nekochans · kobayashi-m42 · Sep 22, 2024 · Sep 20, 2024 · Sep 21, 2024 · kobayashi-m42
diff --git a/modules/aws/iam/lgtm-cat-processor-deploy-role/files/policy.json b/modules/aws/iam/lgtm-cat-processor-deploy-role/files/policy.json
@@ -0,0 +1,35 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecr:GetAuthorizationToken"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:CompleteLayerUpload",
+        "ecr:InitiateLayerUpload",
+        "ecr:PutImage",
+        "ecr:UploadLayerPart",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:BatchGetImage"
+      ],
+      "Resource": "arn:aws:ecr:${region}:${account_id}:repository/*"
+    },
+    {
+      "Effect":"Allow",
+      "Action":[
+        "codebuild:StartBuild",
+        "codebuild:BatchGetBuilds"
+      ],
+      "Resource":[
+        "arn:aws:codebuild:${region}:${account_id}:project/*"
+      ]
+    }
+  ]
+}
diff --git a/modules/aws/iam/lgtm-cat-processor-deploy-role/role.tf b/modules/aws/iam/lgtm-cat-processor-deploy-role/role.tf
@@ -0,0 +1,38 @@
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    principals {
+      type        = "Federated"
+      identifiers = [var.github_actions_oidc_provider_arn]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:nekochans/lgtm-cat-processor:*"]
+    }
+  }
+}
+
+resource "aws_iam_role" "deploy" {
+  name               = "lgtm-cat-processor-deploy-role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+}
+
+resource "aws_iam_policy" "deploy" {
+  name = "lgtm-cat-processor-deploy-policy"
+  policy = templatefile("${path.module}/files/policy.json", {
+    region     = data.aws_region.current.name
+    account_id = data.aws_caller_identity.current.account_id
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "deploy" {
+  role       = aws_iam_role.deploy.name
+  policy_arn = aws_iam_policy.deploy.arn
+}
diff --git a/modules/aws/iam/lgtm-cat-processor-deploy-role/variables.tf b/modules/aws/iam/lgtm-cat-processor-deploy-role/variables.tf
@@ -0,0 +1,6 @@
+variable "github_actions_oidc_provider_arn" {
+  type = string
+}
+
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
diff --git a/modules/aws/lgtm-image-processor/cloudwatch.tf b/modules/aws/lgtm-image-processor/cloudwatch.tf
@@ -1,4 +1,4 @@
 resource "aws_cloudwatch_log_group" "lgtm_image_processor" {
-  name              = "/aws/lambda/${local.lambda_function_name}"
+  name              = "/aws/lambda/${var.lambda_function_name}"
   retention_in_days = var.log_retention_in_days
 }
diff --git a/modules/aws/lgtm-image-processor/codebuild/codebuild.tf b/modules/aws/lgtm-image-processor/codebuild/codebuild.tf
@@ -0,0 +1,36 @@
+resource "aws_codebuild_project" "codebuild" {
+  name          = "${var.env}-${var.service_name}-deploy"
+  build_timeout = 5
+  service_role  = aws_iam_role.codebuild.arn
+
+  environment {
+    compute_type                = "BUILD_LAMBDA_1GB"
+    type                        = "ARM_LAMBDA_CONTAINER"
+    image                       = "aws/codebuild/amazonlinux-aarch64-lambda-standard:python3.12"
+    image_pull_credentials_type = "CODEBUILD"
+  }
+
+  # リポジトリで設定するので何もしない
+  source {
+    type      = "NO_SOURCE"
+    buildspec = <<BUILDSPEC
+version: 0.2
+BUILDSPEC
+  }
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  logs_config {
+    cloudwatch_logs {
+      status     = "ENABLED"
+      group_name = "/aws/codebuild/${var.env}-${var.service_name}-deploy"
+    }
+  }
+}
+
+resource "aws_cloudwatch_log_group" "codebuild" {
+  name              = "${var.env}-${var.service_name}-deploy"
+  retention_in_days = var.log_retention_in_days
+}
diff --git a/modules/aws/lgtm-image-processor/codebuild/iam.tf b/modules/aws/lgtm-image-processor/codebuild/iam.tf
@@ -0,0 +1,44 @@
+data "aws_iam_policy_document" "codebuild_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["codebuild.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "codebuild" {
+  name               = "${var.env}-${var.service_name}-deploy-service-role"
+  assume_role_policy = data.aws_iam_policy_document.codebuild_assume_role.json
+}
+
+data "aws_iam_policy_document" "codebuild" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+    resources = [
+      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/codebuild/*"
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "lambda:UpdateFunctionCode",
+      "lambda:GetFunctionConfiguration"
+    ]
+    resources = ["arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:${var.lambda_function_name}"]
+  }
+}
+
+resource "aws_iam_role_policy" "codebuild" {
+  name   = "deploy-policy"
+  role   = aws_iam_role.codebuild.id
+  policy = data.aws_iam_policy_document.codebuild.json
+}
diff --git a/modules/aws/lgtm-image-processor/codebuild/variables.tf b/modules/aws/lgtm-image-processor/codebuild/variables.tf
@@ -0,0 +1,15 @@
+variable "env" {
+  type = string
+}
+variable "service_name" {
+  type = string
+}
+variable "lambda_function_name" {
+  type = string
+}
+variable "log_retention_in_days" {
+  type = number
+}
+
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
diff --git a/modules/aws/lgtm-image-processor/iam.tf b/modules/aws/lgtm-image-processor/iam.tf
@@ -77,7 +77,7 @@ resource "aws_iam_policy" "step_functions" {
         "Action" : [
           "lambda:InvokeFunction",
         ],
-        "Resource" : "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:${local.lambda_function_name}:*"
+        "Resource" : "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:${var.lambda_function_name}:*"
       }
     ]
   })

