diff --git a/.github/workflows/actions/database-backup/action.yml b/.github/workflows/actions/database-backup/action.yml
index 63cc4026..0ed68283 100644
--- a/.github/workflows/actions/database-backup/action.yml
+++ b/.github/workflows/actions/database-backup/action.yml
@@ -102,10 +102,14 @@ runs:
 - uses: azure/setup-kubectl@v3
+ - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+ with:
+ azure-credentials: ${{ inputs.azure_credentials }}
+
 - name: K8 setup
 shell: bash
 run: |
- az aks get-credentials -g ${{ env.cluster_rg }} -n ${{ env.cluster_name }}
+ make ${{ inputs.environment }} get-cluster-credentials
 make bin/konduit.sh
 - name: Setup postgres client
diff --git a/.github/workflows/actions/deploy/action.yml b/.github/workflows/actions/deploy/action.yml
index b0227997..79a9a215 100644
--- a/.github/workflows/actions/deploy/action.yml
+++ b/.github/workflows/actions/deploy/action.yml
@@ -10,8 +10,6 @@ inputs:
 azure-credentials:
 description: Credentials for azure
 required: true
- arm-access-key:
- required: true
 pr-id:
 description: PR number for the review app
 required: false
@@ -57,11 +55,14 @@ runs:
 with:
 creds: ${{ inputs.azure-credentials }}
+ - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+ with:
+ azure-credentials: ${{ inputs.azure_credentials }}
+
 - name: Terraform init, plan & apply
 shell: bash
 run: make ci ${{ inputs.environment }} terraform-apply
 env:
- ARM_ACCESS_KEY: ${{ inputs.arm-access-key }}
 DOCKER_IMAGE: ${{ inputs.docker_image }}
 pr_id: ${{ inputs.pr-id }}
 TF_VAR_azure_credentials: ${{ inputs.azure-credentials }}
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
index abb0372a..bca2b824 100644
--- a/.github/workflows/build-and-deploy.yml
+++ b/.github/workflows/build-and-deploy.yml
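Review bot: The new set-kubelogin-environment step's `azure-credentials: ${{ inputs.azure_credentials }}` line uses an underscore, and the same spelling is used in deploy/action.yml in this commit, where the action's input is declared as `azure-credentials` (the azure/login step there reads `inputs.azure-credentials`); an input name that does not exist is not a syntax error and generally expands to an empty string, so kubelogin would be configured with no credential and the failure would only surface later when kubectl talks to the cluster. In deploy/action.yml change the line to `azure-credentials: ${{ inputs.azure-credentials }}`. This action's `inputs:` block is outside the hunk, so confirm here whether it really declares `azure_credentials` and an `environment` input, both of which the new lines depend on (`make ${{ inputs.environment }} get-cluster-credentials`, replacing the old `env.cluster_rg`/`env.cluster_name`-based command). The `runs:` step list continues on both sides of the hunk.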
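Review bot: With `ARM_ACCESS_KEY` dropped from the terraform-apply step's env in deploy/action.yml, nothing in this hunk says how the azurerm state backend now authenticates to the tfstate storage account; the backend block is not in the diff, so confirm it sets `use_azuread_auth = true` (or the equivalent) and that the identity logged in by the azure/login step holds a data-plane role on the state container, otherwise `make ci … terraform-apply` fails at init. A one-line comment above the step, e.g. `# State backend authenticates with the azure/login identity; no storage account key is passed`, would make that dependency explicit. Note also that `TF_VAR_azure_credentials` is still passed here while `azure_sp_credentials_json` is removed from variables.tf in this commit — if no variable named `azure_credentials` remains on the Terraform side, that env entry is now dead and should go too.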
@@ -50,7 +50,6 @@ jobs:
 environment: review
 docker_image: ${{ needs.docker.outputs.docker_image }}
 azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
- arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
 pr-id: ${{ github.event.pull_request.number }}
 - name: Post sticky pull request comment
@@ -84,7 +83,6 @@ jobs:
 environment: ${{ matrix.environment }}
 docker_image: ${{ needs.docker.outputs.docker_image }}
 azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
- arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
 - uses: ./.github/workflows/actions/smoke-test
 id: smoke-test
 with:
@@ -112,4 +110,3 @@ jobs:
 environment: production
 docker_image: ${{ needs.docker.outputs.docker_image }}
 azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
- arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
diff --git a/.github/workflows/delete-review-app.yml b/.github/workflows/delete-review-app.yml
index 42a7bf1c..6772e99e 100644
--- a/.github/workflows/delete-review-app.yml
+++ b/.github/workflows/delete-review-app.yml
@@ -66,8 +66,6 @@ jobs:
 run: |
 make ci review terraform-destroy
 env:
- ARM_ACCESS_KEY: ${{ steps.get_secrets.outputs.TFSTATE-CONTAINER-ACCESS-KEY }}
- TF_VAR_azure_sp_credentials_json: ${{ secrets.azure_credentials }}
 TF_VAR_flt_docker_image: "ghcr.io/dfe-digital/find-a-lost-trn:no-tag"
 pr_id: ${{ github.event.pull_request.number }}
 shell: bash
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index c98a9a32..54576552 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -43,7 +43,6 @@ jobs:
 environment: development
 docker_image: ${{ steps.image.outputs.tag }}
 azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
- arm-access-key: ${{ secrets.ARM_ACCESS_KEY }}
 - uses: ./.github/workflows/actions/smoke-test
 id: smoke-test
diff --git a/Makefile b/Makefile
index 34e88915..0abbc334 100644
--- a/Makefile
+++ b/Makefile
@@ -195,6 +195,7 @@ domains-infra-apply: domains-infra-init ## terraform apply for dns core resource
 get-cluster-credentials: set-azure-account ## make get-cluster-credentials [ENVIRONMENT=]
 az aks get-credentials --overwrite-existing -g ${RESOURCE_GROUP_NAME} -n ${RESOURCE_PREFIX}-tsc-${ENVIRONMENT}${CLONE_STRING}-aks
+ kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)
 ######################################
diff --git a/terraform/aks/.terraform.lock.hcl b/terraform/aks/.terraform.lock.hcl
index 37b79d5e..5c48cae3 100644
--- a/terraform/aks/.terraform.lock.hcl
+++ b/terraform/aks/.terraform.lock.hcl
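Review bot: The added `kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)` line picks the login mode from an environment variable with no explanation, and in `spn` mode kubelogin resolves the service principal at kubectl time from `AAD_SERVICE_PRINCIPAL_CLIENT_ID`/`AAD_SERVICE_PRINCIPAL_CLIENT_SECRET` rather than from the kubeconfig; nothing in the Makefile sets those, so presumably the set-kubelogin-environment step added to the two composite actions does, and any workflow that calls this target without that step ends up with a kubeconfig that cannot authenticate. A comment above the line would make that contract visible, e.g. `# CI (GITHUB_ACTIONS set): SPN login, credentials come from AAD_SERVICE_PRINCIPAL_* env vars set by set-kubelogin-environment; locally: reuse the az CLI login`. The recipe also assumes `kubelogin` is on PATH — the actions install kubectl via azure/setup-kubectl but no kubelogin install is visible in the diff, so it is worth confirming where it comes from. The `get-cluster-credentials` recipe is shown in full; the surrounding targets are outside the hunk.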
@@ -1,6 +1,29 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
+provider "registry.terraform.io/eppo/environment" {
+ version = "1.3.5"
+ constraints = "1.3.5"
+ hashes = [
+ "h1:1Af95/IhzW16rbX8kSApfrAi8vwc5+7uVbCeyVaGw2E=",
+ "zh:00e7a6bf7f0f09cc4871d7f4fee2c943ce61c05b9802365a97703d6c2e63e3dc",
+ "zh:018d92e621177d053ed5c32e8220efa8c019852c4d60cc7539683bac28470d9b",
+ "zh:12ca5162286b80b7f46bd013ae2007641132d201af12bc6adb872f9a0ff85b7a",
+ "zh:2991085432bd4dc718aadfb37b2cdb6201ef73a8a0e5661411f46d9ec782e678",
+ "zh:2a8f6801266f89b816ebfdb441411e53f4cf1e0278e853715fb561946ad5a575",
+ "zh:8783a8dc846d3e71b38ca470066f506dde8040f149402f0d348e5dca7f012909",
+ "zh:8bc8f61e496e96c81c46e1aa59bf2155b6acc80db1ea462f2ddd665748fcda7f",
+ "zh:95fb102fecceb3a5b44dbe9fbe262494a0abdb6805addf1286c5d92cd4b0f779",
+ "zh:a158837ec561c161d3c47068e30bca341e5e4c7abff7fa72b9522438b85af4ac",
+ "zh:a738a7b2e953ee8059f9e68d48ae954175d001a5480f29e22d717bee9fd93f7f",
+ "zh:bac4b3a38eed35c91269cd008ad88862f47be99474de85e9a2efcce6564e0c24",
+ "zh:cd56a12eef3515fa5a5845d550be2f67989c8e65563e8fa9f5060666c0728a7c",
+ "zh:e3e895bc8b557b36bfa03f251df429aa0fba068f4c7ef0ed6ac551b7cba9ff86",
+ "zh:e959a9e826e3c33242bf4492ee12e5f8be023cf2461702c43d1833c4a8516232",
+ "zh:f41d9d60b205e6d536881e4af7bb9fc85ae90858bfddf695f95fbd68e01e0ad3",
+ ]
+}
+
 provider "registry.terraform.io/hashicorp/azurerm" {
 version = "3.64.0"
 constraints = "3.64.0"
@@ -44,22 +67,21 @@ provider "registry.terraform.io/hashicorp/kubernetes" {
 }
 provider "registry.terraform.io/hashicorp/random" {
- version = "3.5.1"
+ version = "3.6.0"
 hashes = [
- "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=",
- "h1:sZ7MTSD4FLekNN2wSNFGpM+5slfvpm5A/NLVZiB7CO0=",
- "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
- "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
- "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
- "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
- "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+ "h1:p6WG1IPHnqx1fnJVKNjv733FBaArIugqy58HRZnpPCk=",
+ "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d",
+ "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211",
+ "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829",
+ "zh:30ffb297ffd1633175d6545d37c2217e2cef9545a6e03946e514c59c0859b77d",
+ "zh:454ce4b3dbc73e6775f2f6605d45cee6e16c3872a2e66a2c97993d6e5cbd7055",
 "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
- "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
- "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
- "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
- "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
- "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
- "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
+ "zh:91df0a9fab329aff2ff4cf26797592eb7a3a90b4a0c04d64ce186654e0cc6e17",
+ "zh:aa57384b85622a9f7bfb5d4512ca88e61f22a9cea9f30febaa4c98c68ff0dc21",
+ "zh:c4a3e329ba786ffb6f2b694e1fd41d413a7010f3a53c20b432325a94fa71e839",
+ "zh:e2699bc9116447f96c53d55f2a00570f982e6f9935038c3810603572693712d0",
+ "zh:e747c0fd5d7684e5bfad8aa0ca441903f15ae7a98a737ff6aca24ba223207e2c",
+ "zh:f1ca75f417ce490368f047b63ec09fd003711ae48487fba90b4aba2ccf71920e",
 ]
 }
diff --git a/terraform/aks/provider.tf b/terraform/aks/provider.tf
index 39dc6d07..86ae23b6 100644
--- a/terraform/aks/provider.tf
+++ b/terraform/aks/provider.tf
@@ -1,12 +1,4 @@
-locals {
- azure_credentials = try(jsondecode(var.azure_sp_credentials_json), null)
-}
-
 provider "azurerm" {
- subscription_id = try(local.azure_credentials.subscriptionId, null)
- client_id = try(local.azure_credentials.clientId, null)
- client_secret = try(local.azure_credentials.clientSecret, null)
- tenant_id = try(local.azure_credentials.tenantId, null)
 skip_provider_registration = true
 features {}
@@ -17,6 +9,15 @@ provider "kubernetes" {
 client_certificate = module.cluster_data.kubernetes_client_certificate
 client_key = module.cluster_data.kubernetes_client_key
 cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate
+
+ dynamic "exec" {
+ for_each = module.cluster_data.azure_RBAC_enabled ? [1] : []
+ content {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "kubelogin"
+ args = module.cluster_data.kubelogin_args
+ }
+ }
 }
 provider "statuscake" {
diff --git a/terraform/aks/variables.tf b/terraform/aks/variables.tf
index 326fbea3..ce875218 100644
--- a/terraform/aks/variables.tf
+++ b/terraform/aks/variables.tf
@@ -19,11 +19,6 @@ variable "azure_resource_prefix" {
 description = "Standard resource prefix. Usually s189t01 (test) or s189p01 (production)"
 }
-variable "azure_sp_credentials_json" {
- type = string
- default = null
-}
-
 variable "cluster" {
 type = string
 description = "AKS cluster where this app is deployed. Either 'test' or 'production'"
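Review bot: In the provider.tf hunk that adds `dynamic "exec"`, the `client_certificate`/`client_key` arguments above it stay set unconditionally, so on a cluster where `azure_RBAC_enabled` is true the kubernetes provider is given both a client certificate and an exec plugin, and which one wins is not obvious from this file; if the cluster_data module returns empty values for the certificate outputs on RBAC clusters that is fine, but a comment on the block stating the intended precedence would spare the next reader a guess, e.g. `# On Azure-RBAC clusters the cert outputs are empty and kubelogin supplies the token; on legacy clusters the exec block is absent`. Also check that `module.cluster_data.kubelogin_args` never carries the client secret inline (`--client-secret`): exec args are recorded in the plan output and state in clear text, so the secret should come from the `AAD_SERVICE_PRINCIPAL_*` environment variables the CI step provides and the args should be limited to login mode, server id and tenant. The `provider "kubernetes"` block starts before the hunk.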