From 460ff27d80047caf55611a667812a295ebbb2570 Mon Sep 17 00:00:00 2001
From: Tope Emmanuel
Date: Wed, 31 Jan 2024 11:58:52 +0000
Subject: [PATCH] Added RBAC to project

WHY: RBAC is a requisite feature to enhance security
HOW: By make the authentication and authorisation go through the new RBAC feature in MAKEFILE
---
 .github/workflows/delete_review_app_aks.yml | 2 +-
 .github/workflows/deploy_aks.yml | 2 +-
 Makefile | 1 +
 terraform/application/terraform.tf | 10 ++++++++++
 4 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/delete_review_app_aks.yml b/.github/workflows/delete_review_app_aks.yml
index 47d8901..393aa32 100644
--- a/.github/workflows/delete_review_app_aks.yml
+++ b/.github/workflows/delete_review_app_aks.yml
@@ -23,7 +23,7 @@ jobs:
           terraform_version: 1.6.4
           terraform_wrapper: false
 
-      - uses: DFE-Digital/github-actions/set-arm-environment-variables@master
+      - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
         with:
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}

diff --git a/.github/workflows/deploy_aks.yml b/.github/workflows/deploy_aks.yml
index 0a7a6c6..2625a06 100644
--- a/.github/workflows/deploy_aks.yml
+++ b/.github/workflows/deploy_aks.yml
@@ -69,7 +69,7 @@ jobs:
           terraform_version: 1.6.4
           terraform_wrapper: false
 
-      - uses: DFE-Digital/github-actions/set-arm-environment-variables@master
+      - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
         with:
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}

diff --git a/Makefile b/Makefile
index dcaa65f..1aca3c5 100644
--- a/Makefile
+++ b/Makefile
@@ -93,6 +93,7 @@ production-cluster:
 
 get-cluster-credentials: set-azure-account
 	az aks get-credentials --overwrite-existing -g ${CLUSTER_RESOURCE_GROUP_NAME} -n ${CLUSTER_NAME}
+	kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)
 
 bin/konduit.sh:
 	curl -s https://raw.githubusercontent.com/DFE-Digital/teacher-services-cloud/main/scripts/konduit.sh -o bin/konduit.sh \
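Review bot: Both workflow hunks reference `DFE-Digital/github-actions/set-kubelogin-environment@master`, a mutable branch ref, and the step is handed `secrets.AZURE_CREDENTIALS`, so whatever `master` resolves to at run time receives the subscription credentials; this applies to delete_review_app_aks.yml and deploy_aks.yml alike. Pinning to a release tag or full commit SHA, e.g. `- uses: DFE-Digital/github-actions/set-kubelogin-environment@<commit-sha>`, makes the action version auditable and stops an upstream change from silently altering what runs with those credentials. The replaced `set-arm-environment-variables@master` step had the same property, so this is existing practice rather than a regression, but the switch is the natural moment to pin. The enclosing `steps:` list and job definition start outside the hunk.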
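Review bot: The added `kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)` runs unconditionally after `az aks get-credentials`, so `get-cluster-credentials` now requires a `kubelogin` binary on PATH with no check or message when it is absent, and in `spn` mode it relies on the service-principal credentials already being in the environment (presumably supplied by the `set-kubelogin-environment` action in the workflows; confirm). The recipe has no comment explaining the mode selection; something like `# Rewrite the kubeconfig to authenticate via kubelogin: service principal in CI, the developer's az CLI session locally` above the line would record it. The terraform side gates its exec block on `azure_RBAC_enabled` while this recipe is not gated, so it is worth confirming the command behaves as a no-op on clusters without Azure RBAC. The `production-cluster` target named in the hunk header starts outside the hunk.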
diff --git a/terraform/application/terraform.tf b/terraform/application/terraform.tf
index 5f159b1..9efd2bc 100644
--- a/terraform/application/terraform.tf
+++ b/terraform/application/terraform.tf
@@ -28,4 +28,14 @@ provider "kubernetes" {
   client_certificate     = module.cluster_data.kubernetes_client_certificate
   client_key             = module.cluster_data.kubernetes_client_key
   cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate
+
+  dynamic "exec" {
+    for_each = module.cluster_data.azure_RBAC_enabled ? [1] : []
+    content {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "kubelogin"
+      args        = module.cluster_data.kubelogin_args
+    }
+  }
+
 }
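Review bot: When `azure_RBAC_enabled` is true the new `exec` block is configured alongside the unconditional `client_certificate`, `client_key` and `cluster_ca_certificate` attributes above it, so two credential paths are set at once unless `module.cluster_data` returns empty certificate material for RBAC clusters; confirm which one the provider actually uses, or gate the certificate attributes on the same condition. `azure_RBAC_enabled` breaks the snake_case used by the neighbouring `kubelogin_args` output; `azure_rbac_enabled` would match. A short comment above the block, e.g. `# Token-based auth via kubelogin when the cluster uses Azure RBAC; the static client certificate is used otherwise`, would record the intent. The `provider "kubernetes"` block opens outside the hunk.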