Merge pull request #86 from DFE-Digital/937-enable-azure-rbac-deployment

[937] Enable Azure RBAC authentication to AKS

.github/actions/deploy-environment-to-aks/action.yml

@@ -32,7 +32,7 @@ runs:
         terraform_version: 1.5.4
         terraform_wrapper: false
 
-    - uses: DFE-Digital/github-actions/set-arm-environment-variables@master
+    - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
       with:
         azure-credentials: ${{ inputs.azure-credentials }}
 
@@ -43,7 +43,6 @@ runs:
         make ci ${{ inputs.environment }} terraform-apply
         cd terraform/application && echo "url=$(terraform output -raw url)" >> $GITHUB_OUTPUT
       env:
-        TF_VAR_azure_sp_credentials_json: ${{ inputs.azure-credentials }}
         TF_VAR_statuscake_api_token: ${{ inputs.statuscake-api-token }}
         DOCKER_IMAGE: ${{ inputs.docker-image }}
         PULL_REQUEST_NUMBER: ${{ inputs.pull-request-number }}
@@ -56,6 +55,7 @@ runs:
       if: ${{ inputs.pull-request-number != '' }}
       shell: bash
       run: |
-        az aks get-credentials --resource-group s189t01-tsc-ts-rg --name s189t01-tsc-test-aks
+        make ci review get-cluster-credentials
         kubectl exec -n cpd-development deployment/cpd-tsh-review-${{ inputs.pull-request-number }} -- sh -c "cd /app && /usr/local/bin/bundle exec rails db:seed"
-
+      env:
+        PULL_REQUEST_NUMBER: ${{ inputs.pull-request-number }}

.github/workflows/aks_destroy_review.yml

@@ -30,15 +30,15 @@ jobs:
 
           echo "TF_STATE_FILE=$state_file_name" >> $GITHUB_ENV
 
-          state_file_status=$(az storage blob list -c cpdecf-tfstate \
-            --account-name "s189t01cpdecftfstatervsa" \
+          state_file_status=$(az storage blob list -c terraform-state \
+            --account-name "s189t01cpdtshrvtfsa" \
             --prefix $state_file_name --query "[].name" -o tsv)
 
           if [ -n "$state_file_status" ]; then
             echo "TF_STATE_EXISTS=true" >> $GITHUB_ENV
           fi
 
-      - uses: DFE-Digital/github-actions/set-arm-environment-variables@master
+      - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
         if: env.TF_STATE_EXISTS == 'true'
         with:
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
@@ -49,13 +49,12 @@ jobs:
         shell: bash
         run: make ci review terraform-destroy
         env:
-          TF_VAR_azure_sp_credentials_json: ${{ secrets.AZURE_CREDENTIALS }}
           TF_VAR_statuscake_api_token: ${{ secrets.STATUSCAKE_API_TOKEN }}
           DOCKER_IMAGE: "ghcr.io/dfe-digital/early-careers-framework:no-tag"
           PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
 
       - name: Delete Terraform state file
         if: env.TF_STATE_EXISTS == 'true'
         run: |
-          az storage blob delete -c cpdecf-tfstate --name ${{ env.TF_STATE_FILE }} \
-            --account-name "s189t01cpdecftfstatervsa"
+          az storage blob delete -c terraform-state --name ${{ env.TF_STATE_FILE }} \
+            --account-name "s189t01cpdtshrvtfsa"

Makefile

@@ -2,7 +2,7 @@ TERRAFILE_VERSION=0.8
 ARM_TEMPLATE_TAG=1.1.10
 RG_TAGS={"Product" : "Find a teaching school hub"}
 REGION=UK South
-SERVICE_NAME=teaching-school-hub-finder
+SERVICE_NAME=cpd-tsh
 SERVICE_SHORT=cpdtsh
 
 help:
@@ -74,6 +74,9 @@ terraform-plan: terraform-init
 terraform-apply: terraform-init
 	terraform -chdir=terraform/application apply -var-file "config/${CONFIG}.tfvars.json" ${AUTO_APPROVE}
 
+terraform-destroy: terraform-init
+	terraform -chdir=terraform/application destroy -var-file "config/${CONFIG}.tfvars.json" ${AUTO_APPROVE}
+
 set-what-if:
 	$(eval WHAT_IF=--what-if)
 
