diff --git a/.github/workflows/actions/database-backup/action.yml b/.github/workflows/actions/database-backup/action.yml
index 059a5c10..42d93476 100644
--- a/.github/workflows/actions/database-backup/action.yml
+++ b/.github/workflows/actions/database-backup/action.yml
@@ -5,8 +5,14 @@ inputs:
environment:
description: "The name of the environment"
required: true
- azure_credentials:
- description: "JSON object containing a service principal that can read from Azure Key Vault"
+ azure-client-id:
+ description: Azure Client ID for authentication
+ required: true
+ azure-tenant-id:
+ description: Azure Tenant ID for authentication
+ required: true
+ azure-subscription-id:
+ description: Azure Subscription ID for authentication
required: true
outputs:
@@ -44,7 +50,9 @@ runs:
- uses: Azure/login@v2
with:
- creds: ${{ inputs.azure_credentials }}
+ client-id: ${{ inputs.azure-client-id }}
+ tenant-id: ${{ inputs.azure-tenant-id }}
+ subscription-id: ${{ inputs.azure-subscription-id }}
- name: Fetch slack web hook
uses: azure/CLI@v1
@@ -57,7 +65,9 @@ runs:
- uses: DFE-Digital/github-actions/set-kubelogin-environment@master
with:
- azure-credentials: ${{ inputs.azure_credentials }}
+ azure-client-id: ${{ inputs.azure-client-id }}
+ azure-tenant-id: ${{ inputs.azure-tenant-id }}
+ azure-subscription-id: ${{ inputs.azure-subscription-id }}
- name: Install kubectl
uses: DFE-Digital/github-actions/set-kubectl@master
@@ -121,7 +131,7 @@ runs:
- name: Backup ${{ inputs.environment }} DB
shell: bash
run: |
- bin/konduit.sh find-a-lost-trn-${{ inputs.environment }} -- pg_dump -E utf8 --clean --if-exists --no-owner --verbose --no-password -f ${BACKUP_FILE_NAME}.sql
+ bin/konduit.sh -n ${{ env.NAMESPACE }} find-a-lost-trn-${{ inputs.environment }} -- pg_dump -E utf8 --clean --if-exists --no-owner --verbose --no-password -f ${BACKUP_FILE_NAME}.sql
tar -cvzf ${BACKUP_FILE_NAME}.tar.gz ${BACKUP_FILE_NAME}.sql
- name: Set Connection String
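Review bot: The `Azure/login@v2` step now receives only client-id/tenant-id/subscription-id and no `creds` secret, which azure/login treats as an OIDC federated login, and a composite action cannot grant itself the `id-token: write` permission that flow needs — the requirement lives only in whichever workflow calls this action. A comment above the step would keep that contract visible to the next caller, e.g. `# OIDC login: the calling job must grant permissions: id-token: write`. The three new input descriptions could also state that these are identifiers of a federated credential rather than secrets, which is the reason a `creds` JSON blob is no longer required.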
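Review bot: `${{ env.NAMESPACE }}` in the `run:` script is substituted by the workflow templater before bash sees it, so the backup step now depends on a caller having populated NAMESPACE (in this diff only aks-db-backup.yml does, through $GITHUB_ENV), and when it is unset the command degrades to a bare `-n` whose next token konduit.sh may well consume as the namespace. Reading the value from the shell environment instead avoids template-to-shell expansion and fails fast: `bin/konduit.sh -n "${NAMESPACE:?NAMESPACE must be set by the calling workflow}" find-a-lost-trn-${{ inputs.environment }} -- pg_dump …`. Declaring `namespace` as an explicit, required input of the action would make the dependency part of its interface rather than an ambient variable.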
diff --git a/.github/workflows/actions/deploy/action.yml b/.github/workflows/actions/deploy/action.yml
index df930637..405f5b24 100644
--- a/.github/workflows/actions/deploy/action.yml
+++ b/.github/workflows/actions/deploy/action.yml
@@ -7,8 +7,14 @@ inputs:
docker_image:
description: Docker image to be deployed
required: true
- azure-credentials:
- description: Credentials for azure
+ azure-client-id:
+ description: Azure Client ID for authentication
+ required: true
+ azure-tenant-id:
+ description: Azure Tenant ID for authentication
+ required: true
+ azure-subscription-id:
+ description: Azure Subscription ID for authentication
required: true
arm-access-key:
required: true
@@ -55,11 +61,15 @@ runs:
- uses: azure/login@v2
with:
- creds: ${{ inputs.azure-credentials }}
+ client-id: ${{ inputs.azure-client-id }}
+ tenant-id: ${{ inputs.azure-tenant-id }}
+ subscription-id: ${{ inputs.azure-subscription-id }}
- uses: DFE-Digital/github-actions/set-kubelogin-environment@master
with:
- azure-credentials: ${{ inputs.azure-credentials }}
+ azure-client-id: ${{ inputs.azure-client-id }}
+ azure-tenant-id: ${{ inputs.azure-tenant-id }}
+ azure-subscription-id: ${{ inputs.azure-subscription-id }}
- name: Terraform init, plan & apply
shell: bash
@@ -68,5 +78,4 @@ runs:
ARM_ACCESS_KEY: ${{ inputs.arm-access-key }}
DOCKER_IMAGE: ${{ inputs.docker_image }}
pr_id: ${{ inputs.pr-id }}
- TF_VAR_azure_credentials: ${{ inputs.azure-credentials }}
CONFIRM_PRODUCTION: true
diff --git a/.github/workflows/actions/smoke-test/action.yml b/.github/workflows/actions/smoke-test/action.yml
index a3080461..c7e82bd2 100644
--- a/.github/workflows/actions/smoke-test/action.yml
+++ b/.github/workflows/actions/smoke-test/action.yml
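Review bot: Dropping `TF_VAR_azure_credentials` from the Terraform step's env leaves the providers authenticating through whatever `azure/login` left in the Azure CLI session; azurerm falls back to CLI auth by default, but if the `azure_credentials` variable is still declared without a default in the workspace, or a provider block still builds `client_secret` from it, `terraform plan` will fail, and neither file is in this diff — confirm both were removed in the same change. `ARM_ACCESS_KEY` remains a long-lived storage account key for the state backend, so the migration away from static secrets is only partial; with OIDC in place the backend can use `use_azuread_auth = true` and the federated identity granted the blob data role. If that is deferred, a `# TODO: replace storage key with Azure AD backend auth` on that env line records the intent.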
@@ -4,8 +4,14 @@ inputs:
environment:
description: The name of the environment
required: true
- azure_credentials:
- description: JSON object containing a service principal that can read from Azure Key Vault
+ azure-client-id:
+ description: Azure Client ID for authentication
+ required: true
+ azure-tenant-id:
+ description: Azure Tenant ID for authentication
+ required: true
+ azure-subscription-id:
+ description: Azure Subscription ID for authentication
required: true
runs:
@@ -14,7 +20,9 @@ runs:
steps:
- uses: Azure/login@v2
with:
- creds: ${{ inputs.azure_credentials }}
+ client-id: ${{ inputs.azure-client-id }}
+ tenant-id: ${{ inputs.azure-tenant-id }}
+ subscription-id: ${{ inputs.azure-subscription-id }}
- name: Prepare application environment
uses: ./.github/actions/prepare-app-env
diff --git a/.github/workflows/aks-db-backup.yml b/.github/workflows/aks-db-backup.yml
index 5adf4d01..25c31d71 100644
--- a/.github/workflows/aks-db-backup.yml
+++ b/.github/workflows/aks-db-backup.yml
@@ -5,22 +5,43 @@ on:
schedule:
# 01:00 UTC
- cron: "0 1 * * *"
+env:
+ SERVICE_NAME: faltrn
+ SERVICE_SHORT: faltrn
+ TF_VARS_PATH: terraform/aks/workspace_variables
+
jobs:
backup:
name: Backup AKS Database
runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
strategy:
max-parallel: 1
matrix:
environment: [development, test, preproduction, production]
environment:
name: ${{matrix.environment}}
+ env:
+ DEPLOY_ENV: ${{ inputs.environment || 'production' }}
+ BACKUP_FILE: ${{ inputs.backup-file || 'schedule' }}
concurrency: ${{matrix.environment}}_${{github.event.number}}
steps:
- name: Check out the repo
uses: actions/checkout@v4
+
+ - name: Set environment variables
+ run: |
+ source global_config/${DEPLOY_ENV}.sh
+ tf_vars_file=${TF_VARS_PATH}/${DEPLOY_ENV}.tfvars.json
+ echo "NAMESPACE=$(jq -r '.namespace' ${tf_vars_file})" >> $GITHUB_ENV
+ echo "CLUSTER=$(jq -r '.cluster' ${tf_vars_file})" >> $GITHUB_ENV
+
- uses: ./.github/workflows/actions/database-backup
id: aks_db_backup
with:
- azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
+ azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
environment: ${{ matrix.environment }}
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
index 4770be8b..33f6d173 100644
--- a/.github/workflows/build-and-deploy.yml
+++ b/.github/workflows/build-and-deploy.yml
@@ -30,6 +30,11 @@ on:
env:
CONTAINER_REGISTRY: ghcr.io
+permissions:
+ id-token: write
+ pull-requests: write
+ packages: write
+
jobs:
build_image:
name: Image build and push
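Review bot: `DEPLOY_ENV: ${{ inputs.environment || 'production' }}` is evaluated for every matrix leg, but on the scheduled trigger visible at the top of this hunk `inputs.environment` is empty, so the development, test and preproduction legs all source `global_config/production.sh` and export production's NAMESPACE and CLUSTER while the backup action still receives `environment: ${{ matrix.environment }}`; with the `-n ${{ env.NAMESPACE }}` now passed to konduit.sh, non-production dumps will be attempted against the production namespace. It should follow the matrix, `DEPLOY_ENV: ${{ matrix.environment }}` (or `${{ inputs.environment || matrix.environment }}` if a dispatch input is meant to override it, in which case the matrix should be narrowed to that one environment as well). Separately, `contents: write` is not required by `actions/checkout` or by an upload to Azure Storage; unless the backup action commits something back to the repository this should be `contents: read`.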
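Review bot: The new workflow-level `permissions:` block in build-and-deploy.yml applies to every job, and once a `permissions` block exists any scope not listed — `contents` included — is reduced to none, yet the jobs below run `actions/checkout` and build the image; a public repository may still clone without it, so confirm visibility, but `contents: read` is the honest declaration either way. `id-token: write` is also granted to jobs that never call `azure/login`, such as the image build, whereas the same commit scopes it to the job in delete-review-app.yml and deploy.yml. Keeping `permissions: { contents: read, packages: write }` at workflow level and adding `id-token: write` (plus `pull-requests: write` where a PR comment is posted) only on the deploying jobs would match those files and keep the OIDC capability off the build job.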
@@ -66,7 +71,9 @@ jobs:
with:
environment: review
docker_image: ${{ needs.build_image.outputs.docker-image }}
- azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+ azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
pr-id: ${{ github.event.pull_request.number }}
@@ -114,7 +121,9 @@ jobs:
- uses: azure/login@v2
with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Fetch secrets from key vault
uses: azure/CLI@v2
@@ -130,14 +139,18 @@ jobs:
with:
environment: ${{ matrix.environment }}
docker_image: ${{ needs.build_image.outputs.docker-image }}
- azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+ azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
- uses: ./.github/workflows/actions/smoke-test
id: smoke-test
with:
environment: ${{ matrix.environment }}
- azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
+ azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Slack Notification
if: failure()
@@ -166,7 +179,9 @@ jobs:
- uses: azure/login@v2
with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Fetch secrets from key vault
uses: azure/CLI@v2
@@ -182,7 +197,9 @@ jobs:
with:
environment: production
docker_image: ${{ needs.build_image.outputs.docker-image }}
- azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+ azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
- name: Slack Notification
diff --git a/.github/workflows/build-nocache.yml b/.github/workflows/build-nocache.yml
index b26890a1..4ef7ff9d 100644
--- a/.github/workflows/build-nocache.yml
+++ b/.github/workflows/build-nocache.yml
@@ -17,7 +17,9 @@ jobs:
- uses: azure/login@v2
with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Fetch secrets from key vault
uses: azure/CLI@v2
diff --git a/.github/workflows/delete-review-app.yml b/.github/workflows/delete-review-app.yml
index 093e4cf3..a6e2a5a7 100644
--- a/.github/workflows/delete-review-app.yml
+++ b/.github/workflows/delete-review-app.yml
@@ -12,6 +12,9 @@ jobs:
if: ${{ contains(github.event.pull_request.labels.*.name, 'deploy') }}
runs-on: ubuntu-latest
environment: review
+ permissions:
+ pull-requests: write
+ id-token: write
steps:
- uses: actions/checkout@v4
@@ -33,7 +36,9 @@ jobs:
- uses: Azure/login@v2
with:
- creds: ${{ secrets.azure_credentials }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- uses: azure/CLI@v2
id: get_secrets
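Review bot: build-nocache.yml is the only workflow in this diff whose `azure/login@v2` step switches to client-id/tenant-id/subscription-id without an accompanying `permissions:` change; with no `creds` secret, azure/login requests a GitHub OIDC token, which requires `id-token: write` on the job, otherwise the login step fails before the key vault fetch runs. Unless the job already grants it somewhere outside this hunk, add `permissions:` with `id-token: write` (and `contents: read` if the job checks out the repository) to the job in build-nocache.yml, as the commit does for delete-review-app.yml and deploy.yml.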
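Review bot: The job-level `permissions:` added to delete-review-app.yml lists only `pull-requests: write` and `id-token: write`, which sets every other scope — `contents` included — to none for this job, and `actions/checkout@v4` runs two lines below it; on a private repository the checkout fails outright, and on a public one the read access is implicit rather than declared. Suggest adding `contents: read` alongside the two new scopes so the job's needs are spelled out and the behaviour does not depend on repository visibility.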
@@ -63,7 +68,9 @@ jobs:
- uses: DFE-Digital/github-actions/set-kubelogin-environment@master
if: ${{ env.TF_STATE_EXISTS }} == 'true'
with:
- azure-credentials: ${{ secrets.azure_credentials }}
+ azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Terraform
if: ${{ env.TF_STATE_EXISTS }} == 'true'
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index c98a9a32..1da54f78 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -25,6 +25,9 @@ jobs:
runs-on: ubuntu-latest
environment:
name: development
+ permissions:
+ id-token: write
+
steps:
- uses: actions/checkout@v4
@@ -42,11 +45,15 @@ jobs:
with:
environment: development
docker_image: ${{ steps.image.outputs.tag }}
- azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+ azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
- uses: ./.github/workflows/actions/smoke-test
id: smoke-test
with:
environment: development
- azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
+ azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/Makefile b/Makefile
index fe6f0ccc..0b600a5c 100644
--- a/Makefile
+++ b/Makefile
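Review bot: The step this hunk rewires, and the Terraform step after it, are guarded by `if: ${{ env.TF_STATE_EXISTS }} == 'true'`, and that form is known not to do what it looks like: the `${{ }}` is expanded first, leaving the literal string `true == 'true'` (or ` == 'true'` when unset), and a non-empty string is truthy, so both steps run whether or not state exists. The condition is on context lines, so it predates this commit, but since the step is being changed anyway it is the moment to fix it: `if: env.TF_STATE_EXISTS == 'true'` (or `${{ env.TF_STATE_EXISTS == 'true' }}`) on both steps. The kubelogin helper is also consumed from the mutable `@master` ref; pinning it to a tag or commit SHA would make the OIDC-to-kubeconfig path reproducible.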
@@ -183,7 +183,7 @@ production-cluster:
get-cluster-credentials: set-azure-account ## make get-cluster-credentials [ENVIRONMENT=]
az aks get-credentials --overwrite-existing -g ${CLUSTER_RESOURCE_GROUP_NAME} -n ${CLUSTER_NAME}
- kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)
+ kubelogin convert-kubeconfig -l $(if ${AAD_LOGIN_METHOD},${AAD_LOGIN_METHOD},azurecli)
console: get-cluster-credentials
kubectl -n tra-${DEPLOY_ENV} exec -ti --tty deployment/find-a-lost-trn-${DEPLOY_ENV} -- /bin/sh -c 'cd /app && /usr/local/bin/bundle exec rails c'
diff --git a/terraform/aks/provider.tf b/terraform/aks/provider.tf
index 86ae23b6..4da53b7a 100644
--- a/terraform/aks/provider.tf
+++ b/terraform/aks/provider.tf
@@ -6,17 +6,12 @@ provider "azurerm" {
provider "kubernetes" {
host = module.cluster_data.kubernetes_host
- client_certificate = module.cluster_data.kubernetes_client_certificate
- client_key = module.cluster_data.kubernetes_client_key
cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate
- dynamic "exec" {
- for_each = module.cluster_data.azure_RBAC_enabled ? [1] : []
- content {
- api_version = "client.authentication.k8s.io/v1beta1"
- command = "kubelogin"
- args = module.cluster_data.kubelogin_args
- }
+ exec {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "kubelogin"
+ args = module.cluster_data.kubelogin_args
}
}
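Review bot: The fallback in `$(if ${AAD_LOGIN_METHOD},${AAD_LOGIN_METHOD},azurecli)` is silent: the old expression chose `spn` whenever `GITHUB_ACTIONS` was set, whereas a CI run that reaches this recipe without `AAD_LOGIN_METHOD` exported now quietly uses `azurecli`, which only works if `az login` has already happened in that job. Nothing in this diff shows who exports AAD_LOGIN_METHOD (presumably the set-kubelogin-environment action), so a comment above the recipe would save the next reader the hunt: `# AAD_LOGIN_METHOD is exported by set-kubelogin-environment in CI (OIDC); local runs fall back to azurecli`. The `get-cluster-credentials` recipe is wholly inside the hunk.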
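Review bot: Making the `exec { command = "kubelogin" }` block unconditional discards the `azure_RBAC_enabled` switch, so a workspace whose cluster still uses local accounts will now fail at plan time rather than fall back to the certificate; that is acceptable if every cluster has Azure AD RBAC, but the assumption is no longer encoded anywhere and deserves a comment on the block, e.g. `# All clusters use Azure AD RBAC; kubelogin args are supplied by the cluster_data module`. Dropping `client_certificate`/`client_key` is the right direction — it stops a cluster-admin certificate being pulled into Terraform state — and is worth stating in the commit message so the motivation survives. `provider "azurerm"` opens before this hunk, so whether it is configured for the OIDC flow cannot be checked here.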