Add APP_ROLE_ARN secret after creating role

Updates the create app role task handler to pass a github api token, so this can be used to create the APP_ROLE_ARN secret as soon as the App role is created. This is required for apps that will be deployed without Auth0 clients.
ministryofjustice · Feb 21, 2024 · cc6fa89 · cc6fa89
1 parent 7c36e0e
commit cc6fa89
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 7 deletions.
diff --git a/controlpanel/api/cluster.py b/controlpanel/api/cluster.py
@@ -508,6 +508,8 @@ def create_iam_role(self):
         assume_role_policy = deepcopy(BASE_ASSUME_ROLE_POLICY)
         assume_role_policy["Statement"].append(self.oidc_provider_statement)
         self.aws_role_service.create_role(self.iam_role_name, assume_role_policy)
+        for env in self.get_deployment_envs():
+            self._create_secrets(env_name=env)
 
     def grant_bucket_access(self, bucket_arn, access_level, path_arns):
         self.aws_role_service.grant_bucket_access(

diff --git a/controlpanel/api/tasks/handlers/app.py b/controlpanel/api/tasks/handlers/app.py
@@ -28,5 +28,6 @@ class CreateAppAWSRole(BaseModelTaskHandler):
     name = "create_app_aws_role"
 
     def handle(self):
-        cluster.App(self.object).create_iam_role()
+        task_user = User.objects.filter(pk=self.task_user_pk).first()
+        cluster.App(self.object, task_user.github_api_token).create_iam_role()
         self.complete()
diff --git a/tests/api/cluster/test_app.py b/tests/api/cluster/test_app.py
@@ -1,10 +1,9 @@
 # Standard library
 from copy import deepcopy
-from unittest.mock import MagicMock, patch
+from unittest.mock import MagicMock, patch, call
 
 # Third-party
 import pytest
-from django.conf import settings
 
 # First-party/Local
 from controlpanel.api import cluster, models
@@ -13,7 +12,11 @@
 
 @pytest.fixture
 def app():
-    return models.App(slug="test-app", repo_url="https://gitpub.example.com/test-repo", namespace="test-namespace")
+    return models.App(
+        slug="test-app",
+        repo_url="https://gitpub.example.com/test-repo",
+        namespace="test-namespace",
+    )
 
 
 @pytest.fixture
@@ -77,13 +80,22 @@ def test_oidc_provider_statement(app, oidc_provider_statement):
     assert cluster.App(app).oidc_provider_statement == oidc_provider_statement
 
 
-def test_app_create_iam_role(aws_create_role, app, oidc_provider_statement):
+@patch("controlpanel.api.cluster.App.get_deployment_envs")
+@patch("controlpanel.api.cluster.App._create_secrets")
+def test_app_create_iam_role(
+    _create_secrets, get_deployment_envs, aws_create_role, app, oidc_provider_statement
+):
     expected_assume_role = deepcopy(BASE_ASSUME_ROLE_POLICY)
     expected_assume_role["Statement"].append(oidc_provider_statement)
 
+    get_deployment_envs.return_value = ["dev", "prod"]
     cluster.App(app).create_iam_role()
 
     aws_create_role.assert_called_with(app.iam_role_name, expected_assume_role)
+    _create_secrets.assert_has_calls([
+        call(env_name="dev"),
+        call(env_name="prod"),
+    ])
 
 
 @pytest.fixture  # noqa: F405

diff --git a/tests/api/tasks/test_create_app_aws_role.py b/tests/api/tasks/test_create_app_aws_role.py
@@ -1,5 +1,5 @@
 # Standard library
-from unittest.mock import patch
+from unittest.mock import patch, MagicMock
 
 # Third-party
 import pytest
@@ -25,13 +25,14 @@ def test_cluster_not_called_without_valid_app(cluster, complete, users):
 
 
 @pytest.mark.django_db
+@patch("controlpanel.api.auth0.ExtendedAuth0", new=MagicMock())
 @patch("controlpanel.api.tasks.handlers.base.BaseModelTaskHandler.complete")
 @patch("controlpanel.api.tasks.handlers.app.cluster")
 def test_valid_app_and_user(cluster, complete, users):
     app = mommy.make("api.App")
 
     create_app_aws_role(app.pk, users["superuser"].pk)
 
-    cluster.App.assert_called_once_with(app)
+    cluster.App.assert_called_once_with(app, users["superuser"].github_api_token)
     cluster.App.return_value.create_iam_role.assert_called_once()
     complete.assert_called_once()