feat: Adding OIDC for FALTRN

DFE-Digital · Feb 27, 2025 · 807994d · 807994d
1 parent b355a6d
commit 807994d
Show file tree

Hide file tree

Showing 10 changed files with 115 additions and 35 deletions.
diff --git a/.github/workflows/actions/database-backup/action.yml b/.github/workflows/actions/database-backup/action.yml
@@ -5,9 +5,18 @@ inputs:
   environment:
     description: "The name of the environment"
     required: true
-  azure_credentials:
-    description: "JSON object containing a service principal that can read from Azure Key Vault"
+  azure-client-id:
+    description: Azure Client ID for authentication
     required: true
+  azure-tenant-id:
+    description: Azure Tenant ID for authentication
+    required: true
+  azure-subscription-id:
+    description: Azure Subscription ID for authentication
+    required: true
+  namespace:
+    description: Namespace to deploy to
+    type: string
 
 outputs:
   backup_artifact:
@@ -44,7 +53,9 @@ runs:
 
     - uses: Azure/login@v2
       with:
-        creds: ${{ inputs.azure_credentials }}
+        client-id: ${{ inputs.azure-client-id }}
+        tenant-id: ${{ inputs.azure-tenant-id }}
+        subscription-id: ${{ inputs.azure-subscription-id }}
 
     - name: Fetch slack web hook
       uses: azure/CLI@v1
@@ -57,7 +68,9 @@ runs:
 
     - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
       with:
-        azure-credentials: ${{ inputs.azure_credentials }}
+        azure-client-id: ${{ inputs.azure-client-id }}
+        azure-tenant-id: ${{ inputs.azure-tenant-id }}
+        azure-subscription-id: ${{ inputs.azure-subscription-id }}
 
     - name: Install kubectl
       uses: DFE-Digital/github-actions/set-kubectl@master
@@ -121,7 +134,7 @@ runs:
     - name: Backup ${{ inputs.environment }} DB
       shell: bash
       run: |
-        bin/konduit.sh find-a-lost-trn-${{ inputs.environment }} -- pg_dump -E utf8 --clean --if-exists --no-owner --verbose --no-password -f ${BACKUP_FILE_NAME}.sql
+        bin/konduit.sh -n {{ inputs.namespace }} find-a-lost-trn-${{ inputs.environment }} -- pg_dump -E utf8 --clean --if-exists --no-owner --verbose --no-password -f ${BACKUP_FILE_NAME}.sql
         tar -cvzf ${BACKUP_FILE_NAME}.tar.gz ${BACKUP_FILE_NAME}.sql
 
     - name: Set Connection String

diff --git a/.github/workflows/actions/deploy/action.yml b/.github/workflows/actions/deploy/action.yml
@@ -7,8 +7,14 @@ inputs:
   docker_image:
     description: Docker image to be deployed
     required: true
-  azure-credentials:
-    description: Credentials for azure
+  azure-client-id:
+    description: Azure Client ID for authentication
+    required: true
+  azure-tenant-id:
+    description: Azure Tenant ID for authentication
+    required: true
+  azure-subscription-id:
+    description: Azure Subscription ID for authentication
     required: true
   arm-access-key:
     required: true
@@ -55,11 +61,15 @@ runs:
 
     - uses: azure/login@v2
       with:
-        creds: ${{ inputs.azure-credentials }}
+        client-id: ${{ inputs.azure-client-id }}
+        tenant-id: ${{ inputs.azure-tenant-id }}
+        subscription-id: ${{ inputs.azure-subscription-id }}
 
     - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
       with:
-        azure-credentials: ${{ inputs.azure-credentials }}
+        azure-client-id: ${{ inputs.azure-client-id }}
+        azure-tenant-id: ${{ inputs.azure-tenant-id }}
+        azure-subscription-id: ${{ inputs.azure-subscription-id }}
 
     - name: Terraform init, plan & apply
       shell: bash
@@ -68,5 +78,4 @@ runs:
         ARM_ACCESS_KEY: ${{ inputs.arm-access-key }}
         DOCKER_IMAGE: ${{ inputs.docker_image }}
         pr_id: ${{ inputs.pr-id }}
-        TF_VAR_azure_credentials: ${{ inputs.azure-credentials }}
         CONFIRM_PRODUCTION: true
diff --git a/.github/workflows/actions/smoke-test/action.yml b/.github/workflows/actions/smoke-test/action.yml
@@ -4,8 +4,14 @@ inputs:
   environment:
     description: The name of the environment
     required: true
-  azure_credentials:
-    description: JSON object containing a service principal that can read from Azure Key Vault
+  azure-client-id:
+    description: Azure Client ID for authentication
+    required: true
+  azure-tenant-id:
+    description: Azure Tenant ID for authentication
+    required: true
+  azure-subscription-id:
+    description: Azure Subscription ID for authentication
     required: true
 
 runs:
@@ -14,7 +20,9 @@ runs:
   steps:
     - uses: Azure/login@v2
       with:
-        creds: ${{ inputs.azure_credentials }}
+        client-id: ${{ inputs.azure-client-id }}
+        tenant-id: ${{ inputs.azure-tenant-id }}
+        subscription-id: ${{ inputs.azure-subscription-id }}
 
     - name: Prepare application environment
       uses: ./.github/actions/prepare-app-env

diff --git a/.github/workflows/aks-db-backup.yml b/.github/workflows/aks-db-backup.yml
@@ -5,22 +5,44 @@ on:
   schedule: # 01:00 UTC
     - cron: "0 1 * * *"
 
