Merge pull request #1 from to24toro/feature/github_actions

prepare for github actions

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @to24toro

.github/workflows/terraform_apply.yml

@@ -0,0 +1,58 @@
+name: terraform apply
+
+on:
+  pull_request:
+    branches:
+      - main
+    types: [closed]
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  apply:
+    name: terraform apply for GCP
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Configure GCP credentials
+        uses: "google-github-actions/auth@v0"
+        with:
+          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: 1.2.9
+
+      - name: Terraform fmt
+        id: fmt
+        working-directory: ./terraform
+        run: terraform fmt -check
+        continue-on-error: true
+
+      - name: Terraform init
+        id: init
+        working-directory: ./terraform
+        run: terraform init
+
+      - name: Terraform Validate
+        id: validate
+        working-directory: ./terraform
+        run: terraform validate -no-color
+
+      - name: Terraform Plan
+        id: plan
+        working-directory: ./terraform
+        run: terraform plan -no-color
+        continue-on-error: true
+
+      - name: Terraform Apply
+        id: apply
+        working-directory: ./terraform
+        run: terraform apply -auto-approve
+

.github/workflows/terraform_plan.yml

@@ -0,0 +1,51 @@
+name: terraform plan
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  plan:
+    name: terraform plan for GCP
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Configure GCP credentials
+        uses: "google-github-actions/auth@v0"
+        with:
+          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: 1.2.9
+
+      - name: Terraform fmt
+        id: fmt
+        working-directory: ./terraform
+        run: terraform fmt -check
+        continue-on-error: true
+
+      - name: Terraform init
+        id: init
+        working-directory: ./terraform
+        run: terraform init
+
+      - name: Terraform Validate
+        id: validate
+        working-directory: ./terraform
+        run: terraform validate -no-color
+
+      - name: Terraform Plan
+        id: plan
+        working-directory: ./terraform
+        run: terraform plan -no-color
+        continue-on-error: true

.gitignore

@@ -27,3 +27,6 @@ override.tf.json
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
+
+.secret
+.terraform.lock.hcl

terraform/gcs.tf

@@ -0,0 +1,18 @@
+# resource "google_storage_bucket" "terraform-state" {
+#   name     = "terraform-bucket"
+#   location = var.region
+#   storage_class = "STANDARD"
+
+#   versioning {
+#     enabled = true
+#   }
+
+#   lifecycle_rule {
+#     action {
+#       type = "Delete"
+#     }
+#     condition {
+#       num_newer_versions = 5
+#     }
+#   }
+# }

terraform/iam.tf

@@ -0,0 +1,27 @@
+# IAM policy
+
+data "google_iam_policy" "workload_identity_user_github_actions" {
+  binding {
+    role = "roles/iam.workloadIdentityUser"
+    members = ["principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github_actions.name}/attribute.repository/to24toro/terraform-gcp"]
+  }
+}
+
+resource "google_project_iam_member" "owner_github_actions" {
+  project = var.project_id
+  role = "roles/owner"
+  member = "serviceAccount:${google_service_account.github_actions.email}"
+}
+
+resource "google_project_iam_member" "github_actions_cloud_storage_admin" {
+  project = var.project_id
+  role = "roles/storage.objectAdmin"
+  member = "serviceAccount:${google_service_account.github_actions.email}"
+}
+
+# IAM binding
+
+resource "google_service_account_iam_policy" "binding_sa_and_wi_github_actions" {
+  service_account_id = google_service_account.github_actions.name
+  policy_data        = data.google_iam_policy.workload_identity_user_github_actions.policy_data
+}

terraform/main.tf

@@ -0,0 +1,5 @@
+terraform {
+  backend "gcs" {
+    bucket  = "terraform-bucket"
+  }
+}

terraform/output.tf

@@ -0,0 +1,7 @@
+output "workload_identity_provider" {
+  value = "${google_iam_workload_identity_pool.github_actions.name}/providers/${google_iam_workload_identity_pool_provider.github_actions.workload_identity_pool_provider_id}"
+}
+
+output "service_account" {
+  value = google_service_account.github_actions.email
+}

terraform/provider.tf

@@ -0,0 +1,5 @@
+provider "google" {
+  project = var.project_id
+  region  = var.region
+  zone    = var.zone
+}

terraform/service_account.tf

@@ -0,0 +1,5 @@
+resource "google_service_account" "github_actions" {
+  account_id   = "terraform-github-actions"
+  display_name = "terraform_github_actions"
+  description  = "service account for github actions"
+}

terraform/variables.tf

@@ -0,0 +1,14 @@
+variable "project_id" {
+  type = string
+  default = "terraform-367614"
+}
+
+variable "region" {
+  type = string
+  default = "asia-northeast1"
+}
+
+variable "zone" {
+  type = string
+  default = "asia-northeast1-a"
+}

terraform/workload_identity.tf

@@ -0,0 +1,29 @@
+# github actions用プール
+resource "google_iam_workload_identity_pool" "github_actions" {
+  provider                  = google-beta
+  project                   = var.project_id
+  workload_identity_pool_id = "github-actions"
+  description               = "workload identity pool for github actions"
+  disabled                  = false
+}
+
+# github actions用プロバイダ
+resource "google_iam_workload_identity_pool_provider" "github_actions" {
+  provider                           = google-beta
+  project                            = var.project_id
+  workload_identity_pool_id          = google_iam_workload_identity_pool.github_actions.workload_identity_pool_id
+  workload_identity_pool_provider_id = "github-actions"
+  description                        = "workload identity pool provider for github actions"
+
+  # https://cloud.google.com/iam/docs/configuring-workload-identity-federation
+  # ID プロバイダの認証情報を外部 ID にマッピングする属性マッピングを定義
+  # google.subject : ユーザーの一意の識別子。ロールバインディングで使用され、Cloud Logging のログに表示される
+  # attribute. : 特定の属性を持つすべての ID にアクセス権を付与
+  attribute_mapping                  = {
+    "google.subject"       = "assertion.sub"        # リポジトリ名と Git リファレンス
+    "attribute.actor"      = "assertion.actor"      # Github Actions を実行したユーザーアカウント
+    "attribute.repository" = "assertion.repository" # オーナーとリポジトリ名
+  }
+  oidc { issuer_uri = "https://token.actions.githubusercontent.com" }
+}
+