Merge pull request #4 from Suke-H/#3-google-cloudへのデプロイ

#3 google cloudへのデプロイ
Suke-H · Dec 17, 2024 · a4fe59f · a4fe59f
2 parents f527437 + 6cf2d59
commit a4fe59f
Show file tree

Hide file tree

Showing 8 changed files with 315 additions and 0 deletions.
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
@@ -0,0 +1,52 @@
+name: Deploy to Cloud Run
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    env:
+      SERVICE_NAME: 'kiro-stage-editor'
+      REGION: 'asia-northeast1' 
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@v1
+        with:
+          workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
+          service_account: ${{ secrets.SA_EMAIL }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v1
+        with:
+          project_id: ${{ secrets.PROJECT_ID }}
+          install_components: 'beta'
+
+      - name: Build Docker image
+        run: |
+          docker build --no-cache -t ${{ env.REGION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/${{ secrets.ARTIFACT_REGISTRY_REPO_NAME }}/${{ env.SERVICE_NAME }}:$GITHUB_SHA .
+
+      - name: Push Docker image
+        run: |
+          gcloud auth configure-docker ${{ env.REGION }}-docker.pkg.dev
+          docker push ${{ env.REGION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/${{ secrets.ARTIFACT_REGISTRY_REPO_NAME }}/${{ env.SERVICE_NAME }}:$GITHUB_SHA
+
+      - name: Deploy to Cloud Run
+        run: |
+          gcloud run deploy ${{ env.SERVICE_NAME }} \
+            --image ${{ env.REGION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/${{ secrets.ARTIFACT_REGISTRY_REPO_NAME }}/${{ env.SERVICE_NAME }}:$GITHUB_SHA \
+            --platform managed \
+            --region ${{ env.REGION }} \
+            --allow-unauthenticated
diff --git a/.gitignore b/.gitignore
@@ -22,3 +22,9 @@ dist-ssr
 *.njsproj
 *.sln
 *.sw?
+
+# Terraform
+.terraform
+*.tfvars
+*.tfstate
+*.tfstate.*
diff --git a/default.conf b/default.conf
@@ -0,0 +1,9 @@
+server {
+    listen 8080;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}
diff --git a/dockerfile b/dockerfile
@@ -0,0 +1,18 @@
+FROM node:18-alpine AS builder
+
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci
+
+COPY . .
+RUN npm run build
+
+FROM nginx:alpine
+
+COPY default.conf /etc/nginx/conf.d/default.conf
+COPY --from=builder /app/dist /usr/share/nginx/html
+
+EXPOSE 8080
+
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -0,0 +1,122 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 4.0"
+    }
+  }
+}
+
+provider "google" {
+  project = var.project_id
+  region  = var.region
+}
+
+# Terraformを実行するサービスアカウントを作成
+resource "google_service_account" "terraform_sa" {
+  account_id   = "${var.terraform_sa_name}"
+  display_name = "Terraform Service Account"
+  project      = var.project_id
+}
+
+# Terraformサービスアカウントに必要な権限を付与
+module "terraform_sa_roles" {
+  source = "./modules/iam_binding"
+  project = var.project_id
+  roles = var.terraform_sa_roles
+  service_account_email = google_service_account.terraform_sa.email
+}
+
+# 必要なAPIの有効化
+resource "google_project_service" "services" {
+  for_each = toset(var.enabled_apis)
+
+  project = var.project_id
+  service = each.key
+  disable_on_destroy = false
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# Artifact Registryリポジトリの作成
+resource "google_artifact_registry_repository" "docker_repo" {
+  depends_on = [google_project_service.services]
+
+  location      = var.region
+  repository_id = var.artifact_registry_repo_name
+  description   = "Docker repository for GitHub Actions"
+  format        = "DOCKER"
+  project       = var.project_id
+}
+
+# GitHub Actions用のサービスアカウントの作成
+resource "google_service_account" "github_actions" {
+  depends_on = [google_project_service.services]
+
+  account_id   = var.github_actions.service_account_name
+  display_name = "Service Account for GitHub Actions"
+  description  = "Used for deploying to Cloud Run from GitHub Actions"
+  project      = var.project_id
+}
+
+# GitHub Actions用サービスアカウントに必要な権限の付与
+module "github_actions_roles" {
+  source = "./modules/iam_binding"
+  project = var.project_id
+  roles = var.github_actions_roles
