ER-790: Terraform Authentication (#814)

* ER-790: Autoscaling rules * ER-790: Seed Development database * ER-790: Global Firewall Rule * ER-790: Generate Terraform variables * ER-790: Lowercase variables * ER-790: Typo * ER-790: Lowercase variable keys * ER-790: Rollback changes * ER-790: Missing Terraform variable * ER-790: Set last working Terraform versions * ER-370: Explicit OIDC URL and token * ER-790: Fix variable * ER-790: Formatting --------- Co-authored-by: Sunny Sidhu <[email protected]>
DFE-Digital · Sep 6, 2023 · 4872f3b · 4872f3b
1 parent ac826f7
commit 4872f3b
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 44 deletions.
diff --git a/.github/workflows/tf-azure-deploy.yml b/.github/workflows/tf-azure-deploy.yml
@@ -32,47 +32,8 @@ env:
   ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
   ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
   ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-  TF_VAR_environment: ${{ vars.ENVIRONMENT }}
-  TF_VAR_resource_name_prefix: ${{ vars.RESOURCE_NAME_PREFIX }}
-  TF_VAR_admin_email_address: ${{ vars.ADMIN_EMAIL_ADDRESS }}
-  TF_VAR_kv_certificate_authority_username: ${{ secrets.KV_CERTIFICATE_AUTHORITY_USERNAME }}
-  TF_VAR_kv_certificate_authority_password: ${{ secrets.KV_CERTIFICATE_AUTHORITY_PASSWORD }}
-  TF_VAR_kv_certificate_authority_admin_first_name: ${{ secrets.KV_CERTIFICATE_AUTHORITY_ADMIN_FIRST_NAME }}
-  TF_VAR_kv_certificate_authority_admin_last_name: ${{ secrets.KV_CERTIFICATE_AUTHORITY_ADMIN_LAST_NAME }}
-  TF_VAR_kv_certificate_authority_admin_phone_no: ${{ secrets.KV_CERTIFICATE_AUTHORITY_ADMIN_PHONE_NO }}
-  TF_VAR_kv_certificate_label: ${{ vars.KV_CERTIFICATE_LABEL }}
-  TF_VAR_kv_certificate_subject: ${{ vars.KV_CERTIFICATE_SUBJECT }}
-  TF_VAR_psqlfs_sku: ${{ vars.PSQLFS_SKU }}
-  TF_VAR_psqlfs_storage: ${{ vars.PSQLFS_STORAGE }}
-  TF_VAR_psqlfs_username: ${{ secrets.PSQLFS_USERNAME }}
-  TF_VAR_psqlfs_password: ${{ secrets.PSQLFS_PASSWORD }}
-  TF_VAR_psqlfs_geo_redundant_backup: ${{ vars.PSQLFS_GEO_REDUNDANT_BACKUP }}
-  TF_VAR_psqlfs_ha_enabled: ${{ vars.PSQLFS_HA_ENABLED }}
-  TF_VAR_asp_sku: ${{ vars.ASP_SKU }}
-  TF_VAR_webapp_worker_count: ${{ vars.WEBAPP_WORKER_COUNT }}
-  TF_VAR_webapp_name: ${{ vars.WEBAPP_NAME }}
-  TF_VAR_workerapp_name: ${{ vars.WORKERAPP_NAME }}
-  TF_VAR_reviewapp_name: ${{ vars.REVIEWAPP_NAME }}
-  TF_VAR_webapp_database_url: ${{ secrets.WEBAPP_DATABASE_URL }}
-  TF_VAR_webapp_docker_registry_url: https://ghcr.io
-  TF_VAR_webapp_docker_image: dfe-digital/early-years-foundation-recovery
-  TF_VAR_webapp_docker_image_tag: latest
-  TF_VAR_custom_domain_name: ${{ vars.CUSTOM_DOMAIN_NAME }}
-  TF_VAR_webapp_config_bot_token: ${{ secrets.WEBAPP_CONFIG_BOT_TOKEN }}
-  TF_VAR_webapp_config_contentful_environment: ${{ vars.WEBAPP_CONFIG_CONTENTFUL_ENVIRONMENT }}
-  TF_VAR_webapp_config_contentful_preview: ${{ vars.WEBAPP_CONFIG_CONTENTFUL_PREVIEW }}
-  TF_VAR_webapp_config_domain: ${{ vars.WEBAPP_CONFIG_DOMAIN }}
-  TF_VAR_webapp_config_editor: ${{ vars.WEBAPP_CONFIG_EDITOR }}
-  TF_VAR_webapp_config_feedback_url: ${{ vars.WEBAPP_CONFIG_FEEDBACK_URL }}
-  TF_VAR_webapp_config_grover_no_sandbox: ${{ vars.WEBAPP_CONFIG_GROVER_NO_SANDBOX }}
-  TF_VAR_webapp_config_google_cloud_bucket: ${{ vars.WEBAPP_CONFIG_GOOGLE_CLOUD_BUCKET }}
-  TF_VAR_webapp_config_node_env: ${{ vars.WEBAPP_CONFIG_NODE_ENV }}
-  TF_VAR_webapp_config_rails_env: ${{ vars.WEBAPP_CONFIG_RAILS_ENV }}
-  TF_VAR_webapp_config_rails_log_to_stdout: ${{ vars.WEBAPP_CONFIG_RAILS_LOG_TO_STDOUT }}
-  TF_VAR_webapp_config_rails_master_key: ${{ secrets.WEBAPP_CONFIG_RAILS_MASTER_KEY }}
-  TF_VAR_webapp_config_rails_max_threads: ${{ vars.WEBAPP_CONFIG_RAILS_MAX_THREADS }}
-  TF_VAR_webapp_config_rails_serve_static_files: ${{ vars.WEBAPP_CONFIG_RAILS_SERVE_STATIC_FILES }}
-  TF_VAR_webapp_config_web_concurrency: ${{ vars.WEBAPP_CONFIG_WEB_CONCURRENCY }}
+  TF_VAR_oidc_request_token: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }}
+  TF_VAR_oidc_request_url: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }}
 