diff --git a/modules/aws/lgtm-image-processor/lambda.tf b/modules/aws/lgtm-image-processor/lambda.tf
@@ -1,5 +1,5 @@
 resource "aws_lambda_function" "lgtm_image_processor" {
-  function_name = local.lambda_function_name
+  function_name = var.lambda_function_name
   package_type  = "Image"
   image_uri     = "${aws_ecr_repository.lgtm_image_processor.repository_url}:latest"
   role          = aws_iam_role.lambda.arn

diff --git a/modules/aws/lgtm-image-processor/variables.tf b/modules/aws/lgtm-image-processor/variables.tf
@@ -22,6 +22,10 @@ variable "generate_lgtm_image_upload_bucket" {
   type = string
 }
 
+variable "lambda_function_name" {
+  type = string
+}
+
 data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 
@@ -32,7 +36,3 @@ data "aws_secretsmanager_secret" "secret" {
 data "aws_secretsmanager_secret_version" "secret" {
   secret_id = data.aws_secretsmanager_secret.secret.id
 }
-
-locals {
-  lambda_function_name = "${var.env}-${var.service_name}"
-}
diff --git a/providers/aws/environments/prod/15-iam/main.tf b/providers/aws/environments/prod/15-iam/main.tf
@@ -12,3 +12,9 @@ module "api_deploy_role" {
 
   github_actions_oidc_provider_arn = module.identity_provider.github_actions_oidc_provider_arn
 }
+
+module "lgtm_cat_processor_deploy_role" {
+  source = "../../../../../modules/aws/iam/lgtm-cat-processor-deploy-role"
+
+  github_actions_oidc_provider_arn = module.identity_provider.github_actions_oidc_provider_arn
+}
diff --git a/providers/aws/environments/stg/22-lgtm-image-processor/.terraform.lock.hcl b/providers/aws/environments/stg/22-lgtm-image-processor/.terraform.lock.hcl
diff --git a/providers/aws/environments/stg/22-lgtm-image-processor/main.tf b/providers/aws/environments/stg/22-lgtm-image-processor/main.tf
@@ -7,4 +7,14 @@ module "lgtm_image_processor" {
   upload_images_bucket              = local.upload_images_bucket
   judge_image_upload_bucket         = local.judge_image_upload_bucket
   generate_lgtm_image_upload_bucket = local.generate_lgtm_image_upload_bucket
+  lambda_function_name              = local.lambda_function_name
+}
+
+module "codebuild" {
+  source = "../../../../../modules/aws/lgtm-image-processor/codebuild"
+
+  env                   = local.env
+  service_name          = local.service_name
+  lambda_function_name  = local.lambda_function_name
+  log_retention_in_days = local.codebuild_log_retention_in_days
 }
diff --git a/providers/aws/environments/stg/22-lgtm-image-processor/variables.tf b/providers/aws/environments/stg/22-lgtm-image-processor/variables.tf
@@ -6,4 +6,6 @@ locals {
   upload_images_bucket              = "${local.env}-lgtmeow-cat-images"
   judge_image_upload_bucket         = "${local.env}-lgtmeow-cat-images"
   generate_lgtm_image_upload_bucket = "${local.env}-lgtmeow-images"
+  lambda_function_name              = "${local.env}-${local.service_name}"
+  codebuild_log_retention_in_days   = 3
 }
diff --git a/providers/aws/environments/stg/22-lgtm-image-processor/versions.tf b/providers/aws/environments/stg/22-lgtm-image-processor/versions.tf
@@ -2,6 +2,6 @@ terraform {
   required_version = "1.0.3"
 
   required_providers {
-    aws = "5.1.0"
+    aws = "5.68.0"
   }
 }