Update schools experience workflows to use ga wif

DFE-Digital · Feb 18, 2025 · b873fd7 · b873fd7
1 parent afab2aa
commit b873fd7
Show file tree

Hide file tree

Showing 14 changed files with 123 additions and 35 deletions.
diff --git a/.github/workflows/actions/database-backup/action.yml b/.github/workflows/actions/database-backup/action.yml
@@ -5,8 +5,14 @@ inputs:
   environment:
     description: "The name of the environment"
     required: true
-  azure_credentials:
-    description: "JSON object containing a service principal that can read from Azure Key Vault"
+  azure-client-id:
+    description: Managed identity client ID
+    required: true
+  azure-subscription-id:
+    description: Azure subscription ID
+    required: true
+  azure-tenant-id:
+    description: Azure tenant ID
     required: true
 
 runs:
@@ -33,7 +39,9 @@ runs:
 
   - uses: Azure/login@v2
     with:
-      creds: ${{ inputs.azure_credentials }}
+      client-id: ${{ inputs.azure-client-id }}
+      tenant-id: ${{ inputs.azure-tenant-id }}
+      subscription-id: ${{ inputs.azure-subscription-id }}
 
   - name: Fetch slack token
     uses: azure/CLI@v2
@@ -49,7 +57,9 @@ runs:
 
   - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
     with:
-       azure-credentials: ${{ inputs.azure_credentials }}
+       azure-client-id: ${{ inputs.azure-client-id }}
+       azure-tenant-id: ${{ inputs.azure-tenant-id }}
+       azure-subscription-id: ${{ inputs.azure-subscription-id }}
 
   - name: Set environment variables
     shell: bash

diff --git a/.github/workflows/actions/deploy/action.yml b/.github/workflows/actions/deploy/action.yml
@@ -7,8 +7,14 @@ inputs:
   sha:
     description: Commit sha to be deployed
     required: true
-  azure-credentials:
-    description: Credentials for azure
+  azure-client-id:
+    description: Managed identity client ID
+    required: true
+  azure-subscription-id:
+    description: Azure subscription ID
+    required: true
+  azure-tenant-id:
+    description: Azure tenant ID
     required: true
   pr:
     description: Pull Request Reference
@@ -73,7 +79,9 @@ runs:
 
     - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
       with:
-        azure-credentials: ${{ inputs.azure-credentials }}
+        azure-client-id: ${{ inputs.azure-client-id }}
+        azure-tenant-id: ${{ inputs.azure-tenant-id }}
+        azure-subscription-id: ${{ inputs.azure-subscription-id }}
 
     - name: Get Short SHA
       id: sha

diff --git a/.github/workflows/build-no-cache.yml b/.github/workflows/build-no-cache.yml
@@ -5,9 +5,15 @@ on:
   schedule:
     - cron: '0 12 * * 0'
 
+permissions:
+  contents: write
+  packages: write
+  id-token: write
+
 jobs:
   build:
     name: Build
+    environment: review
     runs-on: ubuntu-latest
 
     steps:
@@ -19,7 +25,9 @@ jobs:
 
       - uses: Azure/login@v2
         with:
-          creds: ${{ secrets.GSE_REPO_AZ_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Fetch synk token from key vault
         uses: azure/CLI@v2

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -24,6 +24,7 @@ env:
 jobs:
   build:
     name: Build
+    environment: review
     runs-on: ubuntu-latest
     outputs:
       DOCKER_IMAGE: ${{ steps.docker.outputs.DOCKER_IMAGE }}
@@ -37,7 +38,9 @@ jobs:
 
       - uses: Azure/login@v2
         with:
-          creds: ${{ secrets.GSE_REPO_AZ_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Fetch slack web hook
         if: failure() && github.ref == 'refs/heads/master'
@@ -154,6 +157,7 @@ jobs:
 
   security_tests:
     name: Security Tests
+    environment: review
     runs-on: ubuntu-latest
     needs: [build]
     steps:
@@ -165,7 +169,9 @@ jobs:
 
       - uses: Azure/login@v2
         with:
-          creds: ${{ secrets.GSE_REPO_AZ_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
@@ -286,6 +292,7 @@ jobs:
 
   sonarcloud:
     name: SonarCloud
+    environment: review
     runs-on: ubuntu-latest
     needs: [selenium_cucumber_tests, cucumber_tests, security_tests, spec_tests]
     steps:
@@ -298,7 +305,9 @@ jobs:
 