 jobs:
   terraform-plan:
@@ -91,7 +52,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v2
         with:
-          terraform_version: 1.5.5
+          terraform_version: 1.5.6
           terraform_wrapper: false
 
       # Initialise a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
@@ -108,6 +69,18 @@ jobs:
       - name: Terraform Format
         run: terraform fmt -check
 
+      # Generates Terraform input variables
+      - name: Generate Terraform Variables
+        shell: bash
+        env:
+          WEB_SECRETS: ${{ toJSON(secrets) }}
+          WEB_VARS: ${{ toJSON(vars) }}
+        run: |
+          printf '%s\n' "$WEB_SECRETS" > tmp-secrets.json
+          printf '%s\n' "$WEB_VARS" > tmp-vars.json
+          jq 'with_entries(.key |= ascii_downcase)' tmp-secrets.json > web-secrets.auto.tfvars.json
+          jq 'with_entries(.key |= ascii_downcase)' tmp-vars.json > web-vars.auto.tfvars.json
+
       # Generates an execution plan for Terraform
       # An exit code of 0 indicated no changes, 1 a terraform failure, 2 there are pending changes.
       - name: Terraform Plan
@@ -181,6 +154,18 @@ jobs:
           -backend-config="container_name=${{ secrets.TERRAFORM_STATE_STORAGE_CONTAINER_NAME }}"
           -backend-config="key=${{ secrets.TERRAFORM_STATE_KEY }}"
 
+      # Generates Terraform input variables
+      - name: Generate Terraform Variables
+        shell: bash
+        env:
+          WEB_SECRETS: ${{ toJSON(secrets) }}
+          WEB_VARS: ${{ toJSON(vars) }}
+        run: |
+          printf '%s\n' "$WEB_SECRETS" > tmp-secrets.json
+          printf '%s\n' "$WEB_VARS" > tmp-vars.json
+          jq 'with_entries(.key |= ascii_downcase)' tmp-secrets.json > web-secrets.auto.tfvars.json
+          jq 'with_entries(.key |= ascii_downcase)' tmp-vars.json > web-vars.auto.tfvars.json
+
       # Download saved plan from artifacts
       - name: Download Terraform Plan
         uses: actions/download-artifact@v3

diff --git a/terraform-azure/main.tf b/terraform-azure/main.tf
@@ -1,5 +1,7 @@
 provider "azurerm" {
-  use_oidc = true
+  use_oidc           = true
+  oidc_request_token = var.oidc_request_token
+  oidc_request_url   = var.oidc_request_url
 
   features {
     resource_group {

diff --git a/terraform-azure/terraform.tf b/terraform-azure/terraform.tf
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "= 3.69.0"
+      version = "= 3.71.0"
     }
   }
 

diff --git a/terraform-azure/variables.tf b/terraform-azure/variables.tf
@@ -1,3 +1,6 @@
+variable "oidc_request_token" {}
+variable "oidc_request_url" {}
+
 variable "azure_region" {
   default     = "westeurope"
   description = "Name of the Azure region to deploy resources"