@@ -132,6 +135,7 @@ production-cluster:
 
 get-cluster-credentials: set-azure-account
 	az aks get-credentials --overwrite-existing -g ${CLUSTER_RESOURCE_GROUP_NAME} -n ${CLUSTER_NAME}
+	kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)
 
 aks-console: get-cluster-credentials
 	$(if $(PULL_REQUEST_NUMBER), $(eval export APP_ID=review-$(PULL_REQUEST_NUMBER)) , $(eval export APP_ID=$(CONFIG_LONG)))

terraform/application/application.tf

@@ -1,20 +1,18 @@
 locals {
   environment  = "${var.environment}${var.app_suffix}"
-  service_name = "cpd-tsh"
   domain       = var.environment == "review" ? "cpd-tsh-${local.environment}-web.test.teacherservices.cloud" : var.domain
 }
 
 module "application_configuration" {
   source = "./vendor/modules/aks//aks/application_configuration"
 
   namespace              = var.namespace
-  environment           = local.environment
+  environment            = local.environment
   azure_resource_prefix  = var.azure_resource_prefix
   service_short          = var.service_short
   config_short           = var.config_short
   secret_key_vault_short = "app"
 
-  # Delete for non rails apps
   is_rails_application = true
 
   config_variables = {
@@ -37,7 +35,7 @@ module "web_application" {
 
   namespace    = var.namespace
   environment  = local.environment
-  service_name = local.service_name
+  service_name = var.service_name
 
   cluster_configuration_map  = module.cluster_data.configuration_map
   kubernetes_config_map_name = module.application_configuration.kubernetes_config_map_name

terraform/application/config/review.tfvars.json

@@ -3,6 +3,5 @@
     "namespace": "cpd-development",
     "environment": "review",
     "deploy_azure_backing_services": false,
-    "enable_postgres_ssl" : false,
-    "command": ["/bin/sh", "-c", "bundle exec rails db:environment:set RAILS_ENV=review && RAILS_ENV=review bundle exec rails db:schema:load && RAILS_ENV=review bundle exec rails db:seed && bundle exec rails server -b 0.0.0.0"]
+    "enable_postgres_ssl" : false
 }

terraform/application/database.tf

@@ -4,7 +4,7 @@ module "postgres" {
   namespace                   = var.namespace
   environment                 = local.environment
   azure_resource_prefix       = var.azure_resource_prefix
-  service_name                = local.service_name
+  service_name                = var.service_name
   service_short               = var.service_short
   config_short                = var.config_short
   cluster_configuration_map   = module.cluster_data.configuration_map
@@ -25,7 +25,7 @@ module "redis-cache" {
   azure_resource_prefix     = var.azure_resource_prefix
   service_short             = var.service_short
   config_short              = var.config_short
-  service_name              = local.service_name
+  service_name              = var.service_name
   cluster_configuration_map = module.cluster_data.configuration_map
   use_azure                 = var.deploy_azure_backing_services
   azure_enable_monitoring   = var.enable_monitoring

terraform/application/terraform.tf

@@ -23,15 +23,20 @@ provider "azurerm" {
   features {}
 
   skip_provider_registration = true
-  subscription_id            = try(local.azure_credentials.subscriptionId, null)
-  client_id                  = try(local.azure_credentials.clientId, null)
-  client_secret              = try(local.azure_credentials.clientSecret, null)
-  tenant_id                  = try(local.azure_credentials.tenantId, null)
 }
 
 provider "kubernetes" {
   host                   = module.cluster_data.kubernetes_host
   client_certificate     = module.cluster_data.kubernetes_client_certificate
   client_key             = module.cluster_data.kubernetes_client_key
   cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate
+
+  dynamic "exec" {
+    for_each = module.cluster_data.azure_RBAC_enabled ? [1] : []
+    content {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "kubelogin"
+      args        = module.cluster_data.kubelogin_args
+    }
+  }
 }

terraform/application/variables.tf

@@ -7,10 +7,6 @@ variable "namespace" {
 variable "environment" {
   description = "Name of the deployed environment in AKS"
 }
-variable "azure_credentials_json" {
-  default     = null
-  description = "JSON containing the service principal authentication key when running in automation"
-}
 variable "azure_resource_prefix" {
   description = "Standard resource prefix. Usually s189t01 (test) or s189p01 (production)"
 }
@@ -62,7 +58,5 @@ variable "app_suffix" {
 }
 
 locals {
-  azure_credentials = try(jsondecode(var.azure_credentials_json), null)
-
   postgres_ssl_mode = var.enable_postgres_ssl ? "require" : "disable"
 }