_MODULES_TAG=stable
diff --git a/cluster/config/test.sh b/cluster/config/test.sh
@@ -3,8 +3,4 @@ CONFIG=test
 CONFIG_SHORT=ts
 AZ_SUBSCRIPTION=s189-teacher-services-cloud-test
 RESOURCE_PREFIX=s189t01
-RESOURCE_GROUP_NAME=${RESOURCE_PREFIX}-tsc-${CONFIG_SHORT}-rg
-KEYVAULT_NAME=${RESOURCE_PREFIX}-tsc-${CONFIG_SHORT}-kv
-STORAGE_ACCOUNT_NAME=${RESOURCE_PREFIX}tsctfstate${CONFIG_SHORT}
-MANAGE_IDENTITY_NAME=${RESOURCE_PREFIX}-tsc-${CONFIG_SHORT}-id
 TERRAFORM_MODULES_TAG=testing