+env:
+  SERVICE_NAME: faltrn
+  SERVICE_SHORT: faltrn
+  TF_VARS_PATH: terraform/aks/workspace_variables
+
 jobs:
   backup:
     name: Backup AKS Database
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
     strategy:
       max-parallel: 1
       matrix:
         environment: [development, test, preproduction, production]
     environment:
       name: ${{matrix.environment}}
+    env:
+      DEPLOY_ENV: ${{ inputs.environment || 'production'  }}
+      BACKUP_FILE: ${{ inputs.backup-file || 'schedule'  }}
     concurrency: ${{matrix.environment}}_${{github.event.number}}
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
+
+      - name: Set environment variables
+        run: |
+          source global_config/${DEPLOY_ENV}.sh
+          tf_vars_file=${TF_VARS_PATH}/${DEPLOY_ENV}.tfvars.json
+          echo "NAMESPACE=$(jq -r '.namespace' ${tf_vars_file})" >> $GITHUB_ENV
+          echo "CLUSTER=$(jq -r '.cluster' ${tf_vars_file})" >> $GITHUB_ENV
+
       - uses: ./.github/workflows/actions/database-backup
         id: aks_db_backup
         with:
-          azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          namespace: ${{ env.NAMESPACE }}
           environment: ${{ matrix.environment }}
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
@@ -30,6 +30,11 @@ on:
 env:
   CONTAINER_REGISTRY: ghcr.io
 
+permissions:
+  id-token: write
+  pull-requests: write
+  packages: write
+
 jobs:
   build_image:
     name: Image build and push
@@ -66,7 +71,9 @@ jobs:
         with:
           environment: review
           docker_image: ${{ needs.build_image.outputs.docker-image }}
-          azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
           pr-id: ${{ github.event.pull_request.number }}
 
@@ -114,7 +121,9 @@ jobs:
 
       - uses: azure/login@v2
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Fetch secrets from key vault
         uses: azure/CLI@v2
@@ -130,14 +139,18 @@ jobs:
         with:
           environment: ${{ matrix.environment }}
           docker_image: ${{ needs.build_image.outputs.docker-image }}
-          azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
 
       - uses: ./.github/workflows/actions/smoke-test
         id: smoke-test
         with:
           environment: ${{ matrix.environment }}
-          azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Slack Notification
         if: failure()
@@ -166,7 +179,9 @@ jobs:
 
       - uses: azure/login@v2
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Fetch secrets from key vault
         uses: azure/CLI@v2
@@ -182,7 +197,9 @@ jobs:
         with:
           environment: production
           docker_image: ${{ needs.build_image.outputs.docker-image }}
-          azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
 
       - name: Slack Notification

diff --git a/.github/workflows/build-nocache.yml b/.github/workflows/build-nocache.yml
@@ -17,7 +17,9 @@ jobs:
 
       - uses: azure/login@v2
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Fetch secrets from key vault
         uses: azure/CLI@v2

diff --git a/.github/workflows/delete-review-app.yml b/.github/workflows/delete-review-app.yml
@@ -12,6 +12,9 @@ jobs:
     if: ${{ contains(github.event.pull_request.labels.*.name, 'deploy') }}
     runs-on: ubuntu-latest
     environment: review
+    permissions:
+      pull-requests: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
 
@@ -33,7 +36,9 @@ jobs:
 
       - uses: Azure/login@v2
         with:
-          creds: ${{ secrets.azure_credentials }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - uses: azure/CLI@v2
         id: get_secrets
@@ -63,7 +68,9 @@ jobs:
       - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
         if: ${{ env.TF_STATE_EXISTS }} == 'true'
         with:
-          azure-credentials: ${{ secrets.azure_credentials }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Terraform
         if: ${{ env.TF_STATE_EXISTS }} == 'true'

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -25,6 +25,9 @@ jobs:
     runs-on: ubuntu-latest
     environment:
       name: development
+    permissions:
+      id-token: write
+
     steps:
       - uses: actions/checkout@v4
 
@@ -42,11 +45,15 @@ jobs:
         with:
           environment: development
           docker_image: ${{ steps.image.outputs.tag }}
-          azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
 
       - uses: ./.github/workflows/actions/smoke-test
         id: smoke-test
         with:
           environment: development
-          azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/Makefile b/Makefile
@@ -183,7 +183,7 @@ production-cluster:
 
 get-cluster-credentials: set-azure-account ## make <config> get-cluster-credentials [ENVIRONMENT=<clusterX>]
 	az aks get-credentials --overwrite-existing -g ${CLUSTER_RESOURCE_GROUP_NAME} -n ${CLUSTER_NAME}
-	kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)
+	kubelogin convert-kubeconfig -l $(if ${AAD_LOGIN_METHOD},${AAD_LOGIN_METHOD},azurecli)
 
 console: get-cluster-credentials
 	kubectl -n tra-${DEPLOY_ENV} exec -ti --tty deployment/find-a-lost-trn-${DEPLOY_ENV} -- /bin/sh -c 'cd /app && /usr/local/bin/bundle exec rails c'
diff --git a/terraform/aks/provider.tf b/terraform/aks/provider.tf
@@ -6,17 +6,12 @@ provider "azurerm" {
 
 provider "kubernetes" {
   host                   = module.cluster_data.kubernetes_host
-  client_certificate     = module.cluster_data.kubernetes_client_certificate
-  client_key             = module.cluster_data.kubernetes_client_key
   cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate
 
-  dynamic "exec" {
-    for_each = module.cluster_data.azure_RBAC_enabled ? [1] : []
-    content {
-      api_version = "client.authentication.k8s.io/v1beta1"
-      command     = "kubelogin"
-      args        = module.cluster_data.kubelogin_args
-    }
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "kubelogin"
+    args        = module.cluster_data.kubelogin_args
   }
 }