From 56639254f21227e26d59230c12eaf0e3872615af Mon Sep 17 00:00:00 2001
From: kobayashi-m42 <m42kobayashi@gmail.com>
Date: Fri, 20 Sep 2024 22:29:39 +0900
Subject: [PATCH 1/2] =?UTF-8?q?lgtm-cat-processor=E3=81=AE=E3=83=87?=
 =?UTF-8?q?=E3=83=97=E3=83=AD=E3=82=A4=E7=94=A8=E3=81=AEIAM=20Role?=
 =?UTF-8?q?=E3=82=92=E4=BD=9C=E6=88=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../files/policy.json                         | 35 +++++++++++++++++
 .../lgtm-cat-processor-deploy-role/role.tf    | 38 +++++++++++++++++++
 .../variables.tf                              |  6 +++
 .../aws/environments/prod/15-iam/main.tf      |  6 +++
 4 files changed, 85 insertions(+)
 create mode 100644 modules/aws/iam/lgtm-cat-processor-deploy-role/files/policy.json
 create mode 100644 modules/aws/iam/lgtm-cat-processor-deploy-role/role.tf
 create mode 100644 modules/aws/iam/lgtm-cat-processor-deploy-role/variables.tf

diff --git a/modules/aws/iam/lgtm-cat-processor-deploy-role/files/policy.json b/modules/aws/iam/lgtm-cat-processor-deploy-role/files/policy.json
new file mode 100644
index 0000000..ebeb2da
--- /dev/null
+++ b/modules/aws/iam/lgtm-cat-processor-deploy-role/files/policy.json
@@ -0,0 +1,35 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecr:GetAuthorizationToken"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:CompleteLayerUpload",
+        "ecr:InitiateLayerUpload",
+        "ecr:PutImage",
+        "ecr:UploadLayerPart",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:BatchGetImage"
+      ],
+      "Resource": "arn:aws:ecr:${region}:${account_id}:repository/*"
+    },
+    {
+      "Effect":"Allow",
+      "Action":[
+        "codebuild:StartBuild",
+        "codebuild:BatchGetBuilds"
+      ],
+      "Resource":[
+        "arn:aws:codebuild:${region}:${account_id}:project/*"
+      ]
+    }
+  ]
+}
diff --git a/modules/aws/iam/lgtm-cat-processor-deploy-role/role.tf b/modules/aws/iam/lgtm-cat-processor-deploy-role/role.tf
new file mode 100644
index 0000000..1fb1312
--- /dev/null
+++ b/modules/aws/iam/lgtm-cat-processor-deploy-role/role.tf
@@ -0,0 +1,38 @@
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    principals {
+      type        = "Federated"
+      identifiers = [var.github_actions_oidc_provider_arn]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:nekochans/lgtm-cat-processor:*"]
+    }
+  }
+}
+
+resource "aws_iam_role" "deploy" {
+  name               = "lgtm-cat-processor-deploy-role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+}
+
+resource "aws_iam_policy" "deploy" {
+  name = "lgtm-cat-processor-deploy-policy"
+  policy = templatefile("${path.module}/files/policy.json", {
+    region     = data.aws_region.current.name
+    account_id = data.aws_caller_identity.current.account_id
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "deploy" {
+  role       = aws_iam_role.deploy.name
+  policy_arn = aws_iam_policy.deploy.arn
+}
diff --git a/modules/aws/iam/lgtm-cat-processor-deploy-role/variables.tf b/modules/aws/iam/lgtm-cat-processor-deploy-role/variables.tf
new file mode 100644
index 0000000..7b768d4
--- /dev/null
+++ b/modules/aws/iam/lgtm-cat-processor-deploy-role/variables.tf
@@ -0,0 +1,6 @@
+variable "github_actions_oidc_provider_arn" {
+  type = string
+}
+
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
diff --git a/providers/aws/environments/prod/15-iam/main.tf b/providers/aws/environments/prod/15-iam/main.tf
index d617a89..1294f63 100644
--- a/providers/aws/environments/prod/15-iam/main.tf
+++ b/providers/aws/environments/prod/15-iam/main.tf
@@ -12,3 +12,9 @@ module "api_deploy_role" {
 