+  service_account_email = google_service_account.github_actions.email
+}
+
+# Workload Identity Poolの作成
+resource "google_iam_workload_identity_pool" "github_pool" {
+  depends_on = [google_project_service.services]
+
+  workload_identity_pool_id = var.github_actions.workload_identity_pool_name
+  project                   = var.project_id
+  display_name              = "GitHub Actions Pool"
+  description               = "Workload Identity Pool for GitHub Actions"
+}
+
+# Workload Identity Providerの作成
+resource "google_iam_workload_identity_pool_provider" "github_provider" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.github_pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = var.github_actions.workload_identity_provider_name
+  project                            = var.project_id
+
+  attribute_mapping = {
+    "google.subject"       = "assertion.sub"
+    "attribute.actor"      = "assertion.actor"
+    "attribute.repository" = "assertion.repository"
+    "attribute.ref"        = "assertion.ref"
+  }
+
+  oidc {
+    issuer_uri = "https://token.actions.githubusercontent.com"
+  }
+
+  attribute_condition = "attribute.repository == \"${var.github_repo}\""
+}
+
+# Workload Identity Poolとサービスアカウントの紐付け
+resource "google_service_account_iam_member" "workload_identity_user" {
+  service_account_id = google_service_account.github_actions.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github_pool.name}/attribute.repository/${var.github_repo}"
+}
+
+# Secretsに必要な情報を出力
+output "github_actions" {
+  value = {
+    PROJECT_ID                  = var.project_id
+    WIF_PROVIDER                = "projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.github_pool.workload_identity_pool_id}/providers/${google_iam_workload_identity_pool_provider.github_provider.workload_identity_pool_provider_id}"
+    SA_EMAIL                    = google_service_account.github_actions.email
+    ARTIFACT_REGISTRY_REPO_NAME = var.artifact_registry_repo_name
+  }
+  description = "GitHub Actions用の設定情報"
+}
+
+data "google_project" "project" {
+  project_id = var.project_id
+}
diff --git a/terraform/modules/iam_binding/main.tf b/terraform/modules/iam_binding/main.tf
@@ -0,0 +1,19 @@
+variable "project" {
+  type = string
+}
+
+variable "roles" {
+  type = list(string)
+}
+
+variable "service_account_email" {
+  type = string
+}
+
+resource "google_project_iam_member" "binding" {
+  for_each = toset(var.roles)
+
+  project = var.project
+  role    = each.key
+  member  = "serviceAccount:${var.service_account_email}"
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -0,0 +1,67 @@
+variable "project_id" {
+  type        = string
+  description = "GCP Project ID"
+}
+
+variable "region" {
+  type        = string
+  description = "GCP Region"
+  default     = "asia-northeast1"
+}
+
+variable "github_repo" {
+  type        = string
+  description = "GitHubリポジトリ (例: user/repo)"
+}
+
+variable "artifact_registry_repo_name" {
+  type        = string
+  description = "Artifact Registryのリポジトリ名"
+}
+
+variable "terraform_sa_name" {
+  type        = string
+  description = "Terraform用サービスアカウントの名前"
+  default     = "terraform-sa"
+}
+
+variable "github_actions" {
+  type = object({
+    service_account_name            = string
+    workload_identity_pool_name     = string
+    workload_identity_provider_name = string
+  })
+  description = "GitHub Actions関連の設定"
+}
+
+variable "enabled_apis" {
+  type        = list(string)
+  description = "プロジェクトに必要なAPI"
+  default     = [
+    "iam.googleapis.com",
+    "iamcredentials.googleapis.com",
+    "cloudresourcemanager.googleapis.com",
+    "run.googleapis.com",
+    "artifactregistry.googleapis.com"
+  ]
+}
+
+variable "terraform_sa_roles" {
+  type        = list(string)
+  description = "Terraform用サービスアカウントに付与するロール"
+  default     = [
+    "roles/iam.serviceAccountAdmin",
+    "roles/iam.workloadIdentityPoolAdmin",
+    "roles/serviceusage.serviceUsageAdmin"
+  ]
+}
+
+variable "github_actions_roles" {
+  type        = list(string)
+  description = "GitHub Actions用サービスアカウントに付与するロール"
+  default     = [
+    "roles/run.admin",
+    "roles/iam.serviceAccountUser",
+    "roles/artifactregistry.writer"
+  ]
+}