       - uses: Azure/login@v2
         with:
-          creds: ${{ secrets.GSE_REPO_AZ_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Download Test Artifacts
         uses: actions/download-artifact@v4
@@ -393,7 +402,9 @@ jobs:
 
       - uses: Azure/login@v2
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Fetch SECURE USERNAME
         uses: azure/CLI@v2
@@ -428,7 +439,9 @@ jobs:
         with:
           environment: ${{matrix.environment}}
           sha: ${{ github.sha }}
-          azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           pr: ${{github.event.number}}
           secure-username: ${{ steps.fetch-username.outputs.SECURE_USERNAME}}
           secure-password: ${{ steps.fetch-password.outputs.SECURE_PASSWORD}}
@@ -495,6 +508,7 @@ jobs:
 
   owasp:
     name: "OWASP Test"
+    environment: review
     runs-on: ubuntu-latest
     needs: [deployments]
     if: github.event_name == 'push' && github.ref == 'refs/heads/master'
@@ -507,7 +521,9 @@ jobs:
 
       - uses: Azure/login@v2
         with:
-          creds: ${{ secrets.GSE_REPO_AZ_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Fetch SECURE USERNAME
         uses: azure/CLI@v2

diff --git a/.github/workflows/db_backup.yml b/.github/workflows/db_backup.yml
@@ -25,6 +25,10 @@ on:
   schedule:
     - cron: "0 1 * * *" # 01:00 UTC
 
+permissions:
+  contents: write
+  id-token: write
+
 env:
   SERVICE_NAME: get-school-experience
   SERVICE_SHORT: gse
@@ -45,13 +49,16 @@ jobs:
 
     - uses: azure/login@v2
       with:
-        creds: ${{ secrets.AZURE_CREDENTIALS }}
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
     - name: Set environment variables
       run: |
         source global_config/${DEPLOY_ENV}.sh
         tf_vars_file=${TF_VARS_PATH}/${DEPLOY_ENV}.tfvars.json
         echo "CLUSTER=$(jq -r '.cluster' ${tf_vars_file})" >> $GITHUB_ENV
+        echo "NAMESPACE=$(jq -r '.namespace' ${tf_vars_file})" >> $GITHUB_ENV
         echo "RESOURCE_GROUP_NAME=${AZURE_RESOURCE_PREFIX}-${SERVICE_SHORT}-${CONFIG_SHORT}-rg" >> $GITHUB_ENV
         echo "STORAGE_ACCOUNT_NAME=${AZURE_RESOURCE_PREFIX}${SERVICE_SHORT}dbbkp${CONFIG_SHORT}sa" >> $GITHUB_ENV
         TODAY=$(date +"%F")
@@ -82,7 +89,10 @@ jobs:
         resource-group: ${{ env.RESOURCE_GROUP_NAME }}
         app-name: get-school-experience-${{ env.DEPLOY_ENV }}
         cluster: ${{ env.CLUSTER }}
-        azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+        namespace: ${{ env.NAMESPACE }}
+        azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         backup-file: ${{ env.BACKUP_FILE }}.sql
         db-server-name: ${{ inputs.db-server }}
         slack-webhook: ${{ steps.key-vault-secrets.outputs.SLACK_WEBHOOK }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -24,6 +24,8 @@ on:
 
 permissions:
   id-token: write
+  contents: write
+
 
 jobs:
   manual:
@@ -44,7 +46,9 @@ jobs:
 
       - uses: Azure/login@v2
         with:
-            creds: ${{ secrets.AZURE_CREDENTIALS }}
+            client-id: ${{ secrets.AZURE_CLIENT_ID }}
+            tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+            subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Fetch SECURE USERNAME
         uses: azure/CLI@v2
@@ -79,7 +83,9 @@ jobs:
         with:
           environment: ${{ github.event.inputs.environment }}
           sha:  ${{ github.event.inputs.docker-image-tag }}
-          azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           pr: ${{ github.event.inputs.pull-request-number }}
           secure-username: ${{ steps.fetch-username.outputs.SECURE_USERNAME}}
           secure-password: ${{ steps.fetch-password.outputs.SECURE_PASSWORD}}

diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml
@@ -6,6 +6,7 @@ on:
 permissions:
   id-token: write
   pull-requests: write
+  contents: write
 
 jobs:
   destroy:
@@ -40,11 +41,16 @@ jobs:
 
       - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
         with:
-          azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
 
       - uses: Azure/login@v2
         with:
-            creds: ${{ secrets.AZURE_CREDENTIALS }}
+            client-id: ${{ secrets.AZURE_CLIENT_ID }}
+            tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+            subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: K8 setup for review apps
         shell: bash

diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
@@ -16,6 +16,10 @@ on:
         - enable
         - disable
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   set-maintenance-mode:
     name: Set maintenance mode
@@ -29,7 +33,10 @@ jobs:
     - name: Enable or disable maintenance mode
       uses: DFE-Digital/github-actions/maintenance@master
       with:
-        azure-credentials: ${{ secrets.AZURE_CREDENTIALS}}
+        azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
         environment: ${{ inputs.environment }}
         mode: ${{ inputs.mode }}
         docker-repository: ghcr.io/dfe-digital/schools-experience-maintenance

diff --git a/.github/workflows/manual.yml b/.github/workflows/manual.yml
@@ -16,6 +16,7 @@ on:
 
 permissions:
   id-token: write
+  contents: write
 
 jobs:
   manual:
@@ -36,7 +37,9 @@ jobs:
 
       - uses: Azure/login@v2
         with:
-            creds: ${{ secrets.AZURE_CREDENTIALS }}
+            client-id: ${{ secrets.AZURE_CLIENT_ID }}
+            tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+            subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Fetch SECURE USERNAME
         uses: azure/CLI@v2
@@ -84,7 +87,9 @@ jobs:
         with:
           environment: ${{ github.event.inputs.environment }}
           sha:  ${{ steps.tag_id.outputs.release_sha }}
-          azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           pr: ${{github.event.inputs.pr}}
           secure-username: ${{ steps.fetch-username.outputs.SECURE_USERNAME}}
           secure-password: ${{ steps.fetch-password.outputs.SECURE_PASSWORD}}

diff --git a/.github/workflows/postgres-ptr.yml b/.github/workflows/postgres-ptr.yml
@@ -28,6 +28,10 @@ on:
         description: Name of the new database server. Default is <original-server-name>-ptr.
         type: string
 
+permissions:
+  contents: write
+  id-token: write
+
 env:
   SERVICE_SHORT: gse
   TF_VARS_PATH: terraform/aks/config
@@ -67,4 +71,6 @@ jobs:
         new-server: ${{ env.NEW_DB_SERVER }}
         restore-time: ${{ inputs.restore-time }}
         cluster: ${{ env.CLUSTER }}
-        azure-credentials: ${{ secrets.AZURE_CREDENTIALS}}
+        azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/postgres-restore.yml b/.github/workflows/postgres-restore.yml
@@ -25,6 +25,10 @@ on:
         type: string
         required: false
 
+permissions:
+  contents: write
+  id-token: write
+
 env:
   SERVICE_NAME: get-school-experience
   SERVICE_SHORT: gse
@@ -47,6 +51,7 @@ jobs:
         source global_config/${{ inputs.environment }}.sh
         tf_vars_file=${{ env.TF_VARS_PATH }}/${{ inputs.environment }}.tfvars.json
         echo "CLUSTER=$(jq -r '.cluster' ${tf_vars_file})" >> $GITHUB_ENV
+        echo "NAMESPACE=$(jq -r '.namespace' ${tf_vars_file})" >> $GITHUB_ENV
         echo "RESOURCE_GROUP_NAME=${AZURE_RESOURCE_PREFIX}-${SERVICE_SHORT}-${CONFIG_SHORT}-rg" >> $GITHUB_ENV
         echo "STORAGE_ACCOUNT_NAME=${AZURE_RESOURCE_PREFIX}${SERVICE_SHORT}dbbkp${CONFIG_SHORT}sa" >> $GITHUB_ENV
         echo "DB_SERVER=${AZURE_RESOURCE_PREFIX}-${SERVICE_SHORT}-${CONFIG_SHORT}-pg" >> $GITHUB_ENV
@@ -66,5 +71,8 @@ jobs:
         resource-group: ${{ env.RESOURCE_GROUP_NAME }}
         app-name: ${{ env.SERVICE_NAME }}-${{ inputs.environment }}
         cluster: ${{ env.CLUSTER }}
-        azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
+        namespace: ${{ env.NAMESPACE }}
+        azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         backup-file: ${{ env.BACKUP_FILE }}