   github_actions_oidc_provider_arn = module.identity_provider.github_actions_oidc_provider_arn
 }
+
+module "lgtm_cat_processor_deploy_role" {
+  source = "../../../../../modules/aws/iam/lgtm-cat-processor-deploy-role"
+
+  github_actions_oidc_provider_arn = module.identity_provider.github_actions_oidc_provider_arn
+}

From 24f2ca9accc2888c404ffe5abe50f36eca0a518f Mon Sep 17 00:00:00 2001
From: kobayashi-m42 <m42kobayashi@gmail.com>
Date: Sat, 21 Sep 2024 14:17:09 +0900
Subject: [PATCH 2/2] =?UTF-8?q?Lambda=E3=81=AEupdate=E3=82=92=E8=A1=8C?=
 =?UTF-8?q?=E3=81=86=E3=81=9F=E3=82=81=E3=81=AECodeBuild=E3=82=92=E6=A7=8B?=
 =?UTF-8?q?=E7=AF=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../aws/lgtm-image-processor/cloudwatch.tf    |  2 +-
 .../codebuild/codebuild.tf                    | 36 +++++++++++++++
 .../aws/lgtm-image-processor/codebuild/iam.tf | 44 +++++++++++++++++++
 .../codebuild/variables.tf                    | 15 +++++++
 modules/aws/lgtm-image-processor/iam.tf       |  2 +-
 modules/aws/lgtm-image-processor/lambda.tf    |  2 +-
 modules/aws/lgtm-image-processor/variables.tf |  8 ++--
 .../.terraform.lock.hcl                       | 21 +++++++--
 .../stg/22-lgtm-image-processor/main.tf       | 10 +++++
 .../stg/22-lgtm-image-processor/variables.tf  |  2 +
 .../stg/22-lgtm-image-processor/versions.tf   |  2 +-
 11 files changed, 133 insertions(+), 11 deletions(-)
 create mode 100644 modules/aws/lgtm-image-processor/codebuild/codebuild.tf
 create mode 100644 modules/aws/lgtm-image-processor/codebuild/iam.tf
 create mode 100644 modules/aws/lgtm-image-processor/codebuild/variables.tf

diff --git a/modules/aws/lgtm-image-processor/cloudwatch.tf b/modules/aws/lgtm-image-processor/cloudwatch.tf
index 92b84d8..65d4e6b 100644
--- a/modules/aws/lgtm-image-processor/cloudwatch.tf
+++ b/modules/aws/lgtm-image-processor/cloudwatch.tf
@@ -1,4 +1,4 @@
 resource "aws_cloudwatch_log_group" "lgtm_image_processor" {
-  name              = "/aws/lambda/${local.lambda_function_name}"
+  name              = "/aws/lambda/${var.lambda_function_name}"
   retention_in_days = var.log_retention_in_days
 }
diff --git a/modules/aws/lgtm-image-processor/codebuild/codebuild.tf b/modules/aws/lgtm-image-processor/codebuild/codebuild.tf
new file mode 100644
index 0000000..f5602e4
--- /dev/null
+++ b/modules/aws/lgtm-image-processor/codebuild/codebuild.tf
@@ -0,0 +1,36 @@
+resource "aws_codebuild_project" "codebuild" {
+  name          = "${var.env}-${var.service_name}-deploy"
+  build_timeout = 5
+  service_role  = aws_iam_role.codebuild.arn
+
+  environment {
+    compute_type                = "BUILD_LAMBDA_1GB"
+    type                        = "ARM_LAMBDA_CONTAINER"
+    image                       = "aws/codebuild/amazonlinux-aarch64-lambda-standard:python3.12"
+    image_pull_credentials_type = "CODEBUILD"
+  }
+
+  # リポジトリで設定するので何もしない
+  source {
+    type      = "NO_SOURCE"
+    buildspec = <<BUILDSPEC
+version: 0.2
+BUILDSPEC
+  }
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  logs_config {
+    cloudwatch_logs {
+      status     = "ENABLED"
+      group_name = "/aws/codebuild/${var.env}-${var.service_name}-deploy"
+    }
+  }
+}
+
+resource "aws_cloudwatch_log_group" "codebuild" {
+  name              = "${var.env}-${var.service_name}-deploy"
+  retention_in_days = var.log_retention_in_days
+}
diff --git a/modules/aws/lgtm-image-processor/codebuild/iam.tf b/modules/aws/lgtm-image-processor/codebuild/iam.tf
new file mode 100644
index 0000000..920e09a
--- /dev/null
+++ b/modules/aws/lgtm-image-processor/codebuild/iam.tf
@@ -0,0 +1,44 @@
+data "aws_iam_policy_document" "codebuild_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["codebuild.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "codebuild" {
+  name               = "${var.env}-${var.service_name}-deploy-service-role"
+  assume_role_policy = data.aws_iam_policy_document.codebuild_assume_role.json
+}
+
+data "aws_iam_policy_document" "codebuild" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+    resources = [
+      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/codebuild/*"
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "lambda:UpdateFunctionCode",
+      "lambda:GetFunctionConfiguration"
+    ]
+    resources = ["arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:${var.lambda_function_name}"]
+  }
+}
+
+resource "aws_iam_role_policy" "codebuild" {
+  name   = "deploy-policy"
+  role   = aws_iam_role.codebuild.id
+  policy = data.aws_iam_policy_document.codebuild.json
+}
diff --git a/modules/aws/lgtm-image-processor/codebuild/variables.tf b/modules/aws/lgtm-image-processor/codebuild/variables.tf
new file mode 100644
index 0000000..e85323c
--- /dev/null
+++ b/modules/aws/lgtm-image-processor/codebuild/variables.tf
@@ -0,0 +1,15 @@
+variable "env" {
+  type = string
+}
+variable "service_name" {
+  type = string
+}
+variable "lambda_function_name" {
+  type = string
+}
+variable "log_retention_in_days" {
+  type = number
+}
+
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
diff --git a/modules/aws/lgtm-image-processor/iam.tf b/modules/aws/lgtm-image-processor/iam.tf
index d9c7465..c559340 100644
--- a/modules/aws/lgtm-image-processor/iam.tf
+++ b/modules/aws/lgtm-image-processor/iam.tf
@@ -77,7 +77,7 @@ resource "aws_iam_policy" "step_functions" {
         "Action" : [
           "lambda:InvokeFunction",
         ],
-        "Resource" : "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:${local.lambda_function_name}:*"
+        "Resource" : "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:${var.lambda_function_name}:*"
       }
     ]
   })
diff --git a/modules/aws/lgtm-image-processor/lambda.tf b/modules/aws/lgtm-image-processor/lambda.tf
index 160a922..0d3dad7 100644
--- a/modules/aws/lgtm-image-processor/lambda.tf
+++ b/modules/aws/lgtm-image-processor/lambda.tf
@@ -1,5 +1,5 @@
 resource "aws_lambda_function" "lgtm_image_processor" {
-  function_name = local.lambda_function_name
+  function_name = var.lambda_function_name
   package_type  = "Image"
   image_uri     = "${aws_ecr_repository.lgtm_image_processor.repository_url}:latest"
   role          = aws_iam_role.lambda.arn
diff --git a/modules/aws/lgtm-image-processor/variables.tf b/modules/aws/lgtm-image-processor/variables.tf
index d52ae82..bf32742 100644
--- a/modules/aws/lgtm-image-processor/variables.tf
+++ b/modules/aws/lgtm-image-processor/variables.tf
@@ -22,6 +22,10 @@ variable "generate_lgtm_image_upload_bucket" {
   type = string
 }
 
+variable "lambda_function_name" {
+  type = string
+}
+
 data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 
@@ -32,7 +36,3 @@ data "aws_secretsmanager_secret" "secret" {
 data "aws_secretsmanager_secret_version" "secret" {
   secret_id = data.aws_secretsmanager_secret.secret.id
 }
-
-locals {
-  lambda_function_name = "${var.env}-${var.service_name}"
-}
diff --git a/providers/aws/environments/stg/22-lgtm-image-processor/.terraform.lock.hcl b/providers/aws/environments/stg/22-lgtm-image-processor/.terraform.lock.hcl
index 9db786f..58c4a2e 100644
--- a/providers/aws/environments/stg/22-lgtm-image-processor/.terraform.lock.hcl
+++ b/providers/aws/environments/stg/22-lgtm-image-processor/.terraform.lock.hcl
@@ -2,9 +2,24 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/aws" {
-  version     = "5.1.0"
-  constraints = "5.1.0"
+  version     = "5.68.0"
+  constraints = "5.68.0"
   hashes = [
-    "h1:cD/xic4fsOb2yPp4UARXqzjN8frK9QSxLM4cPfYz8Hg=",
+    "h1:C0VIWK9EIjEB17oy+sJoMprCJWrU6eQ8ZG5eWVZMejY=",
+    "zh:045f37b115a6c94a05c6a5f2aacfe4cecbaf4b40b56917ba852d988d487e94bf",
+    "zh:0c388f1a94e7941cf7e6abcd8d958a3e325e513cb60affa3cac82e75c7bbbb73",
+    "zh:15b1f2587c06bff35a15f2d1c22eab395d549908daf05582608d729cdf54ba40",
+    "zh:16a9c0c7fa7a33aa22313d4444aeecde20831bf51f9b481a0406e3cf583378fc",
+    "zh:3330c0d49fb329dff6de17913e1a774e75aa0913106c3197814c73c3a12a4c3f",
+    "zh:40920318f774ff397c7b6a01b5e89e46eb1a55d7dc9943a310669a9357b9b501",
+    "zh:838fbac358bb72f46c8d359a28a3effb6a9d7137cdd72b9e4d2f0fcf803dc462",
+    "zh:84e694c0720bf54b3b8521bf6e05700abe4a1b3e7dd2a104efd1eb55ae5866a0",
+    "zh:90606c399498027d7d07ab78a71b574a5d8b982c4372e6b67479f7e39e153e2f",
+    "zh:9162cf25d5c0fdf672c9bbc4c3c84dd87ab6a15b4971df1f32aea6b477c0e028",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:9cd8ec40a88b25e9f0f7d7f51460a921f4529554a260ffbe5083ddeba2f41ae3",
+    "zh:adeffac1d01a35bc8d2497ccceb9978b4746872143016c2c631de6cb38b6aa8d",
+    "zh:c7b682c81f9ae850669deb6239a66d8aa960abed984aad25db2d3954c09c2616",
+    "zh:d10b9f40934e14d55cfc5731d728507e50d014561322e9e0c84b33ab255a4d51",
   ]
 }
diff --git a/providers/aws/environments/stg/22-lgtm-image-processor/main.tf b/providers/aws/environments/stg/22-lgtm-image-processor/main.tf
index b7bdebd..ca8cbc5 100644
--- a/providers/aws/environments/stg/22-lgtm-image-processor/main.tf
+++ b/providers/aws/environments/stg/22-lgtm-image-processor/main.tf
@@ -7,4 +7,14 @@ module "lgtm_image_processor" {
   upload_images_bucket              = local.upload_images_bucket
   judge_image_upload_bucket         = local.judge_image_upload_bucket
   generate_lgtm_image_upload_bucket = local.generate_lgtm_image_upload_bucket
+  lambda_function_name              = local.lambda_function_name
+}
+
+module "codebuild" {
+  source = "../../../../../modules/aws/lgtm-image-processor/codebuild"
+
+  env                   = local.env
+  service_name          = local.service_name
+  lambda_function_name  = local.lambda_function_name
+  log_retention_in_days = local.codebuild_log_retention_in_days
 }
diff --git a/providers/aws/environments/stg/22-lgtm-image-processor/variables.tf b/providers/aws/environments/stg/22-lgtm-image-processor/variables.tf
index 77ddbe4..0819f37 100644
--- a/providers/aws/environments/stg/22-lgtm-image-processor/variables.tf
+++ b/providers/aws/environments/stg/22-lgtm-image-processor/variables.tf
@@ -6,4 +6,6 @@ locals {
   upload_images_bucket              = "${local.env}-lgtmeow-cat-images"
   judge_image_upload_bucket         = "${local.env}-lgtmeow-cat-images"
   generate_lgtm_image_upload_bucket = "${local.env}-lgtmeow-images"
+  lambda_function_name              = "${local.env}-${local.service_name}"
+  codebuild_log_retention_in_days   = 3
 }
diff --git a/providers/aws/environments/stg/22-lgtm-image-processor/versions.tf b/providers/aws/environments/stg/22-lgtm-image-processor/versions.tf
index d171525..bd2fd28 100644
--- a/providers/aws/environments/stg/22-lgtm-image-processor/versions.tf
+++ b/providers/aws/environments/stg/22-lgtm-image-processor/versions.tf
@@ -2,6 +2,6 @@ terraform {
   required_version = "1.0.3"
 
   required_providers {
-    aws = "5.1.0"
+    aws = "5.68.0"
   }
 }